
MB won't run and HJT won't remove anything



I seem to have a nasty rootkit destroying my machine. It removed all admin access from my main profile and the main admin account. Kaspersky was unable to do anything but detect the problem. I ran HJT, but every time I click Fix the files return again. Malwarebytes won't run because the malware is killing it (I've seen it pop up for a second or two). Please help!

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:11:09 PM, on 2/22/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Safe mode with network support

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\csrss.exe

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winlogon.exe

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\win32.exe

C:\WINDOWS\system32\ctfmon.exe

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\msinits.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\cmd.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: C:\WINDOWS\system32\mqrfko.dll - {A3BA40A2-74F0-42BD-F434-00B15A2C8953} - C:\WINDOWS\system32\mqrfko.dll

O4 - HKLM\..\Run: [ultraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [wemitegat] Rundll32.exe "c:\windows\system32\yihaguta.dll",a

O4 - HKCU\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\win32.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Remote System Protection] rundll32.exe C:\WINDOWS\system32\mqrfko.dll, HUI_proc

O4 - Global Startup: Jungle Disk Desktop.lnk = C:\Program Files\Jungle Disk Desktop\JungleDiskMonitor.exe

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O9 - Extra button: Companion.JS - {0402343A-B530-482b-AA27-A61CEC3E4D2E} - C:\Program Files\Core Services\Companion.JS\CompanionJS.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1200111902500

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{268E7731-4DA2-45B3-B435-8908DF5B9CDE}: NameServer = 83.149.115.157,4.2.2.1

O17 - HKLM\System\CCS\Services\Tcpip\..\{34DC55FA-0233-4261-9551-787402E18839}: NameServer = 83.149.115.157,4.2.2.1,8.8.8.8 8.8.4.4 208.59.247.45 208.59.247.46 192.168.1.1 8.8.8.8 8.8.4.4 8.8.8.8 8.8.4.4 208.59.247.45 208.59.247.46

O17 - HKLM\System\CCS\Services\Tcpip\..\{AD869E3D-526B-4EB1-8CDE-08721D6BFF95}: NameServer = 83.149.115.157,4.2.2.1

O17 - HKLM\System\CS1\Services\Tcpip\..\{268E7731-4DA2-45B3-B435-8908DF5B9CDE}: NameServer = 83.149.115.157,4.2.2.1

O17 - HKLM\System\CS2\Services\Tcpip\..\{268E7731-4DA2-45B3-B435-8908DF5B9CDE}: NameServer = 83.149.115.157,4.2.2.1

O17 - HKLM\System\CS3\Services\Tcpip\..\{268E7731-4DA2-45B3-B435-8908DF5B9CDE}: NameServer = 83.149.115.157,4.2.2.1

O20 - AppInit_DLLs: c:\windows\system32\yihaguta.dll

O21 - SSODL: bejebomef - {9ae44cd0-06af-412f-be20-608a52385e8a} - c:\windows\system32\yihaguta.dll

O22 - SharedTaskScheduler: 7whfiudhf8s7f3oifhif7syfdhsof - {A3BA40A2-74F0-42BD-F434-00B15A2C8953} - C:\WINDOWS\system32\mqrfko.dll

O22 - SharedTaskScheduler: mujuzedij - {9ae44cd0-06af-412f-be20-608a52385e8a} - c:\windows\system32\yihaguta.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe

O23 - Service: BitKinex File Transfer Service (BitKinex) - Unknown owner - C:\Program Files\BitKinex\bitkinexsvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: JungleDiskService - Jungle Disk, Inc. - C:\Program Files\Jungle Disk Desktop\JungleDiskMonitor.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe

O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe

O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe

O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe

O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.6\bin\httpd.exe

O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.0.45\bin\mysqld-nt.exe

--

End of file - 7176 bytes


Hello CrashRoX, and welcome to Malwarebytes.org

Yes, it does indeed seem like you are infected; you can follow the instructions below and have an Expert help you.

Hello , and welcome to Malwarebytes.org

We don't work on Malware removal in the general forums.

Please print out, read and follow the directions here, skipping any steps you are unable to complete. Then post a NEW topic here.

One of the expert helpers there will give you one-on-one assistance when one becomes available.

After posting your new topic, make sure that under Options you select Track this topic and choose one of the Email options, so that you're alerted when someone has replied to your post.

Alternatively, as a paying customer, you can contact the help desk at support@malwarebytes.org

If you are a corporate customer please send an email to corporate-support@malwarebytes.org. (NOTE: An order number is required for corporate support.)

