
1. no idea what to do next (Wed Jul 28, 2010 8:45 pm)

secondbest21 (Member)
I've run into some pretty nasty viruses in my day that I was eventually able to remove, but this one has me stumped. I am at the point where I was going to just reformat this guy's laptop, but either it will give me a STOP 0x0000007B blue screen at the end of the boot CD loading its files, telling me to check for viruses (and after a few seconds it will shut down), or it shuts down right before or while the boot CD is trying to load its files. I'm not being shut off from logging on to the computer, and on the desktop I see the tell-tale signs of it possibly being a Virut virus (pornotube, nudetube icons on the desktop). I can run a scan, but nothing I've used can remove everything, so like I said, I don't even want to try and remove the virus anymore, and reformatting seems to be the next best thing. The problem is I can't even do that! Where do I go from here?

2. Re: no idea what to do next (Wed Jul 28, 2010 9:34 pm)

Sneakyone (Secondary Administrator)

Hi, welcome to Helpmyos.com!

Are you able to boot into Safe Mode with Networking or Last Known Good Configuration?

3. Re: no idea what to do next (Wed Jul 28, 2010 9:45 pm)

secondbest21 (Member)

I am able to boot into Safe Mode, and I have already run Last Known Good Configuration...

4. Re: no idea what to do next (Wed Jul 28, 2010 10:07 pm)

Sneakyone (Secondary Administrator)
Hi.

Please run this in Safe Mode.

Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

Alternate link: Forospyware.com

Rename ComboFix.exe to commy.exe before you save it to your Desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
  • Click Start>Run, then copy and paste the following command into the Run box & click OK: "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

5. Re: no idea what to do next (Thu Jul 29, 2010 10:40 pm)

secondbest21 (Member)

Well, it took a while to get ComboFix to run without the computer shutting down, but not in Safe Mode (it wouldn't go past the 5th stage). Not sure if it'll run the same, but I still have the log just in case:


ComboFix 10-07-27.05 - Brundell 07/28/2010 21:33:59.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2813.1772 [GMT -4:00]
Running from: c:\users\Brundell\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\PlayMe
c:\program files\PlayMe\Uninstall.exe
c:\program files\Protection Center
c:\programdata\Microsoft\Windows\Start Menu\Programs\PlayMe
c:\programdata\Microsoft\Windows\Start Menu\Programs\PlayMe\Uninstall.lnk
c:\programdata\pragmamfeklnmal.dll
c:\users\Brundell\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Data Protection
c:\users\Brundell\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Data Protection\About.lnk
c:\users\Brundell\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Data Protection\Activate.lnk
c:\users\Brundell\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Data Protection\Buy.lnk
c:\users\Brundell\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Data Protection\Data Protection Support.lnk
c:\users\Brundell\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Data Protection\Data Protection.lnk
c:\users\Brundell\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Data Protection\Scan.lnk
c:\users\Brundell\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Data Protection\Settings.lnk
c:\users\Brundell\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Data Protection\Update.lnk
c:\users\Brundell\Desktop\Data Protection Support.lnk
c:\users\Brundell\Desktop\nudetube.com.lnk
c:\users\Brundell\Desktop\pornotube.com.lnk
c:\users\Brundell\Desktop\spam001.exe
c:\users\Brundell\Desktop\spam003.exe
c:\users\Brundell\Desktop\troj000.exe
c:\users\Brundell\Desktop\youporn.com.lnk
c:\users\Greg\AppData\Roaming\avdrn.dat
c:\users\Greg\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\PlayMe
c:\windows\PRAGMApoeprniosp
c:\windows\PRAGMApoeprniosp\pragmabbr.dll
c:\windows\PRAGMApoeprniosp\PRAGMAc.dll
c:\windows\PRAGMApoeprniosp\PRAGMAcfg.ini
c:\windows\PRAGMApoeprniosp\PRAGMAd.sys
c:\windows\PRAGMApoeprniosp\pragmaserf.dll
c:\windows\PRAGMApoeprniosp\PRAGMAsrcr.dat
c:\windows\system32\0042.DLL
c:\windows\system32\0044.DLL
c:\windows\system32\gaopdxcounter

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_gaopdxserv.sys
-------\Legacy_PRAGMAPOEPRNIOSP
-------\Service_gaopdxserv.sys
-------\Service_PRAGMApoeprniosp


((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-29 )))))))))))))))))))))))))))))))
.

2010-07-29 02:18 . 2010-07-29 02:18 -------- d-----w- c:\users\Default\AppData\Local\Symantec
2010-07-29 02:08 . 2010-07-29 02:13 -------- d-----w- c:\users\Brundell\AppData\Local\temp
2010-07-29 02:08 . 2010-07-29 02:08 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-07-29 02:08 . 2010-07-29 02:08 -------- d-----w- c:\users\Greg\AppData\Local\temp
2010-07-29 02:08 . 2010-07-29 02:21 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2010-07-28 23:33 . 2010-07-28 23:33 -------- d-----w- c:\users\Brundell\AppData\Roaming\Malwarebytes
2010-07-28 23:32 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-28 23:32 . 2010-07-28 23:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-28 23:32 . 2010-07-28 23:32 -------- d-----w- c:\programdata\Malwarebytes
2010-07-28 23:32 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-29 02:16 . 2010-06-10 23:30 -------- d-----w- c:\program files\Spyware Doctor
2010-07-29 01:16 . 2009-01-17 15:55 -------- d-----w- c:\users\Brundell\AppData\Roaming\Skype
2010-06-11 02:00 . 2010-05-13 00:49 975136 ----a-w- c:\programdata\Intuit\QuickBooks 2010\Components\DownloadQB20\Patch\qbpatch2.exe
2010-06-11 02:00 . 2010-05-13 00:49 44832 ----a-w- c:\programdata\Intuit\QuickBooks 2010\Components\DownloadQB20\Patch\qbpatch.exe
2010-06-11 00:01 . 2010-05-29 18:48 -------- d-----w- c:\program files\til
2010-06-10 23:59 . 2010-06-10 23:59 -------- d-----w- c:\users\Brundell\AppData\Roaming\U3
2010-06-10 23:32 . 2010-06-10 23:30 -------- d-----w- c:\programdata\PC Tools
2010-06-10 23:32 . 2010-06-10 23:30 -------- d-----w- c:\program files\Common Files\PC Tools
2010-06-10 23:30 . 2010-06-10 23:30 -------- d-----w- c:\users\Brundell\AppData\Roaming\PC Tools
2010-06-10 23:30 . 2009-09-08 01:36 -------- d-----w- c:\users\Brundell\AppData\Roaming\GetRightToGo
2010-06-10 23:07 . 2010-06-08 21:11 -------- d-----w- c:\program files\Symantec
2010-06-10 23:07 . 2010-06-10 23:07 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-06-10 23:07 . 2010-06-10 23:07 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-06-10 23:07 . 2010-06-10 23:07 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-06-10 23:06 . 2008-05-05 18:49 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-06-10 23:02 . 2010-05-20 18:15 0 ---ha-w- c:\windows\system32\wupd.dat
2010-06-09 00:04 . 2009-01-18 04:28 -------- d-----w- c:\program files\dvdSanta
2010-06-08 21:20 . 2008-05-05 18:50 -------- d-----w- c:\programdata\Symantec
2010-06-08 20:14 . 2009-12-26 16:46 -------- d-----w- c:\programdata\Norton
2010-05-25 23:25 . 2010-05-25 23:25 105184 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2010-05-25 23:24 . 2009-01-17 04:21 8224 ----a-w- c:\windows\system32\config\systemprofile\AppData\Local\GDIPFONTCACHEV1.DAT
2010-05-25 00:13 . 2010-05-13 23:37 5300 ----a-w- c:\programdata\Intuit\QuickBooks 2010\qbbackup.sys
2010-05-24 00:23 . 2010-05-20 18:14 5861 ----a-w- c:\windows\system32\WORK.DAT
2010-05-20 18:15 . 2010-05-20 18:15 12 ----a-w- c:\users\Greg\AppData\Roaming\kqyvwo.dat
2010-05-13 00:49 . 2010-05-13 00:49 348160 ----a-w- c:\programdata\Intuit\QuickBooks 2010\Components\DownloadQB20\Patch\msvcr71.dll
2010-05-13 00:49 . 2010-05-13 00:49 499712 ----a-w- c:\programdata\Intuit\QuickBooks 2010\Components\DownloadQB20\Patch\msvcp71.dll
2010-05-12 01:57 . 2009-01-17 17:13 105184 ----a-w- c:\users\Greg\AppData\Local\GDIPFONTCACHEV1.DAT
2010-05-12 01:31 . 2009-01-17 04:24 105184 ----a-w- c:\users\Brundell\AppData\Local\GDIPFONTCACHEV1.DAT
2010-05-07 04:34 . 2010-05-07 04:34 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-05-06 22:07 . 2010-05-06 22:06 23111 ----a-w- c:\windows\hpqins15.dat
2010-05-06 22:04 . 2010-05-06 22:01 77350 ----a-w- c:\windows\hpqins05.dat
2009-11-14 16:22 . 2009-11-14 16:22 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2009-01-17 04:23 . 2009-01-17 04:23 13 --sh--r- c:\windows\System32\drivers\fbd.sys
2009-01-17 04:23 . 2009-01-17 04:23 4 --sh--r- c:\windows\System32\drivers\taishop.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2009-04-02 19:47 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{442AE524-EBA5-4b17-82F3-888D68BC999A}]
2009-11-24 19:27 252416 ----a-w- c:\program files\oovootb\auxi\oovooAu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A1FB2F9A-D35E-11DD-8935-E46A56D89593}]
2009-11-24 21:35 87512 ----a-w- c:\program files\oovootb\oovoodx.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]
"{A1FB2F9A-D35E-11DD-8935-E46A56D89593}"= "c:\program files\oovootb\oovoodx.dll" [2009-11-24 87512]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CLASSES_ROOT\clsid\{a1fb2f9a-d35e-11dd-8935-e46a56d89593}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"RtHDVCpl"="RtHDVCpl.exe" [2008-04-08 6037504]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2008-04-29 417792]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-07 1029416]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-02-06 431456]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2007-11-01 54608]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-06-16 448080]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-03-19 716800]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-11-14 30192]
"NDSTray.exe"="NDSTray.exe" [BU]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2008-01-21 215552]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2009-11-26 1087752]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-07-09 115560]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2010-01-18 1286608]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-12-8 1153824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

R2 gupdate1ca0a484a3d0af0;Google Update Service (gupdate1ca0a484a3d0af0);c:\program files\Google\Update\GoogleUpdate.exe [2009-07-21 133104]
R3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2009-11-14 30192]
R3 IO_Memory;IO_Memory;c:\windows\SYSTEM32\SYSPREP\Drivers\ioport.sys [x]
R3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\Jumpstart\jswpsapi.exe [2008-04-16 954368]
R3 samhid;samhid;c:\windows\system32\drivers\samhid.sys [2006-01-07 7548]
R3 SVRPEDRV;SVRPEDRV;c:\windows\System32\sysprep\PEDrv.sys [2008-01-18 9216]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-09-23 207280]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2010-02-02 51984]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2010-02-02 59664]
S1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\DRIVERS\jswpslwf.sys [2008-04-29 20384]
S1 pctgntdi;pctgntdi;c:\windows\System32\drivers\pctgntdi.sys [2010-02-05 233136]
S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2008-04-17 40960]
S2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-12-09 365280]
S2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [2007-12-04 126976]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-06-10 102448]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]
S3 pctplsg;pctplsg;c:\windows\System32\drivers\pctplsg.sys [2010-02-05 70408]
S3 SmartFaceVWatchSrv;SmartFaceVWatchSrv;c:\program files\TOSHIBA\SmartFaceV\SmartFaceVWatchSrv.exe [2008-04-25 73728]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2010-02-02 33552]
S3 ThreatFire;ThreatFire;c:\program files\Spyware Doctor\TFEngine\TFService.exe service [x]


--- Other Services/Drivers In Memory ---

*Deregistered* - PCTSDInjDriver32

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPService REG_MULTI_SZ HPSLPSVC
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
Contents of the 'Scheduled Tasks' folder

2010-07-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-21 21:14]

2010-07-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-21 21:14]
.
.
------- Supplementary Scan -------
.
TCP: {08545B9A-961B-49E3-B7AE-4840F6B466AD} = 93.188.165.167,93.188.161.171
TCP: {B19879ED-EB14-4C56-A4F1-6378E911A908} = 93.188.165.167,93.188.161.171
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll
FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
BHO-{99E00A4C-D35E-11DD-BA95-9B6A56D89593} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
Toolbar-Locked - (no file)
HKLM-Run-jswtrayutil - c:\program files\Jumpstart\jswtrayutil.exe
HKLM-Run-cfFncEnabler.exe - cfFncEnabler.exe
HKLM-Run-hpqSRMon - (no file)
SafeBoot-Symantec Antvirus



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-28 22:21
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(780)
c:\program files\Spyware Doctor\TFEngine\TFWAH.dll

- - - - - - - > 'lsass.exe'(700)
c:\program files\Spyware Doctor\TFEngine\TFWAH.dll

- - - - - - - > 'Explorer.exe'(5000)
c:\program files\Spyware Doctor\pctgmhk.dll
c:\program files\Spyware Doctor\TFEngine\TfWah.dll
c:\windows\system32\msi.dll
c:\windows\system32\eappprxy.dll
c:\windows\system32\eappcfg.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\windows\system32\WLANExt.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\toshiba\IVP\ISM\pinger.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\Spyware Doctor\pctsSvc.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\program files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\windows\system32\TODDSrv.exe
c:\program files\TOSHIBA\Power Saver\TosCoSrv.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Spyware Doctor\TFEngine\TFService.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\windows\RtHDVCpl.exe
c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\program files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
c:\program files\TOSHIBA\ConfigFree\CFSwMgr.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
.
**************************************************************************
.
Completion time: 2010-07-28 22:46:25 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-29 02:46

Pre-Run: 112,037,044,224 bytes free
Post-Run: 147,473,240,064 bytes free

- - End Of File - - 23774317EDAA41BADF49FA333E2A6DAC

6. Re: no idea what to do next (Thu Jul 29, 2010 10:44 pm)

Sneakyone (Secondary Administrator)
Hi.

That seems to have removed a nasty rootkit which probably came from the rogue security software.

Please download Malwarebytes Anti-Malware from Here.


Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

7. Re: no idea what to do next (Thu Jul 29, 2010 11:06 pm)

secondbest21 (Member)

I thought this program was familiar. I tried running this before but it wouldn't work. I received this error message:

An error has occurred. please report this error code to our support team.

MBAM_ERROR--UPDATING (0,0,WinHttpSendRequest)

8. Re: no idea what to do next (Thu Jul 29, 2010 11:20 pm)

Sneakyone (Secondary Administrator)
Hi.

Remove the proxy setting in Internet Explorer and/or in Firefox.

In IE: Tools Menu -> Internet Options -> Connections Tab -> LAN Settings -> uncheck "Use a proxy server", or reconfigure the proxy server again in case you have set it previously.

In Firefox: Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection -> choose "No Proxy".

Click the Apply button and restart that computer in normal mode.

9. Re: no idea what to do next (Thu Jul 29, 2010 11:58 pm)

secondbest21 (Member)
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.18904

7/29/2010 11:22:16 PM
mbam-log-2010-07-29 (23-22-16).txt

Scan type: Quick scan
Objects scanned: 138265
Time elapsed: 13 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{08545b9a-961b-49e3-b7ae-4840f6b466ad}\NameServer (Trojan.DNSChanger) -> Data: 93.188.165.167,93.188.161.171 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b19879ed-eb14-4c56-a4f1-6378e911a908}\NameServer (Trojan.DNSChanger) -> Data: 93.188.165.167,93.188.161.171 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Brundell\Desktop\Click to Find and Fix Errors.lnk (Rogue.Link) -> Quarantined and deleted successfully.
C:\Windows\System32\WORK.DAT (Malware.Trace) -> Quarantined and deleted successfully.
C:\Windows\System32\wupd.dat (Malware.Trace) -> Quarantined and deleted successfully.

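The MBAM log above flags as Trojan.DNSChanger the same two 93.188.x.x resolvers that ComboFix had listed per interface under "Supplementary Scan" (the "TCP:" lines), and the ComboFix "Reg Loading Points" section also showed UAC turned off and Security Center monitoring of the AV disabled. The following is an added example, not code from ComboFix or Malwarebytes, that triages a ComboFix log for exactly those indicators: it parses the TCP: lines, reports any resolver not on an allowlist of expected DNS servers, and reports the weakened registry settings. The sample log is a constructed excerpt in the same line formats as the log posted above.

```python
"""Triage a ComboFix log for DNS-hijack indicators and weakened security settings."""
import re
from typing import Dict, List, Set, Tuple

# Constructed excerpt modelled on the ComboFix log posted in this thread.
SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\policies\\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

------- Supplementary Scan -------
.
TCP: {08545B9A-961B-49E3-B7AE-4840F6B466AD} = 93.188.165.167,93.188.161.171
TCP: {B19879ED-EB14-4C56-A4F1-6378E911A908} = 93.188.165.167,93.188.161.171
TCP: {11111111-2222-3333-4444-555555555555} = 192.168.1.1
"""

# "TCP: {interface GUID} = resolver[,resolver...]" as ComboFix prints it.
TCP_LINE = re.compile(r"^TCP:\s*(\{[0-9A-Fa-f-]+\})\s*=\s*(.+?)\s*$")
# REGEDIT4-style key header and numeric value lines in "Reg Loading Points".
# ComboFix prints either '"Name"= 0 (0x0)' or '"Name"=dword:00000001'.
KEY_LINE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
DWORD_LINE = re.compile(r'^"(\w+)"\s*=\s*(dword:)?([0-9A-Fa-f]+)(?:\s|$)')

# (lower-case key path fragment, value name, value that weakens defences, why)
WEAK_SETTINGS = [
    ("policies\\system", "EnableLUA", 0, "UAC disabled"),
    ("security center\\monitoring", "DisableMonitoring", 1,
     "Security Center monitoring of the AV product disabled"),
]


def parse_nameservers(log: str) -> Dict[str, List[str]]:
    """Return {interface GUID: [DNS server IPs]} from the TCP: lines."""
    servers: Dict[str, List[str]] = {}
    for line in log.splitlines():
        m = TCP_LINE.match(line.strip())
        if m:
            ips = [ip.strip() for ip in m.group(2).split(",") if ip.strip()]
            servers[m.group(1).upper()] = ips
    return servers


def find_dns_hijack(log: str, trusted: Set[str]) -> List[Tuple[str, str]]:
    """Return (GUID, resolver) pairs whose resolver is not on the allowlist."""
    return [(guid, ip)
            for guid, ips in parse_nameservers(log).items()
            for ip in ips if ip not in trusted]


def find_weakened_settings(log: str) -> List[str]:
    """Return readable findings for registry values that weaken defences."""
    findings: List[str] = []
    current_key = ""
    for line in log.splitlines():
        k = KEY_LINE.match(line.strip())
        if k:
            current_key = k.group(1).lower()
            continue
        v = DWORD_LINE.match(line.strip())
        if not v:
            continue
        name, is_hex, raw = v.groups()
        value = int(raw, 16) if is_hex else int(raw, 10)
        for key_part, want_name, bad_value, why in WEAK_SETTINGS:
            if key_part in current_key and name == want_name and value == bad_value:
                findings.append(f"{why}: {name}={value} under {current_key}")
    return findings


if __name__ == "__main__":
    # Only the LAN router is an expected resolver in this constructed case.
    for guid, ip in find_dns_hijack(SAMPLE_LOG, {"192.168.1.1"}):
        print(f"unexpected DNS server {ip} on interface {guid}")
    for finding in find_weakened_settings(SAMPLE_LOG):
        print(finding)
```

The allowlist should hold the resolvers the machine is supposed to use (the router, the ISP's or corporate DNS); anything else on an interface is worth the same scrutiny MBAM gave it here.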
10. Re: no idea what to do next (Fri Jul 30, 2010 12:12 am)

Sneakyone (Secondary Administrator)
Hi.

Could you please try updating now?

11. Re: no idea what to do next (Fri Jul 30, 2010 5:44 am)

secondbest21 (Member)

I sure did!


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4369

Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.18904

7/30/2010 5:42:27 AM
mbam-log-2010-07-30 (05-42-27).txt

Scan type: Quick scan
Objects scanned: 152645
Time elapsed: 15 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\24d1ca9a-a864-4f7b-86fe-495eb56529d8 (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\7bde84a2-f58f-46ec-9eac-f1f90fead080 (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

12. Re: no idea what to do next (Fri Jul 30, 2010 2:33 pm)

Sneakyone (Secondary Administrator)
Hi.

Please run a free online scan with the ESET Online Scanner.
Note: You will need to use Internet Explorer for this scan.

  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

13. Re: no idea what to do next (Mon Aug 02, 2010 8:05 pm)

secondbest21 (Member)
ESETSmartInstaller@High as downloader log:
all ok
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=679f3f1f06b1714ea127ca936ce14ab7
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-08-02 11:58:59
# local_time=2010-08-02 07:58:59 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.0.6001 NT Service Pack 1
# compatibility_mode=1024 16777215 100 0 41553306 41553306 0 0
# compatibility_mode=2304 16777215 100 0 0 0 0 0
# compatibility_mode=2560 16777215 100 0 0 0 0 0
# compatibility_mode=3584 16777215 100 0 0 0 0 0
# compatibility_mode=5892 16776638 100 95 78974518 117386555 0 0
# compatibility_mode=8192 67108863 100 0 165785 165785 0 0
# scanned=179801
# found=9
# cleaned=9
# scan_time=14632
C:\Qoobox\Quarantine\C\Windows\PRAGMApoeprniosp\pragmabbr.dll.vir a variant of Win32/Kryptik.ENE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Windows\PRAGMApoeprniosp\PRAGMAd.sys.vir a variant of Win32/Rootkit.Kryptik.AZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Windows\PRAGMApoeprniosp\pragmaserf.dll.vir a variant of Win32/Kryptik.ENE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Windows\system32\0042.DLL.vir a variant of Win32/Witkinat.Q trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Windows\system32\0044.DLL.vir Win32/Witkinat.P trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Brundell\AppData\Local\temp\Av-test.txt Eicar test file (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Brundell\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\19\7cc87393-37544718 Java/TrojanDownloader.Agent.NAM trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\Brundell\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\63937d7a-64cbbd81 Java/TrojanDownloader.Agent.NBE trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\Greg\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\3252080c-1be57f9f multiple threats (deleted - quarantined) 00000000000000000000000000000000 C

14. Re: no idea what to do next (Mon Aug 02, 2010 9:31 pm)

Sneakyone (Secondary Administrator)
Hi.

How is your computer running now?

15. Re: no idea what to do next (Tue Aug 03, 2010 12:07 am)

secondbest21 (Member)

It's running pretty good, and I don't think I need to re-install Vista, either. Very good, sir. Thank you very much...
