As requested, here is the ComboFix log:
ComboFix 09-03-02.03 - Sam 2009-03-03 22:08:16.1 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.737 [GMT 0:00]
Running from: g:\anti virus\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Sam\Application Data\inst.exe
c:\documents and settings\Sam\Local Settings\Temporary Internet Files\fbk.sts
c:\program files\INSTALL.LOG
c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\system32\200933441.dll
c:\windows\system32\afisicx.exe
c:\windows\system32\drivers\ntndis.sys
c:\windows\system32\drivers\seneka.sys
c:\windows\system32\ezosavam.ini
c:\windows\system32\inf\xccdfb16_090131.dll
c:\windows\system32\inf\xccefb090131.scr
c:\windows\system32\kavumefe.dll
c:\windows\system32\reader_s.exe
c:\windows\system32\senekabmcmvjbn.dat
c:\windows\system32\senekanvmeycpi.dat
c:\windows\system32\tmpxccacj0.exe
c:\windows\system32\tpszxyd.sys
c:\windows\system32\w.exe
c:\windows\system32\xcchit32.ini
c:\windows\xccdf16_090131a.dll
c:\windows\xccdf32_090131a.dll
c:\windows\xccwinsys.ini
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_RESTORE
-------\Service_restore
((((((((((((((((((((((((( Files Created from 2009-02-03 to 2009-03-03 )))))))))))))))))))))))))))))))
.
2009-03-03 17:11 . 2009-03-03 17:11 <DIR> d-------- c:\program files\Zone Labs
2009-03-02 21:59 . 2009-03-02 21:59 136,096 --a------ c:\windows\system32\drivers\tbpanel.sys
2009-03-02 21:59 . 2009-03-02 21:59 41,473 --a------ c:\windows\services.ex_
2009-03-02 21:59 . 2009-03-02 21:59 130 --a------ c:\windows\adobe.bat
2009-03-02 21:59 . 2009-03-02 21:59 6 --a------ c:\windows\_id.dat
2009-03-02 21:57 . 2009-03-02 21:57 <DIR> d-------- c:\windows\LastGood
2009-03-02 21:57 . 2009-03-02 21:57 124 --a------ c:\windows\system32\4.tmp
2009-03-02 21:56 . 2009-03-02 21:56 <DIR> d---s---- c:\documents and settings\Administrator.SAMS-BUILD\UserData
2009-03-02 20:35 . 2009-03-02 20:35 <DIR> d-------- c:\windows\LastGood.Tmp
2009-03-02 19:05 . 2009-03-02 19:05 244 --ah----- C:\sqmnoopt03.sqm
2009-03-02 19:05 . 2009-03-02 19:05 244 --ah----- C:\sqmnoopt02.sqm
2009-03-02 19:05 . 2009-03-02 19:05 232 --ah----- C:\sqmdata03.sqm
2009-03-02 19:05 . 2009-03-02 19:05 232 --ah----- C:\sqmdata02.sqm
2009-03-02 18:59 . 2009-03-03 18:35 <DIR> d-------- c:\program files\Lavasoft
2009-03-02 18:59 . 2009-03-03 18:35 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-03-02 18:59 . 2009-03-02 18:59 244 --ah----- C:\sqmnoopt01.sqm
2009-03-02 18:59 . 2009-03-02 18:59 232 --ah----- C:\sqmdata01.sqm
2009-03-02 18:52 . 2009-03-02 18:52 <DIR> d-------- c:\program files\Common Files\xing shared
2009-03-02 18:50 . 2009-03-02 18:50 <DIR> d---s---- c:\windows\system32\config\systemprofile\UserData
2009-03-02 18:49 . 2009-03-02 18:49 182,912 --a--c--- c:\windows\system32\dllcache\ndis.sys
2009-03-02 18:45 . 2009-03-02 18:47 162,816 --a------ c:\windows\system32\56.tmp
2009-03-02 18:41 . 2009-03-02 18:45 134,656 --a------ c:\windows\system32\6.tm_
2009-03-02 18:41 . 2009-03-02 18:41 164 --a------ c:\windows\system32\5.tmp
2009-03-02 17:42 . 2009-03-02 18:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Google Updater
2009-03-02 17:01 . 2009-03-02 17:03 161,792 --a------ c:\windows\system32\3.tmp
2009-03-02 17:01 . 2009-03-02 17:01 124 --a------ c:\windows\system32\2.tmp
2009-03-02 16:34 . 2009-03-02 16:34 <DIR> d-------- c:\windows\system32\3361
