Hello!

Okay, I'll try this again. I had a long message typed out and was attaching the DDS reports and I got the blue screen. So long story short, this is my kids computer so I have no idea what happened or how long it has been going on but I got curious a few days ago when I realized none of my kids had been on the computer for a long time. I get on and it is chaos. Fake antivirus messages popping up everywhere, error messages, it was impossible to function. My real antivirus (McAfee) was rendered useless so. Apparently the virus got to that too. I got on safe mode and downloaded MalwareBytes. It found 99 issues including worm.koobface and the following trojans: .Vundo.H, .Hiloti, .BHO, .Ertfor, .Agent, .Zbot, .Dropper, .FakeAlert, and .Banker.

I quarantined everything and deleted it all. I thought my problem was fixed but when I restarted it was worse than before. I tried running MalwareBytes again but it is not working correctly now. I uninstalled it, ran mbam clean, and reinstalled it and it still wont work. During this process I thought maybe my McAfee antivirus was causing the problem so I uninstalled it, it wasn't working anyway. I tried downloading MANY other antivirus programs when I realized I wasnt going to get mbam to work. NONE of them will run. I tried doing an online virus scan, that won't work properly either. Even RootRepeal wont work properly so I don't have that report. When I try to run it the box comes up that says it is initializing for a while then I get the Windows blue screen. Heres the reports I did get. Any help will be very appreciated! Thanks bunches! Jen

PS It wont let me upload the attach file. Let me know if you need it, I'll try to do it from my laptop.

DDS:


DDS (Ver_09-06-26.01) - NTFSx86 NETWORK
Run by Wenninger at 23:45:41.12 on Tue 11/03/2009
Internet Explorer: 8.0.6001.18702

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://www.aol.com/
uDefault_Page_URL = hxxp://www.dellnet.com
uDefault_Search_URL = hxxp://search.msn.com
uWindow Title = Windows Internet Explorer provided by Yahoo!
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uURLSearchHooks: FCToolbarURLSearchHook Class: {19a0f032-27d7-4227-bbb5-51aa9e5904f5} -
uURLSearchHooks: H - No File
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - No File
BHO: This BHO has been enabled by BHODemon. - No File
TB: Dogpile Toolbar: {c53fe659-316a-4f56-a194-a5be491be866} -
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [AOL Fast Start] "c:\program files\aol 9.1\AOL.EXE" -b
uRun: [rundll32.exe]
uRun: [WAB] c:\documents and settings\wenninger\application data\macromedia\common\ec0fe01c19.exe
uRun: [SYSDLL] SYSDLL
uRun: [svchost] c:\documents and settings\wenninger\application data\svcst.exe
uRun: [mserv] c:\documents and settings\wenninger\application data\svcst.exe
uRunOnce: [<NO NAME>] "c:\program files\internet explorer\iexplore.exe" http://www.symantec.com/techsupp/servlet/P...000028.000000D8
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~3.EXE -Update -1103471 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; IEMB3; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; NET_mmhpset)" -"http://www.cartoonnetwork.com/games/tj/cheesechase/index.html"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [nwiz] nwiz.exe /install
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [New.net Startup] rundll32 c:\progra~1\newdot~1\NEWDOT~2.DLL,NewDotNetStartup
mRun: [MyWebSearch Plugin] rundll32 c:\progra~1\mywebs~1\bar\2.bin\M3PLUGIN.DLL,UPF
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HostManager] c:\program files\common files\aol\1157574114\ee\AOLSoftware.exe
mRun: [DwlClient] "c:\program files\common files\dell\eusw\Support.exe"
mRun: [DVDSentry] c:\windows\system32\DSentry.exe
mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"
mRun: [WildTangent CDA] RUNDLL32.exe "c:\program files\wildtangent\apps\cda\cdaEngine0400.dll",cdaEngineMain
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [Microsoft Works Update Detection] "c:\program files\common files\microsoft shared\works shared\WkUFind.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [LimeShop] wjview /cp:p "c:\program files\limeshop\system\code" main lp: "c:\program files\LimeShop"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [diagent] "c:\program files\creative\sblive\diagnostics\diagent.exe" startup
mRun: [Detect Kbd Daemon] SK2000DM.EXE
mRun: [AOLDialer] c:\program files\common files\aol\acs\AOLDial.exe
mRun: [AOL Spyware Protection] "c:\progra~1\common~1\aol\aolspy~1\AOLSP Scheduler.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppsc1~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpohmr08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
uPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
uPolicies-system: NoDispAppearancePage = 0 (0x0)
uPolicies-system: NoColorChoice = 0 (0x0)
uPolicies-system: NoSizeChoice = 0 (0x0)
uPolicies-system: NoVisualStyleChoice = 0 (0x0)
uPolicies-system: NoDispSettingsPage = 0 (0x0)
uPolicies-system: EnableProfileQuota = 1 (0x1)
mPolicies-explorer: <NO NAME> =
IE:
IE: &AIM Search - c:\program files\aim toolbar\AIMBar.dll/aimsearch.htm
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: microsoft.com\v5.windowsupdate
Trusted Zone: windowsupdate.com
DPF: Aces Up! by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/aces/aces-en_US.cab
DPF: Backgammon by pogo - hxxp://game1.pogo.com/applet-8.0.9.41/backgammon/backgammon-en_US.cab
DPF: Bingo Luau by pogo - hxxp://game1.pogo.com/v/8.1.7.44/applet/freebingo/freebingo-en_US.cab
DPF: Blackjack by pogo - hxxp://game3.pogo.com/v/8.1.7.44/applet/blackjack/blackjack-en_US.cab
DPF: Blackjack Carnival by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/vbjack2/vbjack2-en_US.cab
DPF: Blooop by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/cascade/cascade-en_US.cab
DPF: Canasta by pogo - hxxp://game1.pogo.com/v/8.1.1.13/applet/canasta/canasta-en_US.cab
DPF: Checkers by pogo - hxxp://game1.pogo.com/applet-8.0.9.41/checkers2/checkers-en_US.cab
DPF: Chess by pogo - hxxp://game1.pogo.com/v/8.1.1.13/applet/chess2/chess2-en_US.cab
DPF: Dice City Roller by pogo - hxxp://game3.pogo.com/v/8.1.9.1/applet/ytz/ytz-en_US.cab
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Dominoes by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/domino/domino-en_US.cab
DPF: Double Deuce Poker by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/videopoker2/doubledeuce-en_US.cab
DPF: Fortune Bingo by pogo - hxxp://game1.pogo.com/applet-8.0.9.41/superbingo/superbingo-en_US.cab
DPF: Hangman Hijinks by pogo - hxxp://game3.pogo.com/v/8.1.8.10/applet/hangman/hangman-en_US.cab
DPF: Hearts by pogo - hxxp://game3.pogo.com/v/8.1.7.44/applet/hearts/hearts-en_US.cab
DPF: High Stakes Poker by pogo - hxxp://game1.pogo.com/applet-8.0.9.41/drawpoker/drawpoker-en_US.cab
DPF: High Stakes Pool by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/pool2/pool-en_US.cab
DPF: Hog Heaven Slots by pogo - hxxp://game1.pogo.com/v/8.1.7.44/applet/fancy/fancy-en_US.cab
DPF: Jungle Gin by pogo - hxxp://game1.pogo.com/v/8.1.1.13/applet/gin2/gin2-en_US.cab
DPF: Lost Temple Poker by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/mhpoker/mhpoker-en_US.cab
DPF: Lottso by pogo - hxxp://game3.pogo.com/v/8.1.9.1/applet/lottso/lottso-en_US.cab
DPF: Makeover Madness by pogo - hxxp://game3.pogo.com/v/8.1.7.44/applet/shoes/shoes-en_US.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: NASCAR Web Racing by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/nascar/nascar-en_US.cab
DPF: No-Limit Texas Hold'em by pogo - hxxp://game1.pogo.com/v/8.1.1.21/applet/allin/allin-en_US.cab
DPF: Pai Gow by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/paigow/paigow-en_US.cab
DPF: Payday Freecell Solitaire by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/freecell2/freecell2-en_US.cab
DPF: Perfect Pair Solitaire by pogo - hxxp://game1.pogo.com/v/8.1.7.44/applet/waterwheel/waterwheel-en_US.cab
DPF: Phlinx by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/flinger/flinger-en_US.cab
DPF: Poppit by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/poppit2/poppit2-en_US.cab
DPF: Quick Quack by pogo - hxxp://game1.pogo.com/v/8.1.7.44/applet/hotstreak/hotstreak-en_US.cab
DPF: QWERTY by pogo - hxxp://game1.pogo.com/v/8.1.1.13/applet/squares/squares-en_US.cab
DPF: Ride The Tide by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/ride/ride-en_US.cab
DPF: Showbiz Slots by pogo - hxxp://game1.pogo.com/v/8.1.0.24/applet/slots/showbiz-en_US.cab
DPF: Spooky Slots - hxxp://game1.pogo.com/v/8.1.1.35/applet/spooky/spooky-en_US.cab
DPF: Squelchies by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/squelchies/squelchies-en_US.cab
DPF: Stax by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/stax/stax-en_US.cab
DPF: Sweet Tooth TM by pogo - hxxp://game1.pogo.com/v/8.1.1.13/applet/sweettooth/sweettooth-en_US.cab
DPF: Thousand Island Solitaire by pogo - hxxp://game3.pogo.com/v/8.1.9.1/applet/millbrae/millbrae-en_US.cab
DPF: Turbo 21 v2 by pogo - hxxp://game1.pogo.com/v/8.1.9.7/applet/turbo22/turbo22-en_US.cab
DPF: Wonderland Memories by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/memories/memories-en_US.cab
DPF: Word Search Daily by pogo - hxxp://game3.pogo.com/v/8.1.9.4/applet/wordsearch/wordsearch-en_US.cab
DPF: Word Whomp by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/wordwhomp2/whomp2-en_US.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.7.109.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} - hxxp://www.myheritage.com/Genoogle/Components/ActiveX/SearchEngineQuery.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1104984549012
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1157565582500
DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} - hxxp://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
DPF: {F55C25D3-D16A-11D3-81DF-00A0C91F5E7D} - hxxp://www.kiddonet.com/kiddonet/GtekPrt.ocx
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = :\windows\system32\srrstr.dll cli scecli

