[Resolved] Hijacked, I've been Hijacked
doctorforgolf
post Jul 10 2009, 05:14 PM
Post #1

Aloha,
I believe my computer (Windows Vista Home Premium, Service Pack 1) has been hijacked. My Internet Explorer 8.0.6 “redirects” to other sites and I get popup ads. I have run the ATF Cleaner; however, when I download Malwarebytes’ Anti-Malware it downloads fine to my desktop and apparently installs, but will not run. I have tried several times to delete the program and re-install it, and still it will not run.

I also can’t update my TrendMicro 2007, Windows Update (to Service Pack 2) and Windows Defender.

Thank you,
Greg
CatByte
post Jul 10 2009, 06:51 PM
Post #2

Hi and Welcome,

NOTE:
  • Malware removal is NOT instantaneous; most infections require several procedures to properly eradicate.
  • Absence of symptoms does not always mean the computer is clean.
  • Kindly follow my instructions in the order posted.
  • Please DO NOT run any scans or fix items without my direction.

Please do the following:

STEP #1

Please download DDS and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.pif to run the tool.
  • When done, two DDS.txt's will open.
  • Save both reports to your desktop.
---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt
Attach.txt

STEP #2

Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run a scan, click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done, click on the [Save..] button and, in the File name area, type in "Gmer.txt"; otherwise it will save as a .log file, which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it in reply.


**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
doctorforgolf
post Jul 10 2009, 09:33 PM
Post #3

I was able to attach the DDS and Attach files no problem. The GMER scan works fine, but the "save" button disappears during and after the scan.
Attached File(s): DDS.txt (17.63K), Attach.txt (5.59K)
 
CatByte
post Jul 10 2009, 09:43 PM
Post #4

Hi,

Please do the following:

Download Combofix from any of the links below. You must rename it before saving it.
Save it to your desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".

Link 1
Link 2

During the download, rename Combofix to Combo-Fix as follows:

--------------------------------------------------------------------
  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.

-----------------------------------------------------------

  • Double click on Combo-Fix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\Combo-Fix.txt" for further review.

    **Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

    -----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    -----------------------------------------------------------

doctorforgolf
post Jul 10 2009, 10:32 PM
Post #5

It worked!

ComboFix 09-07-09.08 - doctorforgolf 10/07/09 17:59.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1789.1007 [GMT -10:00]
Running from: c:\users\doctorforgolf\Desktop\Combo-Fix.exe
AV: Trend Micro AntiVirus - Virus Protection *On-access scanning disabled* (Updated) {9596F8E6-38C3-4C51-80B9-8C94D2E25B07}
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Trend Micro AntiVirus - Spyware Protection *disabled* (Updated) {7241C815-3D0F-4059-9AF4-BF225B1D78B9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_MSIVXserv.sys
-------\Service_MyWebSearchService


((((((((((((((((((((((((( Files Created from 2009-06-11 to 2009-07-11 )))))))))))))))))))))))))))))))
.

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF6C3CF0-4B15-11D1-ABED-709549C10000}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"DownloadAccelerator"="c:\program files\DAP\DAP.EXE" [2009-03-29 2811392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-23 815104]
"Trend Micro AntiVirus 2007"="c:\program files\Trend Micro\AntiVirus 2007\tavui.exe" [2008-05-09 4613384]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Empowering Technology Launcher.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Empowering Technology Launcher.lnk
backup=c:\windows\pss\Empowering Technology Launcher.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^doctorforgolf^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\users\doctorforgolf\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^doctorforgolf^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\doctorforgolf\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eBayToolbar

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Windows Defender"=%ProgramFiles%\Windows Defender\MSASCui.exe -hide
"MSServer"=rundll32.exe c:\windows\system32\fCrQHBRH.dll,#1
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe"
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{927248FD-E49B-4655-A7C9-99CFC38C9A01}"= UDP:c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\MCE Deluxe Suite.exe:CyberLink MCE Deluxe Suite
"{85F06963-6C2E-4DFB-8907-9431AD1D0926}"= TCP:c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\MCE Deluxe Suite.exe:CyberLink MCE Deluxe Suite
"{0E657784-68A1-4FE9-B5E8-16D7267074B8}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{9BF89F45-9086-400F-AD8A-559B560B9B71}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{612A132E-89C2-4FF9-9CFC-7F682139B180}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{66547474-D9DB-47EA-A6C4-8ECF14BD70DF}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{BF3CF9DB-5725-407D-BC75-14A271DCF1D1}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{A9A9400D-12FA-49F1-9895-49290E397612}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{E7FC3E9D-5B1E-4A6E-9095-8F1754C8BC29}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{392A561F-0882-486E-BC29-F61AFDFB99BE}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"TCP Query User{314F600F-DF4A-46F5-9A4D-0711231CFAC6}c:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= UDP:c:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"UDP Query User{3F72A6AB-3338-4948-B01F-7CF46753C6A2}c:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= TCP:c:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"{D7CA48E7-F260-4C32-B8B6-24716052AAD5}"= UDP:c:\program files\SkillGround\Games\UTG\Main.exe:UTG
"{C2A51C7F-74D9-4D41-AC95-AE6C011FCF02}"= TCP:c:\program files\SkillGround\Games\UTG\Main.exe:UTG
"{4F6410FE-CE92-48C8-A561-4C0C3BF98AF3}"= UDP:c:\program files\SkillGround\Games\UTG\Main.exe:UTG
"{27D4C395-6B49-41A3-88A8-3B6FA1EF03F3}"= TCP:c:\program files\SkillGround\Games\UTG\Main.exe:UTG
"{C582AB5D-FC3A-495A-A240-DDB821CF976E}"= UDP:c:\program files\SkillGround\Games\LASR\LASR.exe:LASR
"{54D534F6-153F-4C26-88FE-859872D16976}"= TCP:c:\program files\SkillGround\Games\LASR\LASR.exe:LASR
"{DC5CC197-1EE4-4FD9-A28B-31C1C7201399}"= UDP:c:\program files\DAP\DAP.exe:Download Accelerator Plus (DAP)
"{E21EB8A9-621F-40E3-A6DA-363BE56313CD}"= TCP:c:\program files\DAP\DAP.exe:Download Accelerator Plus (DAP)
"TCP Query User{04E17617-BDE3-4B17-A12B-B26EB74B1162}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{7784223E-110C-4A42-A73E-DEC29CDBD3B5}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{8AEC62C9-9DE4-4A16-95C6-6DACDEC5D6C9}c:\\windows\\winsxs\\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.16557_none_095474fd52156893\\wmplayer.exe"= UDP:c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.16557_none_095474fd52156893\wmplayer.exe:Windows Media Player
"UDP Query User{F6CFB282-CF0A-4F35-A4C1-4D386A35CD47}c:\\windows\\winsxs\\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.16557_none_095474fd52156893\\wmplayer.exe"= TCP:c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.16557_none_095474fd52156893\wmplayer.exe:Windows Media Player
"TCP Query User{ED8F4EE4-2CCB-4FE1-94E9-536E5B225045}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{3D904081-8882-4BD7-A5AC-677E6264DAF1}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:uTorrent
"TCP Query User{126755B8-273F-473E-8240-BEDC8BAFE583}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{432553A0-8FC9-4052-A647-69102C965A8E}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:uTorrent
"{CB779049-4B01-4924-A69C-911B12ABF2A3}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{6440266F-A075-4B43-9771-5F8A0037591D}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"TCP Query User{D4F601D0-1560-4106-8CD7-AE2CCEF10BAF}c:\\program files\\limewire\\limewire.exe"= Disabled:UDP:c:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{7A77704F-2C85-4751-AF0E-0E811FBCAE75}c:\\program files\\limewire\\limewire.exe"= Disabled:TCP:c:\program files\limewire\limewire.exe:LimeWire
"TCP Query User{43F67693-8437-432C-8B2E-87E9FF8807E1}c:\\program files\\real\\realplayer\\realplay.exe"= UDP:c:\program files\real\realplayer\realplay.exe:RealPlayer
"UDP Query User{2806D38B-A9EA-46F4-BC31-DC59124236CA}c:\\program files\\real\\realplayer\\realplay.exe"= TCP:c:\program files\real\realplayer\realplay.exe:RealPlayer
"TCP Query User{DB21EC60-386E-4399-ADB3-8AE42FE6A13D}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{270F5483-614E-4DE7-81E8-A7274AEFAA4C}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{1A2A8A34-B00A-4C11-A742-1274BE3AD8F1}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{3A5F0339-8F9C-4D86-A943-50411434D733}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{9E45B3EC-F7F0-4566-ABF8-DD35155AF0B4}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{2B95FB81-2D07-4311-B05F-6037CA1546F1}c:\\users\\doctorforgolf\\appdata\\roaming\\macromedia\\flash player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"= UDP:c:\users\doctorforgolf\appdata\roaming\macromedia\flash player\www.macromedia.com\bin\octoshape\octoshape.exe:octoshape.exe
"UDP Query User{F54D6B63-62FE-46B6-9E70-5D203531FA5E}c:\\users\\doctorforgolf\\appdata\\roaming\\macromedia\\flash player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"= TCP:c:\users\doctorforgolf\appdata\roaming\macromedia\flash player\www.macromedia.com\bin\octoshape\octoshape.exe:octoshape.exe
"{22707778-0D9E-4F84-AD5F-4C06E4BD58B1}"= UDP:c:\ppv\00\PP.EXE:6.2
"{CFDC9201-D4A8-4B01-9C08-7CD7005E47CC}"= TCP:c:\ppv\00\PP.EXE:6.2
"{0C8B47AD-9D8E-4655-97A4-D187110BCB89}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{D919F67A-3CE1-402E-9594-87F9043AB975}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{3B41E15B-A6E4-4D8A-872A-18D90D4BEF25}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{6BBE6289-6A90-448F-B247-E42775CEBF26}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"DoNotAllowExceptions"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"DoNotAllowExceptions"= 0 (0x0)

R0 SI3112r;ATI-4379 Serial ATA Controller;c:\windows\System32\drivers\SI3112r.sys [29/08/07 2:04 AM 116264]
R2 tmpreflt;tmpreflt;c:\windows\System32\drivers\tmpreflt.sys [27/09/06 5:31 PM 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\program files\Trend Micro\AntiVirus 2007\components\TmProxy.exe [10/01/07 7:19 PM 566872]
S3 SMSCIRDA;SMSC Infrared Device Driver;c:\windows\System32\drivers\smscirda.sys [14/11/06 2:39 AM 31232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
Contents of the 'Scheduled Tasks' folder

2009-07-11 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-06-20 19:09]

2009-07-11 c:\windows\Tasks\User_Feed_Synchronization-{78015774-5756-4EC1-AEA6-F9588B1A1E2F}.job
- c:\windows\system32\msfeedssync.exe [2009-03-25 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: &eBay Search
IE: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=ZJman000
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: %SYSTEMROOT%\system32\tmlsp.dll
FF - ProfilePath - c:\users\doctorforgolf\AppData\Roaming\Mozilla\Firefox\Profiles\42j4lfkt.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\program files\DAP\DAPFireFox\components\DAPFireFox.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAskSBr.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\users\doctorforgolf\AppData\Roaming\Mozilla\Firefox\Profiles\42j4lfkt.default\extensions\{642BD07B-43AB-4157-921B-3E62B71AD39F}\plugins\npskill.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.notify.interval - 600000
FF - user.js: content.switch.threshold - 1000000
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-10 18:14
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\acer\Empowering Technology\eLock\Service\eLockServ.exe
c:\acer\Empowering Technology\eNet\eNet Service.exe
c:\program files\Trend Micro\AntiVirus 2007\tavsvc.exe
c:\windows\System32\drivers\XAudio.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\acer\Empowering Technology\eRecovery\eRecoveryService.exe
c:\acer\Empowering Technology\ePower\ePowerSvc.exe
c:\windows\System32\wbem\unsecapp.exe
c:\windows\System32\osk.exe
c:\windows\ehome\ehmsas.exe
c:\windows\System32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2009-07-11 18:24 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-11 04:24

Pre-Run: 15,063,101,440 bytes free
Post-Run: 14,785,552,384 bytes free

723 --- E O F --- 2009-07-09 22:00

Attached file: Combo_Fix.txt (40.22K)
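The registry portion of the log above shows UAC switched off (EnableLUA = 0) alongside Security Center notifications and monitoring disabled (the DisableNotify and DisableMonitoring values set to 1), a combination that keeps the user from noticing that protection is off. As an added example (this is not code from the thread or from ComboFix), the following Python script parses the `[key]` / `"name"=value` blocks in the format ComboFix prints and reports every such self-protection setting. The sample dump is constructed from the values shown in the log; the key-path patterns and the descriptions in `WEAK_SETTINGS` are this example's own assumptions.

```python
"""Flag self-protection settings disabled in a ComboFix-style registry dump."""
import re

# Settings that silence or switch off Windows' own defences. Each entry is
# (regex on the key path, value name, value meaning "weakened", description).
# The path patterns and wording are this example's assumptions, not ComboFix's.
WEAK_SETTINGS = [
    (r"\\policies\\system$", "EnableLUA", 0,
     "User Account Control is turned off"),
    (r"\\security center$", "UacDisableNotify", 1,
     "Security Center will not warn that UAC is off"),
    (r"\\security center$", "InternetSettingsDisableNotify", 1,
     "Security Center will not warn about unsafe Internet settings"),
    (r"\\security center$", "AutoUpdateDisableNotify", 1,
     "Security Center will not warn that Automatic Updates are off"),
    (r"\\security center\\monitoring(\\.*)?$", "DisableMonitoring", 1,
     "Security Center no longer monitors antivirus/firewall status"),
]

_KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<raw>.*)$')


def parse_value(raw):
    """Turn ComboFix's rendering of a value ('dword:00000001', '0 (0x0)')
    into an int; anything else (paths, command lines) stays text."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    m = re.match(r"^(-?\d+)\s+\(0x[0-9A-Fa-f]+\)$", raw)
    if m:
        return int(m.group(1))
    return raw


def parse_registry_dump(text):
    """Map each [key] block to {value name: value}; other lines are ignored."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        k = _KEY_LINE.match(line)
        if k:
            current = k.group("key")
            keys.setdefault(current, {})
            continue
        v = _VALUE_LINE.match(line)
        if v and current is not None:
            keys[current][v.group("name")] = parse_value(v.group("raw"))
    return keys


def find_weak_settings(text):
    """Return [(key, value name, description)] for every weakened setting."""
    findings = []
    for key, values in parse_registry_dump(text).items():
        for pattern, name, weak_value, description in WEAK_SETTINGS:
            if re.search(pattern, key, re.IGNORECASE) and values.get(name) == weak_value:
                findings.append((key, name, description))
    return findings


# Constructed sample: the relevant blocks as they appear in the log above,
# plus a firewall block that is normal and must not be flagged.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"DoNotAllowExceptions"= 0 (0x0)
"""

if __name__ == "__main__":
    for key, name, description in find_weak_settings(SAMPLE_DUMP):
        print(f"{name} in {key}: {description}")
```

The table of checks is deliberately data, not code: a helper reviewing many logs adds a row per setting worth watching and the parser stays unchanged. Only exact value matches are reported, so a key present with a healthy value (EnableLUA = 1) produces nothing.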
CatByte
post Jul 11 2009, 01:14 AM
Post #6

Hi,

Please do the following

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

CODE
http://forums.whatthetech.com/Hijacked_t105009.html&view=findpost&p=576856#entry576856

Collect::
c:\windows\system32\22950not-z9vi5us5e.bin
c:\windows\system32\95429zy3a6.exe
c:\windows\system32\5239w9rmz42.bin
c:\windows\system32\5fd69hzef5227.bin
c:\windows\zbbds5arse2109.bin
c:\windows\system32\b995tezl1158.dll
c:\windows\system32\167715pam9zt431.exe
c:\windows\system32\8a5spyware927z.exe
c:\windows\system32\55905orz501.bin
c:\windows\system32\15538trojzb9.dll
c:\windows\system32\4565s5zware4349.bin
c:\windows\system32\12zaste9l594.exe
c:\windows\system32\593vzr1705.dll
c:\windows\system32\299975py5cz.bin
c:\windows\system32\7795addwarez99.exe
c:\windows\system32\99030sp5mbot6d1z.dll
c:\windows\system32\29710viruz5a59.dll
c:\windows\system32\19438zacktool4555.dll
c:\windows\system32\z47as5ea93153.dll
c:\windows\system32\1738759rz3a8.dll
c:\windows\system32\7z15s5yware9290.bin
c:\windows\system32\zcb9t5i9f62.bin
c:\windows\system32\16704viru59az.dll
c:\windows\system32\3a879aczdo5r3120.bin
c:\windows\system32\29916tr5z2d3.dll
c:\windows\system32\5ddo59zoader1188.bin
c:\windows\system32\3ee99zdware19095.bin
c:\windows\system32\154zw9r55e6.exe
c:\windows\system32\15z55no9-a-virus278.dll
c:\windows\system32\7f89t9reat22z95.exe
c:\windows\system32\11151wo59zaf.exe
c:\windows\system32\2308dow59zader27.exe
c:\windows\system32\25515not-azvirus927.exe
c:\windows\system32\2b51back9oor3z11.exe
c:\windows\system32\2z415w59m542.exe
c:\windows\system32\4579troj95z.bin
c:\windows\system32\3572spy9are1865z.bin
c:\windows\system32\14967trzj385.dll
c:\windows\system32\95fsparsez346.exe
c:\windows\system32\29493n5t-a-viruz649.bin
c:\windows\system32\116695otza-viru9514.bin
c:\windows\system32\7d58vir201z9.exe
c:\windows\system32\25dz5ackdoor1948.bin
c:\windows\system32\9120h5cktzo911b.bin
c:\windows\system32\94154worm162z.exe
c:\windows\system32\1795zi9us799.dll
c:\windows\system32\213019iruz7c85.dll
c:\windows\system32\69azsteal543.exe
c:\windows\system32\zf8a5hief2995.dll
c:\windows\system32\10z77n9t-a-virus755.exe
c:\windows\system32\93a9stea5515z.bin
c:\windows\system32\2289zspy1b5.bin
c:\windows\system32\24852sp5m9zt115.bin
c:\windows\system32\6759hack9ool6z7.exe
c:\windows\system32\1415n9t-az5irus5b3.bin
c:\windows\system32\9350downlo5der164z.dll
c:\windows\system32\412fbackdzo53059.dll
c:\windows\system32\62e5thief962z.dll
c:\windows\system32\9269wozm9d5.exe
c:\windows\system32\22599zp97b75.exe
c:\windows\system32\9b05viz5880.exe
c:\windows\system32\215fspa9ze1885.dll
c:\windows\system32\5b2aadz9are326.bin
c:\windows\system32\6527wozm2e19.dll
c:\windows\system32\195zs5yd79.bin
c:\windows\system32\90z5vir849.dll
c:\windows\system32\19b6st5al3z29.dll
c:\windows\system32\12514not-a-vir9z3de.exe
c:\windows\system32\19929spy2z95.dll
c:\windows\system32\18308w9rz55.exe
c:\windows\system32\76f9s9yw5re2z74.dll
c:\windows\system32\793abackdo5r324z.dll
c:\windows\system32\335ba5kdoor1179z.bin
c:\windows\system32\7z98tro59ee.exe
c:\windows\system32\25959spzm95t3d6.exe
c:\windows\system32\z1539virus539.exe
c:\windows\system32\15522vz9us689.exe
c:\windows\system32\5964zvirus739.bin
c:\windows\system32\26758n9t5a-viruszb6.bin
c:\windows\system32\2259sparze950.dll
c:\windows\system32\737a9parze5222.bin
c:\windows\system32\395zdownloader1290.dll

DDS::
IE: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=ZJman000


Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop; save it as "CFScript"


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

**Note**
When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.




NEXT


Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job
  • Once it's finished it should automatically reboot your machine,
  • if it doesn't, manually reboot to ensure a complete clean

It's normal after running TFC cleaner that the PC will be slower to boot the first time.

NEXT

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.


Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


NEXT

**Vista users - right click on the IE icon and run as administrator

Run an on-line scan with Kaspersky

Using Internet Explorer or Firefox, visit Kaspersky On-line Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.


  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply



In your next reply please include
  • ComboFix Log
  • MBAM Log
  • Kaspersky report

doctorforgolf
post Jul 12 2009, 08:17 AM
Post #7

Ok had to run the Kaspersky 3X whew... Thank you for all your help!
Attached files:
  • _ComboFix_Log.txt (43.24K)
  • mbam_log_2008_10_17__15_51_22_.txt (4.1K)
  • mbam_log_2009_07_10__22_01_50_.txt (1.64K)
  • Kaspersky.txt (1.13K)
CatByte
post Jul 12 2009, 08:27 AM
Post #8

Hi,

One of the files deleted by MBAM was identified as a "backdoor bot". This type of infection has the ability to steal personal information from your computer.

As a precaution, from a totally clean computer, change all your on-line passwords, especially any for financial institutions and notify those same institutions that your personal information may have been compromised.

NEXT

Navigate to the following file and delete it:

C:\DOWNLOADS\setup.exe


NEXT

Please run a fresh DDS log and advise how your computer is running now and if there are any outstanding issues.

doctorforgolf
post Jul 12 2009, 08:57 AM
Post #9

Hello, yes I still have issues with my firefox being redirected.
Attached file: DDS2.txt (11.34K)
CatByte
post Jul 12 2009, 09:03 AM
Post #10

Hi,

Please do the following:

Please download HostsXpert
  • Unzip HostsXpert to its own folder in a convenient place such as C:\HostsXpert
  • Run: HostsXpert.exe
  • Click: Make Writable? in the upper left corner.
  • Click: Restore MS Hosts File
  • Click: Replace
  • Click: OK
  • Click: Make ReadOnly
  • Close HostsXpert.



NEXT

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).


doctorforgolf
post Jul 12 2009, 09:56 AM
Post #11

I can't seem to get the HostsXpert to work, ERROR: Cannot create file C:\windows\system32\Drivers\ETC\host
CatByte
post Jul 12 2009, 10:00 AM
Post #12

Hi,

Please run this program instead

Please download HostsFileReader.zip by Option^Explicit, saving it to the desktop.
  • Extract HostsFileReader.zip to your desktop
  • Double click on HostsFileReader.exe
  • Click on Reset Default



Then move on to the GooredFix program.


If the first program still will not work, then move to the GooredFix program.
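The hosts-file reset in the two posts above (HostsXpert's "Restore MS Hosts File", then HostsFileReader's "Reset Default") puts the file back to its loopback-only defaults, which is the relevant fix when a browser is redirected or security vendors' update sites stop resolving. As an added example (not code from this thread or from either tool), this Python checker parses a hosts file and separates the stock loopback entries from names that have been sinkholed to the local machine and names redirected to some other address, so a defender can see what a non-default file is doing before overwriting it. The sample hosts content, the `.example` names and the 192.0.2.10 address are constructed for the example.

```python
"""Audit a Windows hosts file for entries that block or redirect names."""
import ipaddress
import re

# Hostnames the stock Microsoft hosts file maps to loopback; any other
# mapping was added by software, an administrator, or malware.
DEFAULT_NAMES = {"localhost"}

# address, then one or more names, then an optional trailing comment
_MAPPING = re.compile(r"^\s*(?P<addr>\S+)\s+(?P<names>[^#]+?)\s*(?:#.*)?$")


def parse_hosts(text):
    """Return [(line_no, address, [names])] for every mapping line."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _MAPPING.match(line)
        if m:
            entries.append((n, m.group("addr"), m.group("names").split()))
    return entries


def classify_entry(addr, names):
    """Label one mapping: 'default', 'sinkhole', 'redirect' or 'malformed'."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "malformed"
    if ip.is_loopback and all(n.lower() in DEFAULT_NAMES for n in names):
        return "default"
    if ip.is_loopback or ip.is_unspecified:
        # Points a name at the local machine: ad-blockers do this, but so
        # does malware that wants antivirus or update servers to stop resolving.
        return "sinkhole"
    return "redirect"  # sends the name to another host entirely


def audit_hosts(text):
    """Group mapping lines by category so anything non-default stands out."""
    report = {"default": [], "sinkhole": [], "redirect": [], "malformed": []}
    for n, addr, names in parse_hosts(text):
        report[classify_entry(addr, names)].append((n, addr, names))
    return report


def default_hosts():
    """What a 'restore default hosts' action writes back: loopback only."""
    return "127.0.0.1       localhost\n::1             localhost\n"


# Constructed sample, not the hosts file from this thread.
SAMPLE = """# Copyright (c) 1993-2006 Microsoft Corp.
#
127.0.0.1       localhost
::1             localhost
127.0.0.1       av-update.example          # constructed: blocks an AV update host
0.0.0.0         update.example
192.0.2.10      www.bank.example           # constructed: sends a site elsewhere
bogus           search.example
"""

if __name__ == "__main__":
    for category, items in audit_hosts(SAMPLE).items():
        for n, addr, names in items:
            print(f"line {n:>2}  {category:<9} {addr:<16} {' '.join(names)}")
```

Sinkhole entries deserve a look even when they are not redirects: a name for an antivirus or update server pointed at 127.0.0.1 explains exactly the symptom reported at the top of this thread (updates that will not download). Comparing the audited file with `default_hosts()` before clicking a reset button also leaves a record of what was removed.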
doctorforgolf
post Jul 12 2009, 10:10 AM
Post #13

GooredFix by jpshortstuff (12.07.09)
Log created at 06:02 on 12/07/2009 (doctorforgolf)
Firefox version 3.0.5 (en-US)

========== GooredScan ==========

C:\Program Files\Mozilla Firefox\extensions\
talkback@mozilla.org [04:51 25/03/2008]
{972ce4c6-7e08-4474-a285-3208198ce6fd} [04:50 25/03/2008]
{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} [08:31 11/09/2007]
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} [22:02 09/10/2007]
{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} [18:37 06/03/2008]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [06:04 07/02/2009]

-=E.O.F=-
CatByte
post Jul 12 2009, 10:15 AM
Post #14

Were you able to reset the hosts program?

How is your computer running now?
Are you still being redirected?
doctorforgolf
post Jul 12 2009, 10:31 AM
Post #15

Still getting the same error message with HostsXpert, but Firefox is NOT being redirected.