2009-03-02 16:34 . 2002-02-15 14:02 676,352 --a------ c:\windows\system32\rtl60.bpl
2009-03-02 16:34 . 2009-03-02 16:34 77,824 --a------ c:\windows\system32\u16240633.dll
2009-03-02 16:34 . 2009-03-01 22:40 66,048 --a------ c:\windows\system32\sopidkc.exe
2009-03-02 16:34 . 2009-03-01 22:41 32,768 --a------ c:\windows\system32\umtcdtw.sys
2009-03-02 16:33 . 2009-03-03 22:09 <DIR> d-------- c:\windows\system32\inf
2009-03-02 16:33 . 2009-03-02 20:23 <DIR> d-------- c:\documents and settings\Sam\Application Data\comidle
2009-03-02 16:33 . 2009-03-02 16:33 155,222 --a------ c:\windows\system\xccef090131.exe
2009-03-02 16:33 . 2009-03-02 16:33 138,013 --a------ c:\windows\system32\15.tmp
2009-03-02 16:33 . 2009-03-02 16:33 124 --a------ c:\windows\system32\14.tmp
2009-02-23 16:12 . 2009-02-23 16:15 <DIR> d-------- C:\openbve
2009-02-23 16:10 . 2009-02-23 16:15 <DIR> d-------- C:\Copy of openbve
2009-02-17 16:23 . 2009-02-24 09:29 8 --a------ c:\windows\system32\nvModes.dat
2009-02-17 16:22 . 2009-02-17 16:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\nView_Profiles
2009-02-11 11:59 . 2009-02-24 18:17 147 --a------ c:\program files\go.bat
2009-02-11 11:48 . 2009-02-11 11:51 <DIR> d-------- c:\program files\MP3Gain
2009-02-09 21:37 . 2009-02-09 21:37 <DIR> d-------- c:\windows\system32\win32deps
2009-02-09 21:37 . 2009-02-09 21:37 <DIR> d-------- c:\windows\system32\osxdeps
2009-02-09 21:37 . 2009-02-09 21:38 <DIR> d-------- c:\program files\TaoFramework
2009-02-09 21:22 . 2009-02-09 21:22 <DIR> d-------- c:\program files\OpenAL
2009-02-09 21:22 . 2009-02-09 21:22 413,696 --a------ c:\windows\system32\wrap_oal.dll
2009-02-09 21:22 . 2009-02-09 21:22 110,592 --a------ c:\windows\system32\OpenAL32.dll
2009-02-09 21:14 . 2009-02-09 21:14 <DIR> d-------- c:\program files\MSBuild
2009-02-09 21:13 . 2009-02-09 21:13 <DIR> d-------- c:\windows\system32\XPSViewer
2009-02-09 21:13 . 2009-02-09 21:13 <DIR> d-------- c:\program files\Reference Assemblies
2009-02-09 21:11 . 2006-06-29 13:07 14,048 --------- c:\windows\system32\spmsg2.dll
2009-02-04 16:17 . 2009-02-24 22:39 <DIR> d-------- C:\Kontiki
2009-02-04 13:04 . 2009-02-10 08:36 <DIR> d-------- c:\windows\nview
2009-02-04 13:04 . 2009-01-15 08:19 453,152 --a------ c:\windows\system32\nvudisp.exe
2009-02-04 13:04 . 2009-03-02 20:33 201,144 --a------ c:\windows\system32\nvapps.xml
2009-02-04 10:23 . 2009-01-15 08:19 206,793 --a------ c:\windows\system32\nvapps.nvb
2009-02-03 20:32 . 2009-01-15 08:19 18,725 --a------ c:\windows\system32\nvdisp.nvu
2009-02-03 20:24 . 2009-02-04 10:21 <DIR> d-------- C:\NVIDIA
2009-02-03 17:12 . 2009-02-03 17:18 <DIR> d-------- c:\program files\SystemRequirementsLab
2009-02-03 13:10 . 2009-01-07 11:28 453,152 --a------ c:\windows\system32\NVUNINST.EXE
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-03 21:38 90,112 ----a-w c:\windows\DUMP75bc.tmp
2009-03-03 18:36 --------- d-----w c:\program files\LimeWire
2009-03-03 18:33 --------- d-----w c:\program files\LimeWire Plus
2009-03-03 18:31 --------- d-----w c:\program files\uTorrent
2009-03-03 17:17 90,112 ----a-w c:\windows\DUMP7a8f.tmp
2009-03-03 07:59 --------- d-----w c:\documents and settings\All Users\Application Data\Kontiki
2009-03-02 20:35 --------- d-----w c:\program files\Kaspersky Lab
2009-03-02 20:35 --------- d-----w c:\documents and settings\Sam\Application Data\uTorrent