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-11-03 22:57 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-03 22:57 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-11-03 22:57 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-11-03 21:38 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2009-11-03 01:23 <DIR> --d----- c:\docume~1\wennin~1\applic~1\AVG8
2009-11-03 00:34 <DIR> --d----- c:\windows\LastGood.Tmp
2009-11-02 14:32 <DIR> --d----- c:\program files\Panda Security
2009-11-02 05:07 18,525 a------- c:\windows\system32\wifigewor.db
2009-11-02 05:07 17,607 a------- c:\program files\common files\emytecos.bin
2009-11-02 05:07 13,103 a------- c:\windows\izotepoz.reg
2009-11-02 05:07 17,671 a------- c:\windows\ezihojekiv.exe
2009-11-02 05:07 17,495 a------- c:\windows\ixozak.ban
2009-11-02 05:07 14,396 a------- c:\windows\ajogiz.vbs
2009-11-02 05:07 13,015 a------- c:\windows\ycizuxyk._sy
2009-11-02 05:07 17,974 a------- c:\windows\system32\ubohinake.lib
2009-11-02 05:07 16,269 a------- c:\windows\system32\imukyboq.db
2009-11-02 05:07 11,462 a------- c:\windows\bevepotah.dat
2009-11-02 05:07 13,387 a------- c:\windows\linusimypo.dat
2009-11-02 02:16 <DIR> --d----- c:\docume~1\wennin~1\applic~1\Malwarebytes
2009-11-01 23:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-01 10:12 36 a------- c:\windows\rasqervy.dll
2009-11-01 10:12 8 a------- c:\windows\sdfinacs.dll
2009-11-01 10:12 5 a------- c:\windows\sdfixwcs.dll
2009-11-01 02:40 552 a------- c:\windows\system32\d3d8caps.dat
2009-10-31 22:56 12,211 a------- c:\windows\abipy.lib
2009-10-31 22:56 10,668 a------- c:\windows\tepavil.pif
2009-10-31 22:56 14,450 a------- c:\docume~1\wennin~1\applic~1\emosican.com
2009-10-31 22:56 19,953 a------- c:\windows\system32\wifaru.db
2009-10-31 22:56 14,266 a------- c:\program files\common files\jewicelimu.scr
2009-10-31 22:56 16,692 a------- c:\windows\ipuba.ban
2009-10-31 22:56 16,032 a------- c:\docume~1\alluse~1\applic~1\xobexoq.scr
2009-10-31 22:56 12,117 a------- c:\docume~1\wennin~1\applic~1\usewygi.dll

==================== Find3M ====================

2009-11-02 05:07 13,365 a------- c:\program files\common files\itawiqimy._sy
2009-11-02 05:07 18,281 a------- c:\program files\common files\ijeq.dl
2009-10-31 22:56 13,578 a------- c:\program files\common files\abawogyrob.lib
2008-12-16 16:22 139,112 ac------ c:\docume~1\wennin~1\applic~1\GDIPFONTCACHEV1.DAT
2004-12-25 19:47 35,121,138 a------- c:\program files\NIS_Retail.EXE
2003-12-10 20:39 457 a------- c:\program files\INSTALL.LOG
2008-10-17 01:18 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008101720081018\index.dat

============= FINISH: 0:01:57.87 ===============

Ok, as it is in a Temp folder lets try this,

Please download ATF Cleaner by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


Then re try it

I decided to try to update MalwareBytes rigfht after I posted my last post. It actually updated correctly!! So I decided to run it. I did a full system scan and it actually ran all the way through without a problem! It ran FOREVER and found 85 items and successfully deleted them. I think we may have gotten somewhere! Here's the log. :-)

Malwarebytes' Anti-Malware 1.41
Database version: 3147
Windows 5.1.2600 Service Pack 3

11/11/2009 6:15:46 PM
mbam-log-2009-11-11 (18-15-46).txt

Scan type: Full Scan (C:\|)
Objects scanned: 286343
Time elapsed: 6 hour(s), 7 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 8
Folders Infected: 1
Files Infected: 74

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wab (Trojan.Dropper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux1 (Hijack.Sound) -> Bad: (C:\DOCUME~1\WENNIN~1\APPLIC~1\MACROM~1\Common\ec0fe01c1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux2 (Hijack.Sound) -> Bad: (C:\DOCUME~1\WENNIN~1\APPLIC~1\MACROM~1\Common\ec0fe01c1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\midi1 (Hijack.Sound) -> Bad: (C:\DOCUME~1\WENNIN~1\APPLIC~1\MACROM~1\Common\ec0fe01c1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\midi2 (Hijack.Sound) -> Bad: (C:\DOCUME~1\WENNIN~1\APPLIC~1\MACROM~1\Common\ec0fe01c1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\mixer1 (Hijack.Sound) -> Bad: (C:\DOCUME~1\WENNIN~1\APPLIC~1\MACROM~1\Common\ec0fe01c1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\mixer2 (Hijack.Sound) -> Bad: (C:\DOCUME~1\WENNIN~1\APPLIC~1\MACROM~1\Common\ec0fe01c1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave1 (Hijack.Sound) -> Bad: (C:\DOCUME~1\WENNIN~1\APPLIC~1\MACROM~1\Common\ec0fe01c1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave2 (Hijack.Sound) -> Bad: (C:\DOCUME~1\WENNIN~1\APPLIC~1\MACROM~1\Common\ec0fe01c1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\HelpAssistant\Start Menu\Programs\AntivirusPro_2010 (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\HelpAssistant\Application Data\Macromedia\Common\ec0fe01c19.exe (Trojan.Riern) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000001.exe (Trojan.Riern) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000006.exe (Trojan.Riern) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000086.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000088.exe (Trojan.Riern) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000272.exe (Trojan.Riern) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000519.exe (Trojan.Riern) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0001516.exe (Trojan.Riern) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0001548.exe (Trojan.Riern) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0002516.exe (Trojan.Riern) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0002548.exe (Trojan.Riern) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0002888.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0002889.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0002890.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0002893.exe (Trojan.Riern) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0002917.exe (Trojan.Riern) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0002949.exe (Trojan.Riern) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0004129.exe (Trojan.Riern) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0004153.exe (Trojan.Riern) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0004185.exe (Trojan.Riern) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0004511.exe (Trojan.Riern) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0004551.exe (Trojan.Riern) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0004607.exe (Trojan.Riern) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0005575.exe (Trojan.Riern) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0006575.exe (Trojan.Riern) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0007575.exe (Trojan.Riern) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0007607.exe (Trojan.Riern) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0008575.exe (Trojan.Riern) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0008607.exe (Trojan.Riern) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0009575.exe (Trojan.Riern) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0009607.exe (Trojan.Riern) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0009978.exe (Trojan.Riern) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0009984.exe (Trojan.Riern) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0009990.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0010200.exe (Trojan.Riern) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0010213.exe (Trojan.Riern) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0010255.exe (Trojan.Riern) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0010618.exe (Trojan.Riern) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0010620.exe (Trojan.Riern) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0010635.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0011208.exe (Trojan.Riern) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0011239.exe (Trojan.Riern) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0012208.exe (Trojan.Riern) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0012240.exe (Trojan.Riern) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0012582.exe (Trojan.Riern) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0012614.exe (Trojan.Riern) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0012958.exe (Trojan.Riern) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0012984.exe (Trojan.Riern) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0013018.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0013084.exe (Trojan.Riern) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0013490.exe (Trojan.Riern) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0013523.exe (Trojan.Riern) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0013834.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0014225.exe (Trojan.Riern) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0014264.exe (Trojan.Riern) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0015203.exe (Trojan.Riern) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0015235.exe (Trojan.Riern) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0015595.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP5\A0015690.exe (Trojan.Riern) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP5\A0015774.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP5\A0015836.exe (Trojan.Riern) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP5\A0015849.exe (Trojan.Riern) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP6\A0015861.exe (Trojan.Riern) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP6\A0015876.exe (Trojan.Riern) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP6\A0015896.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP6\A0016055.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP6\A0016095.exe (Trojan.Riern) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP6\A0016103.exe (Trojan.Riern) -> Quarantined and deleted successfully.
C:\Combo-Fix\Combo-Fix.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Start Menu\Programs\AntivirusPro_2010\AntivirusPro_2010.lnk (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Start Menu\Programs\AntivirusPro_2010\Uninstall.lnk (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Application Data\Macromedia\Common\ec0fe01c1.dll (Hijack.Sound) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wenninger\Application Data\Macromedia\Common\ec0fe01c1.dll (Hijack.Sound) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wenninger\Application Data\Macromedia\Common\ec0fe01c19.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

Okay, I just ran ATF then tried to run OTS again. I got the same error as last time. :-( One step forward two steps back haha. Also, I have the little yellow shield in the task bar that says I need to install updates for the computer. Should I do that?

