Hijack This Log

A

Acetyle

New Member
I haven't used this site in awhile, and I do appreciate the work you guys do, as well as all the members who use these threads. A friend really messed up his computer. I can barely access the internet, I can't open up my task manager. I get an error that says the administrator has blocked that action. I can't even access the task manager using safe mode.

I also tried installing Microbytes, but the virus doesn't seem to want any other anti spyware stuff running. It appears it's one of those bogus buy me now or your computer will explode gimmics, except this one is one of the worst I've seen.

Thanks in advance for any and all advice / help.

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 4:04:23 PM, on 2/19/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\smss32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon32.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [Wsegucokuhupo] rundll32.exe "C:\WINDOWS\ovohovojamazekud.dll",Startup
O4 - HKLM\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WeatherDPA] "C:\Program Files\Hotbar\bin\11.0.78.0\Weather.exe" -auto
O4 - HKCU\..\Run: [richtx64.exe] C:\DOCUME~1\Rami\LOCALS~1\Temp\richtx64.exe
O4 - HKCU\..\Run: [Malware Defense] "C:\Program Files\Malware Defense\mdefense.exe" -noscan
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZKxdm174YYUS
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/WebfettiInitialSetup1.0.1.1.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 4094 bytes
 
Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

In your next reply please post:
  • The ComboFix log
  • A fresh HiJackThis log
  • An update on how your computer is running
 
ComboFix 10-02-20.03 - Rami 02/20/2010 15:37:17.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.502.322 [GMT -5:00]
Running from: C:\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\Administrator\Local Settings\Application Data\{5060472B-A9E4-4FCD-AF94-EEAF3D17A4BE}\chrome.manifest
c:\documents and settings\Administrator\Local Settings\Application Data\{5060472B-A9E4-4FCD-AF94-EEAF3D17A4BE}\chrome\content\_cfg.js
c:\documents and settings\Administrator\Local Settings\Application Data\{5060472B-A9E4-4FCD-AF94-EEAF3D17A4BE}\chrome\content\overlay.xul
c:\documents and settings\Administrator\Local Settings\Application Data\{5060472B-A9E4-4FCD-AF94-EEAF3D17A4BE}\install.rdf
c:\documents and settings\All Users\Application Data\sysReserve.ini
c:\documents and settings\All Users\Application Data\ZangoSA\ZangoSA.dat
c:\documents and settings\All Users\Application Data\ZangoSA\ZangoSA_kyf_update.dat
c:\documents and settings\All Users\Application Data\ZangoSA\ZangoSAAbout.mht
c:\documents and settings\All Users\Application Data\ZangoSA\ZangoSAau.dat
c:\documents and settings\All Users\Application Data\ZangoSA\ZangoSAEula.mht
c:\documents and settings\Nezo\Application Data\FunWebProducts\Data\Nezo\avatar.dat
c:\documents and settings\Nezo\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Security 2010.lnk
c:\documents and settings\Nezo\Application Data\ShoppingReport\cs\Config.xml
c:\documents and settings\Nezo\Application Data\ShoppingReport\cs\db\Aliases.dbs
c:\documents and settings\Nezo\Application Data\ShoppingReport\cs\db\Sites.dbs
c:\documents and settings\Nezo\Application Data\ShoppingReport\cs\dwld\WhiteList.xip
c:\documents and settings\Nezo\Application Data\ShoppingReport\cs\report\aggr_storage.xml
c:\documents and settings\Nezo\Application Data\ShoppingReport\cs\report\send_storage.xml
c:\documents and settings\Nezo\Application Data\ShoppingReport\cs\res1\WhiteList.dbs
c:\documents and settings\Nezo\Local Settings\Application Data\{BE8BD730-1071-466D-BA24-B2DC28ECC0CD}\chrome.manifest
c:\documents and settings\Nezo\Local Settings\Application Data\{BE8BD730-1071-466D-BA24-B2DC28ECC0CD}\chrome\content\_cfg.js
c:\documents and settings\Nezo\Local Settings\Application Data\{BE8BD730-1071-466D-BA24-B2DC28ECC0CD}\chrome\content\overlay.xul
c:\documents and settings\Nezo\Local Settings\Application Data\{BE8BD730-1071-466D-BA24-B2DC28ECC0CD}\install.rdf
c:\documents and settings\Rami\Application Data\WeatherDPA\Weather\WeatherStartup.xml
c:\documents and settings\Rami\Local Settings\Application Data\{330A469F-FA57-449D-AB51-FE1DB99AED7A}\chrome.manifest
c:\documents and settings\Rami\Local Settings\Application Data\{330A469F-FA57-449D-AB51-FE1DB99AED7A}\chrome\content\_cfg.js
c:\documents and settings\Rami\Local Settings\Application Data\{330A469F-FA57-449D-AB51-FE1DB99AED7A}\chrome\content\overlay.xul
c:\documents and settings\Rami\Local Settings\Application Data\{330A469F-FA57-449D-AB51-FE1DB99AED7A}\install.rdf
c:\windows\jestertb.dll
c:\windows\ovohovojamazekud.dll
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\H8SRTpmaxvrhmwn.dll
c:\windows\system32\H8SRTtwoewiyqxm.dat
c:\windows\system32\H8SRTvouoktkibo.dll
c:\windows\system32\helper32.dll
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\IS15.exe
c:\windows\system32\krl32mainweq.dll
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\smss32.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\srcr.dat
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\warning.html
c:\windows\system32\winlogon32.exe
c:\windows\system32\WS2Fix.exe
c:\windows\wmpnenec.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_H8SRTd.sys
-------\Service_H8SRTd.sys


