Active Desktop Recovery Script Error

Here is the DDS Attach.

Your MBA-M program is way, way out of date. Current database version is 5060, yours is listed as 4052. Please update the program and run a new Full Scan. Have it remove all items found, Reboot the computer and then come back here and post that new log.
Judy

Turns out there were a quite a few viruses left unfound.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5063

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

7/11/2010 9:56:44 AM
mbam-log-2010-11-07 (09-56-44).txt

Scan type: Full scan (C:\|)
Objects scanned: 198743
Time elapsed: 1 hour(s), 12 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\wnxmal (Rogue.SecuritySuite) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xrsonrvh (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xrsonrvh (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bar (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Michi\Local Settings\Application Data\osdkofqoj\yeweexxshdw.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michi\Application Data\8E6ED150F29ADB7C0DE18704A486C61E\secureapp70700.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michi\Application Data\8E6ED150F29ADB7C0DE18704A486C61E\upd_debug.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michi\Local Settings\Temp\ukdoi.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michi\Local Settings\Temp\umqkpf.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dllcache\winlogon.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michi\Local Settings\Application Data\Windows Server\admin.txt (Malware.Trace) -> Quarantined and deleted successfully.

"Turns out there were a quite a few viruses left unfound."

That's because your MBA-M program was so far out of date. Now please do the following:

Please Run the ESET Online Scanner

http://www.eset.com/onlinescan/scanner.php?i_agree=14
* You will need to allow an Active X to be installed.
* You will need to temporarily Disable your current Anti-virus program.
* Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is Checked.
* When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt.
Be sure to REBOOT the computer after running the scan. Post back here with that log.

Sorry, I disabled my anti-virus but I can't install the scanner. It says "Can not get update. Is proxy configured?"

Do you have a proxy configured?

I'm not sure. My firefox has been set to 'automatic proxy configuration url'.

Change that to No Proxy

I did that but it just comes up with the same message.

Try this one:
http://housecall.trendmicro.com/

It failed again. I got this message: Unable to complete the download. Please ensure you have Internet connection and please try again. My internet is working fine though.

Ok, see if you can do this:
Note to others reading this thread, these instructions are for THIS computer ONLY. This tool is NEVER to be used unless first instructed to do so by a helper.

Unless you have access to another computer during the program run please print out these instructions for reference as you will not be able to refer to them while this program is running.

Please download ComboFix by sUBs from

http://www.bleepingcomputer.com/download/anti-virus/combofix

Please note that the BleepingComputer.com download link will expire in 10 minutes after you click it so if you don’t click within ten minutes after reaching the page you will need to refresh the page.

• You must download it to and run it from your Desktop

• Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
• Double click combofix.exe & follow the prompts.
• When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
• Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!

I ran CF and left it alone to do its job. Came back 20 minutes later and my comp had restarted itself. So I guess it was unable to create a log. But as per your instructions, I only ran it once.

HJT Log

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:53:15 PM, on 7/11/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17080)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\PLFSetL.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\DOCUME~1\Michi\LOCALS~1\Temp\RtkBtMnt.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Michi\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0309&m=aoa150
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0309&m=aoa150
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0309&m=aoa150
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0309&m=aoa150
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6522
O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\Audio\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [PLFSetL] C:\WINDOWS\PLFSetL.exe
O4 - HKLM\..\Run: [Wgoremero] rundll32.exe "C:\WINDOWS\ukecaxozabocu.dll",Startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Qdisitu] rundll32.exe "C:\WINDOWS\wsentlig.dll",Startup
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: PEVSystemStart - Unknown owner - C:\ComboFix\PEV.cfxxe
O23 - Service: SeaPort - Unknown owner - C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (file missing)

--
End of file - 8677 bytes

Oh also it had frozen on the blue welcome screen. I had to force restart it. But it did come up with the black screen and the two options from the installation of CF as it loaded.

Log should be located here; C:\ComboFix.txt.

When I click on C:\, there is a file titled ComboFix. It is not a text file. The ComboFix icon looks like the My Computer icon except with a tower case and when I try to click on it, it actually takes me to the My Computer folder.

