Nasty virus blocking me from using Internet Explorer and Firefox, among others.

Started by thedaniel, April 29, 2010, 03:15:42 AM


thedaniel

Basically, every time I try to open a program (especially Mozilla Firefox and Explorer), what looks like Windows Security Center pops up, only it's a "Vista AntiMalware Firewall Alert".

it says: "Vista AntiMalware has blocked a program from accessing the internet.

firforx is infected with Trojan-BNK.Win32.Keylogger.gen Private data can be stolen by third parties, including credit card details and passwords.

Windows recommend Activate Vista AntiMalware
click "Yes, Activate..." to register your copy of Vista AntiMalware and perform threat removal on your system"

Now, I know it's BS, but after this popped up a million times, I checked to see what happens (maybe making it worse) and clicked "activate", and it just prompted me to purchase software.

After many double-clicks and Alt+F4s, I managed to get a browser up online (in Safe Mode, by the way).

I can't access most of my programs, and those little Windows alerts in yellow speech bubbles pop up in the lower right-hand corner spewing BS warnings with bad grammar and syntax (another giveaway that it's not any Microsoft-sanctioned software) like "Danger! Your computer is being attack!"

So far, all I did was try to download AVG Free, and every time I tried to run the installation, nothing would happen (my guess is the virus blocks it too). Tried Avira, same thing. I'm happy that the programs I downloaded from here worked, though. Also, I have my computer set to automatically boot up into Safe Mode with Networking. Here are the logs:

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:      2010/04/28 23:01
Program Version:      Version 1.3.5.0
Windows Version:      Windows Vista SP1
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\Windows\System32\Drivers\dump_atapi.sys
Address: 0x8E394000   Size: 32768   File Visible: No   Signed: -
Status: -

Name: dump_dumpata.sys
Image Path: C:\Windows\System32\Drivers\dump_dumpata.sys
Address: 0x8E389000   Size: 45056   File Visible: No   Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0x96E9D000   Size: 49152   File Visible: No   Signed: -
Status: -

Processes
-------------------
Path: System
PID: 4   Status: Locked to the Windows API!

==EOF==

thedaniel

Logfile of random's system information tool 1.06 (written by random/random)
Run by Daniel at 2010-04-28 22:57:16
Microsoft® Windows Vista™ Home Basic  Service Pack 1
System drive C: has 7 GB (2%) free of 295 GB
Total RAM: 3325 MB (83% free)

HijackThis download failed

======Scheduled tasks folder======

C:\Windows\tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-23 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{074C1DC5-9320-4A9A-947D-C042949C6216}]
ContributeBHO Class - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll [2007-03-16 118784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{65EDC0D5-E754-3DD3-85A8-8293CE990D85}]
D - C:\Windows\system32\xwr93964.dll [2009-02-25 176128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
Adobe PDF Conversion Toolbar Helper - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2007-05-10 321120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-03-09 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2007-05-10 321120]
{517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - Contribute Toolbar - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll [2007-03-16 118784]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-20 1008184]
"Acrobat Assistant 8.0"=C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe [2007-05-10 624248]
""= []
"Adobe_ID0EYTHM"=C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE [2007-03-20 1884160]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-03-09 148888]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2009-11-11 417792]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2009-05-30 292136]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"=C:\Users\Daniel\Program Files\DNA\btdna.exe [2009-10-07 323392]
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe [2008-01-20 202240]
"COMServer"=C:\Users\Daniel\AppData\Local\Temp\comsrvr.exe [2010-04-28 12288]
"mcexecwin"=C:\Users\Daniel\AppData\Local\Temp\hfd0moz.dll [2010-04-28 30000]
"hsf87sdhfush87fsufhuie3fddf"=C:\Users\Daniel\AppData\Local\Temp\y663int.exe [2010-04-28 30001]
"tonunimesa"=C:\ProgramData\fiponedo\fiponedo.dll [2010-01-28 76288]
"hsf87efjhdsf87f3jfsdi7fhsujfd"=C:\Users\Daniel\AppData\Local\Temp\cmd.exe [2010-04-28 36868]
"sysmon64x.exe"=C:\Users\Daniel\AppData\Local\Temp\sysmon64x.exe [2010-04-28 260608]
"axugtgvg"=C:\Users\Daniel\AppData\Local\bdqmptyll\nfrcoeftssd.exe [2010-04-28 270848]
"nfhoywuk^"=C:\Users\Daniel\nfhoywuk^.exe []
"nfhoywukc"=C:\Users\Daniel\nfhoywukc.exe []
"asam"=C:\Users\Daniel\AppData\Local\asam.exe [2010-04-28 60160]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
TabUserW.exe.lnk - C:\Windows\System32\Wtablet\TabUserW.exe