Ok,

Delete the copy of ComboFix that you have and then redownload it. Run it again and post the log back here.

ComboFix ran without a hitch as well! :-)

*Edited to add that Windows updated and restarted by itself last night after I went to bed. Just thought you should know that.

Here's the log:

ComboFix 09-11-11.02 - Wenninger 11/12/2009 10:32.5.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.253 [GMT -5:00]
Running from: c:\documents and settings\Wenninger\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.

((((((((((((((((((((((((( Files Created from 2009-10-12 to 2009-11-12 )))))))))))))))))))))))))))))))
.

2009-11-11 23:30 . 2009-11-12 16:05 16384 ----a-w- c:\documents and settings\Wenninger\Application Data\Macromedia\Common\ec0fe01c19.exe
2009-11-11 23:30 . 2009-11-11 23:30 103424 ----a-w- c:\documents and settings\Wenninger\Application Data\Macromedia\Common\ec0fe01c1.dll
2009-11-10 18:51 . 2009-11-10 18:51 7168 ----a-w- c:\windows\system32\drivers\utqxodiz.sys
2009-11-08 02:58 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-08 02:58 . 2009-11-08 02:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-08 02:58 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-05 04:50 . 2009-11-05 04:50 -------- d-----w- c:\program files\ESET
2009-11-05 03:32 . 2009-11-03 01:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-05 03:29 . 2009-11-05 03:30 -------- d-----w- c:\program files\Microsoft Security Essentials
2009-11-04 21:16 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-11-04 18:48 . 2009-11-04 22:11 -------- d-----w- C:\Combo-Fix
2009-11-04 04:35 . 2009-11-04 04:35 -------- d-----w- c:\program files\ERUNT
2009-11-04 02:38 . 2009-11-04 02:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-11-04 02:32 . 2009-11-04 02:32 -------- d-----w- c:\program files\Windows Live Safety Center
2009-11-03 06:23 . 2009-11-03 06:23 -------- d-----w- c:\documents and settings\Wenninger\Application Data\AVG8
2009-11-03 03:30 . 2009-11-03 03:30 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\AOL
2009-11-02 19:32 . 2009-11-03 04:00 -------- d-----w- c:\program files\Panda Security
2009-11-02 09:37 . 2009-11-02 09:37 -------- d-----w- c:\documents and settings\Administrator.ALEVISSA\Local Settings\Application Data\AOL
2009-11-02 07:16 . 2009-11-07 20:34 -------- d-----w- c:\documents and settings\Wenninger\Application Data\Malwarebytes
2009-11-02 04:30 . 2009-11-02 04:30 -------- d-----w- c:\documents and settings\Administrator.ALEVISSA\Application Data\Malwarebytes
2009-11-02 04:29 . 2009-11-07 20:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-02 04:22 . 2009-11-02 04:22 -------- d-sh--w- c:\documents and settings\Administrator.ALEVISSA\PrivacIE
2009-11-01 23:15 . 2009-11-02 01:30 -------- d-----w- c:\windows\BDOSCAN8
2009-11-01 07:40 . 2009-11-01 07:40 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-11-01 06:41 . 2009-11-01 06:41 -------- d-sh--w- c:\documents and settings\Administrator.ALEVISSA\IETldCache
2009-11-01 05:49 . 2009-11-01 05:49 -------- d-----w- c:\documents and settings\Administrator.ALEVISSA\Local Settings\Application Data\Shareaza
2009-11-01 05:49 . 2009-11-01 05:49 -------- d-----w- c:\documents and settings\Administrator.ALEVISSA\Application Data\Shareaza
2009-10-20 16:54 . 2009-10-20 16:54 59992 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files\Kaspersky Internet Security 2010 9.0.0.736\English\setup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-03 04:05 . 2008-06-25 18:15 -------- d-----w- c:\program files\Freecell Buddy Pogo
2009-11-03 04:02 . 2008-02-15 19:49 -------- d-----w- c:\program files\PokerStars
2009-11-03 02:41 . 2003-06-11 00:45 -------- d-----w- c:\program files\Common Files\aol
2009-11-02 09:59 . 2008-02-09 00:41 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-11-02 09:41 . 2005-11-17 22:25 139112 -c--a-w- c:\documents and settings\Administrator.ALEVISSA\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-11 14:18 . 2008-10-16 04:59 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2002-09-03 16:44 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2004-08-24 00:32 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2002-09-03 17:05 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-20 20:09 . 2009-08-20 20:09 1193832 ----a-w- c:\windows\system32\FM20.DLL
2004-12-26 00:47 . 2004-12-26 00:47 35121138 ----a-w- c:\program files\NIS_Retail.EXE
.

((((((((((((((((((((((((((((( SnapShot_2009-11-07_18.21.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2002-09-30 10:11 . 2009-11-12 08:05 45056 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
- 2002-09-30 10:11 . 2009-11-06 19:28 45056 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
+ 2002-09-30 10:11 . 2009-11-12 08:05 22528 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
- 2002-09-30 10:11 . 2009-11-06 19:28 22528 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
+ 2002-09-30 10:11 . 2009-11-12 08:05 16384 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
- 2002-09-30 10:11 . 2009-11-06 19:28 16384 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
+ 2002-09-30 10:11 . 2009-11-12 08:05 34304 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\misc.exe
- 2002-09-30 10:11 . 2009-11-06 19:28 34304 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\misc.exe
- 2002-09-30 10:11 . 2009-11-06 19:28 3584 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
+ 2002-09-30 10:11 . 2009-11-12 08:05 3584 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
- 2002-09-30 10:11 . 2009-11-06 19:28 8192 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
+ 2002-09-30 10:11 . 2009-11-12 08:05 8192 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
- 2002-09-30 10:11 . 2009-11-06 19:28 2560 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
+ 2002-09-30 10:11 . 2009-11-12 08:05 2560 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
+ 2002-09-30 10:15 . 2009-11-12 08:12 411880 c:\windows\SYSTEM32\FNTCACHE.DAT
- 2002-09-30 10:15 . 2009-08-14 08:12 411880 c:\windows\SYSTEM32\FNTCACHE.DAT
+ 2009-11-07 22:49 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB976749-IE8\spuninst\updspapi.dll
+ 2009-11-07 22:49 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB976749-IE8\spuninst\spuninst.exe
+ 2008-10-16 04:59 . 2009-08-14 13:21 1850624 c:\windows\SYSTEM32\win32k.sys
+ 2004-10-25 15:39 . 2009-10-22 09:19 5939712 c:\windows\SYSTEM32\mshtml.dll
+ 2008-10-14 17:48 . 2009-08-14 13:21 1850624 c:\windows\SYSTEM32\DLLCACHE\win32k.sys
+ 2006-05-19 15:08 . 2009-10-22 09:19 5939712 c:\windows\SYSTEM32\DLLCACHE\mshtml.dll
+ 2009-09-30 20:11 . 2009-09-30 20:11 8409088 c:\windows\Installer\1df230c.msp
+ 2009-11-07 22:49 . 2009-08-29 08:08 5940224 c:\windows\ie8updates\KB976749-IE8\mshtml.dll
+ 2005-05-11 09:00 . 2009-11-05 17:36 26768832 c:\windows\SYSTEM32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WAB"="c:\documents and settings\Wenninger\Application Data\Macromedia\Common\ec0fe01c19.exe" [2009-11-12 16384]
"rundll32.exe"="" [BU]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"<NO NAME>"="c:\program files\Internet Explorer\iexplore.exe" [2009-03-08 638816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-08-14 28672]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2003-10-06 49152]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\SYSTEM32\narrator.exe [2008-04-14 53760]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Companion.lnk]
backup=c:\windows\pss\AOL Companion.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Free WebSite Tools.lnk]
backup=c:\windows\pss\Free WebSite Tools.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GStartup.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup=c:\windows\pss\hp psc 1000 series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
backup=c:\windows\pss\Kodak software updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Register Kazaa Upgrade Suite3.exe]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Verizon Online.lnk]
backup=c:\windows\pss\Verizon Online.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TBPSSvc"=2 (0x2)
"WinToolsSvc"=2 (0x2)
"MyWebSearchService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\aol\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\aol\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\aol\\1157574114\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\aol\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"c:\\Program Files\\Common Files\\aol\\AOL Spyware Protection\\asp.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\aol\\1157574114\\EE\\aolsoftware.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop

S3 SKUSBKBF;USB Keyboard Filter Driver;c:\windows\SYSTEM32\DRIVERS\skusbkbf.sys [7/27/2001 8:25 AM 14048]
S3 utqxodiz;AVZ Kernel Driver;c:\windows\SYSTEM32\DRIVERS\utqxodiz.sys [11/10/2009 1:51 PM 7168]

--- Other Services/Drivers In Memory ---

*Deregistered* - IPVNMon
*Deregistered* - mbr
*Deregistered* - PROCEXP113

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
{C62C59F5-FD1B-4823-805FE6BFD520860D}
.
Contents of the 'Scheduled Tasks' folder

2009-11-12 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-07-02 22:36]

2009-11-12 c:\windows\Tasks\MpIdleTask.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-07-02 22:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/
uDefault_Search_URL = hxxp://search.msn.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
IE:
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: microsoft.com\v5.windowsupdate
Trusted Zone: windowsupdate.com
DPF: Aces Up! by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/aces/aces-en_US.cab
DPF: Backgammon by pogo - hxxp://game1.pogo.com/applet-8.0.9.41/backgammon/backgammon-en_US.cab
DPF: Bingo Luau by pogo - hxxp://game1.pogo.com/v/8.1.7.44/applet/freebingo/freebingo-en_US.cab
DPF: Blackjack by pogo - hxxp://game3.pogo.com/v/8.1.7.44/applet/blackjack/blackjack-en_US.cab
DPF: Blackjack Carnival by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/vbjack2/vbjack2-en_US.cab
DPF: Blooop by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/cascade/cascade-en_US.cab
DPF: Canasta by pogo - hxxp://game1.pogo.com/v/8.1.1.13/applet/canasta/canasta-en_US.cab
DPF: Checkers by pogo - hxxp://game1.pogo.com/applet-8.0.9.41/checkers2/checkers-en_US.cab
DPF: Chess by pogo - hxxp://game1.pogo.com/v/8.1.1.13/applet/chess2/chess2-en_US.cab
DPF: Dice City Roller by pogo - hxxp://game3.pogo.com/v/8.1.9.1/applet/ytz/ytz-en_US.cab
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Dominoes by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/domino/domino-en_US.cab
DPF: Double Deuce Poker by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/videopoker2/doubledeuce-en_US.cab
DPF: Fortune Bingo by pogo - hxxp://game1.pogo.com/applet-8.0.9.41/superbingo/superbingo-en_US.cab
DPF: Hangman Hijinks by pogo - hxxp://game3.pogo.com/v/8.1.8.10/applet/hangman/hangman-en_US.cab
DPF: Hearts by pogo - hxxp://game3.pogo.com/v/8.1.7.44/applet/hearts/hearts-en_US.cab
DPF: High Stakes Poker by pogo - hxxp://game1.pogo.com/applet-8.0.9.41/drawpoker/drawpoker-en_US.cab
DPF: High Stakes Pool by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/pool2/pool-en_US.cab
DPF: Hog Heaven Slots by pogo - hxxp://game1.pogo.com/v/8.1.7.44/applet/fancy/fancy-en_US.cab
DPF: Jungle Gin by pogo - hxxp://game1.pogo.com/v/8.1.1.13/applet/gin2/gin2-en_US.cab
DPF: Lost Temple Poker by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/mhpoker/mhpoker-en_US.cab
DPF: Lottso by pogo - hxxp://game3.pogo.com/v/8.1.9.1/applet/lottso/lottso-en_US.cab
DPF: Makeover Madness by pogo - hxxp://game3.pogo.com/v/8.1.7.44/applet/shoes/shoes-en_US.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: NASCAR Web Racing by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/nascar/nascar-en_US.cab
DPF: No-Limit Texas Hold'em by pogo - hxxp://game1.pogo.com/v/8.1.1.21/applet/allin/allin-en_US.cab
DPF: Pai Gow by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/paigow/paigow-en_US.cab
DPF: Payday Freecell Solitaire by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/freecell2/freecell2-en_US.cab
DPF: Perfect Pair Solitaire by pogo - hxxp://game1.pogo.com/v/8.1.7.44/applet/waterwheel/waterwheel-en_US.cab
DPF: Phlinx by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/flinger/flinger-en_US.cab
DPF: Poppit by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/poppit2/poppit2-en_US.cab
DPF: Quick Quack by pogo - hxxp://game1.pogo.com/v/8.1.7.44/applet/hotstreak/hotstreak-en_US.cab
DPF: QWERTY by pogo - hxxp://game1.pogo.com/v/8.1.1.13/applet/squares/squares-en_US.cab
DPF: Ride The Tide by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/ride/ride-en_US.cab
DPF: Showbiz Slots by pogo - hxxp://game1.pogo.com/v/8.1.0.24/applet/slots/showbiz-en_US.cab
DPF: Spooky Slots - hxxp://game1.pogo.com/v/8.1.1.35/applet/spooky/spooky-en_US.cab
DPF: Squelchies by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/squelchies/squelchies-en_US.cab
DPF: Stax by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/stax/stax-en_US.cab
DPF: Sweet Tooth TM by pogo - hxxp://game1.pogo.com/v/8.1.1.13/applet/sweettooth/sweettooth-en_US.cab
DPF: Thousand Island Solitaire by pogo - hxxp://game3.pogo.com/v/8.1.9.1/applet/millbrae/millbrae-en_US.cab
DPF: Turbo 21 v2 by pogo - hxxp://game1.pogo.com/v/8.1.9.7/applet/turbo22/turbo22-en_US.cab
DPF: Wonderland Memories by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/memories/memories-en_US.cab
DPF: Word Search Daily by pogo - hxxp://game3.pogo.com/v/8.1.9.4/applet/wordsearch/wordsearch-en_US.cab
DPF: Word Whomp by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/wordwhomp2/whomp2-en_US.cab
DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} - hxxp://www.myheritage.com/Genoogle/Components/ActiveX/SearchEngineQuery.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-12 11:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2624249815-826661598-447150811-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-2624249815-826661598-447150811-1006\Software\Policies\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (S-1-5-21-2624249815-826661598-447150811-1006)
@Allowed: (Read) (S-1-5-21-2624249815-826661598-447150811-1006)
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(664)
c:\windows\system32\wininet.dll
c:\windows\System32\ctmp3.acm
c:\windows\system32\vct3216.acm
c:\windows\system32\vct3216.dll
c:\windows\system32\msms001.vwp
c:\windows\system32\mvoice.vwp

- - - - - - - > 'explorer.exe'(508)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Common Files\aolshare\aolshcpy.dll
c:\windows\System32\ctmp3.acm
c:\windows\system32\vct3216.acm
c:\windows\system32\vct3216.dll
c:\windows\system32\msms001.vwp
c:\windows\system32\mvoice.vwp
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-11-12 11:22
ComboFix-quarantined-files.txt 2009-11-12 16:21
ComboFix2.txt 2009-11-08 01:01
ComboFix3.txt 2009-11-07 19:02
ComboFix4.txt 2009-11-06 20:42

Pre-Run: 14,401,196,032 bytes free
Post-Run: 14,349,197,312 bytes free

- - End Of File - - 7AF2B16A13D014DF5145F18E16BDBF6F

This post has been edited by StormyHaze: Nov 12 2009, 10:27 AM

Hi,

Good to know about the updates.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:



Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Another thing went right! This is getting good! haha Heres the log:

ComboFix 09-11-13.02 - Wenninger 11/12/2009 15:32.6.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.176 [GMT -5:00]
Running from: c:\documents and settings\Wenninger\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Wenninger\Desktop\CFScript.txt
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\msacm32.drv
c:\windows\sdfixwcs.dll
c:\windows\wuasirvy.dll

.
((((((((((((((((((((((((( Files Created from 2009-10-12 to 2009-11-12 )))))))))))))))))))))))))))))))
.