((((((((((((((((((((((((( Files Created from 2010-01-20 to 2010-02-20 )))))))))))))))))))))))))))))))
.

2010-02-20 00:54 . 2010-02-20 00:57 -------- d-----w- C:\SmitfraudFix
2010-02-20 00:53 . 2010-02-20 00:53 1872472 ----a-w- C:\SmitfraudFix.exe
2010-02-20 00:48 . 2010-02-20 00:48 -------- d-s---w- c:\documents and settings\Rami\UserData
2010-02-19 21:32 . 2010-02-19 21:32 -------- d-----w- c:\windows\system32\MpEngineStore
2010-02-19 20:55 . 2010-02-19 20:55 388096 ----a-r- c:\documents and settings\Rami\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-02-19 20:55 . 2010-02-19 20:55 -------- d-----w- c:\program files\TrendMicro
2010-02-19 20:54 . 2010-02-19 20:54 1401344 ----a-w- C:\HijackThis.msi
2010-02-19 20:49 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-19 20:49 . 2010-02-19 20:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-19 20:49 . 2010-02-19 20:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-19 20:49 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-19 20:44 . 2005-01-22 18:30 163840 ----a-r- c:\windows\system32\igfxres.dll
2010-02-19 20:43 . 2010-02-19 20:43 5115824 ----a-w- C:\mbam-setup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-20 20:36 . 2010-02-20 20:05 3866774 ----a-r- C:\ComboFix.exe
2010-02-20 20:03 . 2010-01-08 17:20 0 ----a-w- c:\windows\Utafedojodohuje.bin
2010-02-20 20:03 . 2010-01-08 17:20 120 ----a-w- c:\windows\Cpakuqoqiwogi.dat
2010-02-15 23:29 . 2009-10-28 20:24 -------- d-----w- c:\program files\Canon
2010-01-21 00:01 . 2008-01-23 23:23 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-21 00:00 . 2008-01-23 23:32 -------- d-----w- c:\program files\HPQ
2010-01-20 23:39 . 2009-07-20 20:38 -------- d-----w- c:\program files\QuickTime
2010-01-19 22:13 . 2008-06-16 04:07 -------- d-----w- c:\program files\Common Files\Apple
2009-12-31 16:14 . 2004-08-04 12:00 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-28 19:24 . 2008-03-31 16:27 48808 ----a-w- c:\documents and settings\Nezo\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-22 05:42 . 2004-08-04 12:00 662016 ------w- c:\windows\system32\wininet.dll
2009-12-22 05:42 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-12-20 00:28 . 2009-12-20 00:28 0 ----a-w- c:\windows\nsreg.dat
2009-12-19 23:42 . 2008-06-16 03:36 48808 ----a-w- c:\documents and settings\Rami\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-16 12:58 . 2008-01-23 23:07 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:35 . 2004-08-04 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-04 14:41 . 2004-08-04 12:00 453760 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:33 . 2004-08-04 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:33 . 2004-08-04 00:56 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:37 . 2004-08-04 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:37 . 2004-08-04 12:00 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:37 . 2004-08-04 12:00 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:37 . 2004-08-04 00:56 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:37 . 2001-08-17 22:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-02-20_20.23.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-20 20:28 . 2010-02-20 20:28 16384 c:\windows\Temp\Perflib_Perfdata_638.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Malware Defense"="c:\program files\Malware Defense\mdefense.exe" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Wsegucokuhupo"="c:\windows\ovohovojamazekud.dll" [BU]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
2004-11-05 18:52 233534 ----a-w- c:\program files\HPQ\Default Settings\Cpqset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2005-01-22 18:31 126976 ----a-r- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-02-17 04:11 49152 ----a-w- c:\program files\Hp\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
2005-01-21 18:40 790528 ----a-w- c:\program files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2005-01-22 18:36 155648 ----a-r- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-04 12:00 208952 ----a-w- c:\windows\ime\IMJP8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-09-09 01:09 305440 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2004-08-04 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2004-08-04 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\smss32.exe]
c:\windows\system32\smss32.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2004-11-04 18:38 688218 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
2004-11-04 18:40 98394 ----a-w- c:\program files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Wsegucokuhupo]
c:\windows\ovohovojamazekud.dll [BU]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.icd"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZKxdm174YYUS
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-20 15:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2104)
c:\windows\system32\msi.dll
c:\windows\system32\shdoclc.dll
.
Completion time: 2010-02-20 15:43:28
ComboFix-quarantined-files.txt 2010-02-20 20:43

