[Closed] Malware blocking access to Malwarebytes / HijackThis / Avast, originally advertised Antivirus Pro 2010 before I got rid of it.
kearnsy
post Sep 14 2009, 06:01 PM
Post #1


Operating System: XP media center



Like the title says, I'm working on my brother's computer. Originally he had a fake Windows security popup advertising Anti-Virus Pro 2010 or something along those lines. It was easy to remove through the Add/Remove Programs window, but I have not regained access to any form of virus protection. As soon as the scan fails (after 5-10 s), the executable is permission-locked.

I read the "how to organize your first post" sticky and backed up my registry, but I was unable to get a report from dds.scr, while RootRepeal.exe gave me an "invalid PE image" error.
CatByte
post Sep 14 2009, 06:17 PM
Post #2


Operating System: xp sp3



Hi,

Please do the following:

Please download exeHelper to your desktop.
  • Double-click on exeHelper.com to run the fix.
  • A black window should pop up, press any key to close once the fix is completed.
  • Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)

Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log, and post the two logs together (they will both be in the one file).


NEXT

Download and run Win32kDiag:
  1. Download Win32kDiag from any of the following locations and save it to your Desktop.
  2. Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
  3. When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
  4. Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.

kearnsy
post Sep 16 2009, 04:45 PM
Post #3


Operating System: XP media center



Thanks for taking my case!!

Log from exehelperlog.txt

--------------------
exeHelper by Raktor - 09
Build 20090916
Run at 17:14:34 on 09/16/09
Now searching...
Checking for numerical processes...
Checking for bad processes...
Checking for bad files...
Found file C:\WINDOWS\system32\braviax.exe
Deleting file C:\WINDOWS\system32\braviax.exe
Found file C:\WINDOWS\system32\~.exe
Deleting file C:\WINDOWS\system32\~.exe
Resetting filetype association for .exe
Resetting filetype association for .com
--Finished--
--------------------





Log from Win32kDiag.txt

--------------------
Running from: C:\Documents and Settings\Bill\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Bill\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB904706\KB904706

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB912812\KB912812

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB915865\KB915865

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB916281\KB916281

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB922760\KB922760

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB928090\KB928090

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB931768\KB931768

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB933566\KB933566

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB937143\KB937143

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB939653\KB939653

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB941568\KB941568

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB942615\KB942615

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB944533\KB944533

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB947864\KB947864

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\aolshare\aolshare

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3EA.tmp\ZAP3EA.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP49C.tmp\ZAP49C.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP588.tmp\ZAP588.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5A1.tmp\ZAP5A1.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5E9.tmp\ZAP5E9.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP8A3.tmp\ZAP8A3.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP8A5.tmp\ZAP8A5.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Cache\Cache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ErrorRep\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ErrorRep\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ErrorRep\UserDumps\UserDumps

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\batch\batch

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

[1] 2004-08-10 06:00:00 743936 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)

[1] 2008-04-13 19:12:21 744448 C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe ()

[1] 2008-04-13 19:12:21 744448 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)



Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-118349227-1508774416-1167528130-1005\S-1-5-21-118349227-1508774416-1167528130-1005

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-118349227-1508774416-1167528130-1008\S-1-5-21-118349227-1508774416-1167528130-1008

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\7.0\Collab\Collab

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\7.0\Preferences\Preferences

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Flash Player\AssetCache\4L92TSWG\4L92TSWG

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{4E3254D7-522A-412A-9296-3F4767B3A2CB}\{4E3254D7-522A-412A-9296-3F4767B3A2CB}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-118349227-1508774416-1167528130-500\S-1-5-21-118349227-1508774416-1167528130-500

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-343818398-1004336348-839522115-500\S-1-5-21-343818398-1004336348-839522115-500

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\MMC\MMC

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\javaws\cache\cache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-118349227-1508774416-1167528130-500\S-1-5-21-118349227-1508774416-1167528130-500

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-343818398-1004336348-839522115-500\S-1-5-21-343818398-1004336348-839522115-500

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\Active

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Musicmatch\Jukebox\Cache\Cache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\CCWin\Address Book\Address Book

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\dumprep.exe

[1] 2004-08-10 06:00:00 10752 C:\WINDOWS\$NtServicePackUninstall$\dumprep.exe (Microsoft Corporation)

[1] 2008-04-13 19:12:18 10752 C:\WINDOWS\ServicePackFiles\i386\dumprep.exe (Microsoft Corporation)

[1] 2008-04-13 19:12:18 10752 C:\WINDOWS\system32\dumprep.exe ()

[1] 2004-08-10 06:00:00 10752 C:\i386\dumprep.exe (Microsoft Corporation)



Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-10 06:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 62464 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 19:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

[1] 2004-08-10 06:00:00 55808 C:\i386\eventlog.dll (Microsoft Corporation)



Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\Macromed\Shockwave 8\DswMedia\DswMedia

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\Macromed\Shockwave 8\Prefs\Prefs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\Macromed\update\update

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\Microsoft\Crypto\RSA\MachineKeys\MachineKeys

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\TempRec\TempSBE\TempSBE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^



Finished!
--------------------
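As an added illustration (not part of the thread, and not code from Win32kDiag or the helper), the Python script below applies the two triage heuristics a reader would use on a log like the one above: a reparse point whose destination is not a `\??\Volume{GUID}\` or `\??\X:\` path is suspect, and a "Cannot access" file whose in-place copy has an empty version-info company string and a size that differs from the backup copies is the likeliest patched system file (here eventlog.dll, which the later ComboFix log reports as infected). The sample log is a constructed, trimmed copy of the posted one plus one invented benign volume mount point; the "high"/"medium" labels are my own.

```python
"""Triage heuristics for a Win32kDiag log (added example, not part of the thread)."""
import re
from dataclasses import dataclass

# Constructed sample: a trimmed copy of the log posted above plus one made-up
# benign volume mount point (invented GUID) so the filter has something to pass.
SAMPLE_LOG = r"""Running from: C:\Documents and Settings\Bill\Desktop\Win32kDiag.exe

WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\$hf_mig$\KB904706\KB904706
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\Microsoft\Crypto\RSA\MachineKeys\MachineKeys
Mount point destination : \Device\__max++>\^
Found mount point : C:\MountedDrive\MountedDrive
Mount point destination : \??\Volume{0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0}\
Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2004-08-10 06:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 19:11:53 62464 C:\WINDOWS\system32\eventlog.dll ()
[2] 2008-04-13 19:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
Cannot access: C:\WINDOWS\system32\dumprep.exe
[1] 2008-04-13 19:12:18 10752 C:\WINDOWS\ServicePackFiles\i386\dumprep.exe (Microsoft Corporation)
[1] 2008-04-13 19:12:18 10752 C:\WINDOWS\system32\dumprep.exe ()
Finished!
"""

MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
CANNOT_RE = re.compile(r"^Cannot access: (.+)$")
# "[n] <date> <time> <size> <path> (<company>)"; the company is empty when the
# file's version resource is gone, as it is for the in-place eventlog.dll above.
COPY_RE = re.compile(r"^\[\d+\] \S+ \S+ (\d+) (.+) \((.*)\)$")
# Legitimate junctions resolve to \??\Volume{GUID}\ or \??\X:\...; a target such
# as \Device\__max++>\^ is neither, which is why every hit above is suspect.
BENIGN_DEST_RE = re.compile(r"^\\\?\?\\(Volume\{[0-9A-Fa-f-]{36}\}|[A-Za-z]:)(\\|$)")

@dataclass
class Finding:
    severity: str  # "high" or "medium"
    path: str
    reason: str

def _check_mount(path, dest, findings):
    if not BENIGN_DEST_RE.match(dest):
        findings.append(Finding("high", path, f"reparse point to non-volume target {dest}"))

def _check_locked_file(path, copies, findings):
    """copies: (size, path, company) tuples listed under one 'Cannot access' line."""
    name = path.rsplit("\\", 1)[-1].lower()
    in_place = [c for c in copies if c[1].lower() == path.lower()]
    if not in_place:
        findings.append(Finding("medium", path, "locked file with no version entry at all"))
        return
    size, _, company = in_place[0]
    if company:
        return  # version info intact; the log alone gives no further evidence
    good_sizes = {s for s, p, comp in copies
                  if comp and p.lower() != path.lower() and p.lower().endswith("\\" + name)}
    if good_sizes and size not in good_sizes:
        findings.append(Finding("high", path,
                                f"no version info and size {size} differs from "
                                f"known-good copies {sorted(good_sizes)}"))
    else:
        findings.append(Finding("medium", path, "no version info but size matches backups"))

def triage(log_text):
    """One pass: pair mount points with destinations, 'Cannot access' with its [n] listing."""
    findings, mount, locked, copies = [], None, None, []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if locked is not None:
            m = COPY_RE.match(line)
            if m:
                copies.append((int(m.group(1)), m.group(2), m.group(3)))
                continue
            _check_locked_file(locked, copies, findings)  # listing ended
            locked, copies = None, []
        if m := MOUNT_RE.match(line):
            mount = m.group(1)
        elif (m := DEST_RE.match(line)) and mount is not None:
            _check_mount(mount, m.group(1), findings)
            mount = None
        elif m := CANNOT_RE.match(line):
            locked = m.group(1)
    if locked is not None:
        _check_locked_file(locked, copies, findings)
    return findings

def summarize(findings):
    """Paths grouped by severity, sorted, for quick comparison or assertions."""
    return {sev: sorted(f.path for f in findings if f.severity == sev)
            for sev in ("high", "medium")}
```

Run against the full posted log, every `__max++>` junction lands in "high" together with eventlog.dll, while dumprep.exe and helpsvc.exe (empty version info, but sizes matching the service-pack copies) stay at "medium".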
CatByte
post Sep 16 2009, 05:01 PM
Post #4


Operating System: xp sp3



Hi,

Please do the following:

Open NOTEPAD.exe and copy/paste the text in the codebox below:
(don't forget to copy and paste REGEDIT4)

CODE
REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\Eventlog]
"Start"=dword:00000004


Save this as fix.reg. Choose "Save type as - All Files".
It should look like this:
Double click on fix.reg & allow it to merge into the registry
Reboot the machine once this is done.


next

Download Combofix from either of the links below. You must rename it before saving it.
Save it to your desktop.

**Note: In the event you already have Combofix, delete it; this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.**

  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".



Link 1
Link 2



During the download, rename Combofix to Combo-Fix as follows:





--------------------------------------------------------------------
  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.



-----------------------------------------------------------

  • Double click on Combo-Fix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\Combo-Fix.txt" for further review.

    **Note: Do not mouse-click Combo-Fix's window while it's running. That may cause it to stall.**


    -----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    -----------------------------------------------------------


NOTE: If ComboFix asks to install the Recovery Console, please ALLOW it to do so.
kearnsy
post Sep 16 2009, 05:17 PM
Post #5


Operating System: XP media center



OK, ComboFix has just started its scan. I need to pick up my little brother from practice, so I'll be back in 30 to 40 minutes. The scan should probably be done by then.

EDIT: I have been having a few problems. The ComboFix executable is at 100%, but nothing is happening and it hasn't produced a .txt output. Instead I see a folder called combofix with the My Computer icon on my C: drive.

This post has been edited by kearnsy: Sep 16 2009, 07:20 PM
CatByte
post Sep 16 2009, 07:27 PM
Post #6


Operating System: xp sp3



Have a look inside the folder to see if there is a combofix.txt file there.

Did you reboot the computer before running Combofix?

If there is no txt file, then Combofix probably did not run properly:

Reboot the machine.

Delete the copy of Combofix from your desktop.

Delete the combofix folder from your C: drive.

Download a fresh copy, rename it to combofix.com and run it. Try running it in Safe Mode if need be.

Make sure all your security programs are totally disabled or they will interfere.
kearnsy
post Sep 16 2009, 08:00 PM
Post #7


Operating System: XP media center



Success! Before seeing your reply I had just started a new instance of Combo-Fix. It looks like everything worked out OK: it found a rootkit at C:\windows\system32\sdra64.exe and restarted the computer, completed something like 60 steps and deleted a whole bunch of files.

Here is the log.txt

--------------------
ComboFix 09-09-16.01 - Bill 09/16/2009 20:27.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.286 [GMT -5:00]
Running from: c:\documents and settings\Bill\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\683.tmp
C:\685.tmp
C:\688.tmp
C:\68C.tmp
c:\documents and settings\All Users\Application Data\abiz.vbs
c:\documents and settings\All Users\Application Data\axegule._sy
c:\documents and settings\All Users\Application Data\fisyxiba.pif
c:\documents and settings\All Users\Application Data\imihiwyr.vbs
c:\documents and settings\All Users\Application Data\ipiruk.sys
c:\documents and settings\All Users\Application Data\nuwygatohu._sy
c:\documents and settings\All Users\Application Data\nynep.bat
c:\documents and settings\All Users\Application Data\qofetaj._dl
c:\documents and settings\All Users\Application Data\yhifesiju.dl
c:\documents and settings\All Users\Application Data\zyzi.dl
c:\documents and settings\All Users\Documents\adyjada.exe
c:\documents and settings\All Users\Documents\fexikodupi.vbs
c:\documents and settings\All Users\Documents\hijy.ban
c:\documents and settings\All Users\Documents\mewyq.ban
c:\documents and settings\All Users\Documents\omajokafot.exe
c:\documents and settings\All Users\Documents\sasacoqi.inf
c:\documents and settings\All Users\Documents\tyfa.vbs
c:\documents and settings\All Users\Documents\ujuqusavy.dll
c:\documents and settings\All Users\Documents\vypuqo.scr
c:\documents and settings\Bill\Application Data\enajyzyz.exe
c:\documents and settings\Bill\Application Data\eqyboremyv.scr
c:\documents and settings\Bill\Application Data\kywug.bat
c:\documents and settings\Bill\Application Data\Microsoft\Installer\{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}\WinDlg.exe_0AB76F69E7614CFAB9B0A1906B4E9E4B_3.exe
c:\documents and settings\Bill\Application Data\Microsoft\Installer\{2E7595EC-4FB1-4E29-93D4-9083C8A9B107}\NewShortcut3_2E7595EC4FB14E2993D49083C8A9B107.exe
c:\documents and settings\Bill\Application Data\Microsoft\Installer\{AFF1EA96-9C23-4249-B7D4-CD4B54D4582F}\NewShortcut3_2E7595EC4FB14E2993D49083C8A9B107.exe
c:\documents and settings\Bill\Application Data\Microsoft\Installer\{E434580A-2D4A-4433-A81E-4BCAE86AD148}\NewShortcut1.4DA64122_6F1D_4317_BC6A_2B3299881D1B.exe
c:\documents and settings\Bill\Application Data\Microsoft\Installer\{E434580A-2D4A-4433-A81E-4BCAE86AD148}\NewShortcut3.4DA64122_6F1D_4317_BC6A_2B3299881D1B.exe
c:\documents and settings\Bill\Application Data\Microsoft\Installer\{E434580A-2D4A-4433-A81E-4BCAE86AD148}\NewShortcut4.4DA64122_6F1D_4317_BC6A_2B3299881D1B.exe
c:\documents and settings\Bill\Application Data\Microsoft\Installer\{E434580A-2D4A-4433-A81E-4BCAE86AD148}\NewShortcut5.4DA64122_6F1D_4317_BC6A_2B3299881D1B.exe
c:\documents and settings\Bill\Application Data\Microsoft\Installer\{E434580A-2D4A-4433-A81E-4BCAE86AD148}\NewShortcut6.4DA64122_6F1D_4317_BC6A_2B3299881D1B.exe
c:\documents and settings\Bill\Application Data\ufek.bat
c:\documents and settings\Bill\Application Data\yqucacefep.dl
c:\documents and settings\Bill\Cookies\jeluqy.ban
c:\documents and settings\Bill\Cookies\uwac.sys
c:\documents and settings\Bill\Cookies\yxoqigehob._dl
c:\documents and settings\Bill\Local Settings\Application Data\avutefuni.com
c:\documents and settings\Bill\Local Settings\Application Data\jotyf._dl
c:\documents and settings\Bill\Local Settings\Application Data\jybo.sys
c:\documents and settings\Bill\Local Settings\Application Data\vakedexaz.reg
c:\documents and settings\Bill\Local Settings\Application Data\ycutijukeq.dll
c:\documents and settings\Bill\Local Settings\Application Data\yhymybe.vbs
c:\documents and settings\Bill\Local Settings\Application Data\ypusohaq._dl
c:\documents and settings\Bill\Local Settings\Application Data\yxulilete.dl
c:\documents and settings\Bill\Local Settings\Temporary Internet Files\inewahytep.db
c:\documents and settings\Bill\Local Settings\Temporary Internet Files\juhox.reg
c:\documents and settings\Bill\Local Settings\Temporary Internet Files\odezyxofu._dl
c:\documents and settings\Debby\Application Data\enigowi.lib
c:\documents and settings\Debby\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk
c:\documents and settings\Debby\Application Data\yquxekyci.scr
c:\documents and settings\Debby\Cookies\ovisydiz.sys
c:\documents and settings\Debby\Cookies\ovybujot.bin
c:\documents and settings\Debby\Cookies\timodud.ban
c:\documents and settings\Debby\Cookies\zazo.ban
c:\documents and settings\Debby\Desktop\AntivirusPro_2010.lnk
c:\documents and settings\Debby\Local Settings\Application Data\wineceg.sys
c:\documents and settings\Debby\Local Settings\Temporary Internet Files\veseqelat.vbs
c:\documents and settings\Debby\Local Settings\Temporary Internet Files\vocy.db
c:\documents and settings\Debby\Start Menu\Programs\AntivirusPro_2010
c:\documents and settings\Debby\Start Menu\Programs\AntivirusPro_2010\AntivirusPro_2010.lnk
c:\documents and settings\Debby\Start Menu\Programs\AntivirusPro_2010\Uninstall.lnk
c:\documents and settings\Ryan\Application Data\bakawuq.bin
c:\documents and settings\Ryan\Application Data\folyciligi._sy
c:\documents and settings\Ryan\Start Menu\Programs\Internet Speed Monitor
c:\documents and settings\Ryan\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
c:\documents and settings\Ryan\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
c:\program files\Common Files\bexobeseti.bat
c:\program files\Common Files\hydimitiw._dl
c:\program files\Common Files\izeloty.exe
c:\program files\Common Files\lokymy.scr
c:\program files\Common Files\opusebify.pif
c:\program files\Common Files\orehupeser.dl
c:\program files\Common Files\pytarilu.exe
c:\program files\Common Files\tybusotoh.dl
c:\program files\Common Files\veqisa.bat
c:\program files\GetModule
c:\program files\GetModule\dicik.gz
c:\program files\GetModule\kwdik.gz
c:\program files\GetModule\pckik.dat
c:\program files\GetPack
c:\program files\GetPack\dictame.gz
c:\program files\GetPack\trgtame.gz
c:\program files\iCheck
c:\program files\iCheck\Uninstall.exe
c:\program files\inetget2
c:\program files\ISM
c:\program files\ISM\dictionary.gz
c:\program files\ISM\synupd.exe
c:\program files\ISM\targets.gz
c:\program files\ISM\Uninstall.exe
c:\program files\ISM2
c:\program files\ISM2\dictionary.gz
c:\program files\ISM2\targets.gz
c:\program files\QdrModule
c:\program files\QdrModule\dic.gz
c:\program files\QdrModule\kwd.gz
c:\program files\QdrPack
c:\program files\QdrPack\dicts.gz
c:\program files\QdrPack\trgts.gz
c:\program files\RcvSystem
c:\program files\Temporary
c:\program files\Words
c:\program files\Words\list.txt
c:\program files\Words\script.txt
c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx
c:\windows\ehumy.exe
c:\windows\godaboteb.reg
c:\windows\huvoqalus.pif
c:\windows\Installer\2e172b.msi
c:\windows\kb913800.exe
c:\windows\ojyhataqe.dl
c:\windows\ozuv.pif
c:\windows\system32\_scui.cpl
c:\windows\system32\aval.inf
c:\windows\system32\awexewuga.bin
c:\windows\system32\dllcache\figaro.sys
c:\windows\system32\drivers\UACd.sys
c:\windows\system32\hejo.bin
c:\windows\system32\ibesod.vbs
c:\windows\system32\jewihigy.inf
c:\windows\system32\kihudabege.inf
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\muzapp.exe
c:\windows\system32\sdra64.exe
c:\windows\system32\wisdstr.exe
c:\windows\system32\xojocafuje.pif
c:\windows\system32\xywibojuqy.bat
c:\windows\system32\zagypafip.pif
c:\windows\vycytagepe.inf
c:\windows\zemeqyha.sys

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ESQULSERV.SYS
-------\Legacy_WINDOWS_MSI
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Service_ESQULserv.sys
-------\Service_Windows MSI


((((((((((((((((((((((((( Files Created from 2009-08-17 to 2009-09-17 )))))))))))))))))))))))))))))))
.

2009-09-16 23:20 . 2009-09-17 01:14 -------- d-----w- C:\Combo-Fix
2009-09-16 22:52 . 1997-04-09 01:08 299520 ----a-w- c:\windows\uninst.exe
2009-09-16 22:51 . 2009-09-16 22:51 -------- d-----w- C:\Lxk6100
2009-09-14 23:51 . 2009-09-14 23:51 -------- d-----w- c:\program files\ERUNT
2009-09-14 23:39 . 2009-09-14 23:39 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\BVRP Software
2009-09-14 23:38 . 2009-09-14 23:38 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-09-14 23:37 . 2009-09-14 23:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-09-14 23:35 . 2009-09-14 23:35 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-09-14 22:52 . 2009-09-14 22:52 -------- d-----w- c:\documents and settings\Bill\Application Data\Malwarebytes
2009-09-14 22:33 . 2009-09-14 22:33 -------- d-----w- c:\documents and settings\Ryan\Application Data\Malwarebytes
2009-09-14 22:33 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-14 22:33 . 2009-09-14 23:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-14 22:33 . 2009-09-14 22:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-14 22:33 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-13 03:23 . 2009-09-13 03:23 19376 ----a-w- c:\windows\myfeqetevy.dat
2009-09-11 21:38 . 2009-09-11 21:38 -------- d-----w- c:\documents and settings\Ryan\Local Settings\Application Data\Mozilla
2009-09-10 03:04 . 2009-09-10 03:04 19309 ----a-w- c:\windows\system32\fifemoquq.com
2009-09-09 01:58 . 2009-09-09 01:58 19271 ----a-w- c:\windows\ebedewalys.com
2009-09-08 23:37 . 2009-09-08 23:37 13778 ----a-w- c:\documents and settings\Bill\Local Settings\Application Data\ocifij.dat
2009-09-08 20:17 . 2009-09-14 22:38 -------- d-----w- c:\documents and settings\Bill\Application Data\NBC Direct
2009-09-08 20:17 . 2009-09-08 20:19 -------- d-----w- c:\documents and settings\Bill\Application Data\IDM
2009-09-08 20:16 . 2009-09-08 20:17 -------- d-----w- c:\documents and settings\All Users\Application Data\NBC Direct
2009-09-08 20:16 . 2009-09-08 20:17 -------- d---a-w- c:\program files\NBC Direct
2009-09-08 20:16 . 2009-09-08 20:22 -------- dc-h--w- c:\documents and settings\Bill\Local Settings\Application Data\{F9ABF6FF-B068-4877-9373-3B5353A65A36}
2009-09-02 21:10 . 2009-09-02 21:10 -------- d-----w- c:\program files\Avast Anti-Virus
2009-09-02 21:05 . 2009-09-02 21:05 -------- d-----w- c:\documents and settings\Bill\Local Settings\Application Data\Mozilla
2009-08-25 04:14 . 2009-08-25 04:14 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Adobe
2009-08-25 04:14 . 2009-08-25 04:14 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-25 04:14 . 2009-08-25 04:14 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-08-22 08:10 . 2009-08-22 08:10 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-22 08:10 . 2009-08-22 08:10 -------- d-----w- c:\program files\MSBuild
2009-08-22 08:10 . 2009-08-22 08:10 -------- d-----w- c:\program files\Reference Assemblies
2009-08-22 08:08 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-22 08:08 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-22 08:08 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-22 08:08 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-22 08:08 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-22 08:08 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-22 08:08 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-22 08:08 . 2009-08-22 08:09 -------- d-----w- C:\b4e9d31e2ce3f4910a2da1e1b1
2009-08-21 00:29 . 2009-08-21 00:29 -------- d-sh--w- c:\documents and settings\Debby\PrivacIE
2009-08-20 23:50 . 2009-08-20 23:50 -------- d-sh--w- c:\documents and settings\Debby\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-14 23:44 . 2005-11-02 17:44 -------- d-----w- c:\program files\Trend Micro
2009-09-13 03:23 . 2009-09-13 03:23 18705 ----a-w- c:\program files\Common Files\qisam.db
2009-09-10 03:04 . 2009-09-10 03:04 18454 ----a-w- c:\documents and settings\Bill\Application Data\orirywiq.dat
2009-09-10 03:04 . 2009-09-10 03:04 12138 ----a-w- c:\documents and settings\Bill\Application Data\kahuty.dat
2009-09-07 16:32 . 2005-11-30 13:18 75752 -c--a-w- c:\documents and settings\Bill\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-02 21:02 . 2008-07-22 02:11 56212 ---ha-w- c:\windows\system32\mlfcache.dat
2009-08-30 23:43 . 2005-11-05 13:03 1100 ----a-w- c:\windows\system32\d3d8caps.dat
2009-08-10 15:04 . 2005-11-02 17:29 -------- d-----w- c:\program files\Java
2009-08-05 09:01 . 2005-08-16 10:18 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 03:35 . 2008-03-15 20:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-07-31 01:48 . 2009-07-31 01:47 -------- d-----w- c:\program files\DivX
2009-07-31 01:47 . 2009-07-31 01:47 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-07-25 10:23 . 2009-06-30 19:52 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-22 01:46 . 2009-07-17 00:06 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-07-22 01:46 . 2009-07-17 00:06 -------- d-----w- c:\program files\NOS
2009-07-17 19:01 . 2005-08-16 10:18 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 04:43 . 2005-08-16 10:19 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2005-08-16 10:18 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2005-08-16 10:18 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2005-08-16 10:18 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2005-08-16 10:18 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2005-08-16 10:18 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2005-08-16 10:18 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2005-08-16 10:18 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2005-08-16 10:18 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-05-01 03:12 . 2005-12-06 13:13 104 --sh--r- c:\windows\system32\9228711212.sys
2009-05-01 03:12 . 2005-12-06 13:13 4184 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]
"Lexmark X6100 Series"="c:\program files\Lexmark X6100 Series\lxbfbmgr.exe" [2003-09-23 57344]

c:\documents and settings\Bill\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Reminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Event Reminder.lnk
backup=c:\windows\pss\Event Reminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"tmproxy"=2 (0x2)
"TmPfw"=2 (0x2)
"Tmntsrv"=2 (0x2)
"sprtsvc_dellsupportcenter"=2 (0x2)
"sprtsvc_ddoctorv2"=2 (0x2)
"PcCtlCom"=2 (0x2)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"gusvc"=3 (0x3)
"GameConsoleService"=3 (0x3)
"DSBrokerService"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"AOL ACS"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"Windows MSI"=2 (0x2)
"WANMiniportService"=2 (0x2)
"avast! Web Scanner"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)
"avast! Antivirus"=2 (0x2)
"aswUpdSv"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Common Files\\AOL\\1170284644\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\NBC Direct\\DirectPlayerCore.exe"=

R3 atinewp2;ATI eHomeWonder, WDM Video CODEC;c:\windows\system32\drivers\atinewp2.sys [11/2/2005 12:11 PM 485888]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
mWindow Title = Microsoft Internet Explorer presented by Comcast
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
Trusted Zone: ez-data.com
Trusted Zone: ezdata.com
Trusted Zone: smartofficeonline.com
Trusted Zone: turbotax.com
Trusted Zone: musicmatch.com\online
DPF: {1FA44E01-A60B-4449-BF97-66CDAA200433} - hxxps://ampf.ez-data.com/java/downloads/SOConfig6.cab
DPF: {D22621D3-E219-4B03-AF3E-5E8AEF7CC70B} - hxxps://ampf.ez-data.com/java/downloads/SmartOfficeLink6.cab
DPF: {DB31DA00-4F6F-4CC7-8627-C5A142E1FC7C} - hxxp://www.syncmyride.com/Own/Modules/UploadDownload/applets/sync.cab
FF - ProfilePath - c:\documents and settings\Bill\Application Data\Mozilla\Firefox\Profiles\oy8ka86m.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - plugin: c:\documents and settings\Bill\Application Data\IDM\bin\flash\platform\WINNT\plugins\npidmdcp.dll
FF - plugin: c:\documents and settings\Bill\Application Data\Move Networks\plugins\npqmp071500000347.dll
FF - plugin: c:\documents and settings\Bill\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\NBC Direct\npDirectPlayerMozilla.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

AddRemove-ComcastHSI - c:\program files\support.com\uninstall\chsi_uninstaller.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-16 20:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1292)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Lexmark X6100 Series\lxbfbmon.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-09-17 20:56 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-17 01:56

Pre-Run: 3,556,892,672 bytes free
Post-Run: 5,083,246,592 bytes free

388 --- E O F --- 2009-08-23 08:03

--------------------
CatByte
post Sep 16 2009, 08:32 PM
Post #8

Hi,

Please do the following:


  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

CODE
http://forums.whatthetech.com/Malware_blocking_access_Malwarebytes_hijack_avast_t106981.html&view=findpost&p=596762#entry596762

Collect::
c:\windows\myfeqetevy.dat
c:\windows\system32\fifemoquq.com
c:\windows\ebedewalys.com
c:\documents and settings\Bill\Local Settings\Application Data\ocifij.dat
c:\program files\Common Files\qisam.db
c:\documents and settings\Bill\Application Data\orirywiq.dat
c:\documents and settings\Bill\Application Data\kahuty.dat


Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop as "CFScript"


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

**Note**
When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.




NEXT



  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.


Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT

Run an on-line scan with Kaspersky

Using Internet Explorer or Firefox, visit Kaspersky On-line Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.


  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply



In your next reply please include
  • ComboFix log
  • MBAM Log
  • Kaspersky report

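An added example (mine, not code from this thread or from ComboFix) of the triage step CatByte performs above: pulling the freshly created, randomly named files out of a ComboFix log and drafting the Collect:: block for CFScript. The log excerpt inside it is constructed from the kinds of lines ComboFix prints in its "Files Created" and "Find3M Report" sections; the 30-day window, the vowel-ratio name heuristic, the watched directories, the mbam* allowlist and the placeholder thread URL are all assumptions made for the example, not anything ComboFix defines.

```python
"""Triage a ComboFix log for randomly named droppers and draft a CFScript.

Added example, not code from the forum thread or from ComboFix.  The log
excerpt is constructed from the line shapes ComboFix prints; the thresholds,
watched directories and allowlist are assumptions for the example.
"""
import re
from datetime import datetime, timedelta

# Constructed excerpt: two timestamps, size (or "--------" for a directory),
# attribute string, path.  Mixes real droppers with legitimate recent files.
SAMPLE_LOG = r"""
2009-09-16 22:52 . 1997-04-09 01:08 299520 ----a-w- c:\windows\uninst.exe
2009-09-14 23:51 . 2009-09-14 23:51 -------- d-----w- c:\program files\ERUNT
2009-09-14 22:33 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-14 22:33 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-13 03:23 . 2009-09-13 03:23 19376 ----a-w- c:\windows\myfeqetevy.dat
2009-09-13 03:23 . 2009-09-13 03:23 18705 ----a-w- c:\program files\Common Files\qisam.db
2009-09-10 03:04 . 2009-09-10 03:04 19309 ----a-w- c:\windows\system32\fifemoquq.com
2009-09-10 03:04 . 2009-09-10 03:04 18454 ----a-w- c:\documents and settings\Bill\Application Data\orirywiq.dat
2009-09-09 01:58 . 2009-09-09 01:58 19271 ----a-w- c:\windows\ebedewalys.com
2009-09-08 23:37 . 2009-09-08 23:37 13778 ----a-w- c:\documents and settings\Bill\Local Settings\Application Data\ocifij.dat
2009-09-02 21:02 . 2008-07-22 02:11 56212 ---ha-w- c:\windows\system32\mlfcache.dat
2009-07-17 19:01 . 2005-08-16 10:18 58880 ----a-w- c:\windows\system32\atl.dll
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(\S+) (\S+) (.+)$"
)
TIME_FMT = "%Y-%m-%d %H:%M"
SCAN_TIME = datetime(2009, 9, 17)  # assumed: the date in the log header

# Assumed: locations where a fresh, randomly named file is worth collecting.
WATCHED_PREFIXES = ("c:\\windows\\", "c:\\program files\\common files\\")
# Assumed: name stems the helper already knows are legitimate tools.
KNOWN_GOOD_STEMS = {"mbam", "mbamswissarmy"}
VOWELS = set("aeiouy")


def parse_log(text):
    """Yield (timestamp1, timestamp2, size_or_None, attrs, path) per entry."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        t1, t2, size, attrs, path = m.groups()
        yield (datetime.strptime(t1, TIME_FMT), datetime.strptime(t2, TIME_FMT),
               None if size.startswith("-") else int(size), attrs, path)


def looks_generated(stem):
    """Pronounceable-junk heuristic: lowercase letters only, 5-12 long,
    30-60 % vowels (thresholds are assumptions tuned to the names above)."""
    if not (5 <= len(stem) <= 12) or not stem.isalpha() or not stem.islower():
        return False
    ratio = sum(ch in VOWELS for ch in stem) / len(stem)
    return 0.3 <= ratio <= 0.6


def in_watched_location(path):
    p = path.lower()
    return p.startswith(WATCHED_PREFIXES) or "\\application data\\" in p


def suspicious_files(text, scan_time, window_days=30):
    """Paths whose both timestamps fall inside the window (dropped, not merely
    touched), that sit in a watched location, and whose name looks generated."""
    cutoff = scan_time - timedelta(days=window_days)
    hits = []
    for t1, t2, size, attrs, path in parse_log(text):
        if attrs.startswith("d") or size is None:
            continue                      # directories are not collectable
        if t1 < cutoff or t2 < cutoff:
            continue                      # old file, e.g. a patched system DLL
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
        if stem in KNOWN_GOOD_STEMS or not in_watched_location(path):
            continue
        if looks_generated(stem):
            hits.append(path)
    return hits


def build_cfscript(paths, thread_url):
    """Draft the CFScript: thread URL, blank line, Collect:: directive, paths."""
    return "\n".join([thread_url, "", "Collect::", *paths]) + "\n"


def triage_sample():
    return suspicious_files(SAMPLE_LOG, SCAN_TIME)


if __name__ == "__main__":
    # The URL is a placeholder; a helper puts the actual thread link here.
    print(build_cfscript(triage_sample(), "http://forums.example/thread"))
```

Run it and the printed block is what gets pasted into Notepad as CFScript.txt. The allowlist is where a helper's own knowledge of legitimate tools goes; everything the script prints is a candidate for review, not a verdict, and the timestamp rule is what keeps recently patched system files such as atl.dll or wininet.dll out of the list.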
kearnsy
post Sep 16 2009, 09:25 PM
Post #9

ComboFix Log.txt

--------------------
ComboFix 09-09-16.01 - Bill 09/16/2009 21:41.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.92 [GMT -5:00]
Running from: c:\documents and settings\Bill\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Bill\Desktop\CFScript.txt

file zipped: c:\documents and settings\Bill\Application Data\kahuty.dat
file zipped: c:\documents and settings\Bill\Application Data\orirywiq.dat
file zipped: c:\documents and settings\Bill\Local Settings\Application Data\ocifij.dat
file zipped: c:\program files\Common Files\qisam.db
file zipped: c:\windows\ebedewalys.com
file zipped: c:\windows\myfeqetevy.dat
file zipped: c:\windows\system32\fifemoquq.com
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Bill\Application Data\kahuty.dat
c:\documents and settings\Bill\Application Data\orirywiq.dat
c:\documents and settings\Bill\Local Settings\Application Data\ocifij.dat
c:\program files\Common Files\qisam.db
c:\windows\ebedewalys.com
c:\windows\myfeqetevy.dat
c:\windows\system32\fifemoquq.com

.
((((((((((((((((((((((((( Files Created from 2009-08-17 to 2009-09-17 )))))))))))))))))))))))))))))))
.

2009-09-16 23:20 . 2009-09-17 01:14 -------- d-----w- C:\Combo-Fix
2009-09-16 22:52 . 1997-04-09 01:08 299520 ----a-w- c:\windows\uninst.exe
2009-09-16 22:51 . 2009-09-16 22:51 -------- d-----w- C:\Lxk6100
2009-09-14 23:51 . 2009-09-14 23:51 -------- d-----w- c:\program files\ERUNT
2009-09-14 23:39 . 2009-09-14 23:39 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\BVRP Software
2009-09-14 23:38 . 2009-09-14 23:38 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-09-14 23:37 . 2009-09-14 23:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-09-14 23:35 . 2009-09-14 23:35 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-09-14 22:52 . 2009-09-14 22:52 -------- d-----w- c:\documents and settings\Bill\Application Data\Malwarebytes
2009-09-14 22:33 . 2009-09-14 22:33 -------- d-----w- c:\documents and settings\Ryan\Application Data\Malwarebytes
2009-09-14 22:33 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-14 22:33 . 2009-09-14 23:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-14 22:33 . 2009-09-14 22:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-14 22:33 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-11 21:38 . 2009-09-11 21:38 -------- d-----w- c:\documents and settings\Ryan\Local Settings\Application Data\Mozilla
2009-09-08 20:17 . 2009-09-14 22:38 -------- d-----w- c:\documents and settings\Bill\Application Data\NBC Direct
2009-09-08 20:17 . 2009-09-08 20:19 -------- d-----w- c:\documents and settings\Bill\Application Data\IDM
2009-09-08 20:16 . 2009-09-08 20:17 -------- d-----w- c:\documents and settings\All Users\Application Data\NBC Direct
2009-09-08 20:16 . 2009-09-08 20:17 -------- d---a-w- c:\program files\NBC Direct
2009-09-08 20:16 . 2009-09-08 20:22 -------- dc-h--w- c:\documents and settings\Bill\Local Settings\Application Data\{F9ABF6FF-B068-4877-9373-3B5353A65A36}
2009-09-02 21:10 . 2009-09-02 21:10 -------- d-----w- c:\program files\Avast Anti-Virus
2009-09-02 21:05 . 2009-09-02 21:05 -------- d-----w- c:\documents and settings\Bill\Local Settings\Application Data\Mozilla
2009-08-25 04:14 . 2009-08-25 04:14 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Adobe
2009-08-25 04:14 . 2009-08-25 04:14 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-25 04:14 . 2009-08-25 04:14 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-08-22 08:10 . 2009-08-22 08:10 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-22 08:10 . 2009-08-22 08:10 -------- d-----w- c:\program files\MSBuild
2009-08-22 08:10 . 2009-08-22 08:10 -------- d-----w- c:\program files\Reference Assemblies
2009-08-22 08:08 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-22 08:08 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-22 08:08 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-22 08:08 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-22 08:08 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-22 08:08 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-22 08:08 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-22 08:08 . 2009-08-22 08:09 -------- d-----w- C:\b4e9d31e2ce3f4910a2da1e1b1
2009-08-21 00:29 . 2009-08-21 00:29 -------- d-sh--w- c:\documents and settings\Debby\PrivacIE
2009-08-20 23:50 . 2009-08-20 23:50 -------- d-sh--w- c:\documents and settings\Debby\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-14 23:44 . 2005-11-02 17:44 -------- d-----w- c:\program files\Trend Micro
2009-09-07 16:32 . 2005-11-30 13:18 75752 -c--a-w- c:\documents and settings\Bill\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-02 21:02 . 2008-07-22 02:11 56212 ---ha-w- c:\windows\system32\mlfcache.dat
2009-08-30 23:43 . 2005-11-05 13:03 1100 ----a-w- c:\windows\system32\d3d8caps.dat
2009-08-10 15:04 . 2005-11-02 17:29 -------- d-----w- c:\program files\Java
2009-08-05 09:01 . 2005-08-16 10:18 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 03:35 . 2008-03-15 20:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-07-31 01:48 . 2009-07-31 01:47 -------- d-----w- c:\program files\DivX
2009-07-31 01:47 . 2009-07-31 01:47 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-07-25 10:23 . 2009-06-30 19:52 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-22 01:46 . 2009-07-17 00:06 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-07-22 01:46 . 2009-07-17 00:06 -------- d-----w- c:\program files\NOS
2009-07-17 19:01 . 2005-08-16 10:18 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 04:43 . 2005-08-16 10:19 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2005-08-16 10:18 915456 ------w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2005-08-16 10:18 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2005-08-16 10:18 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2005-08-16 10:18 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2005-08-16 10:18 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2005-08-16 10:18 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2005-08-16 10:18 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2005-08-16 10:18 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-05-01 03:12 . 2005-12-06 13:13 104 --sh--r- c:\windows\system32\9228711212.sys
2009-05-01 03:12 . 2005-12-06 13:13 4184 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]
"Lexmark X6100 Series"="c:\program files\Lexmark X6100 Series\lxbfbmgr.exe" [2003-09-23 57344]

c:\documents and settings\Bill\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Reminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Event Reminder.lnk
backup=c:\windows\pss\Event Reminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"tmproxy"=2 (0x2)
"TmPfw"=2 (0x2)
"Tmntsrv"=2 (0x2)
"sprtsvc_dellsupportcenter"=2 (0x2)
"sprtsvc_ddoctorv2"=2 (0x2)
"PcCtlCom"=2 (0x2)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"gusvc"=3 (0x3)
"GameConsoleService"=3 (0x3)
"DSBrokerService"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"AOL ACS"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"Windows MSI"=2 (0x2)
"WANMiniportService"=2 (0x2)
"avast! Web Scanner"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)
"avast! Antivirus"=2 (0x2)
"aswUpdSv"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Common Files\\AOL\\1170284644\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\NBC Direct\\DirectPlayerCore.exe"=

R3 atinewp2;ATI eHomeWonder, WDM Video CODEC;c:\windows\system32\drivers\atinewp2.sys [11/2/2005 12:11 PM 485888]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
mWindow Title = Microsoft Internet Explorer presented by Comcast
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
Trusted Zone: ez-data.com
Trusted Zone: ezdata.com
Trusted Zone: smartofficeonline.com
Trusted Zone: turbotax.com
Trusted Zone: musicmatch.com\online
DPF: {1FA44E01-A60B-4449-BF97-66CDAA200433} - hxxps://ampf.ez-data.com/java/downloads/SOConfig6.cab
DPF: {D22621D3-E219-4B03-AF3E-5E8AEF7CC70B} - hxxps://ampf.ez-data.com/java/downloads/SmartOfficeLink6.cab
DPF: {DB31DA00-4F6F-4CC7-8627-C5A142E1FC7C} - hxxp://www.syncmyride.com/Own/Modules/UploadDownload/applets/sync.cab
FF - ProfilePath - c:\documents and settings\Bill\Application Data\Mozilla\Firefox\Profiles\oy8ka86m.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - plugin: c:\documents and settings\Bill\Application Data\IDM\bin\flash\platform\WINNT\plugins\npidmdcp.dll
FF - plugin: c:\documents and settings\Bill\Application Data\Move Networks\plugins\npqmp071500000347.dll
FF - plugin: c:\documents and settings\Bill\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\NBC Direct\npDirectPlayerMozilla.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-16 21:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2009-09-17 21:56
ComboFix-quarantined-files.txt 2009-09-17 02:55
ComboFix2.txt 2009-09-17 01:56

Pre-Run: 5,119,000,576 bytes free
Post-Run: 5,104,066,560 bytes free

227 --- E O F --- 2009-08-23 08:03
Upload was successful

--------------------





Malwarebytes mbam-log-2009-09-16 (22-21-11).txt
--------------------

Malwarebytes' Anti-Malware 1.41
Database version: 2814
Windows 5.1.2600 Service Pack 3

9/16/2009 10:21:11 PM
mbam-log-2009-09-16 (22-21-11).txt

Scan type: Quick Scan
Objects scanned: 128093
Time elapsed: 9 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 2
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\MyWaySA (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWaySA\SrchAsDe (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)

--------------------

Kaspersky log to come; restarting now, but I didn't want to lose the work on this post.
CatByte
post Sep 22 2009, 02:46 PM
Post #10
Hi,

There was still more work to do in the final clean up, if you could post the Kaspersky log.
CatByte
post Sep 27 2009, 04:55 PM
Post #11
Due to inactivity this topic will be closed.
If you need help please start a new thread.
Advertisements do not imply our endorsement of that product or service. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk.
© Geeks to Go, Inc. | All Rights Reserved | Privacy Policy