
I got hit with the Windows Police Pro virus, and it has locked up everything. I can't get into Control Panel, Task Manager, hell, not even the calculator. I have tried every command listed for restarting Task Manager or regedit, but can't get access. I can't even log into Safe Mode. I don't know what else to try. Now I'm posting on an old computer. I am completely stumped here. I was able to run a virus program that has deleted a lot of viruses, but I am still locked out. Please, any help would be great. Thanks.


-- Do you have a flash drive to transfer tools and scanlogs between computers?

-- Can you get a command prompt on the ill machine?
START > RUN > type cmd > OK
or
START > RUN > type command.com > OK

Let me know.

PP :)


yes to both questions


Yes, I can get the command prompt and have a flash drive.


Allrightythen!

You'll need to put these tools on your flash drive:

http://ad13.geekstogo.com/Win32kDiag.exe
http://swandog46.geekstogo.com/avenger.zip
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
With combofix, what I want you to do, though, is this:
When you download it and it asks you to "Save File As," rename combofix to Combo-Fix and then download it to working compy and put it on the flash drive.
FindWPP.zip
DDS by sUBs
http://download.sysinternals.com/Files/Junction.zip
http://www.raktor.net/exeHelper/exeHelper.com
http://download.bleepingcomputer.com/sUBs/MiniFixes/Inherit.exe
SysProt Anti-Rootkit


Then, see if you are able to copy these to the desktop:
-- FindWPP.zip
-- Win32kDiag.exe
-- Combo-fix.exe

Let me know how you fare.

PP :)



OK, they are there.

With the three tools now on the Desktop, try this:

-- See if combofix will run. If not, try RightClick on it and Run As Administrator.

If it runs, let it finish and post the log.

If no combofix, then Extract the FindWPP folder from the FindWPP.ZIP
In the folder you'll find RunThis.bat
Run it and post me the log.

Let me know how you fare.

PP :)


OK, doing it now.


With both I get a message saying registry editing is disabled by the administrator.


Open a command prompt and type %userprofile%\desktop\combo-fix.exe /KillAll ENTER
Note there is a space here --> .exe<space>/KillAll

EDIT: Try using command.com to open prompt if that fails.



Says combo-fix.exe is not a recognizable command.

Is combo-fix.exe on the desktop? You did rename it and it is not combofix (w/out dash)?

Click START > Run > type command.com to open the command prompt and then type:

cd %userprofile%\desktop ENTER
then type
combo-fix.exe /KillAll ENTER (or combofix.exe if not renamed)

It should run - let me know.

PP :)


Now it says the installation files for ComboFix are corrupted. I cannot get it to install at all.


OK - let's try something else for the time being:
RightClick on FindWPP.ZIP and Extract the FindWPP folder from the ZIP to the desktop.
In the FindWPP folder you'll find RunThis.bat
Run it and post me the log.

With any luck, that will work ok...


Nope, I get a message saying registry editing has been disabled by the administrator. This is making me feel dumb.


This is the worst malware I've seen in 6+ years of volunteering in forums . . . and I've seen some doozies!

-- Were you able to extract the FindWPP folder from the ZIP?
If so:
Click START > Run > type command.com to open the command prompt and then type:

cd %userprofile%\desktop\FindWPP ENTER
then type
RunThis.bat ENTER


If that doesn't work:
Click START > Run > type command.com to open the command prompt and then type:

cd %userprofile%\desktop ENTER
then type
Win32kDiag.exe ENTER

If that runs, allow it to run until it finishes (it will say "finished")
Post the log.

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

If no joy with any of the above, move Inherit.exe from your flash drive to the Desktop.
Then, drag and drop Win32kDiag.exe onto Inherit.exe on the desktop. After a few seconds, a dialog box should pop up saying "OK".
If that works, try to run Win32kDiag.exe again.

PP :)



OK, I'll try that, lol. Told ya this was bad.

I've seen a lot of this baddie - It comes in different flavors and different degrees of difficulty.
Most of the compys I see this on have a lot of P2P apps.....


Win32kDiag ran, but didn't list anything, just said "warning: could not get backup privileges", and dragging and dropping onto Inherit did nothing at all.


It takes a while to run - Try it again.

Let it run until it says "Finished. Press any key . . . ."
The log will be on the desktop.

PP :)


Have to go pick up the ole lady from work. I'll be back in a while.


No worries - heading out for a bit myself.

-- The win32kdiag log will say "Finished!" at the bottom if it completed.
If not, run it again - let it run while you are away. Should be plenty of time.

PP :)



Here is the entire log from Win32kDiag. Don't laugh, lol.

Running from: C:\Documents and Settings\Owner\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Owner\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Finished!


That's it.


Not laughing - that is actually good.

Delete your copy of combofix and download a fresh one and see if it runs. Maybe the last DL really was corrupted?

PP :)


Combo-Fix finally ran. Here is the log; let me know if I'm OK, or if there is still a problem. I am posting this from the infected comp, lol, so I have made some progress.

ComboFix 09-10-22.01 - Owner 10/23/2009 15:54.2.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1534.1034 [GMT -5:00]
Running from: K:\Combo-Fix.exe
AV: Norton AntiVirus 2005 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Worm Protection *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Windows Police Pro
c:\recycler\S-1-5-21-1410423812-864733819-4253876692-1003
c:\windows\system32\FInstall.sys
c:\windows\system32\Install.txt
c:\windows\system32\schtml
c:\windows\system32\skynet.dat
c:\windows\system32\winhelper.dll
c:\windows\system32\winupdate.exe
c:\windows\system32\yajqpcnyz.dll
c:\windows\TEMP\mta13187.dll
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Service_6to4


((((((((((((((((((((((((( Files Created from 2009-09-23 to 2009-10-23 )))))))))))))))))))))))))))))))
.

2009-10-23 19:51 . 2009-10-23 20:01 -------- d-----w- C:\Combo-Fix
2009-10-23 19:28 . 2009-10-23 20:51 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-22 00:07 . 2009-10-22 00:07 -------- d-----w- C:\PKBTEMP
2009-10-21 04:50 . 2009-10-21 04:50 -------- d-----w- C:\Virus Removal Tool3
2009-10-21 04:50 . 2008-07-08 19:54 148496 ----a-w- c:\windows\system32\drivers\82378402.sys
2009-10-21 04:25 . 2008-07-08 19:54 148496 ----a-w- c:\windows\system32\drivers\74731399.sys
2009-10-21 04:08 . 2008-07-08 19:54 148496 ----a-w- c:\windows\system32\drivers\53482418.sys
2009-10-20 22:52 . 2008-07-08 19:54 148496 ----a-w- c:\windows\system32\drivers\66422679.sys
2009-10-20 20:25 . 2009-10-23 21:03 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-20 19:57 . 2009-10-20 19:57 -------- d-----w- c:\documents and settings\Owner\Application Data\Sammsoft
2009-10-20 19:57 . 2009-10-20 19:57 -------- d-----w- c:\program files\MemTurbo 4
2009-10-20 19:56 . 2009-10-20 19:56 -------- d-----w- c:\program files\Advanced Registry Optimizer
2009-10-20 19:36 . 2009-10-20 19:36 1152 ----a-w- c:\windows\system32\windrv.sys
2009-10-20 19:36 . 2009-10-20 19:39 -------- d-----w- c:\program files\SpyNoMore
2009-10-20 05:13 . 2009-10-20 05:13 -------- d-----w- C:\temp
2009-10-19 22:11 . 2009-10-23 17:57 0 ----a-w- c:\windows\Egituvovepurifum.bin
2009-10-19 22:11 . 2009-10-19 22:11 120 ----a-w- c:\windows\Xfikocif.dat
2009-10-19 22:11 . 2009-10-19 22:11 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\{F3FC9B77-9787-4438-A46D-310B483E5F58}
2009-10-19 22:08 . 2009-10-20 04:14 58 ----a-w- c:\windows\wp4.dat
2009-10-19 22:08 . 2009-10-20 04:14 3 ----a-w- c:\windows\wp3.dat
2009-10-19 22:08 . 2009-10-20 03:57 577024 ----a-w- c:\windows\system32\plugie.dll
2009-10-19 22:07 . 2009-10-19 22:07 248320 ----a-w- C:\dtacmawh.exe
2009-10-19 22:07 . 2009-10-19 22:07 50688 ----a-w- C:\buxuhto.exe
2009-10-14 17:33 . 2009-10-14 17:33 -------- d-----w- C:\users
2009-10-05 19:49 . 2009-10-05 19:49 -------- d-----w- c:\documents and settings\Owner\Application Data\Acreon
2009-10-05 19:49 . 2009-10-05 20:03 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\._Revolution_

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-23 21:01 . 2009-10-20 20:26 -------- d-----w- c:\program files\Spyware Doctor
2009-09-11 14:18 . 2004-08-26 16:12 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2004-08-26 16:12 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-03 14:45 . 2009-10-20 20:26 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-08-29 07:36 . 2004-08-26 16:12 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2004-08-26 16:11 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2004-08-26 16:11 17408 ------w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2004-08-26 16:12 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-25 18:53 . 2009-08-25 18:53 -------- d-----w- c:\program files\Curse
2009-08-25 07:02 . 2009-08-25 07:02 138784 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-08-25 06:46 . 2009-08-25 06:46 -------- d-----w- c:\documents and settings\Owner\Application Data\You've Got Pictures Screensaver
2009-08-05 09:01 . 2004-08-26 16:12 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 2004-08-26 16:12 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-04 05:59 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{472734EA-242A-422B-ADF8-83D1E48CC825}"= "c:\program files\Spyware Doctor\BDT\PCTBrowserDefender.dll" [2009-10-08 395216]

[HKEY_CLASSES_ROOT\clsid\{472734ea-242a-422b-adf8-83d1e48cc825}]
[HKEY_CLASSES_ROOT\BrowserDefender.BDToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{175B7885-28AB-4D18-8773-7A13A99980A4}]
[HKEY_CLASSES_ROOT\BrowserDefender.BDToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-16 68856]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
"CurseClient"="c:\program files\Curse\CurseClient.exe" [2009-06-08 1934336]
"AROReminder"="c:\program files\Advanced Registry Optimizer\ARO.exe" [2008-08-22 2084480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MCUpdateExe"="c:\progra~1\McAfee.com\Agent\McUpdate.exe" [2004-10-03 184320]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-12-18 98304]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-03 13529088]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2007-08-31 988584]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"MCAgentExe"="c:\progra~1\McAfee.com\Agent\McAgent.exe" [2004-08-18 245760]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-03 86016]
"Launch LGDCore"="c:\program files\Logitech\G-series Software\LGDCore.exe" [2006-03-06 1122304]
"Launch LCDMon"="c:\program files\Logitech\G-series Software\LCDMon.exe" [2006-03-06 497152]
"_AntiSpyware"="c:\program files\McAfee\McAfee AntiSpyware\MssCli.exe" [2004-10-19 114688]
"SNM"="c:\program files\SpyNoMore\SNM.exe" [2009-10-08 1067472]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2009-09-22 1243088]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-03 1630208]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
is-EG980.lnk - c:\virus removal tool3\is-EG980\startup.exe [2009-10-20 65536]
is-PF3E8.lnk - c:\documents and settings\Owner\Desktop\Virus Removal Tool\is-PF3E8\startup.exe [2009-10-20 65536]
is-T85FS.lnk - c:\documents and settings\Owner\Desktop\Virus Removal Tool2\is-T85FS\startup.exe [2009-10-20 65536]
is-VGQHM.lnk - c:\documents and settings\Owner\Desktop\Virus Removal Tool1\is-VGQHM\startup.exe [2009-10-20 65536]
MemTurbo.lnk - c:\program files\MemTurbo 4\MemTurbo.exe [2009-10-20 3121760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - c:\program files\BigFix\BigFix.exe [2006-12-17 1742384]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{F2A0229A-C4CA-4789-B606-973D24DCDD1C}"= "c:\program files\McAfee\McAfee AntiSpyware\MssShell.dll" [2004-10-19 86016]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli inexmprx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Parallel Arbitrator]
@="Driver Group"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.4.6314-to-2.0.5.6320-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.5.6320-enUS-downloader.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.5.6320-to-2.0.6.6337-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\Repair.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.6.6337-to-2.0.7.6383-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccSetMgr.exe"=
"c:\\Program Files\\Norton AntiVirus\\navapsvc.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
"c:\\Program Files\\Norton AntiVirus\\IWP\\NPFMntor.exe"=
"c:\\Program Files\\Microsoft IntelliPoint\\ipoint.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"4453:TCP"= 4453:TCP:Ventrilo

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [10/20/2009 3:26 PM 207280]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [10/20/2009 3:26 PM 112592]
R2 BtwSrv;BtwSrv;c:\windows\system32\svchost.exe -k netsvcs [8/26/2004 11:12 AM 14336]
R2 fastnetsrv;fastnetsrv Service;c:\windows\system32\FastNetSrv.exe [8/4/2004 2:00 PM 94720]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [10/20/2009 3:26 PM 358600]
S3 bfastfao;bfastfao;\??\c:\docume~1\Owner\LOCALS~1\Temp\bfastfao.sys --> c:\docume~1\Owner\LOCALS~1\Temp\bfastfao.sys [?]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2/10/2009 9:09 PM 17149]
S3 PID_0920;Logitech QuickCam Express(PID_0920);c:\windows\system32\drivers\LV532AV.SYS [8/8/2009 1:38 AM 152576]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - BTWSRV
*Deregistered* - PCTSDInjDriver32

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
BtwSrv
.
Contents of the 'Scheduled Tasks' folder

2009-10-17 c:\windows\Tasks\McAfee AntiSpyware.job
- c:\progra~1\McAfee\MCAFEE~1\McSpy.exe [2004-10-19 09:00]

2009-10-23 c:\windows\Tasks\McAfee.com Update Check (YOUR-9BF74649F1-Owner).job
- c:\progra~1\McAfee.com\Agent\mcupdate.exe [2006-12-18 00:34]

2006-12-18 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2006-12-18 01:26]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: {{5E72AD5A-20DF-4ca4-9B7B-D9717FFDE0C5} - c:\documents and settings\Owner\Start Menu\Programs\Absolute Poker Basic\Absolute Poker Basic.lnk
DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} - hxxp://www.myheritage.com/Genoogle/Components/ActiveX/SearchEngineQuery.dll
.
- - - - ORPHANS REMOVED - - - -

BHO-{A2234B15-23F2-42AD-F4E4-00AAC39C0004} - c:\windows\system32\yajqpcnyz.dll
BHO-{da2da561-7dfe-421f-92d5-fb719a21110c} - lazenuhu.dll
HKLM-Run-Svetokuyepebeham - c:\windows\eqinuhec.dll
HKLM-Run-fesikiyuz - c:\windows\system32\nawafivo.dll
HKLM-Run-behizamelo - dahowoze.dll
SharedTaskScheduler-{183d6915-328c-4dde-99dc-e6cf19b8436c} - c:\windows\system32\nawafivo.dll
SharedTaskScheduler-{A2234B15-23F2-42AD-F4E4-00AAC39C0004} - c:\windows\system32\yajqpcnyz.dll
SSODL-labenikuz-{183d6915-328c-4dde-99dc-e6cf19b8436c} - c:\windows\system32\nawafivo.dll
SafeBoot-AloPar.sys
AddRemove-AOL Toolbar - c:\program files\AOL Toolbar\UNWISE.EXE
AddRemove-CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200014F1 - c:\program files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200014F1\HXFSETUP.EXE
AddRemove-Gamevance - c:\program files\Gamevance\gvun.exe
AddRemove-SystemRequirementsLab - c:\program files\SystemRequirementsLab\Uninstall.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-23 16:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-115497888-4204467973-748799179-1003\*! V*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"MachineID"=hex:b6,c5,bd,39,ba,c4,8d,00

[HKEY_USERS\S-1-5-21-115497888-4204467973-748799179-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:59,ed,15,8f,78,72,f9,ba,ea,90,b5,d6,e5,59,5c,8b,35,a6,fe,80,4a,c3,07,
27,9b,2c,08,9e,59,10,23,48,2e,39,27,ff,40,ea,ac,10,87,9a,76,1e,41,37,a0,70,\
"??"=hex:eb,1f,2d,b0,11,61,84,98,d8,d0,2d,fb,cd,d2,c6,97
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(788)
c:\windows\inexmprx.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1840)
c:\windows\system32\WININET.dll
c:\program files\Spyware Doctor\pctgmhk.dll
c:\windows\system32\nview.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\inexmprx.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\combo-fix10925c\CF30493.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\McAfee AntiSpyware\Msssrv.exe
c:\program files\Norton AntiVirus\navapsvc.exe
c:\program files\Norton AntiVirus\IWP\NPFMntor.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Spyware Doctor\pctsSvc.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wmdtc.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\rundll32.exe
c:\program files\Microsoft IntelliPoint\dpupdchk.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\Rundll32.exe
c:\windows\system32\Rundll32.exe
c:\program files\Logitech\G-series Software\Applets\LCDPop3\LCDPOP3.exe
c:\program files\Logitech\G-series Software\Applets\LCDCountdown\LCDCountdown.exe
c:\program files\Logitech\G-series Software\Applets\LCDMedia.exe
c:\program files\Logitech\G-series Software\Applets\LCDClock.exe
c:\virus removal tool3\is-EG980\is-EG980.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
c:\windows\system32\lsm32.sys
c:\combo-fix10925c\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-23 16:10 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-23 21:10

Pre-Run: 136,423,444,480 bytes free
Post-Run: 136,324,411,392 bytes free

- - End Of File - - DCF65DC9F77F0F8BFEAF3074F7C47532


Running from: K:\Combo-Fix.exe


There is still a lot to be done - You made some good progress, though.

-- Looks like you ran combofix from the flash drive. That's fine, but now we need to download a fresh copy to the Desktop of ill machine. I'm just going to copy&paste my standard instructions:

If you already have Combofix on your machine, DELETE it.

Then follow the instructions in the link below to download a fresh copy of Combofix and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

What I want you to do, though, is this:
When you download it and it asks you to "Save File As," rename combofix to Combo-Fix and then download it to your Desktop as that and follow the instructions in the linky very carefully to run it and then post the combofix log for me.
Be sure to install Recovery Console (if you are able to do so) and disable any other security programs or Anti-Virus programs as per the linky before running Combofix!

Post me that log and we'll go from there.

PP :)

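An added example, not part of this thread and not ComboFix's own code: a small Python triage script that reads a ComboFix log like the one posted above and pulls out the items a responder would check first. The LOG string is a constructed excerpt of the posted log (the LSA Notification Packages line, the two Security Center DisableMonitoring keys, two service lines and the DLLs listed under lsass.exe and explorer.exe). The defaults it compares against (scecli as the only stock LSA notification package, c:\windows\system32 as the only directory lsass.exe should load DLLs from) and the Temp-path heuristic are this example's assumptions, not anything ComboFix itself reports.

```python
"""Triage a ComboFix log for the persistence tricks visible in the thread above.

Added example, not part of the thread or of ComboFix. LOG is a constructed excerpt of the
posted log; DEFAULT_LSA_PACKAGES, TRUSTED_DIRS and the heuristics are assumptions."""
import re

LOG = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli inexmprx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R2 BtwSrv;BtwSrv;c:\windows\system32\svchost.exe -k netsvcs [8/26/2004 11:12 AM 14336]
S3 bfastfao;bfastfao;\??\c:\docume~1\Owner\LOCALS~1\Temp\bfastfao.sys --> c:\docume~1\Owner\LOCALS~1\Temp\bfastfao.sys [?]

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(788)
c:\windows\inexmprx.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1840)
c:\windows\system32\WININET.dll
c:\windows\inexmprx.dll
"""

DEFAULT_LSA_PACKAGES = {"scecli"}  # assumption: a stock XP box registers only scecli
TRUSTED_DIRS = ("c:\\windows\\system32\\",)  # assumption: lsass.exe should load DLLs only from here
SERVICE_LINE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+?)(?: -->.*)? \[", re.M)
PROC_HEADER = re.compile(r"^(?:- )+> '([^']+)'\((\d+)\)\s*$")
DISABLED_MON = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\(\w+)\]\n"
    r'"DisableMonitoring"=dword:00000001', re.M | re.I)


def _stem(name):
    """'inexmprx.dll' -> 'inexmprx'; ComboFix lists some packages with the extension, some without."""
    name = name.lower()
    return name[:-4] if name.endswith(".dll") else name


def lsa_notification_packages(log):
    """Non-default LSA notification packages: loaded into lsass.exe at boot, told of every password change."""
    m = re.search(r"^Notification Packages\s+REG_MULTI_SZ\s+(.*)$", log, re.M)
    return [p for p in m.group(1).split() if _stem(p) not in DEFAULT_LSA_PACKAGES] if m else []


def disabled_security_center_monitoring(log):
    """Security Center providers whose monitoring was switched off (the user stops getting AV/firewall warnings)."""
    return DISABLED_MON.findall(log)


def services_in_temp(log):
    """(name, image path) of services/drivers whose binary lives under a Temp folder."""
    return [(name, path) for _state, name, _display, path in SERVICE_LINE.findall(log)
            if re.search(r"\\temp\\", path, re.I)]


def dlls_by_process(log):
    """Parse the 'DLLs Loaded Under Running Processes' section into {process: [dll, ...]}."""
    result, current = {}, None
    for line in log.splitlines():
        header = PROC_HEADER.match(line)
        if header:
            current = header.group(1).lower()
            result[current] = []
        elif not line.strip():
            current = None  # a blank line closes the process block
        elif current is not None and re.match(r"[a-z]:\\", line, re.I):
            result[current].append(line.strip())
    return result


def foreign_dlls_in_lsass(log):
    """DLLs mapped into lsass.exe from outside TRUSTED_DIRS."""
    return [d for d in dlls_by_process(log).get("lsass.exe", [])
            if not d.lower().startswith(TRUSTED_DIRS)]


def triage(log):
    """One finding per suspicious item, in the order a responder would check them."""
    return ([f"LSA notification package not in defaults: {p}" for p in lsa_notification_packages(log)]
            + [f"Security Center monitoring disabled for {p}" for p in disabled_security_center_monitoring(log)]
            + [f"service {n} loads from a Temp path: {p}" for n, p in services_in_temp(log)]
            + [f"DLL in lsass.exe outside trusted dirs: {d}" for d in foreign_dlls_in_lsass(log)])


if __name__ == "__main__":
    for finding in triage(LOG):
        print(finding)
```

Run as-is it reports five findings from the excerpt; pass the full log text to triage() to scan a real one. The LSA notification package entry is the one that matters most: a DLL listed there is loaded into lsass.exe at boot and is called with every password change, so it is both a persistence mechanism and a credential tap, which lines up with inexmprx.dll appearing under lsass.exe in the "DLLs Loaded Under Running Processes" section of the posted log.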

OK, downloaded it to the infected computer and ran it again. I have full access to everything but wanna be sure that the virus is gone. Here is the second log you asked for.

ComboFix 09-10-23.01 - Owner 10/24/2009 10:49.3.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1534.992 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
AV: Norton AntiVirus 2005 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Worm Protection *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Install.txt
c:\windows\system32\FInstall.sys
c:\windows\system32\Install.txt
c:\windows\TEMP\mta13187.dll

.
((((((((((((((((((((((((( Files Created from 2009-09-24 to 2009-10-24 )))))))))))))))))))))))))))))))
.

2009-10-23 21:08 . 2009-10-23 21:08 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\{F3FC9B77-9787-4438-A46D-310B483E5F58}
2009-10-23 20:53 . 2009-10-23 21:11 -------- d-----w- C:\Combo-Fix10925C
2009-10-23 19:51 . 2009-10-23 20:01 -------- d-----w- C:\Combo-Fix
2009-10-23 19:28 . 2009-10-23 20:51 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-22 00:07 . 2009-10-22 00:07 -------- d-----w- C:\PKBTEMP
2009-10-21 04:50 . 2009-10-21 04:50 -------- d-----w- C:\Virus Removal Tool3
2009-10-21 04:50 . 2008-07-08 19:54 148496 ----a-w- c:\windows\system32\drivers\82378402.sys
2009-10-21 04:25 . 2008-07-08 19:54 148496 ----a-w- c:\windows\system32\drivers\74731399.sys
2009-10-21 04:08 . 2008-07-08 19:54 148496 ----a-w- c:\windows\system32\drivers\53482418.sys
2009-10-20 22:52 . 2008-07-08 19:54 148496 ----a-w- c:\windows\system32\drivers\66422679.sys
2009-10-20 20:25 . 2009-10-24 06:13 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-20 19:57 . 2009-10-20 19:57 -------- d-----w- c:\documents and settings\Owner\Application Data\Sammsoft
2009-10-20 19:57 . 2009-10-20 19:57 -------- d-----w- c:\program files\MemTurbo 4
2009-10-20 19:56 . 2009-10-20 19:56 -------- d-----w- c:\program files\Advanced Registry Optimizer
2009-10-20 19:36 . 2009-10-20 19:36 1152 ----a-w- c:\windows\system32\windrv.sys
2009-10-20 05:13 . 2009-10-20 05:13 -------- d-----w- C:\temp
2009-10-19 22:11 . 2009-10-23 17:57 0 ----a-w- c:\windows\Egituvovepurifum.bin
2009-10-19 22:11 . 2009-10-23 21:08 120 ----a-w- c:\windows\Xfikocif.dat
2009-10-19 22:08 . 2009-10-20 04:14 58 ----a-w- c:\windows\wp4.dat
2009-10-19 22:08 . 2009-10-20 04:14 3 ----a-w- c:\windows\wp3.dat
2009-10-19 22:08 . 2009-10-20 03:57 577024 ----a-w- c:\windows\system32\plugie.dll
2009-10-19 22:07 . 2009-10-19 22:07 248320 ----a-w- C:\dtacmawh.exe
2009-10-19 22:07 . 2009-10-19 22:07 50688 ----a-w- C:\buxuhto.exe
2009-10-14 17:33 . 2009-10-14 17:33 -------- d-----w- C:\users
2009-10-05 19:49 . 2009-10-05 19:49 -------- d-----w- c:\documents and settings\Owner\Application Data\Acreon
2009-10-05 19:49 . 2009-10-05 20:03 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\._Revolution_

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-20 05:10 . 2008-05-01 01:56 -------- d-----w- c:\program files\Windows Media Connect 2
2009-10-13 03:26 . 2006-08-25 01:32 -------- d-----w- c:\program files\World of Warcraft
2009-09-11 14:18 . 2004-08-26 16:12 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2004-08-26 16:12 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2004-08-26 16:12 832512 ------w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2004-08-26 16:11 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2004-08-26 16:11 17408 ------w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2004-08-26 16:12 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-25 18:53 . 2009-08-25 18:53 -------- d-----w- c:\program files\Curse
2009-08-25 07:02 . 2009-08-25 07:02 138784 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-08-05 09:01 . 2004-08-26 16:12 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 2004-08-26 16:12 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-04 05:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-10-23_21.03.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-24 15:57 . 2009-10-24 15:57 16384 c:\windows\temp\Perflib_Perfdata_dec.dat
+ 2009-10-24 15:56 . 2009-10-24 15:56 16384 c:\windows\temp\Perflib_Perfdata_770.dat
+ 2004-08-04 19:00 . 2004-08-04 19:00 93696 c:\windows\system32\FastNetSrv.exe
+ 2004-08-04 19:00 . 2004-08-04 19:00 46592 c:\windows\system32\BtwSrv.dll
+ 2004-08-04 19:00 . 2004-08-04 19:00 131072 c:\windows\system32\wmdtc.exe
+ 2004-08-04 19:00 . 2004-08-04 19:00 131072 c:\windows\system32\opeia.exe
+ 2004-08-26 16:12 . 2008-04-14 00:12 162304 c:\windows\onokeyib.dll
+ 2009-10-24 15:57 . 2009-08-29 07:36 1168384 c:\windows\temp\x1c27014.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-16 68856]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
"CurseClient"="c:\program files\Curse\CurseClient.exe" [2009-06-08 1934336]
"AROReminder"="c:\program files\Advanced Registry Optimizer\ARO.exe" [2008-08-22 2084480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MCUpdateExe"="c:\progra~1\McAfee.com\Agent\McUpdate.exe" [2004-10-03 184320]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-12-18 98304]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-03 13529088]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2007-08-31 988584]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"MCAgentExe"="c:\progra~1\McAfee.com\Agent\McAgent.exe" [2004-08-18 245760]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-03 86016]
"Launch LGDCore"="c:\program files\Logitech\G-series Software\LGDCore.exe" [2006-03-06 1122304]
"Launch LCDMon"="c:\program files\Logitech\G-series Software\LCDMon.exe" [2006-03-06 497152]
"_AntiSpyware"="c:\program files\McAfee\McAfee AntiSpyware\MssCli.exe" [2004-10-19 114688]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-03 1630208]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
is-EG980.lnk - c:\virus removal tool3\is-EG980\startup.exe [2009-10-20 65536]
is-PF3E8.lnk - c:\documents and settings\Owner\Desktop\Virus Removal Tool\is-PF3E8\startup.exe [2009-10-20 65536]
is-T85FS.lnk - c:\documents and settings\Owner\Desktop\Virus Removal Tool2\is-T85FS\startup.exe [2009-10-20 65536]
is-VGQHM.lnk - c:\documents and settings\Owner\Desktop\Virus Removal Tool1\is-VGQHM\startup.exe [2009-10-20 65536]
MemTurbo.lnk - c:\program files\MemTurbo 4\MemTurbo.exe [2009-10-20 3121760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - c:\program files\BigFix\BigFix.exe [2006-12-17 1742384]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{F2A0229A-C4CA-4789-B606-973D24DCDD1C}"= "c:\program files\McAfee\McAfee AntiSpyware\MssShell.dll" [2004-10-19 86016]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli inexmprx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Parallel Arbitrator]
@="Driver Group"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.4.6314-to-2.0.5.6320-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.5.6320-enUS-downloader.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.5.6320-to-2.0.6.6337-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\Repair.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.6.6337-to-2.0.7.6383-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccSetMgr.exe"=
"c:\\Program Files\\Norton AntiVirus\\navapsvc.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
"c:\\Program Files\\Norton AntiVirus\\IWP\\NPFMntor.exe"=
"c:\\Program Files\\Microsoft IntelliPoint\\ipoint.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"4453:TCP"= 4453:TCP:Ventrilo

R2 BtwSrv;BtwSrv;c:\windows\system32\svchost.exe -k netsvcs [8/26/2004 11:12 AM 14336]
R2 fastnetsrv;fastnetsrv Service;c:\windows\system32\FastNetSrv.exe [8/4/2004 2:00 PM 47104]
S3 bfastfao;bfastfao;\??\c:\docume~1\Owner\LOCALS~1\Temp\bfastfao.sys --> c:\docume~1\Owner\LOCALS~1\Temp\bfastfao.sys [?]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2/10/2009 9:09 PM 17149]
S3 PID_0920;Logitech QuickCam Express(PID_0920);c:\windows\system32\drivers\LV532AV.SYS [8/8/2009 1:38 AM 152576]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - BTWSRV

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
BtwSrv
.
Contents of the 'Scheduled Tasks' folder

2009-10-24 c:\windows\Tasks\McAfee.com Update Check (YOUR-9BF74649F1-Owner).job
- c:\progra~1\McAfee.com\Agent\mcupdate.exe [2006-12-18 00:34]

2006-12-18 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2006-12-18 01:26]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: {{5E72AD5A-20DF-4ca4-9B7B-D9717FFDE0C5} - c:\documents and settings\Owner\Start Menu\Programs\Absolute Poker Basic\Absolute Poker Basic.lnk
DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} - hxxp://www.myheritage.com/Genoogle/Components/ActiveX/SearchEngineQuery.dll
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SNM - c:\program files\SpyNoMore\SNM.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-24 10:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-115497888-4204467973-748799179-1003\*! V*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"MachineID"=hex:b6,c5,bd,39,ba,c4,8d,00

[HKEY_USERS\S-1-5-21-115497888-4204467973-748799179-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:59,ed,15,8f,78,72,f9,ba,ea,90,b5,d6,e5,59,5c,8b,35,a6,fe,80,4a,c3,07,
27,9b,2c,08,9e,59,10,23,48,2e,39,27,ff,40,ea,ac,10,87,9a,76,1e,41,37,a0,70,\
"??"=hex:eb,1f,2d,b0,11,61,84,98,d8,d0,2d,fb,cd,d2,c6,97
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(756)
c:\windows\inexmprx.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2936)
c:\windows\system32\WININET.dll
c:\windows\system32\nview.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\inexmprx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\combo-fix2721c\CF29044.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\McAfee AntiSpyware\Msssrv.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\rundll32.exe
c:\program files\Microsoft IntelliType Pro\dpupdchk.exe
c:\program files\Norton AntiVirus\navapsvc.exe
c:\program files\Norton AntiVirus\IWP\NPFMntor.exe
c:\program files\Logitech\G-series Software\Applets\LCDCountdown\LCDCountdown.exe
c:\program files\Logitech\G-series Software\Applets\LCDClock.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\system32\opeia.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
c:\windows\system32\lsm32.sys
c:\combo-fix2721c\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-24 11:01 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-24 16:01
ComboFix2.txt 2009-10-23 21:10

Pre-Run: 136,396,533,760 bytes free
Post-Run: 136,354,582,528 bytes free

- - End Of File - - 37BD30F1DF1598BEEE7B51839DD93147

0

OK, downloaded it to the infected computer and ran it again. I have full access to everything, but I want to be sure that the virus is gone. Here is the second log you asked for.

There are still a lot of baddies showing that ComboFix will normally remove.
It appears you did not install the Recovery Console or disable anti-virus as directed in the "how to run ComboFix" link.

This is a particularly nasty malware - you really need to do everything exactly and precisely. And, even then, it is sometimes not enough.

Keep the ill computer offline until I can work up the next step - busy weekend ahead of me, but will try to have it posted sometime this evening.

PP :)
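The reply above says the log still shows "a lot of baddies". As an added example (not part of the thread and not ComboFix's own code), here is a small Python triage script that applies to the posted log the checks a helper otherwise makes by eye: LSA Notification Packages beyond the stock `scecli` entry, DLLs that lsass.exe loaded from outside system32 and whether explorer.exe carries the same DLL, `.sys` images in the running-process list, and services whose image lives under a Temp directory. The sample input is constructed from lines of the log posted above; the `scecli` allowlist and the `c:\windows\system32\` trusted directory are assumptions for a stock 32-bit XP workstation on C:.

```python
# Added example (not ComboFix output or a ComboFix feature): heuristics that pull out of a
# ComboFix log the indicators a helper otherwise reads for by eye.  The allowlists assume a
# stock 32-bit Windows XP workstation installed on C:.
import re
from collections import defaultdict

# Constructed sample: lines copied verbatim from the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli inexmprx.dll
R2 BtwSrv;BtwSrv;c:\windows\system32\svchost.exe -k netsvcs [8/26/2004 11:12 AM 14336]
S3 bfastfao;bfastfao;\??\c:\docume~1\Owner\LOCALS~1\Temp\bfastfao.sys --> c:\docume~1\Owner\LOCALS~1\Temp\bfastfao.sys [?]

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(756)
c:\windows\inexmprx.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2936)
c:\windows\system32\WININET.dll
c:\windows\inexmprx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\opeia.exe
c:\windows\system32\lsm32.sys
"""

PATH_RE = re.compile(r"^(?:[a-zA-Z]:\\|\\)")                    # Windows path, maybe \??\-prefixed
PROC_HEADER = re.compile(r"^(?:- )+> '([^']+)'\((\d+)\)")        # - - - > 'name'(pid)
SERVICE_RE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;(.*)$", re.M)  # state name;display;image [...]
LSA_DEFAULT_PACKAGES = {"scecli"}                                # assumption: XP workstation, not a DC
TRUSTED_MODULE_DIR = "c:\\windows\\system32\\"                  # assumption: 32-bit install on C:


def _stem(name):
    """Lower-case file name without directory or a trailing .dll."""
    base = name.rsplit("\\", 1)[-1].lower()
    return base[:-4] if base.endswith(".dll") else base


def _section(log, header_prefix):
    """Lines of one ComboFix section, up to the next ---- or **** rule."""
    active, out = False, []
    for line in log.splitlines():
        if line.startswith(header_prefix):
            active = True
        elif active and line.startswith(("----", "****")):
            break
        elif active:
            out.append(line)
    return out


def loaded_modules(log):
    """process name -> [module paths] from 'DLLs Loaded Under Running Processes'."""
    inventory, current = defaultdict(list), None
    for line in _section(log, "--------------------- DLLs Loaded"):
        m = PROC_HEADER.match(line)
        if m:
            current = m.group(1).lower()
        elif current and PATH_RE.match(line):
            inventory[current].append(line.strip().lower())
    return dict(inventory)


def triage(log):
    inventory, report = loaded_modules(log), defaultdict(list)

    # LSA loads every DLL named in Notification Packages into lsass.exe at boot, so any
    # entry beyond the stock one is persistence inside lsass.
    m = re.search(r"^Notification Packages\s+REG_MULTI_SZ\s+(.*)$", log, re.M)
    report["lsa_packages"] = [p for p in (m.group(1).split() if m else [])
                              if _stem(p) not in LSA_DEFAULT_PACKAGES]

    # On a stock box lsass.exe loads from system32 only; the same foreign DLL showing up
    # in explorer.exe too is the usual fingerprint of one module injected into several processes.
    explorer = set(inventory.get("explorer.exe", []))
    for mod in inventory.get("lsass.exe", []):
        if not mod.startswith(TRUSTED_MODULE_DIR):
            why = "outside system32" + (", also in explorer.exe" if mod in explorer else "")
            report["lsass_modules"].append((mod, why))

    # Cross-check: an unknown package that is also live inside lsass ranks highest.
    lsass_stems = {_stem(x) for x in inventory.get("lsass.exe", [])}
    report["lsa_package_live_in_lsass"] = [p for p in report["lsa_packages"] if _stem(p) in lsass_stems]

    # Drivers are not processes, so a .sys image in the process list is an executable
    # wearing a driver extension; flag it for a manual look.
    for line in _section(log, "------------------------ Other Running Processes"):
        p = line.strip().lower()
        if PATH_RE.match(p) and p.endswith(".sys"):
            report["odd_processes"].append((p, "driver extension running as a process"))

    # Services or drivers whose image path lives under a Temp directory.
    for name, rest in SERVICE_RE.findall(log):
        image = rest.split(" --> ")[-1].split(" [")[0].strip().lower()
        if "\\temp\\" in image:
            report["temp_services"].append((name, image))
    return dict(report)
```

Call `triage()` on the text of a saved ComboFix log. On the lines above it reports inexmprx.dll both as a non-stock LSA package and as a module live in lsass.exe and explorer.exe, lsm32.sys running as a process, and bfastfao.sys hosted from the user's Temp folder; BtwSrv and the system32 WININET.dll entries pass. These are heuristics for review, not verdicts: the `.sys` rule would also catch c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS from the full log, and nothing here says anything about c:\windows\system32\opeia.exe, which only a known-good baseline or a hash lookup would separate from the legitimate contents of system32.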