Pre-Run: 40,829,935,616 bytes free
Post-Run: 40,799,465,472 bytes free

- - End Of File - - 4305E946E1155CC38872D9559E0AEB94






Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 15:49:23, on 2/20/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [Wsegucokuhupo] rundll32.exe "C:\WINDOWS\ovohovojamazekud.dll",Startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Malware Defense] "C:\Program Files\Malware Defense\mdefense.exe" -noscan
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZKxdm174YYUS
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 3066 bytes






It seems the unchangable backround telling me the computer is infected has been removed and I can access my task manager as well. I also no longer have anything in the quick start bar telling me that I need to install their garbage spyware software. A few more concerns I have though have appeared:

1. When the computer boots it will only start if I arrow to Windows Home before windows starts. If I leave it untouched it tries to run a Windows Set up and an error happens saying it needs a certain file to continue. I hit enter and the system reboots. Basically as long as I am here to make sure it boots Windows normally it is okay.

2. I also now have an error upon boot up:

Window title: RUNDLL

Once again I would like to say thank you for all advice and help.

Error loading C:\Windows\ovohohojamazekud.dll
The specified module could not be found.
 
You are still somewhat infected, hopefully you will be able to download and run malwarebytes as it should clean you up a bit more especially the malware defense infection.


How to run a scan with Malwarebytes' Anti-Malware

Download Malwarebytes' Anti-Malware from Here , Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Please post the malwarebytes log along with a fresh hijackthis log.

There is still some cleaning we can do with combofix but i'll wait until after malwarebytes runs.
 
