
Solved: can't access any files and programs.

Discussion in 'Malware and Virus Removal Archive' started by Maroan, 2008/11/09.

  1. 2008/11/15 noahdfear
    You will need to repeat the procedure previously used to run ComboFix, with the exception of using a CFScript to run ComboFix as outlined below.

    Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your C:\ drive (where ComboFix.exe is located) as;

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    File::
    c:\windows\system32\myrundll.exe
    c:\windows\system32\vapazefi.exe
    Folder::
    c:\program files\qfewbaf
    c:\documents and settings\All Users.WINDOWS\Application Data\zmtcpyhu
    c:\program files\cfexzjc
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.
     
  2. 2008/11/15 Maroan (thread starter)
    OK, done, and it worked successfully, but no changes... Still unable to run SubInACL...
    Should I post the ComboFix log?
     


  4. 2008/11/15 noahdfear
    Yes, post the log as requested.
     
  5. 2008/11/15 Maroan (thread starter)
    Sorry, it's late and I'm getting tired and frustrated!
    Here is the log:

    ComboFix 08-11-10.01 - Administrator 2008-11-15 22:27:20.6 - NTFSx86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.793 [GMT 1:00]
    Running from: C:\ComboFix.exe
    Command switches used :: C:\CFScript.txt

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    c:\windows\system32\myrundll.exe
    c:\windows\system32\vapazefi.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users.WINDOWS\Application Data\zmtcpyhu
    c:\program files\cfexzjc
    c:\program files\qfewbaf
    c:\windows\system32\myrundll.exe
    c:\windows\system32\vapazefi.exe

    .
    ((((((((((((((((((((((((( Files Created from 2008-10-15 to 2008-11-15 )))))))))))))))))))))))))))))))
    .

    2008-11-15 13:53 . 2008-11-15 13:53 <DIR> d-------- c:\documents and settings\Administrator.H-V6CG5K9NS9FZA\Application Data\WinPatrol
    2008-11-14 22:38 . 2008-11-14 22:38 16,244 --a------ c:\windows\system32\rrt_is.wav
    2008-11-14 22:38 . 2008-11-14 22:38 7,302 --a------ c:\windows\system32\rrt_vf.wav
    2008-11-14 22:38 . 2008-11-14 22:38 7,148 --a------ c:\windows\system32\rrt_tv.wav
    2008-11-14 22:38 . 2008-11-14 22:38 6,282 --a------ c:\windows\system32\rrt_tn.wav
    2008-11-14 18:43 . 2008-11-14 18:43 <DIR> d-------- c:\documents and settings\Hugues1
    2008-11-11 15:07 . 2008-11-11 15:06 3,044,628 -ra------ C:\ComboFix.exe
    2008-11-09 20:37 . 2008-11-09 20:37 <DIR> d-------- C:\rsit
    2008-11-09 18:30 . 2008-11-09 18:30 <DIR> d-------- c:\program files\Ace Utilities
    2008-11-09 17:48 . 2008-11-09 17:48 <DIR> d-------- c:\documents and settings\Guest
    2008-11-09 12:28 . 2004-08-04 00:56 33,280 --a------ c:\windows\system32\rundll32.exe
    2008-10-28 17:46 . 2008-10-28 17:46 <DIR> d--h----- c:\windows\system32\GroupPolicy
    2008-10-24 13:59 . 2008-10-15 17:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
    2008-10-17 03:03 . 2008-10-24 21:58 1,393 --a------ c:\windows\imsins.BAK
    2008-10-16 09:42 . 2008-08-14 11:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
    2008-10-16 09:42 . 2008-08-14 11:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
    2008-10-16 09:42 . 2008-08-14 10:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
    2008-10-16 09:42 . 2008-08-14 10:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
    2008-10-16 09:42 . 2008-09-15 13:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
    2008-10-16 09:42 . 2008-09-08 11:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-11-14 17:59 --------- d-----w c:\program files\SPAMfighter
    2008-11-13 21:09 --------- d-----w c:\documents and settings\Hugues.H-V6CG5K9NS9FZA\Application Data\Apple Computer
    2008-10-30 23:16 99,856 ----a-w c:\windows\system32\drivers\cmdguard.sys
    2008-10-30 23:16 31,504 ----a-w c:\windows\system32\drivers\cmdhlp.sys
    2008-10-30 23:16 143,096 ----a-w c:\windows\system32\guard32.dll
    2008-10-28 19:52 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
    2008-10-22 15:10 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
    2008-10-22 15:10 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
    2008-10-12 01:46 --------- d-----w c:\documents and settings\Hugues.H-V6CG5K9NS9FZA\Application Data\BitTorrent
    2008-10-03 14:48 --------- d-----w c:\program files\VDMSound
    2008-09-28 22:27 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Comodo
    2008-09-28 22:21 249,592 ----a-w c:\windows\system32\cssdll32.dll
    2008-09-28 22:21 --------- d-----w c:\program files\COMODO
    2008-09-28 22:21 --------- d-----w c:\program files\AskSBar
    2008-09-28 22:20 --------- d-----w c:\documents and settings\Hugues.H-V6CG5K9NS9FZA\Application Data\Comodo
    2008-09-26 13:35 --------- d-----w c:\documents and settings\Hugues.H-V6CG5K9NS9FZA\Application Data\SPAMfighter
    2008-09-23 15:46 245,408 ----a-w c:\windows\system32\unicows.dll
    2008-09-21 10:33 --------- d-----w c:\program files\Throttle
    2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
    2008-08-27 06:49 81,920 ----a-w c:\windows\system32\lgxypuzu.exe
    2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll
    2008-06-28 21:47 22,328 ----a-w c:\documents and settings\Hugues.H-V6CG5K9NS9FZA\Application Data\PnkBstrK.sys
    2007-03-30 22:44 356,352 ----a-w c:\documents and settings\Hugues.HOME\cwshredder.dll
    2006-10-08 13:36 81,920 -c--a-w c:\documents and settings\Hugues.HOME\Application Data\ezpinst.exe
    2006-10-08 13:36 47,360 -c--a-w c:\documents and settings\Hugues.HOME\Application Data\pcouffin.sys
    2006-01-31 15:28 85,428 -c--a-w c:\program files\Uninstal.exe
    2006-01-21 14:45 302 -c--a-w c:\program files\Utils.ini
    2006-01-21 13:28 1,655 -c--a-w c:\program files\Config.ini
    2006-01-15 20:28 2,238 -c--a-w c:\program files\chawkizzico.ico
    2005-09-09 18:55 7,155,864 -c--a-w c:\program files\NGhost10.msi
    2005-09-09 18:55 37,766,164 -c--a-w c:\program files\Data1.cab
    2005-09-09 18:55 35 -c--a-w c:\program files\SCSSDist.ini
    2004-09-28 02:00 26,240 ----a-w c:\windows\inf\RAMDSK.SYS
    2004-04-07 15:59 19 -c--a-w c:\program files\Answer.txt
    2003-07-12 02:58 777 -c--a-w c:\program files\trial_setup.ini
    2003-07-12 02:58 40,448 -c--a-w c:\program files\trial_setup.exe
    2003-07-12 02:58 4,226,048 -c--a-w c:\program files\trial_setup.msi
    2003-06-15 20:55 560 -c--a-w c:\program files\Global.sw
    2003-04-17 08:16 447,616 ----a-w c:\windows\inf\EL2K_N64.sys
    2003-04-17 08:15 147,328 ----a-w c:\windows\inf\EL2K_XP.sys
    2003-04-17 08:15 147,200 ----a-w c:\windows\inf\EL2K_2K.sys
    2001-06-03 07:35 395 -c--a-w c:\program files\Read_me_first.txt
    2001-05-31 23:02 40,582 -c--a-w c:\program files\060101.seu
    2001-05-31 23:01 8,198 -c--a-w c:\program files\Serials2000.nfo
    2001-05-31 23:01 528 -c--a-w c:\program files\file_id.diz
    .

    ((((((((((((((((((((((((((((( snapshot@2008-11-11_15.21.40.12 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-10-17 09:13:18 251,088 ----a-w c:\windows\system32\FNTCACHE.DAT
    + 2008-11-15 12:12:15 251,088 ----a-w c:\windows\system32\FNTCACHE.DAT
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    "MSMSGS "= "c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon "= "c:\windows\system32\NvCpl.dll" [2008-05-02 13529088]
    "WinPatrol "= "c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2008-10-09 333120]
    "AVG8_TRAY "= "c:\progra~1\AVG\AVG8\avgtray.exe" [2008-09-29 1234712]
    "AppleSyncNotifier "= "c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
    "QuickTime Task "= "c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
    "SPAMfighter Agent "= "c:\program files\SPAMfighter\SFAgent.exe" [2008-09-22 324232]
    "COMODO SafeSurf "= "c:\program files\COMODO\SafeSurf\cssurf.exe" [2008-09-28 278264]
    "COMODO Firewall Pro "= "c:\program files\COMODO\Firewall\cfp.exe" [2008-10-31 1797880]
    "COMODO Internet Security "= "c:\program files\COMODO\Firewall\cfp.exe" [2008-10-31 1797880]
    "Malwarebytes Anti-Malware (reboot) "= "c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2008-10-22 1261200]
    "RRT-Auto "= "c:\documents and settings\Administrator.H-V6CG5K9NS9FZA\My Documents\RRT\RRT.exe" [2008-09-07 140288]
    "nwiz "= "nwiz.exe" [2008-05-02 c:\windows\system32\nwiz.exe]
    "CTHelper "= "CTHELPER.EXE" [2006-08-11 c:\windows\CTHELPER.EXE]
    "CTxfiHlp "= "CTXFIHLP.EXE" [2006-08-11 c:\windows\system32\CTXFIHLP.EXE]

    c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
    Adobe Reader Hurtigstart.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2007-04-19 12:41 294912 c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --a------ 2008-04-14 01:12 1695232 c:\program files\messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    --a------ 2008-05-02 21:46 86016 c:\windows\system32\nvmctray.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
    --a------ 2008-05-28 09:33 1506544 c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "PnkBstrA "=2 (0x2)
    "PACSPTISVR "=3 (0x3)
    "MSCSPTISRV "=3 (0x3)
    "IDriverT "=3 (0x3)
    "IcVzMonLauncher "=3 (0x3)
    "Bonjour Service "=2 (0x2)
    "AcrSch2Svc "=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\messenger\\msmsgs.exe "=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe "=
    "c:\\Program Files\\AVG\\AVG8\\avgemc.exe "=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe "=
    "c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe "=
    "c:\\WINDOWS\\system32\\PnkBstrA.exe "=
    "c:\\WINDOWS\\system32\\PnkBstrB.exe "=
    "c:\\Program Files\\iTunes\\iTunes.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe "=
    "c:\\Program Files\\BitTorrent\\bittorrent.exe "=

    R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2008-10-31 31504]
    S0 NVStrap;NVStrap;c:\windows\system32\drivers\NVStrap.sys [2007-04-29 4224]
    S0 rhpxenoo;rhpxenoo;c:\windows\system32\drivers\gsmw.sys [ ]
    S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-08-29 97928]
    S1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2008-10-31 99856]
    S2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-08-29 875288]
    S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-08-29 231704]
    S2 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-07-03 76040]
    S2 SPAMfighter Update Service;SPAMfighter Update Service;c:\program files\SPAMfighter\sfus.exe [2008-09-22 184968]
    S3 HWV;HWV;c:\docume~1\HUGUES~1.H-V\LOCALS~1\Temp\HWV.exe [ ]
    S3 ICScsiSV;Image Converter SCSI Service;c:\program files\Sony\IMAGE CONVERTER 3\ICScsiSV.exe [2007-01-26 75952]
    S3 Image Converter video recording monitor for VAIO Entertainment;Image Converter video recording monitor for VAIO Entertainment;c:\program files\Sony\IMAGE CONVERTER 3\IcVzMon.exe [2007-01-26 43184]
    S3 MovRVDrv32;MovRVDrv32;c:\windows\system32\DRIVERS\MovRVDrv32.sys [2007-12-14 3768]
    S3 MRUHNY;MRUHNY;c:\docume~1\HUGUES~1.H-V\LOCALS~1\Temp\MRUHNY.exe [ ]
    S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-01-25 42000]
    S3 SndTDriverV32;SndTDriverV32;c:\windows\system32\drivers\SndTDriverV32.sys [2007-12-14 513152]
    S4 IcVzMonLauncher;IcVzMonLauncher;c:\program files\Sony\IMAGE CONVERTER 3\IcVzMonLauncher.exe [2007-01-26 67760]
    .
    Contents of the 'Scheduled Tasks' folder

    2008-11-05 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

    2008-10-07 c:\windows\Tasks\ParetoLogic Registration.job
    - c:\windows\system32\rundll32.exe [2004-08-04 00:56]
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-11-15 22:32:11
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-11-15 22:33:41
    ComboFix-quarantined-files.txt 2008-11-15 21:33:37
    ComboFix2.txt 2008-11-11 19:45:29
    ComboFix3.txt 2008-11-11 14:22:13
    ComboFix4.txt 2008-11-09 11:38:28
    ComboFix5.txt 2008-11-15 21:26:11

    Pre-Run: 11,086,909,440 bytes free
    Post-Run: 11,144,421,376 bytes free

    196


    By the way, I have found this, which can let you see what I see when I am looking at my administrator's rights; it might help you get a clue...

    http://windowsnetworking.com/articles_tutorials/wxppfsec.html

    Picture seven shows a security window, with the administrator highlighted and all his possibilities marked (crossed?) but shaded...
     
  6. 2008/11/15 noahdfear
    Looks as though we are making progress, though I know it may not seem that way to you. There are things showing up now that previously did not. Try this from your account, safe mode again only if necessary.

    Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it next to ComboFix.exe as;

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    c:\windows\system32\lgxypuzu.exe
    c:\windows\system32\rrt_is.wav
    c:\windows\system32\rrt_vf.wav
    c:\windows\system32\rrt_tv.wav
    c:\windows\system32\rrt_tn.wav
    Rootkit::
    c:\windows\system32\drivers\gsmw.sys
    Driver::
    rhpxenoo
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.
     
  7. 2008/11/15 Maroan (thread starter)
    Well, I must say ComboFix is an amazing program... It restarted my computer and I forgot that the scan was done in safe mode (I tried, after the last ComboFix run, to start in normal mode, with the same result) and the computer restarted in normal mode. I had to restart the computer from the task manager (I'm not allowed to shut down the computer either!) and went into safe mode. And ComboFix was there, generating the log! Amazing...

    Anyway.. Here is the last log:

    ComboFix 08-11-10.01 - Hugues 2008-11-16 1:50:39.7 - NTFSx86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.794 [GMT 1:00]
    Running from: C:\ComboFix.exe
    Command switches used :: C:\CFScript.txt

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_rhpxenoo


    ((((((((((((((((((((((((( Files Created from 2008-10-16 to 2008-11-16 )))))))))))))))))))))))))))))))
    .

    2008-11-15 23:30 . 2008-11-15 23:30 <DIR> d-------- c:\program files\Spybot - Search & Destroy
    2008-11-15 23:30 . 2008-11-15 23:34 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
    2008-11-15 13:53 . 2008-11-15 13:53 <DIR> d-------- c:\documents and settings\Administrator.H-V6CG5K9NS9FZA\Application Data\WinPatrol
    2008-11-14 22:38 . 2008-11-14 22:38 16,244 --a------ c:\windows\system32\rrt_is.wav
    2008-11-14 22:38 . 2008-11-14 22:38 7,302 --a------ c:\windows\system32\rrt_vf.wav
    2008-11-14 22:38 . 2008-11-14 22:38 7,148 --a------ c:\windows\system32\rrt_tv.wav
    2008-11-14 22:38 . 2008-11-14 22:38 6,282 --a------ c:\windows\system32\rrt_tn.wav
    2008-11-14 18:43 . 2008-11-14 18:43 <DIR> d-------- c:\documents and settings\Hugues1
    2008-11-11 15:07 . 2008-11-11 15:06 3,044,628 -ra------ C:\ComboFix.exe
    2008-11-09 20:37 . 2008-11-09 20:37 <DIR> d-------- C:\rsit
    2008-11-09 18:30 . 2008-11-09 18:30 <DIR> d-------- c:\program files\Ace Utilities
    2008-11-09 17:48 . 2008-11-09 17:48 <DIR> d-------- c:\documents and settings\Guest
    2008-11-09 12:28 . 2004-08-04 00:56 33,280 --a------ c:\windows\system32\rundll32.exe
    2008-10-28 17:46 . 2008-10-28 17:46 <DIR> d--h----- c:\windows\system32\GroupPolicy
    2008-10-24 13:59 . 2008-10-15 17:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
    2008-10-17 03:03 . 2008-10-24 21:58 1,393 --a------ c:\windows\imsins.BAK
    2008-10-16 09:42 . 2008-08-14 11:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
    2008-10-16 09:42 . 2008-08-14 11:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
    2008-10-16 09:42 . 2008-08-14 10:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
    2008-10-16 09:42 . 2008-08-14 10:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
    2008-10-16 09:42 . 2008-09-15 13:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
    2008-10-16 09:42 . 2008-09-08 11:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-11-16 00:57 --------- d-----w c:\program files\SPAMfighter
    2008-11-13 21:09 --------- d-----w c:\documents and settings\Hugues.H-V6CG5K9NS9FZA\Application Data\Apple Computer
    2008-10-30 23:16 99,856 ----a-w c:\windows\system32\drivers\cmdguard.sys
    2008-10-30 23:16 31,504 ----a-w c:\windows\system32\drivers\cmdhlp.sys
    2008-10-28 19:52 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
    2008-10-22 15:10 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
    2008-10-22 15:10 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
    2008-10-12 01:46 --------- d-----w c:\documents and settings\Hugues.H-V6CG5K9NS9FZA\Application Data\BitTorrent
    2008-10-03 14:48 --------- d-----w c:\program files\VDMSound
    2008-09-28 22:27 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Comodo
    2008-09-28 22:21 --------- d-----w c:\program files\COMODO
    2008-09-28 22:21 --------- d-----w c:\program files\AskSBar
    2008-09-28 22:20 --------- d-----w c:\documents and settings\Hugues.H-V6CG5K9NS9FZA\Application Data\Comodo
    2008-09-26 13:35 --------- d-----w c:\documents and settings\Hugues.H-V6CG5K9NS9FZA\Application Data\SPAMfighter
    2008-09-21 10:33 --------- d-----w c:\program files\Throttle
    2008-06-28 21:47 22,328 ----a-w c:\documents and settings\Hugues.H-V6CG5K9NS9FZA\Application Data\PnkBstrK.sys
    2007-03-30 22:44 356,352 ----a-w c:\documents and settings\Hugues.HOME\cwshredder.dll
    2006-10-08 13:36 81,920 -c--a-w c:\documents and settings\Hugues.HOME\Application Data\ezpinst.exe
    2006-10-08 13:36 47,360 -c--a-w c:\documents and settings\Hugues.HOME\Application Data\pcouffin.sys
    2006-01-31 15:28 85,428 -c--a-w c:\program files\Uninstal.exe
    2006-01-21 14:45 302 -c--a-w c:\program files\Utils.ini
    2006-01-21 13:28 1,655 -c--a-w c:\program files\Config.ini
    2006-01-15 20:28 2,238 -c--a-w c:\program files\chawkizzico.ico
    2005-09-09 18:55 7,155,864 -c--a-w c:\program files\NGhost10.msi
    2005-09-09 18:55 37,766,164 -c--a-w c:\program files\Data1.cab
    2005-09-09 18:55 35 -c--a-w c:\program files\SCSSDist.ini
    2004-04-07 15:59 19 -c--a-w c:\program files\Answer.txt
    2003-07-12 02:58 777 -c--a-w c:\program files\trial_setup.ini
    2003-07-12 02:58 40,448 -c--a-w c:\program files\trial_setup.exe
    2003-07-12 02:58 4,226,048 -c--a-w c:\program files\trial_setup.msi
    2003-06-15 20:55 560 -c--a-w c:\program files\Global.sw
    2001-06-03 07:35 395 -c--a-w c:\program files\Read_me_first.txt
    2001-05-31 23:02 40,582 -c--a-w c:\program files\060101.seu
    2001-05-31 23:01 8,198 -c--a-w c:\program files\Serials2000.nfo
    2001-05-31 23:01 528 -c--a-w c:\program files\file_id.diz
    .

    ((((((((((((((((((((((((((((( snapshot@2008-11-11_15.21.40.12 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-11-15 12:45:06 170,956 ----a-w c:\windows\PCHEALTH\HELPCTR\Config\Cache\Professional_32_1033.dat
    + 2008-11-15 12:45:06 170,956 ----a-w c:\windows\PCHEALTH\HELPCTR\Config\Cache\Professional_32_1033.dat.bak
    - 2008-10-17 09:13:18 251,088 ----a-w c:\windows\system32\FNTCACHE.DAT
    + 2008-11-15 12:12:15 251,088 ----a-w c:\windows\system32\FNTCACHE.DAT
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    "MsnMsgr "= "c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
    "NVIDIA nTune "= "c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-04-04 81920]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon "= "c:\windows\system32\NvCpl.dll" [2008-05-02 13529088]
    "WinPatrol "= "c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2008-10-09 333120]
    "AVG8_TRAY "= "c:\progra~1\AVG\AVG8\avgtray.exe" [2008-09-29 1234712]
    "AppleSyncNotifier "= "c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
    "QuickTime Task "= "c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
    "SPAMfighter Agent "= "c:\program files\SPAMfighter\SFAgent.exe" [2008-09-22 324232]
    "COMODO SafeSurf "= "c:\program files\COMODO\SafeSurf\cssurf.exe" [2008-09-28 278264]
    "COMODO Firewall Pro "= "c:\program files\COMODO\Firewall\cfp.exe" [2008-10-31 1797880]
    "COMODO Internet Security "= "c:\program files\COMODO\Firewall\cfp.exe" [2008-10-31 1797880]
    "Malwarebytes Anti-Malware (reboot) "= "c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2008-10-22 1261200]
    "RRT-Auto "= "c:\documents and settings\Administrator.H-V6CG5K9NS9FZA\My Documents\RRT\RRT.exe" [2008-09-07 140288]
    "nwiz "= "nwiz.exe" [2008-05-02 c:\windows\system32\nwiz.exe]
    "CTHelper "= "CTHELPER.EXE" [2006-08-11 c:\windows\CTHELPER.EXE]
    "CTxfiHlp "= "CTXFIHLP.EXE" [2006-08-11 c:\windows\system32\CTXFIHLP.EXE]

    c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
    Adobe Reader Hurtigstart.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2007-04-19 12:41 294912 c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --a------ 2008-04-14 01:12 1695232 c:\program files\messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    --a------ 2008-05-02 21:46 86016 c:\windows\system32\nvmctray.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
    --a------ 2008-05-28 09:33 1506544 c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "PnkBstrA "=2 (0x2)
    "PACSPTISVR "=3 (0x3)
    "MSCSPTISRV "=3 (0x3)
    "IDriverT "=3 (0x3)
    "IcVzMonLauncher "=3 (0x3)
    "Bonjour Service "=2 (0x2)
    "AcrSch2Svc "=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\messenger\\msmsgs.exe "=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe "=
    "c:\\Program Files\\AVG\\AVG8\\avgemc.exe "=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe "=
    "c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe "=
    "c:\\WINDOWS\\system32\\PnkBstrA.exe "=
    "c:\\WINDOWS\\system32\\PnkBstrB.exe "=
    "c:\\Program Files\\iTunes\\iTunes.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe "=
    "c:\\Program Files\\BitTorrent\\bittorrent.exe "=

    R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2008-10-31 31504]
    S0 NVStrap;NVStrap;c:\windows\system32\drivers\NVStrap.sys [2007-04-29 4224]
    S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-08-29 97928]
    S1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2008-10-31 99856]
    S2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-08-29 875288]
    S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-08-29 231704]
    S2 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-07-03 76040]
    S2 SPAMfighter Update Service;SPAMfighter Update Service;c:\program files\SPAMfighter\sfus.exe [2008-09-22 184968]
    S3 HWV;HWV;c:\docume~1\HUGUES~1.H-V\LOCALS~1\Temp\HWV.exe [ ]
    S3 ICScsiSV;Image Converter SCSI Service;c:\program files\Sony\IMAGE CONVERTER 3\ICScsiSV.exe [2007-01-26 75952]
    S3 Image Converter video recording monitor for VAIO Entertainment;Image Converter video recording monitor for VAIO Entertainment;c:\program files\Sony\IMAGE CONVERTER 3\IcVzMon.exe [2007-01-26 43184]
    S3 MovRVDrv32;MovRVDrv32;c:\windows\system32\DRIVERS\MovRVDrv32.sys [2007-12-14 3768]
    S3 MRUHNY;MRUHNY;c:\docume~1\HUGUES~1.H-V\LOCALS~1\Temp\MRUHNY.exe [ ]
    S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-01-25 42000]
    S3 SndTDriverV32;SndTDriverV32;c:\windows\system32\drivers\SndTDriverV32.sys [2007-12-14 513152]
    S4 IcVzMonLauncher;IcVzMonLauncher;c:\program files\Sony\IMAGE CONVERTER 3\IcVzMonLauncher.exe [2007-01-26 67760]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c3e8e338-0747-11dd-b614-000c6e411f09}]
    \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
    .
    Contents of the 'Scheduled Tasks' folder

    2008-11-05 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

    2008-10-07 c:\windows\Tasks\ParetoLogic Registration.job
    - c:\windows\system32\rundll32.exe [2004-08-04 00:56]
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-11-16 02:03:01
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-11-16 2:08:42 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-11-16 01:08:39
    ComboFix2.txt 2008-11-11 19:45:29
    ComboFix3.txt 2008-11-11 14:22:13
    ComboFix4.txt 2008-11-09 11:38:28
    ComboFix5.txt 2008-11-15 21:26:11

    Pre-Run: 11.069.775.872 bytes free
    Post-Run: 11,058,991,104 bytes free

    187
     
  8. 2008/11/15 noahdfear
    ComboFix, when run, is account specific on restart. ;)

    Do you recognize this? Is it a valid account name on the computer?
    c:\documents and settings\Hugues1
     
  9. 2008/11/15 Maroan (thread starter)
    Yes, it is an account I have tried to create to regain control of my computer, but without luck...
     
  10. 2008/11/15 noahdfear
    Appears the last CFScript was not correct or something. It does not show the files as having been targeted. Please run this one from your account.

    Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it next to ComboFix.exe as;

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    KillAll::
    File::
    c:\windows\system32\rrt_is.wav
    c:\windows\system32\rrt_vf.wav
    c:\windows\system32\rrt_tv.wav
    c:\windows\system32\rrt_tn.wav
    c:\windows\Tasks\ParetoLogic Registration.job
    Driver::
    MRUHNY
    HWV
    Registry::
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c3e8e338-0747-11dd-b614-000c6e411f09}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Malwarebytes Anti-Malware (reboot)"=-
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    **NOTE - Allow ComboFix to update if prompted.
     
  11. 2008/11/15
    Maroan

    Maroan Inactive Thread Starter

    Joined:
    2008/11/09
    Messages:
    75
    Likes Received:
    0
    I saw it as well after I posted the log! I did a new scan, but the deleted entries didn't show up.....

    I'll run the new script right away and post the log.
     
  12. 2008/11/15
    Maroan

    Maroan Inactive Thread Starter

    Joined:
    2008/11/09
    Messages:
    75
    Likes Received:
    0
    This time the script worked.
    Here is the log:

    ComboFix 08-11-10.01 - Hugues 2008-11-16 2:55:44.10 - NTFSx86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.744 [GMT 1:00]
    Running from: C:\ComboFix.exe
    Command switches used :: C:\CFScript.txt

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    c:\windows\system32\rrt_is.wav
    c:\windows\system32\rrt_tn.wav
    c:\windows\system32\rrt_tv.wav
    c:\windows\system32\rrt_vf.wav
    c:\windows\Tasks\ParetoLogic Registration.job
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\rrt_is.wav
    c:\windows\system32\rrt_tn.wav
    c:\windows\system32\rrt_tv.wav
    c:\windows\system32\rrt_vf.wav
    c:\windows\Tasks\ParetoLogic Registration.job

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_HWV
    -------\Legacy_MRUHNY
    -------\Service_HWV
    -------\Service_MRUHNY


    ((((((((((((((((((((((((( Files Created from 2008-10-16 to 2008-11-16 )))))))))))))))))))))))))))))))
    .

    2008-11-15 23:30 . 2008-11-15 23:30 <DIR> d-------- c:\program files\Spybot - Search & Destroy
    2008-11-15 23:30 . 2008-11-15 23:34 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
    2008-11-15 13:53 . 2008-11-15 13:53 <DIR> d-------- c:\documents and settings\Administrator.H-V6CG5K9NS9FZA\Application Data\WinPatrol
    2008-11-14 18:43 . 2008-11-14 18:43 <DIR> d-------- c:\documents and settings\Hugues1
    2008-11-11 15:07 . 2008-11-11 15:06 3,044,628 -ra------ C:\ComboFix.exe
    2008-11-09 20:37 . 2008-11-09 20:37 <DIR> d-------- C:\rsit
    2008-11-09 18:30 . 2008-11-09 18:30 <DIR> d-------- c:\program files\Ace Utilities
    2008-11-09 17:48 . 2008-11-09 17:48 <DIR> d-------- c:\documents and settings\Guest
    2008-11-09 12:28 . 2004-08-04 00:56 33,280 --a------ c:\windows\system32\rundll32.exe
    2008-10-28 17:46 . 2008-10-28 17:46 <DIR> d--h----- c:\windows\system32\GroupPolicy
    2008-10-24 13:59 . 2008-10-15 17:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
    2008-10-17 03:03 . 2008-10-24 21:58 1,393 --a------ c:\windows\imsins.BAK
    2008-10-16 09:42 . 2008-08-14 11:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
    2008-10-16 09:42 . 2008-08-14 11:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
    2008-10-16 09:42 . 2008-08-14 10:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
    2008-10-16 09:42 . 2008-08-14 10:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
    2008-10-16 09:42 . 2008-09-15 13:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
    2008-10-16 09:42 . 2008-09-08 11:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-11-16 00:57 --------- d-----w c:\program files\SPAMfighter
    2008-11-13 21:09 --------- d-----w c:\documents and settings\Hugues.H-V6CG5K9NS9FZA\Application Data\Apple Computer
    2008-10-30 23:16 99,856 ----a-w c:\windows\system32\drivers\cmdguard.sys
    2008-10-30 23:16 31,504 ----a-w c:\windows\system32\drivers\cmdhlp.sys
    2008-10-28 19:52 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
    2008-10-22 15:10 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
    2008-10-22 15:10 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
    2008-10-12 01:46 --------- d-----w c:\documents and settings\Hugues.H-V6CG5K9NS9FZA\Application Data\BitTorrent
    2008-10-03 14:48 --------- d-----w c:\program files\VDMSound
    2008-09-28 22:27 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Comodo
    2008-09-28 22:21 --------- d-----w c:\program files\COMODO
    2008-09-28 22:21 --------- d-----w c:\program files\AskSBar
    2008-09-28 22:20 --------- d-----w c:\documents and settings\Hugues.H-V6CG5K9NS9FZA\Application Data\Comodo
    2008-09-26 13:35 --------- d-----w c:\documents and settings\Hugues.H-V6CG5K9NS9FZA\Application Data\SPAMfighter
    2008-09-21 10:33 --------- d-----w c:\program files\Throttle
    2008-06-28 21:47 22,328 ----a-w c:\documents and settings\Hugues.H-V6CG5K9NS9FZA\Application Data\PnkBstrK.sys
    2007-03-30 22:44 356,352 ----a-w c:\documents and settings\Hugues.HOME\cwshredder.dll
    2006-10-08 13:36 81,920 -c--a-w c:\documents and settings\Hugues.HOME\Application Data\ezpinst.exe
    2006-10-08 13:36 47,360 -c--a-w c:\documents and settings\Hugues.HOME\Application Data\pcouffin.sys
    2006-01-31 15:28 85,428 -c--a-w c:\program files\Uninstal.exe
    2006-01-21 14:45 302 -c--a-w c:\program files\Utils.ini
    2006-01-21 13:28 1,655 -c--a-w c:\program files\Config.ini
    2006-01-15 20:28 2,238 -c--a-w c:\program files\chawkizzico.ico
    2005-09-09 18:55 7,155,864 -c--a-w c:\program files\NGhost10.msi
    2005-09-09 18:55 37,766,164 -c--a-w c:\program files\Data1.cab
    2005-09-09 18:55 35 -c--a-w c:\program files\SCSSDist.ini
    2004-04-07 15:59 19 -c--a-w c:\program files\Answer.txt
    2003-07-12 02:58 777 -c--a-w c:\program files\trial_setup.ini
    2003-07-12 02:58 40,448 -c--a-w c:\program files\trial_setup.exe
    2003-07-12 02:58 4,226,048 -c--a-w c:\program files\trial_setup.msi
    2003-06-15 20:55 560 -c--a-w c:\program files\Global.sw
    2003-04-17 08:16 447,616 ----a-w c:\windows\inf\EL2K_N64.sys
    2003-04-17 08:15 147,328 ----a-w c:\windows\inf\EL2K_XP.sys
    2003-04-17 08:15 147,200 ----a-w c:\windows\inf\EL2K_2K.sys
    2001-06-03 07:35 395 -c--a-w c:\program files\Read_me_first.txt
    2001-05-31 23:02 40,582 -c--a-w c:\program files\060101.seu
    2001-05-31 23:01 8,198 -c--a-w c:\program files\Serials2000.nfo
    2001-05-31 23:01 528 -c--a-w c:\program files\file_id.diz
    .

    ((((((((((((((((((((((((((((( snapshot@2008-11-11_15.21.40.12 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-11-15 12:45:06 170,956 ----a-w c:\windows\PCHEALTH\HELPCTR\Config\Cache\Professional_32_1033.dat
    + 2008-11-15 12:45:06 170,956 ----a-w c:\windows\PCHEALTH\HELPCTR\Config\Cache\Professional_32_1033.dat.bak
    - 2008-10-17 09:13:18 251,088 ----a-w c:\windows\system32\FNTCACHE.DAT
    + 2008-11-15 12:12:15 251,088 ----a-w c:\windows\system32\FNTCACHE.DAT
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    "MsnMsgr "= "c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
    "NVIDIA nTune "= "c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-04-04 81920]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon "= "c:\windows\system32\NvCpl.dll" [2008-05-02 13529088]
    "WinPatrol "= "c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2008-10-09 333120]
    "AVG8_TRAY "= "c:\progra~1\AVG\AVG8\avgtray.exe" [2008-09-29 1234712]
    "AppleSyncNotifier "= "c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
    "QuickTime Task "= "c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
    "SPAMfighter Agent "= "c:\program files\SPAMfighter\SFAgent.exe" [2008-09-22 324232]
    "COMODO SafeSurf "= "c:\program files\COMODO\SafeSurf\cssurf.exe" [2008-09-28 278264]
    "COMODO Firewall Pro "= "c:\program files\COMODO\Firewall\cfp.exe" [2008-10-31 1797880]
    "COMODO Internet Security "= "c:\program files\COMODO\Firewall\cfp.exe" [2008-10-31 1797880]
    "RRT-Auto "= "c:\documents and settings\Administrator.H-V6CG5K9NS9FZA\My Documents\RRT\RRT.exe" [2008-09-07 140288]
    "nwiz "= "nwiz.exe" [2008-05-02 c:\windows\system32\nwiz.exe]
    "CTHelper "= "CTHELPER.EXE" [2006-08-11 c:\windows\CTHELPER.EXE]
    "CTxfiHlp "= "CTXFIHLP.EXE" [2006-08-11 c:\windows\system32\CTXFIHLP.EXE]

    c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
    Adobe Reader Hurtigstart.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2007-04-19 12:41 294912 c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --a------ 2008-04-14 01:12 1695232 c:\program files\messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    --a------ 2008-05-02 21:46 86016 c:\windows\system32\nvmctray.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
    --a------ 2008-05-28 09:33 1506544 c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "PnkBstrA "=2 (0x2)
    "PACSPTISVR "=3 (0x3)
    "MSCSPTISRV "=3 (0x3)
    "IDriverT "=3 (0x3)
    "IcVzMonLauncher "=3 (0x3)
    "Bonjour Service "=2 (0x2)
    "AcrSch2Svc "=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\messenger\\msmsgs.exe "=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe "=
    "c:\\Program Files\\AVG\\AVG8\\avgemc.exe "=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe "=
    "c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe "=
    "c:\\WINDOWS\\system32\\PnkBstrA.exe "=
    "c:\\WINDOWS\\system32\\PnkBstrB.exe "=
    "c:\\Program Files\\iTunes\\iTunes.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe "=
    "c:\\Program Files\\BitTorrent\\bittorrent.exe "=

    R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2008-10-31 31504]
    S0 NVStrap;NVStrap;c:\windows\system32\drivers\NVStrap.sys [2007-04-29 4224]
    S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-08-29 97928]
    S1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2008-10-31 99856]
    S2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-08-29 875288]
    S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-08-29 231704]
    S2 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-07-03 76040]
    S2 SPAMfighter Update Service;SPAMfighter Update Service;c:\program files\SPAMfighter\sfus.exe [2008-09-22 184968]
    S3 ICScsiSV;Image Converter SCSI Service;c:\program files\Sony\IMAGE CONVERTER 3\ICScsiSV.exe [2007-01-26 75952]
    S3 Image Converter video recording monitor for VAIO Entertainment;Image Converter video recording monitor for VAIO Entertainment;c:\program files\Sony\IMAGE CONVERTER 3\IcVzMon.exe [2007-01-26 43184]
    S3 MovRVDrv32;MovRVDrv32;c:\windows\system32\DRIVERS\MovRVDrv32.sys [2007-12-14 3768]
    S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-01-25 42000]
    S3 SndTDriverV32;SndTDriverV32;c:\windows\system32\drivers\SndTDriverV32.sys [2007-12-14 513152]
    S4 IcVzMonLauncher;IcVzMonLauncher;c:\program files\Sony\IMAGE CONVERTER 3\IcVzMonLauncher.exe [2007-01-26 67760]
    .
    Contents of the 'Scheduled Tasks' folder

    2008-11-05 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-11-16 02:59:53
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-11-16 3:05:34 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-11-16 02:05:31
    ComboFix2.txt 2008-11-16 01:46:27
    ComboFix3.txt 2008-11-11 19:45:29
    ComboFix4.txt 2008-11-11 14:22:13
    ComboFix5.txt 2008-11-16 01:55:13

    Pre-Run: 11.069.599.744 bytes free
    Post-Run: 11,050,176,512 bytes free

    193
     
  13. 2008/11/15
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Appears that ran from your account in normal mode. Is that correct? If so, can we call this progress? :)

    Can you install SubInACL now, or do you still get an error? Error is about lacking permissions?
     
  14. 2008/11/15
    Maroan

    Maroan Inactive Thread Starter

    Joined:
    2008/11/09
    Messages:
    75
    Likes Received:
    0
    Still same error. And yes it seems to be about lacking permissions... :-(
     
  15. 2008/11/15
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please go here and in the right column there is a link to Download Runsubinacl for IE7. Save that to your drive and run it, then reboot.

    Restart again after you've logged on, then go to safe mode, Administrator account.
    Open User Accounts and change yours to Limited.
    Restart and logon to your account.
    Restart and go back to safe mode - Admin and change your account to Administrator, then see if there's any change in normal mode.

    Do you have Winrar?
     
  16. 2008/11/16
    Maroan

    Maroan Inactive Thread Starter

    Joined:
    2008/11/09
    Messages:
    75
    Likes Received:
    0
    Well this time the program worked... I just did as you wrote, but when I came back to safe mode and tried to change my account's properties, my account was gone! Well, it's still gone in fact. I can see it through My Computer>Properties>Advanced>User Profiles-Settings and that's it! Hmmm.. What went wrong I really don't know...
     
  17. 2008/11/16
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Gone? :eek:
    From the User Profiles dialog, what type and status does it show to be?
    Is the other account you created still showing in User Accounts?
    Please verify that your user profile folder still resides in C:\Documents and Settings. See if you can copy the entire folder to C:\

    Highlight and copy the contents of the code box below.
    Code:
    reg query HKLM\SOFTWARE\Policies /s>check.txt
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy" /s>>check.txt
    start notepad check.txt
    exit
    cls
    
    Click Start>Run and type cmd then hit enter to open a command window. Right click in the command window and select paste. The command window will close on its own and a log will open. Post the contents of that log.
     
  18. 2008/11/16
    Maroan

    Maroan Inactive Thread Starter

    Joined:
    2008/11/09
    Messages:
    75
    Likes Received:
    0
    From the user profile dialog there's only the administrator and the user I have created..
    I'll try the next step you showed me and post the log as soon as I can.. Right now I am mad! lol All my passwords are in this user's folder!
     
  19. 2008/11/16
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please copy and paste the contents of the code box below into a command window and post the resulting text file.

    Code:
    reg query HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot>safe.txt
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment">>safe.txt
    reg query HKCU\Environment>>safe.txt
    start notepad safe.txt
    exit
    cls
    
     
  20. 2008/11/16
    Maroan

    Maroan Inactive Thread Starter

    Joined:
    2008/11/09
    Messages:
    75
    Likes Received:
    0
    Here is the result:


    ! REG.EXE VERSION 3.0

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
    AlternateShell REG_SZ cmd.exe

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Option

    ! REG.EXE VERSION 3.0

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
    ComSpec REG_EXPAND_SZ %SystemRoot%\system32\cmd.exe
    Path REG_EXPAND_SZ %systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Program Files\QuickTime\QTSystem;C:\Program Files\VDMSound
    windir REG_EXPAND_SZ %SystemRoot%
    OS REG_SZ Windows_NT
    PROCESSOR_ARCHITECTURE REG_SZ x86
    PROCESSOR_LEVEL REG_SZ 15
    PROCESSOR_IDENTIFIER REG_SZ x86 Family 15 Model 2 Stepping 9, GenuineIntel
    PROCESSOR_REVISION REG_SZ 0209
    NUMBER_OF_PROCESSORS REG_SZ 2
    PATHEXT REG_SZ .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    TEMP REG_EXPAND_SZ %SystemRoot%\TEMP
    TMP REG_EXPAND_SZ %SystemRoot%\TEMP
    FP_NO_HOST_CHECK REG_SZ NO
    CLASSPATH REG_SZ .;C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
    QTJAVA REG_SZ C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
    VDMSPath REG_EXPAND_SZ C:\Program Files\VDMSound
    SAFEBOOT_OPTION REG_SZ NETWORK

    ! REG.EXE VERSION 3.0

    HKEY_CURRENT_USER\Environment
    TEMP REG_EXPAND_SZ %USERPROFILE%\Local Settings\Temp
    TMP REG_EXPAND_SZ %USERPROFILE%\Local Settings\Temp
     
  21. 2008/11/16
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Highlight and copy the contents of the code box below to a blank notepad. Save it to the desktop as;

    Filename: fix.reg
    Save as type: All Files (*.*)

    Code:
    REGEDIT4
    
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Option]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment]
    "SAFEBOOT_OPTION"=-
    
    Double click fix.reg and allow it to merge with the registry, then delete fix.reg.


    Right click My Computer and select Properties
    Select the Advanced tab
    Click Environment Variables button
    Scroll through the list and look for an entry that says SAFEBOOT_OPTION
    If found, delete the SAFEBOOT_OPTION entry (and only that entry).

    Restart the machine and see if things appear to be normal again.
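    The diagnostic and fix in the last three posts (dump the SafeBoot and Environment keys with reg query, read the output, then merge a .reg that deletes the leftovers) as an added Python example. This is not code from the thread or from noahdfear's procedure: it parses a constructed copy of the REG.EXE output posted above, flags the SafeBoot\Option key and the SAFEBOOT_OPTION value that keep the machine booting into Safe Mode (the ComboFix header shows "NETWORK" for the same reason), and renders a REGEDIT4 fix of the kind posted above. Checking HKCU\Environment as well is my assumption, not something the thread does.

```python
"""Parse `reg query` output and flag the Safe Mode leftovers discussed in this
thread. Added example, not the thread's own code; key and value names are those
posted above, the sample text is a constructed abridgement of the posted output."""
import re

SAFEBOOT_OPTION_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Option"
ENVIRONMENT_KEYS = (
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment",
    r"HKEY_CURRENT_USER\Environment",  # assumption: the per-user copy is worth checking too
)

# Constructed sample, abridged from the REG.EXE 3.0 output posted above.
SAMPLE_OUTPUT = r"""
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
AlternateShell REG_SZ cmd.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Option

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
ComSpec REG_EXPAND_SZ %SystemRoot%\system32\cmd.exe
OS REG_SZ Windows_NT
PROCESSOR_IDENTIFIER REG_SZ x86 Family 15 Model 2 Stepping 9, GenuineIntel
SAFEBOOT_OPTION REG_SZ NETWORK

! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Environment
TEMP REG_EXPAND_SZ %USERPROFILE%\Local Settings\Temp
"""

# name, REG_* type, optional data (data may itself contain spaces, e.g. Path)
_VALUE_RE = re.compile(r"^\s*(.+?)\s+(REG_[A-Z_]+)(?:\s+(.*))?$")


def parse_reg_query(text):
    """Return {key: {value_name: (type, data)}}.

    Handles both the real layout (values indented under their key) and the
    flattened copy in the thread (no indentation): a line is a key if it starts
    with HKEY_ and carries no REG_* type token, otherwise it is a value line.
    Keys with no values are kept, because the mere presence of SafeBoot\Option
    is what matters here.
    """
    registry, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):  # blank line or REG.EXE banner
            continue
        value = _VALUE_RE.match(line)
        if line.startswith("HKEY_") and value is None:
            current = line
            registry.setdefault(current, {})
        elif value and current is not None:
            name, vtype, data = value.groups()
            registry[current][name] = (vtype, data or "")
    return registry


def _get_key(registry, wanted):
    """Case-insensitive lookup; registry key names are not case-sensitive."""
    for key, values in registry.items():
        if key.lower() == wanted.lower():
            return key, values
    return None, None


def find_safeboot_leftovers(registry):
    """List (kind, key, value_name) entries that keep the box starting in Safe Mode."""
    findings = []
    key, _ = _get_key(registry, SAFEBOOT_OPTION_KEY)
    if key is not None:
        findings.append(("key", key, None))
    for env_key in ENVIRONMENT_KEYS:
        key, values = _get_key(registry, env_key)
        if values and any(n.upper() == "SAFEBOOT_OPTION" for n in values):
            findings.append(("value", key, "SAFEBOOT_OPTION"))
    return findings


def build_fix_reg(findings):
    """Render a REGEDIT4 file: [-key] deletes a key, "name"=- deletes a value."""
    lines = ["REGEDIT4", ""]
    for kind, key, name in findings:
        if kind == "key":
            lines.append(f"[-{key}]")
        else:
            lines.extend([f"[{key}]", f'"{name}"=-'])
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    hits = find_safeboot_leftovers(parse_reg_query(SAMPLE_OUTPUT))
    for kind, key, name in hits:
        print(f"{kind}: {key}" + (f" -> {name}" if name else ""))
    print(build_fix_reg(hits))
```

    On a clean XP install the SafeBoot key holds only Minimal and Network subkeys and no Option key, and SAFEBOOT_OPTION only exists in the environment while Windows is actually running in Safe Mode; a persisted Option key or a SAFEBOOT_OPTION value stored under Session Manager\Environment is what this check reports.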
     