2009-03-02 20:35 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-03-02 20:24 --------- d-----w c:\program files\Accessdiver
2009-03-02 18:59 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-02 18:52 --------- d-----w c:\program files\Common Files\Real
2009-03-02 18:49 182,912 ----a-w c:\windows\system32\drivers\ndis.sys
2009-03-02 18:27 --------- d-----w c:\program files\SpywareBlaster
2009-03-02 18:27 --------- d-----w c:\program files\MagicDisc
2009-03-02 18:02 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-02 18:00 --------- d-----w c:\program files\MagicISO
2009-03-02 18:00 --------- d-----w c:\program files\CursorXP
2009-03-02 17:42 --------- d-----w c:\program files\Google
2009-02-26 07:54 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-24 19:08 583 ----a-w c:\program files\WaveGain frontend.ini
2009-02-19 13:06 --------- d-----w c:\documents and settings\Sam\Application Data\Vso
2009-02-11 11:59 --------- d-----w c:\program files\Info
2009-02-10 18:56 --------- d-----w c:\program files\Messenger Plus! Live
2009-02-09 21:20 --------- d-----w c:\documents and settings\Sam\Application Data\FileZilla
2009-02-09 20:42 --------- d-----w c:\program files\FileZilla FTP Client
2009-02-04 10:24 --------- d-----w c:\program files\AGEIA Technologies
2009-02-03 17:12 --------- d-----w c:\documents and settings\Sam\Application Data\SystemRequirementsLab
2009-01-15 08:19 6,301,248 ----a-w c:\windows\system32\drivers\nv4_mini.sys
2009-01-10 09:28 --------- d-----w c:\documents and settings\Sam\Application Data\anpo.republika.pl
2009-01-10 00:35 --------- d-----w c:\program files\Download Direct
2009-01-09 18:33 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-01-09 18:33 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2009-01-09 14:04 --------- d-----w c:\program files\Nokia
2009-01-09 14:04 --------- d-----w c:\program files\Common Files\PCSuite
2009-01-09 14:04 --------- d-----w c:\program files\Common Files\Nokia
2009-01-09 14:01 --------- d-----w c:\program files\PC Connectivity Solution
2009-01-09 13:36 --------- d-----w c:\documents and settings\All Users\Application Data\Installations
2009-01-08 21:38 --------- d-----w c:\documents and settings\Sam\Application Data\vlc
2009-01-06 23:11 98,304 ----a-w c:\windows\DUMP9441.tmp
2009-01-06 21:04 --------- d-----w c:\program files\DivX
2009-01-06 21:00 --------- d-----w c:\program files\CCleaner
2009-01-06 20:55 --------- d-----w c:\program files\RadarSync
2009-01-03 09:45 --------- d-----w c:\program files\RealVNC
2009-01-03 09:39 --------- d-----w c:\program files\VNCRemoteSetup
2008-12-27 21:48 73,216 ----a-w c:\windows\ST6UNST.EXE
2008-12-27 21:48 249,856 ------w c:\windows\Setup1.exe
2008-04-19 03:45 3,902,784 -c--a-w c:\documents and settings\Sam\gosetup.exe
2007-10-10 16:16 0 -c--a-w c:\documents and settings\Sam\channels.dat
2007-08-15 10:48 47,360 -c--a-w c:\documents and settings\Sam\Application Data\pcouffin.sys
2007-08-02 11:22 174,088 -c--a-w c:\documents and settings\All Users\Application Data\firstlsp.reg.dat
2004-03-08 11:19 180,736 ----a-w c:\program files\WaveGain.exe
2003-04-18 09:46 4,096 ----a-w c:\program files\win2dos.exe
2003-02-24 12:04 69,632 ----a-w c:\program files\WaveGain frontend.exe
1998-09-25 13:16 287,744 -c--a-w c:\program files\UNWISE.EXE
2007-08-07 12:20 61 -csh--w c:\windows\cnerolf.dat
.
