Virtumonde and others



DeciAz
2010-02-10, 22:41
Thank you for any help you can give me.:)

About 3 days ago, I was suddenly bombarded by pop-up warnings from XP Security Center (which I suspected was malware), followed almost immediately by ones from ZoneAlarm, AntiVirus and Spybot, one right after another, until my screen was full. Every time I managed to move things around to hit 'deny access' on the legitimate pop-ups, another bunch of malware pop-ups appeared. Using the 'x' or minimize just launched even more of them...I must have had a dozen or more at once! Finally, I resorted to ending processes in Task Manager, stopping everything on my user name that I did not recognize as a function of AntiVir, Spybot, Malwarebytes or ZoneAlarm.

As soon as the pop-up spam stopped, I ran SpyBot and found 29 malware/trojans, including Window Security, Smitfraud-C, PWS.LDPinchIE, Virtumonde. "Fixed" them, and ran an AntiVirus scan, found a slew of TR/...Gen infections, "Fixed" them. Tried to run Malwarebytes, but the .exe file 'could not be found'. Tried to download it again....the .exe 'could not be found' immediately after download. Google links would send me to strange sites, rather than Malwarebytes or here. Had to find other ways in.

For the last few days, I have been running SpyBot and Anti Virus almost continuously, finding fewer and fewer items each time. The only thing SpyBot is finding now is Virtumonde. When it declared my computer clean this morning, I tried again to download Malwarebytes, but still could not get the .exe, and Google is stuck at 'loading'; my only way in is through bookmarks or history.

When I turned off TeaTimer and rebooted, in order to post to this forum, SpyBot started automatically at startup and found Virtumonde again. It asked to finish, fix and reboot to run again; I chose no, and then ended the process in Task Manager, to keep it from rebooting while I was posting.

-------------------------------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:07:35 PM, on 2/10/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avnotify.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
c:\program files\intel\intel matrix storage manager\iaanotif .exe
c:\windows\system32\dla\tfswctrl .exe
c:\progra~1\common~1\instal~1\update~1\issch .exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\program files\microsoft office\Office10\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
c:\program files\internet explorer\wmpscfgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html?p=DS
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=488
F2 - REG:system.ini: Shell=Explorer.exe rundll32.exe lkmj.bdo igtvkg
O2 - BHO: C:\WINDOWS\system32\vpwmivfq.dll - {A3BA40A2-74F0-42BD-F434-00B15A2C8953} - C:\WINDOWS\system32\vpwmivfq.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "c:\progra~1\purene~1\portma~1\PORTAO~1.EXE" -Run
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] "c:\program files\quicktime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1105975379\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "c:\progra~1\common~1\instal~1\update~1\issch.exe" -start
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA3441] command.com /c del "c:\windows\system32\kemituba.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1968] cmd.exe /c del "c:\windows\system32\kemituba.dll_old"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Flablt] rundll32.exe "C:\Documents and Settings\Sharon\Application Data\Adobe\Update\wndcor.dat""
O4 - HKCU\..\Run: [uishf9wuifwuh387fh3wufinhjfdwefe] c:\docume~1\sharon\locals~1\temp\suumo .exe
O4 - HKCU\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\DOCUME~1\Sharon\LOCALS~1\Temp\notepad.exe
O4 - HKUS\S-1-5-18\..\Run: [Flablt] rundll32.exe "C:\Documents and Settings\Sharon\Application Data\Adobe\Update\wndcor.dat"" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\WINDOWS\TEMP\user.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Flablt] rundll32.exe "C:\Documents and Settings\Sharon\Application Data\Adobe\Update\wndcor.dat"" (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Dell Home - {90D7162F-5C08-4A00-B04B-6A5197462544} - http://www.dellnet.com (file missing) (HKCU)
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1199454514156
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqaio/downloads/msxml4.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {D40F5876-A494-4124-8161-82625BB28C06} (CPlayFirstChocolatieControl Object) - http://aolsvc.aol.com/onlinegames/free-trial-chocolatier-2-secret-ingredients/Chocolatier2Web.1.0.0.14.cab
O16 - DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} (Playtime Games Launcher) - http://aolsvc.aol.com/onlinegames/oberonmajongescape/PTGameLauncher.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DC2C3DCD-C949-4938-A897-6415905663E8}: NameServer = 83.149.115.157,4.2.2.1,192.168.0.1 205.171.3.25
O20 - AppInit_DLLs: c:\windows\system32\fivuvujo.dll mekijoru.dll c:\windows\system32\kemituba.dll
O21 - SSODL: belevuziz - {8c71bd42-8c19-47af-a927-c2b83794a1cf} - c:\windows\system32\fivuvujo.dll (file missing)
O21 - SSODL: rusawesof - {b42b2b25-fff7-4ac2-8753-da9931da232e} - c:\windows\system32\kemituba.dll (file missing)
O22 - SharedTaskScheduler: dfgfgfiljojigidghu7yuhdiugrh98au - {A3BA40A2-74F0-42BD-F434-00B15A2C8953} - C:\WINDOWS\system32\vpwmivfq.dll (file missing)
O22 - SharedTaskScheduler: mujuzedij - {8c71bd42-8c19-47af-a927-c2b83794a1cf} - c:\windows\system32\fivuvujo.dll (file missing)
O22 - SharedTaskScheduler: kupuhivus - {b42b2b25-fff7-4ac2-8753-da9931da232e} - c:\windows\system32\kemituba.dll (file missing)
O23 - Service: Amazon Download Agent - Amazon.com - C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 11609 bytes
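An added example, not part of this thread and not from any of the tools mentioned in it: a small Python triage script that applies the checks a helper makes when reading a HijackThis log (entries pointing at files that are gone, autoruns launched from a Temp folder under random-looking names, rundll32 loading something that is not a DLL, DNS servers outside the local network, a populated AppInit_DLLs value) to a constructed sample of lines copied from the log above. All function and pattern names are my own.

```python
import re
from ipaddress import ip_address

# Constructed sample: a handful of lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: C:\WINDOWS\system32\vpwmivfq.dll - {A3BA40A2-74F0-42BD-F434-00B15A2C8953} - C:\WINDOWS\system32\vpwmivfq.dll (file missing)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [uishf9wuifwuh387fh3wufinhjfdwefe] c:\docume~1\sharon\locals~1\temp\suumo .exe
O4 - HKCU\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\DOCUME~1\Sharon\LOCALS~1\Temp\notepad.exe
O4 - HKCU\..\Run: [Flablt] rundll32.exe "C:\Documents and Settings\Sharon\Application Data\Adobe\Update\wndcor.dat""
O17 - HKLM\System\CCS\Services\Tcpip\..\{DC2C3DCD-C949-4938-A897-6415905663E8}: NameServer = 83.149.115.157,4.2.2.1,192.168.0.1 205.171.3.25
O20 - AppInit_DLLs: c:\windows\system32\fivuvujo.dll mekijoru.dll c:\windows\system32\kemituba.dll
O21 - SSODL: belevuziz - {8c71bd42-8c19-47af-a927-c2b83794a1cf} - c:\windows\system32\fivuvujo.dll (file missing)
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
"""

TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)            # path goes through a Temp folder
RANDOM_NAME_RE = re.compile(r"[a-z0-9]{20,}")                # long, lowercase, letter/digit soup
O4_RE = re.compile(r"^O4 - .*?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"NameServer = (?P<servers>.+)$")
RUNDLL_RE = re.compile(r'\s*"?rundll32(?:\.exe)?"?\s+"?([^",]+)', re.IGNORECASE)


def rundll32_target(cmd):
    """If the autorun command is rundll32, return the file it loads; otherwise None."""
    m = RUNDLL_RE.match(cmd)
    return m.group(1).strip() if m else None


def triage_line(line):
    """Return the reasons a single HijackThis line deserves a closer look (empty list if none)."""
    reasons = []
    section = line.split(" - ", 1)[0]
    low = line.lower()

    # Registry entries that still reference a component a scanner already deleted.
    if "(file missing)" in low or "(no file)" in low:
        reasons.append("entry points at a file that is no longer present (leftover of a deleted component)")

    # O4 autoruns: where they start from, what they are called, what rundll32 is given.
    m = O4_RE.match(line)
    if m:
        name, cmd = m.group("name"), m.group("cmd")
        if TEMP_RE.search(cmd):
            reasons.append("autorun launched from a Temp folder")
        if RANDOM_NAME_RE.fullmatch(name) and any(ch.isdigit() for ch in name):
            reasons.append("random-looking autorun name")
        target = rundll32_target(cmd)
        if target is not None and not target.lower().endswith(".dll"):
            reasons.append("rundll32 is loading a file that is not a DLL: " + target)

    # O17: any DNS server that is not on a private (RFC 1918) range should be matched to the ISP.
    if section == "O17":
        m17 = O17_RE.search(line)
        if m17:
            public = []
            for tok in re.split(r"[,\s]+", m17.group("servers").strip()):
                try:
                    ip = ip_address(tok)
                except ValueError:
                    continue  # not an address; skip
                if not ip.is_private:
                    public.append(tok)
            if public:
                reasons.append("DNS servers outside the local network, verify against the ISP's: " + ", ".join(public))

    # O20: AppInit_DLLs is empty on a normal home system; listed DLLs get loaded into every
    # process that uses user32.dll, so a populated value must be accounted for.
    if section == "O20" and "appinit_dlls:" in low:
        value = line.split(":", 1)[1].strip()
        if value:
            reasons.append("AppInit_DLLs is populated: " + value)

    return reasons


def triage(log_text):
    """Run triage_line over every non-empty line; return [(line, reasons)] for flagged lines."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            reasons = triage_line(line)
            if reasons:
                findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line[:72] + ("..." if len(line) > 72 else ""))
        for r in reasons:
            print("   ->", r)
```

Lines the script does not flag (the Avira O4 and O23 entries here) are not thereby proven clean; the checks are only the first pass a helper does before researching each item.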

Cypher
2010-02-15, 12:53
Hi and welcome. Sorry for the delay, the forum is really busy.
My name is Cypher, and I will be helping you with your malware problems.

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

Please note the following important guidelines.

The instructions being given are for YOUR computer and system only!
Using these instructions on a different computer can damage that computer and possibly make it inoperable!
If you don't know or understand something, please don't hesitate to ask.
Only post your problem at one help site. Applying fixes from multiple help sites can cause problems.
Only reply to this thread, do not start another. Please continue responding until I give you the "All Clean".
Absence of symptoms does not mean that everything is clear.
Please DO NOT run any other tools or scans whilst I am helping you.
Please DO NOT install any other software (or hardware) during the cleaning process. This adds more items to be researched.
Print each set of instructions... if possible...your Internet connection might not be available during some fix processes.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
The logs from the tools we use can take some time to research so please be patient.


Please post an Uninstall list.

Open HijackThis.
Click on the Open the Misc Tools section button.
Look under System tools.
Click on the Open Uninstall Manager... button.
Click on the Save list... button.
It will prompt you to save. Save this log in a convenient location. By default it's named uninstall_list.txt.
Notepad will open. Please post this log in your next reply.

DeciAz
2010-02-15, 15:51
Hi Cypher :)

Thank you for replying.

Just to catch up with what has happened since posting original HJT, I ran Spybot and Avira several times every day, fixing or deleting anything they found, but even when they said it was clean, I still could not download or run Malwarebytes, or run a reliable search for it on Google. Virtumonde would show up again on Spybot after reboot.
I finally found a way to run Malwarebytes from a disk and it started cleaning up a lot of stuff. Spybot was acting funny (3-hour scans & auto reboots to scan again), so I uninstalled and reinstalled it, after I got a clean scan on Malwarebytes and Avira. Late Saturday I got a clean report from Spybot, Malwarebytes and Avira.
This should mean I am clean....but I still get the "Rundll32.exe Bad Image" pop-up, that preceded the attack, on every connection to the internet, my browsers are slow (but that may be because I am overdoing the security settings), and I still cannot open my computer in Safe Mode (I get the blue screen error page).:confused:

Because the bad image mentioned in the Error pop-up was for Adobe Updater, I deleted all my Adobe reader, Flashplayer and the download manager, and reinstalled them, after the clean reports.

I feel like I am sitting on a boat in the middle of a calm sea.....and hearing the theme music from Jaws....ta dum....ta dum.....:eek:

I hope you can help me figure out if I have beaten this or just screwed it up more.:sad:

I am posting a new HJT as well as the Uninstall list you requested.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:58:45 AM, on 2/15/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\AOL 9.5a\waol.exe
C:\Program Files\AOL 9.5a\shellmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html?p=DS
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=488
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "c:\progra~1\purene~1\portma~1\PORTAO~1.EXE" -Run
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] "c:\program files\quicktime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1105975379\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "c:\progra~1\common~1\instal~1\update~1\issch.exe" -start
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Flablt] rundll32.exe "C:\Documents and Settings\Sharon\Application Data\Adobe\Update\wndcor.dat""
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.5a\AOL.EXE" -b
O4 - HKUS\S-1-5-18\..\Run: [Flablt] rundll32.exe "C:\Documents and Settings\Sharon\Application Data\Adobe\Update\wndcor.dat"" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Flablt] rundll32.exe "C:\Documents and Settings\Sharon\Application Data\Adobe\Update\wndcor.dat"" (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Dell Home - {90D7162F-5C08-4A00-B04B-6A5197462544} - http://www.dellnet.com (file missing) (HKCU)
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1199454514156
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqaio/downloads/msxml4.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {D40F5876-A494-4124-8161-82625BB28C06} (CPlayFirstChocolatieControl Object) - http://aolsvc.aol.com/onlinegames/free-trial-chocolatier-2-secret-ingredients/Chocolatier2Web.1.0.0.14.cab
O16 - DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} (Playtime Games Launcher) - http://aolsvc.aol.com/onlinegames/oberonmajongescape/PTGameLauncher.cab
O20 - AppInit_DLLs: c:\windows\system32\fivuvujo.dll mekijoru.dll c:\windows\system32\kemituba.dll c:\windows\system32\ c:\windows\system32\ c:\windows\system32\sitewifa.dll
O21 - SSODL: belevuziz - {8c71bd42-8c19-47af-a927-c2b83794a1cf} - c:\windows\system32\fivuvujo.dll (file missing)
O21 - SSODL: rusawesof - {b42b2b25-fff7-4ac2-8753-da9931da232e} - c:\windows\system32\kemituba.dll (file missing)
O22 - SharedTaskScheduler: mujuzedij - {8c71bd42-8c19-47af-a927-c2b83794a1cf} - c:\windows\system32\fivuvujo.dll (file missing)
O22 - SharedTaskScheduler: kupuhivus - {b42b2b25-fff7-4ac2-8753-da9931da232e} - c:\windows\system32\kemituba.dll (file missing)
O23 - Service: Amazon Download Agent - Amazon.com - C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 11198 bytes

-----------------Uninstall List--------
Acrobat.com
Acrobat.com
Actiontec Gateway
Adobe AIR
Adobe AIR
Adobe Download Manager
Adobe Flash Player 10 Plugin
Adobe Reader 9.3
Amazon Games & Software Downloader
AOL Toolbar
AOL Uninstaller (Choose which Products to Remove)
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Display Driver
Avira AntiVir Personal - Free Antivirus
Bonjour
Crash Analysis Tool
Critical Update for Windows Media Player 11 (KB959772)
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell ResourceCD
Dofus
Dofus
Dofus 1.26.0
ERUNT 1.1j
Fishdom
Fishdom (remove only)
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Update Helper
GTK+ 2.10.13 runtime environment
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
HP Imaging Device Functions 7.0
HP Memories Disc
HP Photosmart and Deskjet 7.0.A
HP Photosmart Essential
HP Solution Center 7.0
Intel Matrix Storage Manager
Intel(R) PRO Network Connections Software v9.2.4.11
Intel(R) PROSafe for Wired Connections
Intel(R) PROSafe for Wired Connections
Internet Explorer Default Page
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment, SE v1.4.2_03
Java 2 Runtime Environment, SE v1.4.2_11
Java(TM) 6 Update 15
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1
Logitech SetPoint
Macromedia Flash Player
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 97, Professional Edition
Microsoft Office XP Media Content
Microsoft Office XP Small Business
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Monopoly Tycoon
MouseWare 9.40
Mozilla Firefox (3.6)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB933579)
Musicmatch for Windows Media Player
Musicmatch® Jukebox
My Way Search Assistant
OCR Software by I.R.I.S 7.0
Penguin Puzzle
Pharaoh
Pure Networks Port Magic
Quicken 2006
Quicken Financial Suite
QuickTime
Reg (DOFUS Audio Subsystem)
Reg (DOFUS Audio Subsystem)
Security Task Manager 1.6f
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
Sierra Utilities
Sonic DLA
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Spybot - Search & Destroy
The Sims 2
The Sims 2 Glamour Life Stuff
The Sims 2 Nightlife
The Sims 2 Open For Business
The Sims 2 University
The Sims File Cop
The Sims Makin' Magic
The Sims™ 2 Apartment Life
The Sims™ 2 Bon Voyage
The Sims™ 2 FreeTime
The Sims™ 2 H&M® Fashion Stuff
The Sims™ 2 Mansion and Garden Stuff
The Sims™ 2 Seasons
TurboTax Deluxe 2005
TurboTax Deluxe Deduction Maximizer 2006
TurboTax ItsDeductible 2005
TurboTax ItsDeductible 2006
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB971930)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Viewpoint Media Player
Walgreens PhotoShow Express 4
WexTech AnswerWorks
Windows Imaging Component
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows XP Service Pack 3
WinVNC 3.3.3
Yahoo! Messenger
ZoneAlarm

Cypher
2010-02-15, 18:05
Hi DeciAz.

Thank you for replying.
You're welcome :)
First off, please do not make any more changes to your system unless I tell you to do so.


Please disable TeaTimer.
TeaTimer can be re-enabled once the computer is clean.


Run Spybot-S&D in Advanced Mode.
If it is not already set to do this go to the "Mode" menu and select "Advanced Mode".
On the left hand side, click on "Tools".
Then click on the Resident Icon in the List.
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer.

Next.

Fix HijackThis entries

Run HijackThis

If using Vista, you must right click (hijackthis.exe) and choose "Run As Administrator".
If you are on the Main Menu page... Click "Do a system scan only"
If you are on the "scan & fix stuff" page... Press the Scan...button.
When the scan finishes...Place a check mark next to the following entries (if they are still present)
Note: Only check those items listed below.

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O20 - AppInit_DLLs: c:\windows\system32\fivuvujo.dll mekijoru.dll c:\windows\system32\kemituba.dll c:\windows\system32\ c:\windows\system32\ c:\windows\system32\sitewifa.dll
O21 - SSODL: belevuziz - {8c71bd42-8c19-47af-a927-c2b83794a1cf} - c:\windows\system32\fivuvujo.dll (file missing)
O21 - SSODL: rusawesof - {b42b2b25-fff7-4ac2-8753-da9931da232e} - c:\windows\system32\kemituba.dll (file missing)
O22 - SharedTaskScheduler: mujuzedij - {8c71bd42-8c19-47af-a927-c2b83794a1cf} - c:\windows\system32\fivuvujo.dll (file missing)
O22 - SharedTaskScheduler: kupuhivus - {b42b2b25-fff7-4ac2-8753-da9931da232e} - c:\windows\system32\kemituba.dll (file missing)



After checking these items... CLOSE ALL open windows except HijackThis.
Click the Fix Checked ...button...to remove the entries you checked.
Choose YES...when prompted to fix the selected items.
Once it has fixed them, close HijackThis and reboot your computer normally.


Next.

Please download GMER Rootkit Scanner from Here (http://www.gmer.net/download.php).
Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO

http://i266.photobucket.com/albums/ii277/sUBs_/th_Gmer_initScan.gif (http://i266.photobucket.com/albums/ii277/sUBs_/Gmer_initScan.gif)
Click the image to enlarge it

In the right panel, you will see several boxes that have been checked. Uncheck the following ... Sections
IAT/EAT
Drives/Partition other than Systemdrive (typically C:\)
Show All (don't miss this one)
Then click the Scan button & wait for it to finish
Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
Save it where you can easily find it, such as your desktop, and post it in your next reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries
Note: Do not run any programs while Gmer is running.


Next.

RSIT (Random's System Information Tool)

Please download RSIT (http://images.malwareremoval.com/random/RSIT.exe) by random/random... and save it to your desktop.

Double click on RSIT.exe to run it.
Please read the disclaimer... click on Continue.
RSIT will start running. When done... 2 logs files...will be produced.
The first one, "log.txt", << will be maximized
The second one, "info.txt", << will be minimized.
Please post both... "log.txt" and "info.txt", file contents in your next reply.
(These logs can be lengthy, so post 1 log per reply please.)



Logs/Information to Post in your Next Reply


Gmer.txt log
RSIT log.txt file contents and info.txt file contents.
Please give me an update on your computer's performance.
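Added example, not part of Cypher's post or anything else in this thread: a small Python script that parses the HijackThis lines listed in the fix above and shows why they were grouped together. Virtumonde registers one COM object under both ShellServiceObjectDelayLoad (O21) and SharedTaskScheduler (O22) so that Explorer loads it twice over, and pushes the same DLL names into the AppInit_DLLs value (O20) so every process that loads user32.dll picks them up. The eleven sample lines are copied verbatim from the post; the only assumption is the HijackThis 2.0.2 line format (`Oxx - ...`), which the parser relies on.

```python
"""Triage HijackThis 'Oxx' entries for Virtumonde-style persistence.

Cross-references the CLSIDs and DLL basenames between sections so that an
entry which looks harmless on its own (an O21 with "file missing") is tied to
the O22 and O20 entries that load the same object or DLL.
"""
import re
from collections import defaultdict

# The eleven lines from the fix list above, copied verbatim from the post.
SAMPLE_LOG = r"""
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O20 - AppInit_DLLs: c:\windows\system32\fivuvujo.dll mekijoru.dll c:\windows\system32\kemituba.dll c:\windows\system32\ c:\windows\system32\ c:\windows\system32\sitewifa.dll
O21 - SSODL: belevuziz - {8c71bd42-8c19-47af-a927-c2b83794a1cf} - c:\windows\system32\fivuvujo.dll (file missing)
O21 - SSODL: rusawesof - {b42b2b25-fff7-4ac2-8753-da9931da232e} - c:\windows\system32\kemituba.dll (file missing)
O22 - SharedTaskScheduler: mujuzedij - {8c71bd42-8c19-47af-a927-c2b83794a1cf} - c:\windows\system32\fivuvujo.dll (file missing)
O22 - SharedTaskScheduler: kupuhivus - {b42b2b25-fff7-4ac2-8753-da9931da232e} - c:\windows\system32\kemituba.dll (file missing)
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
CLSID_RE = re.compile(
    r"\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}", re.I)
DLL_RE = re.compile(r"([\w~.-]+\.dll)\b", re.I)


def parse_hjt(text):
    """Turn HijackThis 'Oxx - ...' lines into dicts with section, CLSIDs, DLLs."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        entry = {
            "section": section,
            "body": body,
            "clsids": [c.lower() for c in CLSID_RE.findall(body)],
            "missing": "(file missing)" in body or "(no file)" in body,
        }
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            # AppInit_DLLs (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows)
            # is a single REG_SZ holding a space-separated list; each DLL named in it
            # is loaded into every process that loads user32.dll.
            names, blanks = [], 0
            for tok in body.split(":", 1)[1].split():
                base = tok.rsplit("\\", 1)[-1].lower()
                if base:
                    names.append(base)
                else:
                    blanks += 1  # directory with no file name: loads nothing, still needs cleaning
            entry["dlls"], entry["blank_slots"] = names, blanks
        else:
            entry["dlls"] = [d.lower() for d in DLL_RE.findall(body)]
        entries.append(entry)
    return entries


def _sections_by(entries, key):
    """Map each value under `key` (a CLSID or DLL basename) to the sections using it."""
    seen = defaultdict(set)
    for e in entries:
        for v in e[key]:
            seen[v].add(e["section"])
    return {v: sorted(s) for v, s in seen.items()}


def suspicious(entries):
    """CLSIDs and DLLs registered under more than one load point, plus dead entries."""
    multi_clsid = {c: s for c, s in _sections_by(entries, "clsids").items() if len(s) > 1}
    multi_dll = {d: s for d, s in _sections_by(entries, "dlls").items() if len(s) > 1}
    missing = [e["section"] + " - " + e["body"] for e in entries if e["missing"]]
    return {"clsids": multi_clsid, "dlls": multi_dll, "missing": missing}


if __name__ == "__main__":
    found = suspicious(parse_hjt(SAMPLE_LOG))
    for clsid, secs in found["clsids"].items():
        print(f"{clsid} registered under {', '.join(secs)}")
    for dll, secs in found["dlls"].items():
        print(f"{dll} referenced from {', '.join(secs)}")
    print(f"{len(found['missing'])} entries point at files that no longer exist")
```

Run as `python hjt_triage.py` against the embedded lines and it reports the two Virtumonde CLSIDs ({8c71bd42-...} and {b42b2b25-...}) as registered under both O21 and O22, the stale AOL Toolbar CLSID under O3 and O9, `fivuvujo.dll` and `kemituba.dll` as referenced from O20, O21 and O22, and eight entries whose target file is gone. "File missing" is not the same as harmless: the registry value is still there, so anything that drops a fresh copy of the DLL at that path is loaded again at next logon, which is why the dead entries go into the HijackThis fix list alongside the AppInit_DLLs value.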

DeciAz
2010-02-16, 04:27
info.txt logfile of random's system information tool 1.06 2010-02-15 20:21:55

======Uninstall list======

-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
-->C:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
-->C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
-->C:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
-->C:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
-->C:\WINDOWS\UNINST.EXE -f"C:\Program Files\PhotoDeluxe BE 1.0\DeIsL1.isu"
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Acrobat.com-->msiexec /qb /x {77DCDCE3-2DED-62F3-8154-05E745472D07}
Acrobat.com-->MsiExec.exe /I{77DCDCE3-2DED-62F3-8154-05E745472D07}
Actiontec Gateway-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9692FD03-6662-4E62-B08C-30DFF51651E1}\setup.exe" -l0x9
Adobe AIR-->c:\Program Files\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{A2BCA9F1-566C-4805-97D1-7FDC93386723}
Adobe Download Manager-->"C:\WINDOWS\system32\rundll32.exe" "C:\Program Files\NOS\bin\getPlus_Helper.dll",Uninstall /IE2883E8F-472F-4fb0-9522-AC9BF37916A7 /Get1
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 9.3-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A93000000001}
Amazon Games & Software Downloader-->"C:\Program Files\Amazon\Amazon Games & Software Downloader\uninst\unins000.exe"
AOL Toolbar-->"C:\Program Files\AOL Toolbar\UNWISE.EXE" /u "C:\Program Files\AOL Toolbar\INSTALL.LOG"
AOL Uninstaller (Choose which Products to Remove)-->C:\Program Files\Common Files\AOL\uninstaller.exe
Apple Application Support-->MsiExec.exe /I{3FA365DF-2D68-45ED-8F83-8C8A33E65143}
Apple Mobile Device Support-->MsiExec.exe /I{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
ATI - Software Uninstall Utility-->C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Display Driver-->rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Avira AntiVir Personal - Free Antivirus-->C:\Program Files\Avira\AntiVir Desktop\setup.exe /REMOVE
Bonjour-->MsiExec.exe /I{07287123-B8AC-41CE-8346-3D777245C35B}
Crash Analysis Tool-->MsiExec.exe /X{D5F881C2-B134-474E-AA60-B25DD218AE0D}
Critical Update for Windows Media Player 11 (KB959772)-->"C:\WINDOWS\$NtUninstallKB959772_WM11$\spuninst\spuninst.exe"
Dell Digital Jukebox Driver-->C:\Program Files\Dell\Digital Jukebox Drivers\DrvUnins.exe /s
Dell Driver Reset Tool-->MsiExec.exe /I{5905F42D-3F5F-4916-ADA6-94A3646AEE76}
Dell ResourceCD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\ENGINE\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
Dofus 1.26.0-->C:\Program Files\Dofus\uninstall.exe
Dofus-->msiexec /qb /x {5EBF7AAB-98C5-2C43-0844-4BD9B9FCA7AD}
Dofus-->MsiExec.exe /I{5EBF7AAB-98C5-2C43-0844-4BD9B9FCA7AD}
ERUNT 1.1j-->"C:\Program Files\ERUNT\unins000.exe"
Fishdom (remove only)-->"C:\Program Files\AOL Games\Fishdom\Uninstall.exe"
Fishdom-->"C:\Program Files\Fishdom\unins000.exe"
Google Toolbar for Internet Explorer-->"C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarManager_E85CDE7661A53A6A.exe" /uninstall
Google Toolbar for Internet Explorer-->MsiExec.exe /I{18455581-E099-4BA8-BC6B-F34B2F06600C}
Google Update Helper-->MsiExec.exe /I{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
GTK+ 2.10.13 runtime environment-->"C:\Program Files\Common Files\GTK\2.0\setup\unins000.exe"
High Definition Audio Driver Package - KB835221-->C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2-->"C:\Documents and Settings\Sharon\My Documents\Downloads\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.0 (KB932471)-->C:\WINDOWS\system32\msiexec.exe /promptrestart /uninstall {ECD292A0-0347-4244-8C24-5DBCE990FB40} /package {BAF78226-3200-4DB4-BE33-4D922A799840}
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB961118)-->"C:\WINDOWS\$NtUninstallKB961118$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB970653-v3)-->"C:\WINDOWS\$NtUninstallKB970653-v3$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB976098-v2)-->"C:\WINDOWS\$NtUninstallKB976098-v2$\spuninst\spuninst.exe"
HP Imaging Device Functions 7.0-->C:\Program Files\HP\Digital Imaging\DeviceManagement\hpzscr01.exe -datfile hpqbud01.dat
HP Memories Disc-->MsiExec.exe /X{B376402D-58EA-45EA-BD50-DD924EB67A70}
HP Photosmart and Deskjet 7.0.A-->C:\Program Files\HP\Digital Imaging\{A9F5421F-DA70-4C77-BB97-8D77EC33ED5E}\setup\hpzscr01.exe -datfile hposcr09.dat
HP Photosmart Essential-->MsiExec.exe /X{EB21A812-671B-4D08-B974-2A347F0D8F70}
HP Solution Center 7.0-->C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
Intel Matrix Storage Manager-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}\setup.exe" -l0409 -INTELUNINST
Intel(R) PRO Network Connections Software v9.2.4.11-->C:\Program Files\Intel\DMIX\uninst\DxSetup.exe /x /qr /le C:\DOCUME~1\Owner\LOCALS~1\Temp\PROSetDX\DMIX\\DxUninst.log
Intel(R) PROSafe for Wired Connections-->MsiExec.exe /I{36BD0774-6CD6-4FF9-A148-83CA09AC123E}
Intel(R) PROSafe for Wired Connections-->MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
Internet Explorer Default Page-->MsiExec.exe /I{35BDEFF1-A610-4956-A00D-15453C116395}
iTunes-->MsiExec.exe /I{A6FDF86A-F541-4E7B-AEA0-8849A2A700D5}
J2SE Runtime Environment 5.0 Update 10-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
J2SE Runtime Environment 5.0 Update 11-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
J2SE Runtime Environment 5.0 Update 6-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
J2SE Runtime Environment 5.0 Update 9-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Java 2 Runtime Environment, SE v1.4.2_03-->MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030}
Java 2 Runtime Environment, SE v1.4.2_11-->MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142110}
Java(TM) 6 Update 15-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216012FF}
Java(TM) 6 Update 2-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java(TM) 6 Update 3-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java(TM) 6 Update 5-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java(TM) 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Java(TM) SE Runtime Environment 6 Update 1-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Logitech SetPoint-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2E8EAC71-BFE4-417A-88F0-5A1BDFBCF5D3}\setup.exe" -l0x9
Macromedia Flash Player-->MsiExec.exe /X{0456ebd7-5f67-4ab6-852e-63781e3f389c}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 1.1 Security Update (KB953297)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M953297\M953297Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office 97, Professional Edition-->C:\Program Files\Microsoft Office\Office\Setup\Acme.exe /w Off97Pro.STF
Microsoft Office XP Media Content-->MsiExec.exe /I{90300409-6000-11D3-8CFE-0050048383C9}
Microsoft Office XP Small Business-->MsiExec.exe /I{91130409-6000-11D3-8CFE-0050048383C9}
Microsoft Plus! Digital Media Edition Installer-->MsiExec.exe /X{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}
Microsoft Plus! Photo Story 2 LE-->MsiExec.exe /X{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft VC9 runtime libraries-->MsiExec.exe /I{797EE0CA-8165-405C-B5CE-F11EC20F1BB0}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
Monopoly Tycoon-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B975F4A1-63B6-11D4-BFEC-005004AF2D32}\Setup.exe"
MouseWare 9.40 -->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5809E7CF-4DCF-11D4-9875-00105ACE7734}\setup.exe" -l0009 UNINSTALL
Mozilla Firefox (3.6)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 (KB973688)-->MsiExec.exe /I{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}
MSXML 6.0 Parser (KB933579)-->MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Musicmatch for Windows Media Player-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E93E5EF6-D361-481E-849D-F16EF5C78EBC}\setup.exe" -l0x9 remove
Musicmatch® Jukebox-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{85D3CC30-8859-481A-9654-FD9B74310BEF}\setup.exe" -l0x9 -uninst
My Way Search Assistant-->rundll32 C:\PROGRA~1\MyWaySA\SrchAsDe\1.bin\desrcas.dll,O
OCR Software by I.R.I.S 7.0-->C:\Program Files\HP\Digital Imaging\OCR\hpzscr01.exe -datfile hpqbud11.dat
Penguin Puzzle-->C:\Program Files\Nuclide Games\Penguin Puzzle\uninstall.exe
Pharaoh-->C:\WINDOWS\IsUninst.exe -fC:\SIERRA\Pharaoh\Uninst.isu
Pure Networks Port Magic-->C:\Program Files\Pure Networks\Port Magic\PortAOL.exe -Uninstall -ShowUI
Quicken 2006-->MsiExec.exe /X{2818095F-FB6C-42C8-827E-0A406CC9AFF5}
Quicken Financial Suite-->C:\WINDOWS\uninst.exe -fC:\QUICKENW\DeIsL1.isu
QuickTime-->MsiExec.exe /I{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}
Reg (DOFUS Audio Subsystem)-->msiexec /qb /x {3F900346-A316-BA88-B83C-2513F1260AD7}
Reg (DOFUS Audio Subsystem)-->MsiExec.exe /I{3F900346-A316-BA88-B83C-2513F1260AD7}
Security Task Manager 1.6f-->C:\Program Files\Security Task Manager\Uninstal.exe "C:\Documents and Settings\All Users\Start Menu\Programs\Security Task Manager"
Security Update for Step By Step Interactive Training (KB898458)-->"C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723)-->"C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB928090)-->"C:\WINDOWS\ie7updates\KB928090-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB929969)-->"C:\WINDOWS\ie7updates\KB929969\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB942615)-->"C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB963027)-->"C:\WINDOWS\ie7updates\KB963027-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB969897)-->"C:\WINDOWS\ie7updates\KB969897-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB969897)-->"C:\WINDOWS\ie8updates\KB969897-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB971961)-->"C:\WINDOWS\ie8updates\KB971961-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB972260)-->"C:\WINDOWS\ie8updates\KB972260-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB974455)-->"C:\WINDOWS\ie8updates\KB974455-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB976325)-->"C:\WINDOWS\ie8updates\KB976325-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB978207)-->"C:\WINDOWS\ie8updates\KB978207-IE8\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB954155)-->"C:\WINDOWS\$NtUninstallKB954155_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB968816)-->"C:\WINDOWS\$NtUninstallKB968816_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB973540)-->"C:\WINDOWS\$NtUninstallKB973540_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB911565)-->"C:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956744)-->"C:\WINDOWS\$NtUninstallKB956744$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956844)-->"C:\WINDOWS\$NtUninstallKB956844$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958869)-->"C:\WINDOWS\$NtUninstallKB958869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960859)-->"C:\WINDOWS\$NtUninstallKB960859$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961371)-->"C:\WINDOWS\$NtUninstallKB961371$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969059)-->"C:\WINDOWS\$NtUninstallKB969059$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969898)-->"C:\WINDOWS\$NtUninstallKB969898$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969947)-->"C:\WINDOWS\$NtUninstallKB969947$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970430)-->"C:\WINDOWS\$NtUninstallKB970430$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971468)-->"C:\WINDOWS\$NtUninstallKB971468$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971486)-->"C:\WINDOWS\$NtUninstallKB971486$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971557)-->"C:\WINDOWS\$NtUninstallKB971557$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971657)-->"C:\WINDOWS\$NtUninstallKB971657$\spuninst\spuninst.exe"
Security Update for Windows XP (KB972270)-->"C:\WINDOWS\$NtUninstallKB972270$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973346)-->"C:\WINDOWS\$NtUninstallKB973346$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973354)-->"C:\WINDOWS\$NtUninstallKB973354$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973507)-->"C:\WINDOWS\$NtUninstallKB973507$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973525)-->"C:\WINDOWS\$NtUninstallKB973525$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973869)-->"C:\WINDOWS\$NtUninstallKB973869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973904)-->"C:\WINDOWS\$NtUninstallKB973904$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974112)-->"C:\WINDOWS\$NtUninstallKB974112$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974318)-->"C:\WINDOWS\$NtUninstallKB974318$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974392)-->"C:\WINDOWS\$NtUninstallKB974392$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974571)-->"C:\WINDOWS\$NtUninstallKB974571$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975025)-->"C:\WINDOWS\$NtUninstallKB975025$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975467)-->"C:\WINDOWS\$NtUninstallKB975467$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975560)-->"C:\WINDOWS\$NtUninstallKB975560$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975713)-->"C:\WINDOWS\$NtUninstallKB975713$\spuninst\spuninst.exe"
Security Update for Windows XP (KB977165)-->"C:\WINDOWS\$NtUninstallKB977165$\spuninst\spuninst.exe"
Security Update for Windows XP (KB977914)-->"C:\WINDOWS\$NtUninstallKB977914$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978037)-->"C:\WINDOWS\$NtUninstallKB978037$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978251)-->"C:\WINDOWS\$NtUninstallKB978251$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978262)-->"C:\WINDOWS\$NtUninstallKB978262$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978706)-->"C:\WINDOWS\$NtUninstallKB978706$\spuninst\spuninst.exe"
Sierra Utilities-->.\sutil32.exe uninstall
Sonic DLA-->MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic RecordNow Audio-->MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Sonic RecordNow Copy-->MsiExec.exe /I{B12665F4-4E93-4AB4-B7FC-37053B524629}
Sonic RecordNow Data-->MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins001.exe"
The Sims 2 Glamour Life Stuff-->C:\Program Files\EA GAMES\The Sims 2 Glamour Life Stuff\EAUninstall.exe
The Sims 2 Nightlife-->C:\Program Files\EA GAMES\The Sims 2 Nightlife\EAUninstall.exe
The Sims 2 Open For Business-->C:\Program Files\EA GAMES\The Sims 2 Open For Business\EAUninstall.exe
The Sims 2 University-->C:\Program Files\EA GAMES\The Sims 2 University\EAUninstall.exe
The Sims 2-->C:\Program Files\EA GAMES\The Sims 2\EAUninstall.exe
The Sims File Cop-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D6D4828F-A5B2-11D4-8F73-0050DA0F6297}\setup.exe"
The Sims Makin' Magic-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A00D1BA-D03A-44E5-AF28-86A1F377DF61}\setup.exe" -l0009
The Sims™ 2 Apartment Life-->C:\Program Files\EA GAMES\The Sims 2 Apartment Life\EAUninstall.exe
The Sims™ 2 Bon Voyage-->C:\Program Files\EA GAMES\The Sims 2 Bon Voyage\EAUninstall.exe
The Sims™ 2 FreeTime-->C:\Program Files\EA GAMES\The Sims 2 FreeTime\EAUninstall.exe
The Sims™ 2 H&M® Fashion Stuff-->C:\Program Files\EA GAMES\The Sims 2 H&M® Fashion Stuff\EAUninstall.exe
The Sims™ 2 Mansion and Garden Stuff-->C:\Program Files\EA GAMES\The Sims 2 Mansion and Garden Stuff\EAUninstall.exe
The Sims™ 2 Seasons-->C:\Program Files\EA GAMES\The Sims 2 Seasons\EAUninstall.exe
TurboTax Deluxe 2005-->C:\Program Files\TurboTax\Deluxe 2005\TaxUnst.EXE "C:\Program Files\TurboTax\Deluxe 2005\Uninstall.log" -NoGui
TurboTax Deluxe Deduction Maximizer 2006-->C:\Program Files\TurboTax\Deluxe 2006\TaxUnst.EXE "C:\Program Files\TurboTax\Deluxe 2006\Uninstall.log" -NoGui
TurboTax ItsDeductible 2005-->MsiExec.exe /X{2E7595EC-4FB1-4E29-93D4-9083C8A9B107}
TurboTax ItsDeductible 2006-->MsiExec.exe /X{AFF1EA96-9C23-4249-B7D4-CD4B54D4582F}
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
Update for Windows Internet Explorer 8 (KB971930)-->"C:\WINDOWS\ie8updates\KB971930-IE8\spuninst\spuninst.exe"
Update for Windows Internet Explorer 8 (KB976749)-->"C:\WINDOWS\ie8updates\KB976749-IE8\spuninst\spuninst.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955759)-->"C:\WINDOWS\$NtUninstallKB955759$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Update for Windows XP (KB968389)-->"C:\WINDOWS\$NtUninstallKB968389$\spuninst\spuninst.exe"
Update for Windows XP (KB971737)-->"C:\WINDOWS\$NtUninstallKB971737$\spuninst\spuninst.exe"
Update for Windows XP (KB973687)-->"C:\WINDOWS\$NtUninstallKB973687$\spuninst\spuninst.exe"
Update for Windows XP (KB973815)-->"C:\WINDOWS\$NtUninstallKB973815$\spuninst\spuninst.exe"
Viewpoint Media Player-->C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Walgreens PhotoShow Express 4-->"C:\Program Files\Walgreens\Walgreens PhotoShow 4\data\Xtras\Uninstall.exe"
WexTech AnswerWorks-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EA2BEBD6-87B9-41E5-95AC-7E4C165A9475}\SETUP.EXE" -l0x9 -eliminate
Windows Imaging Component-->"C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Internet Explorer 8-->"C:\WINDOWS\ie8\spuninst\spuninst.exe"
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 10-->MsiExec.exe /I{33BB4982-DC52-4886-A03B-F4C5C80BEE89}
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows Presentation Foundation-->MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinVNC 3.3.3-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\ORL\VNC\Uninst.isu"
Yahoo! Messenger-->C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
ZoneAlarm-->C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe

=====HijackThis Backups=====

O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe [2010-02-15]
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file) [2010-02-15]
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file) [2010-02-15]
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file) [2010-02-15]
O20 - AppInit_DLLs: c:\windows\system32\fivuvujo.dll mekijoru.dll c:\windows\system32\kemituba.dll c:\windows\system32\ c:\windows\system32\ c:\windows\system32\sitewifa.dll [2010-02-15]
O21 - SSODL: rusawesof - {b42b2b25-fff7-4ac2-8753-da9931da232e} - c:\windows\system32\kemituba.dll (file missing) [2010-02-15]
O21 - SSODL: belevuziz - {8c71bd42-8c19-47af-a927-c2b83794a1cf} - c:\windows\system32\fivuvujo.dll (file missing) [2010-02-15]
O22 - SharedTaskScheduler: mujuzedij - {8c71bd42-8c19-47af-a927-c2b83794a1cf} - c:\windows\system32\fivuvujo.dll (file missing) [2010-02-15]
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - [2010-02-15]
O22 - SharedTaskScheduler: kupuhivus - {b42b2b25-fff7-4ac2-8753-da9931da232e} - c:\windows\system32\kemituba.dll (file missing) [2010-02-15]

======Hosts File======

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

======Security center information======

AV: AntiVir Desktop
FW: ZoneAlarm Firewall

======System event log======

Computer Name: GEORGE
Event Code: 45062
Message: CRT invalid display type

Record Number: 6236299
Source Name: ati2mtag
Time Written: 20100126065807.000000-420
Event Type: error
User:

Computer Name: GEORGE
Event Code: 7000
Message: The mrtRate service failed to start due to the following error:
The system cannot find the file specified.


Record Number: 6236252
Source Name: Service Control Manager
Time Written: 20100125222548.000000-420
Event Type: error
User:

Computer Name: GEORGE
Event Code: 45062
Message: CRT invalid display type

Record Number: 6236250
Source Name: ati2mtag
Time Written: 20100125222534.000000-420
Event Type: error
User:

Computer Name: GEORGE
Event Code: 7000
Message: The mrtRate service failed to start due to the following error:
The system cannot find the file specified.


Record Number: 6236223
Source Name: Service Control Manager
Time Written: 20100125221711.000000-420
Event Type: error
User:

Computer Name: GEORGE
Event Code: 45062
Message: CRT invalid display type

Record Number: 6236221
Source Name: ati2mtag
Time Written: 20100125221652.000000-420
Event Type: error
User:

=====Application event log=====

Computer Name: GEORGE
Event Code: 32068
Message:
Record Number: 14509
Source Name: Microsoft Fax
Time Written: 20090629065958.000000-420
Event Type: warning
User:

Computer Name: GEORGE
Event Code: 32026
Message:
Record Number: 14508
Source Name: Microsoft Fax
Time Written: 20090629065958.000000-420
Event Type: warning
User:

Computer Name: GEORGE
Event Code: 32068
Message:
Record Number: 14502
Source Name: Microsoft Fax
Time Written: 20090628054910.000000-420
Event Type: warning
User:

Computer Name: GEORGE
Event Code: 32026
Message:
Record Number: 14501
Source Name: Microsoft Fax
Time Written: 20090628054910.000000-420
Event Type: warning
User:

Computer Name: GEORGE
Event Code: 32068
Message:
Record Number: 14497
Source Name: Microsoft Fax
Time Written: 20090627131010.000000-420
Event Type: warning
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Intel\DMIX;C:\Program Files\Common Files\Adaptec Shared\System;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static;C:\Program Files\Common Files\GTK\2.0\bin;C:\Program Files\QuickTime\QTSystem\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 4 Stepping 3, GenuineIntel
"PROCESSOR_REVISION"=0403
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"SonicCentral"=C:\Program Files\Common Files\Sonic Shared\Sonic Central\
"LANG"=C
"CLASSPATH"=.;C:\Program Files\Java\jre6\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre6\lib\ext\QTJava.zip
"tvdumpflags"=8

-----------------EOF-----------------

DeciAz
2010-02-16, 04:29
Logfile of random's system information tool 1.06 (written by random/random)
Run by Sharon at 2010-02-15 20:21:35
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 36 GB (50%) free of 73 GB
Total RAM: 1022 MB (52% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:21:51 PM, on 2/15/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Sharon\My Documents\Downloads\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Sharon.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html?p=DS
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=488
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "c:\progra~1\purene~1\portma~1\PORTAO~1.EXE" -Run
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] "c:\program files\quicktime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1105975379\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "c:\progra~1\common~1\instal~1\update~1\issch.exe" -start
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Flablt] rundll32.exe "C:\Documents and Settings\Sharon\Application Data\Adobe\Update\wndcor.dat""
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.5a\AOL.EXE" -b
O4 - HKUS\S-1-5-18\..\Run: [Flablt] rundll32.exe "C:\Documents and Settings\Sharon\Application Data\Adobe\Update\wndcor.dat"" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Flablt] rundll32.exe "C:\Documents and Settings\Sharon\Application Data\Adobe\Update\wndcor.dat"" (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Dell Home - {90D7162F-5C08-4A00-B04B-6A5197462544} - http://www.dellnet.com (file missing) (HKCU)
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1199454514156
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqaio/downloads/msxml4.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {D40F5876-A494-4124-8161-82625BB28C06} (CPlayFirstChocolatieControl Object) - http://aolsvc.aol.com/onlinegames/free-trial-chocolatier-2-secret-ingredients/Chocolatier2Web.1.0.0.14.cab
O16 - DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} (Playtime Games Launcher) - http://aolsvc.aol.com/onlinegames/oberonmajongescape/PTGameLauncher.cab
O23 - Service: Amazon Download Agent - Amazon.com - C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 10019 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\At10.job
C:\WINDOWS\tasks\At11.job
C:\WINDOWS\tasks\At12.job
C:\WINDOWS\tasks\At13.job
C:\WINDOWS\tasks\At14.job
C:\WINDOWS\tasks\At15.job
C:\WINDOWS\tasks\At16.job
C:\WINDOWS\tasks\At17.job
C:\WINDOWS\tasks\At18.job
C:\WINDOWS\tasks\At19.job
C:\WINDOWS\tasks\At2.job
C:\WINDOWS\tasks\At20.job
C:\WINDOWS\tasks\At21.job
C:\WINDOWS\tasks\At22.job
C:\WINDOWS\tasks\At23.job
C:\WINDOWS\tasks\At24.job
C:\WINDOWS\tasks\At3.job
C:\WINDOWS\tasks\At4.job
C:\WINDOWS\tasks\At5.job
C:\WINDOWS\tasks\At6.job
C:\WINDOWS\tasks\At7.job
C:\WINDOWS\tasks\At8.job
C:\WINDOWS\tasks\At9.job
C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-12-21 75200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2010-02-12 279664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll [2010-02-12 812528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2010-02-12 279664]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"=C:\WINDOWS\stsystra.exe [2005-03-22 339968]
"EM_EXEC"=C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE []
"UserFaultCheck"=C:\WINDOWS\system32\dumprep 0 -u []
"Logitech Hardware Abstraction Layer"=C:\WINDOWS\KHALMNPR.EXE [2004-10-21 29696]
"HPDJ Taskbar Utility"=C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe []
"dla"=C:\WINDOWS\system32\dla\tfswctrl.exe []
"Pure Networks Port Magic"=c:\progra~1\purene~1\portma~1\PORTAO~1.EXE -Run []
"ISUSPM Startup"=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup []
"QuickTime Task"=c:\program files\quicktime\qttask .exe -atboottime []
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe []
"avgnt"=C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [2009-03-02 209153]
"HostManager"=C:\Program Files\Common Files\AOL\1105975379\ee\AOLSoftware.exe []
"ZoneAlarm Client"=C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe [2009-11-22 1037192]
"ISUSScheduler"=c:\progra~1\common~1\instal~1\update~1\issch.exe -start []
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-12-22 35760]
"Adobe ARM"=C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2009-12-11 948672]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2010-02-12 39408]
"Flablt"=C:\Documents and Settings\Sharon\Application Data\Adobe\Update\wndcor.dat [2010-02-05 18732]
"AOL Fast Start"=C:\Program Files\AOL 9.5a\AOL.EXE -b []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AmazonGSDownloaderTray]
C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe [2009-04-06 247296]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2007-05-08 54840]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe -start []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe [2006-01-19 11776]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Walgreens PhotoShow Media Manager]
C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe [2006-04-19 237568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2007-09-28 122880]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
nusoyeta.dll

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableLUA"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoFolderOptions"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\Yahoo!\Messenger\YPager.exe"="C:\Program Files\Yahoo!\Messenger\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL"
"C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe"="C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe:*:Enabled:AOLTsMon"
"C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe"="C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe:*:Enabled:AOLTopSpeed"
"C:\Program Files\Common Files\AOL\1105975379\EE\AOLServiceHost.exe"="C:\Program Files\Common Files\AOL\1105975379\EE\AOLServiceHost.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\System Information\sinf.exe"="C:\Program Files\Common Files\AOL\System Information\sinf.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\AOL Spyware Protection\AOLSP Scheduler.exe"="C:\Program Files\Common Files\AOL\AOL Spyware Protection\AOLSP Scheduler.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\AOL Spyware Protection\asp.exe"="C:\Program Files\Common Files\AOL\AOL Spyware Protection\asp.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AolCoach\en_en\player\AOLNySEV.exe"="C:\Program Files\Common Files\AolCoach\en_en\player\AOLNySEV.exe:*:Enabled:AOL"
"C:\Program Files\Dell Support\DSAgnt.exe"="C:\Program Files\Dell Support\DSAgnt.exe:*:Enabled:Dell Support"
"C:\Program Files\Maxis\The Sims\support\The Sims Makin' Magic_eReg.exe"="C:\Program Files\Maxis\The Sims\support\The Sims Makin' Magic_eReg.exe:*:Enabled:Electronic Registration"
"C:\Program Files\Maxis\The Sims Online\TSOPatch\TSO.exe"="C:\Program Files\Maxis\The Sims Online\TSOPatch\TSO.exe:*:Enabled:The Sims Online (800 x 600)"
"C:\QUICKENW\qw.exe"="C:\QUICKENW\qw.exe:*:Enabled:Quicken 2003 Premier Home & Business"
"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Mozilla Firefox"
"C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmjb.exe"="C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmjb.exe:*:Enabled:Musicmatch Jukebox"
"C:\Program Files\Eisenworld\Alohabob\AlohaBob.exe"="C:\Program Files\Eisenworld\Alohabob\AlohaBob.exe:*:Enabled:PC Relocator Ultra Control"
"C:\psfonts\ATMFM.EXE"="C:\psfonts\ATMFM.EXE:*:Enabled:Adobe Type Manager"
"C:\WINDOWS\system32\sessmgr.exe"="C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\Program Files\Maxis\SimCity 3000 Unlimited\Apps\Updater\UPDATER.EXE"="C:\Program Files\Maxis\SimCity 3000 Unlimited\Apps\Updater\UPDATER.EXE:*:Enabled:SC3UpdaterMFC"
"C:\Program Files\Infogrames Interactive\Monopoly Tycoon\mc.exe"="C:\Program Files\Infogrames Interactive\Monopoly Tycoon\mc.exe:*:Enabled:Monopoly Tycoon"
"C:\Documents and Settings\Sharon\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\DofusUpdater\DofusUpdater.exe"="C:\Documents and Settings\Sharon\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\DofusUpdater\DofusUpdater.exe:*:Enabled:Installation de Dofus"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL"
"C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe"="C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe"="C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe"="C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe"="C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe"="C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe"="C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe"="C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"
"C:\Program Files\Penguin Puzzle\Penguin Puzzle.exe"="C:\Program Files\Penguin Puzzle\Penguin Puzzle.exe:*:Enabled:NcSkel"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\TurboTax\Deluxe 2006\32bit\ttax.exe"="C:\Program Files\TurboTax\Deluxe 2006\32bit\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\Program Files\TurboTax\Deluxe 2006\32bit\updatemgr.exe"="C:\Program Files\TurboTax\Deluxe 2006\32bit\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\Program Files\Common Files\AOL\1105975379\EE\aolsoftware.exe"="C:\Program Files\Common Files\AOL\1105975379\EE\aolsoftware.exe:*:Enabled:AOL Shared Components"
"C:\Program Files\EA GAMES\American McGee's Alice\alice.exe"="C:\Program Files\EA GAMES\American McGee's Alice\alice.exe:*:Disabled:American McGee's Alice"
"C:\Program Files\Ankama Games\Dofus\Dofus.exe"="C:\Program Files\Ankama Games\Dofus\Dofus.exe:*:Enabled:Dofus Client"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Electronic Arts\EADM\Core.exe"="C:\Program Files\Electronic Arts\EADM\Core.exe:*:Enabled:EA Download Manager"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\AOL 9.5\waol.exe"="C:\Program Files\AOL 9.5\waol.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\TopSpeed\3.0\aoltpsd3.exe"="C:\Program Files\Common Files\AOL\TopSpeed\3.0\aoltpsd3.exe:*:Enabled:AOL TopSpeed"
"C:\Program Files\AOL 9.5a\waol.exe"="C:\Program Files\AOL 9.5a\waol.exe:*:Enabled:AOL"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2010-02-15 20:21:35 ----D---- C:\rsit
2010-02-13 17:38:39 ----D---- C:\Program Files\Common Files\Adobe AIR
2010-02-13 16:39:50 ----D---- C:\Program Files\NOS
2010-02-13 16:39:50 ----D---- C:\Documents and Settings\All Users\Application Data\NOS
2010-02-12 23:25:34 ----A---- C:\WINDOWS\system32\MRT.exe
2010-02-12 23:25:27 ----HDC---- C:\WINDOWS\$NtUninstallKB978706$
2010-02-12 23:25:14 ----HDC---- C:\WINDOWS\$NtUninstallKB971468$
2010-02-12 23:25:00 ----HDC---- C:\WINDOWS\$NtUninstallKB977914$
2010-02-12 23:24:45 ----HDC---- C:\WINDOWS\$NtUninstallKB978262$
2010-02-12 23:24:32 ----HDC---- C:\WINDOWS\$NtUninstallKB975560$
2010-02-12 23:24:18 ----HDC---- C:\WINDOWS\$NtUninstallKB978251$
2010-02-12 23:24:00 ----HDC---- C:\WINDOWS\$NtUninstallKB977165$
2010-02-12 23:23:45 ----HDC---- C:\WINDOWS\$NtUninstallKB978037$
2010-02-12 23:23:28 ----HDC---- C:\WINDOWS\$NtUninstallKB975713$
2010-02-12 14:56:33 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-02-10 12:59:26 ----D---- C:\Program Files\Trend Micro
2010-02-10 12:52:35 ----D---- C:\WINDOWS\ERDNT
2010-02-10 12:29:05 ----D---- C:\Program Files\ERUNT
2010-01-28 15:53:14 ----A---- C:\WINDOWS\system32\vsregexp.dll
2010-01-28 15:53:12 ----A---- C:\WINDOWS\system32\zlcommdb.dll
2010-01-28 15:53:12 ----A---- C:\WINDOWS\system32\zlcomm.dll
2010-01-28 15:53:07 ----A---- C:\WINDOWS\system32\vswmi.dll
2010-01-28 15:53:06 ----D---- C:\WINDOWS\system32\ZoneLabs
2010-01-28 15:53:06 ----A---- C:\WINDOWS\system32\zpeng25.dll
2010-01-28 15:53:06 ----A---- C:\WINDOWS\system32\vsxml.dll
2010-01-28 15:53:06 ----A---- C:\WINDOWS\system32\vspubapi.dll
2010-01-28 15:53:06 ----A---- C:\WINDOWS\system32\vsmonapi.dll
2010-01-28 15:53:05 ----D---- C:\Program Files\Zone Labs
2010-01-28 15:50:06 ----D---- C:\WINDOWS\Internet Logs
2010-01-28 15:50:06 ----A---- C:\WINDOWS\system32\vsutil.dll
2010-01-28 15:50:06 ----A---- C:\WINDOWS\system32\vsinit.dll
2010-01-28 15:50:06 ----A---- C:\WINDOWS\system32\vsdata.dll
2010-01-25 22:46:15 ----D---- C:\Program Files\AOL 9.5a
2010-01-25 16:31:13 ----D---- C:\Documents and Settings\All Users\Application Data\Macromedia
2010-01-25 16:28:56 ----D---- C:\Program Files\AOL 9.5
2010-01-22 10:47:55 ----D---- C:\Documents and Settings\Sharon\Application Data\Malwarebytes
2010-01-22 10:47:45 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes

======List of files/folders modified in the last 1 months======

2010-02-15 20:21:46 ----D---- C:\WINDOWS\Prefetch
2010-02-15 20:18:35 ----D---- C:\WINDOWS\Temp
2010-02-15 20:18:02 ----D---- C:\WINDOWS\system32\CatRoot2
2010-02-15 11:17:47 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-02-15 11:06:35 ----A---- C:\VETlog.txt
2010-02-15 11:06:31 ----A---- C:\WINDOWS\win.ini
2010-02-14 20:35:34 ----D---- C:\Documents and Settings\Sharon\Application Data\Dofus 2
2010-02-14 10:01:52 ----D---- C:\Program Files\Mozilla Firefox
2010-02-13 23:38:16 ----D---- C:\Program Files\Fishdom
2010-02-13 23:26:46 ----A---- C:\WINDOWS\BS.INI
2010-02-13 17:42:28 ----SHD---- C:\WINDOWS\Installer
2010-02-13 17:42:27 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2010-02-13 17:42:01 ----D---- C:\Program Files\Common Files\Adobe
2010-02-13 17:41:44 ----D---- C:\Program Files\Adobe
2010-02-13 17:41:31 ----D---- C:\WINDOWS\system32
2010-02-13 17:38:39 ----D---- C:\Program Files\Common Files
2010-02-13 16:39:50 ----RD---- C:\Program Files
2010-02-13 09:59:04 ----RSHD---- C:\WINDOWS\system32\dllcache
2010-02-13 09:58:57 ----D---- C:\WINDOWS
2010-02-13 09:58:55 ----D---- C:\psfonts
2010-02-13 09:58:53 ----D---- C:\WINDOWS\system32\drivers
2010-02-12 23:57:08 ----HD---- C:\WINDOWS\inf
2010-02-12 23:57:08 ----D---- C:\WINDOWS\system32\CatRoot
2010-02-12 23:54:23 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-12 23:25:16 ----A---- C:\WINDOWS\imsins.BAK
2010-02-12 23:25:05 ----HD---- C:\WINDOWS\$hf_mig$
2010-02-12 23:23:17 ----D---- C:\WINDOWS\WinSxS
2010-02-12 22:38:12 ----D---- C:\Program Files\Spybot - Search & Destroy
2010-02-12 20:36:46 ----HDC---- C:\WINDOWS\$NtServicePackUninstall$
2010-02-12 20:36:01 ----D---- C:\Program Files\QuickTime
2010-02-12 19:08:08 ----D---- C:\WINDOWS\mui
2010-02-12 18:52:33 ----D---- C:\Program Files\Internet Explorer
2010-02-12 18:48:18 ----D---- C:\Program Files\iTunes
2010-02-12 18:48:06 ----D---- C:\WINDOWS\system32\dla
2010-02-12 18:46:30 ----HDC---- C:\WINDOWS\$NtUninstallKB900485$
2010-02-12 17:15:17 ----SD---- C:\WINDOWS\Tasks
2010-02-12 14:36:08 ----D---- C:\Program Files\Maxis
2010-02-12 13:11:35 ----D---- C:\WINDOWS\java
2010-02-12 12:45:04 ----HDC---- C:\WINDOWS\$NtUninstallKB921398$
2010-02-12 12:44:47 ----D---- C:\WINDOWS\Media
2010-02-12 11:10:14 ----D---- C:\Documents and Settings\Sharon\Application Data\Apple Computer
2010-02-12 09:37:19 ----D---- C:\Program Files\Google
2010-02-12 08:24:54 ----AC---- C:\WINDOWS\wininit.ini
2010-02-10 06:36:59 ----SHD---- C:\System Volume Information
2010-02-10 06:36:59 ----D---- C:\WINDOWS\system32\Restore
2010-02-09 15:16:44 ----D---- C:\Program Files\EA GAMES
2010-02-09 14:57:45 ----D---- C:\Documents and Settings\All Users\Application Data\HipSoft
2010-02-09 14:57:44 ----D---- C:\Program Files\AOL Games
2010-02-05 08:41:01 ----HDC---- C:\WINDOWS\$NtUninstallKB923694$
2010-02-04 11:54:10 ----D---- C:\Documents and Settings\Sharon\Application Data\Adobe
2010-01-25 22:48:50 ----D---- C:\Documents and Settings\Sharon\Application Data\AOL
2010-01-25 22:47:23 ----D---- C:\Program Files\Common Files\AOL
2010-01-25 22:46:20 ----D---- C:\Program Files\Common Files\aolshare
2010-01-25 22:46:15 ----D---- C:\Documents and Settings\All Users\Application Data\AOL
2010-01-25 16:17:40 ----D---- C:\Documents and Settings\All Users\Application Data\AOL Downloads
2010-01-22 16:03:57 ----HDC---- C:\WINDOWS\$NtUninstallKB896727$
2010-01-22 12:17:33 ----D---- C:\WINDOWS\ie8updates

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AFS2K;AFS2k; C:\WINDOWS\system32\drivers\AFS2K.sys [2004-10-07 35840]
R1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys []
R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2009-03-30 96104]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 omci;OMCI WDM Device Driver; C:\WINDOWS\system32\DRIVERS\omci.sys [2002-11-08 17217]
R1 sscdbhk5;sscdbhk5; C:\WINDOWS\system32\drivers\sscdbhk5.sys [2005-05-13 5627]
R1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2009-05-11 28520]
R1 ssrtln;ssrtln; C:\WINDOWS\system32\drivers\ssrtln.sys [2005-05-13 23545]
R1 vsdatant;vsdatant; C:\WINDOWS\System32\vsdatant.sys [2009-11-22 486280]
R2 ASCTRM;ASCTRM; C:\WINDOWS\system32\drivers\ASCTRM.sys [2008-07-04 8552]
R2 avgntflt;avgntflt; C:\WINDOWS\system32\DRIVERS\avgntflt.sys [2010-01-15 56816]
R2 drvnddm;drvnddm; C:\WINDOWS\system32\drivers\drvnddm.sys [2005-04-21 40544]
R2 tfsnboio;tfsnboio; C:\WINDOWS\system32\dla\tfsnboio.sys [2005-05-31 25725]
R2 tfsncofs;tfsncofs; C:\WINDOWS\system32\dla\tfsncofs.sys [2005-05-31 34845]
R2 tfsndrct;tfsndrct; C:\WINDOWS\system32\dla\tfsndrct.sys [2005-05-31 4125]
R2 tfsndres;tfsndres; C:\WINDOWS\system32\dla\tfsndres.sys [2005-05-31 2241]
R2 tfsnifs;tfsnifs; C:\WINDOWS\system32\dla\tfsnifs.sys [2005-05-31 86876]
R2 tfsnopio;tfsnopio; C:\WINDOWS\system32\dla\tfsnopio.sys [2005-05-31 15069]
R2 tfsnpool;tfsnpool; C:\WINDOWS\system32\dla\tfsnpool.sys [2005-05-31 6365]
R2 tfsnudf;tfsnudf; C:\WINDOWS\system32\dla\tfsnudf.sys [2005-05-31 98716]
R2 tfsnudfa;tfsnudfa; C:\WINDOWS\system32\dla\tfsnudfa.sys [2005-05-31 100605]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2007-09-28 2456064]
R3 E100B;Intel(R) PRO Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2004-10-14 155648]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2009-05-18 26600]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2006-01-31 49664]
R3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2006-01-31 16496]
R3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2006-01-31 21568]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 STHDA;High Definition Audio Driver (WDM) - SigmaTel CODEC; C:\WINDOWS\system32\drivers\sthda.sys [2005-03-31 180096]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 wanatw;WAN Miniport (ATW); C:\WINDOWS\system32\DRIVERS\wanatw4.sys [2003-01-10 33588]
S2 mrtRate;mrtRate; C:\WINDOWS\system32\drivers\mrtRate.sys []
S3 Amsmpu4p;Amsmpu4p; \??\C:\DOCUME~1\Sharon\LOCALS~1\Temp\Amsmpu4p.sys []
S3 ENTECH;ENTECH; \??\C:\WINDOWS\system32\DRIVERS\ENTECH.sys []
S3 LHidKe;Logitech SetPoint HID Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\LHidKE.Sys [2004-10-21 24671]
S3 LHidUsbK;Logitech SetPoint USB Receiver device driver; C:\WINDOWS\System32\Drivers\LHidUsbK.Sys [2004-10-21 38691]
S3 LMouKE;Logitech SetPoint Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\LMouKE.Sys [2004-10-21 71535]
S3 NAL;Nal Service ; \??\C:\WINDOWS\system32\Drivers\iqvw32.sys []
S3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
S3 WinDriver6;Alohabob USB Bridge Cable Driver; C:\WINDOWS\system32\drivers\windrvr6.sys []
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 agp440;Intel AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agp440.sys [2008-04-13 42368]
S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agpCPQ.sys [2008-04-13 44928]
S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\alim1541.sys [2008-04-13 42752]
S4 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\system32\DRIVERS\amdagp.sys [2008-04-13 43008]
S4 cbidf;cbidf; C:\WINDOWS\system32\DRIVERS\cbidf2k.sys [2001-08-17 13952]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\DRIVERS\intelide.sys [2008-04-13 5504]
S4 sisagp;SIS AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\sisagp.sys [2008-04-13 40960]
S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\viaagp.sys [2008-04-13 42240]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Amazon Download Agent;Amazon Download Agent; C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [2009-04-06 319488]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler; C:\Program Files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]
R2 AntiVirService;Avira AntiVir Guard; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [2009-07-21 185089]
R2 AOL ACS;AOL Connectivity Service; C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe [2006-10-23 46640]
R2 AOL TopSpeedMonitor;AOL TopSpeed Monitor; C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe [2004-10-15 100016]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-08-28 144672]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2007-09-28 483328]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 IAANTMon;Intel(R) Matrix Storage Event Monitor; C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe [2005-04-25 86142]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe [2001-02-23 270336]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2007-08-09 73728]
R2 vsmon;TrueVector Internet Monitor; C:\WINDOWS\system32\ZoneLabs\vsmon.exe [2009-11-22 2384240]
S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2007-09-28 593920]
S2 gupdate;Google Update Service (gupdate); C:\Program Files\Google\Update\GoogleUpdate.exe [2010-02-12 135664]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 getPlusHelper;getPlus(R) Helper; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
S3 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-05-11 182768]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-11-12 545568]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------

DeciAz
2010-02-16, 04:58
I ran the GMER program, and after 10 hours shut it down, to run the RSIT logs. I tried to save what I had, but it froze the computer completely, none of the usual actions worked, and I had to pull the plug.

After I booted up again, I ran the above logs. I had intended to redo the Gmer and let it run over night, but within 10 minutes, it triggered a BSOD and another unplugging.
An automatic error report was sent to Microsoft on reboot, and returned this warning:

"Troubleshoot a problem with a device driver

You received this message because a device driver installed on your computer caused Windows to stop unexpectedly. This type of error is referred to as a "stop error." A stop error requires you to restart your computer........"

I will wait for your thoughts on this, before continuing to try to run the GMER Rootkit scanner. :scratch:

Cypher
2010-02-16, 12:27
Hi DeciAz

I ran the GMER program, and after 10 hours shut it down.
This can happen with Gmer on some systems; don't worry about it for now.
Please continue with the instructions below.

Please navigate to Start >> All Programs >> ERUNT, then double-click ERUNT from the menu.
Click on OK within the pop-up menu.
In the next menu under C:\WINDOWS\ERDNT\DD-MM-YYYY under Backup options make sure both the following are selected:
System registry.
Current user registry.
Next click on "OK"... at the prompt... reply "Yes".
After a short duration the Registry backup is complete! pop-up message will appear.
Now click on "OK". A registry backup has now been created.

Next.

Download and run OTM

Download OTM (http://oldtimer.geekstogo.com/OTM.exe) by Old Timer and save it to your Desktop.

Double-click OTM.exe to run it.
Paste the following code under the Paste List of Files/Folders to Move area. Do not include the word Code.

:Processes

:Reg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00

:Files
C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\At10.job
C:\WINDOWS\tasks\At11.job
C:\WINDOWS\tasks\At12.job
C:\WINDOWS\tasks\At13.job
C:\WINDOWS\tasks\At14.job
C:\WINDOWS\tasks\At15.job
C:\WINDOWS\tasks\At16.job
C:\WINDOWS\tasks\At17.job
C:\WINDOWS\tasks\At18.job
C:\WINDOWS\tasks\At19.job
C:\WINDOWS\tasks\At2.job
C:\WINDOWS\tasks\At20.job
C:\WINDOWS\tasks\At21.job
C:\WINDOWS\tasks\At22.job
C:\WINDOWS\tasks\At23.job
C:\WINDOWS\tasks\At24.job
C:\WINDOWS\tasks\At3.job
C:\WINDOWS\tasks\At4.job
C:\WINDOWS\tasks\At5.job
C:\WINDOWS\tasks\At6.job
C:\WINDOWS\tasks\At7.job
C:\WINDOWS\tasks\At8.job
C:\WINDOWS\tasks\At9.job

:Commands
[emptytemp]
[start explorer]
[Reboot]


Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
Push the large MoveIt! button.
OTM may ask to reboot the machine. Please do so if asked.
Copy everything in the Results window (under the green bar), and paste it in your next reply.

NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


Next.

Re-run - RSIT (Random's System Information Tool)

You should still have this program on your desktop.
Double click on RSIT.exe to run it.
Please read the disclaimer... click on Continue.
RSIT will start running. When done... ONLY the "C:\RSIT\log.txt"...will be reproduced. (it will be maximized)
Please post ONLY the "log.txt", file contents in your next reply.
(This log can be lengthy, so a separate post may be needed.)


Next.

Upload a File to Jotti

Please go to jotti.org (http://virusscan.jotti.org/en)

Copy/paste this file and path into the white box at the top:

C:\WINDOWS\BS.INI
Press Submit - this will submit the file for testing.
Please wait for all the scanners to finish then copy and paste the results in your next response.

If you have trouble using jotti try Virustotal (http://www.virustotal.com/)



Logs/Information to Post in your Next Reply


OTM log.
RSIT log.txt.
jotti or virustotal results.
Please give me an update on your computer's performance.
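The :Reg section of the OTM script above writes the LSA "Notification Packages" value back as hex(7):73,63,65,63,6c,69,00,00, which is the REG_MULTI_SZ "scecli". LSA loads every DLL named in that value at boot and passes it password changes, so an unfamiliar extra entry is worth seeing before a fix overwrites it. The following Python helper is an added example, not code from the thread or from OTM: it decodes a hex(7) value as OTM writes it (one byte per character) or as regedit exports it (UTF-16LE), lists the packages, and flags anything beyond an expected default. The expected default ("scecli") and the sample lines are assumptions constructed for the example.

```python
"""Decode and sanity-check an LSA "Notification Packages" REG_MULTI_SZ value.

Added example (not from the thread, not OTM's code).  EXPECTED_DEFAULT is an
assumption: it matches the value the helper restored on the XP SP3 machine in
the thread.
"""
from __future__ import annotations

EXPECTED_DEFAULT = ("scecli",)   # assumption: XP default as restored in the thread


def decode_multi_sz(hex_list: str) -> list[str]:
    """Turn 'aa,bb,...' into the list of strings in a REG_MULTI_SZ.

    OTM's :Reg line uses one byte per character; a regedit .reg export uses
    UTF-16LE.  Both are NUL-separated and double-NUL terminated, so detect the
    encoding from the byte pattern (every odd byte zero) and split on NUL.
    """
    raw = bytes(int(b, 16) for b in hex_list.split(",") if b.strip())
    looks_utf16 = (
        len(raw) >= 2 and len(raw) % 2 == 0
        and all(raw[i] == 0 for i in range(1, len(raw), 2))
        and any(raw[i] != 0 for i in range(0, len(raw), 2))
    )
    text = raw.decode("utf-16-le") if looks_utf16 else raw.decode("latin-1")
    return [s for s in text.split("\0") if s]


def encode_multi_sz(values: list[str], utf16: bool = False) -> str:
    """Inverse of decode_multi_sz; utf16=False gives OTM's one-byte form."""
    text = "\0".join(values) + "\0\0"
    raw = text.encode("utf-16-le" if utf16 else "latin-1")
    return ",".join(f"{b:02x}" for b in raw)


def parse_reg_line(line: str) -> tuple[str, list[str]]:
    """Parse '"Name"=hex(7):...' (OTM :Reg / .reg syntax) into (name, values)."""
    name_part, _, value_part = line.strip().partition("=")
    if not value_part.lower().startswith("hex(7):"):
        raise ValueError("not a REG_MULTI_SZ (hex(7)) line: " + line)
    return name_part.strip().strip('"'), decode_multi_sz(value_part[len("hex(7):"):])


def _norm(name: str) -> str:
    """Compare case-insensitively and ignore an explicit .dll suffix."""
    name = name.lower()
    return name[:-4] if name.endswith(".dll") else name


def unexpected_packages(packages: list[str], expected=EXPECTED_DEFAULT) -> list[str]:
    """Entries that are not in the expected list."""
    allowed = {_norm(e) for e in expected}
    return [p for p in packages if _norm(p) not in allowed]


def check_reg_line(line: str) -> list[str]:
    """Parse an OTM/.reg line and return the entries an analyst should look at."""
    _, packages = parse_reg_line(line)
    return unexpected_packages(packages)


# Constructed sample lines (not from the thread): the fix line as the helper
# posted it, and a hypothetical pre-fix value with one extra package appended.
FIX_LINE = '"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00'
SUSPECT_LINE = '"Notification Packages"=hex(7):' + encode_multi_sz(
    ["scecli", "hypothetical_extra"])

if __name__ == "__main__":
    for line in (FIX_LINE, SUSPECT_LINE):
        name, pkgs = parse_reg_line(line)
        extra = unexpected_packages(pkgs)
        verdict = "OK" if not extra else "UNEXPECTED " + str(extra)
        print(f"{name}: {pkgs} -> {verdict}")
```

Running the block prints the posted fix line as OK and the constructed line with its extra entry flagged; pointing `parse_reg_line` at the `"Notification Packages"` line of a regedit export of HKLM\SYSTEM\CurrentControlSet\Control\Lsa works the same way because the decoder recognises the UTF-16LE form.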

DeciAz
2010-02-16, 15:17
Jotti:
Scanners
[ArcaVir]
2010-02-10 Found nothing
[F-Secure Anti-Virus]
2010-02-16 Found nothing
[A-Squared]
2010-02-16 Found nothing
[G DATA]
2010-02-16 Found nothing
[Avast! antivirus]
2010-02-16 Found nothing
[Ikarus]
2010-02-16 Found nothing
[Grisoft AVG Anti-Virus]
2010-02-16 Found nothing
[Kaspersky Anti-Virus]
2010-02-16 Found nothing
[Avira AntiVir]
2010-02-16 Found nothing
[ESET NOD32]
2010-02-16 Found nothing
[Softwin BitDefender]
2010-02-16 Found nothing
[Panda Antivirus]
2010-02-15 Found nothing
[ClamAV]
2010-02-16 Found nothing
[Quick Heal]
2010-02-16 Found nothing
[CPsecure]
2010-02-16 Found nothing
[Sophos]
2010-02-16 Found nothing
[Dr.Web]
2010-02-16 Found nothing
[VirusBlokAda VBA32]
2010-02-15 Found nothing
[Frisk F-Prot Antivirus]
2010-02-15 Found nothing
[VirusBuster]
2010-02-16 Found nothing

OTM log:
All processes killed
========== PROCESSES ==========
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\"Notification Packages"|hex(7):73,63,65,63,6c,69,00,00 /E : value set successfully!
========== FILES ==========
C:\WINDOWS\tasks\At1.job moved successfully.
C:\WINDOWS\tasks\At10.job moved successfully.
C:\WINDOWS\tasks\At11.job moved successfully.
C:\WINDOWS\tasks\At12.job moved successfully.
C:\WINDOWS\tasks\At13.job moved successfully.
C:\WINDOWS\tasks\At14.job moved successfully.
C:\WINDOWS\tasks\At15.job moved successfully.
C:\WINDOWS\tasks\At16.job moved successfully.
C:\WINDOWS\tasks\At17.job moved successfully.
C:\WINDOWS\tasks\At18.job moved successfully.
C:\WINDOWS\tasks\At19.job moved successfully.
C:\WINDOWS\tasks\At2.job moved successfully.
C:\WINDOWS\tasks\At20.job moved successfully.
C:\WINDOWS\tasks\At21.job moved successfully.
C:\WINDOWS\tasks\At22.job moved successfully.
C:\WINDOWS\tasks\At23.job moved successfully.
C:\WINDOWS\tasks\At24.job moved successfully.
C:\WINDOWS\tasks\At3.job moved successfully.
C:\WINDOWS\tasks\At4.job moved successfully.
C:\WINDOWS\tasks\At5.job moved successfully.
C:\WINDOWS\tasks\At6.job moved successfully.
C:\WINDOWS\tasks\At7.job moved successfully.
C:\WINDOWS\tasks\At8.job moved successfully.
C:\WINDOWS\tasks\At9.job moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: All Users

User: default

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32768 bytes

User: LocalService
->Temp folder emptied: 65984 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 538527 bytes
->Temporary Internet Files folder emptied: 41349313 bytes

User: Sharon
->Temp folder emptied: 29803985 bytes
->Temporary Internet Files folder emptied: 130197908 bytes
->Java cache emptied: 114366683 bytes
->FireFox cache emptied: 94847004 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 2675729 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1023907 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 4217715 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 400.00 mb


OTM by OldTimer - Version 3.1.8.0 log created on 02162010_065412

Files moved on Reboot...
C:\Documents and Settings\Sharon\Local Settings\Temp\~DFEE36.tmp moved successfully.
File C:\WINDOWS\temp\ZLT000e1.TMP not found!

Registry entries deleted on Reboot...

RSIT log.txt:
Logfile of random's system information tool 1.06 (written by random/random)
Run by Sharon at 2010-02-16 07:00:45
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 37 GB (50%) free of 73 GB
Total RAM: 1022 MB (56% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:01:00 AM, on 2/16/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Sharon\My Documents\Downloads\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Sharon.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html?p=DS
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=488
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "c:\progra~1\purene~1\portma~1\PORTAO~1.EXE" -Run
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] "c:\program files\quicktime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1105975379\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "c:\progra~1\common~1\instal~1\update~1\issch.exe" -start
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Flablt] rundll32.exe "C:\Documents and Settings\Sharon\Application Data\Adobe\Update\wndcor.dat""
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.5a\AOL.EXE" -b
O4 - HKUS\S-1-5-18\..\Run: [Flablt] rundll32.exe "C:\Documents and Settings\Sharon\Application Data\Adobe\Update\wndcor.dat"" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Flablt] rundll32.exe "C:\Documents and Settings\Sharon\Application Data\Adobe\Update\wndcor.dat"" (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Dell Home - {90D7162F-5C08-4A00-B04B-6A5197462544} - http://www.dellnet.com (file missing) (HKCU)
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1199454514156
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqaio/downloads/msxml4.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {D40F5876-A494-4124-8161-82625BB28C06} (CPlayFirstChocolatieControl Object) - http://aolsvc.aol.com/onlinegames/free-trial-chocolatier-2-secret-ingredients/Chocolatier2Web.1.0.0.14.cab
O16 - DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} (Playtime Games Launcher) - http://aolsvc.aol.com/onlinegames/oberonmajongescape/PTGameLauncher.cab
O23 - Service: Amazon Download Agent - Amazon.com - C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 10043 bytes
======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-12-21 75200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2010-02-12 279664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll [2010-02-12 812528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2010-02-12 279664]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"=C:\WINDOWS\stsystra.exe [2005-03-22 339968]
"EM_EXEC"=C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE []
"UserFaultCheck"=C:\WINDOWS\system32\dumprep 0 -u []
"Logitech Hardware Abstraction Layer"=C:\WINDOWS\KHALMNPR.EXE [2004-10-21 29696]
"HPDJ Taskbar Utility"=C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe []
"dla"=C:\WINDOWS\system32\dla\tfswctrl.exe []
"Pure Networks Port Magic"=c:\progra~1\purene~1\portma~1\PORTAO~1.EXE -Run []
"ISUSPM Startup"=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup []
"QuickTime Task"=c:\program files\quicktime\qttask .exe -atboottime []
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe []
"avgnt"=C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [2009-03-02 209153]
"HostManager"=C:\Program Files\Common Files\AOL\1105975379\ee\AOLSoftware.exe []
"ZoneAlarm Client"=C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe [2009-11-22 1037192]
"ISUSScheduler"=c:\progra~1\common~1\instal~1\update~1\issch.exe -start []
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-12-22 35760]
"Adobe ARM"=C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2009-12-11 948672]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2010-02-12 39408]
"Flablt"=C:\Documents and Settings\Sharon\Application Data\Adobe\Update\wndcor.dat [2010-02-05 18732]
"AOL Fast Start"=C:\Program Files\AOL 9.5a\AOL.EXE -b []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AmazonGSDownloaderTray]
C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe [2009-04-06 247296]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2007-05-08 54840]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe -start []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe [2006-01-19 11776]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Walgreens PhotoShow Media Manager]
C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe [2006-04-19 237568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2007-09-28 122880]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableLUA"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoFolderOptions"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\Yahoo!\Messenger\YPager.exe"="C:\Program Files\Yahoo!\Messenger\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL"
"C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe"="C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe:*:Enabled:AOLTsMon"
"C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe"="C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe:*:Enabled:AOLTopSpeed"
"C:\Program Files\Common Files\AOL\1105975379\EE\AOLServiceHost.exe"="C:\Program Files\Common Files\AOL\1105975379\EE\AOLServiceHost.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\System Information\sinf.exe"="C:\Program Files\Common Files\AOL\System Information\sinf.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\AOL Spyware Protection\AOLSP Scheduler.exe"="C:\Program Files\Common Files\AOL\AOL Spyware Protection\AOLSP Scheduler.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\AOL Spyware Protection\asp.exe"="C:\Program Files\Common Files\AOL\AOL Spyware Protection\asp.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AolCoach\en_en\player\AOLNySEV.exe"="C:\Program Files\Common Files\AolCoach\en_en\player\AOLNySEV.exe:*:Enabled:AOL"
"C:\Program Files\Dell Support\DSAgnt.exe"="C:\Program Files\Dell Support\DSAgnt.exe:*:Enabled:Dell Support"
"C:\Program Files\Maxis\The Sims\support\The Sims Makin' Magic_eReg.exe"="C:\Program Files\Maxis\The Sims\support\The Sims Makin' Magic_eReg.exe:*:Enabled:Electronic Registration"
"C:\Program Files\Maxis\The Sims Online\TSOPatch\TSO.exe"="C:\Program Files\Maxis\The Sims Online\TSOPatch\TSO.exe:*:Enabled:The Sims Online (800 x 600)"
"C:\QUICKENW\qw.exe"="C:\QUICKENW\qw.exe:*:Enabled:Quicken 2003 Premier Home & Business"
"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Mozilla Firefox"
"C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmjb.exe"="C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmjb.exe:*:Enabled:Musicmatch Jukebox"
"C:\Program Files\Eisenworld\Alohabob\AlohaBob.exe"="C:\Program Files\Eisenworld\Alohabob\AlohaBob.exe:*:Enabled:PC Relocator Ultra Control"
"C:\psfonts\ATMFM.EXE"="C:\psfonts\ATMFM.EXE:*:Enabled:Adobe Type Manager"
"C:\WINDOWS\system32\sessmgr.exe"="C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\Program Files\Maxis\SimCity 3000 Unlimited\Apps\Updater\UPDATER.EXE"="C:\Program Files\Maxis\SimCity 3000 Unlimited\Apps\Updater\UPDATER.EXE:*:Enabled:SC3UpdaterMFC"
"C:\Program Files\Infogrames Interactive\Monopoly Tycoon\mc.exe"="C:\Program Files\Infogrames Interactive\Monopoly Tycoon\mc.exe:*:Enabled:Monopoly Tycoon"
"C:\Documents and Settings\Sharon\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\DofusUpdater\DofusUpdater.exe"="C:\Documents and Settings\Sharon\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\DofusUpdater\DofusUpdater.exe:*:Enabled:Installation de Dofus"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL"
"C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe"="C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe"="C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe"="C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe"="C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe"="C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe"="C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe"="C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"
"C:\Program Files\Penguin Puzzle\Penguin Puzzle.exe"="C:\Program Files\Penguin Puzzle\Penguin Puzzle.exe:*:Enabled:NcSkel"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\TurboTax\Deluxe 2006\32bit\ttax.exe"="C:\Program Files\TurboTax\Deluxe 2006\32bit\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\Program Files\TurboTax\Deluxe 2006\32bit\updatemgr.exe"="C:\Program Files\TurboTax\Deluxe 2006\32bit\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\Program Files\Common Files\AOL\1105975379\EE\aolsoftware.exe"="C:\Program Files\Common Files\AOL\1105975379\EE\aolsoftware.exe:*:Enabled:AOL Shared Components"
"C:\Program Files\EA GAMES\American McGee's Alice\alice.exe"="C:\Program Files\EA GAMES\American McGee's Alice\alice.exe:*:Disabled:American McGee's Alice"
"C:\Program Files\Ankama Games\Dofus\Dofus.exe"="C:\Program Files\Ankama Games\Dofus\Dofus.exe:*:Enabled:Dofus Client"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Electronic Arts\EADM\Core.exe"="C:\Program Files\Electronic Arts\EADM\Core.exe:*:Enabled:EA Download Manager"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\AOL 9.5\waol.exe"="C:\Program Files\AOL 9.5\waol.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\TopSpeed\3.0\aoltpsd3.exe"="C:\Program Files\Common Files\AOL\TopSpeed\3.0\aoltpsd3.exe:*:Enabled:AOL TopSpeed"
"C:\Program Files\AOL 9.5a\waol.exe"="C:\Program Files\AOL 9.5a\waol.exe:*:Enabled:AOL"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000

DeciAz
2010-02-16, 15:44
======List of files/folders created in the last 1 months======

2010-02-16 06:54:12 ----D---- C:\_OTM
2010-02-15 20:21:35 ----D---- C:\rsit
2010-02-13 17:38:39 ----D---- C:\Program Files\Common Files\Adobe AIR
2010-02-13 16:39:50 ----D---- C:\Program Files\NOS
2010-02-13 16:39:50 ----D---- C:\Documents and Settings\All Users\Application Data\NOS
2010-02-12 23:25:34 ----A---- C:\WINDOWS\system32\MRT.exe
2010-02-12 23:25:27 ----HDC---- C:\WINDOWS\$NtUninstallKB978706$
2010-02-12 23:25:14 ----HDC---- C:\WINDOWS\$NtUninstallKB971468$
2010-02-12 23:25:00 ----HDC---- C:\WINDOWS\$NtUninstallKB977914$
2010-02-12 23:24:45 ----HDC---- C:\WINDOWS\$NtUninstallKB978262$
2010-02-12 23:24:32 ----HDC---- C:\WINDOWS\$NtUninstallKB975560$
2010-02-12 23:24:18 ----HDC---- C:\WINDOWS\$NtUninstallKB978251$
2010-02-12 23:24:00 ----HDC---- C:\WINDOWS\$NtUninstallKB977165$
2010-02-12 23:23:45 ----HDC---- C:\WINDOWS\$NtUninstallKB978037$
2010-02-12 23:23:28 ----HDC---- C:\WINDOWS\$NtUninstallKB975713$
2010-02-12 14:56:33 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-02-10 12:59:26 ----D---- C:\Program Files\Trend Micro
2010-02-10 12:52:35 ----D---- C:\WINDOWS\ERDNT
2010-02-10 12:29:05 ----D---- C:\Program Files\ERUNT
2010-01-28 15:53:14 ----A---- C:\WINDOWS\system32\vsregexp.dll
2010-01-28 15:53:12 ----A---- C:\WINDOWS\system32\zlcommdb.dll
2010-01-28 15:53:12 ----A---- C:\WINDOWS\system32\zlcomm.dll
2010-01-28 15:53:07 ----A---- C:\WINDOWS\system32\vswmi.dll
2010-01-28 15:53:06 ----D---- C:\WINDOWS\system32\ZoneLabs
2010-01-28 15:53:06 ----A---- C:\WINDOWS\system32\zpeng25.dll
2010-01-28 15:53:06 ----A---- C:\WINDOWS\system32\vsxml.dll
2010-01-28 15:53:06 ----A---- C:\WINDOWS\system32\vspubapi.dll
2010-01-28 15:53:06 ----A---- C:\WINDOWS\system32\vsmonapi.dll
2010-01-28 15:53:05 ----D---- C:\Program Files\Zone Labs
2010-01-28 15:50:06 ----D---- C:\WINDOWS\Internet Logs
2010-01-28 15:50:06 ----A---- C:\WINDOWS\system32\vsutil.dll
2010-01-28 15:50:06 ----A---- C:\WINDOWS\system32\vsinit.dll
2010-01-28 15:50:06 ----A---- C:\WINDOWS\system32\vsdata.dll
2010-01-25 22:46:15 ----D---- C:\Program Files\AOL 9.5a
2010-01-25 16:31:13 ----D---- C:\Documents and Settings\All Users\Application Data\Macromedia
2010-01-25 16:28:56 ----D---- C:\Program Files\AOL 9.5
2010-01-22 10:47:55 ----D---- C:\Documents and Settings\Sharon\Application Data\Malwarebytes
2010-01-22 10:47:45 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes

======List of files/folders modified in the last 1 months======

2010-02-16 06:59:19 ----D---- C:\WINDOWS\Prefetch
2010-02-16 06:59:02 ----D---- C:\WINDOWS\Temp
2010-02-16 06:58:22 ----D---- C:\WINDOWS\system32\CatRoot2
2010-02-16 06:57:35 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-02-16 06:57:06 ----D---- C:\WINDOWS\system32
2010-02-16 06:57:05 ----D---- C:\WINDOWS
2010-02-16 06:54:14 ----SD---- C:\WINDOWS\Tasks
2010-02-16 06:51:01 ----A---- C:\VETlog.txt
2010-02-16 06:51:00 ----A---- C:\WINDOWS\win.ini
2010-02-15 21:56:50 ----D---- C:\Program Files\Fishdom
2010-02-15 20:41:07 ----D---- C:\WINDOWS\Minidump
2010-02-14 20:35:34 ----D---- C:\Documents and Settings\Sharon\Application Data\Dofus 2
2010-02-14 10:01:52 ----D---- C:\Program Files\Mozilla Firefox
2010-02-13 23:26:46 ----A---- C:\WINDOWS\BS.INI
2010-02-13 17:42:28 ----SHD---- C:\WINDOWS\Installer
2010-02-13 17:42:27 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2010-02-13 17:42:01 ----D---- C:\Program Files\Common Files\Adobe
2010-02-13 17:41:44 ----D---- C:\Program Files\Adobe
2010-02-13 17:38:39 ----D---- C:\Program Files\Common Files
2010-02-13 16:39:50 ----RD---- C:\Program Files
2010-02-13 09:59:04 ----RSHD---- C:\WINDOWS\system32\dllcache
2010-02-13 09:58:55 ----D---- C:\psfonts
2010-02-13 09:58:53 ----D---- C:\WINDOWS\system32\drivers
2010-02-12 23:57:08 ----HD---- C:\WINDOWS\inf
2010-02-12 23:57:08 ----D---- C:\WINDOWS\system32\CatRoot
2010-02-12 23:54:23 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-12 23:25:16 ----A---- C:\WINDOWS\imsins.BAK
2010-02-12 23:25:05 ----HD---- C:\WINDOWS\$hf_mig$
2010-02-12 23:23:17 ----D---- C:\WINDOWS\WinSxS
2010-02-12 22:38:12 ----D---- C:\Program Files\Spybot - Search & Destroy
2010-02-12 20:36:46 ----HDC---- C:\WINDOWS\$NtServicePackUninstall$
2010-02-12 20:36:01 ----D---- C:\Program Files\QuickTime
2010-02-12 19:08:08 ----D---- C:\WINDOWS\mui
2010-02-12 18:52:33 ----D---- C:\Program Files\Internet Explorer
2010-02-12 18:48:18 ----D---- C:\Program Files\iTunes
2010-02-12 18:48:06 ----D---- C:\WINDOWS\system32\dla
2010-02-12 18:46:30 ----HDC---- C:\WINDOWS\$NtUninstallKB900485$
2010-02-12 14:36:08 ----D---- C:\Program Files\Maxis
2010-02-12 13:11:35 ----D---- C:\WINDOWS\java
2010-02-12 12:45:04 ----HDC---- C:\WINDOWS\$NtUninstallKB921398$
2010-02-12 12:44:47 ----D---- C:\WINDOWS\Media
2010-02-12 11:10:14 ----D---- C:\Documents and Settings\Sharon\Application Data\Apple Computer
2010-02-12 09:37:19 ----D---- C:\Program Files\Google
2010-02-12 08:24:54 ----AC---- C:\WINDOWS\wininit.ini
2010-02-10 06:36:59 ----SHD---- C:\System Volume Information
2010-02-10 06:36:59 ----D---- C:\WINDOWS\system32\Restore
2010-02-09 15:16:44 ----D---- C:\Program Files\EA GAMES
2010-02-09 14:57:45 ----D---- C:\Documents and Settings\All Users\Application Data\HipSoft
2010-02-09 14:57:44 ----D---- C:\Program Files\AOL Games
2010-02-05 08:41:01 ----HDC---- C:\WINDOWS\$NtUninstallKB923694$
2010-02-04 11:54:10 ----D---- C:\Documents and Settings\Sharon\Application Data\Adobe
2010-01-25 22:48:50 ----D---- C:\Documents and Settings\Sharon\Application Data\AOL
2010-01-25 22:47:23 ----D---- C:\Program Files\Common Files\AOL
2010-01-25 22:46:20 ----D---- C:\Program Files\Common Files\aolshare
2010-01-25 22:46:15 ----D---- C:\Documents and Settings\All Users\Application Data\AOL
2010-01-25 16:17:40 ----D---- C:\Documents and Settings\All Users\Application Data\AOL Downloads
2010-01-22 16:03:57 ----HDC---- C:\WINDOWS\$NtUninstallKB896727$
2010-01-22 12:17:33 ----D---- C:\WINDOWS\ie8updates

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AFS2K;AFS2k; C:\WINDOWS\system32\drivers\AFS2K.sys [2004-10-07 35840]
R1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys []
R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2009-03-30 96104]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 omci;OMCI WDM Device Driver; C:\WINDOWS\system32\DRIVERS\omci.sys [2002-11-08 17217]
R1 sscdbhk5;sscdbhk5; C:\WINDOWS\system32\drivers\sscdbhk5.sys [2005-05-13 5627]
R1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2009-05-11 28520]
R1 ssrtln;ssrtln; C:\WINDOWS\system32\drivers\ssrtln.sys [2005-05-13 23545]
R1 vsdatant;vsdatant; C:\WINDOWS\System32\vsdatant.sys [2009-11-22 486280]
R2 ASCTRM;ASCTRM; C:\WINDOWS\system32\drivers\ASCTRM.sys [2008-07-04 8552]
R2 avgntflt;avgntflt; C:\WINDOWS\system32\DRIVERS\avgntflt.sys [2010-01-15 56816]
R2 drvnddm;drvnddm; C:\WINDOWS\system32\drivers\drvnddm.sys [2005-04-21 40544]
R2 tfsnboio;tfsnboio; C:\WINDOWS\system32\dla\tfsnboio.sys [2005-05-31 25725]
R2 tfsncofs;tfsncofs; C:\WINDOWS\system32\dla\tfsncofs.sys [2005-05-31 34845]
R2 tfsndrct;tfsndrct; C:\WINDOWS\system32\dla\tfsndrct.sys [2005-05-31 4125]
R2 tfsndres;tfsndres; C:\WINDOWS\system32\dla\tfsndres.sys [2005-05-31 2241]
R2 tfsnifs;tfsnifs; C:\WINDOWS\system32\dla\tfsnifs.sys [2005-05-31 86876]
R2 tfsnopio;tfsnopio; C:\WINDOWS\system32\dla\tfsnopio.sys [2005-05-31 15069]
R2 tfsnpool;tfsnpool; C:\WINDOWS\system32\dla\tfsnpool.sys [2005-05-31 6365]
R2 tfsnudf;tfsnudf; C:\WINDOWS\system32\dla\tfsnudf.sys [2005-05-31 98716]
R2 tfsnudfa;tfsnudfa; C:\WINDOWS\system32\dla\tfsnudfa.sys [2005-05-31 100605]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2007-09-28 2456064]
R3 E100B;Intel(R) PRO Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2004-10-14 155648]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2009-05-18 26600]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2006-01-31 49664]
R3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2006-01-31 16496]
R3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2006-01-31 21568]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 STHDA;High Definition Audio Driver (WDM) - SigmaTel CODEC; C:\WINDOWS\system32\drivers\sthda.sys [2005-03-31 180096]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 wanatw;WAN Miniport (ATW); C:\WINDOWS\system32\DRIVERS\wanatw4.sys [2003-01-10 33588]
S2 mrtRate;mrtRate; C:\WINDOWS\system32\drivers\mrtRate.sys []
S3 Amsmpu4p;Amsmpu4p; \??\C:\DOCUME~1\Sharon\LOCALS~1\Temp\Amsmpu4p.sys []
S3 ENTECH;ENTECH; \??\C:\WINDOWS\system32\DRIVERS\ENTECH.sys []
S3 LHidKe;Logitech SetPoint HID Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\LHidKE.Sys [2004-10-21 24671]
S3 LHidUsbK;Logitech SetPoint USB Receiver device driver; C:\WINDOWS\System32\Drivers\LHidUsbK.Sys [2004-10-21 38691]
S3 LMouKE;Logitech SetPoint Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\LMouKE.Sys [2004-10-21 71535]
S3 NAL;Nal Service ; \??\C:\WINDOWS\system32\Drivers\iqvw32.sys []
S3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
S3 WinDriver6;Alohabob USB Bridge Cable Driver; C:\WINDOWS\system32\drivers\windrvr6.sys []
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 agp440;Intel AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agp440.sys [2008-04-13 42368]
S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agpCPQ.sys [2008-04-13 44928]
S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\alim1541.sys [2008-04-13 42752]
S4 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\system32\DRIVERS\amdagp.sys [2008-04-13 43008]
S4 cbidf;cbidf; C:\WINDOWS\system32\DRIVERS\cbidf2k.sys [2001-08-17 13952]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\DRIVERS\intelide.sys [2008-04-13 5504]
S4 sisagp;SIS AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\sisagp.sys [2008-04-13 40960]
S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\viaagp.sys [2008-04-13 42240]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Amazon Download Agent;Amazon Download Agent; C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [2009-04-06 319488]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler; C:\Program Files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]
R2 AntiVirService;Avira AntiVir Guard; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [2009-07-21 185089]
R2 AOL ACS;AOL Connectivity Service; C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe [2006-10-23 46640]
R2 AOL TopSpeedMonitor;AOL TopSpeed Monitor; C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe [2004-10-15 100016]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-08-28 144672]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2007-09-28 483328]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 IAANTMon;Intel(R) Matrix Storage Event Monitor; C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe [2005-04-25 86142]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe [2001-02-23 270336]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2007-08-09 73728]
R2 vsmon;TrueVector Internet Monitor; C:\WINDOWS\system32\ZoneLabs\vsmon.exe [2009-11-22 2384240]
S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2007-09-28 593920]
S2 gupdate;Google Update Service (gupdate); C:\Program Files\Google\Update\GoogleUpdate.exe [2010-02-12 135664]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 getPlusHelper;getPlus(R) Helper; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
S3 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-05-11 182768]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-11-12 545568]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------

DeciAz
2010-02-16, 16:04
The computer performance is pretty much where it was when we started.... Good, but with suspicious details.<.<

*Still get the Rundll32.exe warnings on boot up.
*Still have the funky virus-changed icons beside 'Program Files' and 'AOL 9.5' on the start button menu. (These are the icons that the virus changed my desktop programs to, until I was able to use Malwarebytes and remove....whichever one it was that was doing that...??)

I don't know if this is good or bad, but my task manager and taskbar tray are unusually empty. I only have ZoneAlarm and Avira, where I usually have AOL, Quicktime, Volume control...and occasionally, other assorted items from the start up menu. Yesterday I also had SpyBot, but it left after one of the reboots.

I did end processes during the attack, but that has never kept them from returning on boot-up before....even when I tried to stop them. =P

I have not tried to reboot in Safe Mode since we started, so I don't have an update on that.

None of these look like much, but since I don't know how such a massive attack on my system got thru a running (and up to date) ZoneAlarm, Avira and Spybot in the first place...maybe I am just being too twitchy???:red:

Cypher
2010-02-16, 17:31
Hi DeciAz.
Good work so far thank you.
Please continue with the instructions below.

Add/Remove programs
Click on start
Then Run
In the open text entry box please copy/paste appwiz.cpl, then click Enter.
Press the "Remove" or "Change/Remove"...button to uninstall the following.

My Way Search Assistant
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment, SE v1.4.2_03
Java 2 Runtime Environment, SE v1.4.2_11
Java(TM) 6 Update 15
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1


Next.

Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


Next.

Malwarebytes Anti-Malware:


Launch the application, Check for Updates >> Perform Quick Scan.
When the scan is complete, click OK, then Show Results to view the results.
Check all items except items in the C:\System Volume Information folder... and click Remove Selected.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt


Next.

Upload a File to Jotti

Please go to jotti.org (http://virusscan.jotti.org/en)

Copy/paste this file and path into the white box at the top:

C:\Documents and Settings\Sharon\Application Data\Adobe\Update\wndcor.dat
Press Submit - this will submit the file for testing.
Please wait for all the scanners to finish then copy and paste the results in your next response.

If you have trouble using jotti try Virustotal (http://www.virustotal.com/)



Logs/Information to Post in your Next Reply


Malwarebytes log.
jotti or virustotal results.

DeciAz
2010-02-16, 19:39
Add/Remove:

My Way Search Assistant ~ could not remove, error message:

"Error loading C:\Progra~1\MyWaySA\1.bin\desrcas.dll
The specific module could not be found."

Removed all the others with no problems.

Malwarebytes was clean, here is the log:
Malwarebytes' Anti-Malware 1.44
Database version: 3746
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/16/2010 10:42:02 AM
mbam-log-2010-02-16 (10-42-02).txt

Scan type: Quick Scan
Objects scanned: 132023
Time elapsed: 5 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Jotti was clean:

Jotti's malware scan
Filename: wndcor.dat
Status:
Scan finished. 0 out of 20 scanners reported malware.
Scan taken on: Tue 16 Feb 2010 19:24:55 (CET) Permalink

Additional info
File size: 18732 bytes
Filetype: PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
MD5: a809dc8410e0f79d097f8163bb4d9b96
SHA1: 153b11642798ae118c98feab5ee4c803fadee54b




Scanners
[ArcaVir]
2010-02-10 Found nothing
[F-Secure Anti-Virus]
2010-02-16 Found nothing
[A-Squared]
2010-02-16 Found nothing
[G DATA]
2010-02-16 Found nothing
[Avast! antivirus]
2010-02-16 Found nothing
[Ikarus]
2010-02-16 Found nothing
[Grisoft AVG Anti-Virus]
2010-02-16 Found nothing
[Kaspersky Anti-Virus]
2010-02-16 Found nothing
[Avira AntiVir]
2010-02-16 Found nothing
[ESET NOD32]
2010-02-16 Found nothing
[Softwin BitDefender]
2010-02-16 Found nothing
[Panda Antivirus]
2010-02-16 Found nothing
[ClamAV]
2010-02-16 Found nothing
[Quick Heal]
2010-02-16 Found nothing
[CPsecure]
2010-02-16 Found nothing
[Sophos]
2010-02-16 Found nothing
[Dr.Web]
2010-02-16 Found nothing
[VirusBlokAda VBA32]
2010-02-16 Found nothing
[Frisk F-Prot Antivirus]
2010-02-16 Found nothing
[VirusBuster]
2010-02-16 Found nothing

Cypher
2010-02-16, 19:55
EDIT Double post.

Cypher
2010-02-16, 19:56
Hi DeciAz.
Your logs are looking good so far; the scans you ran before posting here have taken care of most of it.
About your taskbar tray, see if you can restore the Volume control.
Right-click on the taskbar and select Properties > Notification Area.
Make sure Volume is ticked then Apply > Ok.
Let me know if that worked.


Next.


Disable Avira anti-virus


Please navigate to the system tray on the bottom right hand corner and look for an open white umbrella on a red background (looks like this: http://i94.photobucket.com/albums/l84/SillyGerman/BleepingComputer/antivir.png )
Right-click it -> untick the option AntiVir Guard enable.
You should now see a closed, white umbrella on a red background (looks like this: http://i94.photobucket.com/albums/l84/SillyGerman/BleepingComputer/antivir_disabled.png )
Note: Don't forget to re-enable it after the below scan.


Next.


Please Download SysProt Antirootkit from one of the links below.


Link 1 (http://www.softpedia.com/get/Security/Security-Related/SysProt-AntiRootkit.shtml)
Link 2 (http://majorgeeks.com/SysProt_AntiRootkit_d5708.html)
Link 3 (http://fileforum.betanews.com/detail/SysProt-AntiRootkit/1190650161/1)


Extract (unzip) its contents to your desktop.
Double click Sysprot.exe to start the program.
Click on the Log tab. In the Write to log box select all items.
See images below.

http://i752.photobucket.com/albums/xx167/Cypher_photo/2009-11-18_191323-1.jpg?t=1258571821

And check Hidden objects only at the bottom.
http://i752.photobucket.com/albums/xx167/Cypher_photo/2009-11-18_192132.jpg?t=1258572201

At the bottom of the window, click on the Create Log button on the bottom right. After a few seconds a new window should appear. Select Scan Root Drive. Click on the Start button. When it is complete a new window will appear to indicate that the scan is finished. The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.

Logs/Information to Post in your Next Reply


SysProt log
Is your Volume control back?

DeciAz
2010-02-16, 20:52
SysProt AntiRootkit v1.0.1.0
by swatkat

**********************************************************
**********************************************************

No Hidden Processes found

**********************************************************
**********************************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_iastor.sys
Service Name: ---
Module Base: EB56C000
Module End: EB641000
Hidden: Yes

**********************************************************
**********************************************************
SSDT:
Function Name: ZwConnectPort
Address: F23BF630
Driver Base: F238B000
Driver End: F241B000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwCreateFile
Address: F23B8D80
Driver Base: F238B000
Driver End: F241B000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwCreateKey
Address: F7B06216
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwCreatePort
Address: F23BFE40
Driver Base: F238B000
Driver End: F241B000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwCreateProcess
Address: F23D6D30
Driver Base: F238B000
Driver End: F241B000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwCreateProcessEx
Address: F23D7150
Driver Base: F238B000
Driver End: F241B000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwCreateSection
Address: F23E1240
Driver Base: F238B000
Driver End: F241B000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwCreateThread
Address: F7B0620C
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwCreateWaitablePort
Address: F23BFFB0
Driver Base: F238B000
Driver End: F241B000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwDeleteFile
Address: F23B9C60
Driver Base: F238B000
Driver End: F241B000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwDeleteKey
Address: F7B0621B
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwDeleteValueKey
Address: F7B06225
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwDuplicateObject
Address: F23D5E70
Driver Base: F238B000
Driver End: F241B000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwLoadKey
Address: F7B0622A
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwLoadKey2
Address: F23DF2B0
Driver Base: F238B000
Driver End: F241B000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwOpenFile
Address: F23B9750
Driver Base: F238B000
Driver End: F241B000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwOpenProcess
Address: F23D9450
Driver Base: F238B000
Driver End: F241B000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwOpenThread
Address: F23D9020
Driver Base: F238B000
Driver End: F241B000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwRenameKey
Address: F23E0430
Driver Base: F238B000
Driver End: F241B000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwReplaceKey
Address: F7B06234
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwRequestWaitReplyPort
Address: F23BF180
Driver Base: F238B000
Driver End: F241B000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwRestoreKey
Address: F7B0622F
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwSecureConnectPort
Address: F23BF910
Driver Base: F238B000
Driver End: F241B000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwSetInformationFile
Address: F23BA080
Driver Base: F238B000
Driver End: F241B000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwSetSecurityObject
Address: F23E08E0
Driver Base: F238B000
Driver End: F241B000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwSetValueKey
Address: F7B06220
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwSystemDebugControl
Address: F23D7D20
Driver Base: F238B000
Driver End: F241B000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwTerminateProcess
Address: F23D7A50
Driver Base: F238B000
Driver End: F241B000
Driver Name: \SystemRoot\System32\vsdatant.sys

**********************************************************
**********************************************************
No Kernel Hooks found

**********************************************************
**********************************************************
IRP Hooks:
Hooked Module: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: F23ED3B0
Hooking Module: C:\WINDOWS\System32\vsdatant.sys

Hooked Module: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: F23ED3B0
Hooking Module: C:\WINDOWS\System32\vsdatant.sys

Hooked Module: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: F23ED3B0
Hooking Module: C:\WINDOWS\System32\vsdatant.sys

Hooked Module: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: F23ED3B0
Hooking Module: C:\WINDOWS\System32\vsdatant.sys

Hooked Module: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Hooked IRP: IRP_MJ_CLEANUP
Jump To: F23ED3B0
Hooking Module: C:\WINDOWS\System32\vsdatant.sys

******************************************************************************************
******************************************************************************************
Ports:
Local Address: GEORGE.DOMAIN_NOT_SET.INVALID:1035
Remote Address: 210-202.AMAZON.COM:HTTP
Type: TCP
Process: C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe
State: ESTABLISHED

Local Address: GEORGE.DOMAIN_NOT_SET.INVALID:NETBIOS-SSN
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: GEORGE:27015
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
State: LISTENING

Local Address: GEORGE:11533
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
State: LISTENING

Local Address: GEORGE:11532
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
State: LISTENING

Local Address: GEORGE:11531
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
State: LISTENING

Local Address: GEORGE:11530
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
State: LISTENING

Local Address: GEORGE:11529
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
State: LISTENING

Local Address: GEORGE:11528
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
State: LISTENING

Local Address: GEORGE:11527
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
State: LISTENING

Local Address: GEORGE:11526
Remote Address: LOCALHOST:1552
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: GEORGE:11526
Remote Address: LOCALHOST:1551
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: GEORGE:11526
Remote Address: LOCALHOST:1550
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: GEORGE:11526
Remote Address: LOCALHOST:1549
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: GEORGE:11526
Remote Address: LOCALHOST:1548
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: GEORGE:11526
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
State: LISTENING

Local Address: GEORGE:11500
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
State: LISTENING

Local Address: GEORGE:5354
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: LISTENING

Local Address: GEORGE:1244
Remote Address: LOCALHOST:1243
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: GEORGE:1243
Remote Address: LOCALHOST:1244
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: GEORGE:1241
Remote Address: LOCALHOST:1240
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: GEORGE:1240
Remote Address: LOCALHOST:1241
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: GEORGE:MICROSOFT-DS
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: GEORGE:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: LISTENING

Local Address: GEORGE.DOMAIN_NOT_SET.INVALID:5353
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA

Local Address: GEORGE.DOMAIN_NOT_SET.INVALID:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: GEORGE.DOMAIN_NOT_SET.INVALID:138
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: GEORGE.DOMAIN_NOT_SET.INVALID:NETBIOS-NS
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: GEORGE.DOMAIN_NOT_SET.INVALID:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: GEORGE:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: GEORGE:1156
Remote Address: NA
Type: UDP
Process: C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
State: NA

Local Address: GEORGE:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: GEORGE:49249
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA

Local Address: GEORGE:4500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA

Local Address: GEORGE:1025
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA

Local Address: GEORGE:500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA

Local Address: GEORGE:MICROSOFT-DS
Remote Address: NA
Type: UDP
Process: System
State: NA

**********************************************************
**********************************************************
No hidden files/folders found



Task Manager:

I found the Volume Control in Customize under 'Past Items'. It was set to 'Hide when Inactive'....along with Quicken, alerts, iTunes and "XP Antspyware 2010'... =O...I hope this is just a dead tag????
I set Volume Control to 'always on', applied, ok'd and rebooted....and it still does not show in the tray.

I also tested opening in Safe Mode....still the BSOD, on that.
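
A small triage script for a SysProt log like the one posted above, added here as an example; it is not part of this thread and not SysProt's own code. It parses the asterisk-separated sections and surfaces what a responder would check by hand: kernel modules reported as hidden, SSDT entries SysProt could not attribute to any loaded driver (Driver Name `_unknown_`, Driver Base 0), SSDT entries whose address falls outside the named driver's image, and IRP hooks grouped by hooking module. The embedded log is a constructed excerpt in the same layout as the log above, and the severity labels are this script's own convention. For orientation: vsdatant.sys is ZoneAlarm's TrueVector driver, so the SSDT entries and tcpip.sys IRP hooks it owns are expected on a machine running ZoneAlarm; the `_unknown_` entries are the ones worth attributing before declaring a system clean.

```python
"""Triage a SysProt AntiRootkit log: parse its sections and flag what to review.

Added example, not SysProt's code. Severity labels are this script's convention.
"""
import re

# Constructed excerpt in SysProt's log layout, modelled on the log posted in the
# thread (not the full log): a hidden kernel module, SSDT entries resolved to a
# named driver, SSDT entries SysProt could not attribute, and two IRP hooks.
SAMPLE_LOG = r"""
SysProt AntiRootkit v1.0.1.0
by swatkat

**********************************************************
**********************************************************

No Hidden Processes found

**********************************************************
**********************************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_iastor.sys
Service Name: ---
Module Base: EB56C000
Module End: EB641000
Hidden: Yes

**********************************************************
**********************************************************
SSDT:
Function Name: ZwCreateFile
Address: F23B8D80
Driver Base: F238B000
Driver End: F241B000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwCreateKey
Address: F7B06216
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwTerminateProcess
Address: F23D7A50
Driver Base: F238B000
Driver End: F241B000
Driver Name: \SystemRoot\System32\vsdatant.sys

**********************************************************
**********************************************************
No Kernel Hooks found

**********************************************************
**********************************************************
IRP Hooks:
Hooked Module: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: F23ED3B0
Hooking Module: C:\WINDOWS\System32\vsdatant.sys

Hooked Module: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: F23ED3B0
Hooking Module: C:\WINDOWS\System32\vsdatant.sys

**********************************************************
**********************************************************
No hidden files/folders found
"""

# SysProt separates sections with lines made only of asterisks.
SEPARATOR = re.compile(r"^\*{10,}$", re.MULTILINE)


def parse_sysprot_log(text):
    """Return {section title: [ {field: value}, ... ]} for titled sections such as
    "SSDT:" and "IRP Hooks:"; one-line statuses ("No Hidden Processes found")
    and the banner are collected under 'messages'."""
    sections = {"messages": []}
    for chunk in SEPARATOR.split(text):
        lines = [ln.rstrip() for ln in chunk.strip().splitlines()]
        if not lines:
            continue
        if not lines[0].endswith(":"):
            sections["messages"].append(" ".join(lines))
            continue
        title, records, current = lines[0][:-1], [], {}
        for ln in lines[1:]:
            if not ln:  # blank line closes a record
                if current:
                    records.append(current)
                    current = {}
                continue
            key, sep, value = ln.partition(": ")
            if sep:
                current[key] = value
        if current:
            records.append(current)
        sections[title] = records
    return sections


def in_range(addr_hex, base_hex, end_hex):
    """True when a hex address lies inside [base, end) of a driver image."""
    addr, base, end = (int(x, 16) for x in (addr_hex, base_hex, end_hex))
    return base <= addr < end


def triage(sections):
    """Return (severity, detail) findings. 'high' = the hook target is not inside
    any loaded driver image; 'review' = attributable, confirm the owner is expected."""
    findings = []
    # Hidden kernel modules: dump_* drivers are the crash-dump copy of the storage
    # stack and are typically reported hidden; anything else deserves a closer look.
    for mod in sections.get("Kernel Modules", []):
        if mod.get("Hidden") == "Yes":
            findings.append(("review", f"hidden kernel module {mod['Module Name']} "
                                       f"at {mod['Module Base']}-{mod['Module End']}"))
    by_driver = {}
    for hook in sections.get("SSDT", []):
        driver, addr = hook["Driver Name"], hook["Address"]
        if driver == "_unknown_" or hook["Driver Base"] == "0":
            findings.append(("high", f"SSDT {hook['Function Name']} -> {addr} "
                                     "not inside any loaded driver image"))
        elif not in_range(addr, hook["Driver Base"], hook["Driver End"]):
            findings.append(("high", f"SSDT {hook['Function Name']} -> {addr} "
                                     f"outside {driver} image"))
        else:
            by_driver.setdefault(driver, []).append(hook["Function Name"])
    for driver, funcs in by_driver.items():
        findings.append(("review", f"{driver} hooks {len(funcs)} SSDT entries: "
                                   + ", ".join(funcs)))
    by_hooker = {}
    for irp in sections.get("IRP Hooks", []):
        key = (irp["Hooking Module"], irp["Hooked Module"])
        by_hooker.setdefault(key, []).append(irp["Hooked IRP"])
    for (hooker, target), irps in by_hooker.items():
        findings.append(("review", f"{hooker} hooks {len(irps)} IRP handlers of "
                                   f"{target}: " + ", ".join(irps)))
    return findings


if __name__ == "__main__":
    for severity, detail in triage(parse_sysprot_log(SAMPLE_LOG)):
        print(f"[{severity}] {detail}")
```

Run it against a saved SysProt log by replacing SAMPLE_LOG with the file's contents; the `high` findings are the addresses to resolve (which image, if any, owns them) before trusting the rest of the log.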

Cypher
2010-02-16, 21:08
Hi DeciAz

"XP Antspyware 2010'... =O...I hope this is just a dead tag
There is no evidence of Antspyware 2010 in your logs at all.
I would like you to run one more scan for me and update your java.

Java SE Runtime Environment (JRE).

Please download from HERE (http://java.sun.com/javase/downloads/index.jsp)
Find Java SE Runtime Environment (JRE) 6 Update 18.
Click the Download JRE button to the right.
Choose the correct Platform and Multi-language. Next, check the box that says I agree to the Java SE Runtime Environment 6 License Agreement.
Click the Continue button.
Click on the filename under Windows Offline Installation and save it to your desktop.
Close all active windows.
Install the program.


Next.

Please run ATF Cleaner , it should still be on your Desktop.



Next.

Disable Avira anti-virus


Please navigate to the system tray on the bottom right hand corner and look for an open white umbrella on a red background (looks like this: http://i94.photobucket.com/albums/l84/SillyGerman/BleepingComputer/antivir.png )
Right-click it -> untick the option AntiVir Guard enable.
You should now see a closed, white umbrella on a red background (looks like this: http://i94.photobucket.com/albums/l84/SillyGerman/BleepingComputer/antivir_disabled.png )
Note: Don't forget to re-enable it after the below scan.

Next.

ESET online scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.


Please go Here (http://www.eset.com/onlinescan/) then click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS1.gif

Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox. Select the option YES, I accept the Terms of Use then click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS2.gif
When prompted allow the Add-On/Active X to install.
Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
Now click on Advanced Settings and select the following:

Scan for potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth Technology
Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS3.gif
The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet connection.
When completed the Online Scan will begin automatically.
Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS4.gif
Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
Copy and paste that log as a reply to this topic.

Logs/Information to Post in your Next Reply


ESET log.

DeciAz
2010-02-16, 23:46
ESET log:

C:\i386\GTDownDE_87.ocx probably a variant of Win32/Adware.Agent application

Cypher
2010-02-17, 11:25
Hi DeciAz.

Please go to C: > i386 << Delete this.

Next.

TDSSKiller


Please Download TDSSKiller.zip (http://support.kaspersky.com/downloads/utils/tdsskiller.zip) and save it on your desktop.
Extract (unzip) its contents to your Desktop.
Double-click the TDSSKiller Folder on your desktop.
Right-click on TDSSKiller.exe and click Copy then Paste it directly on to your Desktop.
Highlight and copy the text in the codebox below; do not include the word Code:

"%userprofile%\Desktop\TDSSKiller.exe" -v
Click Start, click Run... and paste the text above into the Open: line and click OK.
If malicious services or files have been detected, the utility will prompt to reboot the PC in order to complete the disinfection procedure. Please reboot when prompted.
After reboot, the driver will delete malicious registry keys and files as well as remove itself from the services list.
A log file should be created on your C: drive named something like TDSSKiller 2.1.1 Dec 20 2009 02:40:02
To find the log click Start > Computer > C:.
Please post the contents of that log in your next reply.

Logs/Information to Post in your Next Reply


tdsskiller.txt log.
Please give me an update on your computer's performance.

DeciAz
2010-02-17, 17:17
07:40:58:812 3608 TDSS rootkit removing tool 2.2.4 Feb 15 2010 19:38:31
07:40:58:828 3608 ================================================================================
07:40:58:828 3608 SystemInfo:

07:40:58:828 3608 OS Version: 5.1.2600 ServicePack: 3.0
07:40:58:828 3608 Product type: Workstation
07:40:58:828 3608 ComputerName: GEORGE
07:40:58:828 3608 UserName: Sharon
07:40:58:828 3608 Windows directory: C:\WINDOWS
07:40:58:828 3608 Processor architecture: Intel x86
07:40:58:828 3608 Number of processors: 2
07:40:58:828 3608 Page size: 0x1000
07:40:58:828 3608 Boot type: Normal boot
07:40:58:828 3608 ================================================================================
07:40:58:828 3608 UnloadDriverW: NtUnloadDriver error 2
07:40:58:828 3608 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
07:40:58:828 3608 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
07:40:58:828 3608 UtilityInit: KLMD drop and load success
07:40:58:828 3608 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201010)
07:40:58:828 3608 UtilityInit: KLMD open success
07:40:58:828 3608 UtilityInit: Initialize success
07:40:58:828 3608
07:40:58:828 3608 Scanning Services ...
07:40:58:828 3608 CreateRegParser: Registry parser init started
07:40:58:828 3608 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
07:40:58:828 3608 CreateRegParser: DisableWow64Redirection error
07:40:58:828 3608 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
07:40:58:828 3608 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
07:40:58:828 3608 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
07:40:58:828 3608 wfopen_ex: Trying to KLMD file open
07:40:58:828 3608 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
07:40:58:828 3608 wfopen_ex: File opened ok (Flags 2)
07:40:58:828 3608 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 384A00
07:40:58:828 3608 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
07:40:58:828 3608 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
07:40:58:828 3608 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
07:40:58:828 3608 wfopen_ex: Trying to KLMD file open
07:40:58:828 3608 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
07:40:58:828 3608 wfopen_ex: File opened ok (Flags 2)
07:40:58:828 3608 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 384AA8
07:40:58:828 3608 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
07:40:58:828 3608 CreateRegParser: EnableWow64Redirection error
07:40:58:828 3608 CreateRegParser: RegParser init completed
07:40:58:890 3608 GetAdvancedServicesInfo: Raw services enum returned 365 services
07:40:58:890 3608 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
07:40:58:890 3608 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
07:40:58:890 3608
07:40:58:890 3608 Scanning Kernel memory ...
07:40:58:890 3608 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
07:40:58:890 3608 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 86DC67B8
07:40:58:890 3608 DetectCureTDL3: KLMD_GetDeviceObjectList returned 4 DevObjects
07:40:58:890 3608
07:40:58:890 3608 DetectCureTDL3: DEVICE_OBJECT: 864628A0
07:40:58:890 3608 KLMD_GetLowerDeviceObject: Trying to get lower device object for 864628A0
07:40:58:890 3608 KLMD_ReadMem: Trying to ReadMemory 0x864628A0[0x38]
07:40:58:890 3608 DetectCureTDL3: DRIVER_OBJECT: 86DC67B8
07:40:58:890 3608 KLMD_ReadMem: Trying to ReadMemory 0x86DC67B8[0xA8]
07:40:58:890 3608 KLMD_ReadMem: Trying to ReadMemory 0xE17E9808[0x18]
07:40:58:890 3608 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
07:40:58:890 3608 DetectCureTDL3: IRP_MJ_CREATE : F74D8BB0
07:40:58:890 3608 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804F4562
07:40:58:890 3608 DetectCureTDL3: IRP_MJ_CLOSE : F74D8BB0
07:40:58:890 3608 DetectCureTDL3: IRP_MJ_READ : F74D2D1F
07:40:58:890 3608 DetectCureTDL3: IRP_MJ_WRITE : F74D2D1F
07:40:58:890 3608 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804F4562
07:40:58:890 3608 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804F4562
07:40:58:890 3608 DetectCureTDL3: IRP_MJ_QUERY_EA : 804F4562
07:40:58:890 3608 DetectCureTDL3: IRP_MJ_SET_EA : 804F4562
07:40:58:890 3608 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : F74D32E2
07:40:58:890 3608 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
07:40:58:890 3608 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
07:40:58:890 3608 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804F4562
07:40:58:890 3608 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
07:40:58:890 3608 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : F74D33BB
07:40:58:890 3608 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : F74D6F28
07:40:58:890 3608 DetectCureTDL3: IRP_MJ_SHUTDOWN : F74D32E2
07:40:58:890 3608 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804F4562
07:40:58:890 3608 DetectCureTDL3: IRP_MJ_CLEANUP : 804F4562
07:40:58:890 3608 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804F4562
07:40:58:890 3608 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804F4562
07:40:58:890 3608 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804F4562
07:40:58:890 3608 DetectCureTDL3: IRP_MJ_POWER : F74D4C82
07:40:58:890 3608 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : F74D999E
07:40:58:890 3608 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804F4562
07:40:58:890 3608 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804F4562
07:40:58:890 3608 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804F4562
07:40:58:890 3608 TDL3_FileDetect: Processing driver: Disk
07:40:58:890 3608 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
07:40:58:890 3608 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
07:40:58:890 3608 TDL3_FileDetect: Processing driver: Disk
07:40:58:890 3608 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
07:40:58:890 3608 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
07:40:58:890 3608 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
07:40:58:906 3608
07:40:58:906 3608 DetectCureTDL3: DEVICE_OBJECT: 86462C68
07:40:58:906 3608 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86462C68
07:40:58:906 3608 KLMD_ReadMem: Trying to ReadMemory 0x86462C68[0x38]
07:40:58:906 3608 DetectCureTDL3: DRIVER_OBJECT: 86DC67B8
07:40:58:906 3608 KLMD_ReadMem: Trying to ReadMemory 0x86DC67B8[0xA8]
07:40:58:906 3608 KLMD_ReadMem: Trying to ReadMemory 0xE17E9808[0x18]
07:40:58:906 3608 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_CREATE : F74D8BB0
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804F4562
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_CLOSE : F74D8BB0
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_READ : F74D2D1F
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_WRITE : F74D2D1F
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804F4562
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804F4562
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_QUERY_EA : 804F4562
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_SET_EA : 804F4562
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : F74D32E2
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804F4562
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : F74D33BB
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : F74D6F28
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_SHUTDOWN : F74D32E2
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804F4562
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_CLEANUP : 804F4562
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804F4562
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804F4562
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804F4562
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_POWER : F74D4C82
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : F74D999E
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804F4562
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804F4562
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804F4562
07:40:58:906 3608 TDL3_FileDetect: Processing driver: Disk
07:40:58:906 3608 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
07:40:58:906 3608 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
07:40:58:906 3608 TDL3_FileDetect: Processing driver: Disk
07:40:58:906 3608 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
07:40:58:906 3608 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
07:40:58:906 3608 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
07:40:58:906 3608
07:40:58:906 3608 DetectCureTDL3: DEVICE_OBJECT: 86462030
07:40:58:906 3608 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86462030
07:40:58:906 3608 KLMD_ReadMem: Trying to ReadMemory 0x86462030[0x38]
07:40:58:906 3608 DetectCureTDL3: DRIVER_OBJECT: 86DC67B8
07:40:58:906 3608 KLMD_ReadMem: Trying to ReadMemory 0x86DC67B8[0xA8]
07:40:58:906 3608 KLMD_ReadMem: Trying to ReadMemory 0xE17E9808[0x18]
07:40:58:906 3608 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_CREATE : F74D8BB0
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804F4562
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_CLOSE : F74D8BB0
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_READ : F74D2D1F
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_WRITE : F74D2D1F
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804F4562
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804F4562
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_QUERY_EA : 804F4562
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_SET_EA : 804F4562
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : F74D32E2
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804F4562
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : F74D33BB
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : F74D6F28
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_SHUTDOWN : F74D32E2
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804F4562
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_CLEANUP : 804F4562
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804F4562
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804F4562
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804F4562
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_POWER : F74D4C82
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : F74D999E
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804F4562
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804F4562
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804F4562
07:40:58:906 3608 TDL3_FileDetect: Processing driver: Disk
07:40:58:906 3608 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
07:40:58:906 3608 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
07:40:58:906 3608 TDL3_FileDetect: Processing driver: Disk
07:40:58:906 3608 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
07:40:58:906 3608 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
07:40:58:906 3608 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
07:40:58:906 3608
07:40:58:906 3608 DetectCureTDL3: DEVICE_OBJECT: 86D813B0
07:40:58:906 3608 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86D813B0
07:40:58:906 3608 DetectCureTDL3: DEVICE_OBJECT: 86864030
07:40:58:906 3608 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86864030
07:40:58:906 3608 KLMD_ReadMem: Trying to ReadMemory 0x86864030[0x38]
07:40:58:906 3608 DetectCureTDL3: DRIVER_OBJECT: 86DA6420
07:40:58:906 3608 KLMD_ReadMem: Trying to ReadMemory 0x86DA6420[0xA8]
07:40:58:906 3608 KLMD_ReadMem: Trying to ReadMemory 0xE17DFFA0[0x1C]
07:40:58:906 3608 DetectCureTDL3: DRIVER_OBJECT name: \Driver\iastor, Driver Name: iastor
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_CREATE : F7255144
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804F4562
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_CLOSE : F7255144
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_READ : 804F4562
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_WRITE : 804F4562
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804F4562
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804F4562
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_QUERY_EA : 804F4562
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_SET_EA : 804F4562
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : 804F4562
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804F4562
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : F7258824
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : F7258AE6
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_SHUTDOWN : 804F4562
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804F4562
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_CLEANUP : 804F4562
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804F4562
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804F4562
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804F4562
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_POWER : F725D87E
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : F725D90A
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804F4562
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804F4562
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804F4562
07:40:58:906 3608 TDL3_FileDetect: Processing driver: iastor
07:40:58:906 3608 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\iastor.sys
07:40:58:906 3608 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\iastor.sys
07:40:58:953 3608 TDL3_FileDetect: Processing driver: iastor
07:40:58:953 3608 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\iastor.sys
07:40:58:953 3608 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\iastor.sys
07:40:58:968 3608 TDL3_FileDetect: C:\WINDOWS\system32\drivers\iastor.sys - Verdict: Clean
07:40:58:968 3608
07:40:58:968 3608 Completed
07:40:58:968 3608
07:40:58:968 3608 Results:
07:40:58:968 3608 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
07:40:58:968 3608 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
07:40:58:968 3608 File objects infected / cured / cured on reboot: 0 / 0 / 0
07:40:58:968 3608
07:40:58:968 3608 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
07:40:58:968 3608 UtilityDeinit: KLMD(ARK) unloaded successfully
------------------

State of the Computer:

The Rundll32.exe and Rundll messages still appear on boot-up.

After starting the computer with the ethernet cable unplugged (which I have begun doing since the attack), I had generic blank window icons on my Start Button menu. When I rebooted, after deleting the C: file this morning, I had the weird virus icons back on that menu.

Somewhere in yesterday's activities, I lost my Flash Player. I still have all the other Adobe software listed on my Add/Remove menu, including the Flashplayer 10 plugin.

Some programs accessed from AOL do not work, one mentioned needing 'scripting' permissions. Videos on AOL do not work, but the ones on Firefox do.

I cannot use any of the menu tools on this reply window, either. (I am in Firefox for this forum.)

Java and Adobe have asked to install updates/programs, but I have been refusing permission, until talking to you.

Thank you for all your help and patience. =)
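The DetectCureTDL3 dump above lists, for each driver object in the disk stack, where every IRP_MJ_* dispatch pointer goes. The TDL3 family hides by redirecting the READ, WRITE and DEVICE_CONTROL entries of the lowest storage driver into code that belongs to no loaded module, so the check that matters is whether each pointer falls inside the owning driver's image or inside the kernel (804F4562, shared by every unused slot above, is consistent with the kernel's default handler for unsupported requests). The Python below is an added example, not part of this thread or of TDSSKiller: the log lines and module ranges in it are constructed (the "atapi" entries are made up to show what a hooked table looks like), and a real tool would take the image ranges from the kernel's loaded-module list rather than a hard-coded dictionary.

```python
import re
from collections import defaultdict

# Constructed sample in the TDSSKiller "DetectCureTDL3" line format (not the original log):
# "Disk" is clean; "atapi" has READ/WRITE/DEVICE_CONTROL redirected to a non-module address.
SAMPLE_LOG = """\
07:40:58:906 3608 DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\Disk, Driver Name: Disk
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_CREATE : F74D8BB0
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804F4562
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_READ : F74D2D1F
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_WRITE : F74D2D1F
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : F74D33BB
07:40:58:906 3608 DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\atapi, Driver Name: atapi
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_CREATE : F7431144
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_READ : 86A3F2C0
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_WRITE : 86A3F2C0
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : 86A3F2C0
07:40:58:906 3608 DetectCureTDL3: IRP_MJ_POWER : F743D87E
"""

# Assumed (base, size) image ranges for the modules the sample refers to.  These are
# constructed to fit the sample; on a live system they come from the loaded-module list.
MODULE_RANGES = {
    "ntoskrnl.exe": (0x804D7000, 0x1F5000),  # hosts the default handler used by unset slots
    "disk.sys":     (0xF74D1000, 0x00A000),
    "atapi.sys":    (0xF7430000, 0x017000),
}

DRIVER_RE = re.compile(r"DetectCureTDL3: DRIVER_OBJECT name: \S+, Driver Name: (\S+)")
DISPATCH_RE = re.compile(r"DetectCureTDL3: (IRP_MJ_\w+) : ([0-9A-Fa-f]{8})")


def parse_dispatch_tables(log_text):
    """Group the IRP_MJ_* dispatch addresses by the driver object that owns them."""
    tables = defaultdict(dict)
    current = None
    for line in log_text.splitlines():
        m = DRIVER_RE.search(line)
        if m:
            current = m.group(1)
            continue
        m = DISPATCH_RE.search(line)
        if m and current is not None:
            tables[current][m.group(1)] = int(m.group(2), 16)
    return dict(tables)


def module_for(address, ranges=MODULE_RANGES):
    """Return the name of the module whose image range contains address, else None."""
    for name, (base, size) in ranges.items():
        if base <= address < base + size:
            return name
    return None


def find_hooked_dispatch(tables, ranges=MODULE_RANGES):
    """Flag dispatch pointers that fall inside no known module image.

    A legitimate entry points into the driver's own image or into the kernel's
    default handler.  A pointer that resolves to no module is the TDL3 pattern:
    the rootkit allocates its own code in pool memory and swings the disk
    driver's READ/WRITE/DEVICE_CONTROL slots at it.
    """
    findings = []
    for driver, table in tables.items():
        for irp, addr in table.items():
            if module_for(addr, ranges) is None:
                findings.append((driver, irp, addr))
    return findings


if __name__ == "__main__":
    for driver, irp, addr in find_hooked_dispatch(parse_dispatch_tables(SAMPLE_LOG)):
        print(f"{driver}: {irp} -> {addr:08X} is outside every loaded module")
```

The same pass can be run over a real TDSSKiller log once the module ranges are filled in from the loaded-module list; entries whose address resolves to a module other than the owning driver (a filter driver's image, for instance) deserve a second look even though this check does not flag them.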

Cypher
2010-02-17, 17:48
Hi DeciAz.
Your logs are looking clean so far, but I want to check one thing out.


SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:

:dir
C:\Documents and Settings\All Users\Application Data\NOS


Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt.

DeciAz
2010-02-17, 17:54
Here is the log:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 09:52 on 17/02/2010 by Sharon (Administrator - Elevation successful)

========== dir ==========

C:\Documents and Settings\All Users\Application Data\NOS - Parameters: "(none)"

---Files---
getUninst_E2883E8F-472F-4fb0-9522-AC9BF37916A7.dat --a--- 1530 bytes [23:39 13/02/2010] [00:34 14/02/2010]

---Folders---
Adobe_Downloads d----- [00:34 14/02/2010]
GP_GUI_Adobe d----- [23:39 13/02/2010]

-=End Of File=-

Cypher
2010-02-17, 18:02
OK, let's try this.

Please navigate to Start >> All Programs >> ERUNT, then double-click ERUNT from the menu.
Click on OK within the pop-up menu.
In the next menu, under C:\WINDOWS\ERDNT\DD-MM-YYYY, under Backup options, make sure both of the following are selected:
System registry.
Current user registry.
Next, click on "OK"; at the prompt, reply "Yes".
After a short duration the Registry backup is complete! pop-up message will appear.
Now click on "OK". A registry backup has now been created.


Next.


Please run ATF Cleaner. It should still be on your Desktop.


Next.

Disable Avira anti-virus


Please navigate to the system tray in the bottom right-hand corner and look for an open white umbrella on a red background (it looks like this: http://i94.photobucket.com/albums/l84/SillyGerman/BleepingComputer/antivir.png ).
Right-click it and untick the option "AntiVir Guard enable".
You should now see a closed white umbrella on a red background (it looks like this: http://i94.photobucket.com/albums/l84/SillyGerman/BleepingComputer/antivir_disabled.png ).
Note: Don't forget to re-enable it after the fix.


Next.

Download and Run ComboFix

Please download ComboFix from one of the following links.

Link 1. (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)

Link 2. (http://www.forospyware.com/sUBs/ComboFix.exe)

**IMPORTANT !!! Save ComboFix.exe to your Desktop**

Please disable any Antivirus or Firewall you have active, as shown in this topic (http://www.bleepingcomputer.com/forums/topic114351.html). Please close all open application windows.
Double click on ComboFix.exe & follow the prompts
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
http://img.photobucket.com/albums/v666/sUBs/Query_RC.gif
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v666/sUBs/RC_successful.gif


Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper



Logs/Information to Post in your Next Reply


ComboFix log.
Please give me an update on your computers performance.

DeciAz
2010-02-17, 19:10
I ran ComboFix; it installed a Windows Recovery Console and then ran.

It deleted a short list of files, including, it appears from my brief glimpse, the pop-up file I am getting.

But when it came to preparing a log, I got the BSOD, with an error code referencing an mbr.sys address (I copied the error code down, if you would like to see it).

When I rebooted, the pop-ups appeared and my ZoneAlarm and Avira were running, even though I had disabled them before running the program... so a restore point, maybe?

Should I run again?

Cypher
2010-02-17, 19:21
OK, see if there is a ComboFix log. It can be found at C:\ComboFix.txt.
Also post the error code in your next reply.

Next.

MBR Rootkit Detector:

Please download MBR Rootkit Detector (http://www2.gmer.net/mbr/mbr.exe) by GMER and save it to your desktop.


Double click on the MBR.exe file to run it.
A window will open briefly then close.
A log will be produced & saved to the desktop, called MBR.log.
Please post the contents of that log in your next reply.

Logs/Information to Post in your Next Reply


ComboFix.txt if found
MBR.log
Error code.

DeciAz
2010-02-17, 19:39
I already searched for the log, but could not find it.

The error code was:
Stop: 0x000000D1 (0X353900,0X0000001C,0X00000001,0XF775B41D)

mbr.sys-address F775B41D base at F775AWQ (or 000 can't read my own handwriting) date stamp 4add63e5


This is the MBR log:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
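The three lines above are the whole of the detector's verdict: sector 0 was read once through the ordinary user-mode path and once from the kernel, below the disk stack's hooks, and the two copies agreed. A stealth MBR rootkit (Mebroot/Sinowal) stays hidden precisely by handing user mode the original sector while the one actually on disk carries its loader, so a mismatch, especially in the boot-code area, is the signal. The Python below is an added example, not part of this thread or of GMER's tool: it parses a constructed 512-byte MBR, validates the boot signature and partition entries, and diffs two reads to report which region of the sector disagrees. The user-mode read function is ordinary Windows usage (\\.\PhysicalDrive0, Administrator required); the kernel-side read needs a driver and is not reproduced here.

```python
import struct

MBR_SIZE = 512
BOOT_CODE_END = 446          # bytes 0..445 are boot code
TABLE_END = 510              # bytes 446..509 are the four 16-byte partition entries
SIGNATURE = b"\x55\xaa"      # bytes 510..511
ENTRY_FMT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr():
    """Construct a sample MBR (not from any real disk): a few bytes of placeholder
    boot code, one bootable NTFS partition starting at LBA 63, three empty entries."""
    boot_code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + bytes(BOOT_CODE_END - 7)
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff",
                        63, 488_281_250)
    return boot_code + entry + bytes(16) * 3 + SIGNATURE


def parse_mbr(sector):
    """Validate the boot signature and return the non-empty partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[TABLE_END:] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = BOOT_CODE_END + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype == 0:
            continue
        if status not in (0x00, 0x80):
            raise ValueError(f"partition {i}: invalid status byte {status:#04x}")
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba, "sectors": count})
    return parts


def region_of(offset):
    """Name the MBR region a byte offset falls in."""
    if offset < BOOT_CODE_END:
        return "boot code"
    if offset < TABLE_END:
        return "partition table"
    return "signature"


def compare_reads(user_read, kernel_read):
    """The detector's core check: diff the two copies of sector 0.

    Returns (ok, regions) where regions is the set of MBR regions that differ.
    A hooked disk stack usually serves user mode a clean boot sector while the
    real one holds the rootkit loader, so a 'boot code' discrepancy is the
    classic sign; a 'partition table' discrepancy points at hidden partitions.
    """
    if len(user_read) != len(kernel_read):
        return False, {"length"}
    regions = {region_of(i) for i, (a, b) in enumerate(zip(user_read, kernel_read)) if a != b}
    return not regions, regions


def read_sector0_user_mode(device=r"\\.\PhysicalDrive0"):
    """User-mode read of sector 0 on Windows (run as Administrator).  This is the
    'user' half of the comparison; the 'kernel' half needs a driver that issues
    the read to the lowest device object in the disk stack."""
    with open(device, "rb", buffering=0) as f:
        return f.read(MBR_SIZE)


if __name__ == "__main__":
    clean = build_sample_mbr()
    print(parse_mbr(clean))
    # Constructed 'kernel' view with patched boot code, standing in for an infected sector.
    infected = bytearray(clean)
    infected[0:4] = b"\xeb\x58\x90\x00"
    print(compare_reads(clean, bytes(infected)))
```

On a live machine the two inputs to compare_reads are the user-mode read above and a sector obtained by a trusted path (a kernel driver, or the disk imaged from a boot CD); the interesting case is when they differ while both still parse as a valid MBR.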

Cypher
2010-02-17, 20:16
Hi DeciAz.
Don't do anything else for now.
I will have a think about this and get back to you as soon as possible.

Cypher
2010-02-17, 20:52
Hi DeciAz.
ComboFix includes the MBR scan I just had you run.
It looks like the mbr.sys driver crashed before the scan was completed.

OK, run ComboFix again.
Please be sure that your Antivirus is disabled before running ComboFix.
Post the log in your next reply.

DeciAz
2010-02-17, 22:15
ComboFix 10-02-16.03 - Sharon 02/17/2010 13:58:38.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.686 [GMT -7:00]
Running from: c:\documents and settings\Sharon\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\rundll32 .exe
c:\windows\system32\twain.dll
c:\windows\system32\twain_32.dll

.
((((((((((((((((((((((((( Files Created from 2010-01-17 to 2010-02-17 )))))))))))))))))))))))))))))))
.

2010-02-16 20:20 . 2010-02-16 20:20 -------- d-----w- c:\program files\Common Files\Java
2010-02-16 20:20 . 2010-02-16 20:20 503808 ----a-w- c:\documents and settings\Sharon\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-157a94d2-n\msvcp71.dll
2010-02-16 20:20 . 2010-02-16 20:20 499712 ----a-w- c:\documents and settings\Sharon\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-157a94d2-n\jmc.dll
2010-02-16 20:20 . 2010-02-16 20:20 348160 ----a-w- c:\documents and settings\Sharon\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-157a94d2-n\msvcr71.dll
2010-02-16 20:20 . 2010-02-16 20:20 61440 ----a-w- c:\documents and settings\Sharon\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-793db118-n\decora-sse.dll
2010-02-16 20:20 . 2010-02-16 20:20 12800 ----a-w- c:\documents and settings\Sharon\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-793db118-n\decora-d3d.dll
2010-02-16 13:54 . 2010-02-16 13:54 -------- d-----w- C:\_OTM
2010-02-16 03:21 . 2010-02-16 03:21 -------- d-----w- C:\rsit
2010-02-14 00:38 . 2010-02-14 00:38 38784 ----a-w- c:\documents and settings\Sharon\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-14 00:38 . 2010-02-14 00:38 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-02-14 00:34 . 2010-02-14 00:35 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-02-13 23:39 . 2010-02-14 00:34 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-02-13 23:39 . 2010-02-13 23:39 -------- d-----w- c:\program files\NOS
2010-02-13 23:39 . 2010-01-25 17:02 31936 ----a-w- c:\documents and settings\Sharon\Application Data\Mozilla\Firefox\Profiles\aa101x97.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2010-02-13 23:39 . 2010-01-25 17:02 29344 ----a-w- c:\documents and settings\Sharon\Application Data\Mozilla\Firefox\Profiles\aa101x97.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2010-02-13 06:32 . 2010-02-13 06:32 -------- d-sh--w- c:\documents and settings\Sharon\IECompatCache
2010-02-12 21:56 . 2010-02-13 01:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-12 16:40 . 2010-02-12 16:40 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-02-10 19:59 . 2010-02-10 19:59 -------- d-----w- c:\program files\Trend Micro
2010-02-10 19:29 . 2010-02-10 20:01 -------- d-----w- c:\program files\ERUNT
2010-02-10 00:23 . 2010-01-07 23:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-10 00:23 . 2010-01-07 23:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-09 02:02 . 2010-02-09 02:02 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-02-09 02:02 . 2010-02-09 02:02 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-01-28 22:53 . 2010-01-28 22:53 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-01-28 22:53 . 2009-11-22 22:42 69000 ----a-w- c:\windows\system32\zlcomm.dll
2010-01-28 22:53 . 2009-11-22 22:42 103816 ----a-w- c:\windows\system32\zlcommdb.dll
2010-01-28 22:53 . 2010-01-28 22:53 -------- d-----w- c:\windows\system32\ZoneLabs
2010-01-28 22:53 . 2009-11-22 22:42 1238408 ----a-w- c:\windows\system32\zpeng25.dll
2010-01-28 22:53 . 2010-01-28 22:53 -------- d-----w- c:\program files\Zone Labs
2010-01-28 22:50 . 2010-02-17 18:59 -------- d-----w- c:\windows\Internet Logs
2010-01-26 05:46 . 2010-02-13 02:27 -------- d-----w- c:\program files\AOL 9.5a
2010-01-25 23:28 . 2010-01-26 05:17 -------- d-----w- c:\program files\AOL 9.5
2010-01-25 23:17 . 2010-01-25 23:26 43732816 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol_single\4337.155.1.1\setup.exe
2010-01-25 23:17 . 2010-01-25 23:17 42960 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol_single\4337.155.1.1\noneCodesignFilesBundle.exe
2010-01-22 17:47 . 2010-01-22 17:47 -------- d-----w- c:\documents and settings\Sharon\Application Data\Malwarebytes
2010-01-22 17:47 . 2010-01-22 17:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-17 17:51 . 2010-01-29 13:18 5261146 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-02-16 20:19 . 2008-12-09 05:33 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-16 17:27 . 2005-07-16 16:52 -------- d-----w- c:\program files\Java
2010-02-16 04:56 . 2009-05-23 16:55 -------- d-----w- c:\program files\Fishdom
2010-02-15 03:35 . 2009-12-02 18:22 -------- d-----w- c:\documents and settings\Sharon\Application Data\Dofus 2
2010-02-14 00:42 . 2005-07-23 17:26 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-13 06:54 . 2005-07-27 19:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-13 05:38 . 2005-07-27 19:12 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-13 03:36 . 2009-12-19 16:57 -------- d-----w- c:\program files\QuickTime
2010-02-13 01:48 . 2009-12-19 17:00 -------- d-----w- c:\program files\iTunes
2010-02-12 21:36 . 2005-07-23 19:50 -------- d-----w- c:\program files\Maxis
2010-02-12 18:10 . 2005-12-05 18:44 -------- d-----w- c:\documents and settings\Sharon\Application Data\Apple Computer
2010-02-12 16:37 . 2007-04-08 08:37 -------- d-----w- c:\program files\Google
2010-02-09 22:16 . 2005-11-03 23:19 -------- d-----w- c:\program files\EA GAMES
2010-02-09 21:57 . 2008-11-17 16:04 -------- d-----w- c:\documents and settings\All Users\Application Data\HipSoft
2010-02-09 21:57 . 2007-01-08 23:08 -------- d-----w- c:\program files\AOL Games
2010-01-26 05:48 . 2005-07-24 16:33 -------- d-----w- c:\documents and settings\Sharon\Application Data\AOL
2010-01-26 05:47 . 2005-07-23 19:24 -------- d-----w- c:\program files\Common Files\AOL
2010-01-26 05:46 . 2005-12-31 20:25 -------- d-----w- c:\program files\Common Files\aolshare
2010-01-26 05:46 . 2005-07-24 16:31 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2010-01-25 23:17 . 2005-07-24 14:37 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2010-01-22 23:06 . 2002-01-23 14:37 70768 -c--a-w- c:\documents and settings\Sharon\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-15 17:14 . 2010-01-14 17:13 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-01-14 17:13 . 2010-01-14 17:13 -------- d-----w- c:\program files\Avira
2010-01-14 17:13 . 2010-01-14 17:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-01-04 18:41 . 2007-12-19 03:48 -------- d-----w- c:\program files\Dofus
2009-12-31 16:50 . 2005-07-16 16:37 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-19 16:48 . 2009-12-19 16:48 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-12-16 18:43 . 2008-09-04 17:24 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-10 17:50 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:26 . 2004-08-10 17:51 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2004-08-04 03:59 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2005-07-16 16:37 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:11 . 2004-08-10 17:51 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:11 . 2004-08-04 05:56 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:07 . 2004-08-10 17:51 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2001-08-18 03:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2004-08-10 17:51 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:07 . 2004-08-10 17:50 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07 . 2004-08-04 05:56 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-21 15:51 . 2004-08-10 17:50 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2007-02-15 18:25 . 2006-04-08 19:36 480624 -c--a-w- c:\program files\2005 Porter R Tax Return.tax
.

<pre>
c:\program files\AOL 9.5a\aol .exe
c:\program files\Common Files\AOL\1105975379\EE\aolsoftware .exe
c:\program files\Common Files\InstallShield\UpdateService\issch .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm .exe
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\Intel\Intel Matrix Storage Manager\iaanotif .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\Malwarebytes' Anti-Malware\mbam .exe
c:\program files\MouseWare\system\em_exec .exe
c:\program files\QuickTime\qttask .exe
c:\program files\Spybot - Search & Destroy\teatimer .exe
c:\windows\system32\dla\tfswctrl .exe
c:\windows\system32\spool\drivers\w32x86\3\hpztsb07 .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-02-12 39408]
"Flablt"="c:\documents and settings\Sharon\Application Data\Adobe\Update\wndcor.dat" [2010-02-05 18732]
"AOL Fast Start"="c:\program files\AOL 9.5a\AOL.EXE" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\quicktime\qttask .exe -atboottime" [X]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]
"EM_EXEC"="c:\progra~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [N/A]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-10-21 29696]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [N/A]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [N/A]
"Pure Networks Port Magic"="c:\progra~1\purene~1\portma~1\PORTAO~1.EXE" [N/A]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [N/A]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [N/A]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"HostManager"="c:\program files\Common Files\AOL\1105975379\ee\AOLSoftware.exe" [N/A]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-11-22 1037192]
"ISUSScheduler"="c:\progra~1\common~1\instal~1\update~1\issch.exe" [N/A]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Flablt"="c:\documents and settings\Sharon\Application Data\Adobe\Update\wndcor.dat" [2010-02-05 18732]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AmazonGSDownloaderTray]
2009-04-06 23:35 247296 ----a-w- c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 23:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
c:\program files\Common Files\InstallShield\UpdateService\issch.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
2006-01-19 18:06 11776 ----a-w- c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Walgreens PhotoShow Media Manager]
2006-04-20 06:35 237568 ----a-w- c:\progra~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1105975379\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Maxis\\The Sims\\support\\The Sims Makin' Magic_eReg.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\MUSICMATCH\\Musicmatch Jukebox\\mmjb.exe"=
"c:\\psfonts\\ATMFM.EXE"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Infogrames Interactive\\Monopoly Tycoon\\mc.exe"=
"c:\\Documents and Settings\\Sharon\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\DofusUpdater\\DofusUpdater.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AOL 9.5\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\AOL 9.5a\\waol.exe"=

R2 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [5/23/2009 9:51 AM 319488]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [1/14/2010 10:13 AM 108289]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/12/2010 9:38 AM 135664]
S2 mrtRate;mrtRate; [x]
S3 SysProtDrv.sys;SysProtDrv.sys;c:\documents and settings\Sharon\Desktop\SysProt\SysProtDrv.sys [2/16/2010 12:26 PM 44288]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-02-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-02-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-12 16:37]

2010-02-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-12 16:37]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com
uInternet Settings,ProxyOverride = 127.0.0.1;localhost;*.local
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
Trusted Zone: turbotax.com
Trusted Zone: musicmatch.com\online
DPF: {D40F5876-A494-4124-8161-82625BB28C06} - hxxp://aolsvc.aol.com/onlinegames/free-trial-chocolatier-2-secret-ingredients/Chocolatier2Web.1.0.0.14.cab
DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} - hxxp://aolsvc.aol.com/onlinegames/oberonmajongescape/PTGameLauncher.cab
FF - ProfilePath - c:\documents and settings\Sharon\Application Data\Mozilla\Firefox\Profiles\aa101x97.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\documents and settings\Sharon\Application Data\Mozilla\Firefox\Profiles\aa101x97.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Port Magic - c:\program files\Pure Networks\Port Magic\PortAOL.exe
AddRemove-Quicken Financial Suite - c:\quickenw\DeIsL1.isu



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-17 14:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,bd,d3,17,99,3b,08,83,47,8e,f6,6a,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,bd,d3,17,99,3b,08,83,47,8e,f6,6a,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-02-17 14:12:07
ComboFix-quarantined-files.txt 2010-02-17 21:12

Pre-Run: 38,173,761,536 bytes free
Post-Run: 38,051,131,392 bytes free

- - End Of File - - 280B830112916B60A1304638307462FC

Cypher
2010-02-18, 14:02
Hi DeciAz.
Looks like you have a Vundo file infector.

Please continue with the instructions below.

Disable Avira anti-virus


Please navigate to the system tray in the bottom right-hand corner and look for an open white umbrella on a red background (it looks like this: http://i94.photobucket.com/albums/l84/SillyGerman/BleepingComputer/antivir.png ).
Right-click it -> untick the option "AntiVir Guard enable".
You should now see a closed white umbrella on a red background (it looks like this: http://i94.photobucket.com/albums/l84/SillyGerman/BleepingComputer/antivir_disabled.png ).
Note: Don't forget to re-enable it after the fix.

Next.

ComboFix - CFScript
This script is for this user and computer ONLY! Using this tool incorrectly could cause problems with your operating system... preventing it from ever starting again!
You will not have Internet access when you execute ComboFix. All open windows will need to be closed!
Please open Notepad and copy/paste all the text below... into the window:


RenV::
c:\program files\AOL 9.5a\aol .exe
c:\program files\Common Files\AOL\1105975379\EE\aolsoftware .exe
c:\program files\Common Files\InstallShield\UpdateService\issch .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm .exe
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\Intel\Intel Matrix Storage Manager\iaanotif .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\Malwarebytes' Anti-Malware\mbam .exe
c:\program files\MouseWare\system\em_exec .exe
c:\program files\QuickTime\qttask .exe
c:\program files\Spybot - Search & Destroy\teatimer .exe
c:\windows\system32\dla\tfswctrl .exe
c:\windows\system32\spool\drivers\w32x86\3\hpztsb07 .exe


Save it to your desktop as CFScript.txt
Please disable any Antivirus or Firewall you have active, as shown in this topic (http://www.bleepingcomputer.com/forums/topic114351.html). Please close all open application windows.
*Only* when the 2 items above (Step 3) have been taken care of...
Drag the CFScript.txt (icon) into the ComboFix.exe icon... as seen in the image below:
http://i526.photobucket.com/albums/cc345/MPKwings/ComboFixScriptDrag.gif
This will cause ComboFix to run again.
Do not use your keyboard or mouse, or click anywhere in the ComboFix window, as this may cause the program to stall or crash.
Do not touch your computer while ComboFix is running!
When finished ComboFix will create a log file... you can save this file to a convenient place.
Please copy/paste the ComboFix log file in your next reply.



Logs/Information to Post in your Next Reply


ComboFix log.
Please give me an update on your computer's performance.
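
Editor's note, added between the two posts above and below: the RenV:: list in Cypher's CFScript and the Run-key listing in the ComboFix logs in this thread show the two patterns a Vundo file infector leaves behind, a companion file named "name .exe" (a space before the extension) sitting next to the real program, and an autostart value that points at a non-executable file in the user's profile (the "Flablt" entry pointing at a .dat). The script below is an added example, not ComboFix's code and not part of the original thread. It parses Run-key lines in the layout ComboFix prints under "Reg Loading Points", flags both patterns, and derives a RenV:: list in the form Cypher's script uses. The sample text is constructed from entries quoted in the thread and is not the complete listing; the function names and the set of extensions treated as executable are this example's own choices.

```python
"""Triage Run-key autostart entries for Vundo-style companion files ("name .exe")
and for autostart targets that are not executables and live in the user profile.
Added example for this thread; it is not ComboFix's own code."""
import re
from collections import namedtuple

# Constructed sample in the layout ComboFix prints under "Reg Loading Points".
# Paths echo entries quoted in this thread; this is not the full listing.
SAMPLE_RUN_KEYS = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-14 68856]
"Flablt"="c:\documents and settings\Sharon\Application Data\Adobe\Update\wndcor.dat" [2010-02-05 18732]
"AOL Fast Start"="c:\program files\AOL 9.5a\AOL.EXE" [2009-10-28 50536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\quicktime\qttask .exe -atboottime" [X]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
'''

Finding = namedtuple("Finding", "key name path reasons")

KEY_RE = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"')
# Non-greedy path up to the FIRST ".ext" that is followed by whitespace or the
# end, so "qttask .exe -atboottime" splits into the path "...\qttask .exe" and
# the argument, while "AOL 9.5a\AOL.EXE" is not cut at the "9.5a" directory.
PATH_RE = re.compile(
    r'^(?P<path>.*?\.(?P<ext>[A-Za-z0-9]{1,4}))(?=\s|$)(?P<args>.*)$')
# Heuristic choice for this example: extensions Windows runs directly.
PE_EXECUTABLE = {"exe", "com", "scr", "pif", "bat", "cmd"}


def parse_run_entries(text):
    """Yield (key, name, raw_value) for every value line under a [HKEY_...] header."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield key, m.group("name"), m.group("value")


def split_target(raw_value):
    """Return (path, lowercase_ext, args) for a Run value, or None if no file is found."""
    m = PATH_RE.match(raw_value.strip())
    if not m:
        return None
    return m.group("path"), m.group("ext").lower(), m.group("args").strip()


def companion_original(path):
    """For 'dir\\name .exe' return 'dir\\name.exe', the program the companion shadows."""
    return re.sub(r'\s+(\.[A-Za-z0-9]{1,4})$', r'\1', path)


def triage_entry(key, name, raw_value):
    """Run the three checks on one autostart value and return a Finding."""
    split = split_target(raw_value)
    if split is None:
        return Finding(key, name, raw_value, ["no file path recognised in value"])
    path, ext, _args = split
    reasons = []
    if re.search(r'\s\.[A-Za-z0-9]{1,4}$', path):
        reasons.append("space before extension; companion of %s" % companion_original(path))
    if ext not in PE_EXECUTABLE:
        reasons.append("non-executable extension .%s as autostart target" % ext)
    low = path.lower()
    if "\\documents and settings\\" in low and "\\application data\\" in low:
        reasons.append("runs from a user-writable profile directory")
    return Finding(key, name, path, reasons)


def triage(text):
    """Return only the entries that tripped at least one check."""
    return [f for f in (triage_entry(*e) for e in parse_run_entries(text)) if f.reasons]


def renv_block(findings):
    """Build a RenV:: list, in the layout of Cypher's CFScript, from the
    companion-file findings only.  A CFScript is written for one machine;
    this shows how the list is derived, nothing more."""
    paths = [f.path for f in findings if any(r.startswith("space before") for r in f.reasons)]
    return "RenV::\n" + "\n".join(paths) + "\n" if paths else ""


if __name__ == "__main__":
    results = triage(SAMPLE_RUN_KEYS)
    for f in results:
        print("[%s] %s -> %s" % (f.key.split("\\")[0], f.name, f.path))
        for r in f.reasons:
            print("    -", r)
    print(renv_block(results))
```

On the sample, only "QuickTime Task" (companion file) and "Flablt" (.dat target under Application Data) are reported; the legitimate entries pass. Note that the companion check only finds files named with a space before the extension, which is the form the logs in this thread show; the real qttask.exe, iTunesHelper.exe and so on are what the RenV:: step restores.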

DeciAz
2010-02-18, 16:46
ComboFix 10-02-16.03 - Sharon 02/18/2010 7:25.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.667 [GMT -7:00]
Running from: c:\documents and settings\Sharon\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Sharon\Desktop\CFScript.txt.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\wbem\WMIsvc.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WINMGMT
-------\Service_winmgmt


((((((((((((((((((((((((( Files Created from 2010-01-18 to 2010-02-18 )))))))))))))))))))))))))))))))
.

2010-02-16 20:20 . 2010-02-16 20:20 -------- d-----w- c:\program files\Common Files\Java
2010-02-16 13:54 . 2010-02-16 13:54 -------- d-----w- C:\_OTM
2010-02-16 03:21 . 2010-02-16 03:21 -------- d-----w- C:\rsit
2010-02-14 00:38 . 2010-02-14 00:38 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-02-13 23:39 . 2010-02-14 00:34 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-02-13 23:39 . 2010-02-13 23:39 -------- d-----w- c:\program files\NOS
2010-02-13 06:32 . 2010-02-13 06:32 -------- d-sh--w- c:\documents and settings\Sharon\IECompatCache
2010-02-12 21:56 . 2010-02-18 14:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-12 16:40 . 2010-02-12 16:40 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-02-10 19:59 . 2010-02-10 19:59 -------- d-----w- c:\program files\Trend Micro
2010-02-10 19:29 . 2010-02-10 20:01 -------- d-----w- c:\program files\ERUNT
2010-02-10 00:23 . 2010-01-07 23:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-10 00:23 . 2010-01-07 23:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-09 02:02 . 2010-02-09 02:02 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-02-09 02:02 . 2010-02-09 02:02 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-01-28 22:53 . 2010-01-28 22:53 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-01-28 22:53 . 2009-11-22 22:42 69000 ----a-w- c:\windows\system32\zlcomm.dll
2010-01-28 22:53 . 2009-11-22 22:42 103816 ----a-w- c:\windows\system32\zlcommdb.dll
2010-01-28 22:53 . 2010-01-28 22:53 -------- d-----w- c:\windows\system32\ZoneLabs
2010-01-28 22:53 . 2009-11-22 22:42 1238408 ----a-w- c:\windows\system32\zpeng25.dll
2010-01-28 22:53 . 2010-01-28 22:53 -------- d-----w- c:\program files\Zone Labs
2010-01-28 22:50 . 2010-02-18 14:35 -------- d-----w- c:\windows\Internet Logs
2010-01-26 05:46 . 2010-02-18 14:24 -------- d-----w- c:\program files\AOL 9.5a
2010-01-25 23:28 . 2010-01-26 05:17 -------- d-----w- c:\program files\AOL 9.5
2010-01-22 17:47 . 2010-01-22 17:47 -------- d-----w- c:\documents and settings\Sharon\Application Data\Malwarebytes
2010-01-22 17:47 . 2010-01-22 17:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-18 14:25 . 2009-12-19 16:57 -------- d-----w- c:\program files\QuickTime
2010-02-18 14:24 . 2009-12-19 17:00 -------- d-----w- c:\program files\iTunes
2010-02-18 13:49 . 2010-02-18 14:10 1739264 ----a-w- c:\windows\Internet Logs\xDB1.tmp
2010-02-18 05:46 . 2010-02-18 14:10 1719808 ----a-w- c:\windows\Internet Logs\xDB2.tmp
2010-02-17 21:17 . 2010-01-29 13:18 6945016 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-02-16 20:20 . 2010-02-16 20:20 503808 ----a-w- c:\documents and settings\Sharon\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-157a94d2-n\msvcp71.dll
2010-02-16 20:20 . 2010-02-16 20:20 499712 ----a-w- c:\documents and settings\Sharon\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-157a94d2-n\jmc.dll
2010-02-16 20:20 . 2010-02-16 20:20 348160 ----a-w- c:\documents and settings\Sharon\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-157a94d2-n\msvcr71.dll
2010-02-16 20:20 . 2010-02-16 20:20 61440 ----a-w- c:\documents and settings\Sharon\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-793db118-n\decora-sse.dll
2010-02-16 20:20 . 2010-02-16 20:20 12800 ----a-w- c:\documents and settings\Sharon\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-793db118-n\decora-d3d.dll
2010-02-16 20:19 . 2008-12-09 05:33 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-16 17:27 . 2005-07-16 16:52 -------- d-----w- c:\program files\Java
2010-02-16 04:56 . 2009-05-23 16:55 -------- d-----w- c:\program files\Fishdom
2010-02-15 03:35 . 2009-12-02 18:22 -------- d-----w- c:\documents and settings\Sharon\Application Data\Dofus 2
2010-02-14 00:42 . 2005-07-23 17:26 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-14 00:38 . 2010-02-14 00:38 38784 ----a-w- c:\documents and settings\Sharon\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-14 00:35 . 2010-02-14 00:34 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-02-13 06:54 . 2005-07-27 19:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-13 05:38 . 2005-07-27 19:12 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-12 21:36 . 2005-07-23 19:50 -------- d-----w- c:\program files\Maxis
2010-02-12 18:10 . 2005-12-05 18:44 -------- d-----w- c:\documents and settings\Sharon\Application Data\Apple Computer
2010-02-12 16:37 . 2007-04-08 08:37 -------- d-----w- c:\program files\Google
2010-02-09 22:16 . 2005-11-03 23:19 -------- d-----w- c:\program files\EA GAMES
2010-02-09 21:57 . 2008-11-17 16:04 -------- d-----w- c:\documents and settings\All Users\Application Data\HipSoft
2010-02-09 21:57 . 2007-01-08 23:08 -------- d-----w- c:\program files\AOL Games
2010-01-26 05:48 . 2005-07-24 16:33 -------- d-----w- c:\documents and settings\Sharon\Application Data\AOL
2010-01-26 05:47 . 2005-07-23 19:24 -------- d-----w- c:\program files\Common Files\AOL
2010-01-26 05:46 . 2005-12-31 20:25 -------- d-----w- c:\program files\Common Files\aolshare
2010-01-26 05:46 . 2005-07-24 16:31 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2010-01-25 23:26 . 2010-01-25 23:17 43732816 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol_single\4337.155.1.1\setup.exe
2010-01-25 23:17 . 2010-01-25 23:17 42960 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol_single\4337.155.1.1\noneCodesignFilesBundle.exe
2010-01-25 23:17 . 2005-07-24 14:37 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2010-01-25 17:02 . 2010-02-13 23:39 31936 ----a-w- c:\documents and settings\Sharon\Application Data\Mozilla\Firefox\Profiles\aa101x97.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2010-01-25 17:02 . 2010-02-13 23:39 29344 ----a-w- c:\documents and settings\Sharon\Application Data\Mozilla\Firefox\Profiles\aa101x97.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2010-01-22 23:06 . 2002-01-23 14:37 70768 -c--a-w- c:\documents and settings\Sharon\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-15 17:14 . 2010-01-14 17:13 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-01-14 17:13 . 2010-01-14 17:13 -------- d-----w- c:\program files\Avira
2010-01-14 17:13 . 2010-01-14 17:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-01-04 18:41 . 2007-12-19 03:48 -------- d-----w- c:\program files\Dofus
2009-12-31 16:50 . 2005-07-16 16:37 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2004-08-10 17:51 916480 ------w- c:\windows\system32\wininet.dll
2009-12-19 16:48 . 2009-12-19 16:48 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-12-16 18:43 . 2008-09-04 17:24 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-10 17:50 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:26 . 2004-08-10 17:51 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2004-08-04 03:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2005-07-16 16:37 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:11 . 2004-08-10 17:51 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:11 . 2004-08-04 05:56 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:07 . 2004-08-10 17:51 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2001-08-18 03:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2004-08-10 17:51 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:07 . 2004-08-10 17:50 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07 . 2004-08-04 05:56 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-21 15:51 . 2004-08-10 17:50 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2007-02-15 18:25 . 2006-04-08 19:36 480624 -c--a-w- c:\program files\2005 Porter R Tax Return.tax
.

<pre>
c:\program files\Spybot - Search & Destroy\teatimer .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-14 68856]
"Flablt"="c:\documents and settings\Sharon\Application Data\Adobe\Update\wndcor.dat" [2010-02-05 18732]
"AOL Fast Start"="c:\program files\AOL 9.5a\AOL.EXE" [2009-10-28 50536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\quicktime\qttask .exe -atboottime" [X]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]
"EM_EXEC"="c:\progra~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2001-08-24 35328]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-10-21 29696]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2003-03-09 188416]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"Pure Networks Port Magic"="c:\progra~1\purene~1\portma~1\PORTAO~1.EXE" [N/A]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"HostManager"="c:\program files\Common Files\AOL\1105975379\ee\AOLSoftware.exe" [2009-07-20 41264]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-11-22 1037192]
"ISUSScheduler"="c:\progra~1\common~1\instal~1\update~1\issch.exe" [2004-07-27 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Flablt"="c:\documents and settings\Sharon\Application Data\Adobe\Update\wndcor.dat" [2010-02-05 18732]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AmazonGSDownloaderTray]
2009-04-06 23:35 247296 ----a-w- c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 23:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-07-27 21:50 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
2006-01-19 18:06 11776 ----a-w- c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Walgreens PhotoShow Media Manager]
2006-04-20 06:35 237568 ----a-w- c:\progra~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-12 135664]
R2 mrtRate;mrtRate; [x]
R3 SysProtDrv.sys;SysProtDrv.sys;c:\documents and settings\Sharon\Desktop\SysProt\SysProtDrv.sys [2010-02-16 44288]
S2 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [2009-04-06 319488]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
DHCP
ERSvc
FastUserSwitchingCompatibility
HidServ
LanmanServer
LanmanWorkstation
Messenger
Nla
NWCWorkstation
Schedule
Seclogon
SRService
Themes
TrkWks
W32Time
Wmi
WmdmPmSp
wscsvc
xmlprov
BITS
wuauserv
ShellHWDetection
helpsvc
napagent
hkmsvc
.
Contents of the 'Scheduled Tasks' folder

2010-02-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-02-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-12 16:37]

2010-02-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-12 16:37]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com
uInternet Settings,ProxyOverride = 127.0.0.1;localhost;*.local
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
Trusted Zone: turbotax.com
Trusted Zone: musicmatch.com\online
DPF: {D40F5876-A494-4124-8161-82625BB28C06} - hxxp://aolsvc.aol.com/onlinegames/free-trial-chocolatier-2-secret-ingredients/Chocolatier2Web.1.0.0.14.cab
DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} - hxxp://aolsvc.aol.com/onlinegames/oberonmajongescape/PTGameLauncher.cab
FF - ProfilePath - c:\documents and settings\Sharon\Application Data\Mozilla\Firefox\Profiles\aa101x97.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\documents and settings\Sharon\Application Data\Mozilla\Firefox\Profiles\aa101x97.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-18 07:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,bd,d3,17,99,3b,08,83,47,8e,f6,6a,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,bd,d3,17,99,3b,08,83,47,8e,f6,6a,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(684)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(380)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Common Files\aolshare\aolshcpy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\program files\Intel\Intel Matrix Storage Manager\iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\HPZipm12.exe
c:\windows\stsystra.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-02-18 07:43:02 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-18 14:42
ComboFix2.txt 2010-02-17 21:12

Pre-Run: 38,280,667,136 bytes free
Post-Run: 38,126,444,544 bytes free

- - End Of File - - A829669E746085F272D43957587F6134


State of the Computer:

The good news is that the virus-installed icons on the Start Button menu are gone, and the proper ones are now showing.

AOL is back in the Task Tray... it was weird to see it gone, when nothing I have ever been able to do would remove it past a reboot. =P

Everything seems to be running smoother and quicker than it has recently.

The bad news is that the Rundll pop-up messages are still popping up on reboot.

I don't know if it matters to these issues, but Volume Control is not back in the Task Tray, in spite of being set to 'always show'.

When ComboFix rebooted, Avira and ZoneAlarm reopened automatically... I shut them down as fast as I could, but they were slow to respond while ComboFix was still working. =[

I appreciate all your efforts, tremendously! I would never have been able to pick this all apart, to find and kill the little monsters. :heart:

Cypher
2010-02-18, 18:35
Hi DeciAz.

I appreciate all your efforts, tremendously!
You are most welcome.
Now we are starting to get somewhere.
You will need to uninstall Spybot - Search & Destroy but you can reinstall it once your PC is clean.
Please continue with the instructions below.


Add/Remove programs
Click on start
Then Run
In the Open text entry box, please copy/paste appwiz.cpl, then press Enter.
Press the "Remove" or "Change/Remove" button to uninstall the following.

Spybot - Search & Destroy

Note: "If asked whether you want to remove all settings, answer YES"
(This will remove the immunization and Teatimer settings.)

Now please reboot your system.



Next.

Disable Avira anti-virus


Please navigate to the system tray in the bottom right-hand corner and look for an open white umbrella on a red background (it looks like this: http://i94.photobucket.com/albums/l84/SillyGerman/BleepingComputer/antivir.png ).
Right-click it -> untick the option "AntiVir Guard enable".
You should now see a closed white umbrella on a red background (it looks like this: http://i94.photobucket.com/albums/l84/SillyGerman/BleepingComputer/antivir_disabled.png ).
Note: Don't forget to re-enable it after the below scan.

Next.

Kaspersky Online Scan

You can use either Internet Explorer or Mozilla Firefox for this scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Please go to the Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.
Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Click on My Computer under Scan. * This will take a while. Please be patient *.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.

Logs/Information to Post in your Next Reply


kaspersky log.
Please give me an update on your computer's performance.

DeciAz
2010-02-18, 22:47
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, February 18, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, February 18, 2010 18:43:35
Records in database: 3551741
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: no

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Objects scanned: 238690
Threats found: 2
Infected objects found: 4
Suspicious objects found: 0
Scan duration: 02:56:47


File name / Threat / Threats count
C:\Program Files\MUSICMATCH\Common\ComponentMgr\HoldingArea\WebSys\WebSys.mmz Infected: not-a-virus:RiskTool.Win32.Deleter.f 1
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\WebSys\offline.mmz Infected: not-a-virus:RiskTool.Win32.Deleter.f 1
C:\Program Files\ORL\VNC\VNCHooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 1
C:\Program Files\ORL\VNC\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 1

Selected area has been scanned.

----------------------------------

The computer is the same as this morning, except that QuickTime is now in its usual place on the task tray.

The Rundll error messages still pop up after reboot.

Cypher
2010-02-19, 11:55
Hi DeciAz.
Good to hear things are running much better :)

Re-run OTM

Double-click OTM.exe to run it.
Paste the following code under the http://billy-oneal.com/Canned%20Speeches/speechimages/OTM/pasteline.png area. Do not include the word Code.

:Processes

:Files
C:\Program Files\MUSICMATCH\Common\ComponentMgr\HoldingArea\WebSys\WebSys.mmz
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\WebSys\offline.mmz
C:\Program Files\ORL\VNC\VNCHooks.dll
C:\Program Files\ORL\VNC\vncviewer.exe

:Commands
[emptytemp]
[start explorer]
[Reboot]


Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
Push the large http://billy-oneal.com/Canned%20Speeches/speechimages/OTM/btnmoveit.png button.
OTM may ask to reboot the machine. Please do so if asked.
Copy everything in the Results window (under the green bar), and paste it in your next reply.

NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.



Logs/Information to Post in your Next Reply


OTM log.
Please give me an update on your computer's performance.

DeciAz
2010-02-19, 14:39
All processes killed
========== PROCESSES ==========
========== FILES ==========
C:\Program Files\MUSICMATCH\Common\ComponentMgr\HoldingArea\WebSys\WebSys.mmz moved successfully.
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\WebSys\offline.mmz moved successfully.
DllUnregisterServer procedure not found in C:\Program Files\ORL\VNC\VNCHooks.dll
C:\Program Files\ORL\VNC\VNCHooks.dll moved successfully.
C:\Program Files\ORL\VNC\vncviewer.exe moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: default

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Sharon
->Temp folder emptied: 97296092 bytes
->Temporary Internet Files folder emptied: 23264462 bytes
->Java cache emptied: 128123 bytes
->FireFox cache emptied: 78037377 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 920 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 190.00 mb


OTM by OldTimer - Version 3.1.8.0 log created on 02192010_060537

Files moved on Reboot...
C:\Documents and Settings\Sharon\Local Settings\Temp\~DF4588.tmp moved successfully.
File C:\WINDOWS\temp\ZLT05d25.TMP not found!

Registry entries deleted on Reboot...
----------

State of the Computer

The Rundll messages popped up again on reboot; Volume Control is still not showing.:confused:

But as you may notice, I can use the tool bar/smilies on the reply page of this forum, again....:devil:

Cypher
2010-02-19, 17:18
Hi DeciAz.
About your volume and Rundll issues, I can give you links to a tech support site; they should be able to help you fix those problems.

For one last look, please post a new HJT log.



Start HijackThis.
If you are on the "scan & fix stuff" page... Press the "Main Menu"...button.
From the Main Menu... Press the "Do System Scan and Save a Log File"...button.
When completed...Notepad will open with the new "hijackthis.log" file contents.
Copy/paste the entire (hijackthis.log) file contents in your next reply.

DeciAz
2010-02-19, 17:27
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:25:11 AM, on 2/19/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\AOL\1105975379\ee\AOLSoftware.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\progra~1\common~1\instal~1\update~1\issch.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AOL 9.5a\waol.exe
C:\Program Files\AOL 9.5a\shellmon.exe
C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=488
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "c:\progra~1\purene~1\portma~1\PORTAO~1.EXE" -Run
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1105975379\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "c:\progra~1\common~1\instal~1\update~1\issch.exe" -start
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Flablt] rundll32.exe "C:\Documents and Settings\Sharon\Application Data\Adobe\Update\wndcor.dat""
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.5a\AOL.EXE" -b
O4 - HKUS\S-1-5-21-1891338530-402997292-3403417891-1006\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" (User '?')
O4 - HKUS\S-1-5-21-1891338530-402997292-3403417891-1006\..\Run: [Flablt] rundll32.exe "C:\Documents and Settings\Sharon\Application Data\Adobe\Update\wndcor.dat"" (User '?')
O4 - HKUS\S-1-5-21-1891338530-402997292-3403417891-1006\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.5a\AOL.EXE" -b (User '?')
O4 - HKUS\S-1-5-18\..\Run: [Flablt] rundll32.exe "C:\Documents and Settings\Sharon\Application Data\Adobe\Update\wndcor.dat"" (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [Flablt] rundll32.exe "C:\Documents and Settings\Sharon\Application Data\Adobe\Update\wndcor.dat"" (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Dell Home - {90D7162F-5C08-4A00-B04B-6A5197462544} - http://www.dellnet.com (file missing) (HKCU)
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1199454514156
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqaio/downloads/msxml4.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {D40F5876-A494-4124-8161-82625BB28C06} (CPlayFirstChocolatieControl Object) - http://aolsvc.aol.com/onlinegames/free-trial-chocolatier-2-secret-ingredients/Chocolatier2Web.1.0.0.14.cab
O16 - DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} (Playtime Games Launcher) - http://aolsvc.aol.com/onlinegames/oberonmajongescape/PTGameLauncher.cab
O23 - Service: Amazon Download Agent - Amazon.com - C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 10657 bytes

Cypher
2010-02-19, 17:46
Let's try this.

Fix HijackThis entries

Run HijackThis

If using Vista, you must right click (hijackthis.exe) and choose "Run As Administrator".
If you are on the Main Menu page... Click "Do a system scan only"
If you are on the "scan & fix stuff" page... Press the Scan...button.
When the scan finishes...Place a check mark next to the following entries (if they are still present)
Note: Only check those items listed below.

O4 - HKCU\..\Run: [Flablt] rundll32.exe "C:\Documents and Settings\Sharon\Application Data\Adobe\Update\wndcor.dat""
O4 - HKUS\S-1-5-21-1891338530-402997292-3403417891-1006\..\Run: [Flablt] rundll32.exe "C:\Documents and Settings\Sharon\Application Data\Adobe\Update\wndcor.dat"" (User '?')
O4 - HKUS\S-1-5-18\..\Run: [Flablt] rundll32.exe "C:\Documents and Settings\Sharon\Application Data\Adobe\Update\wndcor.dat"" (User '?')
O4 - HKUS\.DEFAULT\..\Run: [Flablt] rundll32.exe "C:\Documents and Settings\Sharon\Application Data\Adobe\Update\wndcor.dat"" (User 'Default user')


After checking these items... CLOSE ALL open windows except HijackThis.
Click the Fix Checked ...button...to remove the entries you checked.
Choose YES...when prompted to fix the selected items.

Next.

Re-run OTM

Double-click OTM.exe to run it.
Paste the following code under the http://billy-oneal.com/Canned%20Speeches/speechimages/OTM/pasteline.png area. Do not include the word Code.


:Processes

:Files
C:\Documents and Settings\Sharon\Application Data\Adobe\Update\wndcor.dat

:Commands
[resethosts]
[emptytemp]
[start explorer]
[Reboot]


Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
Push the large http://billy-oneal.com/Canned%20Speeches/speechimages/OTM/btnmoveit.png button.
OTM may ask to reboot the machine. Please do so if asked.
Copy everything in the Results window (under the green bar), and paste it in your next reply.

NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Next.

Post a New HJT Log

Start HijackThis.
If you are on the "scan & fix stuff" page... Press the "Main Menu"...button.
From the Main Menu... Press the "Do System Scan and Save a Log File"...button.
When completed...Notepad will open with the new "hijackthis.log" file contents.
Copy/paste the entire (hijackthis.log) file contents in your next reply.

Logs/Information to Post in your Next Reply


OTM log.
hijackthis log.
Please give me an update on your computer's performance.
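For anyone reading this thread later who wants to see why the [Flablt] entries above stand out from the rest of the O4 list: the following is an added example, not code from this thread, from HijackThis or from OTM. It parses O4 autorun lines in HijackThis's log format and flags the patterns a helper looks for: rundll32.exe (or regsvr32.exe) being handed a file that is not a .dll, a target stored under the user profile, an unbalanced quote in the command line, and the same value name pushed into both a user hive and the SYSTEM/.DEFAULT hives. The sample lines are copied from the log posted above; the heuristics and the function names (parse_o4, assess, triage) are my own and belong to no tool.

```python
import re
from collections import defaultdict

# Input for the triage script: O4 lines copied from the HijackThis log posted in this thread.
SAMPLE_O4_LINES = [
    r'O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min',
    r'O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"',
    r'O4 - HKCU\..\Run: [Flablt] rundll32.exe "C:\Documents and Settings\Sharon\Application Data\Adobe\Update\wndcor.dat""',
    r"""O4 - HKUS\S-1-5-18\..\Run: [Flablt] rundll32.exe "C:\Documents and Settings\Sharon\Application Data\Adobe\Update\wndcor.dat"" (User '?')""",
    r"""O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')""",
]

# Shape of a line:  O4 - <hive>\..\<Run key>: [<value name>] <command>   [(User '<name>')]
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
USER_SUFFIX_RE = re.compile(r"\s+\(User '(?P<user>[^']*)'\)$")
QUOTED_RE = re.compile(r'"([^"]*)"')

LOADER_EXES = {"rundll32.exe", "regsvr32.exe"}        # hosts that run whatever file they are handed
PROFILE_MARKERS = ("\\documents and settings\\", "\\application data\\",
                   "\\local settings\\", "\\temp\\")  # user-writable locations on XP
SYSTEM_HIVES = {r"HKUS\S-1-5-18", r"HKUS\.DEFAULT"}  # LocalSystem and the default profile


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_o4(line):
    """Split one HijackThis O4 line into hive, key, value name, command, user, launcher, payload."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd, user = m.group("cmd"), None
    um = USER_SUFFIX_RE.search(cmd)
    if um:                                   # "(User '...')" is HijackThis decoration, not the command
        user, cmd = um.group("user"), cmd[: um.start()]
    quoted = QUOTED_RE.findall(cmd)
    if cmd.startswith('"'):                  # quoted launcher path, optional payload after it
        launcher = quoted[0] if quoted else cmd
        payload = quoted[1] if len(quoted) > 1 else None
    else:                                    # bare launcher such as rundll32.exe, payload is first quoted arg
        launcher = cmd.split(" ", 1)[0]
        payload = quoted[0] if quoted else None
    return {"hive": m.group("hive"), "key": m.group("key"), "name": m.group("name"),
            "cmd": cmd, "user": user, "launcher": launcher, "payload": payload}


def assess(entry):
    """Return the reasons a single O4 entry deserves a closer look (empty list = nothing odd)."""
    reasons = []
    launcher = basename(entry["launcher"])
    target = entry["payload"] or entry["launcher"]
    if launcher in LOADER_EXES:
        if entry["payload"] is None:
            reasons.append(f"{launcher} with no library argument")
        elif not entry["payload"].lower().endswith(".dll"):
            reasons.append(f"{launcher} loading a non-DLL file: {basename(entry['payload'])}")
    if any(marker in target.lower() for marker in PROFILE_MARKERS):
        reasons.append("target lives in a user-writable profile directory")
    if entry["cmd"].count('"') % 2:
        reasons.append("unbalanced quotes in the command line")
    return reasons


def triage(lines):
    """Parse and assess every O4 line; adds a cross-entry check for hive replication."""
    entries = [e for e in map(parse_o4, lines) if e]
    hives_by_name = defaultdict(set)
    for e in entries:
        hives_by_name[e["name"]].add(e["hive"])
    for e in entries:
        e["reasons"] = assess(e)
        hives = hives_by_name[e["name"]]
        # The same value name in a user hive and in SYSTEM/.DEFAULT means it runs whoever logs on.
        if hives & SYSTEM_HIVES and hives - SYSTEM_HIVES:
            e["reasons"].append("same value replicated into user and SYSTEM/default hives")
    return entries


if __name__ == "__main__":
    for e in triage(SAMPLE_O4_LINES):
        print(f"{'SUSPECT' if e['reasons'] else 'ok':7} [{e['name']}] {e['hive']}\\{e['key']}")
        for r in e["reasons"]:
            print(f"         - {r}")
```

Run it and only the two Flablt lines come out as SUSPECT, each with all four reasons; the Avira, Google Toolbar and Narrator entries pass, which matches the fix list Cypher gave above. The checks are deliberately content-free (they never look at the file itself), so they are a way to prioritise what to inspect, not a verdict.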

DeciAz
2010-02-19, 18:22
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:10:29 AM, on 2/19/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\AOL\1105975379\ee\AOLSoftware.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\progra~1\common~1\instal~1\update~1\issch.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\AOL 9.5a\waol.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AOL 9.5a\shellmon.exe
C:\Program Files\Common Files\AOL\1105975379\EE\aolsoftware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=488
O1 - Hosts: ~127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "c:\progra~1\purene~1\portma~1\PORTAO~1.EXE" -Run
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1105975379\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "c:\progra~1\common~1\instal~1\update~1\issch.exe" -start
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.5a\AOL.EXE" -b
O4 - HKUS\S-1-5-21-1891338530-402997292-3403417891-1006\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" (User '?')
O4 - HKUS\S-1-5-21-1891338530-402997292-3403417891-1006\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.5a\AOL.EXE" -b (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User '?')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Dell Home - {90D7162F-5C08-4A00-B04B-6A5197462544} - http://www.dellnet.com (file missing) (HKCU)
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1199454514156
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqaio/downloads/msxml4.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {D40F5876-A494-4124-8161-82625BB28C06} (CPlayFirstChocolatieControl Object) - http://aolsvc.aol.com/onlinegames/free-trial-chocolatier-2-secret-ingredients/Chocolatier2Web.1.0.0.14.cab
O16 - DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} (Playtime Games Launcher) - http://aolsvc.aol.com/onlinegames/oberonmajongescape/PTGameLauncher.cab
O23 - Service: Amazon Download Agent - Amazon.com - C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 10144 bytes

After the reboot, I accidentally hit cancel instead of allow on the log request for OTM .:oops:

However, as far as removing the code, it worked! :bigthumb:

The Rundll32.exe did not pop up after the reboot. I rebooted again, just to make sure it was gone. :D

Cypher
2010-02-19, 18:53
Hi DeciAz.

The Rundll32.exe did not pop up after the reboot.
Success, good :bigthumb:

Here are a couple of links where you can get advice about any other problems that remain.

Tech support guy (http://forums.techguy.org/)

Windows (http://forums.techguy.org/49-operating-systems/) - problems with operating systems and windows problems.
All other software (http://forums.techguy.org/18-all-other-software/) - problems with all other software.

And

What the tech (http://forums.whatthetech.com/forums.html)

Windows (http://forums.whatthetech.com/Microsoft_Windows_f119.html) - problems with operating systems and windows problems.
All other software (http://forums.whatthetech.com/Other_software_f124.html) - problems with all other software.

Your latest set of logs appears to be clean! :)
This is my general post for when your logs show no more signs of malware.

Time for some housekeeping

Click on Start >> Run...
Now type ComboFix /Uninstall into the Run box and click OK.
Note the space between the X and the /Uninstall; it needs to be there.
http://i280.photobucket.com/albums/kk173/Dakeyras_album2/CF-Uninstall.png

The above procedure will reset your System Restore and clear out the backups and quarantines created during the course of this fix.

Next.

Clean up with OTM


Double-click OTM.exe to start the program. This tool will remove all the tools we used to clean your PC.
Close all other programs apart from OTMoveIt3, as this step will require a reboot.
On the OTM main screen, press the CleanUp! button
Say Yes to the prompt and then allow the program to reboot your computer.



You can now delete any tools we used that remain on your Desktop.



Protection Programs
Don't forget to re-enable any protection programs we disabled during your fix.


Here are some free programs I recommend that could help you improve your computer's security.



Install Sitehound
SiteHound is a toolbar for Microsoft Internet Explorer and Mozilla Firefox which alerts you if you're about to enter a potentially dangerous website.
You can find more information and download it from Here (http://www.firetrust.com/en/products/sitehound)

Install WinPatrol
As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
For more information, please visit HERE (http://www.winpatrol.com/)

MVPS Hosts

Install MVPS Hosts File From Here (http://mvps.org/winhelp2002/hosts.htm)
The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites, etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
You can Find the Tutorial HERE (http://www.mvps.org/winhelp2002/hosts.htm)

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector (http://secunia.com/software_inspector/)
F-secure Health Check (http://www.f-secure.com/weblog/archives/00001356.html)

Visit Microsoft often to get the latest updates for your computer
You can do that HERE (http://www.update.microsoft.com)

Read some information HERE (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html) On how to prevent Malware

Is your pc running slow?
Read What to do if your Computer is running slowly (http://www.malwareremoval.com/tutorials/runningslowly.php)

I would be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

Safe surfing!
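One way to see what a HOSTS file actually does, as an added example that is not part of this thread or of the MVPS project: the Python script below parses HOSTS text, resolves a name the way the operating system would (the first matching entry wins), and separates ordinary blocklist entries (domains pointed at 127.0.0.1 or 0.0.0.0, as MVPS does) from entries that send a domain to some other address, which is the kind of edit malware makes to keep security sites from loading. The sample HOSTS content, the domain names and the 192.0.2.45 address are constructed for illustration; on a real Windows machine the file lives at %SystemRoot%\System32\drivers\etc\hosts.

```python
"""Parse a HOSTS file and separate deliberate blocking entries from
suspicious redirects. Added example, not code from the thread or from MVPS;
the sample HOSTS text below is constructed for illustration."""
import re
from typing import Dict, List, Optional, Tuple

# Addresses a blocklist-style HOSTS file (such as MVPS) legitimately maps
# unwanted domains to: the local machine or "nowhere".
LOCAL_SINKS = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample: a few blocklist-style lines plus one entry of the kind
# malware adds to steer a security-related site elsewhere (fictional IP).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0  ads.example-adserver.test        # blocklist style
127.0.0.1  tracker.example-analytics.test
192.0.2.45  www.example-security-vendor.test   # hijack: not a local sink
127.0.0.1  update.example-security-vendor.test
"""

# An address token followed by one or more hostnames.
HOST_LINE = re.compile(r"^\s*([0-9A-Fa-f.:]+)\s+(.+?)\s*$")


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs, one per hostname, skipping comments and blanks."""
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]  # drop trailing comments
        m = HOST_LINE.match(line)
        if not m:
            continue
        ip, names = m.groups()
        for name in names.split():  # several names may share one line
            entries.append((ip, name.lower()))
    return entries


def resolve_like_os(entries: List[Tuple[str, str]], hostname: str) -> Optional[str]:
    """Windows (and most resolvers) use the FIRST HOSTS entry that matches."""
    hostname = hostname.lower()
    for ip, name in entries:
        if name == hostname:
            return ip
    return None


def classify(entries: List[Tuple[str, str]]) -> Dict[str, List[Tuple[str, str]]]:
    """Split entries into expected blocking (local sink) and suspicious redirects."""
    blocked: List[Tuple[str, str]] = []
    suspicious: List[Tuple[str, str]] = []
    for ip, name in entries:
        if name == "localhost":
            continue  # the standard loopback lines are not a block rule
        if ip in LOCAL_SINKS:
            blocked.append((ip, name))
        else:
            suspicious.append((ip, name))
    return {"blocked": blocked, "suspicious": suspicious}


if __name__ == "__main__":
    parsed = parse_hosts(SAMPLE_HOSTS)
    report = classify(parsed)
    print(f"{len(report['blocked'])} blocking entries")
    for ip, name in report["suspicious"]:
        print(f"SUSPICIOUS: {name} -> {ip} (not a local sink)")
    print("www.example-security-vendor.test resolves to",
          resolve_like_os(parsed, "www.example-security-vendor.test"))
```

To check a live machine, read the real file into `parse_hosts` instead of `SAMPLE_HOSTS`; any entry that lands in the "suspicious" list deserves a look, because a correctly installed MVPS file only ever points names at a local sink.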

DeciAz
2010-02-20, 07:20
Everything seems to be going great! Thank you so much for all your help!:bighug:

This whole thing was quite an eye-opener, because I have been on the computer since before there was a world wide web (www), and I thought I was being a safe surfer! :red: This is the first virus/trojan, that I have ever had.....that I knew of, anyway.

Thanks for the links, I guess I am going to have to study up, and take stricter measures when I go on the internetz.

:thanks:

Cypher
2010-02-20, 12:02
Hi DeciAz.
You're most welcome, glad I could help.
Among others you had what's called a Vundo file infector.
Neither I nor my colleagues have seen this for some time, that's why it took a while to track it down. Let me know if you have any other questions and if not I will have this topic closed, good luck :)

DeciAz
2010-02-20, 16:52
Just one quick, minor question about seeking tech support.
One of my games does not work now, and it keeps sending error reports to Microsoft.
In light of the work we did this week, is this likely to be a Windows problem.....or other software?

Other than that, all else seems to be working fine.:yahoo:

I believe you can close the thread.

Thank you, again.

Cypher
2010-02-20, 17:35
In light of the work we did this week, is this likely to be a Windows problem.....or other software?
Without direct access to your computer I wouldn't know for sure.
If possible, try uninstalling the game, then install it again; that might work :)