Clean out your temp files, fill out as much personal info as you feel necessary at this link and follow the directions here. You have obviously have something very different on there.

http://www.sophos.com/products/free-...i-rootkit.html

* Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
* Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
* A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now".
* Click Yes and allow the driver and its randomly named .tmp file (i.e. F.tmp) to load if asked.
* If the scan did not start automatically, make sure the following are checked:
o Running processes
o Windows Registry
o Local Hard Drives
* Click Start scan.
* Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
* When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
* Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
o Files tagged as Removable: No are not marked for removal and cannot be removed.
o Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
o Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
* Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
* A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
* After reboot, a dialog box displays the files you selected for removal and the action taken.
* Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
* When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
* This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\<username>\Local Settings\Temp\.
__________________

Sorry but the link goes to a page that can't be found.

Sorry about that. Try this one;

http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html

I used ATFCleaner because I thought it would get rid of everything and ran the Sophos AntiRootkit.

Sophos Anti-Rootkit Version 1.5.4 (c) 2009 Sophos Plc
Started logging on 8/11/2010 at 9:01:40 AM
User "Michi" on computer "RIO"
Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x300 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\I386\AUTOFMT.EXE
Hidden: file C:\Documents and Settings\Michi\Local Settings\Application Data\Mozilla\Firefox\Profiles\yqtxvy5w.default\Cache\0A275C5Dd01
Hidden: file C:\Documents and Settings\Michi\Local Settings\Application Data\Mozilla\Firefox\Profiles\yqtxvy5w.default\Cache\C74DD863d01
Hidden: file C:\Documents and Settings\Michi\Local Settings\Application Data\Mozilla\Firefox\Profiles\yqtxvy5w.default\Cache\937978FAd01
Hidden: file C:\Documents and Settings\Michi\Local Settings\Application Data\Mozilla\Firefox\Profiles\yqtxvy5w.default\Cache\B8AA37EFd01
Hidden: file C:\Documents and Settings\Michi\Local Settings\Application Data\Mozilla\Firefox\Profiles\yqtxvy5w.default\Cache\2CB8D629d01
Hidden: file C:\Documents and Settings\Michi\Local Settings\Application Data\Mozilla\Firefox\Profiles\yqtxvy5w.default\Cache\E2594051d01
Hidden: file C:\Documents and Settings\Michi\Local Settings\Application Data\Mozilla\Firefox\Profiles\yqtxvy5w.default\Cache\773901D6d01
Hidden: file C:\Documents and Settings\Michi\Local Settings\Application Data\Mozilla\Firefox\Profiles\yqtxvy5w.default\Cache\537034BAd01
Hidden: file C:\Documents and Settings\Michi\Local Settings\Application Data\Mozilla\Firefox\Profiles\yqtxvy5w.default\Cache\91FD8655d01
Hidden: file C:\Documents and Settings\Michi\Local Settings\Application Data\Mozilla\Firefox\Profiles\yqtxvy5w.default\Cache\6F37B64Ed01
Hidden: file C:\Documents and Settings\Michi\Local Settings\Application Data\Mozilla\Firefox\Profiles\yqtxvy5w.default\Cache\63F3AA01d01
Stopped logging on 8/11/2010 at 9:21:44 AM

Sophos Anti-Rootkit Version 1.5.4 (c) 2009 Sophos Plc
Started logging on 8/11/2010 at 9:24:22 AM
User "Michi" on computer "RIO"
Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x300 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Info: Starting disk scan of C: (NTFS).
Stopped logging on 8/11/2010 at 9:42:56 AM

None of the items were recommended to be removed. I deleted all the stuff(Cookies, cache etc) on Firefox. And ran AntiRootkit again. This time no items were found.

This all is quite strange really. Check your Internet Options in the control panel. Go to the Connections Tab, click the LAN button and make sure there are NO check marks in there under Proxy Server and try ESET once more.

After I ran ESETscanner, it did find several viruses. I rebooted my laptop and came back only to find it just keep resetting itself. It loads fine until it goes to the blue screen of death. It doesn't even get to the Windows welcome screen before it dies. It may have deleted some really vital files. I think I might have to send it in to get fixed or just bin it. :(

@JHolland1964 - Thank you anyway for your patience and advice.

Well all I can say is I'm sorry. Wish the results had been better.