------- Sigcheck -------
2004-08-03 23:56 31232 44201075b29fff1bcd95797319b12d19 c:\windows\system32\svchost.exe
2009-03-02 16:34 139264 a335dd3e1dd19f94a4815b363d1da28f c:\windows\system32\3361\SVCHOST.EXE
2009-03-02 18:49 213376 558635d3af1c7546d26067d5d9b6959e c:\windows\system32\dllcache\ndis.sys
2009-03-02 18:49 213376 558635d3af1c7546d26067d5d9b6959e c:\windows\system32\drivers\ndis.sys
2005-03-02 00:36 2056832 d8aba3eab509627e707a3b14f00fbb6b c:\windows\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2007-02-28 09:15 2059392 4d3dbdccbf97f5ba1e74f322b155c3ba c:\windows\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
2005-03-02 00:34 2056832 81013f36b21c7f72cf784cc6731e0002 c:\windows\$NtUninstallKB931784$\ntkrnlpa.exe
2007-02-28 08:38 2057600 515d30e2c90a3665a2739309334c9283 c:\windows\Driver Cache\i386\ntkrnlpa.exe
2008-08-14 09:22 2057728 ba002228743b6824d87f0551dbc86d45 c:\windows\SoftwareDistribution\Download\e76b316b6389286fbb342d033e63f1ba\SP2GDR\ntkrnlpa.exe
2008-08-14 09:18 2062976 63ec865dff6ccfc7bef94b5c50297cad c:\windows\SoftwareDistribution\Download\e76b316b6389286fbb342d033e63f1ba\SP2QFE\ntkrnlpa.exe
2008-08-14 09:33 2066048 4ac58f03eb94a72809949d757fc39d80 c:\windows\SoftwareDistribution\Download\e76b316b6389286fbb342d033e63f1ba\SP3GDR\ntkrnlpa.exe
2008-08-14 15:39 2066048 a25e9b86effb2af33bf51e676b68bfb0 c:\windows\SoftwareDistribution\Download\e76b316b6389286fbb342d033e63f1ba\SP3QFE\ntkrnlpa.exe
2007-02-28 08:38 2027520 54a8b9806027049f8b19f1274a63c7b4 c:\windows\system32\ntkrnlpa.exe
2007-02-28 08:38 2057600 515d30e2c90a3665a2739309334c9283 c:\windows\system32\dllcache\ntkrnlpa.exe
2007-06-13 10:23 1440768 0cf64efcff9ccc383d465502cd2497e8 c:\windows\explorer.exe
2007-06-13 11:26 1050112 9efb01293458b1ea9a7efd999047c296 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
2004-08-03 23:56 1049088 2ed0aa82d0229b14e699d49c078d6d3c c:\windows\$NtUninstallKB938828$\explorer.exe
2007-06-13 10:23 1050112 c6b270038c499d7df9be3f2f8fafe72d c:\windows\system32\dllcache\explorer.exe
2004-08-03 23:56 32256 a363e342c794179d7289939b0532d122 c:\windows\system32\ctfmon.exe
2005-06-11 00:17 74752 d02a4da5894505884020611c1aaf7429 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2004-08-03 23:56 75264 3c96bd516b583d4aebbc20305e60aceb c:\windows\$NtUninstallKB896423$\spoolsv.exe
2005-06-10 23:53 74752 6adfe3960131be501877f57ea177ec84 c:\windows\system32\spoolsv.exe
2007-07-30 18:19 53080 f3e9065eb617a7e3a832a7976bfa021b c:\windows\LastGood\system32\wuauclt.exe
2008-10-16 14:09 51224 e654b78d2f1d791b30d0ed9a8195ec22 c:\windows\SoftwareDistribution\WebSetup\wuauclt.exe
2008-10-16 14:09 51224 e654b78d2f1d791b30d0ed9a8195ec22 c:\windows\system32\wuauclt.exe
2007-07-30 18:19 53080 f3e9065eb617a7e3a832a7976bfa021b c:\windows\system32\dllcache\wuauclt.exe
2004-08-03 23:56 41984 b9f8e6d454bc72dca90f90ec851815e1 c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\tbFre1.dll" [2008-02-19 1555480]
[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{1392B8D2-5C05-419F-A8F6-B9F15A596612}"= "c:\program files\Freecorder\tbFre1.dll" [2008-02-19 1555480]
[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2008-10-26 5724184]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 32256]
"WallpaperSS"="c:\program files\WallpaperSS\WallpaperSS.exe" [2007-03-12 450560]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-12-03 1223168]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-23 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Vistadrv"="f:\exx hdd\Program Files\VistaDrives\vsdrv.exe" [2006-07-30 121089]