Malwarebytes' Anti-Malware 1.44
Database version: 3770
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

2/21/2010 2:10:00 PM
mbam-log-2010-02-21 (14-10-00).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 167017
Time elapsed: 37 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 16
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 19

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\malware defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\(default) (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Windows Live\Messenger\msimg32.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\Windows Live\Messenger\riched20.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\wmpnenec.dll.vir (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\H8SRTpmaxvrhmwn.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\H8SRTvouoktkibo.dll.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\smss32.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\winlogon32.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{297D43D6-5E4B-4AC5-80E9-002DF4B60EF0}\RP367\A0130150.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{297D43D6-5E4B-4AC5-80E9-002DF4B60EF0}\RP367\A0130168.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{297D43D6-5E4B-4AC5-80E9-002DF4B60EF0}\RP368\A0130175.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{297D43D6-5E4B-4AC5-80E9-002DF4B60EF0}\RP368\A0130212.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{297D43D6-5E4B-4AC5-80E9-002DF4B60EF0}\RP368\A0130213.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{297D43D6-5E4B-4AC5-80E9-002DF4B60EF0}\RP368\A0130215.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{297D43D6-5E4B-4AC5-80E9-002DF4B60EF0}\RP368\A0130228.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{297D43D6-5E4B-4AC5-80E9-002DF4B60EF0}\RP368\A0130238.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{297D43D6-5E4B-4AC5-80E9-002DF4B60EF0}\RP368\A0130240.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{297D43D6-5E4B-4AC5-80E9-002DF4B60EF0}\RP368\A0130227.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rami\Application Data\Microsoft\Internet Explorer\Quick Launch\Malware Defense.lnk (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
 
Sorry about that. Figured I would get a fresh reboot in before I posted.

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 14:24:58, on 2/21/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [Wsegucokuhupo] rundll32.exe "C:\WINDOWS\ovohovojamazekud.dll",Startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 2742 bytes
 
Please rerun hijackthis and place a check next to these entries.

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [Wsegucokuhupo] rundll32.exe "C:\WINDOWS\ovohovojamazekud.dll",Startup
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspn et_state.exe (file missing)


Then click on fix checked at the bottom.

Then navigate to C:\WINDOWS\ovohovojamazekud.dll and delete that file. You may have to boot into safe mode to do it.

If you have not already placed combofix on your desktop, please do so now so we can carry out this next step.

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box

Code: 
File::
c:\windows\Utafedojodohuje.bin
c:\windows\Cpakuqoqiwogi.dat
c:\windows\ovohovojamazekud.dll

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!


CFScript-1.gif


ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Also please post a fresh hijackthis log after doing this fix.
 
ComboFix 10-02-21.02 - Rami 02/21/2010 17:45:39.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.502.328 [GMT -5:00]
Running from: C:\ComboFix.exe
Command switches used :: C:\CFScript.txt

FILE ::
"c:\windows\Cpakuqoqiwogi.dat"
"c:\windows\ovohovojamazekud.dll"
"c:\windows\Utafedojodohuje.bin"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Cpakuqoqiwogi.dat
c:\windows\Utafedojodohuje.bin

.
((((((((((((((((((((((((( Files Created from 2010-01-21 to 2010-02-21 )))))))))))))))))))))))))))))))
.