2009-11-11 23:30 . 2009-11-12 21:54 16384 ----a-w- c:\documents and settings\Wenninger\Application Data\Macromedia\Common\ec0fe01c19.exe
2009-11-11 23:30 . 2009-11-11 23:30 103424 ----a-w- c:\documents and settings\Wenninger\Application Data\Macromedia\Common\ec0fe01c1.dll
2009-11-10 18:51 . 2009-11-10 18:51 7168 ----a-w- c:\windows\system32\drivers\utqxodiz.sys
2009-11-08 02:58 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-08 02:58 . 2009-11-08 02:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-08 02:58 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-05 04:50 . 2009-11-05 04:50 -------- d-----w- c:\program files\ESET
2009-11-05 03:32 . 2009-11-03 01:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-05 03:29 . 2009-11-05 03:30 -------- d-----w- c:\program files\Microsoft Security Essentials
2009-11-04 21:16 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-11-04 18:48 . 2009-11-04 22:11 -------- d-----w- C:\Combo-Fix
2009-11-04 04:35 . 2009-11-04 04:35 -------- d-----w- c:\program files\ERUNT
2009-11-04 02:38 . 2009-11-04 02:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-11-04 02:32 . 2009-11-04 02:32 -------- d-----w- c:\program files\Windows Live Safety Center
2009-11-03 06:23 . 2009-11-03 06:23 -------- d-----w- c:\documents and settings\Wenninger\Application Data\AVG8
2009-11-03 03:30 . 2009-11-03 03:30 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\AOL
2009-11-02 19:32 . 2009-11-03 04:00 -------- d-----w- c:\program files\Panda Security
2009-11-02 09:37 . 2009-11-02 09:37 -------- d-----w- c:\documents and settings\Administrator.ALEVISSA\Local Settings\Application Data\AOL
2009-11-02 07:16 . 2009-11-07 20:34 -------- d-----w- c:\documents and settings\Wenninger\Application Data\Malwarebytes
2009-11-02 04:30 . 2009-11-02 04:30 -------- d-----w- c:\documents and settings\Administrator.ALEVISSA\Application Data\Malwarebytes
2009-11-02 04:29 . 2009-11-07 20:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-02 04:22 . 2009-11-02 04:22 -------- d-sh--w- c:\documents and settings\Administrator.ALEVISSA\PrivacIE
2009-11-01 23:15 . 2009-11-02 01:30 -------- d-----w- c:\windows\BDOSCAN8
2009-11-01 07:40 . 2009-11-01 07:40 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-11-01 06:41 . 2009-11-01 06:41 -------- d-sh--w- c:\documents and settings\Administrator.ALEVISSA\IETldCache
2009-11-01 05:49 . 2009-11-01 05:49 -------- d-----w- c:\documents and settings\Administrator.ALEVISSA\Local Settings\Application Data\Shareaza
2009-11-01 05:49 . 2009-11-01 05:49 -------- d-----w- c:\documents and settings\Administrator.ALEVISSA\Application Data\Shareaza
2009-10-20 16:54 . 2009-10-20 16:54 59992 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files\Kaspersky Internet Security 2010 9.0.0.736\English\setup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-03 04:05 . 2008-06-25 18:15 -------- d-----w- c:\program files\Freecell Buddy Pogo
2009-11-03 04:02 . 2008-02-15 19:49 -------- d-----w- c:\program files\PokerStars
2009-11-03 02:41 . 2003-06-11 00:45 -------- d-----w- c:\program files\Common Files\aol
2009-11-02 09:59 . 2008-02-09 00:41 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-11-02 09:41 . 2005-11-17 22:25 139112 -c--a-w- c:\documents and settings\Administrator.ALEVISSA\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-11 14:18 . 2008-10-16 04:59 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2002-09-03 16:44 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2004-08-24 00:32 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2002-09-03 17:05 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-20 20:09 . 2009-08-20 20:09 1193832 ----a-w- c:\windows\system32\FM20.DLL
2004-12-26 00:47 . 2004-12-26 00:47 35121138 ----a-w- c:\program files\NIS_Retail.EXE
.

((((((((((((((((((((((((((((( SnapShot_2009-11-07_18.21.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2002-09-30 10:11 . 2009-11-12 08:05 45056 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
- 2002-09-30 10:11 . 2009-11-06 19:28 45056 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
+ 2002-09-30 10:11 . 2009-11-12 08:05 22528 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
- 2002-09-30 10:11 . 2009-11-06 19:28 22528 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
+ 2002-09-30 10:11 . 2009-11-12 08:05 16384 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
- 2002-09-30 10:11 . 2009-11-06 19:28 16384 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
+ 2002-09-30 10:11 . 2009-11-12 08:05 34304 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\misc.exe
- 2002-09-30 10:11 . 2009-11-06 19:28 34304 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\misc.exe
- 2002-09-30 10:11 . 2009-11-06 19:28 3584 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
+ 2002-09-30 10:11 . 2009-11-12 08:05 3584 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
- 2002-09-30 10:11 . 2009-11-06 19:28 8192 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
+ 2002-09-30 10:11 . 2009-11-12 08:05 8192 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
- 2002-09-30 10:11 . 2009-11-06 19:28 2560 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
+ 2002-09-30 10:11 . 2009-11-12 08:05 2560 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
+ 2002-09-30 10:15 . 2009-11-12 08:12 411880 c:\windows\SYSTEM32\FNTCACHE.DAT
- 2002-09-30 10:15 . 2009-08-14 08:12 411880 c:\windows\SYSTEM32\FNTCACHE.DAT
+ 2009-11-07 22:49 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB976749-IE8\spuninst\updspapi.dll
+ 2009-11-07 22:49 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB976749-IE8\spuninst\spuninst.exe
+ 2008-10-16 04:59 . 2009-08-14 13:21 1850624 c:\windows\SYSTEM32\win32k.sys
+ 2004-10-25 15:39 . 2009-10-22 09:19 5939712 c:\windows\SYSTEM32\mshtml.dll
+ 2008-10-14 17:48 . 2009-08-14 13:21 1850624 c:\windows\SYSTEM32\DLLCACHE\win32k.sys
+ 2006-05-19 15:08 . 2009-10-22 09:19 5939712 c:\windows\SYSTEM32\DLLCACHE\mshtml.dll
+ 2009-09-30 20:11 . 2009-09-30 20:11 8409088 c:\windows\Installer\1df230c.msp
+ 2009-11-07 22:49 . 2009-08-29 08:08 5940224 c:\windows\ie8updates\KB976749-IE8\mshtml.dll
+ 2005-05-11 09:00 . 2009-11-05 17:36 26768832 c:\windows\SYSTEM32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WAB"="c:\documents and settings\Wenninger\Application Data\Macromedia\Common\ec0fe01c19.exe" [2009-11-12 16384]
"rundll32.exe"="" [BU]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"<NO NAME>"="c:\program files\Internet Explorer\iexplore.exe" [2009-03-08 638816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-08-14 28672]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2003-10-06 49152]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\SYSTEM32\narrator.exe [2008-04-14 53760]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave1"=c:\docume~1\WENNIN~1\APPLIC~1\MACROM~1\Common\ec0fe01c1.dll
"midi1"=c:\docume~1\WENNIN~1\APPLIC~1\MACROM~1\Common\ec0fe01c1.dll
"mixer1"=c:\docume~1\WENNIN~1\APPLIC~1\MACROM~1\Common\ec0fe01c1.dll
"wave2"=c:\docume~1\WENNIN~1\APPLIC~1\MACROM~1\Common\ec0fe01c1.dll
"midi2"=c:\docume~1\WENNIN~1\APPLIC~1\MACROM~1\Common\ec0fe01c1.dll
"aux2"=c:\docume~1\WENNIN~1\APPLIC~1\MACROM~1\Common\ec0fe01c1.dll
"mixer2"=c:\docume~1\WENNIN~1\APPLIC~1\MACROM~1\Common\ec0fe01c1.dll
"aux1"=c:\docume~1\WENNIN~1\APPLIC~1\MACROM~1\Common\ec0fe01c1.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Companion.lnk]
backup=c:\windows\pss\AOL Companion.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Free WebSite Tools.lnk]
backup=c:\windows\pss\Free WebSite Tools.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GStartup.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup=c:\windows\pss\hp psc 1000 series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
backup=c:\windows\pss\Kodak software updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Register Kazaa Upgrade Suite3.exe]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Verizon Online.lnk]
backup=c:\windows\pss\Verizon Online.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\aol\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\aol\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\aol\\1157574114\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\aol\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"c:\\Program Files\\Common Files\\aol\\AOL Spyware Protection\\asp.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\aol\\1157574114\\EE\\aolsoftware.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop

S3 SKUSBKBF;USB Keyboard Filter Driver;c:\windows\SYSTEM32\DRIVERS\skusbkbf.sys [7/27/2001 8:25 AM 14048]
S3 utqxodiz;AVZ Kernel Driver;c:\windows\SYSTEM32\DRIVERS\utqxodiz.sys [11/10/2009 1:51 PM 7168]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [8/19/2009 4:51 PM 24652]

--- Other Services/Drivers In Memory ---

*Deregistered* - IPVNMon
*Deregistered* - mbr

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
{C62C59F5-FD1B-4823-805FE6BFD520860D}
.
Contents of the 'Scheduled Tasks' folder

2009-11-12 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-07-02 22:36]

