BleepingComputer.com: XP Internet Security 2012 or similar disabled .exe

Hi,

I'm running XP Pro on a machine a friend built for me.

While browsing today Firefox suddenly disappeared and one of the fake anti-malware programs showed up and started running. Couldn't run Malwarebytes, RogueKiller, or DSSKiller. Rebooted into safe mode with networking, and tried various programs to see what worked and what came up in task manager. An unknown program (mvs.exe) kept popping up, so I stopped it via task manager. I searched for this and found it newly installed in Program Files, so shredded it with Window Washer. Couldn't shred the prefetch version, so deleted that and then shredded it in the recycle bin.

Now the rogue program no longer comes up when I try to start anything, but most programs won't run, at least from start. Each time I try, I get an error message stating it can't find firefox.exe, etc. This also happens when I try to run the program's executable from within Program Files. Oddly enough, some personal language and study programs are totally unaffected, also Thunderbird WILL run directly from Start menu. However, if I bring up a document/picture and click on it, it will open and bring up WordPerfect, Word, Excel, Foxit Reader, Photoshop, etc. (but this does not work with audio/video files and WMPlayer). Even firefox will come up if I click on a link embedded in a document/email, but again, I can't access it directly.

Tried downloading firefox from the computer I'm typing on, also mbam, and transferring each to the affected computer. When i try to install either, I get the "can't find .exe" message. Even tried renaming mbam install, but same issue (except it keeps stating that it is "mbam.exe.exe." (that's right, exe.exe, not a typo). Also can't right-click on Properties in My Computer, instead get an error message Windows cannot find 'rundll32.exe'

Should also mention that System Restore isn't functioning, nor is Checkdisk. Also, I don't have an XP CD to use, although I do have a copy of the UNINSTALLED program (XP Pro SP3) on a hard drive, which could be written to a disk with ActiveISOBurner, If I can figure out how to accomplish this (or if someone will instruct me), in order to use it to restore missing DLLs, etc.

Per your instructions, I downloaded Defogger, but it would not run (it’s an .exe file, which is mainly disabled, see above).

Next, I downloaded and successfully ran DDS. DDS log follows, and ATTACH file is attached.

Then, I downloaded GMER but was unable to run it (again, it's an .exe file).

Here's the DDS log:


.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 6.0.2800.1106 BrowserJavaVersion: 1.6.0_22
Run by Owner at 17:05:09 on 2011-12-03
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1918.1574 [GMT -6:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Watchtower\Watchtower Library 2010\E\WTLibrary.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\WordPerfect Office 12\Programs\wpwin12.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll
BHO: iFinger plugin / Browser helper object: {a114d52b-870c-4f15-8021-b6d7f91a054b} - c:\progra~1\ifinger\plugins\IE.ifp
BHO: Foxit PDF Creator Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Foxit PDF Creator Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
EB: iFinger: {0cbd5120-990b-11d3-8abd-00c04fa95ee0} - c:\windows\system32\SHDOCVW.DLL
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DesktopobjARM] rundll32.exe "c:\documents and settings\owner\local settings\application data\rasglmgmt\DesktopobjARM.dll",SystemobjRpl olePadServ
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [RTHDCPL] RTHDCPL.EXE
dRun: [EapMapUsb] rundll32.exe "c:\documents and settings\localservice\local settings\application data\quickuserserv\EapMapUsb.dll",SystemobjIde CvtMapInterval
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\watcht~1.lnk - c:\program files\watchtower\watchtower library 2010\e\WTLibrary.exe
uPolicies-explorer: NoFileAssociate = 0 (0x0)
mPolicies-explorer: NoFileAssociate = 0 (0x0)
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_Print.html
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {936E5D60-596C-11D3-BB96-00600816DF55} - {0CBD5120-990B-11D3-8ABD-00C04FA95EE0} - c:\windows\system32\SHDOCVW.DLL
LSP: mswsock.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1307050131000
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\pboz0262.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z192&form=ZGAADF&install_date=20111027&q=
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\nitro pdf\reader\npdf.dll
FF - plugin: c:\program files\nitro pdf\reader\npnitromozilla.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
S0 kpioc;kpioc;c:\windows\system32\drivers\siqjxd.sys --> c:\windows\system32\drivers\siqjxd.sys [?]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2011-8-20 51984]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2011-8-20 59664]
S0 wfrurqy;wfrurqy;c:\windows\system32\drivers\agjthtvu.sys --> c:\windows\system32\drivers\agjthtvu.sys [?]
S1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2011-6-2 13696]
S2 srvB9C;srvB9C;c:\windows\system32\svchost.exe -k netsvcs [2011-6-2 12800]
S2 ThreatFire;ThreatFire;c:\program files\threatfire\tfservice.exe service --> c:\program files\threatfire\TFService.exe service [?]
S2 wwEngineSvc;Window Washer Engine;c:\program files\webroot\washer\WasherSvc.exe [2011-6-6 598856]
S3 LP;LP;c:\docume~1\owner\locals~1\temp\lp.exe --> c:\docume~1\owner\locals~1\temp\LP.exe [?]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2011-8-20 33552]
S4 NitroReaderDriverReadSpool2;NitroPDFReaderDriverCreatorReadSpool2;c:\program files\nitro pdf\reader\NitroPDFReaderDriverService2.exe [2011-6-21 196912]
.
=============== File Associations ===============
.
.exe=ah
.
=============== Created Last 30 ================
.
2011-11-22 23:31:09 -------- d-----w- c:\documents and settings\owner\application data\Mozal
2011-11-22 23:31:09 -------- d-----w- c:\documents and settings\owner\application data\Ecasgeo
2011-11-21 16:25:29 1409 ----a-w- c:\windows\QTFont.for
2011-11-19 20:06:44 -------- d-----w- c:\documents and settings\all users\application data\CAT
2011-11-19 20:06:12 -------- d-----w- c:\windows\system32\CatRoot2
2011-11-18 21:46:41 33280 ----a-w- c:\windows\system32\esccm.dll
2011-11-18 21:46:41 32256 ----a-w- c:\windows\system32\escwiab.dll
2011-11-18 21:46:41 27648 ----a-w- c:\windows\system32\escimg.dll
2011-11-18 21:13:28 -------- d-----w- C:\EPSONREG
2011-11-14 20:23:08 -------- d-----w- c:\program files\common files\EzTools
2011-11-13 00:28:34 -------- d-----w- c:\documents and settings\owner\application data\Malwarebytes
2011-11-13 00:28:26 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-11-13 00:28:23 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-13 00:28:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-12 19:11:16 -------- d-----w- c:\documents and settings\owner\application data\The Word
2011-11-12 19:11:16 -------- d-----w- c:\documents and settings\all users\application data\The Word
.
==================== Find3M ====================
.
2011-12-03 18:48:49 157056 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-12-01 03:37:05 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-29 15:03:22 131968 ----a-w- c:\windows\system32\drivers\afd.sys
2011-11-23 03:01:43 407552 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-11-12 17:16:52 62464 ----a-w- c:\windows\system32\drivers\serial.sys
2011-10-20 15:16:21 0 ----a-w- c:\windows\system32\svcgost.exe
2011-10-06 23:54:34 0 ----a-w- c:\windows\.exe
2011-10-03 20:27:54 295810 ----a-w- c:\windows\system32\shimg.dll
2011-09-05 05:07:54 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2011-06-06 06:14:32 37044224 ----a-w- c:\program files\e-Sword.msi
.
============= FINISH: 17:05:27.81 ===============

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/430588 <<< CLICK THIS LINK

If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

• If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  
• A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
  
  • Please do this even if you have previously posted logs for us.
    
  • If you were unable to produce the logs originally please try once more.
    
  • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    
  • If you are unsure about any of these characteristics just post what you can and we will guide you.
  
  
• Please tell us if you have your original Windows CD/DVD available.
  
• Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

• Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • DDS.scr
    
  • DDS.pif
  
  
• Double click on the DDS icon, allow it to run.
  
• A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  
• Notepad will open with the results.
  
• Follow the instructions that pop up for posting the results.
  
• Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:



As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

Your instructions were that I should not attempt to get help on other forums, nor attempt to run any programs to repair my problem, as this would cause a problem in your attempts to assist me. I have followed your instructions. Now you ask whether I still need help. Yes, I do. My situation is exactly the same as when I posted the first time:

I am running XP Pro on a machine a friend built for me.

While browsing last Saturday Firefox suddenly disappeared and one of the fake anti-malware programs (XP Internet Security 2012, or similar - I stopped it as soon as it came up, so didn't note the name, but probably this one) showed up and started running. Couldn't run Malwarebytes, RogueKiller, or DSSKiller. Rebooted into safe mode with networking, and tried various programs to see what worked and what came up in task manager. An unknown program (mvs.exe) kept popping up, so I stopped it via task manager. I searched for this and found it newly installed in Program Files, so shredded it with Window Washer. Couldn't shred the prefetch version, so deleted that and shredded everything in recycle bin.

Now it no longer comes up when I try to start anything, but most programs won't run when I attempt to launch them. Each time I get an error message stating it can't find firefox.exe, etc. This also happens when I try to run the program's executable from within Program Files, or as firefox.exe (or other program) using "Run". Oddly enough, Thunderbird will run directly from Start menu. Also, if I bring up a document/picture and click on it, it will open in WordPerfect, Word, Excel, Foxit Reader, Photoshop, etc. (but not WMPlayer). Even firefox will come up if I click on a link embedded in a document/email, but again, I can't access it directly. So the programs are still there, and in the main, functional. Just can't use the standard path to access them. Although Task Manager, which is still operable, still shows each one that runs as "thunderbird.exe", etc.

Tried downloading firefox from the other computer (the one I'm typing on), also mbam, and transferring each to the affected computer. When i try to install either, I get the "can't find .exe" message. Even tried renaming mbam install, but same issue (except it keeps stating that it is "mbam.exe.exe. (yes, .exe.exe is there exactly as I wrote it) Also can't right-click on Properties in My Computer, instead get an error message Windows cannot find 'rundll32.exe'


I do NOT have an original XP Pro cd/dvd, although I have an UNINSTALLED copy of XP Pro SP3 sitting on a hard drive, ready to put onto a cd using ActiveIsoBurner, if someone could guide me through doing so. I do also have valid
XP Pro keys/codes.

Was able to run DDS and create the logs. Couldn't run GMER. as it's an executable, and, as stated above, my machine won't run anything (except Thunderbird?) that has a .exe

Please give me whatever assistance you can.

I've attached the "attach.txt" file.

Here's the new dds.txt:

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2800.1106 BrowserJavaVersion: 1.6.0_22
Run by Owner at 16:34:33 on 2011-12-09
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1918.375 [GMT -6:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\ThreatFire\TFService.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll
BHO: iFinger plugin / Browser helper object: {a114d52b-870c-4f15-8021-b6d7f91a054b} - c:\progra~1\ifinger\plugins\IE.ifp
BHO: Foxit PDF Creator Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Foxit PDF Creator Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
EB: iFinger: {0cbd5120-990b-11d3-8abd-00c04fa95ee0} - c:\windows\system32\SHDOCVW.DLL
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DesktopobjARM] rundll32.exe "c:\documents and settings\owner\local settings\application data\rasglmgmt\DesktopobjARM.dll",SystemobjRpl olePadServ
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil11c_Plugin.exe -update plugin
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [RTHDCPL] RTHDCPL.EXE
dRun: [EapMapUsb] rundll32.exe "c:\documents and settings\localservice\local settings\application data\quickuserserv\EapMapUsb.dll",SystemobjIde CvtMapInterval
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\watcht~1.lnk - c:\program files\watchtower\watchtower library 2010\e\WTLibrary.exe
uPolicies-explorer: NoFileAssociate = 0 (0x0)
mPolicies-explorer: NoFileAssociate = 0 (0x0)
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_Print.html
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {936E5D60-596C-11D3-BB96-00600816DF55} - {0CBD5120-990B-11D3-8ABD-00C04FA95EE0} - c:\windows\system32\SHDOCVW.DLL
LSP: mswsock.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1307050131000
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{E97A7529-3C11-4209-A56E-C5C1B2CC722D} : DhcpNameServer = 192.168.1.254
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\pboz0262.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z192&form=ZGAADF&install_date=20111027&q=
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\nitro pdf\reader\npdf.dll
FF - plugin: c:\program files\nitro pdf\reader\npnitromozilla.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2011-8-20 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2011-8-20 59664]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2011-6-2 13696]
R2 ThreatFire;ThreatFire;c:\program files\threatfire\tfservice.exe service --> c:\program files\threatfire\TFService.exe service [?]
R2 wwEngineSvc;Window Washer Engine;c:\program files\webroot\washer\WasherSvc.exe [2011-6-6 598856]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2011-8-20 33552]
S0 kpioc;kpioc;c:\windows\system32\drivers\siqjxd.sys --> c:\windows\system32\drivers\siqjxd.sys [?]
S0 wfrurqy;wfrurqy;c:\windows\system32\drivers\agjthtvu.sys --> c:\windows\system32\drivers\agjthtvu.sys [?]
S2 srvB9C;srvB9C;c:\windows\system32\svchost.exe -k netsvcs [2011-6-2 12800]
S3 LP;LP;c:\docume~1\owner\locals~1\temp\lp.exe --> c:\docume~1\owner\locals~1\temp\LP.exe [?]
S4 NitroReaderDriverReadSpool2;NitroPDFReaderDriverCreatorReadSpool2;c:\program files\nitro pdf\reader\NitroPDFReaderDriverService2.exe [2011-6-21 196912]
.
=============== File Associations ===============
.
.exe=ah
.
=============== Created Last 30 ================
.
2011-11-22 23:31:09 -------- d-----w- c:\documents and settings\owner\application data\Mozal
2011-11-22 23:31:09 -------- d-----w- c:\documents and settings\owner\application data\Ecasgeo
2011-11-21 16:25:29 1409 ----a-w- c:\windows\QTFont.for
2011-11-19 20:06:44 -------- d-----w- c:\documents and settings\all users\application data\CAT
2011-11-19 20:06:12 -------- d-----w- c:\windows\system32\CatRoot2
2011-11-18 21:46:41 33280 ----a-w- c:\windows\system32\esccm.dll
2011-11-18 21:46:41 32256 ----a-w- c:\windows\system32\escwiab.dll
2011-11-18 21:46:41 27648 ----a-w- c:\windows\system32\escimg.dll
2011-11-18 21:13:28 -------- d-----w- C:\EPSONREG
2011-11-14 20:23:08 -------- d-----w- c:\program files\common files\EzTools
2011-11-13 00:28:34 -------- d-----w- c:\documents and settings\owner\application data\Malwarebytes
2011-11-13 00:28:26 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-11-13 00:28:23 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-13 00:28:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-12 19:11:16 -------- d-----w- c:\documents and settings\owner\application data\The Word
2011-11-12 19:11:16 -------- d-----w- c:\documents and settings\all users\application data\The Word
.
==================== Find3M ====================
.
2011-12-03 18:48:49 157056 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-12-01 03:37:05 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-29 15:03:22 131968 ----a-w- c:\windows\system32\drivers\afd.sys
2011-11-23 03:01:43 407552 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-11-12 17:16:52 62464 ----a-w- c:\windows\system32\drivers\serial.sys
2011-10-20 15:16:21 0 ----a-w- c:\windows\system32\svcgost.exe
2011-10-06 23:54:34 0 ----a-w- c:\windows\.exe
2011-10-03 20:27:54 295810 ----a-w- c:\windows\system32\shimg.dll
2011-06-06 06:14:32 37044224 ----a-w- c:\program files\e-Sword.msi
.
============= FINISH: 16:36:48.37 ===============

Hi,

BitTorrent

Above listed ones are P2P file sharing programs. P2P downloads are nowadays one of those things that most likely bring infection into the system. My recommendation is to uninstall these (and other if present) P2P file sharing programs.



Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.


Please continue as follows:

• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
  Remember to re-enable them afterwards.
  
  
  
• Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.