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======File associations======

.exe - open - "C:\Users\Daniel\AppData\Local\ave.exe" /START "%1" %*
.js - edit - C:\Windows\System32\Notepad.exe %1
.js - open - "C:\Program Files\Adobe\Adobe Dreamweaver CS3\Dreamweaver.exe","%1"

======List of files/folders created in the last 1 months======

2010-04-28 22:57:16 ----D---- C:\rsit
2010-04-28 22:57:16 ----D---- C:\Program Files\trend micro
2010-04-28 22:56:08 ----D---- C:\Windows\ERDNT
2010-04-28 22:55:32 ----D---- C:\Program Files\ERUNT
2010-04-28 19:25:02 ----D---- C:\Windows\pss
2010-04-28 18:52:26 ----A---- C:\Windows\ntbtlog.txt
2010-04-28 18:17:45 ----D---- C:\Users\Daniel\AppData\Roaming\AKM Antivirus 2010 Pro
2010-04-28 18:17:35 ----A---- C:\Users\Daniel\AppData\Roaming\wpp.exe
2010-04-28 18:17:22 ----D---- C:\ProgramData\yidurufo
2010-04-28 18:17:22 ----D---- C:\ProgramData\fosepoyo
2010-04-28 18:17:21 ----D---- C:\ProgramData\wepejapu
2010-04-28 18:17:21 ----D---- C:\ProgramData\litikusi
2010-04-28 18:10:40 ----D---- C:\Users\Daniel\AppData\Roaming\FBFEA05627B8A5365FE1FFE8C4B1E325
2010-04-28 18:10:39 ----D---- C:\ProgramData\wajejofu
2010-04-28 18:10:39 ----D---- C:\ProgramData\loraleka
2010-04-28 18:10:39 ----D---- C:\ProgramData\fiponedo
2010-04-12 21:34:16 ----D---- C:\Users\Daniel\AppData\Roaming\Armagetron
2010-04-12 21:34:13 ----D---- C:\ProgramData\Armagetron
2010-04-04 23:20:41 ----A---- C:\Windows\system32\wvc1dmod.dll
2010-04-04 23:20:41 ----A---- C:\Windows\system32\vp7vfw.dll
2010-04-04 23:20:41 ----A---- C:\Windows\system32\sipr3260.dll
2010-04-04 23:20:41 ----A---- C:\Windows\system32\Pncrt.dll
2010-04-04 23:20:41 ----A---- C:\Windows\system32\drv43260.dll
2010-04-04 23:20:41 ----A---- C:\Windows\system32\drv33260.dll
2010-04-04 23:20:41 ----A---- C:\Windows\system32\drv23260.dll
2010-04-04 23:20:41 ----A---- C:\Windows\system32\cook3260.dll
2010-04-04 23:20:40 ----D---- C:\Program Files\VSO

======List of files/folders modified in the last 1 months======

2010-04-28 22:57:16 ----RD---- C:\Program Files
2010-04-28 22:56:08 ----D---- C:\Windows
2010-04-28 22:53:34 ----D---- C:\Windows\System32
2010-04-28 22:53:34 ----D---- C:\Windows\inf
2010-04-28 22:53:34 ----A---- C:\Windows\system32\PerfStringBackup.INI
2010-04-28 22:53:11 ----D---- C:\Downloads
2010-04-28 19:34:53 ----D---- C:\Users\Daniel\AppData\Roaming\foobar2000
2010-04-28 19:25:16 ----D---- C:\Users\Daniel\AppData\Roaming\DNA
2010-04-28 19:24:37 ----D---- C:\Windows\system32\Tasks
2010-04-28 19:24:35 ----D---- C:\Windows\Tasks
2010-04-28 19:05:35 ----D---- C:\Windows\Temp
2010-04-28 18:17:55 ----D---- C:\Windows\Prefetch
2010-04-28 18:17:22 ----HD---- C:\ProgramData
2010-04-28 18:11:21 ----D---- C:\Users\Daniel\AppData\Roaming\BitTorrent
2010-04-28 02:52:32 ----SHD---- C:\System Volume Information
2010-04-27 20:54:41 ----D---- C:\Ninjastars
2010-04-26 17:52:07 ----D---- C:\ProgramData\Roxio
2010-04-23 01:34:18 ----D---- C:\Images
2010-04-20 23:17:15 ----D---- C:\Projects
2010-04-19 21:03:21 ----D---- C:\Users\Daniel\AppData\Roaming\Vso
2010-04-12 21:34:13 ----D---- C:\Games
2010-04-11 00:00:08 ----D---- C:\Windows\system32\catroot2
2010-04-02 17:51:39 ----D---- C:\Program Files\Mozilla Firefox
2010-03-31 21:18:22 ----D---- C:\Users\Daniel\AppData\Roaming\Adobe
2010-03-31 21:05:33 ----D---- C:\documents