2009-11-12 c:\windows\Tasks\MpIdleTask.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-07-02 22:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/
uDefault_Search_URL = hxxp://search.msn.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
IE:
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: microsoft.com\v5.windowsupdate
Trusted Zone: windowsupdate.com
DPF: Aces Up! by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/aces/aces-en_US.cab
DPF: Backgammon by pogo - hxxp://game1.pogo.com/applet-8.0.9.41/backgammon/backgammon-en_US.cab
DPF: Bingo Luau by pogo - hxxp://game1.pogo.com/v/8.1.7.44/applet/freebingo/freebingo-en_US.cab
DPF: Blackjack by pogo - hxxp://game3.pogo.com/v/8.1.7.44/applet/blackjack/blackjack-en_US.cab
DPF: Blackjack Carnival by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/vbjack2/vbjack2-en_US.cab
DPF: Blooop by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/cascade/cascade-en_US.cab
DPF: Canasta by pogo - hxxp://game1.pogo.com/v/8.1.1.13/applet/canasta/canasta-en_US.cab
DPF: Checkers by pogo - hxxp://game1.pogo.com/applet-8.0.9.41/checkers2/checkers-en_US.cab
DPF: Chess by pogo - hxxp://game1.pogo.com/v/8.1.1.13/applet/chess2/chess2-en_US.cab
DPF: Dice City Roller by pogo - hxxp://game3.pogo.com/v/8.1.9.1/applet/ytz/ytz-en_US.cab
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Dominoes by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/domino/domino-en_US.cab
DPF: Double Deuce Poker by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/videopoker2/doubledeuce-en_US.cab
DPF: Fortune Bingo by pogo - hxxp://game1.pogo.com/applet-8.0.9.41/superbingo/superbingo-en_US.cab
DPF: Hangman Hijinks by pogo - hxxp://game3.pogo.com/v/8.1.8.10/applet/hangman/hangman-en_US.cab
DPF: Hearts by pogo - hxxp://game3.pogo.com/v/8.1.7.44/applet/hearts/hearts-en_US.cab
DPF: High Stakes Poker by pogo - hxxp://game1.pogo.com/applet-8.0.9.41/drawpoker/drawpoker-en_US.cab
DPF: High Stakes Pool by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/pool2/pool-en_US.cab
DPF: Hog Heaven Slots by pogo - hxxp://game1.pogo.com/v/8.1.7.44/applet/fancy/fancy-en_US.cab
DPF: Jungle Gin by pogo - hxxp://game1.pogo.com/v/8.1.1.13/applet/gin2/gin2-en_US.cab
DPF: Lost Temple Poker by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/mhpoker/mhpoker-en_US.cab
DPF: Lottso by pogo - hxxp://game3.pogo.com/v/8.1.9.1/applet/lottso/lottso-en_US.cab
DPF: Makeover Madness by pogo - hxxp://game3.pogo.com/v/8.1.7.44/applet/shoes/shoes-en_US.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: NASCAR Web Racing by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/nascar/nascar-en_US.cab
DPF: No-Limit Texas Hold'em by pogo - hxxp://game1.pogo.com/v/8.1.1.21/applet/allin/allin-en_US.cab
DPF: Pai Gow by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/paigow/paigow-en_US.cab
DPF: Payday Freecell Solitaire by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/freecell2/freecell2-en_US.cab
DPF: Perfect Pair Solitaire by pogo - hxxp://game1.pogo.com/v/8.1.7.44/applet/waterwheel/waterwheel-en_US.cab
DPF: Phlinx by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/flinger/flinger-en_US.cab
DPF: Poppit by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/poppit2/poppit2-en_US.cab
DPF: Quick Quack by pogo - hxxp://game1.pogo.com/v/8.1.7.44/applet/hotstreak/hotstreak-en_US.cab
DPF: QWERTY by pogo - hxxp://game1.pogo.com/v/8.1.1.13/applet/squares/squares-en_US.cab
DPF: Ride The Tide by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/ride/ride-en_US.cab
DPF: Showbiz Slots by pogo - hxxp://game1.pogo.com/v/8.1.0.24/applet/slots/showbiz-en_US.cab
DPF: Spooky Slots - hxxp://game1.pogo.com/v/8.1.1.35/applet/spooky/spooky-en_US.cab
DPF: Squelchies by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/squelchies/squelchies-en_US.cab
DPF: Stax by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/stax/stax-en_US.cab
DPF: Sweet Tooth TM by pogo - hxxp://game1.pogo.com/v/8.1.1.13/applet/sweettooth/sweettooth-en_US.cab
DPF: Thousand Island Solitaire by pogo - hxxp://game3.pogo.com/v/8.1.9.1/applet/millbrae/millbrae-en_US.cab
DPF: Turbo 21 v2 by pogo - hxxp://game1.pogo.com/v/8.1.9.7/applet/turbo22/turbo22-en_US.cab
DPF: Wonderland Memories by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/memories/memories-en_US.cab
DPF: Word Search Daily by pogo - hxxp://game3.pogo.com/v/8.1.9.4/applet/wordsearch/wordsearch-en_US.cab
DPF: Word Whomp by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/wordwhomp2/whomp2-en_US.cab
DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} - hxxp://www.myheritage.com/Genoogle/Components/ActiveX/SearchEngineQuery.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-12 16:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2624249815-826661598-447150811-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-2624249815-826661598-447150811-1006\Software\Policies\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (S-1-5-21-2624249815-826661598-447150811-1006)
@Allowed: (Read) (S-1-5-21-2624249815-826661598-447150811-1006)
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(668)
c:\windows\System32\ctmp3.acm
c:\windows\system32\vct3216.acm
c:\windows\system32\vct3216.dll
c:\windows\system32\msms001.vwp
c:\windows\system32\mvoice.vwp

- - - - - - - > 'explorer.exe'(332)
c:\windows\system32\WININET.dll
c:\windows\System32\ctmp3.acm
c:\windows\system32\vct3216.acm
c:\windows\system32\vct3216.dll
c:\windows\system32\msms001.vwp
c:\windows\system32\mvoice.vwp
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Common Files\aolshare\aolshcpy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\CTsvcCDA.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-11-12 17:17 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-12 22:17
ComboFix2.txt 2009-11-12 16:22
ComboFix3.txt 2009-11-08 01:01
ComboFix4.txt 2009-11-07 19:02
ComboFix5.txt 2009-11-12 20:29

Pre-Run: 14,373,957,632 bytes free
Post-Run: 14,319,845,376 bytes free

- - End Of File - - DD3F7F33F509BD0171425188503784BE

Can you try OTL for me again?

Tried OTL again. Same error and "Out of memory" problem. It did not finish.

Dang.

Just to let you know I'll be away from until Tuesday, I'll see about getting someone to cover this for you.

Run DDS for me again then.

Please download JavaRa to your desktop and unzip it to its own folder

• Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
• Accept any prompts.
• Open JavaRa.exe again and select Search For Updates.
• Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:

• Close any open programs
• Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.

3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.
Please be patient as this can take quite a long time to download.

• Once the update is complete, click on Settings.
• Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
  • Spyware, adware, dialers, and other riskware
  • Archives
  • E-mail databases
• Click on My Computer under the green Scan bar to the left to start the scan.
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
• Click View report... at the bottom.
• Click the Save report... button.
  
  
  
  
• Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply

Hi,

chamber has asked me to assist while he's away for the weekend:

if you don't mind, just put the instructions from chamber aside for now:

There is a little more work to do with combofix first:

Please do the following:

• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
• They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')



Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

• Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
• ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
• When finished, it shall produce a log for you.
• Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Note: Allow combofix to update if it requests to do so

Hi there!

Thanks so much for helping! That online virus scan chamber asked me to run froze up about an hour and a half through it anyway. Also, just thought you should know, we got a new printer that my husband tried to install yesterday. It didnt install but a bunch of programs that go with it did. Here is the ComboFix log :

ComboFix 09-11-13.06 - Wenninger 11/13/2009 16:37.7.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.355 [GMT -5:00]
Running from: c:\documents and settings\Wenninger\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Wenninger\Desktop\CFScript.txt
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

file zipped: c:\documents and settings\Wenninger\Application Data\Macromedia\Common\ec0fe01c1.dll
file zipped: c:\documents and settings\Wenninger\Application Data\Macromedia\Common\ec0fe01c19.exe
file zipped: c:\windows\system32\drivers\utqxodiz.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Wenninger\Application Data\Macromedia\Common\ec0fe01c1.dll
c:\documents and settings\Wenninger\Application Data\Macromedia\Common\ec0fe01c19.exe
c:\windows\system32\drivers\utqxodiz.sys

----- BITS: Possible infected sites -----

hxxp://pdisp01.c-wss.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_UTQXODIZ
-------\Service_utqxodiz


((((((((((((((((((((((((( Files Created from 2009-10-13 to 2009-11-13 )))))))))))))))))))))))))))))))
.

