speednutt asked:
Microsoft.WindowsSecurityCenter_disabled Problem virus

Hello all, I am cleaning viruses from a machine and Spybot keeps coming up and removing the virus - Microsoft.WindowsSecurityCenter_disabled Problem virus. I have restarted the Security Center service but within 30 seconds it is back off again.

I have run Malwarebytes, Spybot, TDSSKiller, and a host of other programs to no avail.

I have updated my Java and removed all older versions as well.

I was running Microsoft Security Essentials; however, this virus disabled it and I am not able to open, update or scan with Security Essentials now.

After checking all over the web for an instance that seemed to fit my application, I can't find anything, so here I am asking for help.
ASKER CERTIFIED SOLUTION
originalbiffmalibu:
Did you run the scans in safe mode?
SOLUTION
Thomas Zucker-Scharff:
You also might have a rootkit.  Scan for rootkits using one of the tools reviewed in this article:

https://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/A_2245-Anti-rootkit-software.html

You should scan with at least 3 anti-rootkit tools - they all detect differently. If you find and clean something, be sure to scan again with a regular anti-malware app.
speednutt (ASKER):
OK, I ran ComboFix and this is the report. I still am unable to run the Security Center.

ComboFix 11-01-25.05 - Administrator 01/26/2011  15:13:06.1.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1015.647 [GMT -6:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\install
c:\documents and settings\Administrator\Application Data\install_pal
c:\documents and settings\Administrator\Application Data\PriceGong
c:\documents and settings\Administrator\Application Data\PriceGong\Data\1.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\a.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\b.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\c.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\d.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\e.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\f.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\g.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\h.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\i.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\J.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\k.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\l.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\m.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\n.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\o.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\p.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\q.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\r.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\s.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\t.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\u.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\v.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\w.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\x.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\y.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\z.xml
c:\documents and settings\Administrator\Application Data\uid_pal
c:\windows\system32\drivers\etc\lmhosts
c:\windows\system32\User.ini
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_SSHNAS
-------\Service_6to4


(((((((((((((((((((((((((   Files Created from 2010-12-26 to 2011-01-26  )))))))))))))))))))))))))))))))
.

2011-01-26 19:14 . 2011-01-26 19:14      --------      d-----w-      C:\TDSSKiller_Quarantine
2011-01-26 18:53 . 2011-01-26 18:53      --------      d-----w-      c:\program files\Common Files\Java
2011-01-26 18:53 . 2010-11-13 00:53      472808      ----a-w-      c:\windows\system32\deployJava1.dll
2011-01-26 18:49 . 2010-12-23 01:45      2336384      ----a-w-      c:\windows\system32\BootMan.exe
2011-01-26 18:49 . 2010-07-15 14:44      86408      ----a-w-      c:\windows\system32\setupempdrv03.exe
2011-01-26 18:49 . 2010-07-15 14:44      8456      ----a-w-      c:\windows\system32\EuGdiDrv.sys
2011-01-26 18:49 . 2010-07-15 14:44      13192      ----a-w-      c:\windows\system32\epmntdrv.sys
2011-01-26 18:49 . 2010-07-15 14:44      14848      ----a-w-      c:\windows\system32\EuEpmGdi.dll
2011-01-26 18:41 . 2011-01-26 18:49      --------      d-----w-      c:\program files\EASEUS
2011-01-26 18:28 . 2008-04-14 01:11      21504      -c--a-w-      c:\windows\system32\dllcache\hidserv.dll
2011-01-26 18:28 . 2008-04-14 01:11      21504      ----a-w-      c:\windows\system32\hidserv.dll
2011-01-26 18:28 . 2008-04-13 19:39      14592      -c--a-w-      c:\windows\system32\dllcache\kbdhid.sys
2011-01-26 18:28 . 2008-04-13 19:39      14592      ----a-w-      c:\windows\system32\drivers\kbdhid.sys
2011-01-26 18:28 . 2008-04-13 19:45      32128      -c--a-w-      c:\windows\system32\dllcache\usbccgp.sys
2011-01-26 18:28 . 2008-04-13 19:45      32128      ----a-w-      c:\windows\system32\drivers\usbccgp.sys
2011-01-25 02:38 . 2010-06-16 14:59      5588304      ----a-w-      c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{07E9068C-999A-4B16-BE22-E7553328509D}\mpengine.dll
2011-01-25 02:35 . 2011-01-25 02:35      --------      d--h--w-      c:\windows\system32\GroupPolicy
2011-01-25 02:14 . 2011-01-25 02:14      --------      d-----w-      c:\windows\TempFEF64CCA-7CD1-DB4B-53AC-309D31BC8067-Signatures
2011-01-25 02:12 . 2011-01-25 02:41      --------      d-----w-      C:\de0d2a4396998aa3183a61fd35f4f9
2011-01-24 23:02 . 2011-01-24 23:02      79360      --sha-r-      c:\windows\system32\smime3N.dll
2011-01-24 22:53 . 2011-01-24 22:57      --------      d-----w-      c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-01-20 22:57 . 2011-01-20 22:57      --------      d-----w-      c:\windows\system32\%APPDATA%
2011-01-20 19:19 . 2011-01-20 19:19      --------      d-sh--w-      c:\windows\system32\config\systemprofile\IETldCache
2011-01-20 19:19 . 2011-01-20 19:19      18297      ----a-w-      c:\windows\system32\MAI4.tmp
2011-01-20 19:17 . 2011-01-20 19:20      --------      d-----w-      c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-01-20 19:00 . 2011-01-20 19:00      --------      d-----w-      C:\Temp
2011-01-15 14:23 . 2011-01-15 14:57      --------      d-----w-      c:\documents and settings\Administrator\.SSRB2

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-21 00:09 . 2010-10-24 01:46      38224      ----a-w-      c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-21 00:08 . 2010-10-24 01:46      20952      ----a-w-      c:\windows\system32\drivers\mbam.sys
2010-12-13 19:01 . 2010-06-02 00:00      53632      ----a-w-      c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2010-12-13 19:01 . 2010-06-02 00:00      83360      ----a-w-      c:\windows\system32\LMIRfsClientNP.dll
2010-12-13 19:01 . 2010-06-02 00:00      29568      ----a-w-      c:\windows\system32\LMIport.dll
2010-12-13 19:01 . 2010-06-02 00:00      87424      ----a-w-      c:\windows\system32\LMIinit.dll
2010-11-18 18:12 . 2008-04-06 03:16      81920      ----a-w-      c:\windows\system32\isign32.dll
2010-11-12 22:34 . 2008-04-07 15:52      73728      ----a-w-      c:\windows\system32\javacpl.cpl
2010-11-10 04:33 . 2010-06-22 22:00      6273872      ----a-w-      c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2010-11-09 14:52 . 2004-08-04 12:00      249856      ----a-w-      c:\windows\system32\odbc32.dll
2010-11-06 00:26 . 2004-08-04 12:00      916480      ----a-w-      c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2004-08-04 12:00      43520      ------w-      c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2004-08-04 12:00      1469440      ------w-      c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2004-08-04 12:00      385024      ----a-w-      c:\windows\system32\html.iec
2010-11-02 15:17 . 2004-08-04 12:00      40960      ----a-w-      c:\windows\system32\drivers\ndproxy.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
2010-08-13 00:46      194912      ------w-      c:\program files\Yontoo Layers Client\YontooIEClient.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-21 963976]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"oddc"="c:\windows\system32\smime3N.dll" [2011-01-24 79360]

c:\documents and settings\admin\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-8-17 393216]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Brock Hot Key.exe.lnk - c:\program files\Brock Supply Co\Brock Hotkey\Brock Hot Key.exe [2008-1-17 327680]
Car-Part.com Trading Partner Software.lnk - c:\car-part\CPKeySrv.exe [2009-9-21 446976]
Service Manager.lnk - c:\program files\MICROSOFT SQL SERVER\80\TOOLS\BINN\sqlmangr.exe [2005-5-3 81920]
UPS WorldShip Messaging Utility.lnk - c:\ups\WSTD\WSTDMessaging.exe [2009-12-1 393216]
UPS WorldShip PLD Reminder Utility.lnk - c:\ups\WSTD\wstdPldReminder.exe [2009-12-1 40960]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-12-13 19:01      87424      ----a-w-      c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^OpenOffice.org 2.3.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk
backup=c:\windows\pss\OpenOffice.org 2.3.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Seagull Drivers]
ssdal_nc.exe startup [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-24 09:15      40368      ----a-w-      c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpbdfawep]
2007-04-25 19:28      954368      ----a-w-      c:\program files\HP\Dfawep\bin\hpbdfawep.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NA1Messenger]
2009-12-02 02:36      24576      ----a-w-      c:\ups\WSTD\UPSNA1Msgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPPOLL]
2005-03-02 22:12      24576      ----a-w-      c:\program files\Topro\tppoll.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6160:TCP"= 6160:TCP:Seagull Driver Networking

R2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [1/15/2008 9:28 AM 204800]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [10/13/2010 11:29 AM 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 11:41 AM 12856]
R2 MSSQL$UPSWSDBSERVER;MSSQL$UPSWSDBSERVER;c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe -sUPSWSDBSERVER --> c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe -sUPSWSDBSERVER [?]
S3 DCamUSBIntel;Digi-Microscope;c:\windows\system32\drivers\TP6800.sys [4/8/2008 9:36 AM 211680]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [1/26/2011 12:49 PM 13192]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [1/26/2011 12:49 PM 8456]
S3 SQLAgent$UPSWSDBSERVER;SQLAgent$UPSWSDBSERVER;c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlagent.EXE -i UPSWSDBSERVER --> c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlagent.EXE -i UPSWSDBSERVER [?]
.
Contents of the 'Scheduled Tasks' folder

2011-01-26 c:\windows\Tasks\User_Feed_Synchronization-{67A22DCE-2AE1-42B8-80D0-FCC1A2018453}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 10:31]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
DPF: {7876E4A5-78B7-4020-B08F-C960A1ED54C9} - hxxp://69.21.158.138/WinWebPush.cab
DPF: {97BB6657-DC7F-4489-9067-51FAB9D8857E} - hxxp://cflive.audatex.us/cf1live/static/weblaunch/weblaunch2.cab
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
MSConfigStartUp-Adobe Updater - c:\windows\system32\AdbUpdater.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-26 15:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0a,fc,65,15,a2,f7,dc,49,9d,71,86,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0a,fc,65,15,a2,f7,dc,49,9d,71,86,\

[HKEY_USERS\S-1-5-21-1659004503-1409082233-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e2,b7,62,e4,ee,54,13,45,9a,0a,49,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d2,3f,e9,54,1a,5e,bd,47,96,85,8f,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e2,b7,62,e4,ee,54,13,45,9a,0a,49,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e2,b7,62,e4,ee,54,13,45,9a,0a,49,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e2,b7,62,e4,ee,54,13,45,9a,0a,49,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(640)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'explorer.exe'(2448)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\windows\system32\java.exe
c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe
c:\windows\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2011-01-26  15:24:16 - machine was rebooted
ComboFix-quarantined-files.txt  2011-01-26 21:24

Pre-Run: 67,614,236,672 bytes free
Post-Run: 67,736,350,720 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
[spybotsd]
timeout.old=30

- - End Of File - - CD0A6BE910B4ABB2A98294C2753210DA


Hope this helps, and thanks.
Also, I just tried to reinstall Security Essentials and after it tries to install it gives error code: 0x80070643 (not a BSOD code).

Thanks
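To show how the persistence points this thread turns on can be pulled out of a ComboFix log of the layout posted above (the Security Center DisableMonitoring value, an autostart under policies\explorer\Run, a new file carrying system and hidden attributes, a cluster of At*.job tasks), here is an added Python triage parser. It is not a tool from this thread or from ComboFix; the sample log is constructed from lines of the log above, and the regexes assume the column layout shown there.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the ComboFix log posted above, kept in the
# original column layout so the regexes below are exercised against real spacing.
SAMPLE_LOG = r"""
(((((((((((   Other Deletions   )))))))))))
c:\windows\Tasks\At1.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At47.job

(((((((((((   Files Created from 2010-12-26 to 2011-01-26  )))))))))))
2011-01-26 18:53 . 2010-11-13 00:53      472808      ----a-w-      c:\windows\system32\deployJava1.dll
2011-01-24 23:02 . 2011-01-24 23:02      79360      --sha-r-      c:\windows\system32\smime3N.dll
2011-01-20 22:57 . 2011-01-20 22:57      --------      d-----w-      c:\windows\system32\%APPDATA%

(((((((((((   Reg Loading Points   )))))))))))
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"oddc"="c:\windows\system32\smime3N.dll" [2011-01-24 79360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
"""

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")                 # '(((  Name  )))' banner
KEY_RE = re.compile(r"^\[(.+)\]$")                               # [HKEY_...] key header
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>[^"]*)"')   # "name"="data" [meta]
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}"
                     r"\s+(?P<size>\S+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+)$")
AT_JOB_RE = re.compile(r"\\tasks\\at\d+\.job$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    category: str
    detail: str


def split_sections(text):
    """Group log lines under the banner heading that precedes them."""
    sections, current = {"preamble": []}, "preamble"
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        else:
            sections.setdefault(current, []).append(line.rstrip())
    return sections


def section(sections, prefix):
    """First section whose banner starts with prefix ('Files Created from ...' varies)."""
    return next((lines for name, lines in sections.items() if name.startswith(prefix)), [])


def analyze(text):
    """Return Findings for the persistence points discussed in the thread."""
    sections = split_sections(text)
    findings = []

    # Registry autostarts and the Security Center monitoring switch
    current_key = ""
    for line in section(sections, "Reg Loading Points"):
        if m := KEY_RE.match(line):
            current_key = m.group(1)
            continue
        key_lc = current_key.lower()
        if (m := DWORD_RE.match(line)) and "security center" in key_lc \
                and m.group("name") == "DisableMonitoring" and int(m.group("hex"), 16) == 1:
            findings.append(Finding("security_center_disabled", current_key))
        elif (m := VALUE_RE.match(line)) and key_lc.endswith("\\run"):
            entry = f'{m.group("name")} -> {m.group("data")}'
            if "policies\\explorer\\run" in key_lc:   # where the thread's smime3N.dll sits
                findings.append(Finding("policies_run_autostart", entry))
            if m.group("data").lower().endswith(".dll"):   # Run values normally name an .exe
                findings.append(Finding("dll_autostart", entry))

    # New files with both system and hidden attributes, or an unexpanded %VAR% in the path
    for line in section(sections, "Files Created"):
        if not (m := FILE_RE.match(line)):
            continue
        attrs, path = m.group("attrs"), m.group("path")
        if "s" in attrs and "h" in attrs and not attrs.startswith("d"):
            findings.append(Finding("hidden_system_file", path))
        if "%" in path:
            findings.append(Finding("unexpanded_env_path", path))

    # A cluster of At<n>.job tasks in the deletions list
    at_jobs = [l for l in section(sections, "Other Deletions") if AT_JOB_RE.search(l)]
    if len(at_jobs) >= 3:
        findings.append(Finding("at_job_cluster", f"{len(at_jobs)} At*.job tasks removed"))
    return findings


if __name__ == "__main__":
    print(*analyze(SAMPLE_LOG), sep="\n")
```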
Looks like the rootkit is still there.  Try a scan with Unhackme:

http://www.greatis.com/unhackme/download.htm

Download and install the trial version. Click on "Check me now!" - if it says no Trojan is found, click OK, then select "Test Windows boot process". Agree to the reboot. The PC will reboot.
The program will now load and run before your desktop loads. Then it will say "You have a number of suspicious programs." Click on "Fix Programs".
It will set a restore point, then give you a list of boot processes. For each one, you can select "Get it out!", "False positive" or "I'm not sure...", which gives you a report on how bad/good the program may be.
I usually terminate anything assessed to be over 30% "bad".
The app will then need to reboot.
Once the PC is clean, you should uninstall Unhackme - it is a very intrusive program.

And if none of that works a fresh install is always a good route ;)
I have tried the Microsoft Fix it tool. No luck. I tried the scan with Unhackme and it didn't come up with anything dangerous. All the files I looked at are my normal program files.

I am about ready to do a complete reinstall, but this computer is for a business and that is only an absolute last resort, as there are lots of files that would take days to redo.

Any other suggestions?? I am all ears.

Let's hear some thoughts on doing a repair install of Windows. Do you think that could solve it?

I know, I am grasping at straws.

Thanks for all the suggestions thus far.
SOLUTION
IMHO an attempt to repair install is unlikely to improve the situation, but others may not agree. I appreciate a reformat is your last resort.

Another possible option is to select "Request Attention" at the top right of this thread, and request that this question is also entered in the HijackThis TA, where hopefully rpggamergirl (if she's around) can expertly analyse your ComboFix log and provide a small script for a ComboFix re-run.
Speaking of which, have a look under the sub-heading "Scan for rootkits" in one of her articles & you'll see Gmer and RootRepeal; they're worth trying >>

https://www.experts-exchange.com/Software/Internet_Email/Anti-Virus/A_1979-THINGS-YOU-NEED-TO-DO-WHEN-YOUR-PC-IS-INFECTED.html
OK all, I have done all of the recommendations as listed. I am still fighting it. I know it can be fixed, as when I run RKill at least I am able to start and update Security Essentials. However, it is right back after a restart. I tried to run all available scans to find the culprit after the RKill as well.

I have also cloned the drive now. I am willing to do some riskier tricks to get this thing cured, as I know I have a backup if I get carried away.

Thanks for all the suggestions thus far.

>>willing to do some riskier tricks<<

Okay, well, I have recognised two nasties at least in the ComboFix log. I will compose a script & get back to you within the hour hopefully.
Some malware is so much of a moving target that no anti-malware can fix it. Even the best anti-virus only catches about 95%. Yours may be that 5%. There's probably some undetected part of the malware that is re-installing the rest of the malware, so even if you clean it, it'll come back.

Understand that an in-place reinstall won't remedy the issue, because by its very nature an in-place reinstall retains the user settings AND all the programs that have been added to the OS; it only replaces the OS files themselves.

You might try under Safe Mode to use System Restore to put the system back to the way it was up to 30 days ago, IF whenever that was is before this infestation hooked itself into the OS/registry. But there's still a risk that some other portion will re-add itself. No firewall will stop it, because it is not an intrusion initiated from outside; it is inside reaching out to get it.

You probably have to build a new box/hard drive, and then migrate the user's documents, purchased downloads, photos, and the often forgotten: favorites, email local storage, address book (some email, hotmail gmail yahoo or exchange server, is kept on the server anyway). Make an inventory list of all the programs that need to be put on; maybe they don't all have to go on today necessarily. Keep the old drive on a shelf so that, in case something was forgotten, it can be obtained.

You've likely now exceeded the time required to rebuild by trying to fix it, and you've already made a more than very thorough attempt. I know it seems like you've almost got it, but you may be stuck at "almost" forever.

Besides, the risk to the rest of the machines on the enterprise side of the firewall is too great.
If you're still willing to run a script, here we are. I have included the appropriate instructions:


1. Open Notepad.
2. Copy & paste all text between the lines below, into Notepad window:
======================================================

File::
c:\windows\system32\EuEpmGdi.dll
c:\windows\system32\EuGdiDrv.sys
c:\windows\system32\epmntdrv.sys

Folder::
c:\windows\system32\EuGdiDrv.sys
c:\windows\system32\epmntdrv.sys


==================================================
3. Now Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt just created into ComboFix.exe. This will re-start ComboFix & hopefully remove the problem.

Then, quickly re-run HitmanPro or Malwarebytes, the aim being to remove any remaining Malware fragments, *before* you reboot the computer again.

5. Finally, please attach the new ComboFix logfile.

Worth a try I believe, & good luck.
My last comment was obviously done in a hurry, & it may not catch everything; worth trying nevertheless!
May I suggest you run 2 or 3 of the best scanners you were given earlier, *before* you re-boot or re-start.

These last comments are with great respect for the last posting by ocanada_tec…, which I agree does sound logical if there's a serious time constraint.
A new version of the script will be with you in 5 minutes.
1. Open Notepad.
2. Copy & paste all text between the lines below, into Notepad window:
======================================================

File::
c:\windows\system32\EuEpmGdi.dll
c:\windows\system32\EuGdiDrv.sys
c:\windows\system32\epmntdrv.sys

Folder::
c:\windows\system32\EuGdiDrv.sys
c:\windows\system32\epmntdrv.sys

Drivers::
\Legacy_6TO4
\Legacy_SSHNAS
\Service_6to4

Services::
\Legacy_6TO4
\Legacy_SSHNAS
\Service_6to4


==================================================
3. Now Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt just created into ComboFix.exe. This will re-start ComboFix & hopefully remove the problem.

Then, quickly re-run HitmanPro or Malwarebytes, the aim being to remove any remaining Malware fragments, *before* you reboot the computer again.

5. Finally, please attach the new ComboFix logfile.
OK, I will run the script. Be back with results shortly.
OK, here is the report after running the script. Unfortunately still the same result. I have to run RKill to get Security Essentials to start up and run.

ComboFix 11-01-27.01 - testing 01/27/2011  14:42:00.2.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1015.685 [GMT -6:00]
Running from: c:\documents and settings\testing\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\testing\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

FILE ::
"c:\windows\system32\epmntdrv.sys"
"c:\windows\system32\EuEpmGdi.dll"
"c:\windows\system32\EuGdiDrv.sys"
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\epmntdrv.sys
c:\windows\system32\EuEpmGdi.dll
c:\windows\system32\EuGdiDrv.sys

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_epmntdrv
-------\Legacy_EuGdiDrv
-------\Service_epmntdrv
-------\Service_EuGdiDrv


2011-01-27 20:13 . 2008-04-13 19:41      26112      -c--a-w-      c:\windows\system32\dllcache\memstpci.sys
2011-01-27 20:13 . 2001-08-18 04:36      47616      -c--a-w-      c:\windows\system32\dllcache\memgrp.dll
2011-01-27 20:13 . 2001-08-17 19:58      8320      -c--a-w-      c:\windows\system32\dllcache\memcard.sys
2011-01-27 20:13 . 2001-08-17 18:12      164586      -c--a-w-      c:\windows\system32\dllcache\mdgndis5.sys
2011-01-27 20:11 . 2001-08-17 18:12      19016      -c--a-w-      c:\windows\system32\dllcache\ktc111.sys
2011-01-27 20:11 . 2001-08-18 04:36      37376      -c--a-w-      c:\windows\system32\dllcache\kousd.dll
2011-01-27 20:11 . 2008-04-14 01:11      253952      -c--a-w-      c:\windows\system32\dllcache\kdsusd.dll
2011-01-27 20:11 . 2008-04-14 01:11      48640      -c--a-w-      c:\windows\system32\dllcache\kdsui.dll
2011-01-27 20:11 . 2001-08-17 19:49      26624      -c--a-w-      c:\windows\system32\dllcache\irstusb.sys
2011-01-27 20:11 . 2001-08-17 19:51      18688      -c--a-w-      c:\windows\system32\dllcache\irsir.sys
2011-01-27 20:11 . 2008-04-14 01:11      28160      -c--a-w-      c:\windows\system32\dllcache\irmon.dll
2011-01-27 20:11 . 2001-08-17 19:49      23552      -c--a-w-      c:\windows\system32\dllcache\irmk7.sys
2011-01-27 20:11 . 2008-04-14 01:12      151552      -c--a-w-      c:\windows\system32\dllcache\irftp.exe
2011-01-27 20:11 . 2008-04-13 19:54      88192      -c--a-w-      c:\windows\system32\dllcache\irda.sys
2011-01-27 20:11 . 2001-08-17 18:12      45632      -c--a-w-      c:\windows\system32\dllcache\ip5515.sys
2011-01-27 20:10 . 2001-08-18 04:36      90200      -c--a-w-      c:\windows\system32\dllcache\io8ports.dll
2011-01-27 20:10 . 2001-08-17 19:50      38784      -c--a-w-      c:\windows\system32\dllcache\io8.sys
2011-01-27 20:10 . 2001-08-17 19:47      13056      -c--a-w-      c:\windows\system32\dllcache\inport.sys
2011-01-27 20:10 . 2001-08-17 19:52      16000      -c--a-w-      c:\windows\system32\dllcache\ini910u.sys
2011-01-27 20:10 . 2001-08-18 04:36      372824      -c--a-w-      c:\windows\system32\dllcache\iconf32.dll
2011-01-27 20:10 . 2001-08-17 20:06      100992      -c--a-w-      c:\windows\system32\dllcache\icam5usb.sys
2011-01-27 20:10 . 2001-08-18 04:36      20480      -c--a-w-      c:\windows\system32\dllcache\icam5ext.dll
2011-01-27 20:10 . 2001-08-18 04:36      45056      -c--a-w-      c:\windows\system32\dllcache\icam5com.dll
2011-01-27 20:10 . 2001-08-17 20:06      154496      -c--a-w-      c:\windows\system32\dllcache\icam4usb.sys
2011-01-27 20:08 . 2001-08-17 19:28      488383      -c--a-w-      c:\windows\system32\dllcache\hsf_v124.sys
2011-01-27 20:07 . 2001-08-18 04:36      126976      -c--a-w-      c:\windows\system32\dllcache\hpgt34tk.dll
2011-01-27 20:06 . 2001-08-18 04:36      92160      -c--a-w-      c:\windows\system32\dllcache\fuusd.dll
2011-01-27 20:05 . 2004-08-04 04:32      137088      -c--a-w-      c:\windows\system32\dllcache\essm2e.sys
2011-01-27 20:04 . 2001-08-17 18:12      19594      -c--a-w-      c:\windows\system32\dllcache\e100isa4.sys
2011-01-27 20:03 . 2001-08-18 04:36      419357      -c--a-w-      c:\windows\system32\dllcache\dgconfig.dll
2011-01-27 20:02 . 2008-04-13 19:36      10240      -c--a-w-      c:\windows\system32\dllcache\compbatt.sys
2011-01-27 20:01 . 2001-08-17 19:51      13824      -c--a-w-      c:\windows\system32\dllcache\bulltlp3.sys
2011-01-27 20:00 . 2001-08-17 18:49      26624      -c--a-w-      c:\windows\system32\dllcache\ativxbar.sys
2011-01-27 19:59 . 2001-08-17 20:56      66048      -c--a-w-      c:\windows\system32\dllcache\s3legacy.dll
2011-01-27 17:59 . 2011-01-13 07:41      5890896      ----a-w-      c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C0B4DEB8-89B1-40AF-972B-CE30B7299DA7}\mpengine.dll
2011-01-27 02:27 . 2011-01-27 02:27      2      --shatr-      c:\windows\winstart.bat
2011-01-27 02:27 . 2011-01-27 02:35      --------      d-----w-      c:\program files\UnHackMe
2011-01-27 02:21 . 2011-01-27 02:22      --------      d-----w-      c:\documents and settings\testing
2011-01-27 02:17 . 2011-01-27 02:18      --------      d-----w-      c:\program files\Microsoft Security Client
2011-01-26 21:40 . 2011-01-26 21:40      --------      d-----w-      c:\program files\Sophos
2011-01-26 18:53 . 2011-01-26 18:53      --------      d-----w-      c:\program files\Common Files\Java
2011-01-26 18:53 . 2010-11-13 00:53      472808      ----a-w-      c:\windows\system32\deployJava1.dll
2011-01-26 18:49 . 2010-12-23 01:45      2336384      ----a-w-      c:\windows\system32\BootMan.exe
2011-01-26 18:49 . 2010-07-15 14:44      86408      ----a-w-      c:\windows\system32\setupempdrv03.exe
2011-01-26 18:41 . 2011-01-26 18:49      --------      d-----w-      c:\program files\EASEUS
2011-01-26 18:28 . 2008-04-14 01:11      21504      -c--a-w-      c:\windows\system32\dllcache\hidserv.dll
2011-01-26 18:28 . 2008-04-14 01:11      21504      ----a-w-      c:\windows\system32\hidserv.dll
2011-01-26 18:28 . 2008-04-13 19:39      14592      -c--a-w-      c:\windows\system32\dllcache\kbdhid.sys
2011-01-26 18:28 . 2008-04-13 19:39      14592      ----a-w-      c:\windows\system32\drivers\kbdhid.sys
2011-01-26 18:28 . 2008-04-13 19:45      32128      -c--a-w-      c:\windows\system32\dllcache\usbccgp.sys
2011-01-26 18:28 . 2008-04-13 19:45      32128      ----a-w-      c:\windows\system32\drivers\usbccgp.sys
2011-01-25 02:35 . 2011-01-25 02:35      --------      d--h--w-      c:\windows\system32\GroupPolicy
2011-01-25 02:14 . 2011-01-25 02:14      --------      d-----w-      c:\windows\TempFEF64CCA-7CD1-DB4B-53AC-309D31BC8067-Signatures
2011-01-25 02:12 . 2011-01-27 02:50      --------      d-----w-      C:\junk
2011-01-24 23:02 . 2011-01-24 23:02      79360      --sha-r-      c:\windows\system32\smime3N.dll
2011-01-24 22:53 . 2011-01-24 22:57      --------      d-----w-      c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-01-20 22:57 . 2011-01-20 22:57      --------      d-----w-      c:\windows\system32\%APPDATA%
2011-01-20 19:19 . 2011-01-20 19:19      --------      d-sh--w-      c:\windows\system32\config\systemprofile\IETldCache
2011-01-20 19:19 . 2011-01-20 19:19      18297      ----a-w-      c:\windows\system32\MAI4.tmp
2011-01-20 19:17 . 2011-01-20 19:20      --------      d-----w-      c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-01-20 19:00 . 2011-01-20 19:00      --------      d-----w-      C:\Temp
2011-01-15 14:23 . 2011-01-15 14:57      --------      d-----w-      c:\documents and settings\Administrator\.SSRB2

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-13 07:41 . 2010-06-22 22:00      5890896      ----a-w-      c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2010-12-21 00:09 . 2010-10-24 01:46      38224      ----a-w-      c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-21 00:08 . 2010-10-24 01:46      20952      ----a-w-      c:\windows\system32\drivers\mbam.sys
2010-12-13 19:01 . 2010-06-02 00:00      53632      ----a-w-      c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2010-12-13 19:01 . 2010-06-02 00:00      83360      ----a-w-      c:\windows\system32\LMIRfsClientNP.dll
2010-12-13 19:01 . 2010-06-02 00:00      29568      ----a-w-      c:\windows\system32\LMIport.dll
2010-12-13 19:01 . 2010-06-02 00:00      87424      ----a-w-      c:\windows\system32\LMIinit.dll
2010-11-18 18:12 . 2008-04-06 03:16      81920      ----a-w-      c:\windows\system32\isign32.dll
2010-11-12 22:34 . 2008-04-07 15:52      73728      ----a-w-      c:\windows\system32\javacpl.cpl
2010-11-09 14:52 . 2004-08-04 12:00      249856      ----a-w-      c:\windows\system32\odbc32.dll
2010-11-06 00:26 . 2004-08-04 12:00      916480      ----a-w-      c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2004-08-04 12:00      43520      ------w-      c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2004-08-04 12:00      1469440      ------w-      c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2004-08-04 12:00      385024      ----a-w-      c:\windows\system32\html.iec
2010-11-02 15:17 . 2004-08-04 12:00      40960      ----a-w-      c:\windows\system32\drivers\ndproxy.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
2010-08-13 00:46      194912      ------w-      c:\program files\Yontoo Layers Client\YontooIEClient.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-21 963976]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"oddc"="c:\windows\system32\smime3N.dll" [2011-01-24 79360]

c:\documents and settings\admin\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-8-17 393216]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Brock Hot Key.exe.lnk - c:\program files\Brock Supply Co\Brock Hotkey\Brock Hot Key.exe [2008-1-17 327680]
Car-Part.com Trading Partner Software.lnk - c:\car-part\CPKeySrv.exe [2009-9-21 446976]
Service Manager.lnk - c:\program files\MICROSOFT SQL SERVER\80\TOOLS\BINN\sqlmangr.exe [2005-5-3 81920]
UPS WorldShip Messaging Utility.lnk - c:\ups\WSTD\WSTDMessaging.exe [2009-12-1 393216]
UPS WorldShip PLD Reminder Utility.lnk - c:\ups\WSTD\wstdPldReminder.exe [2009-12-1 40960]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Taskman"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-12-13 19:01      87424      ----a-w-      c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^OpenOffice.org 2.3.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk
backup=c:\windows\pss\OpenOffice.org 2.3.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Seagull Drivers]
ssdal_nc.exe startup [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-24 09:15      40368      ----a-w-      c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpbdfawep]
2007-04-25 19:28      954368      ----a-w-      c:\program files\HP\Dfawep\bin\hpbdfawep.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NA1Messenger]
2009-12-02 02:36      24576      ----a-w-      c:\ups\WSTD\UPSNA1Msgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPPOLL]
2005-03-02 22:12      24576      ----a-w-      c:\program files\Topro\tppoll.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6160:TCP"= 6160:TCP:Seagull Driver Networking

R2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [1/15/2008 9:28 AM 204800]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [10/13/2010 11:29 AM 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 11:41 AM 12856]
R2 MSSQL$UPSWSDBSERVER;MSSQL$UPSWSDBSERVER;c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe -sUPSWSDBSERVER --> c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe -sUPSWSDBSERVER [?]
S3 DCamUSBIntel;Digi-Microscope;c:\windows\system32\drivers\TP6800.sys [4/8/2008 9:36 AM 211680]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\35.tmp --> c:\windows\system32\35.tmp [?]
S3 SQLAgent$UPSWSDBSERVER;SQLAgent$UPSWSDBSERVER;c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlagent.EXE -i UPSWSDBSERVER --> c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlagent.EXE -i UPSWSDBSERVER [?]
.
Contents of the 'Scheduled Tasks' folder

2011-01-27 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 18:26]

2011-01-27 c:\windows\Tasks\User_Feed_Synchronization-{67A22DCE-2AE1-42B8-80D0-FCC1A2018453}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 10:31]
.
.
------- Supplementary Scan -------
.
DPF: {7876E4A5-78B7-4020-B08F-C960A1ED54C9} - hxxp://69.21.158.138/WinWebPush.cab
DPF: {97BB6657-DC7F-4489-9067-51FAB9D8857E} - hxxp://cflive.audatex.us/cf1live/static/weblaunch/weblaunch2.cab
FF - ProfilePath -
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-27 14:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\35.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0a,fc,65,15,a2,f7,dc,49,9d,71,86,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0a,fc,65,15,a2,f7,dc,49,9d,71,86,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e2,b7,62,e4,ee,54,13,45,9a,0a,49,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e2,b7,62,e4,ee,54,13,45,9a,0a,49,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(644)
c:\windows\system32\LMIinit.dll

- - - - - - - > 'explorer.exe'(3372)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\windows\system32\java.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe
c:\windows\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2011-01-27  14:53:49 - machine was rebooted
ComboFix-quarantined-files.txt  2011-01-27 20:53

Pre-Run: 66,960,146,432 bytes free
Post-Run: 66,977,177,600 bytes free

- - End Of File - - 61B406892BBD060A1477547BE601D139


It is looking more and more like I will have to start over with a new drive.

Thanks for all the help and suggestions. At least now the system is manageable with Rkill.

Pity the script writing wasn't successful. So good luck with the new drive.

@speednutt,
You had a lot of great advice, but I didn't see anywhere that you had cleaned all of the Temp/Junk files from the normal user's account.

Malware will very often reside in those folders and continually re-infect the system.

A very simple (and free) tool I use is from www.ccleaner.com - but it needs to be run from each profile on the computer.

There is another good cleaner program out there (the name escapes me) that will clear all profiles with one run.

Well everyone, I would call this one a wrap. We tried everything mentioned (I mean everything) and I still came up a bit short. That's the breaks. I did learn a great deal from all that contributed though, so that is worth something.

I am going to do a fresh install on a new drive and take a look back at this drive in a couple weeks or so. Maybe something will give then.

The next question: how is it recommended that I apply the points that I offered for your help? I know that there were several that contributed and some answers were more in depth than others, so I would like to apply the points the best way possible. If there were only a couple responses it would be a lot easier.

I do appreciate everyone's help, and that is why I pay my monthly fees even though I haven't used the service as much as I probably should.

Thanks much.

speednutt,
Glad to help, but wish we could have resolved it!  

Suggest the points are equally shared between those you feel contributed something of use for your future troubleshooting, as well as our attempts at restoring the drive. Rkill obviously contributed something, but I'll go along with whatever you all decide.

Have to log off now for ~48 hours, so I'm taking the easy way out!
It's over to the others for their thoughts ....!!

Distribute the points the way you see fit. The posts that have information that benefits you in the future are sure to earn something. I wish we could have helped. There was a lot of effort and good suggestions.

Thanks for all the help. Also, thanks for being so quick in your response times. If there were a way to give the points to everyone I would have done that.

Just wanted to update everyone that the problem has finally been solved. I ran Hitman Pro 3.5 for a second time and it found the rootkit and successfully cleared it out. Mission accomplished, and thanks so much for everyone's help in this matter. I didn't have to wipe the drive and all the data was saved.

I can't thank you all enough.

It's very rewarding for us all to get this kind of feedback ...thank you!

Glad you were able to recover all data.

Glad to hear that your problem is resolved.