2010-02-21 16:55 . 2010-02-21 16:55 -------- d-----w- c:\documents and settings\Rami\Application Data\Malwarebytes
2010-02-20 20:05 . 2010-02-21 22:43 3868001 ----a-r- C:\ComboFix.exe
2010-02-20 00:54 . 2010-02-20 00:57 -------- d-----w- C:\SmitfraudFix
2010-02-20 00:53 . 2010-02-20 00:53 1872472 ----a-w- C:\SmitfraudFix.exe
2010-02-20 00:48 . 2010-02-20 00:48 -------- d-s---w- c:\documents and settings\Rami\UserData
2010-02-19 21:32 . 2010-02-19 21:32 -------- d-----w- c:\windows\system32\MpEngineStore
2010-02-19 20:55 . 2010-02-19 20:55 388096 ----a-r- c:\documents and settings\Rami\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-02-19 20:55 . 2010-02-19 20:55 -------- d-----w- c:\program files\TrendMicro
2010-02-19 20:54 . 2010-02-19 20:54 1401344 ----a-w- C:\HijackThis.msi
2010-02-19 20:49 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-19 20:49 . 2010-02-19 20:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-19 20:49 . 2010-02-19 20:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-19 20:49 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-19 20:44 . 2005-01-22 18:30 163840 ----a-r- c:\windows\system32\igfxres.dll
2010-02-19 20:43 . 2010-02-19 20:43 5115824 ----a-w- C:\mbam-setup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-15 23:29 . 2009-10-28 20:24 -------- d-----w- c:\program files\Canon
2010-01-21 00:01 . 2008-01-23 23:23 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-21 00:00 . 2008-01-23 23:32 -------- d-----w- c:\program files\HPQ
2010-01-20 23:39 . 2009-07-20 20:38 -------- d-----w- c:\program files\QuickTime
2010-01-19 22:13 . 2008-06-16 04:07 -------- d-----w- c:\program files\Common Files\Apple
2009-12-31 16:14 . 2004-08-04 12:00 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-28 19:24 . 2008-03-31 16:27 48808 ----a-w- c:\documents and settings\Nezo\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-22 05:42 . 2004-08-04 12:00 662016 ------w- c:\windows\system32\wininet.dll
2009-12-22 05:42 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-12-20 00:28 . 2009-12-20 00:28 0 ----a-w- c:\windows\nsreg.dat
2009-12-19 23:42 . 2008-06-16 03:36 48808 ----a-w- c:\documents and settings\Rami\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-16 12:58 . 2008-01-23 23:07 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:35 . 2004-08-04 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-04 14:41 . 2004-08-04 12:00 453760 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:33 . 2004-08-04 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:33 . 2004-08-04 00:56 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:37 . 2004-08-04 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:37 . 2004-08-04 12:00 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:37 . 2004-08-04 12:00 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:37 . 2004-08-04 00:56 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:37 . 2001-08-17 22:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-02-20_20.23.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-21 22:36 . 2010-02-21 22:36 16384 c:\windows\Temp\Perflib_Perfdata_ac.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
2004-11-05 18:52 233534 ----a-w- c:\program files\HPQ\Default Settings\Cpqset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2005-01-22 18:31 126976 ----a-r- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-02-17 04:11 49152 ----a-w- c:\program files\Hp\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
2005-01-21 18:40 790528 ----a-w- c:\program files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2005-01-22 18:36 155648 ----a-r- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-04 12:00 208952 ----a-w- c:\windows\ime\IMJP8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-09-09 01:09 305440 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2004-08-04 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2004-08-04 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\smss32.exe]
c:\windows\system32\smss32.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2004-11-04 18:38 688218 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
2004-11-04 18:40 98394 ----a-w- c:\program files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Wsegucokuhupo]
c:\windows\ovohovojamazekud.dll [BU]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.icd"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: &Search
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-21 17:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-02-21 17:52:25
ComboFix-quarantined-files.txt 2010-02-21 22:52
ComboFix2.txt 2010-02-20 20:43

Pre-Run: 41,081,462,784 bytes free
Post-Run: 41,050,972,160 bytes free

- - End Of File - - 038F627CB143A74F2714A22A099E75B0


Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 18:07:15, on 2/21/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 2547 bytes
 
Your log looks good now. If you want, you can go into services and disable the asp.net state service. How is your system running now? Are you able to access task manager now?

I also noticed you aren't running any active virus programs at all. Browsing the internet today without a virus program is asking for problems. I highly suggest you download and install at least a free program such as AVG, AVAST or AVIRA.
 
Yes the computer is working much better.

Task Manager is working well too. The only problem I have yet is I get an error when the computer boots before windows starts it tells me that the system32\hal.dll is corrupted and windows won't start. It attempts to boot the windows recovery option for some reason and that error happens. As long as I make sure to select the proper boot option it starts fine.

I will also install a AVG on this computer too.

Once again I thank you for your patience and your cooperation.
 
Do you have 2 drives in this system and perhaps you had installed windows on the other drive as well?
 
no. It's a laptop, and I'm not sure how it got there. This is a friend's laptop who is completely deficient when it comes to technology.

It was a problem when I first received it.
 
I appreciate all the help you have provided with the computer. The computer is in much better shape than it was. I googled the problem I was having and found a solution that worked.

Thank you again for your assistance.
 
Glad you got it working ok now. Usually with a hal.dll error the computer won't boot, not sure how yours booted up though.
 
You must log in or register to reply here.
Back
Top