gerbil 216 Industrious Poster

REWORKED POST:
mmm... that autorun file is a leftover from your McAfee; because you are running Avast now it is safe to delete it.
==Please copy the text in the box to a notepad [format/wordwrap unchecked] and save as showkey.bat, as type "all files", to your desktop; dclick it to run, then post the file C:\showkey.txt

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Drive Icons" /s >C:\showkey.txt
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Drive Icons" /f
start C:\showkey.txt

If that notepad is not empty then the red cross problem may be solved [you may have to restart...]. Otherwise could you then do that Combofix run?

gerbil 216 Industrious Poster

mmm... that autorun file is a leftover from your McAfee; because you are running Avast now it is safe to delete it.
I am still searching for a solution to the cross - it does not seem to derive from a reg entry [although that red cross is one of the icons built into shell32.dll]... it must be a malware file still on your machine that is calling it. Could you pls delete your copy of Combofix and dl and run a fresh copy?
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

gerbil 216 Industrious Poster

.

gerbil 216 Industrious Poster

Found the icon in shell32!!
Ira, in an explorer window if you go Tools, Folder Options, View tab, uncheck Hide Protected Op SYS files, Apply and OK... do you have a C:\autorun.inf file? If so, drag it into an empty notepad and post it, please. Lastly, check that box again to hide those files.
If you do not have that C:\autorun.inf file then next search [as a word or phrase] your C: drive for :
shell32.dll,240 [stop the search when it gets to C:\Windows... a waste of time]
If it is not found go start, run, type regedit and OK.
Click on My Computer at top, then go Edit, find, type in..
shell32.dll,240
... and tell me the keys it occurs in.

gerbil 216 Industrious Poster

Don't worry about reposting the hijackthis log, Hifi, just keep that formatting in mind for future notepad posts.
It appears that you have a vundo infection, or traces of one, so...
==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
=Restart your system in Safe Mode.
Double-click VundoFix.exe to start it. Click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

!!! Check the Vundofix log for any found files that were not deleted - if present rerun Vundofix !!!
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If …

gerbil 216 Industrious Poster

Hifi... could you please post that hijackthis log with Format Unwrapped in notepad, please?

gerbil 216 Industrious Poster

Cheers, tony. Because that was a remote operating trojan if you do notice anything strange rerun Panda after a few days [CClean first, all accounts] and repost here.
If you do online banking, purchasing, emailing, it would be wise to change passwords now. I would. Just in case. Good luck out there.

gerbil 216 Industrious Poster

Ira, if you carried out all the ops in my post above [cleared your restore points, deleted those four files, etc ...] then you should be clean?
To fix your icon get Powertoys for Windows Tweak UI [from M$ or whoever has it when you google for it]. Got it installed? Right, down the bottom to Repair, option you want is Rebuild Icons. This will reset your system to use the correct icons from Shell32.
Say how things are...

gerbil 216 Industrious Poster

PSEXEC is a tool from Microsoft. Here: http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
-see this::: PsExec is a light-weight telnet-replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software. PsExec's most powerful uses include launching interactive command-prompts on remote systems and remote-enabling tools...
and this::: Note: some anti-virus scanners report that one or more of the tools are infected with a "remote admin" virus. None of the PsTools contain viruses, but they have been used by viruses...
My point is that it is a useful tool for a trojan to include. So if you don't do remote system operation like issuing Telnet commands or similar, may I suggest that you search for and delete:
C:\WINDOWS\PSEXESVC.EXE
Now....

gerbil 216 Industrious Poster

Nice work, Tony. No, the ads on BearShare do not lead to anything worse.
This is an important question, though:
PSEXEC - did YOU install this tool?
Cheers.

gerbil 216 Industrious Poster

Mmmm... there's not so much to do now. First off, start Hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: (no name) - {3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9} - C:\WINDOWS\system32\nnnommj.dll (file missing)
O2 - BHO: (no name) - {9ABBF08B-E836-4BF0-B571-F20A3C6DA202} - C:\WINDOWS\system32\mlljj.dll
O4 - HKLM\..\Run: [BMffce3aeb] Rundll32.exe "C:\WINDOWS\system32\biopjvmw.dll",s
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O20 - Winlogon Notify: nnnommj - nnnommj.dll (file missing)

Good.
The Panda log explained [Panda Online Scan confines itself to removing viruses and worms, but it does point out other malware]:
-when you run CCleaner it only removes cookies from your account, hence some cookies from Patch's ac show in the log - if Patch runs CCleaner they will be removed [they are all benign..]. You can configure CCleaner to remove such items from all accounts if you so wish, it's fairly easy to set it but I won't go into it here.
-Bearshare. It has adware associated with it - savenow. I can remove that for you but doing so may break Bearshare - I don't know. If you go ahead and remove it and Bearshare stops working it is your choice whether to uninstall or reinstall BS.

==PSEXEC - did you load this? …
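The O2/O4/O9/O18/O20 lines in the post above are HijackThis log entries, and the ones marked "(file missing)" are dead references rather than running code. As an added example (this editor's code, not part of HijackThis or of the thread), here is a parser that turns such lines into records and separates the orphaned entries from the live ones; the sample lines are the seven quoted in the post, and the path/CLSID regexes are this example's own assumptions about the log format.

```python
"""Parse HijackThis log lines and pick out the orphaned entries.

Added example (this editor's code, not part of HijackThis or of the thread).
The sample lines are the entries quoted in the post above; the parser turns
each into a record and flags the ones HijackThis marks "(file missing)" or
"(no file)", i.e. leftovers pointing at files that are already gone.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

_LINE_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<rest>.*)$")
_CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# A drive-letter path (spaces allowed, lazy match up to the first binary
# extension), else a bare module name such as mscoree.dll.
_PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:dll|exe|cpl)', re.IGNORECASE)
_MODULE_RE = re.compile(r"\b[\w~.-]+\.(?:dll|exe|cpl)\b", re.IGNORECASE)
_ORPHAN_MARKERS = ("(file missing)", "(no file)")


@dataclass
class HjtEntry:
    code: str             # section code: O2, O4, O9, R3 ...
    kind: str             # BHO, HKLM\..\Run, Extra button ...
    clsid: Optional[str]  # CLSID in braces, when the line carries one
    path: Optional[str]   # referenced file or module, when one is listed
    orphaned: bool        # HijackThis reports the referenced file as gone
    raw: str


def parse_line(line: str) -> Optional[HjtEntry]:
    """Parse one log line; returns None for header, blank and unknown lines."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    code, rest = m.group("code"), m.group("rest")
    kind = rest.split(":", 1)[0].strip()
    cm = _CLSID_RE.search(rest)
    pm = _PATH_RE.search(rest) or _MODULE_RE.search(rest)
    return HjtEntry(
        code=code,
        kind=kind,
        clsid=cm.group(0) if cm else None,
        path=pm.group(0) if pm else None,
        orphaned=any(marker in rest for marker in _ORPHAN_MARKERS),
        raw=line.strip(),
    )


def parse_log(text: str) -> List[HjtEntry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def orphaned_entries(text: str) -> List[HjtEntry]:
    """Entries whose file is missing: dead references, safe to have HijackThis fix."""
    return [e for e in parse_log(text) if e.orphaned]


def live_entries(text: str) -> List[HjtEntry]:
    """Entries still backed by a file on disk: the file itself needs dealing with too."""
    return [e for e in parse_log(text) if not e.orphaned]


# Sample lines, copied from the post above (not a complete log).
SAMPLE_LOG = "\n".join([
    r"O2 - BHO: (no name) - {3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9} - C:\WINDOWS\system32\nnnommj.dll (file missing)",
    r"O2 - BHO: (no name) - {9ABBF08B-E836-4BF0-B571-F20A3C6DA202} - C:\WINDOWS\system32\mlljj.dll",
    r'O4 - HKLM\..\Run: [BMffce3aeb] Rundll32.exe "C:\WINDOWS\system32\biopjvmw.dll",s',
    r"O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)",
    r"O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)",
    r"O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)",
    r"O20 - Winlogon Notify: nnnommj - nnnommj.dll (file missing)",
])

if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        state = "orphaned" if e.orphaned else "live"
        print(f"{e.code:<4}{state:<9}{e.kind:<22}{e.path or '-'}")
```

Run it and the two live entries (the mlljj.dll BHO and the Rundll32 Run entry) stand out from the five orphaned ones; those two are the ones where the DLL on disk has to go as well, not just the registry entry.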

gerbil 216 Industrious Poster

Ah, okay, a bit of history to the problem. Well, caper found you a good site; did you work through either of the two methods presented there? I only know a broad outline of how it works using a dynamic exception list to cull traffic from the stack, there is no way I can add to what is in that M$ article.
Yeah, I know, when something you don't actually want won't work it can still bug you.... it is a human frailty. ZoneAlarm is better... take a tablet or something until the niggle goes away.
:)

gerbil 216 Industrious Poster

A worm is a program that can self replicate... make copies of itself... and send those to other computers on a network without any specific user action, such as you don't need to send an infected email or file cos the worm is capable of doing that itself. So if you made your anti-porn worm it would not stay in your business network, it would head out into the world. And that would make you a criminal, even if it was an anti-porn worm, cos porn is not illegal in most places, just perhaps undesirable. What you need is a site blocker, a net nanny, and there are lots of those pgms out there, free or paid.
Good luck.

gerbil 216 Industrious Poster

You have ZoneAlarm Firewall running - it will automatically switch off Windows Fire Alarm [disallow it]. There is a checkbox.... actually ZoneAlarm seems to cancel WFW when ZA is started but then it should be possible to turn on WFW even though ZA is running, but you should not, they may conflict and traffic will be slower. Next time ZA starts it will turn off WFW.
Use hijackthis to fix these while you are on the job... nothing bad, just a cleanup:
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)

And since you now have AVG Free and not McAfee... go Start, Run and enter these lines:

sc delete McShield
sc delete McSysmon

Sorted?

gerbil 216 Industrious Poster

The easiest way to kill the html is to go Select All, Copy, and paste it into a notepad.

gerbil 216 Industrious Poster

Sounds like fun... but your computer will work just fine without explorer.exe, it's just a little harder to control it without that nice user interface.
And none of us are young enough to search for trojans from the C:\ prompt. What follows assumes that you got to Daniweb from another machine. Fine, but back to yours now.
Let's avoid using explorer for a while. Task manager has nothing to do with it so you can use it to launch pgms, you just go File > New Task(Run) and enter: iexplore.exe
From your C prompt [you mean a black cmd window?] it would be [paste this in]:
C:\"Program Files\Internet Explorer\iexplore.exe"
And either way an IE browser window should pop open. Now the neat thing is the quite large amount of interchangeability between IE and Windows Explorer - you can surf from WE and you can navigate about your folders from IE. So...
==Get CCleaner from http://www.ccleaner.com/ - and install it in a new folder in your Program Files. You should keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner using its default settings [if you set up CCleaner as I suggested, rclicking the bin icon should give you the Open CCleaner option...].
If you have FireFox open the Applications tab and ensure at least that Cookies and Cache are checked.
[For future quick temp …

gerbil 216 Industrious Poster

It does sound like you have a trojan in there feeding you malware. Ok, let's do this [in this order...] to see what shows up:
==download hijackthis: http://www.majorgeeks.com/download5554.html
-copy it to a new FOLDER placed either alongside your program files or on your desktop and then... rename hijackthis.exe to imabunny.exe
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Post the log here.
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.
==Get CCleaner from http://www.ccleaner.com/ - and install it in a new folder. You should keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as I suggested, rclicking the bin icon should give you the Open CCleaner option...].
If you have FireFox open the …

gerbil 216 Industrious Poster

mmm... nothing to worry about with those cookies. Using CCleaner every couple weeks fixes those. How about the points I mentioned in my last post?
After all this cleaning etc it may pay you to run a check on your precious system files. Go start, run, paste in..
sfc /scannow
..and load your XP disk.

gerbil 216 Industrious Poster

That is a bit ugly.... These are the most unsafe of the entries in that log. We can clear the remainder of them easily.
Id Description Type Active Severity Disinfectable Disinfected Location
====================================================
00034463 adware/wupd Adware No 0 Yes No c:\windows\downloaded program files\mediagatewayx.dll
00034463 adware/wupd Adware No 0 Yes No hkey_classes_root\mediagatewayx.installer
00219235 adware/commad Adware No 0 Yes No hkey_local_machine\system\controlset001\enum\root\legacy_cmdservice
00219235 adware/commad Adware No 0 Yes No hkey_local_machine\system\controlset001\services\cmdservice
00248329 adware/toolbarpartner Adware No 0 Yes No c:\$$$_.log
01196325 Cookie/Enhance TrackingCookie No 0 Yes No C:\Documents and Settings\Irving Glemaud\Cookies\irving_glemaud@enhance[1].txt
02909334 Rootkit/Agent.IKR Virus/Trojan No 0 Yes No C:\WINDOWS\SYSTEM32\DRIVERS\Tablet2kk.sys
02909339 Adware/Maxifiles Adware No 1 Yes No C:\WINDOWS\SYSTEM32\extz1\lovstadcom2.exe

Delete C:\QooBox\
Delete these files:
c:\windows\downloaded program files\mediagatewayx.dll
c:\$$$_.log
C:\WINDOWS\SYSTEM32\DRIVERS\Tablet2kk.sys
C:\WINDOWS\SYSTEM32\extz1\lovstadcom2.exe

==Please copy the text between the lines to a notepad [format/wordwrap unchecked] and save as fixkey.reg, as type "all files", to your desktop; dclick it to run... agree; if it opens in notepad instead rclick the icon [file], choose Open with, Registry editor....
__________________________________________________________
Windows Registry Editor Version 5.00

[-hkey_classes_root\mediagatewayx.installer]
[-hkey_local_machine\system\controlset001\enum\root\legacy_cmdservice]
[-hkey_local_machine\system\controlset001\services\cmdservice]
_________________________________________________________
Now if all those files above deleted successfully:
==You SHOULD clear all your system restore points because some have been infected.... So go control panel > system > system restore tab, check Turn off sys res on all drives, Apply and OK. Do it all again but uncheck that box, Apply and OK.
[[a quick way in is …

gerbil 216 Industrious Poster

Hang on, have gone thru that list fully, will post a better procedure inside an hour..

gerbil 216 Industrious Poster

="So run this point clearance procedure again...[toggling system restore off/on clears all old points..]" - I hope you did this bit also, tsahi.
=SetupDTSB.exe - this has already been deleted by BitDefender. It is an optional Searchbar installed with Daemon Tools [you get the chance to stop its installation during DT setup]. So don't worry about it.
=3 boot sectors. If you had a third party bootmanager and 3 OS's on your hd[s] I would expect this, but if you only have XP then, umm, no. I don't know how your tech managed to get 3 on if you only have XP.... if you had 98 and XP [and no boot manager] XP would overwrite the 98 boot sector with its own code, so still only one boot sector....
If you do have only XP then, well, it is simpler to just ignore the other two. I could remove them for you [or tell you how to do it] but it involves software with a lot of err... destructive power. Really, the extras [if that is the case] can do no harm.
We'll have a go at fixing remote assistance if Panda gets thru ok. Rest easy.

gerbil 216 Industrious Poster

Ah, yes, that did a job. Some malware was detected in your Restore points. If you did those operations I listed in my last post in order given then your new restore point got infected too. So run this point clearance procedure again...[toggling system restore off/on clears all old points..]
=In case you are tempted to do a system restore we must clear all your system restore points because some have been infected.... So go control panel > system > system restore tab, check Turn off sys res on all drives, Apply and OK. Do it all again but uncheck that box, Apply and OK.
[[a quick way in is Start > run, paste: control sysdm.cpl,,4 -and OK]]
Now make a fresh, clean restore point: Start > programs > accessories > system tools > system restore and create a restore point now!!
[[the quick way to System Restore is Start > run, paste: %systemroot%\system32\restore\rstrui.exe -and OK]]

Ah, DAEMON Tools was picked up earlier but I ignored it - I do not know what yours was but legit versions are safer.
You have 3 boot sectors? Seems like a lot....
H:\rthrw.com.. by any chance have you used a plugin of some sort, eg a USB device like a thumbdrive? That would explain the mountpoints2 entry in your registry [Windows remembers every USB device you ever plug in..]. Anyway, that device is infected. Delete its contents and format it.
Just as a point of …

gerbil 216 Industrious Poster

This lil batch file will query what entry is currently in the key responsible for launching explorer.exe as your shell at startup; it will then replace whatever exists with the correct value. Please mention if the notepad that opens is empty.
==Copy the text between the lines to a notepad [format/wordwrap unchecked] and save as showkey.bat, as type "all files", to your desktop; dclick it to run, then post the file C:\showkey.txt
__________________________________________________________
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /V Shell >C:\showkey.txt
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /V Shell /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /V Shell /t REG_SZ /d explorer.exe /f
start C:\showkey.txt
__________________________________________________________
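The showkey.txt that the batch file above produces is plain `reg query` output, and the thing to check in it is whether the Winlogon Shell value is exactly explorer.exe or has had something appended. As an added example (this editor's code, not from the thread and not from reg.exe), here is a reader for that dump that returns a clear verdict; both sample dumps are constructed, one in the tab-separated layout XP-era reg.exe used and one in the space-padded layout of later versions, and the extra executable in the second sample is a made-up placeholder standing in for whatever a hijacked shell value would name.

```python
"""Check the Winlogon Shell value from a showkey.txt-style reg query dump.

Added example (this editor's code, not from the thread or from reg.exe):
it parses the text that "reg query ... /V Shell" writes, as in the batch
file above, and reports whether the shell is the expected explorer.exe.
Both sample dumps are constructed; the second holds a made-up placeholder
executable to show what a hijacked Shell value looks like.
"""
import re
from typing import Dict, Optional, Tuple

# reg.exe prints a key line, then one indented line per value:
#     <name>   <type>   <data>
# XP-era reg.exe separated the columns with tabs, later versions with runs
# of spaces; splitting on either handles both (assumption: the data field
# never itself contains a tab or two consecutive spaces).
_SPLIT_RE = re.compile(r"\t|\s{2,}")

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

RegValues = Dict[Tuple[str, str], Tuple[str, str]]  # (key, name) -> (type, data)


def parse_reg_query(text: str) -> RegValues:
    """Return {(key, value_name): (reg_type, data)} for a reg query dump."""
    values: RegValues = {}
    key: Optional[str] = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):   # blank, or "! REG.EXE VERSION" banner
            continue
        if not raw[0].isspace():                      # unindented: a key line or a footer
            key = raw.strip() if raw.upper().startswith("HKEY_") else None
            continue
        if key is None:
            continue
        parts = _SPLIT_RE.split(raw.strip(), maxsplit=2)
        if len(parts) < 2:
            continue
        data = parts[2] if len(parts) == 3 else ""
        values[(key, parts[0])] = (parts[1], data)
    return values


def check_shell(text: str, expected: str = "explorer.exe") -> Tuple[bool, Optional[str]]:
    """(True, data) when Shell is exactly the expected program, else (False, data).

    data is None when the dump holds no Shell value at all, which is what an
    empty showkey.txt means: the query had nothing to print.
    """
    values = parse_reg_query(text)
    entry = next((v for (k, n), v in values.items()
                  if k.lower() == WINLOGON.lower() and n.lower() == "shell"), None)
    if entry is None:
        return False, None
    data = entry[1].strip()
    return data.lower() == expected.lower(), data


# Constructed sample: what a clean machine's showkey.txt looks like (space layout).
SAMPLE_OK = (
    "\n"
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" "\n"
    "    Shell    REG_SZ    explorer.exe\n"
)

# Constructed sample: XP-era tab layout with a second program chained onto the
# shell; "placeholder-bad.exe" is an invented name, not a real malware file.
SAMPLE_HIJACKED = (
    "! REG.EXE VERSION 3.0\n\n"
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" "\n"
    "\tShell\tREG_SZ\texplorer.exe, C:\\WINDOWS\\system32\\placeholder-bad.exe\n"
)

if __name__ == "__main__":
    for label, dump in (("clean", SAMPLE_OK), ("hijacked", SAMPLE_HIJACKED), ("empty", "")):
        ok, data = check_shell(dump)
        print(f"{label:<9} ok={ok!s:<5} Shell={data!r}")
```

The batch file resets the value regardless, so this check is for the copy of showkey.txt taken before the reset: it tells you whether the shell had actually been tampered with, and an empty file means the value was absent rather than clean.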

gerbil 216 Industrious Poster

Configure IE to allow Active-X's from trusted sites [you did use IE, right? It works by ActiveX component installation [a small application] so you must use IE and no other browser], plus Avast to accept PandaActiveScan.
I just tested the scan site; it worked/commenced loading.

gerbil 216 Industrious Poster

==Please copy the text between the lines to a notepad [format/wordwrap unchecked] and save as showkey.bat, as type "all files", to your desktop; dclick it to run, then post the file C:\showkey.txt
__________________________________________________________
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA" /f
reg delete "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2b995f78-6e3d-11db-9c36-0014858a3979}" /f
reg delete "HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{18B0E5C2-99CB-11CF-AXX5-00401C648513}" /f
reg query "HKEY_LOCAL_MACHINE\SYSTEM" >C:\showkey.txt
start C:\showkey.txt
__________________________________________________________

=Delete file:
H:\rthrw.com
=Empty your Recycle bin.
=In case you are tempted to do a system restore we must clear all your system restore points because some have been infected.... So go control panel > system > system restore tab, check Turn off sys res on all drives, Apply and OK. Do it all again but uncheck that box, Apply and OK.
[[a quick way in is Start > run, paste: control sysdm.cpl,,4 -and OK]]
Now make a fresh, clean restore point: Start > programs > accessories > system tools > system restore and create a restore point now!!
[[the quick way to System Restore is Start > run, paste: %systemroot%\system32\restore\rstrui.exe -and OK]]

There appears to be a backdoor trojan operating; I cannot yet pinpoint what is disrupting Panda and Combofix.
A trace of malware does show in that Panda log fragment, this scan should work on it:
==Bitdefender Online Scan using IE only from http://www.bitdefender.com/

gerbil 216 Industrious Poster

Hi, Ira, no, you do not need to delete fwdrv.err - it is an error log from your Sunbelt firewall.
I have had problems viewing this website with FF, missing sections of posts and so forth, so I now use Opera. It performs best with IE but I avoid using that unless a requisite of some websites.
The hijackthis log is clean, RenV applied the fix and reported no further spoofed files [they were those files in the Combofix logs with an incrementing number of spaces in the filename].
Is this file still extant?: C:\windows\system32\drivers\core.cache.dsk
If it will not delete in safe mode you could try this tool:
=This one is a general purpose deleter, Unlocker: http://filehippo.com/download_unlocker/
Dclick the exe to install it, unchecking the updater and assistant boxes. It runs from the rclick context menu, and that is cool.
...or does it get regenerated?
Assuming that it is gone....
-your Windows\fonts files.... I don't know how to remove the bad ones except by arranging them by Modified order and seeing if that helps you select the block of incorrect files. The zip files ... try rclicking the headings border, and selecting View, List by Similarity.
- are your icons still incorrect?
==Please use IE to do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for …

gerbil 216 Industrious Poster

Please go Start, run and paste in these commands:
sc stop srosa
sc delete srosa
sc stop Megadrv3
sc delete Megadrv3
Good. The combofix /u instruction : I guessed that you had tried to install it on your desktop [it did not run so I could not see its location] - this cmd would have uninstalled it and its components, but you can do it manually - delete C:\Qoobox and combofix.exe, there may also be a folder beside combofix.exe containing its extracted files.
It looks like your Norton GhostTray.exe was infected, Combofix isolated it and Kaspersky found the quarantined file to be infected also. You will have to get an uninfected app and reinstall it; your ghost may be okay, though:
C:\QooBox\Quarantine\C\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe.vir Infected: Trojan-Downloader.Win32.Bagle.ma skipped

Even after you deleted system32\driver\down directory it was recreated - Combofix found it again and quarantined two files. Kaspersky detected those:
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\667187.exe.vir Infected: Trojan.Win32.Pakes.ciw skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\704687.exe.vir Infected: Email-Worm.Win32.Bagle.of skipped

Run CCleaner.
Run Panda online scan. http://www.pandasoftware.com/products/activescan?
Dl a fresh copy of Combofix and run it, I'd like to see the remaining Recent Files list which did not show in the last scan. http://download.bleepingcomputer.com/sUBs/ComboFix.exe
And provide a fresh hijackthis scan from normal mode also.

gerbil 216 Industrious Poster

Ira, I probably confused you with my troubles with smileys interfering with text. However, it is important that you finish the remainder of my post #9 [vundofix and RenV].
Next, restart in Safe Mode then search for:
C:\windows\system32\drivers\core.cache.dsk
Order the files in drivers\ by date modified or date created and see if any other files were created at the same time - please post their entries here. Some other file is regenerating/protecting core.cache.dsk.
One may be core.sys, but I doubt it because Combofix would have found it... if it is, delete both core.sys and core.cache.dsk.
Delete...
C:\WINDOWS\SYSTEM32\modvlaff.ini
C:\WINDOWS\SYSTEM32\MRT.INI

==Please copy the text between the lines to a notepad [format/wordwrap unchecked] and save as showkey.bat, as type "all files", to your desktop; dclick it to run, then post the file C:\showkey.txt
__________________________________________________________
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Core" /s >>C:\showkey.txt
start C:\showkey.txt
__________________________________________________________
-if it returns a blank notepad just say so - it means that that service I was querying for did not exist.

gerbil 216 Industrious Poster

Ira, could you also please do the parts referring to Vundofix, and RenV involving the zipped file Log.txt please?

gerbil 216 Industrious Poster

Hmmm, tsahi, Panda is usually supreme in removing Bagle. Let's try a different attack. Because Combofix will not run, even in Safe Mode please go Start, run and paste in ..
combofix /u
Okay, in Safe Mode with Networking:
Search for and delete this folder if it exists: C:\Windows\system32\drivers\down
-now go back to this site: http://download.bleepingcomputer.com/sUBs/ComboFix.exe -and instead of downloading click the Open box and see if it runs.
Try Panda once more; if it stalls then try this scan:
==Kaspersky Online Scan, from http://www.kaspersky.com/virusscanner -press the Kaspersky Online Scanner button, follow through....
or, if no success, this one:
==Bitdefender Online Scan using IE only from http://www.bitdefender.com/

gerbil 216 Industrious Poster

I searched, but I cannot find a comreps.dll registered, so I have the feeling your sys has been whacked by a pest of some description, and it is probably Look2Me.
==download hijackthis: http://www.majorgeeks.com/download5554.html
-copy it to a new FOLDER placed either alongside your program files or on your desktop and then...
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Post the log here.
If you wish to go with my educated guess then you can also do this:
==Download Look2Me-Destroyer: http://www.atribune.org/downloads/l2mfix.exe
Save the file to your desktop; dclick l2mfix.exe to start extraction/installation.
Close any programs you have open and then open the l2mfix folder on your desktop, dclick l2mfix.bat and select option #2.
After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and then present a log.
Run HT and post both logs, and tell of any problems you may still be having.

gerbil 216 Industrious Poster

Ira, skip the post above... I have taken a lesson in smiley annihilation and smiley "code" and now know what the line should be... please use THIS new line to replace the bottom line in CFScript.txt.

"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

Actually, here is the whole CFScript thing reposted to eliminate error:
==Please copy the text between the lines to a notepad [format/wordwrap unchecked] and save as CFScript.txt to where you saved Combofix -that is, to a folder or your desktop.

__________________________________________________________
Killall::

File::
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\SYSTEM32\utxhpiev.dll
C:\WINDOWS\SYSTEM32\vqdduwgj.dll
C:\WINDOWS\SYSTEM32\ooamstjb.dll
C:\WINDOWS\SYSTEM32\rhrxhuva.dll
C:\WINDOWS\SYSTEM32\fwtatqob.dll
C:\WINDOWS\SYSTEM32\lphvwlaf.dll
C:\WINDOWS\SYSTEM32\lxpngupc.dll
C:\PROGRA~1\McAfee.com\Agent\MC7B14~1 .EX
C:\PROGRA~1\McAfee.com\Agent
C:\Documents and Settings\Irving Glemaud\My Documents\?ppPatch\m?hta.exe

Folder::
C:\Temp\tn3

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Fengpef"=-

[-HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
__________________________________________________________
gerbil 216 Industrious Poster

Ira, because of the icons appearing in my text, you will have to edit the line where they appear as follows-
-please replace the three "*" in the line below with colons ":" and use the new line to replace the bottom line in CFScript.txt.
"3389:TCP"= 3389:TCP*LocalSubNet*Disabled*@xpsp2res.dll,-22009

gerbil 216 Industrious Poster

It looks like Combofix was not too happy with that workload - it may not have appreciated the way or what I fed it [actually the formatting on this webpage alters filenames...], so we shall try again and also use another specialised tool that should remove your multiplying infection.
Also you have a lot of open ports on your machine - we shall close those.
=Please go to Scheduled Tasks and remove this :
C:\WINDOWS\Tasks\McAfee.com Update Check (D8QVF341-Irving Glemaud).job
==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
=Restart your system in Safe Mode.
Double-click VundoFix.exe to start it. Click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

!!! Check the Vundofix log for any found files that were not deleted - if present rerun Vundofix !!!
=Restart your system in Safe Mode.
==Please copy the text between the lines to a notepad [format/wordwrap unchecked] …

gerbil 216 Industrious Poster

On second thoughts, get rid of these files - just delete them:
C:\Documents and Settings\Osnat\Desktop\emule config files\EvID4226Patch.exe
C:\Documents and Settings\Osnat\Desktop\emule_patch\EvID4226Patch.exe
C:\Documents and Settings\Osnat\Desktop\emule_patch\EvID4226Patch223d-en.zip[EvID4226Patch.exe]
Panda is saying they contain a virus:W32/Bagle.RP.worm... and since you copped the effects of the Bagle worm I would say that they could be the source - a worm is some bit of malware you must download and install by your own actions.
The advantage of more ports is not worth the trouble.

gerbil 216 Industrious Poster

Okay, I see they should be benign... the patch removes SP2's TCP/IP stack limit.

gerbil 216 Industrious Poster

Nice effort. We have some leads from that.

==Please copy the text between the lines to a notepad [format/wordwrap unchecked] and save as fixkey.reg, as type "all files", to your desktop; dclick it to run... agree; if it opens in notepad instead rclick the icon [file], choose Open with, Registry editor....
__________________________________________________________
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"drvsyskit"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"german.exe"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"hldrrr"=-
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"hldrrr"=-
[HKEY_CURRENT_USER\Software\FirstRRun]
"FirstRRRun"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ssgrate.exe"=-
__________________________________________________________

In safe mode, delete [if they exist]:

C:\WINDOWS\system32\wintems.exe
C:\WINDOWS\system32\mdelk.exe
C:\WINDOWS\system32\drivers\srosa.sy
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\1.exe
C:\WINDOWS\system32\forõ.exe
C:\WINDOWS\system32\noat.exe

Try now to restart your AV [switch to normal mode].
Then dl a fresh copy of Combofix and try to run it, safe or normal mode, but the latter would be more convenient. Run Panda again, also.

I have no idea what this is [from Panda rpt...]:
emule config files\EvID4226Patch.exe
or this: emule_patch\EvID4226Patch.exe
or this:emule_patch\EvID4226Patch223d-en.zip[EvID4226Patch.exe].
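Both fixkey.reg files in this thread, the one above that strips Run entries with `"name"=-` and the earlier one that removes whole keys with `[-key]`, are worth reading before they are double-clicked. As an added example (this editor's code, not regedit's and not from the thread), here is a dry-run reader that lists every change a .reg file would make; the two samples are the thread's own files, and the handling of whitespace around `=`, comments and the REGEDIT4 header are this example's assumptions, with multi-line hex values left unsupported since none of the posted files use them.

```python
"""Dry-run reader for the .reg fixes posted in this thread.

Added example (this editor's code, not regedit's and not from the thread).
It parses a .reg file and lists each key deletion ([-key]), value deletion
("name"=-) and value assignment, so a fix can be reviewed before it is run.
Assumptions: whitespace around '=' is tolerated (forum formatting sometimes
inserts it); lines starting with ';' are comments; continuation lines for
multi-line hex values are not handled.
"""
import re
from typing import List, Optional, Tuple

_HEADERS = ("Windows Registry Editor Version 5.00", "REGEDIT4")
_KEY_RE = re.compile(r"^\[(?P<del>-?)(?P<key>[^\]]+)\]$")
_VALUE_RE = re.compile(r'^(?P<name>"(?:[^"\\]|\\.)*"|@)\s*=\s*(?P<data>.*)$')

# ("delete_key", key) | ("delete_value", key, name) | ("set_value", key, name, data)
Action = Tuple[str, ...]


def parse_reg(text: str) -> List[Action]:
    """Return the list of actions the file would perform, or raise ValueError."""
    body = [l.strip() for l in text.lstrip("\ufeff").splitlines() if l.strip()]
    if not body or body[0] not in _HEADERS:
        raise ValueError("missing .reg header line")
    actions: List[Action] = []
    key: Optional[str] = None
    for line in body[1:]:
        if line.startswith(";"):
            continue
        km = _KEY_RE.match(line)
        if km:
            key = km.group("key")
            if km.group("del"):
                actions.append(("delete_key", key))
                key = None          # value lines under a deleted key are meaningless
            continue
        vm = _VALUE_RE.match(line)
        if vm and key is not None:
            name = vm.group("name")
            name = "(Default)" if name == "@" else name[1:-1]
            data = vm.group("data").strip()
            if data == "-":
                actions.append(("delete_value", key, name))
            else:
                actions.append(("set_value", key, name, data))
            continue
        raise ValueError(f"unrecognised or misplaced line: {line!r}")
    return actions


def is_reg_file(text: str) -> bool:
    try:
        parse_reg(text)
        return True
    except ValueError:
        return False


def describe(actions: List[Action]) -> List[str]:
    out = []
    for a in actions:
        if a[0] == "delete_key":
            out.append(f"DELETE KEY    {a[1]}")
        elif a[0] == "delete_value":
            out.append(f"DELETE VALUE  {a[1]} -> {a[2]}")
        else:
            out.append(f"SET VALUE     {a[1]} -> {a[2]} = {a[3]}")
    return out


# The thread's Run-entry fixkey.reg; one line kept with spaces around '='
# as forum formatting produced it, to exercise the tolerant matching.
RUN_ENTRIES_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"drvsyskit"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"german.exe"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"hldrrr"=-
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"hldrrr" = -
[HKEY_CURRENT_USER\Software\FirstRRun]
"FirstRRRun"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ssgrate.exe"=-
"""

# The thread's earlier fixkey.reg, which removes whole keys.
REMOVE_KEYS_REG = r"""Windows Registry Editor Version 5.00

[-hkey_classes_root\mediagatewayx.installer]
[-hkey_local_machine\system\controlset001\enum\root\legacy_cmdservice]
[-hkey_local_machine\system\controlset001\services\cmdservice]
"""

if __name__ == "__main__":
    for sample in (RUN_ENTRIES_REG, REMOVE_KEYS_REG):
        print("\n".join(describe(parse_reg(sample))), end="\n\n")
```

A file that fails the header check is the case the post warns about: if Windows opens it in Notepad instead of importing it, or if the header got mangled in the copy, regedit will not apply it, and the dry run says so before any double-click.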

gerbil 216 Industrious Poster

Correction to the order of things. Would you please perform this section of the fix detailed above last, i.e. after the CFScript/Combofix run?

=Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\MC75C2~1.EXE
O4 - HKCU\..\Run: [Fengpef] "C:\Documents and Settings\Irving Glemaud\My Documents\?ppPatch\m?hta.exe"
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...rch.jhtml?p=ZK
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

==Go Start, run, type or paste this line into the run text box and press Enter:
sc delete mcupdmgr.exe
Search for and delete this file:
C:\Documents and Settings\Irving Glemaud\My Documents\?ppPatch\m?hta.exe
What is in this folder?:
C:\Program Files\Incomplete
Delete this folder:
C:\PROGRA~1\McAfee.com
C:\Documents and Settings\All Users\Application Data\McAfee.com
==Java update!!! This is for security reasons. Go control panel > java > update, & press update now. Restart after installing the update, and then go into control panel again, add/remove pgms and remove all old versions of java. Vsn 1.6.0.5 is current....
Good-oh.

gerbil 216 Industrious Poster

Just how did you uninstall Mcafee? There are traces of it everywhere.
=Uninstall [Add/Remove pgms] Yazzle and any other pgm that contains "Oin" eg Yazzle by Oin.
=Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\MC75C2~1.EXE
O4 - HKCU\..\Run: [Fengpef] "C:\Documents and Settings\Irving Glemaud\My Documents\?ppPatch\m?hta.exe"
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...rch.jhtml?p=ZK
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

==Go Start, run, type or paste this line into the run text box and press Enter:
sc delete mcupdmgr.exe
Search for and delete this file:
C:\Documents and Settings\Irving Glemaud\My Documents\?ppPatch\m?hta.exe
What is in this folder?:
C:\Program Files\Incomplete
Delete this folder:
C:\PROGRA~1\McAfee.com
C:\Documents and Settings\All Users\Application Data\McAfee.com
==Java update!!! This is for security reasons. Go control panel > java > update, & press update now. Restart after installing the update, and then go into control panel again, add/remove pgms and remove all old versions of java. Vsn 1.6.0.5 is current....

==Please copy the text between the lines to a notepad [format/wordwrap unchecked] and save as CFScript.txt to where you saved Combofix -that is, to a …

gerbil 216 Industrious Poster

Oh dear... this will take me a while to check.

gerbil 216 Industrious Poster

tsahima, then please apply what I set out in post #7 first - it will restore your safe mode; you may then be able to run combofix in safe mode, then try the others in normal mode... [you may need to delete combofix and dl a fresh copy].

gerbil 216 Industrious Poster

Your system speaker? In CP, go to Sounds and Audio devices > Sounds, and select No Sounds...

gerbil 216 Industrious Poster

When you have finished that procedure above I would like you to run this reg file I have zipped and attached. It will repair your SP2 safe boot key plus remove a couple of mapped drive entries in mountpoints2 that I do not like the look of.... one is recalling deleted files?
Just unzip the file and dclick it to run, agree to merge with your registry.
Come back with those logs.

gerbil 216 Industrious Poster

Okay, I can see why some of your security softwares and scanners were disabled - you picked up the Bagle worm; it does that. You are quite badly infected otherwise. And at the moment you cannot enter Safe Mode because some registry entries have been altered - we will fix that later.
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.
==Get CCleaner from http://www.ccleaner.com/ - and install it in a new folder. You should keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as I suggested, rclicking the bin icon should give you the Open CCleaner option...].
If you have FireFox open the Applications tab and ensure at least that Cookies and Cache are checked.
Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs …

gerbil 216 Industrious Poster

Mobos have only low voltage power... you would not hear it "clicking" if it did arc over because most circuits on 'em are current limited anyway... and the dust would have to be moist and... most of the board's conductive points are varnished.... the only high V is in the PSU which has a back end of about 380vDC.. and you'd only hear it click once.
Still, mobos do die.

gerbil 216 Industrious Poster

Hello, Ira, for a start let's see where this takes us:
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply with a fresh hijackthis log too.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.

gerbil 216 Industrious Poster

Tricky. Was the eagle file meant to be of the actual warplane? Anyway, try running those scans in Safe mode.... and if they work there you might try running hijackthis again in normal mode - if it does then post that log [hijackthis run in safe mode leaves us a little blind because some processes are not started there]

gerbil 216 Industrious Poster

Yep, each core has 1 or 2 MB on chip for speed buffering, but not much will happen without some RAM.

gerbil 216 Industrious Poster

Ok, try just one 512MB stick... if it works just keep adding sticks and restarting, if it does not work try another....
I'm not going to try to second guess your mobo type... it's not one that has RAM dedicated to each processor is it?

gerbil 216 Industrious Poster

That error code indicates a kernel-mode application generated a memory access violation. I see that you have two RAM sticks so try pulling one, then swapping with the other [put the single stick in the first RAM slot..].
On the other hand it could be the actual application at fault - drivers. Can you try starting in Safe Mode.... note the last driver listed.