amos5000

XP Hijackthis help

I have an XP machine that will not run SuperAntiSpyware without a BSOD: safe mode, alt start, etc. Also cannot get HouseCall to run using either kernel.
Could someone review my log below and offer some input? Thanks in advance..
hijackthis.log
warturtle

Hello,

I cannot see anything obvious from the HijackThis log. Could you please download ComboFix from: http://www.bleepingcomputer.com/combofix/how-to-use-combofix and save it with a different name like jabba.exe.

Then disable your antivirus protection and run it. After it finishes and creates a log, then send us that log. Reenable your antivirus protection and then run SuperAntiSpyware again followed by a scan with your existing antivirus.
Mohamed Osama
This looks bad in the HJT log:

O4 - HKCU\..\Run: [LoadWatcher] Test
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZUxdm265YYUS

Please try to uninstall the MyWebSearch toolbar from Add/Remove Programs first before trying to fix it using HJT.
Also, if you do not know otherwise, can you please upload the file C:\WINDOWS\SYSTEM32\cypherixsrv.exe to www.virustotal.com to confirm whether it is legit or not.

amos5000

ASKER

Ok, ran ComboFix as suggested; it completed successfully. Logfile attached.
Also, will address Admin3k's recommendations next.
Then will re-run SuperAntiSpyware...

Thanks!
combofixlog.txt
Here's my understanding of this ComboFix log:

1. Could you upload these files to www.virustotal.com for a virus check?

c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe
c:\windows\system32\rdpclip.exe
c:\windows\system32\wscntfy.exe

@warturtle: the above files are all legit and related to SQL Server, Terminal Services and Windows Security Center respectively; I do not see a reason to think that they were patched or tampered with at this stage.
@amos5000: the ComboFix log shows it has removed a couple of files it found bad. One interesting finding is the first one:

ADS - WINDOWS: deleted 24 bytes in 1 streams.

This usually means the presence of a rootkit that was hiding its binaries using an NTFS ADS (Alternate Data Stream), which is usually hidden from Windows Explorer. ComboFix detected the file's presence and removed it. There are also another couple of deletions:

c:\docume~1\ANDYL~1\LOCALS~1\Temp\install_flash_player.exe
c:\windows\system32\mdm.exe

There may be a leftover or more, so please let us know the outcome of the SAS scan, and provide a fresh HijackThis log after the last ComboFix run if the problem persists.



I submitted the files suggested by both of you to virustotal.com and all passed clear.

After ComboFix and fixing MyWebSearch via HJT... SAS BSOD'd again.

Will re-run HJT, then ComboFix, and report.

Thanks for all the help so far!
Could you try to post the exact system error from the computer's Event Viewer that was logged after the crash?
Start > Run > eventvwr.msc > System
We need to know the event ID, source and error text.

-Last system log ENTRY before crash on SAS @ 12:31:01PM
The IMAPI CD-Burning COM Service service entered the stopped state

-Last system log ERROR entry before crash @ 12:29:21PM
Unable to start a DCOM Server: {0C0A3666-30C9-11D0-8F20-00805F2CD064} as /. The error:
"The system cannot find the file specified. "
Happened while starting this command:
C:\WINDOWS\system32\MDM.EXE -Embedding

*Then I let the system sit blue until I returned from work...

-First system log ENTRY after crash @ 6:04:47PM
Microsoft (R) Windows (R) 5.01. 2600 Service Pack 3 Multiprocessor Free.

-First system log ERROR entry after crash @ 6:05:11PM
The Cypherix service service terminated with the following error:
A device attached to the system is not functioning.

-Second system log ERROR entry @ 6:06:09PM
Error code 1000000a, parameter1 00000016, parameter2 0000001c, parameter3 00000000, parameter4 80502eaa.

-Third system log ERROR entry @ 6:06:17PM
Unable to start a DCOM Server: {0C0A3666-30C9-11D0-8F20-00805F2CD064} as /. The error:
"The system cannot find the file specified. "
Happened while starting this command:
C:\WINDOWS\system32\MDM.EXE -Embedding

-This ENTRY I found interesting @ 6:04:48PM
The computer has rebooted from a bugcheck.  The bugcheck was: 0x1000000a (0x00000016, 0x0000001c, 0x00000000, 0x80502eaa). A dump was saved in: C:\WINDOWS\Minidump\Mini051909-01.dmp.

Thanks!
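The two crash entries quoted above (the Event ID 1003 "Error code ..." line and the Event ID 1001 "rebooted from a bugcheck" line) carry the same stop code and parameters. This added Python example, which is not from the thread, parses both wordings and decodes them using the documented parameter meanings of stop 0xA (IRQL_NOT_LESS_OR_EQUAL); it assumes a 32-bit XP with the default kernel address range starting at 0x80000000 (no /3GB).

```python
import re

# Constructed sample: the two event texts copied from the System log quoted above.
SAMPLE_EVENTS = [
    "Error code 1000000a, parameter1 00000016, parameter2 0000001c, "
    "parameter3 00000000, parameter4 80502eaa.",
    "The computer has rebooted from a bugcheck.  The bugcheck was: 0x1000000a "
    "(0x00000016, 0x0000001c, 0x00000000, 0x80502eaa). A dump was saved in: "
    "C:\\WINDOWS\\Minidump\\Mini051909-01.dmp.",
]

HEX = r"(?:0x)?([0-9a-fA-F]+)"
# Event ID 1003 (Source: System Error) wording
EVENT_RE = re.compile(r"Error code " + HEX + r", parameter1 " + HEX + r", parameter2 "
                      + HEX + r", parameter3 " + HEX + r", parameter4 " + HEX)
# Event ID 1001 (Source: Save Dump) wording
BUGCHECK_RE = re.compile(r"bugcheck was: " + HEX + r" \(" + HEX + r", " + HEX
                         + r", " + HEX + r", " + HEX + r"\)")

STOP_NAMES = {0xA: "IRQL_NOT_LESS_OR_EQUAL"}


def parse_bugcheck(line):
    """Return (stop_code, [p1, p2, p3, p4]) from either event wording, or None."""
    m = EVENT_RE.search(line) or BUGCHECK_RE.search(line)
    if not m:
        return None
    code, *params = (int(g, 16) for g in m.groups())
    return code, params


def describe(code, params, kernel_base=0x80000000):
    """Decode a stop 0xA report; kernel_base assumes the default 2GB/2GB split."""
    base = code & 0x0FFFFFFF  # 0x1000000A is the 0x10000000-flagged variant of 0xA
    name = STOP_NAMES.get(base, "UNKNOWN")
    if base != 0xA:
        return {"base_code": base, "name": name}
    addr, irql, op, pc = params  # documented parameter order for stop 0xA
    return {
        "base_code": base,
        "name": name,
        "referenced_address": addr,          # memory the driver touched
        "irql": irql,                        # IRQL at the time of the fault
        "operation": "write" if op else "read",
        "faulting_address": pc,              # instruction that did the access
        "fault_in_kernel_code": pc >= kernel_base,   # 0x80502eaa: kernel-mode code
        "near_null_pointer": addr < 0x10000,         # 0x16 looks NULL-relative
    }


def analyze(lines):
    """Decode every bugcheck entry found in a list of event texts."""
    return [describe(*parsed) for line in lines if (parsed := parse_bugcheck(line))]
```

Run `analyze(SAMPLE_EVENTS)` to see that both entries decode to a kernel-mode read of a near-null address at IRQL 0x1c, which is consistent with a kernel driver (not SAS itself) being the faulting component.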

I would suggest running sfc /scannow from Start > Run. You might need the Windows XP CD for this to work.

This will ask Windows to check all system files and replace missing/corrupted files by fresh copies.

I ran sfc successfully. Does it generate a log? I don't know if it made any changes or if all was well.

Thanks.

Also just re-ran ComboFix. Will post ComboFix and HJT logs, then try SAS again.

Here are the most recent HJT and ComboFix logs..
Thanks
combofixlog2.txt
hijackthis2.log
Tried again; SAS still BSODs.

Thanks!
I'm struggling to get a real view of the .dmp file using dumpchk. Maybe I'm not so smart, but I did see it finds catchme.sys and can't load symbols for it or nx6000.sys (then it finishes and closes the cmd window)..

Any fixes for catchme.sys? Is it evil? Where does it come from?

Anybody want to see my dmp?
catchme.sys can be related to ComboFix, but there is also a known piece of malware by that name. Please rename the .dmp file to .txt and attach it here.

Here is the minidump renamed from .dmp to .txt

Thanks again!
Mini052009-01.txt
ASKER CERTIFIED SOLUTION
Mohamed Osama
Tried the ol' driver update, but Windows could not find a better driver than the one I am using... so I uninstalled the drivers and started SAS.

SAS is running!

I will post again when it completes the scan.

THANKS!
SuperAntiSpyware would not run until I uninstalled the Microsoft NX-6000 LifeCam drivers from my 32-bit XP system.

Next I will re-install fresh drivers for it and see if it will run.

Thanks for all the excellent help again!
Oh, by the way, SAS found just 5 adware cookies, nothing too nasty!
Thanks for staying with me on this!
Re-installed LifeCam using version 2.07 from Microsoft for XP32...

SAS still works!!!! SOLVED!
Glad it worked out!
Cheers.