> [Resolved] Infected by Malware, started as antivirus system pro 2, Malware freezing computer. Disables programs
KDM8019
post Jul 7 2009, 07:02 PM
Post #1
New Member
Group: Authentic Member
Posts: 9
Joined: 7-July 09
Member No.: 86,598
Operating System: Windows XP

I was infected by a scareware/malware virus on the 4th of July. I have scanned with McAfee and Spyware Doctor several times to attempt to remove it. I have run CCleaner a couple of times. The Antivirus System Pro 2009 fake warnings have stopped, but the computer is still having symptoms. Hopefully I did not cause more harm than good in my attempts to stop it.

Current Symptoms
*Sudden freezing
*Frozen start ups
*safe mode is disabled (blue screen error when attempted)
*Scanning software will not run, hour glass and then nothing. (MBAM, Super Anti Spyware, Alvest all have trouble installing. And if installed will not open to scan)
*Internet searches on google and others are disabled
*Adware popups occur occasionally

Any help you can give will be much appreciated

Ken


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:53:49 PM, on 7/7/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jill\Desktop\HJTInstall.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [sysldtray] C:\windows\ld12.exe
O4 - HKLM\..\Run: [sysfbtray] C:\windows\freddy49.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZKxdm006MWUS
O8 - Extra context menu item: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagea...en/preview.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} (Rite Aid One Hour Photo Online Control) - https://photos.riteaid.com/control/RiteAidO...PhotoOnline.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://3dlifeplayer.dl.3dvia.com/player/in...r_installer.exe
O16 - DPF: {EBF85371-A38F-485B-B28F-0B4C82D25937} (CUpdateCtl Object) - http://update.hpphoto.com/download/HPSWUpdate.ocx
O18 - Filter hijack: text/html - {7e421a40-d91a-424b-86da-0cbce7aab06d} - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: __c0067524 - C:\WINDOWS\system32\__c0067524.dat (file missing)
O20 - Winlogon Notify: __c00AB1E4 - C:\WINDOWS\system32\__c00AB1E4.dat (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe (file missing)
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdauxservice) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdcoreservice) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Jill/LOCALS~1/Temp/msoclip1/01/clip_image001.jpg

--
End of file - 11431 bytes
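As an added illustration (not part of this thread, and not how CatByte or the HijackThis tool analyse logs), here is a small Python script that applies three of the review rules a malware-removal helper applies by eye when reading a log like the one above: an autorun executable sitting directly in the Windows root rather than under Program Files or system32 (the sysldtray/sysfbtray entries), an O18/O20 entry pointing at a file that no longer exists, and a Winlogon Notify package that is not a DLL. The sample lines are copied from the log in this post, with a few clean entries added for contrast; the rule names, the `Finding` class and the `triage` function are my own and are not part of any tool.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: lines copied from the HijackThis log in the post above, plus
# clean entries (QuickTime, ctfmon, SUPERAntiSpyware, wuauserv) that triage should leave alone.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sysldtray] C:\windows\ld12.exe
O4 - HKLM\..\Run: [sysfbtray] C:\windows\freddy49.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O18 - Filter hijack: text/html - {7e421a40-d91a-424b-86da-0cbce7aab06d} - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: __c0067524 - C:\WINDOWS\system32\__c0067524.dat (file missing)
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\
"""


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. O4, O20
    name: str      # Run value name, Winlogon Notify package, or MIME type
    target: str    # path the entry points at, as written in the log
    reasons: List[str] = field(default_factory=list)


# An autorun whose executable sits directly in %SystemRoot% (not in system32) is unusual
# for legitimate software; both ld12.exe and freddy49.exe in the log fit this pattern.
WINDOWS_ROOT_EXE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.IGNORECASE)
RUN_ENTRY = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
SECTION = re.compile(r"^(?P<sec>[OR]\d+) - (?P<rest>.*)$")
MISSING = ("(file missing)", "(no file)")


def run_target(cmd: str) -> str:
    """Return the executable from a Run value: the quoted path, or else the first token."""
    m = re.match(r'"([^"]+)"|(\S+)', cmd)
    return (m.group(1) or m.group(2)) if m else cmd


def triage(log: str) -> List[Finding]:
    """Apply the review rules to HijackThis lines and return entries worth a second look."""
    findings: List[Finding] = []
    for raw in log.splitlines():
        m = SECTION.match(raw.strip())
        if not m:
            continue
        sec, rest = m.group("sec"), m.group("rest")
        if sec == "O4":
            r = RUN_ENTRY.match(rest)
            if not r:
                continue  # Global Startup .lnk entries are not covered by this rule
            target = run_target(r.group("cmd"))
            if WINDOWS_ROOT_EXE.match(target):
                findings.append(Finding(sec, r.group("name"), target,
                                        ["autorun executable directly in the Windows root"]))
        elif sec in ("O18", "O20"):
            # "Filter hijack: <mime> - {clsid} - <path>"  /  "Winlogon Notify: <name> - <path>"
            _, _, remainder = rest.partition(": ")
            parts = remainder.split(" - ")
            name, target = parts[0], parts[-1]
            reasons: List[str] = []
            if any(tag in target for tag in MISSING):
                reasons.append("entry points at a file that no longer exists")
            if sec == "O20" and not target.split(" (")[0].lower().endswith(".dll"):
                reasons.append("Winlogon notification package is not a .dll")
            if reasons:
                findings.append(Finding(sec, name, target, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section} {f.name}: {f.target}\n    - " + "\n    - ".join(f.reasons))
```

Run against the sample it reports exactly the four entries a helper would ask about first (sysldtray, sysfbtray, the text/html filter and the __c0067524 notify package) and says nothing about the QuickTime, ctfmon, SUPERAntiSpyware and wuauserv lines. The rules are deliberately narrow: a flagged entry is a prompt to look closer, not a verdict, which is the same caution CatByte gives about rootkit-scanner output later in the thread.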
CatByte
post Jul 7 2009, 07:09 PM
Post #2
Classroom Administrator
Group: Classroom Admin
Posts: 9,667
Joined: 18-November 04
From: Canada
Member No.: 18,614
Operating System: xp sp3

Hi and Welcome,

NOTE:
  • Malware removal is NOT instantaneous; most infections require more than one round to properly eradicate.
  • Absence of symptoms does not always mean the job is complete; you can be certain that I will advise you when the computer is clean.
  • Kindly follow my instructions in the order posted.
  • Please DO NOT run any scans or fix items without my direction.

Please do the following:

STEP #1

Please download DDS and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.pif to run the tool.
  • When done, two DDS.txt's will open.
  • Save both reports to your desktop.
---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.

STEP #2

Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it in reply.


**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

KDM8019
post Jul 7 2009, 07:23 PM
Post #3
New Member
Group: Authentic Member
Posts: 9
Joined: 7-July 09
Member No.: 86,598
Operating System: Windows XP

Hi Catbyte,

My vistor seems to not want to allow me to open the Gmer program.

I have attached the other requested reports. Do you have any suggestions, like a process to kill, to get GMER to open?
Attached files: Attach.txt (930 bytes), DDS.txt (15.62K)
CatByte
post Jul 7 2009, 07:31 PM
Post #4
Classroom Administrator
Group: Classroom Admin
Posts: 9,667
Joined: 18-November 04
From: Canada
Member No.: 18,614
Operating System: xp sp3

Hi,

It would appear there is a rootkit on your system. Leave the GMER program for now and do the following:

Note: It is very important to rename ComboFix before saving it, and all of your security programs must be disabled before running the program:

Please do the following:


Download Combofix from any of the links below. You must rename it before saving it.
Save it to your desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".

Link 1
Link 2
Link 3

During the download, rename Combofix to Combo-Fix as follows:

--------------------------------------------------------------------
  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.

-----------------------------------------------------------

  • Double click on Combo-Fix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\Combo-Fix.txt" for further review.

    **Note: Do not mouse-click Combo-Fix's window while it's running. That may cause it to stall.**


    -----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    -----------------------------------------------------------
KDM8019
post Jul 7 2009, 08:01 PM
Post #5
New Member
Group: Authentic Member
Posts: 9
Joined: 7-July 09
Member No.: 86,598
Operating System: Windows XP

Running into a route.exe application error and a file corruption warning; Combo-fix is still running, waiting on results...
KDM8019
post Jul 7 2009, 08:43 PM
Post #6
New Member
Group: Authentic Member
Posts: 9
Joined: 7-July 09
Member No.: 86,598
Operating System: Windows XP

Combofix did find a rootkit.

Here is the log requested.

ComboFix 09-07-07.A2 - Jill 07/07/2009 22:13.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.203 [GMT -4:00]
Running from: c:\documents and settings\Jill\Desktop\Combo-Fix.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Jill\LOCALS~1\Temp\csrss.exe
c:\docume~1\Jill\LOCALS~1\Temp\taskmgr.exe
c:\documents and settings\Jill\Application Data\FunWebProducts
c:\documents and settings\Jill\Desktop\setup.exe
c:\program files\Common
c:\program files\Common\helper.sig
c:\windows\010112010146118114.dat
c:\windows\0101120101464849.dat
c:\windows\0101120101465749.dat
c:\windows\0101120101465752.dat
c:\windows\freddy49.exe
c:\windows\Installer\1d869.msp
c:\windows\Installer\1eebd5.msi
c:\windows\Installer\e0bf.msi
c:\windows\Installer\e0c5.msi
c:\windows\Installer\e0cb.msi
c:\windows\ld12.exe
c:\windows\strt_1246811592.exe
c:\windows\syssvc.exe
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\AutoRun.inf
c:\windows\system32\BSTIEPrintCtl1.dll
c:\windows\system32\drivers\SKYNETittbjtkb.sys
c:\windows\system32\drivers\UACpboyrgomqfqmoirxd.sys
c:\windows\system32\kungsfwecqdcxj.dat
c:\windows\system32\lsp.dll
c:\windows\system32\UACauakxidmgiswtrjen.dll
c:\windows\system32\UACbobqaimpulhypitys.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACkusuphkbisrxrlelx.dll
c:\windows\system32\UACpdavnpmopybwwkrfp.log
c:\windows\system32\UACqtowujomlnonipfqj.dat
c:\windows\system32\UACrqqihhsqlxnwsgwgx.dll
c:\windows\Tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job
C:\xcrashdump.dat

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_DRV
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_drv
-------\Service_kungsfmylytitf


((((((((((((((((((((((((( Files Created from 2009-06-08 to 2009-07-08 )))))))))))))))))))))))))))))))
.

2009-07-08 02:20 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-07-08 02:20 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-07-08 00:48 . 2009-07-08 00:48 -------- d-----w- c:\program files\Trend Micro
2009-07-07 23:10 . 2004-08-04 11:00 23040 ------w- c:\windows\system32\psapi.dll
2009-07-07 22:35 . 2009-07-07 22:35 -------- d-----w- c:\documents and settings\Ken\Application Data\SUPERAntiSpyware.com
2009-07-07 22:35 . 2009-07-07 22:35 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-07 22:32 . 2009-07-07 22:32 -------- d-----w- c:\documents and settings\Ken\Local Settings\Application Data\Wal-Mart Music Downloads
2009-07-07 22:13 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-07 22:13 . 2009-07-07 22:13 -------- d-----w- c:\program files\MB
2009-07-07 22:13 . 2009-07-07 22:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-07 22:13 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-07 22:03 . 2009-07-07 22:03 -------- d-----w- c:\program files\Java
2009-07-07 21:43 . 2009-07-07 21:43 -------- d-----w- c:\program files\CCleaner
2009-07-06 01:56 . 2009-07-06 01:56 -------- d-----w- c:\documents and settings\Jill\Application Data\SACore
2009-07-06 00:55 . 2008-12-11 12:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-07-06 00:54 . 2009-04-03 15:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-07-06 00:54 . 2008-12-18 16:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-07-06 00:54 . 2009-07-08 02:26 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-06 00:54 . 2009-07-06 00:56 -------- d-----w- c:\program files\Common Files\PC Tools
2009-07-06 00:54 . 2008-12-10 15:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-07-06 00:54 . 2009-07-07 22:55 -------- d-----w- c:\program files\Spyware Doctor
2009-07-06 00:54 . 2009-07-06 00:54 -------- d-----w- c:\documents and settings\Ken\Application Data\PC Tools
2009-07-06 00:54 . 2009-07-06 00:54 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-07-05 21:25 . 2009-07-06 16:34 0 ----a-w- c:\windows\system32\drivers\468698c2.sys
2009-07-05 21:25 . 2009-07-05 21:25 21504 ----a-w- C:\kkfwg.exe
2009-07-05 21:25 . 2009-07-05 21:25 32768 ----a-w- C:\fdvjfx.exe
2009-07-05 21:24 . 2009-07-05 21:25 205940 ----a-w- C:\gklrwl.exe
2009-07-05 21:23 . 2009-07-05 21:23 39424 ----a-w- C:\tcburi.exe
2009-07-05 21:22 . 2009-07-05 21:22 -------- d-----w- c:\documents and settings\Ken\Application Data\FileOpen
2009-07-05 14:16 . 2009-07-05 14:16 1 ---h--w- c:\windows\bf23567.dat
2009-07-04 15:35 . 2009-07-04 15:35 1 ---h--w- c:\windows\jmmark2.dat
2009-07-04 12:18 . 2009-07-05 03:37 -------- d-----w- c:\program files\drv
2009-06-23 01:32 . 2009-07-07 22:03 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-11 23:15 . 2009-07-05 17:14 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-06-11 22:24 . 2009-07-08 01:49 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-06-11 21:57 . 2009-07-08 02:10 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-06-09 15:39 . 2009-06-09 15:39 -------- d-----w- C:\PC HugWare

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-08 02:10 . 2005-03-02 16:11 -------- d-----w- c:\program files\McAfee.com
2009-07-07 22:35 . 2008-08-19 10:05 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-07 22:31 . 2007-11-26 01:43 -------- d-----w- c:\program files\Google
2009-07-07 22:30 . 2009-02-18 23:01 -------- d-----w- c:\program files\Coupons
2009-07-05 02:46 . 2005-03-05 21:19 124352 ----a-w- c:\documents and settings\Ken\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-21 13:06 . 2005-07-29 00:25 -------- d-----w- c:\program files\Common Files\HP
2009-06-11 11:56 . 2008-04-05 12:37 124352 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-06-10 00:01 . 2009-06-02 22:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-06-10 00:00 . 2009-06-02 22:07 -------- d-----w- c:\documents and settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2009-06-02 22:05 . 2009-06-02 22:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-06-02 22:01 . 2009-06-02 22:01 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-05-16 18:59 . 2008-11-27 01:39 -------- d-----w- c:\program files\Hardwood Euchre
2009-05-14 00:17 . 2009-05-14 00:17 -------- d-----w- c:\program files\OverDrive Media Console
2009-05-07 15:44 . 2004-08-04 11:00 344064 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2004-08-04 11:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 11:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 09:58 . 2004-08-04 11:00 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 15:26 . 2004-08-04 11:00 583168 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2004-09-14 131072]
"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-08-07 98304]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-03-13 81920]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-07 148888]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-12-08 1173384]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-5-30 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
Billminder.lnk - c:\program files\Quicken\billmind.exe [2002-7-30 36864]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2002-7-30 53248]
Quicken Startup.lnk - c:\program files\Quicken\QWDLLS.EXE [2002-7-30 36864]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Rhapsody\\rhapsody.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"= 8085:TCP:drv

R0 pctcore;PCTools KDS;c:\windows\SYSTEM32\DRIVERS\PCTCore.sys [7/5/2009 8:54 PM 130936]
R2 sdauxservice;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [7/5/2009 8:54 PM 348752]
S1 468698c2;468698c2;c:\windows\SYSTEM32\DRIVERS\468698c2.sys [7/5/2009 5:25 PM 0]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\McAfee\SiteAdvisor\McSACore.exe" --> c:\program files\McAfee\SiteAdvisor\McSACore.exe [?]
S3 VNA;Check Point Virtual Network Adapter;c:\windows\SYSTEM32\DRIVERS\vna.sys [9/5/2004 11:44 AM 108400]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
drv REG_MULTI_SZ drv
.
Contents of the 'Scheduled Tasks' folder

2009-07-08 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-11-26 00:39]

2009-07-08 c:\windows\Tasks\User_Feed_Synchronization-{B2AE97CA-183B-4A7D-BAF5-5A62628C3075}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 16:58]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
HKLM-Run-sysfbtray - c:\windows\freddy49.exe
HKLM-Run-StandardInstall - (no file)
Notify-__c0067524 - c:\windows\system32\__c0067524.dat
Notify-__c00AB1E4 - c:\windows\system32\__c00AB1E4.dat
Notify-ckpNotify - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uDefault_Search_URL = hxxp://www.google.com/ie
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/mywaybiz
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZKxdm006MWUS
IE: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagea...en/preview.html
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-07 22:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\Perflib_Perfdata_704.dat 16384 bytes
c:\windows\TEMP\sqlite_Op7bq2UCL9cJVfk 1024 bytes
c:\windows\TEMP\sqlite_OuTett7zk5WwX8G 1024 bytes
c:\windows\TEMP\sqlite_Ov95uyOpzPsyYZL 0 bytes
c:\windows\TEMP\sqlite_OZX8DEZdr9Dw4bg 1024 bytes
c:\windows\TEMP\sqlite_OzxOfkaenl3CTkT 1024 bytes
c:\windows\TEMP\sqlite_p35jwbbfYKSPRNI 1024 bytes
c:\windows\TEMP\sqlite_PcBWXt2CwmUrhft 1024 bytes
c:\windows\TEMP\sqlite_pERbh5sUN8sXB0h 0 bytes
c:\windows\TEMP\sqlite_pJbz7Jng5K4R60T 0 bytes
c:\windows\TEMP\sqlite_PJegX0u8vkqPwBc 0 bytes
c:\windows\TEMP\sqlite_PjyduV9uzhImUvS 0 bytes
c:\windows\TEMP\sqlite_pk2DDJnGoy2SQ8H 1024 bytes
c:\windows\TEMP\sqlite_pmch9HUDFCD7W2q 1024 bytes
c:\windows\TEMP\sqlite_PNexcsmkFeAAo9z 1024 bytes
c:\windows\TEMP\sqlite_pQ5a7bLuWPjjJmI 0 bytes
c:\windows\TEMP\sqlite_pqOjCrS2zerza7D 1024 bytes
c:\windows\TEMP\sqlite_PrjHbrdgB3DiOkc 0 bytes
c:\windows\TEMP\sqlite_qE91uX3ls4ysdOC 0 bytes
c:\windows\TEMP\sqlite_qls34aldfRphF3O 1024 bytes
c:\windows\TEMP\sqlite_QPILeuBoaXYGOeD 1024 bytes
c:\windows\TEMP\sqlite_QwNM2GnqoHoDiSC 1024 bytes
c:\windows\TEMP\sqlite_rkJXq00gd049Hwu 0 bytes
c:\windows\TEMP\sqlite_RNtUs92GOgShcaR 0 bytes
c:\windows\TEMP\sqlite_s3OZF69vmbRTYoK 1024 bytes
c:\windows\TEMP\Cookies
c:\windows\TEMP\Cookies\index.dat 16384 bytes
c:\windows\TEMP\History
c:\windows\TEMP\History\History.IE5
c:\windows\TEMP\History\History.IE5\desktop.ini 145 bytes
c:\windows\TEMP\History\History.IE5\index.dat 16384 bytes
c:\windows\TEMP\MCE00000
c:\windows\TEMP\sqlite_Cebw4Ta8TRzjFzO 1024 bytes
c:\windows\TEMP\sqlite_CIEmMva3lNDgqD6 1024 bytes
c:\windows\TEMP\sqlite_citv5tnyhxkAVsh 0 bytes
c:\windows\TEMP\sqlite_CNFbalswStPW8ag 1024 bytes
c:\windows\TEMP\sqlite_CntBmKF1j5BMNcy 0 bytes
c:\windows\TEMP\sqlite_cOGeeDLgB3gZa6V 1024 bytes
c:\windows\TEMP\sqlite_cQ6Uxfkr7alEgI5 1024 bytes
c:\windows\TEMP\sqlite_CSmVeXHhXdbQu4l 1024 bytes
c:\windows\TEMP\sqlite_DaQQO85ULROSwev 1024 bytes
c:\windows\TEMP\sqlite_DcIPqCgiLVjXcUD 0 bytes
c:\windows\TEMP\sqlite_dcOWVb5gTnfV1lW 0 bytes
c:\windows\TEMP\sqlite_de3zWmsykDSmCax 1024 bytes
c:\windows\TEMP\sqlite_DhNV57Jy3R9tPVV 1024 bytes
c:\windows\TEMP\sqlite_DiyeZd27jQ234WT 1024 bytes
c:\windows\TEMP\sqlite_dLitNcEJtXjSX4C 0 bytes
c:\windows\TEMP\sqlite_wbPllxFBzJH58ot 0 bytes
c:\windows\TEMP\sqlite_wFH1WKyspfsnbQw 1024 bytes
c:\windows\TEMP\sqlite_WJKehs7f1HebRTg 1024 bytes
c:\windows\TEMP\sqlite_wPUXy0BhWn9gsK3 1024 bytes
c:\windows\TEMP\sqlite_wqLmHh6QiiVyszX 1024 bytes
c:\windows\TEMP\sqlite_wucu4qKgohPr9DX 1024 bytes
c:\windows\TEMP\sqlite_Wumg84bdMwyvbrS 0 bytes
c:\windows\TEMP\sqlite_WV2Q7ojEhkNX664 0 bytes
c:\windows\TEMP\sqlite_xaJE6GhyzcN7Mea 0 bytes
c:\windows\TEMP\sqlite_xDe2OEfyXfgwyyh 1024 bytes
c:\windows\TEMP\sqlite_xsQdla6F5UVCOEk 0 bytes
c:\windows\TEMP\sqlite_XTIokCnEVtgfzJ2 1024 bytes
c:\windows\TEMP\sqlite_XU11knpFlScT40C 1024 bytes
c:\windows\TEMP\sqlite_xY6wR4TitZAG7bO 0 bytes
c:\windows\TEMP\sqlite_yd9MVBaIyMMRAFK 1024 bytes
c:\windows\TEMP\sqlite_YdVUDVBDqg5UNmM 0 bytes
c:\windows\TEMP\sqlite_YIlxp5PyPWUb5Bj 1024 bytes
c:\windows\TEMP\sqlite_ysodB3rY646j8wi 0 bytes
c:\windows\TEMP\sqlite_yTcmokz6McgTbkP 1024 bytes
c:\windows\TEMP\sqlite_Z4Dt2SHVStwltqE 1024 bytes
c:\windows\TEMP\sqlite_ZgUlX6SgeMTw1kl 1024 bytes
c:\windows\TEMP\sqlite_ZlqNbRs7gZAzKAj 0 bytes
c:\windows\TEMP\sqlite_gXIo9MIWPY5xOlx 1024 bytes
c:\windows\TEMP\sqlite_GXIv3aCKbKkypLm 1024 bytes
c:\windows\TEMP\sqlite_h1925HaMU3PRNie 1024 bytes
c:\windows\TEMP\sqlite_hjq4hagVPgltaP7 1024 bytes
c:\windows\TEMP\sqlite_HkgG9iBhQ2lbgzk 0 bytes
c:\windows\TEMP\sqlite_hNGMX0TuAOhr2mN 1024 bytes
c:\windows\TEMP\sqlite_hNJYEqaFw5rzPrA 1024 bytes
c:\windows\TEMP\sqlite_hnk17iU8VPBeTK5 1024 bytes
c:\windows\TEMP\sqlite_HokS3MSJZPHz9Ft 1024 bytes
c:\windows\TEMP\sqlite_HPhabqyqvDykXWe 0 bytes
c:\windows\TEMP\sqlite_HQ7fNuH00asDTMa 0 bytes
c:\windows\TEMP\sqlite_HZAWBEiRso9ccex 1024 bytes
c:\windows\TEMP\sqlite_i0R0dIi97bolIcv 0 bytes
c:\windows\TEMP\sqlite_I3L81P3oe0Lw8Xb 0 bytes
c:\windows\TEMP\sqlite_IbMGvaDDcGWlmYU 1024 bytes
c:\windows\TEMP\sqlite_IC4Bvg4AbDbOxyl 1024 bytes
c:\windows\TEMP\sqlite_ifpV0vwW17CgJC8 1024 bytes
c:\windows\TEMP\sqlite_6YNWpdc9E0rQ6Cg 1024 bytes
c:\windows\TEMP\sqlite_79EwgouQ5iqzYZM 0 bytes
c:\windows\TEMP\sqlite_7bjA2F1TJCNIAEi 0 bytes
c:\windows\TEMP\sqlite_7UJvnMB7OcdNZ5l 1024 bytes
c:\windows\TEMP\sqlite_8J1TDZ8VCqbcO2U 0 bytes
c:\windows\TEMP\sqlite_Kpc7yRfAIPiIm19 1024 bytes
c:\windows\TEMP\sqlite_KV5VXQjkzCfU6bl 1024 bytes
c:\windows\TEMP\sqlite_kz3xzcic8USzSKC 0 bytes
c:\windows\TEMP\sqlite_L2l1FaAzXU07Rgl 1024 bytes
c:\windows\TEMP\sqlite_LAgfKBSdiws9L6X 0 bytes
c:\windows\TEMP\sqlite_LaLOAl1ZxyIgl13 0 bytes
c:\windows\TEMP\sqlite_lawi52W50fVAaXB 1024 bytes
c:\windows\TEMP\sqlite_lbzZofC9x5dNJBf 1024 bytes
c:\windows\TEMP\sqlite_Lcs2chNTHqDuzAC 1024 bytes
c:\windows\TEMP\sqlite_lEGUTeO5piffr9P 0 bytes
c:\windows\TEMP\sqlite_LLy9BcUzv58tnVc 0 bytes
c:\windows\TEMP\sqlite_lndvSPAfwUAtPGo 1024 bytes
c:\windows\TEMP\sqlite_Lo0miUXYeMk6M2R 1024 bytes
c:\windows\TEMP\sqlite_lTpDpAs3itfU8lj 1024 bytes
c:\windows\TEMP\sqlite_LXUQv9XOQTGkxi9 1024 bytes
c:\windows\TEMP\sqlite_M08dQX4ArRvTU62 0 bytes
c:\windows\TEMP\sqlite_m1jad2dggrPQAYS 1024 bytes
c:\windows\TEMP\sqlite_M5BeHx7Z5tst543 0 bytes
c:\windows\TEMP\sqlite_m8eiHhFv63uMYLd 0 bytes
c:\windows\TEMP\sqlite_mcaJKUWGUna9jgr 1024 bytes
c:\windows\TEMP\sqlite_MDZBdNdBGj3Qnaz 0 bytes
c:\windows\TEMP\sqlite_MGH0UJGkNCVQDUR 1024 bytes
c:\windows\TEMP\sqlite_MJVMxtMNTlfxOQM 1024 bytes
c:\windows\TEMP\sqlite_SA15XOSYQyl3XWI 0 bytes
c:\windows\TEMP\sqlite_savzKvb7qv5LPXR 0 bytes
c:\windows\TEMP\sqlite_sCnqppBzX3IkAfs 0 bytes
c:\windows\TEMP\sqlite_SFvT9zSeVrAt3dH 1024 bytes
c:\windows\TEMP\sqlite_sleosbTZFEwWYvx 0 bytes
c:\windows\TEMP\sqlite_snlYeFbNzkskoOg 1024 bytes
c:\windows\TEMP\sqlite_t0yI0vE0lOUNm82 1024 bytes
c:\windows\TEMP\sqlite_T3wjhL1TEHSMpPF 0 bytes
c:\windows\TEMP\sqlite_ta8lI1I7SVIRUqc 1024 bytes
c:\windows\TEMP\sqlite_TbtfSnpKEJaw7om 1024 bytes
c:\windows\TEMP\sqlite_Tfo7COrmfuEIteT 1024 bytes
c:\windows\TEMP\sqlite_ThzSkgrybnUeAQn 1024 bytes
c:\windows\TEMP\sqlite_TIF3KUD1FFvq3zs 0 bytes
c:\windows\TEMP\sqlite_TIFzQyH9IbOdqmB 1024 bytes
c:\windows\TEMP\sqlite_tM5yEk1vfjpCjTn 1024 bytes
c:\windows\TEMP\sqlite_tMUlBJbfli7p0OG 1024 bytes
c:\windows\TEMP\sqlite_tsf23yzxqo2hXOs 0 bytes
c:\windows\TEMP\sqlite_TvaYi6A1i3INoyR 1024 bytes
c:\windows\TEMP\sqlite_TWKzmOGgxIy2f48 1024 bytes
c:\windows\TEMP\sqlite_tztiUgkFIPSAmge 1024 bytes
c:\windows\TEMP\sqlite_ElP81E3jg3RHFMc 1024 bytes
c:\windows\TEMP\sqlite_eLsynSfXhEq5FoQ 1024 bytes
c:\windows\TEMP\sqlite_EO76THexfofe8bO 1024 bytes
c:\windows\TEMP\sqlite_EU5NkbLLcqaS0bn 1024 bytes
c:\windows\TEMP\sqlite_EUQTB5CZuFxe31c 0 bytes
c:\windows\TEMP\sqlite_ewQyTLj3C0EKAYJ 0 bytes
c:\windows\TEMP\sqlite_EXBRgKcrdrtgV5V 0 bytes
c:\windows\TEMP\sqlite_eYgF4DmblhXArJl 1024 bytes
c:\windows\TEMP\sqlite_F8a2u5vHZZF4g6y 1024 bytes
c:\windows\TEMP\sqlite_fANzsAFjoYm6dw4 1024 bytes
c:\windows\TEMP\sqlite_fE5gtQlnA0NOepm 0 bytes
c:\windows\TEMP\sqlite_FehGStzKsGlJK0m 1024 bytes
c:\windows\TEMP\sqlite_ffNEuV6DEvaO3mw 1024 bytes
c:\windows\TEMP\sqlite_FgjC8XcpMJRzhvh 1024 bytes
c:\windows\TEMP\sqlite_FiBBYYPoQBSN92m 1024 bytes
c:\windows\TEMP\sqlite_FKTSIhRsplnKDzG 1024 bytes
c:\windows\TEMP\sqlite_FNYeDtcXXxEXOGv 1024 bytes
c:\windows\TEMP\sqlite_foTMvI8kZXGTVr8 1024 bytes
c:\windows\TEMP\sqlite_fp8Ioc3aOV2LFXi 1024 bytes
c:\windows\TEMP\sqlite_FPTcnm3pqJFJr9A 0 bytes
c:\windows\TEMP\sqlite_g4HG8RstAmlZQGn 1024 bytes
c:\windows\TEMP\sqlite_G7uwr7RcWLsGAlo 0 bytes
c:\windows\TEMP\sqlite_G80SRRn99P95vie 0 bytes
c:\windows\TEMP\sqlite_g9I2LwF3lG3cER4 1024 bytes
c:\windows\TEMP\sqlite_g9pPqDRhjsxNH2F 1024 bytes
c:\windows\TEMP\sqlite_gFFFTdUbl5YY7OP 0 bytes
c:\windows\TEMP\sqlite_gg6YzelhvRGj3ed 1024 bytes
c:\windows\TEMP\sqlite_GgDzbzJpbfbBpxi 1024 bytes
c:\windows\TEMP\sqlite_GGhwHZD1fTV4SP7 0 bytes
c:\windows\TEMP\sqlite_gIcoMEnmG9WcLI7 1024 bytes
c:\windows\TEMP\sqlite_9oEdn4ePtAmy1md 0 bytes
c:\windows\TEMP\sqlite_9rmYj1iBepvr5Xg 1024 bytes
c:\windows\TEMP\sqlite_a8bXFh8P0v2WUA0 0 bytes
c:\windows\TEMP\sqlite_aAubcHXk4hnhFYa 0 bytes
c:\windows\TEMP\sqlite_AbxPHDumW7jwmfc 1024 bytes
c:\windows\TEMP\sqlite_Af4Iwfm6dhzaBY1 1024 bytes
c:\windows\TEMP\sqlite_AfK1dtXk92reNww
c:\windows\TEMP\sqlite_AftOEsjfDroUli7 1024 bytes
c:\windows\TEMP\sqlite_AhQqyXEuGG90Q3R 1024 bytes
c:\windows\TEMP\sqlite_Ai3ocaIpOEEjOuE 0 bytes
c:\windows\TEMP\sqlite_aJyuCWlhGhPW0IW 1024 bytes
c:\windows\TEMP\sqlite_AOBgQZCo2RtRtgB 0 bytes
c:\windows\TEMP\sqlite_aOlZciZMtJArVKk 1024 bytes
c:\windows\TEMP\sqlite_aRRoajlX9Vu1TF5 1024 bytes
c:\windows\TEMP\sqlite_zrb3q4CidWSymQf 1024 bytes
c:\windows\TEMP\sqlite_zuQawmnlHLHW4tC 0 bytes
c:\windows\TEMP\T30DebugLogFile.txt 0 bytes
c:\windows\TEMP\Temporary Internet Files
c:\windows\TEMP\Temporary Internet Files\Content.IE5
c:\windows\TEMP\Temporary Internet Files\Content.IE5\23E9WLGP
c:\windows\TEMP\Temporary Internet Files\Content.IE5\23E9WLGP\desktop.ini 67 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\4KSAN3EU
c:\windows\TEMP\Temporary Internet Files\Content.IE5\4KSAN3EU\btn_type3_left_22x4[1].gif 182 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\4KSAN3EU\btn_type3_left_22x4[2].gif 182 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\4KSAN3EU\desktop.ini 67 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\4KSAN3EU\JClassFactory[1].js 6319 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\4KSAN3EU\RegisterNewUser[1].htm 16961 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\4KSAN3EU\RegWizard_Style2[1].css 3604 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\4KSAN3EU\RegWiz_Style[1].css 13500 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\desktop.ini 67 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\index.dat 49152 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\JBC3XV2J
c:\windows\TEMP\Temporary Internet Files\Content.IE5\JBC3XV2J\anim_meter[1].gif 46824 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\JBC3XV2J\btn_type3_right_22x4[1].gif 183 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\JBC3XV2J\buttonbg[1].gif 830 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\JBC3XV2J\ClientDataReader[1].htm 3217 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\JBC3XV2J\ClientDataReader[2].htm 39615 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\JBC3XV2J\desktop.ini 67 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\JBC3XV2J\fieldSetBoxDisplay[1].gif 488 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\JBC3XV2J\JCPanel[1].js 2900 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\KXCJLKF2
c:\windows\TEMP\Temporary Internet Files\Content.IE5\KXCJLKF2\bg_pc[1].gif 16925 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\KXCJLKF2\bg_print[1].gif 104 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\KXCJLKF2\buttons[1].css 643 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\KXCJLKF2\desktop.ini 67 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\KXCJLKF2\JCButton[1].js 6105 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\KXCJLKF2\NotificationOptIn[1].htm 14535 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\KXCJLKF2\RegisterNewUser[1].htm 28901 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\KXCJLKF2\RegWizard_Style[1].css 7206 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\PSHP2TPT
c:\windows\TEMP\Temporary Internet Files\Content.IE5\PSHP2TPT\btn_print[1].gif 243 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\PSHP2TPT\btn_type3_bg_22x4[1].gif 289 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\PSHP2TPT\Common[1].vbs 17528 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\PSHP2TPT\desktop.ini 67 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\PSHP2TPT\JCImageLoader[1].js 2058 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\PSHP2TPT\NotificationOptIn[1].htm 12084 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\PSHP2TPT\RegisterNewUser[1].htm 17023 bytes
c:\windows\TEMP\UAC5e49.tmp 67072 bytes executable
c:\windows\TEMP\UAC7b41.tmp 67072 bytes executable
c:\windows\TEMP\UAC9076.tmp 67072 bytes executable
c:\windows\TEMP\UACf278.tmp 67072 bytes executable
c:\windows\TEMP\UACf5e.tmp 67072 bytes executable
c:\windows\TEMP\update000.log 607 bytes
c:\windows\TEMP\WGAErrLog.txt 255 bytes
c:\windows\TEMP\WGANotify.settings 409 bytes
c:\windows\TEMP\_ISTMP1.DIR
c:\windows\TEMP\_ISTMP1.DIR\_ISTMP0.DIR
c:\windows\TEMP\_ISTMP1.DIR\_ISTMP0.DIR\value.shl 728 bytes
c:\windows\TEMP\sqlite_u2pEaGJPdOUGrhC 1024 bytes
c:\windows\TEMP\sqlite_u7d8YyhcOFYorO9 1024 bytes
c:\windows\TEMP\sqlite_UBZrIEJERPbIheN 1024 bytes
c:\windows\TEMP\sqlite_UERkAxaBZccNU0K 0 bytes
c:\windows\TEMP\sqlite_UFTaR8NGeVBdYbi 0 bytes
c:\windows\TEMP\sqlite_UI6jJyrC5SoqMGv 1024 bytes
c:\windows\TEMP\sqlite_Ul077OBSD8j3H3n 1024 bytes
c:\windows\TEMP\sqlite_uWPxvLrkEtSAhTj 0 bytes
c:\windows\TEMP\sqlite_vc0mjVZbIyxpKLA 1024 bytes
c:\windows\TEMP\sqlite_VhGNEzbVhNsDzdj 1024 bytes
c:\windows\TEMP\sqlite_vKparchbZZviDkg 1024 bytes
c:\windows\TEMP\sqlite_vMM8fLpJVfFslnP 1024 bytes
c:\windows\TEMP\sqlite_vO0HiDsNMkQsGve 0 bytes
c:\windows\TEMP\sqlite_vUdVibBWgs12x2U 1024 bytes
c:\windows\TEMP\sqlite_VVmkfD2CCC58u2L 1024 bytes
c:\windows\TEMP\sqlite_w28bgxPapvV9KXs 1024 bytes
c:\windows\TEMP\sqlite_w8rNnM1vLhNoC9i 0 bytes
c:\windows\TEMP\sqlite_8QAUhCCd3Etifeq 1024 bytes
c:\windows\TEMP\sqlite_b5POhfy26taYzxn 1024 bytes
c:\windows\TEMP\sqlite_c4RW6lnDQCXx3Lx 1024 bytes
c:\windows\TEMP\sqlite_DMexw1K9v8YzRNq 1024 bytes
c:\windows\TEMP\sqlite_ElK6lIIlewMKCO6 1024 bytes
c:\windows\TEMP\sqlite_gWe85VRMZLlXw8Y 1024 bytes
c:\windows\TEMP\sqlite_IHzbe7t9QbTiKVV 0 bytes
c:\windows\TEMP\sqlite_KICIFWld86hlOh8 1024 bytes
c:\windows\TEMP\sqlite_MMrG7f7zLbtgpRm 1024 bytes
c:\windows\TEMP\sqlite_ooLmBgFYZUbZkH6 1024 bytes
c:\windows\TEMP\sqlite_S9Wp4OnGDsCEkPB 1024 bytes
c:\windows\TEMP\sqlite_tZxzsOKfOlybJyn 0 bytes
c:\windows\TEMP\sqlite_WbJO07q3R6ayB79 1024 bytes
c:\windows\TEMP\sqlite_znnC75IehG4g0E3 1024 bytes
c:\windows\TEMP\hpqddsvc.log 3409 bytes
c:\windows\TEMP\sqlite_mS93ajJ9BAyEUVR 0 bytes
c:\windows\TEMP\sqlite_MvuJEMdjQdIFCFF 1024 bytes
c:\windows\TEMP\sqlite_N02QAv3OjjGHOYA 1024 bytes
c:\windows\TEMP\sqlite_n2wEyYnLzxdROeD 0 bytes
c:\windows\TEMP\sqlite_N9Fk2ZmRm9KPzCG 0 bytes
c:\windows\TEMP\sqlite_ncSWTth4gxD6Dgx 0 bytes
c:\windows\TEMP\sqlite_Ne6F8FaVWEKQsQp 0 bytes
c:\windows\TEMP\sqlite_NQe5vhdiqWWhREf 0 bytes
c:\windows\TEMP\sqlite_NRHfSINg1OCvrEe 1024 bytes
c:\windows\TEMP\sqlite_nS1ZqWmzmpvkSci 1024 bytes
c:\windows\TEMP\sqlite_NxeJlfG2mdIyl4H 1024 bytes
c:\windows\TEMP\sqlite_O9rEA31e9lLEaB7 1024 bytes
c:\windows\TEMP\sqlite_oappbb2VhurtKlK 0 bytes
c:\windows\TEMP\sqlite_OdfVPeJgx6Tx2pA 0 bytes
c:\windows\TEMP\sqlite_ODV81BwbLCOupzn 1024 bytes
c:\windows\TEMP\sqlite_ofcmd4xWKxLHE0b 0 bytes
c:\windows\TEMP\sqlite_OIbVAbq7lgxjR43 1024 bytes
c:\windows\TEMP\sqlite_ONtyZ1BvCofDtJR 1024 bytes
c:\windows\TEMP\sqlite_ISJSSYpi8wQeEUU 1024 bytes
c:\windows\TEMP\sqlite_J2poovlmsaMg2wt 1024 bytes
c:\windows\TEMP\sqlite_J8SKWZVQ6CzV2Bu 1024 bytes
c:\windows\TEMP\sqlite_jBJ6pjgjs61K8Sl 1024 bytes
c:\windows\TEMP\sqlite_jgi1KFgW1CYmji5 0 bytes
c:\windows\TEMP\sqlite_jgtJhj0cj7IIrK7 1024 bytes
c:\windows\TEMP\sqlite_JRaiRyXeWh3wCvO 1024 bytes
c:\windows\TEMP\sqlite_jrEFA8DuGXMTIBm 1024 bytes
c:\windows\TEMP\sqlite_JuvyrTXZPqWekYY 1024 bytes
c:\windows\TEMP\sqlite_JxOvUBBhZrbvpwY 1024 bytes
c:\windows\TEMP\sqlite_jZKNctAFBeOsq6G 0 bytes
c:\windows\TEMP\sqlite_jZKNctAFBeOsq6G-journal 512 bytes
c:\windows\TEMP\sqlite_k6EfPhKnaTPDmPA 0 bytes
c:\windows\TEMP\sqlite_k9lOGFatGGSKRZS 0 bytes
c:\windows\TEMP\sqlite_KBFslaYxwhcerFe 1024 bytes
c:\windows\TEMP\sqlite_kCTXrlfKiE3ZIXE 1024 bytes
c:\windows\TEMP\sqlite_KdSxduItx2ln2rD 0 bytes
c:\windows\TEMP\sqlite_keN4bdkMBcuEFAZ 0 bytes
c:\windows\TEMP\sqlite_kfcMgxBtewXIfxg 1024 bytes
c:\windows\TEMP\sqlite_b9D24jljmsv4Rof 0 bytes
c:\windows\TEMP\sqlite_BAD9w19dHgvwDTl 1024 bytes
c:\windows\TEMP\sqlite_BAGJqywLgO9eNwu 1024 bytes
c:\windows\TEMP\sqlite_bbNXzQOzb0Ep5rV 0 bytes
c:\windows\TEMP\sqlite_BbR8k1KUEV66T8H 1024 bytes
c:\windows\TEMP\sqlite_BCyElHw4X4lndyi 1024 bytes
c:\windows\TEMP\sqlite_BEyy9H9fdWigb17 1024 bytes
c:\windows\TEMP\sqlite_BKZtWXcUaJqdaga 1024 bytes
c:\windows\TEMP\sqlite_BLU5LIaPqIB2WPs 0 bytes
c:\windows\TEMP\sqlite_BVCPKBaUFgt5UtO 1024 bytes
c:\windows\TEMP\sqlite_bvW0AXqKjowmeNj 1024 bytes
c:\windows\TEMP\sqlite_C3SJQm2t61Ji5Yn 0 bytes
c:\windows\TEMP\sqlite_C46cMraD4blhxZw 0 bytes
c:\windows\TEMP\sqlite_dMpxhyH9tUytbyE 0 bytes
c:\windows\TEMP\sqlite_dMwruP3o2SL759T 0 bytes
c:\windows\TEMP\sqlite_do1sYpldLTcxziq 1024 bytes
c:\windows\TEMP\sqlite_DqhSh23sZziIMMP 1024 bytes
c:\windows\TEMP\sqlite_dVXWX8Ot5mCPRsb 1024 bytes
c:\windows\TEMP\sqlite_dvY10sjur6f3AwG 0 bytes
c:\windows\TEMP\sqlite_DyggddmTzR53irS 1024 bytes
c:\windows\TEMP\sqlite_e0BxRHLEgOZY0Qx 1024 bytes
c:\windows\TEMP\sqlite_E1XbthkRXhA7Fvz 1024 bytes
c:\windows\TEMP\sqlite_E998qv3ilh7fUPl 1024 bytes
c:\windows\TEMP\sqlite_eChK2Ea98ybizYO 1024 bytes
c:\windows\TEMP\sqlite_eciY8yuKFxzvM75 1024 bytes
c:\windows\TEMP\sqlite_eK92Y2XXfVlG5UA 1024 bytes

scan completed successfully
hidden files: 327

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(680)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(3456)
c:\program files\Spyware Doctor\pctgmhk.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Spyware Doctor\pctsSvc.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\SYSTEM32\WSCNTFY.EXE
c:\windows\SoftwareDistribution\Download\2d8407673ea9865ef7cd775540e3a36b\update\update.exe
.
**************************************************************************
.
Completion time: 2009-07-08 22:38 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-08 02:38

Pre-Run: 216,550,662,144 bytes free
Post-Run: 217,380,827,136 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

574

Attached File(s)
Attached File  combo_fix.txt ( 32.45K ) Number of downloads: 47
 
CatByte
post Jul 7 2009, 10:04 PM
Post #7


Classroom Administrator

Group: Classroom Admin
Posts: 9,667
Joined: 18-November 04
From: Canada
Member No.: 18,614
Operating System: xp sp3



Hi,

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

CODE
http://forums.whatthetech.com/Infected_Malware_started_antivirus_system_pro_2009_t104913.html&view=findpost&p=575767#entry575767

Collect::
c:\windows\system32\drivers\468698c2.sys
C:\kkfwg.exe
C:\fdvjfx.exe
C:\gklrwl.exe
C:\tcburi.exe
c:\windows\bf23567.dat
c:\windows\jmmark2.dat

KillAll::

Folder::
c:\program files\drv

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
"drv"=-

Driver::
468698c2

DDS::
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
IE: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZKxdm006MWUS


Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop. Save it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As..., then change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

**Note**
When CF finishes running, the ComboFix log will open along with a message box; do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.




KDM8019
post Jul 8 2009, 03:55 AM
Post #8


New Member

Group: Authentic Member
Posts: 9
Joined: 7-July 09
Member No.: 86,598
Operating System: Windows XP



Good Morning,

Here is the log you requested.

Ken

ComboFix 09-07-07.A4 - Jill 07/08/2009 5:36.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.204 [GMT -4:00]
Running from: c:\documents and settings\Jill\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Jill\Desktop\cfscript.txt
* Created a new restore point

file zipped: C:\fdvjfx.exe
file zipped: C:\gklrwl.exe
file zipped: C:\kkfwg.exe
file zipped: C:\tcburi.exe
file zipped: c:\windows\bf23567.dat
file zipped: c:\windows\jmmark2.dat
file zipped: c:\windows\system32\drivers\468698c2.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\fdvjfx.exe
C:\gklrwl.exe
C:\kkfwg.exe
c:\program files\drv
c:\program files\drv\drv.dll
C:\tcburi.exe
c:\windows\bf23567.dat
c:\windows\jmmark2.dat
c:\windows\system32\drivers\468698c2.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_468698c2


((((((((((((((((((((((((( Files Created from 2009-06-08 to 2009-07-08 )))))))))))))))))))))))))))))))
.

2009-07-08 02:53 . 2009-07-08 02:53 -------- d-----w- c:\documents and settings\Jill\Application Data\Malwarebytes
2009-07-08 02:20 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-07-08 02:20 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-07-08 00:48 . 2009-07-08 00:48 -------- d-----w- c:\program files\Trend Micro
2009-07-07 23:10 . 2004-08-04 11:00 23040 ------w- c:\windows\system32\psapi.dll
2009-07-07 22:35 . 2009-07-07 22:35 -------- d-----w- c:\documents and settings\Ken\Application Data\SUPERAntiSpyware.com
2009-07-07 22:35 . 2009-07-07 22:35 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-07 22:32 . 2009-07-07 22:32 -------- d-----w- c:\documents and settings\Ken\Local Settings\Application Data\Wal-Mart Music Downloads
2009-07-07 22:13 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-07 22:13 . 2009-07-07 22:13 -------- d-----w- c:\program files\MB
2009-07-07 22:13 . 2009-07-07 22:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-07 22:13 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-07 22:03 . 2009-07-07 22:03 -------- d-----w- c:\program files\Java
2009-07-07 21:43 . 2009-07-07 21:43 -------- d-----w- c:\program files\CCleaner
2009-07-06 01:56 . 2009-07-06 01:56 -------- d-----w- c:\documents and settings\Jill\Application Data\SACore
2009-07-06 00:55 . 2008-12-11 12:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-07-06 00:54 . 2009-04-03 15:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-07-06 00:54 . 2008-12-18 16:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-07-06 00:54 . 2009-07-08 09:45 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-06 00:54 . 2009-07-06 00:56 -------- d-----w- c:\program files\Common Files\PC Tools
2009-07-06 00:54 . 2008-12-10 15:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-07-06 00:54 . 2009-07-07 22:55 -------- d-----w- c:\program files\Spyware Doctor
2009-07-06 00:54 . 2009-07-06 00:54 -------- d-----w- c:\documents and settings\Ken\Application Data\PC Tools
2009-07-06 00:54 . 2009-07-06 00:54 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-07-05 21:22 . 2009-07-05 21:22 -------- d-----w- c:\documents and settings\Ken\Application Data\FileOpen
2009-06-23 01:32 . 2009-07-07 22:03 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-11 23:15 . 2009-07-05 17:14 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-06-11 22:24 . 2009-07-08 01:49 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-06-11 21:57 . 2009-07-08 02:10 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-06-09 15:39 . 2009-06-09 15:39 -------- d-----w- C:\PC HugWare

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-08 02:10 . 2005-03-02 16:11 -------- d-----w- c:\program files\McAfee.com
2009-07-07 22:35 . 2008-08-19 10:05 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-07 22:31 . 2007-11-26 01:43 -------- d-----w- c:\program files\Google
2009-07-07 22:30 . 2009-02-18 23:01 -------- d-----w- c:\program files\Coupons
2009-07-05 02:46 . 2005-03-05 21:19 124352 ----a-w- c:\documents and settings\Ken\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-21 13:06 . 2005-07-29 00:25 -------- d-----w- c:\program files\Common Files\HP
2009-06-11 11:56 . 2008-04-05 12:37 124352 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-06-10 00:01 . 2009-06-02 22:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-06-10 00:00 . 2009-06-02 22:07 -------- d-----w- c:\documents and settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2009-06-02 22:05 . 2009-06-02 22:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-06-02 22:01 . 2009-06-02 22:01 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-05-16 18:59 . 2008-11-27 01:39 -------- d-----w- c:\program files\Hardwood Euchre
2009-05-14 00:17 . 2009-05-14 00:17 -------- d-----w- c:\program files\OverDrive Media Console
2009-05-07 15:44 . 2004-08-04 11:00 344064 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2004-08-04 11:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 11:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 09:58 . 2004-08-04 11:00 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 15:26 . 2004-08-04 11:00 583168 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-07-08_02.26.08 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-08 09:44 . 2009-07-08 09:44 16384 c:\windows\temp\Perflib_Perfdata_238.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2004-09-14 131072]
"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-08-07 98304]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-03-13 81920]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-07 148888]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-12-08 1173384]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-5-30 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
Billminder.lnk - c:\program files\Quicken\billmind.exe [2002-7-30 36864]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2002-7-30 53248]
Quicken Startup.lnk - c:\program files\Quicken\QWDLLS.EXE [2002-7-30 36864]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Rhapsody\\rhapsody.exe"=

R0 pctcore;PCTools KDS;c:\windows\SYSTEM32\DRIVERS\PCTCore.sys [7/5/2009 8:54 PM 130936]
R2 sdauxservice;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [7/5/2009 8:54 PM 348752]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\McAfee\SiteAdvisor\McSACore.exe" --> c:\program files\McAfee\SiteAdvisor\McSACore.exe [?]
S3 VNA;Check Point Virtual Network Adapter;c:\windows\SYSTEM32\DRIVERS\vna.sys [9/5/2004 11:44 AM 108400]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-07-08 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-11-26 00:39]

2009-07-08 c:\windows\Tasks\User_Feed_Synchronization-{B2AE97CA-183B-4A7D-BAF5-5A62628C3075}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 16:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/mywaybiz
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagea...en/preview.html
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-08 05:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(1756)
c:\program files\Spyware Doctor\pctgmhk.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Spyware Doctor\pctsSvc.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\SYSTEM32\WSCNTFY.EXE
.
**************************************************************************
.
Completion time: 2009-07-08 5:52 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-08 09:52
ComboFix2.txt 2009-07-08 02:38

Pre-Run: 216,858,304,512 bytes free
Post-Run: 216,846,024,704 bytes free

198

Attached File(s)
Attached File  combo_fix2.txt ( 12.53K ) Number of downloads: 102
 
CatByte
post Jul 8 2009, 05:58 AM
Post #9


Classroom Administrator
Group Icon

Group: Classroom Admin
Posts: 9,667
Joined: 18-November 04
From: Canada
Member No.: 18,614
Operating System: xp sp3



Hi,

The files I had hoped to upload didn't go through.

Please do the following:

  • Go to Start >> My Computer > C:\
  • Then Navigate to the C:\Qoobox\Quarantine folder.
  • Find the archive zip file called "[4]-Submit_Date_Time.zip" (Date_Time will be the Date/Time of the last ComboFix run)
  • Simply go to This Channel and upload the submit.zip archive file to me.
  • Follow the instructions on that page to copy/paste/send the requested file.


Please let me know that the upload was successful.


NEXT

Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
  • Once it's finished it should automatically reboot your machine;
  • if it doesn't, manually reboot to ensure a complete clean.

It's normal after running TFC cleaner that the PC will be slower to boot the first time.

NEXT

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.


Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT

**Vista users - right click on the IE icon and run as administrator

Run an on-line scan with Kaspersky

Using Internet Explorer or Firefox, visit Kaspersky On-line Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.


  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply



In your next reply please include
  • MBAM Log
  • Kaspersky report






KDM8019
post Jul 8 2009, 04:18 PM
Post #10


New Member
*

Group: Authentic Member
Posts: 9
Joined: 7-July 09
Member No.: 86,598
Operating System: Windows XP



Hi Catbyte,

Sorry for the delay, I have been at work, away from my albatross.

The zip file was uploaded successfully. Working on the scans now.

CatByte
post Jul 8 2009, 05:32 PM
Post #11


Classroom Administrator
Group Icon

Group: Classroom Admin
Posts: 9,667
Joined: 18-November 04
From: Canada
Member No.: 18,614
Operating System: xp sp3



thumbup.gif
KDM8019
post Jul 8 2009, 06:36 PM
Post #12


New Member
*

Group: Authentic Member
Posts: 9
Joined: 7-July 09
Member No.: 86,598
Operating System: Windows XP



Kaspersky is an hour and a half into the scan, about 65% complete.

Here is the MBAM report... Kaspersky is on its way soon... I hope.
Attached File(s)
Attached File  mbam_log_2009_07_08__18_32_53_.txt ( 2.06K ) Number of downloads: 13
 
CatByte
post Jul 8 2009, 06:40 PM
Post #13


Classroom Administrator
Group Icon

Group: Classroom Admin
Posts: 9,667
Joined: 18-November 04
From: Canada
Member No.: 18,614
Operating System: xp sp3



thumbup.gif

Kaspersky can take 4 hours or more.
KDM8019
post Jul 8 2009, 07:45 PM
Post #14


New Member
*

Group: Authentic Member
Posts: 9
Joined: 7-July 09
Member No.: 86,598
Operating System: Windows XP



Kaspersky scan complete thumbup.gif

Here is the log...

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Wednesday, July 8, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Thursday, July 09, 2009 00:39:13
Records in database: 2445763
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Files scanned: 86449
Threat name: 10
Infected objects: 19
Suspicious objects: 51
Duration of the scan: 02:04:53


File name / Threat name / Threats count
C:\Documents and Settings\Jill\Local Settings\Application Data\Identities\{4CFF26F8-3336-4220-8023-576507616466}\Microsoft\Outlook Express\McAfee Anti-Spam.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 22
C:\Documents and Settings\Jill\Local Settings\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\Microsoft\Outlook Express\Deleted Items.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 2
C:\Documents and Settings\Jill\Local Settings\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\Microsoft\Outlook Express\McAfee Anti-Spam.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 27
C:\Qoobox\Quarantine\C\Program Files\drv\drv.dll.vir Infected: Trojan-Downloader.Win32.Agent.chpc 1
C:\Qoobox\Quarantine\C\WINDOWS\ld12.exe.vir Infected: Trojan.Win32.Agent.covi 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACpboyrgomqfqmoirxd.sys.vir Infected: Rootkit.Win32.Agent.lzl 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\lsp.dll.vir Infected: Trojan-Proxy.Win32.Agent.bpi 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACauakxidmgiswtrjen.dll.vir Infected: Packed.Win32.Tdss.m 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACbobqaimpulhypitys.dll.vir Infected: Packed.Win32.Tdss.m 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACkusuphkbisrxrlelx.dll.vir Infected: Trojan.Win32.TDSS.adzz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACrqqihhsqlxnwsgwgx.dll.vir Infected: Packed.Win32.Tdss.m 1
C:\Qoobox\Quarantine\[4]-Submit_2009-07-08_05.35.49.zip Infected: Backdoor.Win32.NewRest.an 1
C:\Qoobox\Quarantine\[4]-Submit_2009-07-08_05.35.49.zip Infected: Virus.Win32.Virut.ce 1
C:\Qoobox\Quarantine\[4]-Submit_2009-07-08_05.35.49.zip Infected: Trojan-Downloader.Win32.Clopack.a 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0001001.sys Infected: Rootkit.Win32.Agent.lzl 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0001002.dll Infected: Packed.Win32.Tdss.m 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0001003.dll Infected: Packed.Win32.Tdss.m 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0001004.dll Infected: Packed.Win32.Tdss.m 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0001005.dll Infected: Trojan.Win32.TDSS.adzz 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0001276.exe Infected: Trojan.Win32.Agent.covi 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0001283.dll Infected: Trojan-Proxy.Win32.Agent.bpi 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0001612.dll Infected: Trojan-Downloader.Win32.Agent.chpc 1

The selected area was scanned.

Attached File(s)
Attached File  kaspersky_report.txt ( 3.5K ) Number of downloads: 112
 
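The report above is long, but almost every line is a file that is already out of harm's way. As an added example (not part of this thread, and not Kaspersky's or ComboFix's own tooling), the following Python script parses the "File name / Threat name / Threats count" lines and buckets each finding by where it lives: ComboFix's quarantine, an old System Restore point, an Outlook Express mail store (.dbx), or anything else, which is the only bucket that still needs action. The sample input is constructed: five lines copied from the report above plus one made-up "live" entry with a placeholder path and threat name.

```python
import re
from collections import defaultdict

# Constructed sample: five lines taken from the Kaspersky report posted above, plus
# one made-up "live" entry (placeholder path and threat name, not a real detection).
SAMPLE_REPORT = r"""File name / Threat name / Threats count
C:\Documents and Settings\Jill\Local Settings\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\Microsoft\Outlook Express\Deleted Items.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 2
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACpboyrgomqfqmoirxd.sys.vir Infected: Rootkit.Win32.Agent.lzl 1
C:\Qoobox\Quarantine\[4]-Submit_2009-07-08_05.35.49.zip Infected: Virus.Win32.Virut.ce 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0001001.sys Infected: Rootkit.Win32.Agent.lzl 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0001612.dll Infected: Trojan-Downloader.Win32.Agent.chpc 1
C:\WINDOWS\system32\placeholder_live.dll Infected: Placeholder.Constructed.Sample 1
The selected area was scanned.
"""

# One report line: "<path> Infected|Suspicious: <threat name> <count>"
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<status>Infected|Suspicious): (?P<threat>\S+) (?P<count>\d+)$"
)


def parse_report(text):
    """Return a list of finding dicts; header/footer lines that do not match are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["count"] = int(d["count"])
            findings.append(d)
    return findings


def classify(path):
    """Bucket a path by where the object lives, which decides what to do about it."""
    p = path.lower()
    if p.startswith(r"c:\qoobox\quarantine"):
        return "quarantine"       # already neutralised by ComboFix; goes away with Combofix /u
    if r"\system volume information\_restore" in p:
        return "restore_point"    # inert unless that point is restored; purge old points
    if p.endswith(".dbx"):
        return "mail_store"       # Outlook Express mailbox; empty the folder to clear it
    return "live"                 # anything else is an active file and needs attention


def triage(findings):
    """Group findings by bucket, keeping the parsed detail for each one."""
    buckets = defaultdict(list)
    for f in findings:
        buckets[classify(f["path"])].append(f)
    return dict(buckets)


def summarize(findings):
    """Return {bucket: number of report lines} for a quick overview."""
    return {k: len(v) for k, v in triage(findings).items()}


def live_findings(findings):
    """Only the detections outside quarantine, restore points and mail stores."""
    return [f for f in findings if classify(f["path"]) == "live"]


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print(summarize(found))
    for f in live_findings(found):
        print("needs attention:", f["path"], f["threat"])
```

Run against the full report, the only bucket worth acting on is "live"; on this machine it is empty, which is what the helper's next reply says in words. The "count" field is kept because a mailbox line reports how many messages inside the .dbx matched, not how many files.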
CatByte
post Jul 8 2009, 08:24 PM
Post #15


Classroom Administrator
Group Icon

Group: Classroom Admin
Posts: 9,667
Joined: 18-November 04
From: Canada
Member No.: 18,614
Operating System: xp sp3



Hi,

Most of the items found by Kaspersky are in quarantine or old restore points which we will clean up shortly.

The other items are in your email deleted items which you should empty.



Please do the following:


Follow these steps to uninstall Combofix

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the ..X and the /U; it needs to be there.





NEXT

Now to remove the rest of the tools that we have used in fixing your machine:
  • Make sure you have an Internet Connection.
  • Download OTC to your desktop and run it
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.



NEXT

Below I have included a number of recommendations for how to protect your computer against malware infections.

  • Keep Windows updated by regularly checking their website at:
    http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest available security updates installed.

  • SpywareBlaster protects against bad ActiveX; it immunizes your PC against them.

  • SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program (e.g. TeaTimer, Windows Defender) or there will be a conflict.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

  • ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

  • MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE

  • Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from Here


    If you choose to use Firefox, I highly recommend this add-on to keep your PC even more secure.
    • NoScript - for blocking ads and other potential website attacks

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.
  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:
    Think Prevention.
    PC Safety and Security--What Do I Need?.



**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.


Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank you.
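The MVPS HOSTS recommendation above works because every entry in a blocklist-style HOSTS file points at your own machine, so a quick sanity check on the file is whether that is still true of all of it. As an added example (not part of this thread, and not the MVPS project's own tooling), the Python script below parses a HOSTS file and flags two things a defender cares about: localhost no longer mapping to 127.0.0.1, and any name mapped to a routable address, which silently redirects that site. It accepts 0.0.0.0 as well as 127.0.0.1, since blocklists commonly use either as the sinkhole. The sample file is constructed: the blocked names are placeholders in the MVPS style, and the last line is a made-up bad entry using the documentation-only address 203.0.113.5.

```python
import ipaddress

# Constructed sample HOSTS file. The two blocked names are placeholders in the style of
# the MVPS list; the last entry is a made-up bad mapping (203.0.113.5 is a
# documentation-only address) showing the pattern a tampered HOSTS file would have.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.example.net         # MVPS-style block entry (placeholder name)
127.0.0.1       tracker.example.org     # MVPS-style block entry (placeholder name)
203.0.113.5     windowsupdate.microsoft.com  # constructed: update site redirected elsewhere
"""


def parse_hosts(text):
    """Return [(ip, hostname), ...] for every mapping, ignoring blank and comment lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:                    # one line may list several names
            entries.append((ip, name.lower()))
    return entries


def is_sinkhole(ip):
    """True for addresses a blocklist legitimately uses: loopback or the unspecified address."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def audit_hosts(entries):
    """Return a list of problems found in the parsed mappings."""
    issues = []
    localhost_ips = [ip for ip, name in entries if name == "localhost"]
    if "127.0.0.1" not in localhost_ips:
        issues.append("localhost is not mapped to 127.0.0.1")
    for ip, name in entries:
        if not is_sinkhole(ip):
            issues.append(f"{name} is redirected to {ip} (not a loopback/sinkhole address)")
    return issues


if __name__ == "__main__":
    # On a real XP machine the file is %SystemRoot%\system32\drivers\etc\hosts.
    for issue in audit_hosts(parse_hosts(SAMPLE_HOSTS)):
        print("WARNING:", issue)
```

On a clean machine with the MVPS file installed the audit returns an empty list; a single non-sinkhole entry is enough to warrant a closer look, because a legitimate blocklist never needs one.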

Advertisements do not imply our endorsement of that product or service. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk.
Member site: Alliance of Security Analysis Professionals | UNITE Against Malware
© Geeks to Go, Inc. | All Rights Reserved | Privacy Policy