"LogonStudio"="c:\program files\WinCustomize\LogonStudio\logonstudio.exe" [2002-09-03 1007667]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-03-21 1974272]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 13680640]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-15 86016]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-11-13 981904]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"nwiz"="nwiz.exe" [2009-01-15 c:\windows\system32\nwiz.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 32256]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2008-10-26 5724184]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonuiX.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2005-12-06 20:16 176128 c:\progra~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashDisp.exe]
"Debugger"=c:\windows\system32\alg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashserv.exe]
"Debugger"=c:\windows\system32\alg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashSimpl.exe]
"Debugger"=c:\windows\system32\alg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avesvc.exe]
"Debugger"=c:\windows\system32\alg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdmcon.exe]
"Debugger"=c:\windows\system32\alg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdnagent.exe]
"Debugger"=c:\windows\system32\alg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdswitch.exe]
"Debugger"=c:\windows\system32\alg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\DefWatch.exe]
"Debugger"=c:\windows\system32\alg.exe
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia.PCSync]
--a------ 2008-11-10 15:07 1273856 c:\program files\Nokia\Nokia PC Suite 7\PcSync2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
--a------ 2008-12-03 12:47 1223168 c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 434176 c:\program files\QuickTime\QTTask.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe"
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
"PeerGuardian"=c:\program files\PeerGuardian2\pg2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"NeroFilterCheck"=c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
"PWRISOVM.EXE"=c:\program files\PowerISO\PWRISOVM.EXE
"JMB36X Configure"=c:\windows\system32\JMRaidTool.exe boot
"36X Raid Configurer"=c:\windows\system32\JMRaidSetup.exe boot
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"LiveMonitor"=c:\program files\MSI\Live Update 3\LMonitor.exe
"JMB36X IDE Setup"=c:\windows\JM\JMInsIDE.exe
"TrueImageMonitor.exe"=c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"D-Link AirPlus G"=c:\program files\D-Link\AirPlus G\AirGCFG.exe
"AcronisTimounterMonitor"=c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
R0 hotcore2;hotcore2;c:\windows\system32\drivers\hotcore2.sys [2007-12-27 30808]
S1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-03-03 114768]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-03-03 20560]
S2 gearsec;gearsec;c:\windows\system32\gearsec.exe [2005-11-30 58952]
S3 AF05BDA;AF9005 BDA Device;c:\windows\system32\drivers\AF05BDA.sys [2007-07-30 114432]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2008-06-15 16512]
S3 DigiCellDriver;DigiCellDriver;\??\c:\program files\MSI\DualCoreCenter\NTGLM7X.sys --> c:\program files\MSI\DualCoreCenter\NTGLM7X.sys [?]
S3 FoxAwdWINFLASH;FoxAwdWINFLASH;c:\program files\FOXCONN\FOX LiveUpdate\FoxAwdWINFLASH.sys [2007-08-04 17120]
S3 FXDrv32;FXDrv32;c:\progra~1\FOXCONN\FOXLIV~1\FXDrv32.sys [2007-08-04 23872]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2008-05-24 138112]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2008-05-24 8320]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
wnnkugqw
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - msiexec.exe /i kis.en.msi
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1674677c-564e-11dc-b886-806d6172696f}]
\Shell\AutoRun\command - msiexec.exe /i kis.en.msi
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{85f43488-388f-11dc-964f-806d6172696f}]
\Shell\AutoRun\command - D:\start.exe
.
