[Resolved] Infections and disabled apps, Blue Screen plus other nasties..any help appreciated
mykl
post Jul 1 2009, 11:34 AM
Post #1


Authentic Member
Group: Authentic Member
Posts: 56
Joined: 7-January 08
Member No.: 75,775
Operating System: Vista

Good Afternoon,

Unfortunately, my PC has been infected.

Whenever I start Windows Vista, I will initially get a popup which asks if I would like this file to be added: C:\Windows\system32\szbtm.exe

I click no, but it doesn't matter because the popup reappears about every 5-10 min.

About a day after this incident, my computer kept crashing, I would get the blue screen and Windows would automatically restart.

After the restart, some program called "System Security" took over. It plastered a desktop wallpaper saying that my computer was infected and seemed to be doing a scan.

I attempted to cancel, launch antivirus, malware programs, and task manager but it prevented me from doing so.

I cold-booted the system and was able to launch Malaware which found and deleted some viruses (the System Security problem seemed to go away but I still get the initial popup and constant blue screen crashes).

In addition, I am unable to launch my MS Office programs. Whenever I try, it acts as if it is trying to install the program from scratch.

I apologize for the long winded post but I wanted to be as detailed as possible.

I am currently using Windows in safe mode and have run Hijackthis.

Here is the log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:27:43 PM, on 7/1/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support

Running processes:
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch...TP&M=GT5674
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch...TP&M=GT5674
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...TP&M=GT5674
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch...TP&M=GT5674
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [ButtonMonitor] C:\Program Files\IOI\ButtonMonitor.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NoteBurner] C:\Program Files\NoteBurner\VTBurnerGUI.exe /silence
O4 - HKLM\..\Run: [cftmon] C:\Windows\system32\szbtm.exe
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Users\mykl\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: PalTalk.lnk = C:\Program Files\Paltalk Messenger\paltalk.exe
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resource/...s/wlscctrl2.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\Gateway Games\Gateway Game Console\GameConsoleService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\Windows\system32\Wacom_Tablet.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

--
End of file - 13040 bytes

Let me thank all in advance for any information or assistance you can provide in this matter.

Michael
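As an added illustration (not part of the thread, and not a tool the helpers here use), here is a small Python triage script that applies the two checks a helper makes by eye on a log like the one above: a Run value whose name imitates a well-known Windows binary (the `[cftmon]` entry, one letter-swap away from ctfmon) but launches a different file, and a freshly created binary sitting under the Windows directory with a generated-looking name. The sample lines are copied from the HijackThis log above and from the "Created Last 30" section of the DDS log posted later in the thread; the lookalike list and the "looks random" heuristic are my own assumptions and produce hints for a person to confirm, not verdicts.

```python
import re

# Constructed sample input: O4 autostart lines copied from the HijackThis log in this
# thread, plus lines from the "Created Last 30" section of the DDS log posted later.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NoteBurner] C:\Program Files\NoteBurner\VTBurnerGUI.exe /silence
O4 - HKLM\..\Run: [cftmon] C:\Windows\system32\szbtm.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
"""
DDS_SAMPLE = r"""
2009-06-30 12:53 <DIR> --d----- c:\program files\Trend Micro
2009-06-29 17:36 138,752 a------- c:\windows\sreo8703.exe
2009-06-29 17:35 889,078 a------- c:\windows\mdhhh0816.exe
2009-06-22 17:49 22,872 a----r-- c:\windows\system32\AdobePDFUI.dll
2009-06-15 17:03 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
"""

O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
DDS_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+(?P<size><DIR>|[\d,]+)\s+(?P<attr>\S+)\s+(?P<path>.+)$")

# Assumed list (my choice, not from the thread) of Windows binaries whose names malware imitates.
LOOKALIKE_TARGETS = ("ctfmon", "svchost", "explorer", "lsass", "csrss", "winlogon", "services")


def image_path(cmd):
    """Executable path from a Run value's command line: quoted paths verbatim,
    unquoted ones cut at the first '.exe' (a rundll32 host is reported as the host)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(?i)(.+?\.exe)", cmd)
    return m.group(1) if m else cmd.split()[0]


def edit_distance(a, b):
    """Plain Levenshtein distance, enough to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_random(stem):
    """Heuristic for generated names: letters optionally followed by 3+ digits, and either
    vowel-free ('szbtm') or a short letter run plus digits ('sreo8703'). A hint, not proof."""
    m = re.fullmatch(r"([a-z]{3,})(\d{3,})?", stem.lower())
    if not m:
        return False
    base, digits = m.groups()
    if digits:
        return len(base) <= 5
    return len(base) >= 4 and not any(v in base for v in "aeiouy")


def triage_o4(line):
    """Reasons a HijackThis O4 line deserves a closer look; [] means nothing odd."""
    m = O4_RE.match(line.strip())
    if not m:
        return []
    name = m.group("name").lower()
    if name.endswith(".exe"):
        name = name[:-4]
    path = image_path(m.group("cmd"))
    stem = re.split(r"[\\/]", path)[-1].rsplit(".", 1)[0]
    reasons = []
    for target in LOOKALIKE_TARGETS:
        # Value name within two edits of a system binary, yet the launched file is something else.
        if edit_distance(name, target) <= 2 and stem.lower() != target:
            reasons.append(f"value name '{m.group('name')}' imitates '{target}' but launches '{stem}'")
    if looks_random(stem) and "\\windows\\" in path.lower():
        reasons.append(f"image '{stem}' in the Windows directory has a generated-looking name")
    return reasons


def triage_created(line):
    """Reasons a DDS 'Created Last 30' line deserves a closer look; [] means nothing odd."""
    m = DDS_RE.match(line.strip())
    if not m or m.group("size") == "<DIR>":
        return []
    path = m.group("path").lower()
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if path.startswith("c:\\windows\\") and path.endswith((".exe", ".dll", ".sys")) and looks_random(stem):
        return [f"binary {path} created under the Windows directory with a generated-looking name"]
    return []


def triage_report(hjt_text, dds_text):
    """Run both passes; returns {log line: [reasons]} for every flagged line."""
    findings = {}
    for line in hjt_text.splitlines():
        if triage_o4(line):
            findings[line.strip()] = triage_o4(line)
    for line in dds_text.splitlines():
        if triage_created(line):
            findings[line.strip()] = triage_created(line)
    return findings


if __name__ == "__main__":
    for flagged, reasons in triage_report(HJT_SAMPLE, DDS_SAMPLE).items():
        print(flagged)
        for r in reasons:
            print("   ->", r)
```

On the sample input the script flags exactly three lines: the `[cftmon]` Run value (both for the name lookalike and for the vowel-free image name) and the two executables created directly under c:\windows. Everything else, including legitimately odd-looking entries such as the LOCAL SERVICE sidebar line, passes. Treat a hit as a prompt to look the file up and check its signer and hash, which is what the helpers in this thread go on to do with their own tools.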
mykl
post Jul 1 2009, 11:59 AM
Post #2


I also forgot to mention that one other side effect is that I am unable to search using Yahoo from Firefox. Whenever I try, I am redirected to totally unrelated websites.

I am able to search using yahoo in IE and Chrome though.

Michael
jpshortstuff
post Jul 1 2009, 12:13 PM
Post #3


SuperHelper
Group: Classroom Teacher
Posts: 5,628
Joined: 28-April 07
From: UK
Member No.: 69,799
Operating System: Windows XP (Professional), Windows Vista (Home Business), Windows 7 (Ultimate), Ubuntu Linux

Hi,

Did MalwareBytes' find anything?

Please download DDS and save it to your desktop.
  • Disable any script blocking protection
  • Right-click dds.scr and select Run As Administrator to run the tool.
  • When done two logs should open:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop.
---------------------------------------------------
  • Post the contents of the DDS.txt report in your next reply
  • Attach the Attach.txt report to your post by scrolling down to the Attachments area and then clicking Browse. Browse to where you saved the file, and click Open and then click UPLOAD.


Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Right-click gmer.exe and select Run As Administrator. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.
mykl
post Jul 1 2009, 12:31 PM
Post #4


Hi JPShortstuff,

Yes. I believe MalAware found 7 viruses which were deleted. I think this is what stopped the "System Security" issue from re-appearing.

I am attempting to follow your instructions regarding DDS. I have downloaded the file; however, when I right-click the icon I do not find the usual "Run as Administrator" option. I am provided with "Test", "Configure" or "Install" options.

(I don't know if this is pertinent but the file type is listed as a screensaver).

I will await your review and further instructions.

Thanks

Mike
jpshortstuff
post Jul 1 2009, 12:37 PM
Post #5


Ah yes, sometimes the .scr extension is problematic. Please try this version instead:
http://www.forospyware.com/sUBs/dds/

Cheers.
mykl
post Jul 1 2009, 12:47 PM
Post #6


Ok,

This one is a dds.pif file and when I right-click on this icon I am provided a "Run" option but not "Run as Administrator".

Should I continue?

Mike
jpshortstuff
post Jul 1 2009, 12:55 PM
Post #7


Yeah, go for Run, it's better than nothing at all.
mykl
post Jul 1 2009, 01:42 PM
Post #8


Per your instructions, I am posting the following results:

DDS LOG


DDS (Ver_09-06-26.01) - NTFSx86 NETWORK
Run by mykl at 15:03:25.53 on Wed 07/01/2009
Internet Explorer: 8.0.6001.18783 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2942.2231 [GMT -4:00]

SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\mykl\Documents\Downloads\dds.pif
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://yahoo.com/
uDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5674
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5674
mDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5674
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5674
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
uRun: [Google Update] "c:\users\mykl\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [AdobeBridge]
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [ButtonMonitor] c:\program files\ioi\ButtonMonitor.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [<NO NAME>]
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NoteBurner] c:\program files\noteburner\VTBurnerGUI.exe /silence
mRun: [cftmon] c:\windows\system32\szbtm.exe
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\paltalk.lnk - c:\program files\paltalk messenger\paltalk.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - c:\program files\paltalk messenger\Paltalk.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - hxxp://dl.tvunetworks.com/TVUAx.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\mykl\appdata\roaming\mozilla\firefox\profiles\sdkka03l.default\
FF - prefs.js: browser.startup.homepage - hxxp://yahoo.com/
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\program files\mozilla firefox\extensions\{01a8ca0a-4c96-465b-a49b-65c46fad54f9}\components\Contribute.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npContribute.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\users\mykl\appdata\local\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\users\mykl\appdata\roaming\mozilla\firefox\profiles\sdkka03l.default\extensions\{0c7e3f01-99e9-4095-9bdc-f84724960b57}\plugins\NPCpnMgr.dll
FF - plugin: c:\users\mykl\appdata\roaming\mozilla\firefox\profiles\sdkka03l.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071300000040.dll
FF - plugin: c:\users\mykl\program files\dna\plugins\npbtdna.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-3-6 210216]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-5-9 1153368]
S2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2009-4-6 2749224]
S2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-4-8 92008]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-6-15 40160]
S3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]

=============== Created Last 30 ================

2009-07-01 13:05 8,212 a------- c:\windows\mfebcdata
2009-06-30 12:53 <DIR> --d----- c:\program files\Trend Micro
2009-06-29 17:36 220 a------- c:\windows\system32\winset.ini
2009-06-29 17:36 138,752 a------- c:\windows\sreo8703.exe
2009-06-29 17:35 <DIR> --d----- c:\program files\IEToolbar
2009-06-29 17:35 889,078 a------- c:\windows\mdhhh0816.exe
2009-06-29 16:33 <DIR> --d----- c:\windows\system32\Adobe
2009-06-25 22:05 116,839 a------- c:\windows\hpqins00.dat
2009-06-22 17:49 22,872 a----r-- c:\windows\system32\AdobePDFUI.dll
2009-06-15 17:03 <DIR> --d----- c:\users\mykl\appdata\roaming\Malwarebytes
2009-06-15 17:03 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-15 17:03 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-15 17:03 <DIR> --d----- c:\programdata\Malwarebytes
2009-06-15 17:03 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-15 17:03 <DIR> --d----- c:\progra~2\Malwarebytes
2009-06-15 16:53 <DIR> --d----- c:\program files\Belarc
2009-06-14 01:21 428,544 a------- c:\windows\system32\EncDec.dll
2009-06-14 01:21 293,376 a------- c:\windows\system32\psisdecd.dll
2009-06-14 01:21 217,088 a------- c:\windows\system32\psisrndr.ax
2009-06-14 01:21 177,664 a------- c:\windows\system32\mpg2splt.ax
2009-06-14 01:21 80,896 a------- c:\windows\system32\MSNP.ax
2009-06-07 08:41 <DIR> --d----- c:\program files\iPod
2009-06-07 08:41 <DIR> --d----- c:\program files\iTunes

==================== Find3M ====================

2009-06-14 10:07 143,360 a------- c:\windows\inf\infstrng.dat
2009-06-14 10:07 51,200 a------- c:\windows\inf\infpub.dat
2009-06-14 10:07 86,016 a------- c:\windows\inf\infstor.dat
2009-05-29 13:36 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-05-29 13:36 39,424 a------- c:\windows\system32\drivers\usbaapl.sys
2009-05-23 06:10 157,706 a------- c:\windows\hphins27.dat
2009-05-09 01:50 915,456 a------- c:\windows\system32\wininet.dll
2009-05-09 01:34 71,680 a------- c:\windows\system32\iesetup.dll
2009-04-23 08:43 784,896 a------- c:\windows\system32\rpcrt4.dll
2009-04-23 08:42 636,928 a------- c:\windows\system32\localspl.dll
2009-04-21 07:55 2,033,152 a------- c:\windows\system32\win32k.sys
2009-01-27 18:59 2,516 a--sh--- c:\programdata\KGyGaAvL.sys
2009-01-27 18:59 2,516 a--sh--- c:\progra~2\KGyGaAvL.sys
2009-01-18 08:32 8 ---shr-- c:\programdata\E6E84B42E6.sys
2009-01-18 08:32 8 ---shr-- c:\progra~2\E6E84B42E6.sys
2008-06-10 21:18 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-20 22:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 15:04:48.99 ===============

GMER LOG


DDS (Ver_09-06-26.01) - NTFSx86 NETWORK
Run by mykl at 15:03:25.53 on Wed 07/01/2009
Internet Explorer: 8.0.6001.18783 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2942.2231 [GMT -4:00]

SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\mykl\Documents\Downloads\dds.pif
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://yahoo.com/
uDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5674
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5674
mDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5674
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5674
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
uRun: [Google Update] "c:\users\mykl\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [AdobeBridge]
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [ButtonMonitor] c:\program files\ioi\ButtonMonitor.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [<NO NAME>]
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NoteBurner] c:\program files\noteburner\VTBurnerGUI.exe /silence
mRun: [cftmon] c:\windows\system32\szbtm.exe
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\paltalk.lnk - c:\program files\paltalk messenger\paltalk.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - c:\program files\paltalk messenger\Paltalk.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - hxxp://dl.tvunetworks.com/TVUAx.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\mykl\appdata\roaming\mozilla\firefox\profiles\sdkka03l.default\
FF - prefs.js: browser.startup.homepage - hxxp://yahoo.com/
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\program files\mozilla firefox\extensions\{01a8ca0a-4c96-465b-a49b-65c46fad54f9}\components\Contribute.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npContribute.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\users\mykl\appdata\local\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\users\mykl\appdata\roaming\mozilla\firefox\profiles\sdkka03l.default\extensions\{0c7e3f01-99e9-4095-9bdc-f84724960b57}\plugins\NPCpnMgr.dll
FF - plugin: c:\users\mykl\appdata\roaming\mozilla\firefox\profiles\sdkka03l.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071300000040.dll
FF - plugin: c:\users\mykl\program files\dna\plugins\npbtdna.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-3-6 210216]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-5-9 1153368]
S2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2009-4-6 2749224]
S2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-4-8 92008]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-6-15 40160]
S3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]

=============== Created Last 30 ================

2009-07-01 13:05 8,212 a------- c:\windows\mfebcdata
2009-06-30 12:53 <DIR> --d----- c:\program files\Trend Micro
2009-06-29 17:36 220 a------- c:\windows\system32\winset.ini
2009-06-29 17:36 138,752 a------- c:\windows\sreo8703.exe
2009-06-29 17:35 <DIR> --d----- c:\program files\IEToolbar
2009-06-29 17:35 889,078 a------- c:\windows\mdhhh0816.exe
2009-06-29 16:33 <DIR> --d----- c:\windows\system32\Adobe
2009-06-25 22:05 116,839 a------- c:\windows\hpqins00.dat
2009-06-22 17:49 22,872 a----r-- c:\windows\system32\AdobePDFUI.dll
2009-06-15 17:03 <DIR> --d----- c:\users\mykl\appdata\roaming\Malwarebytes
2009-06-15 17:03 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-15 17:03 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-15 17:03 <DIR> --d----- c:\programdata\Malwarebytes
2009-06-15 17:03 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-15 17:03 <DIR> --d----- c:\progra~2\Malwarebytes
2009-06-15 16:53 <DIR> --d----- c:\program files\Belarc
2009-06-14 01:21 428,544 a------- c:\windows\system32\EncDec.dll
2009-06-14 01:21 293,376 a------- c:\windows\system32\psisdecd.dll
2009-06-14 01:21 217,088 a------- c:\windows\system32\psisrndr.ax
2009-06-14 01:21 177,664 a------- c:\windows\system32\mpg2splt.ax
2009-06-14 01:21 80,896 a------- c:\windows\system32\MSNP.ax
2009-06-07 08:41 <DIR> --d----- c:\program files\iPod
2009-06-07 08:41 <DIR> --d----- c:\program files\iTunes

==================== Find3M ====================

2009-06-14 10:07 143,360 a------- c:\windows\inf\infstrng.dat
2009-06-14 10:07 51,200 a------- c:\windows\inf\infpub.dat
2009-06-14 10:07 86,016 a------- c:\windows\inf\infstor.dat
2009-05-29 13:36 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-05-29 13:36 39,424 a------- c:\windows\system32\drivers\usbaapl.sys
2009-05-23 06:10 157,706 a------- c:\windows\hphins27.dat
2009-05-09 01:50 915,456 a------- c:\windows\system32\wininet.dll
2009-05-09 01:34 71,680 a------- c:\windows\system32\iesetup.dll
2009-04-23 08:43 784,896 a------- c:\windows\system32\rpcrt4.dll
2009-04-23 08:42 636,928 a------- c:\windows\system32\localspl.dll
2009-04-21 07:55 2,033,152 a------- c:\windows\system32\win32k.sys
2009-01-27 18:59 2,516 a--sh--- c:\programdata\KGyGaAvL.sys
2009-01-27 18:59 2,516 a--sh--- c:\progra~2\KGyGaAvL.sys
2009-01-18 08:32 8 ---shr-- c:\programdata\E6E84B42E6.sys
2009-01-18 08:32 8 ---shr-- c:\progra~2\E6E84B42E6.sys
2008-06-10 21:18 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-20 22:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 15:04:48.99 ===============

THE "ATTACH" FILE

Attached File: Attach.txt (12.28K)


Awaiting further instructions

Thanks

Mike
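The DDS output above is raw, and the entries a responder would pull out first are easy to miss in a dump this long: the Run value "mRun: [cftmon] c:\windows\system32\szbtm.exe" (the value name is one transposition away from ctfmon, the legitimate Windows text-services loader, and its target is an unsigned-looking binary in system32), "mRun: [<NO NAME>]" with no command at all, and two randomly named executables, sreo8703.exe and mdhhh0816.exe, created directly under c:\windows on 2009-06-29. The Python script below is an added example, not part of this thread and not a feature of DDS or of the forum's tools. It parses the two DDS line formats exactly as posted and applies three triage heuristics. The known-name list, the 0.8 similarity cut-off and the "executable dropped straight into %WINDIR%" rule are this example's own assumptions, and the sample lines are copied from the log above (with a few benign entries as controls) so it runs offline.

```python
"""Triage helper for DDS "Run" and "Created Last 30" lines.

Added example for this thread, not part of DDS. The two line formats are
taken from the log as posted; the heuristics and the known-name list are
the example's own assumptions.
"""
import re
from difflib import SequenceMatcher

# Constructed sample: lines copied from the DDS log posted above, plus the
# benign NvSvc, Google Update, mbam.sys and AdobePDFUI.dll entries as controls.
SAMPLE_LINES = [
    r"mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart",
    r"mRun: [cftmon] c:\windows\system32\szbtm.exe",
    r"mRun: [<NO NAME>]",
    r'uRun: [Google Update] "c:\users\mykl\appdata\local\google\update\GoogleUpdate.exe" /c',
    r"2009-06-29 17:36 138,752 a------- c:\windows\sreo8703.exe",
    r"2009-06-29 17:35 889,078 a------- c:\windows\mdhhh0816.exe",
    r"2009-06-15 17:03 19,096 a------- c:\windows\system32\drivers\mbam.sys",
    r"2009-06-22 17:49 22,872 a----r-- c:\windows\system32\AdobePDFUI.dll",
]

# "uRun:" / "mRun:" / "mRunOnce:" lines: [value name] followed by the command.
RUN_RE = re.compile(r"^[um]Run(?:Once)?: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# "Created Last 30" lines: date time size attributes path.
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(?P<size>[\d,]+|<DIR>)\s+(?P<attrs>\S+)\s+(?P<path>.+)$"
)
# First .exe token in a command, without any leading directory.
EXE_RE = re.compile(r'([^\\"\s]+\.exe)', re.I)

# Legitimate Windows binary names that malware likes to imitate (assumed list).
KNOWN_NAMES = ("ctfmon", "explorer", "svchost", "lsass", "csrss", "winlogon",
               "services", "smss", "rundll32", "spoolsv", "wininit")


def lookalike(name):
    """Return the known Windows name that `name` imitates, or None.

    An exact match is not a lookalike. A pure transposition such as
    cftmon/ctfmon has identical letters; anything else must score >= 0.8
    on difflib's similarity ratio (assumed cut-off).
    """
    n = name.lower()
    if n.endswith(".exe"):
        n = n[:-4]
    if n in KNOWN_NAMES:
        return None
    for known in KNOWN_NAMES:
        if sorted(n) == sorted(known) or SequenceMatcher(None, n, known).ratio() >= 0.8:
            return known
    return None


def triage(lines):
    """Apply the three heuristics; returns a list of (kind, detail) tuples."""
    findings = []
    for line in lines:
        m = RUN_RE.match(line)
        if m:
            name, cmd = m.group("name"), m.group("cmd").strip()
            if not cmd:
                # A Run value with no command: orphaned or wiped entry.
                findings.append(("empty-run-value", name))
                continue
            exe = EXE_RE.search(cmd)
            # Check both the value name and the launched executable's basename.
            for cand in (name, exe.group(1) if exe else ""):
                target = lookalike(cand)
                if target:
                    findings.append(("lookalike-run-name", f"{cand} -> {target}: {cmd}"))
                    break
            continue
        m = CREATED_RE.match(line)
        if m and m.group("size") != "<DIR>":
            path = m.group("path").lower()
            parent, _, leaf = path.rpartition("\\")
            # Installers put programs in subdirectories; droppers tend to put
            # them straight into %WINDIR% (heuristic, not a DDS rule).
            if parent == r"c:\windows" and leaf.endswith(".exe"):
                findings.append(("exe-dropped-in-windir", path))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LINES):
        print(f"{kind:22} {detail}")
```

Run against the eight sample lines it reports exactly four findings: the cftmon/ctfmon lookalike, the empty "<NO NAME>" value, and the two executables under c:\windows; the NvSvc, Google Update, mbam.sys and AdobePDFUI.dll controls stay quiet. The lookalike check deliberately tests the value name and the launched binary separately, because a dropper can hide on either side of the entry. None of this replaces confirming the files themselves (hashes, signatures, a second-opinion scan), it only orders the reading of the log.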
jpshortstuff
post Jul 1 2009, 01:45 PM
Post #9


SuperHelper

Group: Classroom Teacher
Posts: 5,628
Joined: 28-April 07
From: UK
Member No.: 69,799
Operating System: Windows XP (Professional), Windows Vista (Home Business), Windows 7 (Ultimate), Ubuntu Linux



Hi there, it looks like you've posted the DDS log twice, rather than the GMER log :)
mykl
post Jul 1 2009, 02:08 PM
Post #10


Authentic Member

Group: Authentic Member
Posts: 56
Joined: 7-January 08
Member No.: 75,775
Operating System: Vista



My apologies

GMER LOG

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-01 15:25:36
Windows 6.0.6001 Service Pack 1


---- System - GMER 1.0.15 ----

Code 85D002D8 ZwEnumerateKey
Code 85CF2300 ZwFlushInstructionCache
Code 858B7995 IofCallDriver
Code 85CDE336 IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCompleteRequest 81E54FE2 5 Bytes JMP 85CDE33B
.text ntkrnlpa.exe!IofCallDriver 81ED6F6F 5 Bytes JMP 858B799A
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 81FCD30B 5 Bytes JMP 85CF2304
PAGE ntkrnlpa.exe!ZwEnumerateKey 82022BA2 5 Bytes JMP 85D002DC

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\SYSTEM32\WISPTIS.EXE[344] ntdll.dll!LdrLoadDll 76E97933 5 Bytes JMP 0074000A
.text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[372] ntdll.dll!LdrLoadDll 76E97933 5 Bytes JMP 002E000A
.text C:\Windows\system32\winlogon.exe[484] ntdll.dll!LdrLoadDll 76E97933 5 Bytes JMP 000E000A
.text C:\Windows\system32\wbem\wmiprvse.exe[524] ntdll.dll!LdrLoadDll 76E97933 5 Bytes JMP 0026000A
.text C:\Windows\system32\lsm.exe[548] ntdll.dll!LdrLoadDll 76E97933 5 Bytes JMP 0082000A
.text ...
.text C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe[2688] ntdll.dll!NtCreateFile + 6 76EC800E 4 Bytes [28, 00, 06, 00]
.text C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe[2688] ntdll.dll!NtCreateFile + B 76EC8013 1 Byte [E2]
.text C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe[2688] ntdll.dll!NtMapViewOfSection + 6 76EC875E 1 Byte [28]
.text C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe[2688] ntdll.dll!NtMapViewOfSection + 6 76EC875E 4 Bytes [28, 03, 06, 00]
.text C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe[2688] ntdll.dll!NtMapViewOfSection + B 76EC8763 1 Byte [E2]
.text C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe[2688] ntdll.dll!NtOpenFile + 6 76EC87EE 4 Bytes [68, 00, 06, 00]
.text C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe[2688] ntdll.dll!NtOpenFile + B 76EC87F3 1 Byte [E2]
.text C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe[2688] ntdll.dll!NtOpenProcess + 6 76EC886E 4 Bytes [A8, 01, 06, 00]
.text C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe[2688] ntdll.dll!NtOpenProcess + B 76EC8873 1 Byte [E2]
.text C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe[2688] ntdll.dll!NtOpenProcessToken + 6 76EC887E 4 Bytes CALL 75EC8E84 C:\Windows\system32\OLEAUT32.dll (Microsoft Corporation)
.text C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe[2688] ntdll.dll!NtOpenProcessToken + B 76EC8883 1 Byte [E2]
.text C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe[2688] ntdll.dll!NtOpenProcessTokenEx + 6 76EC888E 4 Bytes [A8, 02, 06, 00]
.text C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe[2688] ntdll.dll!NtOpenProcessTokenEx + B 76EC8893 1 Byte [E2]
.text C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe[2688] ntdll.dll!NtOpenThread + 6 76EC88DE 4 Bytes [68, 01, 06, 00]
.text C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe[2688] ntdll.dll!NtOpenThread + B 76EC88E3 1 Byte [E2]
.text C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe[2688] ntdll.dll!NtOpenThreadToken + 6 76EC88EE 4 Bytes [68, 02, 06, 00]
.text C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe[2688] ntdll.dll!NtOpenThreadToken + B 76EC88F3 1 Byte [E2]
.text C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe[2688] ntdll.dll!NtOpenThreadTokenEx + 6 76EC88FE 4 Bytes CALL 75EC8F05 C:\Windows\system32\OLEAUT32.dll (Microsoft Corporation)
.text C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe[2688] ntdll.dll!NtOpenThreadTokenEx + B 76EC8903 1 Byte [E2]
.text C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe[2688] ntdll.dll!NtQueryAttributesFile + 6 76EC898E 4 Bytes [A8, 00, 06, 00]
.text C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe[2688] ntdll.dll!NtQueryAttributesFile + B 76EC8993 1 Byte [E2]
.text C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe[2688] ntdll.dll!NtQueryFullAttributesFile + 6 76EC8A3E 4 Bytes CALL 75EC9043 C:\Windows\system32\OLEAUT32.dll (Microsoft Corporation)
.text C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe[2688] ntdll.dll!NtQueryFullAttributesFile + B 76EC8A43 1 Byte [E2]
.text C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe[2688] ntdll.dll!NtSetInformationFile + 6 76EC8F1E 4 Bytes [28, 01, 06, 00]
.text C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe[2688] ntdll.dll!NtSetInformationFile + B 76EC8F23 1 Byte [E2]
.text C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe[2688] ntdll.dll!NtSetInformationThread + 6 76EC8F6E 4 Bytes [28, 02, 06, 00]
.text C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe[2688] ntdll.dll!NtSetInformationThread + B 76EC8F73 1 Byte [E2]
.text C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe[2688] ntdll.dll!NtUnmapViewOfSection + 6 76EC920E 1 Byte [68]
.text C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe[2688] ntdll.dll!NtUnmapViewOfSection + 6 76EC920E 4 Bytes [68, 03, 06, 00]
.text C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe[2688] ntdll.dll!NtUnmapViewOfSection + B 76EC9213 1 Byte [E2]
.text C:\Windows\system32\cscript.exe[2908] ntdll.dll!LdrLoadDll 76E97933 5 Bytes JMP 0039000A
.text C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe[2952] ntdll.dll!LdrLoadDll 76E97933 5 Bytes JMP 002D000A
.text C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe[2952] ntdll.dll!NtCreateFile + 6 76EC800E 4 Bytes [28, 00, 06, 00]
.text C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe[2952] ntdll.dll!NtCreateFile + B 76EC8013 1 Byte [E2]
.text C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe[2952] ntdll.dll!NtMapViewOfSection + 6 76EC875E 1 Byte [28]
.text C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe[2952] ntdll.dll!NtMapViewOfSection + 6 76EC875E 4 Bytes [28, 03, 06, 00]
.text C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe[2952] ntdll.dll!NtMapViewOfSection + B 76EC8763 1 Byte [E2]
.text C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe[2952] ntdll.dll!NtOpenFile + 6 76EC87EE 4 Bytes [68, 00, 06, 00]
.text C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe[2952] ntdll.dll!NtOpenFile + B 76EC87F3 1 Byte [E2]
.text C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe[2952] ntdll.dll!NtOpenProcess + 6 76EC886E 4 Bytes [A8, 01, 06, 00]
.text C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe[2952] ntdll.dll!NtOpenProcess + B 76EC8873 1 Byte [E2]
.text C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe[2952] ntdll.dll!NtOpenProcessToken + 6 76EC887E 4 Bytes CALL 75EC8E84 C:\Windows\system32\OLEAUT32.dll (Microsoft Corporation)
.text C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe[2952] ntdll.dll!NtOpenProcessToken + B 76EC8883 1 Byte [E2]
.text C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe[2952] ntdll.dll!NtOpenProcessTokenEx + 6 76EC888E 4 Bytes [A8, 02, 06, 00]
.text C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe[2952] ntdll.dll!NtOpenProcessTokenEx + B 76EC8893 1 Byte [E2]
.text C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe[2952] ntdll.dll!NtOpenThread + 6 76EC88DE 4 Bytes [68, 01, 06, 00]
.text C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe[2952] ntdll.dll!NtOpenThread + B 76EC88E3 1 Byte [E2]
.text C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe[2952] ntdll.dll!NtOpenThreadToken + 6 76EC88EE 4 Bytes [68, 02, 06, 00]
.text C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe[2952] ntdll.dll!NtOpenThreadToken + B 76EC88F3 1 Byte [E2]
.text C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe[2952] ntdll.dll!NtOpenThreadTokenEx + 6 76EC88FE 4 Bytes CALL 75EC8F05 C:\Windows\system32\OLEAUT32.dll (Microsoft Corporation)
.text C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe[2952] ntdll.dll!NtOpenThreadTokenEx + B 76EC8903 1 Byte [E2]
.text C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe[2952] ntdll.dll!NtQueryAttributesFile + 6 76EC898E 4 Bytes [A8, 00, 06, 00]
.text C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe[2952] ntdll.dll!NtQueryAttributesFile + B 76EC8993 1 Byte [E2]
.text C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe[2952] ntdll.dll!NtQueryFullAttributesFile + 6 76EC8A3E 4 Bytes CALL 75EC9043 C:\Windows\system32\OLEAUT32.dll (Microsoft Corporation)
.text C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe[2952] ntdll.dll!NtQueryFullAttributesFile + B 76EC8A43 1 Byte [E2]
.text C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe[2952] ntdll.dll!NtSetInformationFile + 6 76EC8F1E 4 Bytes [28, 01, 06, 00]
.text C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe[2952] ntdll.dll!NtSetInformationFile + B 76EC8F23 1 Byte [E2]
.text C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe[2952] ntdll.dll!NtSetInformationThread + 6 76EC8F6E 4 Bytes [28, 02, 06, 00]
.text C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe[2952] ntdll.dll!NtSetInformationThread + B 76EC8F73 1 Byte [E2]
.text C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe[2952] ntdll.dll!NtUnmapViewOfSection + 6 76EC920E 1 Byte [68]
.text C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe[2952] ntdll.dll!NtUnmapViewOfSection + 6 76EC920E 4 Bytes [68, 03, 06, 00]
.text C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe[2952] ntdll.dll!NtUnmapViewOfSection + B 76EC9213 1 Byte [E2]
.text C:\Windows\system32\notepad.exe[3244] ntdll.dll!LdrLoadDll 76E97933 5 Bytes JMP 0024000A
.text C:\Windows\System32\cmd.exe[3604] ntdll.dll!LdrLoadDll 76E97933 5 Bytes JMP 003B000A

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[1224] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73C57BA4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1224] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73C998C5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1224] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73C5D3C8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1224] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73C4F527] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1224] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73C57599] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1224] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73C4E43D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1224] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [73C8B33D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1224] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [73C5D68A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1224] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73C5012E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1224] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73C50095] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1224] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73C471F3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2e
c9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1224] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [73CDD802] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2e
c9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1224] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [73C775E1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2e
c9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1224] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73C4DAE1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2e
c9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1224] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73C4668F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2e
c9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1224] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73C466BA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2e
c9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1224] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73C51E45] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2e
c9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\SKYNETqwusvhmb.dll (*** hidden *** ) @ C:\Windows\SYSTEM32\WISPTIS.EXE [344] 0x10000000
Library \\?\globalroot\systemroot\system32\SKYNETqwusvhmb.dll (*** hidden *** ) @ C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe [372] 0x10000000
Library \\?\globalroot\systemroot\system32\SKYNETqwusvhmb.dll (*** hidden *** ) @ C:\Windows\system32\wininit.exe [440] 0x10000000
Library \\?\globalroot\systemroot\system32\SKYNETqwusvhmb.dll (*** hidden *** ) @ C:\Windows\system32\winlogon.exe [484] 0x10000000
Library \\?\globalroot\systemroot\system32\SKYNETqwusvhmb.dll (*** hidden *** ) @ C:\Windows\system32\wbem\wmiprvse.exe [524] 0x10000000
Library \\?\globalroot\systemroot\system32\SKYNETqwusvhmb.dll (*** hidden *** ) @ C:\Windows\system32\services.exe [528] 0x10000000
Library \\?\globalroot\systemroot\system32\SKYNETqwusvhmb.dll (*** hidden *** ) @ C:\Windows\system32\lsass.exe [540] 0x10000000
Library \\?\globalroot\systemroot\system32\SKYNETqwusvhmb.dll (*** hidden *** ) @ C:\Windows\system32\lsm.exe [548] 0x10000000
Library \\?\globalroot\systemroot\system32\SKYNETqwusvhmb.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [700] 0x01190000
Library \\?\globalroot\systemroot\system32\SKYNETqwusvhmb.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [772] 0x10000000
Library \\?\globalroot\systemroot\system32\SKYNETqwusvhmb.dll (*** hidden *** ) @ C:\Windows\System32\svchost.exe [816] 0x10000000
Library \\?\globalroot\systemroot\system32\SKYNETqwusvhmb.dll (*** hidden *** ) @ C:\Windows\System32\svchost.exe [908] 0x10000000
Library \\?\globalroot\systemroot\system32\SKYNETqwusvhmb.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [936] 0x10000000
Library \\?\globalroot\systemroot\system32\SKYNETqwusvhmb.dll (*** hidden *** ) @ C:\Windows\System32\svchost.exe [984] 0x10000000
Library \\?\globalroot\systemroot\system32\SKYNETqwusvhmb.dll (*** hidden *** ) @ C:\Windows\system32\wbem\unsecapp.exe [1032] 0x10000000
Library \\?\globalroot\systemroot\system32\SKYNETqwusvhmb.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [1036] 0x10000000
Library \\?\globalroot\systemroot\system32\SKYNETqwusvhmb.dll (*** hidden *** ) @ C:\Windows\SYSTEM32\WISPTIS.EXE [1052] 0x10000000
Library \\?\globalroot\systemroot\system32\SKYNETqwusvhmb.dll (*** hidden *** ) @ C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe [1060] 0x10000000
Library \\?\globalroot\systemroot\system32\SKYNETqwusvhmb.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [1080] 0x10000000
Library \\?\globalroot\systemroot\system32\SKYNETqwusvhmb.dll (*** hidden *** ) @ c:\PROGRA~1\mcafee.com\agent\mcagent.exe [1188] 0x10000000
Library \\?\globalroot\systemroot\system32\SKYNETqwusvhmb.dll (*** hidden *** ) @ C:\Windows\Explorer.EXE [1224] 0x10000000
Library \\?\globalroot\systemroot\system32\SKYNETqwusvhmb.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [1364] 0x10000000
Library \\?\globalroot\systemroot\system32\SKYNETqwusvhmb.dll (*** hidden *** ) @ C:\Program Files\McAfee\MPF\MPFSrv.exe [1504] 0x10000000
Library \\?\globalroot\systemroot\system32\SKYNETqwusvhmb.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [1540] 0x10000000
Library \\?\globalroot\systemroot\system32\SKYNETqwusvhmb.dll (*** hidden *** ) @ C:\Users\mykl\Documents\Downloads\dds.pif [1600] 0x10000000
Library \\?\globalroot\systemroot\system32\SKYNETqwusvhmb.dll (*** hidden *** ) @ C:\Users\mykl\Desktop\gmer.exe [1724] 0x10000000
Library \\?\globalroot\systemroot\system32\SKYNETqwusvhmb.dll (*** hidden *** ) @ C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe [1876] 0x10000000
Library \\?\globalroot\systemroot\system32\SKYNETqwusvhmb.dll (*** hidden *** ) @ C:\Windows\system32\notepad.exe [2252] 0x10000000
Library \\?\globalroot\systemroot\system32\SKYNETqwusvhmb.dll (*** hidden *** ) @ C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe [2540] 0x10000000
Library \\?\globalroot\systemroot\system32\SKYNETqwusvhmb.dll (*** hidden *** ) @ C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe [2688] 0x10000000
Library \\?\globalroot\systemroot\system32\SKYNETqwusvhmb.dll (*** hidden *** ) @ C:\Windows\system32\cscript.exe [2908] 0x10000000
Library \\?\globalroot\systemroot\system32\SKYNETqwusvhmb.dll (*** hidden *** ) @ C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe [2952] 0x10000000
Library \\?\globalroot\systemroot\system32\SKYNETqwusvhmb.dll (*** hidden *** ) @ C:\Windows\system32\notepad.exe [3244] 0x10000000
Library \\?\globalroot\systemroot\system32\SKYNETqwusvhmb.dll (*** hidden *** ) @ C:\Windows\System32\cmd.exe [3604] 0x10000000

---- EOF - GMER 1.0.15 ----
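The GMER log above carries two findings worth pulling out mechanically before anyone reads 90 lines of hook output: a module GMER cannot see through the normal API (the `Library ... (*** hidden ***)` lines) loaded into essentially every process, including gmer.exe itself, and two `ntdll.dll!LdrLoadDll` hooks whose `JMP` targets (0x0024000A, 0x003B000A) lie below the 0x00400000 default executable image base, i.e. in private memory rather than in any mapped image. The script below is an added example, not part of the original thread and not GMER's own code: it parses those two record types and produces a triage summary. The sample lines are copied from the log above; the 0x00400000 threshold and the field names are this example's own assumptions.

```python
"""Triage helper for GMER 1.0.15 logs (added example, not GMER's own tooling).

Parses the two record types that matter in the log above:
  ".text <process>[pid] <module>!<export> [+ off] <addr> <n> Bytes <patch>"  (inline hooks)
  "Library <path> (*** hidden *** ) @ <process> [pid] <base>"                 (injected modules)
and summarises which module is injected where and which hooks jump into
private memory.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of lines copied verbatim from the GMER log posted above.
SAMPLE_LOG = r"""
.text C:\Windows\system32\notepad.exe[3244] ntdll.dll!LdrLoadDll 76E97933 5 Bytes JMP 0024000A
.text C:\Windows\System32\cmd.exe[3604] ntdll.dll!LdrLoadDll 76E97933 5 Bytes JMP 003B000A
.text C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe[2952] ntdll.dll!NtSetInformationThread + 6 76EC8F6E 4 Bytes [28, 02, 06, 00]

---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\SKYNETqwusvhmb.dll (*** hidden *** ) @ C:\Windows\system32\winlogon.exe [484] 0x10000000
Library \\?\globalroot\systemroot\system32\SKYNETqwusvhmb.dll (*** hidden *** ) @ C:\Windows\system32\services.exe [528] 0x10000000
Library \\?\globalroot\systemroot\system32\SKYNETqwusvhmb.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [700] 0x01190000
Library \\?\globalroot\systemroot\system32\SKYNETqwusvhmb.dll (*** hidden *** ) @ C:\Users\mykl\Desktop\gmer.exe [1724] 0x10000000
"""

HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[\w.]+)!(?P<func>\w+)(?:\s*\+\s*(?P<off>[0-9A-Fa-f]+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<nbytes>\d+)\s+Bytes?\s+(?P<patch>.+)$"
)
LIB_RE = re.compile(
    r"^Library\s+(?P<path>.+?)\s+\((?P<flags>[^)]*)\)\s+@\s+"
    r"(?P<proc>.+?)\s+\[(?P<pid>\d+)\]\s+(?P<base>0x[0-9A-Fa-f]+)$"
)

# Heuristic (an assumption of this example, not a GMER rule): on 32-bit Windows
# the default EXE image base is 0x00400000, so a JMP target below it cannot be
# inside the executable or a DLL mapped at a normal base; it is private memory
# (heap / VirtualAlloc), which is where injected trampolines live.
DEFAULT_EXE_IMAGE_BASE = 0x00400000


def parse_hooks(text):
    """Return one dict per '.text' hook line, with the JMP target decoded if present."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        patch = m["patch"].strip()
        target = int(patch.split()[1], 16) if patch.startswith("JMP") else None
        hooks.append({
            "proc": m["proc"], "pid": int(m["pid"]),
            "symbol": f"{m['module']}!{m['func']}",
            "offset": int(m["off"], 16) if m["off"] else 0,
            "addr": int(m["addr"], 16), "nbytes": int(m["nbytes"]),
            "patch": patch, "target": target,
            "private_memory": target is not None and target < DEFAULT_EXE_IMAGE_BASE,
        })
    return hooks


def parse_hidden_libraries(text):
    """Map each module GMER flags as hidden to the (process, pid, base) tuples hosting it."""
    hosts = defaultdict(list)
    for line in text.splitlines():
        m = LIB_RE.match(line.strip())
        if m and "hidden" in m["flags"]:
            hosts[m["path"]].append((m["proc"], int(m["pid"]), int(m["base"], 16)))
    return dict(hosts)


def summarize(text):
    """One triage record: injected modules, JMP hooks, and in-place byte patches."""
    hooks = parse_hooks(text)
    hidden = parse_hidden_libraries(text)
    return {
        "hidden_modules": {path: len(procs) for path, procs in hidden.items()},
        "hidden_hosts": hidden,
        "jmp_hooks": [h for h in hooks if h["target"] is not None],
        "byte_patches": sum(1 for h in hooks if h["target"] is None),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for path, n in report["hidden_modules"].items():
        print(f"hidden module {path} present in {n} process(es)")
        for proc, pid, base in report["hidden_hosts"][path]:
            print(f"    {proc} [{pid}] @ {base:#010x}")
    for h in report["jmp_hooks"]:
        where = "PRIVATE MEMORY" if h["private_memory"] else "mapped image range"
        print(f"{h['symbol']} hooked in {h['proc']} [{h['pid']}] -> {h['target']:#010x} ({where})")
    print(f"{report['byte_patches']} in-place byte patch(es) that are not JMP hooks")
```

Two caveats a practitioner would attach to the output. First, the hidden DLL is loaded into gmer.exe [1724] as well, so the scanner itself ran with the rootkit's code in its address space; the log is useful, but nothing it reports can be treated as complete, which is consistent with Rooter later in this thread finding nothing at all. Second, not every `.text` entry is the same kind of finding: the Chrome renderer lines are small in-place byte patches of syscall stubs, a style commonly produced by Chrome's own sandbox, so the script counts them separately instead of lumping them in with the `LdrLoadDll` trampolines that every process shares.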
jpshortstuff
post Jul 1 2009, 02:13 PM
Post #11

SuperHelper
Group: Classroom Teacher
Posts: 5,628
Joined: 28-April 07
From: UK
Member No.: 69,799
Operating System: Windows XP (Professional), Windows Vista (Home Business), Windows 7 (Ultimate), Ubuntu Linux

OK, looks like you've got a nasty Rootkit on board.

Please click Start >> Control Panel >> Add/Remove Programs, and then find and Remove these old versions of Java:
Java™ 6 Update 4
Java™ 6 Update 5
Java™ 6 Update 7

(Leave Update 13)

While you are there, I recommend you consider removing Limewire - it's a great way to get yourself infected.


Download ComboFix by sUBs from here or here

Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

**Save it to your desktop**

We need to disable one or more of your security programs so that they do not interfere with ComboFix.

Check here for information on disabling your security programs. It is important that you disable Spybot TeaTimer, as this can interfere with our fixes.

Double click on ComboFix.exe & follow the prompts. If you are prompted to install the Recovery Console I recommend you go ahead and hit yes.
When finished, it shall produce a log for you. Please save that log to post in your next reply along with a fresh HJT log

Notes:
  1. Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you - please let me know.
  4. ComboFix disconnects your machine from the internet when it runs. This connection should be automatically restored when ComboFix completes its run. If ComboFix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


This post has been edited by jpshortstuff: Jul 1 2009, 02:14 PM
mykl
post Jul 1 2009, 02:28 PM
Post #12

I was able to uninstall Limewire but unable to remove the three Java versions you spoke of. Whenever I attempt to uninstall, I receive the following popup message:

"The Windows Installer service could not be accessed.
This can occur if the Windows Installer is not correctly installed.
Contact your support personnel for assistance."


How should I proceed?

Mike
jpshortstuff
post Jul 1 2009, 02:34 PM
Post #13

Hold off on that for a moment then, and continue with the ComboFix step. We will come back to them later.
mykl
post Jul 1 2009, 04:07 PM
Post #14

The past hour has been interesting.

Ok here is what is occurring...

-I downloaded Combofix as instructed

-I disabled all security programs as instructed with the exception of Windows Defender which was partially disabled (I was able to complete the first set of instructions but was not able to find a "Security" tab or option in the Control Panel to complete the 2nd set of instructions)

-I double-click the Combofix icon and it launches but soon after, I receive the following message:
"Access denied. Administrator permissions are needed to use the selected options. Use an administrator command prompt to complete these tasks".


Without me doing anything a Disclaimer of Warranty on Software appears. It has wording about going to bleepingcomputer.com for a guide to using the software. A prompt asks me if I want to continue. I click "yes".

The Combofix popup adds the following message "Attempting a new restore point".

That window disappears and the Combofix autoscan popup appears and it attempts to scan my computer. This goes on for approximately 3 minutes when the popup window is flooded with "Access Denied" error messages before the system reboots.

I tried Combofix six times: uninstalling the copy from the first link and trying the second link, and right-clicking the icon and running it as an admin instead of double-clicking. All with the same results.

(I attempted to screen capture these messages with the Google snipping tool but it would not allow me to save and then froze)

I hope this info was helpful.

I await further instruction.

Thanks, Mike
jpshortstuff
post Jul 1 2009, 04:35 PM
Post #15

Hi,

Let's try a workaround, this Rootkit has been known to block ComboFix.

Please delete your existing copy of ComboFix.

Please download ComboFix to your desktop from one of these locations. You must rename it before saving it. Save it to your desktop.
Link 1
Link 2
Link 3

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on Combo-Fix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
4. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please advise.
5. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
mykl
post Jul 1 2009, 05:20 PM
Post #16

Unfortunately, the results are exactly the same. I've installed and attempted to run each Combofix link provided, always making sure to delete the previous version and renaming before saving.

Please let me know how to proceed.

Thanks

Mike
jpshortstuff
post Jul 2 2009, 04:27 AM
Post #17

Please try in Safe Mode (restart, tap F8 before Windows loads).

If that's still no good, let me know.
mykl
post Jul 2 2009, 08:35 PM
Post #18

Good Evening jpshortstuff,

I apologize for not mentioning that everything I have done so far has been in safe mode. I am unable to do anything in normal mode because I get the blue screen and my system restarts.

Mike
jpshortstuff
post Jul 3 2009, 02:49 AM
Post #19

Hi,

This is all very strange, please try this Rootkit scan

Please download Rooter.exe to your desktop.
  • Double click on Rooter.exe to start the application.
  • Now click on the Scan button.
  • When the scan is completed a text file called Rooter.txt will appear on your desktop, post the contents in your next reply.
  • Now click on Close button to exit Rooter.
Note: The logfile can also be located within this folder Rooter$ at the root of your installed Hard-Drive. EG: C:\Rooter$
mykl
post Jul 3 2009, 05:21 AM
Post #20

Good Morning,

Here is the requested Rooter Log:

Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows Vista Home Edition (6.0.6001) Service Pack 1
[32_bits] - x86 Family 16 Model 2 Stepping 2, AuthenticAMD
.
[wscsvc] STOPPED (state:1) : Security Center -> Disabled !
[MpsSvc] RUNNING (state:4)
Windows Firewall -> Disabled !
Windows Defender -> Enabled
User Account Control (UAC) -> Enabled
.
Internet Explorer 8.0.6001.18783
Mozilla Firefox 3.0.11 (en-US)
.
C:\ [Fixed-NTFS] .. ( Total:454 Go - Free:352 Go )
D:\ [Fixed-NTFS] .. ( Total:10 Go - Free:5 Go )
E:\ [CD_Rom]
F:\ [Removable]
G:\ [Removable]
H:\ [Removable]
I:\ [Removable]
.
Scan : 07:18.28
Path : C:\Users\mykl\Desktop\Rooter.exe
User : mykl ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
Locked System (4)
______ \SystemRoot\System32\smss.exe (336)
______ C:\Windows\system32\csrss.exe (420)
______ C:\Windows\system32\csrss.exe (456)
______ C:\Windows\system32\wininit.exe (464)
______ C:\Windows\system32\winlogon.exe (492)
______ C:\Windows\system32\services.exe (536)
______ C:\Windows\system32\lsass.exe (548)
______ C:\Windows\system32\lsm.exe (556)
______ C:\Windows\system32\svchost.exe (716)
______ C:\Windows\system32\svchost.exe (788)
______ C:\Windows\System32\svchost.exe (836)
______ C:\Windows\System32\svchost.exe (920)
______ C:\Windows\system32\svchost.exe (948)
______ C:\Windows\System32\svchost.exe (992)
______ C:\Windows\system32\svchost.exe (1048)
______ C:\Windows\SYSTEM32\WISPTIS.EXE (1064)
______ C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe (1072)
______ C:\Windows\system32\svchost.exe (1088)
______ C:\Windows\system32\svchost.exe (1368)
______ C:\Program Files\McAfee\MPF\MPFSrv.exe (1512)
______ C:\Windows\system32\svchost.exe (1548)
______ C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe (1844)
______ C:\Windows\SYSTEM32\WISPTIS.EXE (248)
______ C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe (252)
______ c:\PROGRA~1\mcafee.com\agent\mcagent.exe (724)
______ C:\Windows\Explorer.EXE (1040)
______ C:\Windows\system32\wbem\unsecapp.exe (1224)
______ C:\Windows\system32\wbem\wmiprvse.exe (1608)
______ C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe (2240)
______ C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe (2320)
______ C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe (2408)
______ C:\Program Files\Internet Explorer\iexplore.exe (2512)
______ C:\Program Files\Internet Explorer\iexplore.exe (2624)
______ C:\Users\mykl\Desktop\Rooter.exe (3836)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 (Start_Offset:32256 | Length:11753892864)
\Device\Harddisk0\Partition2 --[ MBR ]-- (Start_Offset:11753925120 | Length:488351324160)
.
----------------------\\ Scheduled Tasks
.
C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-684128119-126982121-4194404797-1000Core.job
C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-684128119-126982121-4194404797-1000UA.job
C:\Windows\Tasks\McDefragTask.job
C:\Windows\Tasks\McQcTask.job
C:\Windows\Tasks\SA.DAT
C:\Windows\Tasks\SCHEDLGU.TXT
C:\Windows\Tasks\User_Feed_Synchronization-{D1822597-6DEB-483F-A23C-A2934950ED11}.job
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 07:18.35
.
C:\Rooter$\Rooter_2.txt - (03/07/2009 | 07:18.35)

Mike
jpshortstuff
post Jul 3 2009, 06:51 AM
Post #21

Hi,

OK, please give this a go.

Please download OTM by OldTimer.
  • Save it to your desktop.
  • Please click OTM and then click >> run.
  • Copy the lines inside the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


CODE
:Processes
explorer.exe

:files
c:\windows\sreo8703.exe
c:\windows\mdhhh0816.exe
c:\program files\IEToolbar
C:\WINDOWS\system32\SKYNETqwusvhmb.dll

:Commands
[emptytemp]
[Reboot]

  • Return to OTM, right click in the "Paste Instructions for items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM

Note: If an item cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


After that (if it works), please try running ComboFix again. Let me know how it all goes.
mykl
post Jul 3 2009, 08:46 AM
Post #22

The OTM instructions were successful. I had to reboot and the log results are pasted below this reply.

Unfortunately the ComboFix results were the same as before and I have to add one bit of bad news.

After attempting to run the third Combo-Fix link, I stepped away from my PC and forgot to reboot in Safe Mode so Windows started in Normal Mode.

I returned to the PC by that time and the blue screen appeared as usual but before my system rebooted, I saw that the "System Secure" malware reappeared.

OTM LOG

All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== FILES ==========
c:\windows\sreo8703.exe moved successfully.
c:\windows\mdhhh0816.exe moved successfully.
c:\program files\IEToolbar moved successfully.
File/Folder C:\WINDOWS\system32\SKYNETqwusvhmb.dll not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temporary Internet Files folder emptied: 33170 bytes

User: Default User
->Temporary Internet Files folder emptied: 0 bytes

User: mykl
File delete failed. C:\Users\mykl\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YX1XE0WV\iframe[4].htm scheduled to be deleted on reboot.
File delete failed. C:\Users\mykl\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YX1XE0WV\Infections_disabled_apps_t104689[1].html&st=15&gopid=574307 scheduled to be deleted on reboot.
File delete failed. C:\Users\mykl\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Users\mykl\AppData\Local\Microsoft\Windows\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 1902200156 bytes
->Java cache emptied: 19465820 bytes
->FireFox cache emptied: 62922502 bytes
->Google Chrome cache emptied: 167702500 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
File delete failed. C:\Windows\temp\mcmsc_YHZia1oiWW7jx7M scheduled to be deleted on reboot.
Windows Temp folder emptied: 2347399 bytes

RecycleBin emptied: 24958394242 bytes

Total Files Cleaned = 1281.03 mb


OTM by OldTimer - Version 3.0.0.2 log created on 07032009_094253
jpshortstuff
post Jul 3 2009, 09:11 AM
Post #23

OK, I have one more thing I'd like you to try with regards to running ComboFix.

Ensure it is on your Desktop, and named Combo-Fix.exe. Click Start, type cmd and hit Enter to open a command window. Type the following into the command box and hit Enter:
%userprofile%\Desktop\Combo-Fix.exe /KillAll

You mentioned that everything you've been doing has been in Safe Mode. If the above doesn't work, please give Combo-Fix a go in Normal Mode (if you haven't already).

If that is still no good, please run GMER again and post the log so we can see what is left after OTM. If the Rootkit involved is still here, I will contact the developer of ComboFix and see if we can sort something out for you.

This post has been edited by jpshortstuff: Jul 3 2009, 09:12 AM
mykl
post Jul 3 2009, 10:24 AM
Post #24

Hallelujah!!

Initially, I was unable to launch Combo-Fix in Normal mode because the blue screen would crash the system within 3 minutes of Windows loading.
The only way I was able to stall it was to launch a Malwarebytes scan, which gave me the time to launch ComboFix. (hopefully this does not affect the log results)

I am currently sending this post in Normal Mode and have pasted the following logs

COMBOFIX

ComboFix 09-07-02.02 - mykl 07/03/2009 11:39.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2942.2214 [GMT -4:00]
Running from: c:\users\mykl\Desktop\Combo-Fix.exe
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\progra~2\11219774
c:\progra~2\11219774\11219774
c:\progra~2\11219774\11219774.exe
c:\windows\Installer\191e94d.msi
c:\windows\system32\drivers\SKYNETpirgenli.sys
c:\windows\system32\SKYNEThodccuta.dat
c:\windows\system32\SKYNETmciitcie.dll
c:\windows\system32\SKYNETqwusvhmb.dll
c:\windows\system32\SKYNETytxpaeij.dat
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SKYNETtwpqscqq
-------\Service_SKYNETtwpqscqq


((((((((((((((((((((((((( Files Created from 2009-06-03 to 2009-07-03 )))))))))))))))))))))))))))))))
.

2009-07-03 15:45 . 2009-07-03 15:48 -------- d-----w- c:\users\mykl\AppData\Local\temp
2009-07-03 13:41 . 2009-07-03 13:41 -------- d-----w- C:\_OTM
2009-07-03 11:11 . 2009-07-03 11:18 -------- d-----w- C:\Rooter$
2009-07-01 21:42 . 2009-07-01 22:57 -------- d-s---w- C:\ComboFix
2009-06-30 22:36 . 2009-06-30 22:37 -------- d-----w- c:\program files\ERUNT
2009-06-30 22:10 . 2009-06-30 22:10 -------- d-----w- c:\users\mykl\AppData\Local\Apple Computer
2009-06-30 20:46 . 2009-06-30 20:47 -------- d-----w- c:\users\mykl\AppData\Local\Adobe
2009-06-30 20:31 . 2009-06-30 20:31 -------- d-----w- c:\program files\Windows Live Safety Center
2009-06-30 16:53 . 2009-06-30 16:53 -------- d-----w- c:\program files\Trend Micro
2009-06-29 20:33 . 2009-06-29 20:33 -------- d-----w- c:\windows\system32\Adobe
2009-06-26 02:05 . 2009-06-26 02:07 116839 ----a-w- c:\windows\hpqins00.dat
2009-06-25 23:02 . 2009-06-25 23:02 488960 ----a-w- c:\users\mykl\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\pmv302-0811070-0-main.dll
2009-06-25 23:02 . 2009-06-25 23:02 319488 ----a-w- c:\users\mykl\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe
2009-06-22 21:49 . 2008-04-07 10:38 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll
2009-06-15 21:03 . 2009-06-15 21:03 -------- d-----w- c:\users\mykl\AppData\Roaming\Malwarebytes
2009-06-15 21:03 . 2009-05-26 17:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-15 21:03 . 2009-06-15 21:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-15 21:03 . 2009-06-15 21:03 -------- d-----w- c:\progra~2\Malwarebytes
2009-06-15 21:03 . 2009-05-26 17:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-15 20:53 . 2009-06-15 20:53 -------- d-----w- c:\program files\Belarc
2009-06-14 05:21 . 2009-04-30 12:37 293376 ----a-w- c:\windows\system32\psisdecd.dll
2009-06-14 05:21 . 2009-04-30 12:37 428544 ----a-w- c:\windows\system32\EncDec.dll
2009-06-07 12:41 . 2009-06-07 12:41 -------- d-----w- c:\program files\iPod
2009-06-07 12:41 . 2009-06-07 12:42 -------- d-----w- c:\program files\iTunes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-03 15:45 . 2009-03-11 18:52 12 ----a-w- c:\windows\bthservsdp.dat
2009-07-03 14:23 . 2009-03-04 18:55 -------- d-----w- c:\progra~2\McAfee
2009-07-03 03:05 . 2008-10-17 02:13 1356 ----a-w- c:\users\mykl\AppData\Local\d3d9caps.dat
2009-06-30 21:30 . 2008-08-20 14:25 -------- d-----w- c:\users\mykl\AppData\Roaming\LimeWire
2009-06-29 22:44 . 2009-01-18 12:27 -------- d-----w- c:\progra~2\Corel
2009-06-21 18:53 . 2008-07-15 14:37 -------- d-----w- c:\program files\Safari
2009-06-14 07:01 . 2008-02-26 18:10 -------- d-----w- c:\progra~2\Microsoft Help
2009-06-07 12:41 . 2008-06-08 13:17 -------- d-----w- c:\program files\Common Files\Apple
2009-06-07 12:39 . 2009-03-15 12:08 -------- d-----w- c:\program files\QuickTime
2009-06-07 12:34 . 2008-06-08 13:17 -------- d-----w- c:\progra~2\Apple
2009-05-29 17:36 . 2009-05-29 17:36 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-05-29 17:36 . 2009-05-29 17:36 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-05-23 10:10 . 2009-04-05 22:36 157706 ----a-w- c:\windows\hphins27.dat
2009-05-13 07:00 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-05-09 23:06 . 2009-05-09 22:38 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
2009-05-09 22:38 . 2009-05-09 22:38 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-05-09 05:50 . 2009-06-11 11:27 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-09 05:34 . 2009-06-11 11:27 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-04-23 12:43 . 2009-06-11 11:27 784896 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-23 12:42 . 2009-06-11 11:27 636928 ----a-w- c:\windows\system32\localspl.dll
2009-04-21 11:55 . 2009-06-11 11:27 2033152 ----a-w- c:\windows\system32\win32k.sys
2009-04-18 20:37 . 2008-06-06 23:57 1315064 ----a-w- c:\users\mykl\AppData\Local\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-04-08 251240]
"Google Update"="c:\users\mykl\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-12-13 133104]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-12-12 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-12 8530464]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-12 81920]
"ButtonMonitor"="c:\program files\IOI\ButtonMonitor.exe" [2007-05-11 53248]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2008-07-04 333120]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-01-20 185872]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-02-27 38768]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-02-27 640376]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-06-02 80896]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-10-31 4702208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2008-01-19 40072]

c:\progra~2\MICROS~1\Windows\STARTM~1\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
PalTalk.lnk - c:\program files\Paltalk Messenger\paltalk.exe [2009-1-28 10950144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{5E7AB81B-8D13-4B51-9E40-2DFA62BB6B58}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{7D7DB688-420A-4EF3-BAE3-E21F511536C2}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{406C5336-4045-4B16-84A1-E436B9610FCB}c:\\program files\\paltalk messenger\\paltalk.exe"= UDP:c:\program files\paltalk messenger\paltalk.exe:PaltalkScene
"UDP Query User{B9664D97-D808-46DD-B4E0-EC4BA1A0D5CF}c:\\program files\\paltalk messenger\\paltalk.exe"= TCP:c:\program files\paltalk messenger\paltalk.exe:PaltalkScene
"{17798F79-2B2A-4A95-AD8B-A422396148E6}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{98E4117C-F121-4F4E-9CF7-5758DCB743C0}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{70A6D4DC-D0E8-491E-B8A9-33FA5987D0F9}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{B6AFE4BF-C9AC-4980-A76C-7A2B642DE0AF}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{0C78D471-1812-42DC-B2D4-BF739649B44B}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{9BD0000E-3AC3-4560-BC2A-8ABA9C009CC1}"= UDP:c:\program files\DNA\btdna.exe:DNA
"{47779EED-1283-4C94-9C00-0C2F2169AFBD}"= TCP:c:\program files\DNA\btdna.exe:DNA
"{D7DE5CF6-88D7-45D6-BF93-DD2B275A1A9C}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{D05D9C80-4D53-436D-BF77-CE7F92D07D04}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{CF5F2579-3AFF-4221-8772-61DD6DEE22BE}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{A5C67625-BAE3-480F-8F4E-910CE5528817}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{8B5E9057-C45D-436F-81A0-A76BEAC6EFF8}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{4DEF6A6B-C329-4D87-850A-B666B2D522DA}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{C8814272-BF61-4E0C-B643-2996A00CBBA9}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{F8D02B18-A922-4164-B98D-FC3A923701A1}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{42D7E387-EDAD-49DB-B64C-EE120B43FA20}"= UDP:c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe:Veoh Web Player
"{C39535C7-8CE5-4C5E-BADC-F14AC48065D8}"= TCP:c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe:Veoh Web Player
"{A2AFBFB0-826D-4EF7-B09D-445290CC68B9}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{BF4D3762-26EE-4B75-8DA8-831311FE2A3D}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
"{6E94EDB8-D35F-40B7-9CC4-8B40EF582BB1}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{38B7F0AE-E9DA-4408-8EAD-4E35EDF04DBA}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{AB23632B-54F0-4693-9C16-7E8D89D7B4D9}"= UDP:5353:Adobe CSI CS4
"{A8C977C3-6CA0-4D12-973F-F7E83C906DDC}"= UDP:c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4
"{20B6906F-DB85-4471-A9F2-409042CE4EF4}"= TCP:c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4
"TCP Query User{D9BE6D3B-C583-46AC-A2E5-EC49BA358379}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{AB77A8F1-E0E7-48D2-8312-2BF8955E3397}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{41C04DE2-399B-4859-8F10-52A8CCF60361}c:\\program files\\bittorrent\\bittorrent.exe"= UDP:c:\program files\bittorrent\bittorrent.exe:BitTorrent
"UDP Query User{BF45A2BC-2A90-44D4-9786-59C03A8F8622}c:\\program files\\bittorrent\\bittorrent.exe"= TCP:c:\program files\bittorrent\bittorrent.exe:BitTorrent
"TCP Query User{5A970C87-CDA4-48B9-AFBE-DE2EC2611F0E}c:\\program files\\limewire\\limewire.exe"= UDP:c:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{19F569F8-B16B-4B87-B15B-DE7DC9173B26}c:\\program files\\limewire\\limewire.exe"= TCP:c:\program files\limewire\limewire.exe:LimeWire
"{C7AD0606-623F-4C46-B6AE-A611D332728F}"= UDP:c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe:Veoh Web Player
"{391FFDC7-302A-401D-9D4B-5CB15684C432}"= TCP:c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe:Veoh Web Player
"{58769221-0755-4364-BFF7-92A198901370}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
"{EA246592-779D-4E21-82DD-6CBA06821D7A}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
"{8FDB1823-7B6B-4D29-A0A8-DF62DEC9E6FF}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
"{E05D45B2-BACA-489C-9873-40AD49C679CA}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
"{4DB3A43E-D126-408E-95C4-47E1C0F6AA37}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
"{7D3446E8-DCAE-45B6-83D7-4FF38CED0C06}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
"{7CD5F27A-0F2F-4DF8-83C4-63923B10C331}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{E44FA2A3-2C02-4C30-97FF-9A01A674D36E}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [5/9/2009 6:38 PM 1153368]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\System32\Wacom_Tablet.exe [4/6/2009 1:29 PM 2749224]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [4/8/2009 6:38 AM 92008]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\System32\drivers\mbamswissarmy.sys [6/15/2009 5:03 PM 40160]
S3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\System32\drivers\NETw2v32.sys [11/2/2006 6:25 AM 2589184]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthsvcs REG_MULTI_SZ BthServ
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-AdobeBridge - (no file)
HKLM-Run-NoteBurner - c:\program files\NoteBurner\VTBurnerGUI.exe
HKLM-Run-11219774 - c:\programdata\11219774\11219774.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5674
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\mykl\AppData\Roaming\Mozilla\Firefox\Profiles\sdkka03l.default\
FF - prefs.js: browser.startup.homepage - hxxp://yahoo.com/
FF - component: c:\program files\Mozilla Firefox\extensions\{01A8CA0A-4C96-465b-A49B-65C46FAD54F9}\components\Contribute.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npContribute.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\users\mykl\AppData\Local\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\users\mykl\AppData\Roaming\Mozilla\Firefox\Profiles\sdkka03l.default\extensions\{0C7E3F01-99E9-4095-9BDC-F84724960B57}\plugins\NPCpnMgr.dll
FF - plugin: c:\users\mykl\AppData\Roaming\Mozilla\Firefox\Profiles\sdkka03l.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071300000040.dll
FF - plugin: c:\users\mykl\Program Files\DNA\plugins\npbtdna.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-03 11:48
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3952)
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\windows\System32\wisptis.exe
c:\program files\Common Files\microsoft shared\ink\TabTip.exe
c:\windows\System32\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\System32\WUDFHost.exe
c:\windows\System32\wisptis.exe
c:\program files\Common Files\microsoft shared\ink\TabTip.exe
c:\windows\System32\WTablet\Wacom_TabletUser.exe
c:\combo-fix\hidec.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\wbem\unsecapp.exe
c:\program files\Common Files\microsoft shared\ink\InputPersonalization.exe
c:\windows\ehome\ehmsas.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
c:\program files\Windows Media Player\wmplayer.exe
c:\program files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
c:\combo-fix\Catchme.tmp
c:\windows\servicing\TrustedInstaller.exe
c:\windows\System32\consent.exe
.
**************************************************************************
.
Completion time: 2009-07-03 11:55 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-03 15:54

Pre-Run: 400,869,187,584 bytes free
Post-Run: 400,504,344,576 bytes free

277 --- E O F --- 2009-07-03 15:30


HJT LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:27:43 PM, on 7/1/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support

Running processes:
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\mykl\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch...TP&M=GT5674
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch...TP&M=GT5674
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...TP&M=GT5674
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch...TP&M=GT5674
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [ButtonMonitor] C:\Program Files\IOI\ButtonMonitor.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NoteBurner] C:\Program Files\NoteBurner\VTBurnerGUI.exe /silence
O4 - HKLM\..\Run: [cftmon] C:\Windows\system32\szbtm.exe
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Users\mykl\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: PalTalk.lnk = C:\Program Files\Paltalk Messenger\paltalk.exe
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resource/...s/wlscctrl2.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\Gateway Games\Gateway Game Console\GameConsoleService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\Windows\system32\Wacom_Tablet.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

--
End of file - 13040 bytes


Awaiting further instructions

Mike
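The HijackThis log above shows an O4 entry named cftmon launching C:\Windows\system32\szbtm.exe, the file the original post complained about, and ComboFix's ORPHANS REMOVED list shows an HKLM Run entry named 11219774 that pointed into c:\programdata\11219774\. As an added example (not part of the thread, and not HijackThis or ComboFix code), here is a small Python triage script that parses Run-key lines in either log's format and flags the patterns a human reviewer looks for in such logs: an entry name that misspells a core Windows process (cftmon vs ctfmon) while launching something else, a core process name launched from outside the Windows directories, all-numeric folder and file names, and binaries in user-writable locations. The sample lines are copied from the posted logs except the 11219774 line, which is reconstructed in O4 form from the ComboFix orphan entry; the heuristics, the list of core process names and the edit-distance threshold are this example's own assumptions, and the output is a hint for a person, not a verdict.

```python
"""Triage autostart (Run-key) entries from HijackThis / ComboFix logs.

Added example for this thread; not code from HijackThis, ComboFix or the
forum. Heuristics and thresholds are this example's own assumptions.
"""
import ntpath
import re
from dataclasses import dataclass

# HijackThis:  O4 - HKLM\..\Run: [name] command line
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# ComboFix:    "name"="c:\path\file.exe" [date size]
COMBOFIX_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"(?: \[[^\]]*\])?$')
# shortest prefix of a command line that ends in an executable/module extension
EXE_RE = re.compile(r'^(?P<path>.+?\.(?:exe|dll|scr|com|bat|cmd))(?=[\s,"]|$)', re.IGNORECASE)

# Assumed list of core Windows process names that malware borrows or misspells.
WINDOWS_NAMES = {"ctfmon", "explorer", "svchost", "lsass", "csrss", "winlogon",
                 "userinit", "smss", "services", "spoolsv"}
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\")
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\progra~2\\")

# Constructed sample: lines copied from the posted logs, plus the 11219774
# entry reconstructed in O4 form from ComboFix's ORPHANS REMOVED line.
SAMPLE_LINES = [
    r"O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide",
    r"O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart",
    r"O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot",
    r"O4 - HKLM\..\Run: [NoteBurner] C:\Program Files\NoteBurner\VTBurnerGUI.exe /silence",
    r"O4 - HKLM\..\Run: [cftmon] C:\Windows\system32\szbtm.exe",
    r'O4 - HKCU\..\Run: [Google Update] "C:\Users\mykl\AppData\Local\Google\Update\GoogleUpdate.exe" /c',
    r'"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-01-20 185872]',
    r"O4 - HKLM\..\Run: [11219774] C:\ProgramData\11219774\11219774.exe",
]


@dataclass
class Finding:
    name: str
    binary: str
    severity: str  # "high" or "info"
    reason: str


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, inlined to keep the example dependency-free."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_autostart(line: str):
    """Return (name, command) for an O4 line or a ComboFix Run-key line, else None."""
    m = O4_RE.match(line) or COMBOFIX_RE.match(line)
    return (m["name"], m["cmd"]) if m else None


def extract_binary(cmd: str) -> str:
    """Return the module that actually runs: for rundll32 hosts, the DLL argument."""
    cmd = cmd.strip().lstrip('"')
    m = EXE_RE.match(cmd)
    if not m:
        return cmd
    path = m.group("path")
    if ntpath.basename(path).lower() == "rundll32.exe":
        rest = cmd[m.end("path"):].strip().lstrip('"')
        m2 = EXE_RE.match(rest)
        return m2.group("path") if m2 else rest
    return path


def triage_entry(name: str, cmd: str) -> list[Finding]:
    binary = extract_binary(cmd)
    low = binary.lower()
    stem = ntpath.splitext(ntpath.basename(low))[0]
    parent = ntpath.basename(ntpath.dirname(low))
    findings: list[Finding] = []

    # 1. Entry name mimics a core Windows process (exact or within 2 edits)
    #    while the binary it launches is not that process (cftmon -> szbtm.exe).
    for known in sorted(WINDOWS_NAMES):
        if levenshtein(name.lower(), known) <= 2 and stem != known:
            findings.append(Finding(name, binary, "high",
                                    f"entry name resembles '{known}' but launches {ntpath.basename(binary)}"))
            break
    # 2. A core process name launched from outside the Windows directories.
    if stem in WINDOWS_NAMES and not any(d in low for d in SYSTEM_DIRS):
        findings.append(Finding(name, binary, "high", f"'{stem}' launched from non-system path"))
    # 3. All-digit folder and file name, the shape of the orphaned 11219774 entry.
    if stem.isdigit() and parent.isdigit():
        findings.append(Finding(name, binary, "high", "all-numeric folder and file name"))
    # 4. Autostart binary in a user-writable location: normal for some per-user
    #    updaters, but anything can write there, so it is worth a look.
    if not findings and any(d in low for d in USER_WRITABLE):
        findings.append(Finding(name, binary, "info", "runs from a user-writable location"))
    return findings


def triage(lines) -> list[Finding]:
    out: list[Finding] = []
    for line in lines:
        parsed = parse_autostart(line)
        if parsed:
            out.extend(triage_entry(*parsed))
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.severity}] {f.name!r} -> {f.binary}: {f.reason}")
```

Run against the sample, the script reports the cftmon entry as high (name resembles ctfmon, launches szbtm.exe), the 11219774 entry as high, and the per-user Google Update entry as info only; the vendor entries produce nothing. The point of the look-alike rule is that a reviewer scanning an O4 list reads "cftmon" as the familiar ctfmon at a glance, which is exactly what the misspelling is for.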
jpshortstuff
post Jul 3 2009, 10:48 AM
Post #25


SuperHelper

Group: Classroom Teacher
Posts: 5,628
Joined: 28-April 07
From: UK
Member No.: 69,799
Operating System: Windows XP (Professional), Windows Vista (Home Business), Windows 7 (Ultimate), Ubuntu Linux



Looks like that got it.

OK, I assume Normal Mode is working fine now? Please give MalwareBytes' another scan, but make sure you Update it. The virus you had was pretty new by the looks of things.

How are things running at the moment? If MalwareBytes' finds anything, please post the log it gives (after removing what it finds).
mykl
post Jul 3 2009, 11:27 AM
Post #26


It takes longer to launch Windows after rebooting than before, but Normal Mode seems to be stable.

I am able to search in Yahoo without being redirected in all browsers, but I am still unable to launch any MS Office programs. (It still launches an installer.)

When I ran Malwarebytes before to allow ComboFix to launch, it did find 6 viruses. I was unable to delete them because ComboFix restarted my PC. I just ran Malwarebytes again and it claims not to have found any infections.

MALWAREBYTES LOG

Malwarebytes' Anti-Malware 1.37
Database version: 2284
Windows 6.0.6001 Service Pack 1

7/3/2009 1:12:13 PM
mbam-log-2009-07-03 (13-12-13).txt

Scan type: Quick Scan
Objects scanned: 83892
Time elapsed: 2 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Mike
jpshortstuff
post Jul 3 2009, 11:54 AM
Post #27



Hi,

Are you now able to uninstall those old Java entries?

Let's check out your Windows Installer, just to make sure there isn't anything wrong.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    CODE
    :service
    MSIServer

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Cheers.
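The SystemLook `:service MSIServer` query above is a one-off read of the Windows Installer service configuration. As an added example (not SystemLook and not part of the original thread), the same check done with built-in PowerShell and compared against the known-good values the SystemLook log in this thread reports (binary `msiexec.exe /V`, start type Demand/Manual, dependency `rpcss`); it assumes PowerShell 3 or newer on Windows and builds the path from `$env:SystemRoot` rather than hard-coding `C:\Windows`.

```powershell
# Added example (not SystemLook, not the helper's own tool): reproduce the
# ":service MSIServer" check with Get-CimInstance and the registry, and compare the
# live configuration against the known-good values shown in the SystemLook log.
# Requires PowerShell 3 or newer (Get-CimInstance, -notin).

function Test-WindowsInstallerService {
    [CmdletBinding()]
    param(
        [string]$ServiceName = 'MSIServer'
    )

    # Known-good configuration, as reported by SystemLook in this thread.
    $expected = @{
        PathName     = "$env:SystemRoot\system32\msiexec.exe /V"
        StartMode    = 'Manual'          # SystemLook calls this "Demand"
        Dependencies = @('rpcss')
    }

    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) {
        return [pscustomobject]@{ Service = $ServiceName; Present = $false; Findings = @('service not found') }
    }

    # Dependencies live in the DependOnService registry value (REG_MULTI_SZ).
    $regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    $depends = @((Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue).DependOnService)

    $findings = @()

    # A changed binary path is what turns a trusted service into a persistence
    # point, so any mismatch (compared case-insensitively) is reported.
    if ($svc.PathName -ine $expected.PathName) {
        $findings += "binary path is '$($svc.PathName)', expected '$($expected.PathName)'"
    }
    if ($svc.StartMode -ne $expected.StartMode) {
        $findings += "start mode is '$($svc.StartMode)', expected '$($expected.StartMode)'"
    }
    $missing = $expected.Dependencies | Where-Object { $_ -notin $depends }
    if ($missing) { $findings += "missing dependency: $($missing -join ', ')" }

    # The service binary should exist and carry a valid Microsoft signature.
    $exe = ($svc.PathName -split ' /')[0]
    if (Test-Path $exe) {
        $sig = Get-AuthenticodeSignature -FilePath $exe
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $findings += "unexpected signature on $exe ($($sig.Status))"
        }
    } else {
        $findings += "binary $exe not found"
    }

    [pscustomobject]@{
        Service   = $svc.Name
        Present   = $true
        State     = $svc.State
        StartMode = $svc.StartMode
        Binary    = $svc.PathName
        Depends   = $depends
        Healthy   = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

Test-WindowsInstallerService | Format-List
```

A healthy result prints `Healthy : True` with an empty `Findings` list; anything else names the field that differs from the expected configuration.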
mykl
post Jul 3 2009, 01:35 PM
Post #28

I did forget about the old Java apps but I did delete them successfully, leaving the latest version.

I have run the SystemLook program and have pasted the following log:

SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 15:31 on 03/07/2009 by mykl (Administrator - Elevation successful)

========== service ==========

MSIServer
Windows Installer
"Adds, modifies, and removes applications provided as a Windows Installer (*.msi) package. If this service is disabled, any services that explicitly depend on it will fail to start."
Current Status: Started
Startup Type: Demand
Error Control: Critical
Binary: C:\Windows\system32\msiexec.exe /V
Group: (none)
SafeBoot:
Dependencies:
->rpcss
Dependant Services:
(none)

-=End Of File=-

Mike
mykl
post Jul 3 2009, 02:02 PM
Post #29

ok...another issue seems to be occurring now.

My WinPatrol app keeps alerting me that some auto startup program is trying to load in my system. It asks if I find this acceptable (until I hear otherwise from you I click "NO"), at which point I get this warning that it is a key location to my operating system. (It did not provide a name of the program that wants to load like it usually does, which raised alarms.)

I left everything the way it is at this point and posted immediately.

I was also able to screen capture the popup messages.

Thanks-Mike
Attached thumbnail(s)

jpshortstuff
post Jul 3 2009, 02:29 PM
Post #30

Hmm, that's a little strange. Can't see any problem with the Windows Installer. I will refer you to our Tech Team for the Office problems because I don't think it's Malware.

But first, we'd better check this new WinPatrol problem out. Please run DDS again and post the logs, let's see if this mysterious Startup entry shows up there.
mykl
post Jul 3 2009, 02:42 PM
Post #31

My latest DDS LOG:


DDS (Ver_09-06-26.01) - NTFSx86
Run by mykl at 16:39:04.99 on Fri 07/03/2009
Internet Explorer: 8.0.6001.18783 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2942.1405 [GMT -4:00]

SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\Wacom_Tablet.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\WTablet\Wacom_TabletUser.exe
C:\Windows\system32\Wacom_Tablet.exe
C:\Windows\System32\rundll32.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\IOI\ButtonMonitor.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Paltalk Messenger\paltalk.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Windows\Explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10b.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\mykl\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://yahoo.com/
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5674
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
uRun: [Google Update] "c:\users\mykl\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [ButtonMonitor] c:\program files\ioi\ButtonMonitor.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\paltalk.lnk - c:\program files\paltalk messenger\paltalk.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - hxxp://dl.tvunetworks.com/TVUAx.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\mykl\appdata\roaming\mozilla\firefox\profiles\sdkka03l.default\
FF - prefs.js: browser.startup.homepage - hxxp://yahoo.com/
FF - component: c:\program files\mozilla firefox\extensions\{01a8ca0a-4c96-465b-a49b-65c46fad54f9}\components\Contribute.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npContribute.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\users\mykl\appdata\local\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\users\mykl\appdata\roaming\mozilla\firefox\profiles\sdkka03l.default\extensions\{0c7e3f01-99e9-4095-9bdc-f84724960b57}\plugins\NPCpnMgr.dll
FF - plugin: c:\users\mykl\appdata\roaming\mozilla\firefox\profiles\sdkka03l.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071300000040.dll
FF - plugin: c:\users\mykl\program files\dna\plugins\npbtdna.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-5-9 1153368]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2009-4-6 2749224]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-4-8 92008]
S3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]

=============== Created Last 30 ================

2009-07-03 11:48 <DIR> --dsh--- C:\$RECYCLE.BIN
2009-07-03 09:41 <DIR> --d----- C:\_OTM
2009-07-03 07:11 <DIR> --d----- C:\Rooter$
2009-07-01 17:42 <DIR> --ds---- C:\ComboFix
2009-07-01 16:52 161,792 a------- c:\windows\SWREG.exe
2009-07-01 16:52 155,136 a------- c:\windows\PEV.exe
2009-07-01 16:52 98,816 a------- c:\windows\sed.exe
2009-06-30 12:53 <DIR> --d----- c:\program files\Trend Micro
2009-06-29 17:36 220 a------- c:\windows\system32\winset.ini
2009-06-29 16:33 <DIR> --d----- c:\windows\system32\Adobe
2009-06-25 22:05 116,839 a------- c:\windows\hpqins00.dat
2009-06-22 17:49 22,872 a----r-- c:\windows\system32\AdobePDFUI.dll
2009-06-15 17:03 <DIR> --d----- c:\users\mykl\appdata\roaming\Malwarebytes
2009-06-15 17:03 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-15 17:03 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-15 17:03 <DIR> --d----- c:\programdata\Malwarebytes
2009-06-15 17:03 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-15 17:03 <DIR> --d----- c:\progra~2\Malwarebytes
2009-06-15 16:53 <DIR> --d----- c:\program files\Belarc
2009-06-14 01:21 428,544 a------- c:\windows\system32\EncDec.dll
2009-06-14 01:21 293,376 a------- c:\windows\system32\psisdecd.dll
2009-06-14 01:21 217,088 a------- c:\windows\system32\psisrndr.ax
2009-06-14 01:21 177,664 a------- c:\windows\system32\mpg2splt.ax
2009-06-14 01:21 80,896 a------- c:\windows\system32\MSNP.ax
2009-06-07 08:41 <DIR> --d----- c:\program files\iPod
2009-06-07 08:41 <DIR> --d----- c:\program files\iTunes

==================== Find3M ====================

2009-06-14 10:07 143,360 a------- c:\windows\inf\infstrng.dat
2009-06-14 10:07 51,200 a------- c:\windows\inf\infpub.dat
2009-06-14 10:07 86,016 a------- c:\windows\inf\infstor.dat
2009-05-29 13:36 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-05-29 13:36 39,424 a------- c:\windows\system32\drivers\usbaapl.sys
2009-05-23 06:10 157,706 a------- c:\windows\hphins27.dat
2009-05-09 01:50 915,456 a------- c:\windows\system32\wininet.dll
2009-05-09 01:34 71,680 a------- c:\windows\system32\iesetup.dll
2009-04-23 08:43 784,896 a------- c:\windows\system32\rpcrt4.dll
2009-04-23 08:42 636,928 a------- c:\windows\system32\localspl.dll
2009-04-21 07:55 2,033,152 a------- c:\windows\system32\win32k.sys
2009-01-27 18:59 2,516 a--sh--- c:\programdata\KGyGaAvL.sys
2009-01-27 18:59 2,516 a--sh--- c:\progra~2\KGyGaAvL.sys
2009-01-18 08:32 8 ---shr-- c:\programdata\E6E84B42E6.sys
2009-01-18 08:32 8 ---shr-- c:\progra~2\E6E84B42E6.sys
2008-06-10 21:18 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-20 22:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 16:39:21.86 ===============

My latest ATTACH attachment:


Attached File(s): Attach.txt ( 20.92K )

mykl
post Jul 3 2009, 02:46 PM
Post #32

sigh...

now a Java Runtime Environment update wants to be installed.

Everybody wants to join the party it seems...lol

Mike
jpshortstuff
post Jul 3 2009, 02:47 PM
Post #33

Hi,

I can see nothing bad in those logs.

I would give the second box a "Yes" for removal. There is nothing 'key' that your OS would need to add just out of the blue, especially without any name or info about it.

For your Office problem, I think you would get the best help if you posted to our Microsoft Office forum, where our Tech Team should be with you shortly.

Logs look good

Click Start >> Run, and then type ComboFix /u and hit enter.
You can now delete any other tools I had you download and use, unless you wish to keep them.


Now that your system appears to be clean, there's just a few steps I'd like you to take to prevent any future infections.
  • Keeping your Windows up-to-date is crucial to your computer's security. Please go to the Windows Update Site (using Internet Explorer) and download and install all critical updates on a regular basis. I recommend you install Vista's Service Pack 2 to get your system fully updated.

  • Make sure you update your Anti-Virus software regularly; new viruses are being developed all the time.

Also, please read this great article by Tony Klein: So How Did I Get Infected In First Place

Glad we could be of assistance.

Please reply to this thread once more if you are satisfied so that we can mark the problem as resolved.

Stay Clean!

jpshortstuff
mykl
post Jul 3 2009, 02:52 PM
Post #34

jpshortstuff,

I can't thank you enough for your patience and attention to this problem.

I really appreciate all the time you took in helping me.

I will now go bug the Windows Office Team...lol

THANKS AGAIN!!!

Mike
jpshortstuff
post Jul 3 2009, 02:54 PM
Post #35

Glad I could help you

I will leave this open a little longer, just in case you have any other problems that you think may be Malware related.

Good luck
mykl
post Jul 3 2009, 03:16 PM
Post #36

Hi,

I just launched my Chrome browser and it seems that all my browsing history, bookmarks, etc were wiped out..as if I just installed the program.

It is not a big deal as I can always start again but I just wanted to make you aware.

thanks again
Mike
jpshortstuff
post Jul 3 2009, 03:23 PM
Post #37

That's strange, we haven't gone anywhere near Chrome as far as I know. I don't use it so I couldn't tell you for sure, but are there any automatic backups of things like Bookmarks that it creates?

Could have been a casualty of war
mykl
post Jul 3 2009, 03:45 PM
Post #38

Yes. I believe they sacrificed themselves for the greater good...LMAO

I checked to see if there were any backups but unfortunately not.

I just wanted to make you aware so that if you get similar cases in the future you can pore over everything that was done in assisting me.

Mike
jpshortstuff
post Jul 3 2009, 04:07 PM
Post #39

Thank you, I will keep this in mind
mykl
post Jul 3 2009, 06:40 PM
Post #40

It seems that there is a problem with that WinPatrol popup we discussed earlier.

If I click yes or no to the request to allow the startup program or to have the file removed (despite the warning), the popup reappears about every 5-10 min.

I do not detect any system changes or difference in behavior except for the recurring popup. The only thing I have done since my last post was to do the suggested Windows Update.

Thanks-Mike
jpshortstuff
post Jul 5 2009, 05:01 AM
Post #41

Hi,

OK, let's see if we can find this entry that WinPatrol is talking about. It's going to be a little tough since we have pretty much no info on it, but we'll do our best.

Create a Startup List
  • Open HijackThis
  • Click on "Open the Misc Tools section"
  • Check the 2 boxes next to the Box that says "Generate StartupList log"
  • Copy and paste the StartupList from the notepad into your next post


I will also install WinPatrol on my own computer and see if I can find any settings/functions to help.
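The StartupList the helper asks for is a dump of the autostart locations that the DDS log earlier in the thread labels `uRun`, `mRun`, `mRunOnce` and `StartupFolder`. As an added example (not HijackThis, WinPatrol or DDS output, and not the helper's own procedure), a PowerShell enumeration of those same locations that flags what a responder hunting an unnamed startup entry looks for first: a target missing from disk (the DDS report marks these "No File"), one without a valid Authenticode signature, or one launched from a user-writable location. It assumes PowerShell 3 or newer on Windows.

```powershell
# Added example, not HijackThis/WinPatrol/DDS output: enumerate Run/RunOnce keys and
# Startup folders (the DDS "uRun", "mRun", "mRunOnce", "StartupFolder" lines) and
# flag entries whose target is missing, unsigned, or lives in a user-writable path.
# Requires PowerShell 3 or newer.

function New-AutorunRecord {
    param([string]$Scope, [string]$Name, [string]$Command)

    # Pull the executable out of a command line such as  "c:\path\app.exe" -quiet
    # or  RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart  (for rundll32 the
    # host binary is what gets checked here, not the DLL it loads).
    $exe = if ($Command -match '^"([^"]+)"') { $Matches[1] }
           elseif ($Command -match '^(\S+)')  { $Matches[1] }
           else { $Command }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)

    # Bare names such as RtHDVCpl.exe resolve through the system directory / PATH.
    if ($exe -and -not (Test-Path $exe)) {
        $found = @(Get-Command $exe -ErrorAction SilentlyContinue)
        if ($found) { $exe = $found[0].Path }
    }

    $exists = [bool]($exe -and (Test-Path $exe))
    $signed = $false
    if ($exists) {
        $signed = (Get-AuthenticodeSignature -FilePath $exe).Status -eq 'Valid'
    }
    $userWritable = ($exe -like "$env:USERPROFILE*") -or ($exe -like "$env:TEMP*")

    [pscustomobject]@{
        Scope      = $Scope
        Name       = $Name
        Command    = $Command
        Executable = $exe
        Exists     = $exists
        Signed     = $signed
        Suspicious = (-not $exists) -or (-not $signed) -or $userWritable
    }
}

function Get-AutorunEntry {
    [CmdletBinding()]
    param()

    # Registry Run/RunOnce keys for the current user ("u") and the machine ("m"),
    # using the same prefixes DDS prints in its Pseudo HJT report.
    $keys = @(
        @{ Scope = 'uRun';     Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' }
        @{ Scope = 'uRunOnce'; Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce' }
        @{ Scope = 'mRun';     Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' }
        @{ Scope = 'mRunOnce'; Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce' }
    )

    foreach ($k in $keys) {
        $props = Get-ItemProperty -Path $k.Path -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
            New-AutorunRecord -Scope $k.Scope -Name $p.Name -Command ([string]$p.Value)
        }
    }

    # Startup folders for the current user and for all users (DDS: "StartupFolder");
    # .lnk files are resolved to the program they point at.
    $shell = New-Object -ComObject WScript.Shell
    foreach ($folder in @([Environment]::GetFolderPath('Startup'),
                          [Environment]::GetFolderPath('CommonStartup'))) {
        Get-ChildItem -Path $folder -File -ErrorAction SilentlyContinue | ForEach-Object {
            $target = $_.FullName
            if ($_.Extension -ieq '.lnk') { $target = $shell.CreateShortcut($_.FullName).TargetPath }
            New-AutorunRecord -Scope 'StartupFolder' -Name $_.Name -Command $target
        }
    }
}

# Entries worth a closer look, in the order a reviewer would triage them.
Get-AutorunEntry | Where-Object Suspicious |
    Format-Table Scope, Name, Executable, Exists, Signed -AutoSize
```

Drop the `Where-Object Suspicious` filter to see the complete list, which is the equivalent of the StartupList the helper requested; unsigned third-party software will appear as suspicious and needs to be judged by hand.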
mykl
post Jul 5 2009, 07:08 AM
Post #42

Good Morning,

After startup the continuous popups have stopped (for now...hopefully forever).

I still wanted to run the Hijackthis procedure from your last post but when I did the notepad file was blank.

I apologize for the apparent false alarm.

I guess my system is a little quirky right now.

Mike
jpshortstuff
post Jul 5 2009, 07:10 AM
Post #43

Alrighty, I'll keep this open for a bit longer. If any of the issues return, let me know
mykl
post Jul 7 2009, 11:06 AM
Post #44

Hi jpshortstuff,

After a couple of days of use, I believe that I am out of the woods thanks to you.

If you wish, this thread can be closed.

I just had one question.

My system startup is slower than usual. Can you recommend software, instructions, forums that can assist me in optimizing my system's performance?

Once again, Thank you for everything

Mike
jpshortstuff
post Jul 7 2009, 01:36 PM
Post #45

Glad to hear things are running better. As for the slowness, well, there could be a number of causes. Our sister-site, Malware Removal, has a fantastic guide for slow computers, I suggest you have a look:
http://www.malwareremoval.com/tutorials/runningslowly.php
jpshortstuff
post Jul 12 2009, 03:45 AM
Post #46

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
