Hi ryoumi241,
You could fix the following using HijackThis:
O4 - HKCU\..\Run: [kamsoft] C:\WINDOWS\system32\ckvo.exe
O20 - Winlogon Notify: yayxwxu - yayxwxu.dll (file missing) because it is not functional anymore
Here I would first upload to VirusTotal and check the results - could be a WinLogon SAS file:
O20 - AppInit_DLLs: c:\windows\system32\ddabxxw.dll
The filename is associated with the malware group KAVKOP:Trojan-A.
These files have no vendor, product or version information specified in the file header.
CKVO.EXE has been seen to perform the following behavior(s):
* The Process is packed and/or encrypted using a software packing process
* Automatically changes your firewall settings to allow itself or other programs to communicate over the internet
* Adds Products to the system registry
* Modifies Windows Security Policies to restrict/expand User Privileges on the machine
* Writes to another Process's Virtual Memory (Process Hijacking)
* This Process Deletes Other Processes From Disk
* This Process Creates Other Processes On Disk
* Adds a Registry Key (RUN) to auto start Programs on system start up
* Can communicate with other computer systems using HTTP protocols
* Executes a Process
* Injects code into other processes
* Registers a Dynamic Link Library File
* Creates a new Background Service on the machine
* Disables safe mode on your PC
* Uses DNS to retrieve the IP address for web sites
* Visits web sites on your PC without you knowing
* Copies files
* The Process is polymorphic and can change its structure
* Loads and Executes a System Driver File
CKVO.EXE has been the subject of the following behavior(s):
* Created as a process on disk
* Executed as a Process
* Has code inserted into its Virtual Memory space by other programs
* Added as a Registry auto start to load Program on Boot up
* Deleted as a process from disk
* Copied to multiple locations on the system
* This program is often downloaded from the web
* Downloaded from covert web sites without the user knowing
* Registered as a Dynamic Link Library File
CKVO.EXE can also use the following file names:
Info from Virus, Spyware & Malware Center
For the other problem you encountered, try this solution:
Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from here:
http://cid-6aaab341ce47c5c2.skydrive.live.com/self.aspx/Public/FixPolicies.exe
* Double-click FixPolicies.exe.
* Click the “Install” button on the bottom toolbar of the box that will open.
* The program will create a new Folder called FixPolicies.
* Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
* A black box will briefly appear and then close.
* This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.
After running FixPolicies, log off and restart the system, and try logging in to normal mode. Let me know if you can,
polonus
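
The triage in the post above (fix the entry whose file is missing, scan the file that is still present) can be applied to a whole HijackThis log. The script below is an added example, not part of the original post or of HijackThis: the sample log is constructed, the fourth line and the `next_step` rule are assumptions, and it generalizes the post by treating every present file as scan-first.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis log format; the first three lines mirror the post.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [kamsoft] C:\WINDOWS\system32\ckvo.exe
O20 - Winlogon Notify: yayxwxu - yayxwxu.dll (file missing)
O20 - AppInit_DLLs: c:\windows\system32\ddabxxw.dll
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
"""

MISSING = " (file missing)"
# Autostart mechanism -> line pattern. The backslash after the hive is optional
# because pasted logs sometimes lose it.
PATTERNS = [
    # ...\Microsoft\Windows\CurrentVersion\Run (also RunOnce and similar)
    ("run_key", re.compile(r"^O4 - HK(?:CU|LM)\\?\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<target>.+)$")),
    # HKLM\...\Windows NT\CurrentVersion\Winlogon\Notify\<name>
    ("winlogon_notify", re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<target>.+)$")),
    # HKLM\...\Windows NT\CurrentVersion\Windows, value AppInit_DLLs
    ("appinit_dlls", re.compile(r"^O20 - AppInit_DLLs: (?P<target>.+)$")),
]

@dataclass
class Autostart:
    mechanism: str
    name: str
    targets: list
    missing: bool

    @property
    def next_step(self):
        # Assumed rule: an entry whose file is gone is an orphan; anything else is scanned first.
        return "remove orphaned entry" if self.missing else "scan target file before fixing"

def parse_autostarts(log):
    found = []
    for line in map(str.strip, log.splitlines()):
        missing = line.endswith(MISSING)
        if missing:
            line = line[: -len(MISSING)]
        for mechanism, pattern in PATTERNS:
            m = pattern.match(line)
            if m:
                g = m.groupdict()
                # AppInit_DLLs holds a space- or comma-delimited list of DLLs.
                multi = mechanism == "appinit_dlls"
                targets = re.split(r"[ ,]+", g["target"]) if multi else [g["target"]]
                found.append(Autostart(mechanism, g.get("name", ""), targets, missing))
                break
    return found
```

Lines that match none of the three patterns are skipped, so other HijackThis sections still need to be reviewed by hand.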