Contents of the 'Scheduled Tasks' folder
2009-03-02 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe []
2009-03-02 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []
2009-02-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2009-03-03 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-02 17:42]
2009-02-27 c:\windows\Tasks\Norton Security Scan.job
- c:\program files\Norton Security Scan\Nss.exe [2007-09-18 23:42]
2008-12-03 c:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []
2008-04-07 c:\windows\Tasks\Uniblue SpeedUpMyPC.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []
2008-12-13 c:\windows\Tasks\Uniblue SpyEraser Nag.job
- c:\program files\Uniblue\SpyEraser\SpyEraser.exe []
2008-04-07 c:\windows\Tasks\Uniblue SpyEraser.job
- c:\program files\Uniblue\SpyEraser\SpyEraser.exe []
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-reader_s - c:\documents and settings\Sam\reader_s.exe
HKLM-Run-JMB36X IDE Setup - c:\windows\RaidTool\xInsIDE.exe
HKLM-Run-yitokejoje - c:\windows\system32\fekabota.dll
HKLM-Run-CPM07f935ec - c:\windows\system32\ligasuta.dll
HKLM-Run-reader_s - c:\windows\System32\reader_s.exe
HKLM-Run-SytéUpdates - 6.tmp
HKLM-RunServices-SytéUpdates - 6.tmp
HKU-Default-Run-phkqzagp.exe - c:\windows\phkqzagp.exe
HKU-Default-Run-services - c:\windows\services.exe
HKU-Default-Run-SytéUpdates - 6.tmp
HKU-Default-RunServices-SytéUpdates - 6.tmp
HKLM-Explorer_Run-xccinit - c:\windows\system32\inf\rundll33.exe
HKLM-Explorer_Run-services - c:\windows\services.exe
HKU-Default-Explorer_Run-services - c:\windows\services.exe
Notify-ylxhwvzx - hhuweni.dll
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.keepingittwisted.com/xbox_register.aspx
uInternet Settings,ProxyServer = 202.57.255.210:80
uInternet Settings,ProxyOverride = ;*.local;<local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Anti-Banner
IE: Crawler Search - tbr:iemenu
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Handy Password: Autosubmit - c:\program files\Handy Password\handypasswordtoolbar.dll/menu_autologin.html
IE: Handy Password: Fill - c:\program files\Handy Password\handypasswordtoolbar.dll/menu_fill.html
IE: Handy Password: Fill With - c:\program files\Handy Password\handypasswordtoolbar.dll/menu_fillwith.html
IE: Handy Password: Lock/Unlock - c:\program files\Handy Password\handypasswordtoolbar.dll/menu_lock.html
IE: Handy Password: Save - c:\program files\Handy Password\handypasswordtoolbar.dll/menu_save.html
FF - ProfilePath - c:\documents and settings\Sam\Application Data\Mozilla\Firefox\Profiles\n6x94fkk.default\
FF - prefs.js: browser.startup.homepage - hxxp://news.bbc.co.uk/|
http://www.hotukdeals.com/all/all/hothttp://www.exceem.co.uk/forums/exceemspy.html
FF - component: c:\documents and settings\Sam\Application Data\Mozilla\Firefox\Profiles\n6x94fkk.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\FFAlert.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1508.6312\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmidas.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 200000
FF - user.js: content.notify.interval - 100000
FF - user.js: content.switch.threshold - 650000
FF - user.js: nglayout.initialpaint.delay - 300
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2009-03-03 22:26:32
Windows 5.1.2600 Service Pack 2 NTFS
detected NTDLL code modification:
ZwOpenFile
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-823518204-1004336348-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
[HKEY_USERS\S-1-5-21-823518204-1004336348-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:78,6e,ad,2e,a2,51,38,f9,75,49,d9,97,c5,02,7b,b8,d3,2e,b3,9c,ee,35,6a,
e0,16,a3,b6,5d,00,84,66,99,ab,64,f0,41,93,e7,06,6c,e9,5d,13,91,01,c3,d8,ab,\
"??"=hex:04,3c,00,a0,6e,a7,ff,1a,ce,55,ca,83,7f,c7,26,94
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(384)
c:\program files\Bonjour\mdnsNSP.dll
c:\windows\system32\cscui.dll
c:\progra~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
- - - - - - - > 'lsass.exe'(444)
c:\windows\system32\relog_ap.dll
.
Completion time: 2009-03-03 22:34:24 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-03 22:34:22
Pre-Run: 265,829,765,120 bytes free
Post-Run: 273,733,500,928 bytes free
Current=10 Default=10 Failed=9 LastKnownGood=11 Sets=1,2,3,4,5,6,7,8,9,10,11
408 --- E O F --- 2008-07-10 23:24:50
Now my computer doesn't like Safe Mode with Networking: after I log in, the screen just stays blank and the desktop never appears.