2009-11-13 18:30 . 2009-11-13 18:30 152576 ----a-w- c:\documents and settings\Wenninger\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-12 22:56 . 2009-11-12 22:56 -------- d-----w- c:\documents and settings\Wenninger\Application Data\Canon Easy-WebPrint EX
2009-11-12 22:55 . 2009-11-12 22:55 -------- d-----w- c:\program files\Common Files\CANON
2009-11-12 22:49 . 2009-11-12 23:16 -------- d-----w- c:\program files\Canon
2009-11-08 02:58 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-08 02:58 . 2009-11-08 02:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-08 02:58 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-05 04:50 . 2009-11-05 04:50 -------- d-----w- c:\program files\ESET
2009-11-05 03:32 . 2009-11-03 01:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-05 03:29 . 2009-11-05 03:30 -------- d-----w- c:\program files\Microsoft Security Essentials
2009-11-04 21:16 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-11-04 18:48 . 2009-11-04 22:11 -------- d-----w- C:\Combo-Fix
2009-11-04 04:35 . 2009-11-04 04:35 -------- d-----w- c:\program files\ERUNT
2009-11-04 02:38 . 2009-11-04 02:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-11-04 02:32 . 2009-11-04 02:32 -------- d-----w- c:\program files\Windows Live Safety Center
2009-11-03 06:23 . 2009-11-03 06:23 -------- d-----w- c:\documents and settings\Wenninger\Application Data\AVG8
2009-11-03 03:30 . 2009-11-03 03:30 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\AOL
2009-11-02 19:32 . 2009-11-03 04:00 -------- d-----w- c:\program files\Panda Security
2009-11-02 09:37 . 2009-11-02 09:37 -------- d-----w- c:\documents and settings\Administrator.ALEVISSA\Local Settings\Application Data\AOL
2009-11-02 07:16 . 2009-11-07 20:34 -------- d-----w- c:\documents and settings\Wenninger\Application Data\Malwarebytes
2009-11-02 04:30 . 2009-11-02 04:30 -------- d-----w- c:\documents and settings\Administrator.ALEVISSA\Application Data\Malwarebytes
2009-11-02 04:29 . 2009-11-07 20:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-02 04:22 . 2009-11-02 04:22 -------- d-sh--w- c:\documents and settings\Administrator.ALEVISSA\PrivacIE
2009-11-01 23:15 . 2009-11-02 01:30 -------- d-----w- c:\windows\BDOSCAN8
2009-11-01 07:40 . 2009-11-01 07:40 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-11-01 06:41 . 2009-11-01 06:41 -------- d-sh--w- c:\documents and settings\Administrator.ALEVISSA\IETldCache
2009-11-01 05:49 . 2009-11-01 05:49 -------- d-----w- c:\documents and settings\Administrator.ALEVISSA\Local Settings\Application Data\Shareaza
2009-11-01 05:49 . 2009-11-01 05:49 -------- d-----w- c:\documents and settings\Administrator.ALEVISSA\Application Data\Shareaza
2009-10-20 16:54 . 2009-10-20 16:54 59992 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files\Kaspersky Internet Security 2010 9.0.0.736\English\setup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-13 18:32 . 2003-10-06 13:01 -------- d-----w- c:\program files\Java
2009-11-03 04:05 . 2008-06-25 18:15 -------- d-----w- c:\program files\Freecell Buddy Pogo
2009-11-03 04:02 . 2008-02-15 19:49 -------- d-----w- c:\program files\PokerStars
2009-11-03 02:41 . 2003-06-11 00:45 -------- d-----w- c:\program files\Common Files\aol
2009-11-02 09:59 . 2008-02-09 00:41 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-11-02 09:41 . 2005-11-17 22:25 139112 -c--a-w- c:\documents and settings\Administrator.ALEVISSA\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-11 09:17 . 2008-12-18 13:34 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-11 14:18 . 2008-10-16 04:59 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2002-09-03 16:44 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2004-08-24 00:32 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2002-09-03 17:05 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-20 20:09 . 2009-08-20 20:09 1193832 ----a-w- c:\windows\system32\FM20.DLL
2004-12-26 00:47 . 2004-12-26 00:47 35121138 ----a-w- c:\program files\NIS_Retail.EXE
.

((((((((((((((((((((((((((((( SnapShot_2009-11-07_18.21.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-13 22:19 . 2009-11-13 22:19 16384 c:\windows\temp\Perflib_Perfdata_5dc.dat
+ 2005-05-26 08:16 . 2009-08-07 00:24 44768 c:\windows\SYSTEM32\wups2.dll
+ 2004-08-03 18:59 . 2009-08-07 00:24 35552 c:\windows\SYSTEM32\wups.dll
+ 2005-01-06 03:11 . 2009-08-07 00:24 53472 c:\windows\SYSTEM32\wuauclt.exe
+ 2009-11-13 03:17 . 2009-08-07 00:24 44768 c:\windows\SYSTEM32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.4.7600.226\wups2.dll
+ 2009-11-13 03:17 . 2009-08-07 00:24 35552 c:\windows\SYSTEM32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.4.7600.226\wups.dll
+ 2004-08-03 18:59 . 2009-08-07 00:24 35552 c:\windows\SYSTEM32\DLLCACHE\wups.dll
+ 2005-01-06 03:11 . 2009-08-07 00:24 53472 c:\windows\SYSTEM32\DLLCACHE\wuauclt.exe
+ 2002-09-03 16:28 . 2009-08-07 00:24 96480 c:\windows\SYSTEM32\DLLCACHE\cdm.dll
+ 2002-09-03 16:28 . 2009-08-07 00:24 96480 c:\windows\SYSTEM32\cdm.dll
- 2002-09-30 10:11 . 2009-11-06 19:28 45056 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
+ 2002-09-30 10:11 . 2009-11-12 08:05 45056 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
- 2002-09-30 10:11 . 2009-11-06 19:28 22528 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
+ 2002-09-30 10:11 . 2009-11-12 08:05 22528 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
- 2002-09-30 10:11 . 2009-11-06 19:28 16384 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
+ 2002-09-30 10:11 . 2009-11-12 08:05 16384 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
- 2002-09-30 10:11 . 2009-11-06 19:28 34304 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\misc.exe
+ 2002-09-30 10:11 . 2009-11-12 08:05 34304 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\misc.exe
+ 2002-09-30 10:11 . 2009-11-12 08:05 3584 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
- 2002-09-30 10:11 . 2009-11-06 19:28 3584 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
+ 2002-09-30 10:11 . 2009-11-12 08:05 8192 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
- 2002-09-30 10:11 . 2009-11-06 19:28 8192 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
+ 2002-09-30 10:11 . 2009-11-12 08:05 2560 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
- 2002-09-30 10:11 . 2009-11-06 19:28 2560 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
+ 2004-08-03 18:59 . 2009-08-07 00:24 209632 c:\windows\SYSTEM32\wuweb.dll
+ 2004-08-03 19:02 . 2009-08-07 00:24 327896 c:\windows\SYSTEM32\wucltui.dll
+ 2004-08-03 19:00 . 2009-08-07 00:23 575704 c:\windows\SYSTEM32\wuapi.dll
+ 2009-11-13 18:32 . 2009-10-11 09:17 149280 c:\windows\SYSTEM32\javaws.exe
+ 2009-11-13 18:32 . 2009-10-11 09:17 145184 c:\windows\SYSTEM32\javaw.exe
+ 2009-11-13 18:32 . 2009-10-11 09:17 145184 c:\windows\SYSTEM32\java.exe
- 2002-09-30 10:15 . 2009-08-14 08:12 411880 c:\windows\SYSTEM32\FNTCACHE.DAT
+ 2002-09-30 10:15 . 2009-11-12 08:12 411880 c:\windows\SYSTEM32\FNTCACHE.DAT
+ 2004-08-03 18:59 . 2009-08-07 00:24 209632 c:\windows\SYSTEM32\DLLCACHE\wuweb.dll
+ 2004-08-03 19:02 . 2009-08-07 00:24 327896 c:\windows\SYSTEM32\DLLCACHE\wucltui.dll
+ 2004-08-03 19:00 . 2009-08-07 00:23 575704 c:\windows\SYSTEM32\DLLCACHE\wuapi.dll
+ 2009-11-07 22:49 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB976749-IE8\spuninst\updspapi.dll
+ 2009-11-07 22:49 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB976749-IE8\spuninst\spuninst.exe
+ 2005-01-06 03:11 . 2009-08-07 00:23 1929952 c:\windows\SYSTEM32\wuaueng.dll
+ 2008-10-16 04:59 . 2009-08-14 13:21 1850624 c:\windows\SYSTEM32\win32k.sys
+ 2004-10-25 15:39 . 2009-10-22 09:19 5939712 c:\windows\SYSTEM32\mshtml.dll
+ 2005-01-06 03:11 . 2009-08-07 00:23 1929952 c:\windows\SYSTEM32\DLLCACHE\wuaueng.dll
+ 2008-10-14 17:48 . 2009-08-14 13:21 1850624 c:\windows\SYSTEM32\DLLCACHE\win32k.sys
+ 2006-05-19 15:08 . 2009-10-22 09:19 5939712 c:\windows\SYSTEM32\DLLCACHE\mshtml.dll
+ 2009-09-30 20:11 . 2009-09-30 20:11 8409088 c:\windows\Installer\1df230c.msp
+ 2009-11-07 22:49 . 2009-08-29 08:08 5940224 c:\windows\ie8updates\KB976749-IE8\mshtml.dll
+ 2005-05-11 09:00 . 2009-11-05 17:36 26768832 c:\windows\SYSTEM32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"rundll32.exe"="" [BU]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"<NO NAME>"="c:\program files\Internet Explorer\iexplore.exe" [2009-03-08 638816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-08-14 28672]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-03-23 1983816]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-17 767312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2003-10-06 49152]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\SYSTEM32\narrator.exe [2008-04-14 53760]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Companion.lnk]
backup=c:\windows\pss\AOL Companion.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Free WebSite Tools.lnk]
backup=c:\windows\pss\Free WebSite Tools.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GStartup.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup=c:\windows\pss\hp psc 1000 series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
backup=c:\windows\pss\Kodak software updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Register Kazaa Upgrade Suite3.exe]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Verizon Online.lnk]
backup=c:\windows\pss\Verizon Online.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\aol\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\aol\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\aol\\1157574114\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\aol\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"c:\\Program Files\\Common Files\\aol\\AOL Spyware Protection\\asp.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\aol\\1157574114\\EE\\aolsoftware.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop

S3 SKUSBKBF;USB Keyboard Filter Driver;c:\windows\SYSTEM32\DRIVERS\skusbkbf.sys [7/27/2001 8:25 AM 14048]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [8/19/2009 4:51 PM 24652]

--- Other Services/Drivers In Memory ---

*Deregistered* - IPVNMon
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-11-13 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-07-02 22:36]

2009-11-13 c:\windows\Tasks\MpIdleTask.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-07-02 22:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/
uDefault_Search_URL = hxxp://search.msn.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
IE:
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: microsoft.com\v5.windowsupdate
Trusted Zone: windowsupdate.com
DPF: Aces Up! by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/aces/aces-en_US.cab
DPF: Backgammon by pogo - hxxp://game1.pogo.com/applet-8.0.9.41/backgammon/backgammon-en_US.cab
DPF: Bingo Luau by pogo - hxxp://game1.pogo.com/v/8.1.7.44/applet/freebingo/freebingo-en_US.cab
DPF: Blackjack by pogo - hxxp://game3.pogo.com/v/8.1.7.44/applet/blackjack/blackjack-en_US.cab
DPF: Blackjack Carnival by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/vbjack2/vbjack2-en_US.cab
DPF: Blooop by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/cascade/cascade-en_US.cab
DPF: Canasta by pogo - hxxp://game1.pogo.com/v/8.1.1.13/applet/canasta/canasta-en_US.cab
DPF: Checkers by pogo - hxxp://game1.pogo.com/applet-8.0.9.41/checkers2/checkers-en_US.cab
DPF: Chess by pogo - hxxp://game1.pogo.com/v/8.1.1.13/applet/chess2/chess2-en_US.cab
DPF: Dice City Roller by pogo - hxxp://game3.pogo.com/v/8.1.9.1/applet/ytz/ytz-en_US.cab
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Dominoes by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/domino/domino-en_US.cab
DPF: Double Deuce Poker by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/videopoker2/doubledeuce-en_US.cab
DPF: Fortune Bingo by pogo - hxxp://game1.pogo.com/applet-8.0.9.41/superbingo/superbingo-en_US.cab
DPF: Hangman Hijinks by pogo - hxxp://game3.pogo.com/v/8.1.8.10/applet/hangman/hangman-en_US.cab
DPF: Hearts by pogo - hxxp://game3.pogo.com/v/8.1.7.44/applet/hearts/hearts-en_US.cab
DPF: High Stakes Poker by pogo - hxxp://game1.pogo.com/applet-8.0.9.41/drawpoker/drawpoker-en_US.cab
DPF: High Stakes Pool by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/pool2/pool-en_US.cab
DPF: Hog Heaven Slots by pogo - hxxp://game1.pogo.com/v/8.1.7.44/applet/fancy/fancy-en_US.cab
DPF: Jungle Gin by pogo - hxxp://game1.pogo.com/v/8.1.1.13/applet/gin2/gin2-en_US.cab
DPF: Lost Temple Poker by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/mhpoker/mhpoker-en_US.cab
DPF: Lottso by pogo - hxxp://game3.pogo.com/v/8.1.9.1/applet/lottso/lottso-en_US.cab
DPF: Makeover Madness by pogo - hxxp://game3.pogo.com/v/8.1.7.44/applet/shoes/shoes-en_US.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: NASCAR Web Racing by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/nascar/nascar-en_US.cab
DPF: No-Limit Texas Hold'em by pogo - hxxp://game1.pogo.com/v/8.1.1.21/applet/allin/allin-en_US.cab
DPF: Pai Gow by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/paigow/paigow-en_US.cab
DPF: Payday Freecell Solitaire by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/freecell2/freecell2-en_US.cab
DPF: Perfect Pair Solitaire by pogo - hxxp://game1.pogo.com/v/8.1.7.44/applet/waterwheel/waterwheel-en_US.cab
DPF: Phlinx by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/flinger/flinger-en_US.cab
DPF: Poppit by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/poppit2/poppit2-en_US.cab
DPF: Quick Quack by pogo - hxxp://game1.pogo.com/v/8.1.7.44/applet/hotstreak/hotstreak-en_US.cab
DPF: QWERTY by pogo - hxxp://game1.pogo.com/v/8.1.1.13/applet/squares/squares-en_US.cab
DPF: Ride The Tide by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/ride/ride-en_US.cab
DPF: Showbiz Slots by pogo - hxxp://game1.pogo.com/v/8.1.0.24/applet/slots/showbiz-en_US.cab
DPF: Spooky Slots - hxxp://game1.pogo.com/v/8.1.1.35/applet/spooky/spooky-en_US.cab
DPF: Squelchies by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/squelchies/squelchies-en_US.cab
DPF: Stax by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/stax/stax-en_US.cab
DPF: Sweet Tooth TM by pogo - hxxp://game1.pogo.com/v/8.1.1.13/applet/sweettooth/sweettooth-en_US.cab
DPF: Thousand Island Solitaire by pogo - hxxp://game3.pogo.com/v/8.1.9.1/applet/millbrae/millbrae-en_US.cab
DPF: Turbo 21 v2 by pogo - hxxp://game1.pogo.com/v/8.1.9.7/applet/turbo22/turbo22-en_US.cab
DPF: Wonderland Memories by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/memories/memories-en_US.cab
DPF: Word Search Daily by pogo - hxxp://game3.pogo.com/v/8.1.9.4/applet/wordsearch/wordsearch-en_US.cab
DPF: Word Whomp by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/wordwhomp2/whomp2-en_US.cab
DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} - hxxp://www.myheritage.com/Genoogle/Components/ActiveX/SearchEngineQuery.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-13 17:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2624249815-826661598-447150811-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-2624249815-826661598-447150811-1006\Software\Policies\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (S-1-5-21-2624249815-826661598-447150811-1006)
@Allowed: (Read) (S-1-5-21-2624249815-826661598-447150811-1006)
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(672)
c:\windows\System32\ctmp3.acm
c:\windows\system32\vct3216.acm
c:\windows\system32\vct3216.dll
c:\windows\system32\msms001.vwp
c:\windows\system32\mvoice.vwp

- - - - - - - > 'explorer.exe'(308)
c:\windows\system32\WININET.dll
c:\windows\System32\ctmp3.acm
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\vct3216.acm
c:\windows\system32\vct3216.dll
c:\windows\system32\msms001.vwp
c:\windows\system32\mvoice.vwp
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Common Files\aolshare\aolshcpy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\CTsvcCDA.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-11-13 17:43 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-13 22:43
ComboFix2.txt 2009-11-12 22:17
ComboFix3.txt 2009-11-12 16:22
ComboFix4.txt 2009-11-08 01:01
ComboFix5.txt 2009-11-13 21:35

Pre-Run: 14,189,043,712 bytes free
Post-Run: 14,246,047,744 bytes free

- - End Of File - - 46F6345541E241BD027FC7CD1C289CF6

Hi,

Please do the following:

• Please open your MalwareBytes AntiMalware Program
• Click the Update Tab and search for updates
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
• The scan may take some time to finish, so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected. <-- very important
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.

• Note: You will need to use Internet explorer for this scan
• Turn off the real time scanner of any existing antivirus program while performing the online scan
• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the activeX control to install
• Click Start
• Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
• Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
• Click Scan
• Wait for the scan to finish
• Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
• Copy and paste that log as a reply to this topic and also let me know how things are now.

Okay, I did everything. The computer is MUCH better than it was! I have it on selective startup and have most programs not starting when the computer starts though. If you think it is okay I will have it boot up normally. Also, my hubby had trouble installing the new printer but I scolded him because I was still working on the computer. He didn't know. So should I run things like normal now? Should I try to install the printer? You have been a great help! Heres the logs:

MBAM:

Malwarebytes' Anti-Malware 1.41
Database version: 3166
Windows 5.1.2600 Service Pack 3

11/13/2009 10:16:18 PM
mbam-log-2009-11-13 (22-16-18).txt

Scan type: Quick Scan
Objects scanned: 122563
Time elapsed: 25 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


ESET:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=2a5702546bab0c42aff39c7764186622
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-11-14 03:57:56
# local_time=2009-11-13 10:57:56 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=514 16777214 0 1 159551942 159551942 0 0
# compatibility_mode=1024 16777215 100 0 0 0 0 0
# compatibility_mode=5891 16776869 100 100 0 12713551 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=53509
# found=0
# cleaned=0
# scan_time=2246

Hi, boot it normally, with all the programs running on start up. leave the printer for the moment till I'm sure your completely clean...I'd wade through all these pages, but it's easier for me to give you the link and download instructions again for DDS...so sorry if chamber already gave it to you


please do the following:

Please download DDS from LINK 1 or LINK 2
and save it to your desktop.

• Disable any script blocking protection
• Double click dds.pif to run the tool.
• When done, two DDS.txt's will open.
• Save both reports to your desktop.

---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.