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 DLARTL_M;DLARTL_M; C:\Windows\System32\Drivers\DLARTL_M.SYS [2007-07-23 30064]
R3 e1express;Intel(R) PRO/1000 PCI Express Network Connection Driver; C:\Windows\system32\DRIVERS\e1e6032.sys [2008-01-20 220672]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\Windows\system32\DRIVERS\GEARAspiWDM.sys [2009-03-19 23400]
S2 ASPI32;ASPI32; C:\Windows\system32\drivers\ASPI32.sys []
S2 DLABMFSM;DLABMFSM; C:\Windows\System32\Drivers\DLABMFSM.SYS [2007-07-23 37360]
S2 DLABOIOM;DLABOIOM; C:\Windows\System32\Drivers\DLABOIOM.SYS [2007-07-23 32848]
S2 DLADResM;DLADResM; C:\Windows\System32\Drivers\DLADResM.SYS [2007-07-23 9104]
S2 DLAIFS_M;DLAIFS_M; C:\Windows\System32\Drivers\DLAIFS_M.SYS [2007-07-23 108752]
S2 DLAOPIOM;DLAOPIOM; C:\Windows\System32\Drivers\DLAOPIOM.SYS [2007-07-23 27216]
S2 DLAPoolM;DLAPoolM; C:\Windows\System32\Drivers\DLAPoolM.SYS [2007-07-23 16304]
S2 DLAUDF_M;DLAUDF_M; C:\Windows\System32\Drivers\DLAUDF_M.SYS [2007-07-23 98448]
S2 DLAUDFAM;DLAUDFAM; C:\Windows\System32\Drivers\DLAUDFAM.SYS [2007-07-23 93552]
S2 DRVNDDM;DRVNDDM; C:\Windows\System32\Drivers\DRVNDDM.SYS [2007-07-23 52000]
S3 atikmdag;atikmdag; C:\Windows\system32\DRIVERS\atikmdag.sys [2008-08-21 3928576]
S3 cur_bus;Curitel USB Composite Device driver (WDM); C:\Windows\system32\DRIVERS\cur_bus.sys [2005-07-19 57744]
S3 cur_mdfl;Curitel Packet Service Filter; C:\Windows\system32\DRIVERS\cur_mdfl.sys [2005-07-19 8336]
S3 cur_mdm;Curitel Packet Service Drivers; C:\Windows\system32\DRIVERS\cur_mdm.sys [2005-07-19 93328]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-20 5632]
S3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-20 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-20 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-20 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-20 6016]
S3 pcouffin;VSO Software pcouffin; C:\Windows\System32\Drivers\pcouffin.sys [2009-01-13 47360]
S3 USBAAPL;Apple Mobile USB Driver; C:\Windows\System32\Drivers\usbaapl.sys [2009-08-28 40448]
S3 usbscan;USB Scanner Driver; C:\Windows\system32\DRIVERS\usbscan.sys [2008-01-20 35328]
S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2008-01-20 39936]
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-20 83328]
S4 ErrDev;Microsoft Hardware Error Device Driver; C:\Windows\system32\drivers\errdev.sys [2008-01-20 6656]
S4 MegaSR;MegaSR; C:\Windows\system32\drivers\megasr.sys [2008-01-20 386616]
S4 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\drivers\wmiacpi.sys [2008-01-20 11264]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

S2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-08-28 144672]
S2 Ati External Event Utility;Ati External Event Utility; C:\Windows\system32\Ati2evxx.exe [2008-08-21 700416]
S2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
S3 Adobe Version Cue CS3;Adobe Version Cue CS3; C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe [2007-03-20 153792]
S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2008-12-18 654848]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-05-30 541992]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 stllssvr;stllssvr; C:\Program Files\Common Files\SureThing Shared\stllssvr.exe [2007-07-11 69632]

-----------------EOF-----------------

thedaniel

info.txt logfile of random's system information tool 1.06 2010-04-28 22:57:19

======Uninstall list======

-->C:\Windows\IsUninst.exe -f"C:\Program Files\Hewlett-Packard\HP PrecisionScan\Uninst.isu"
7-Zip 4.65-->"C:\Program Files\7-Zip\Uninstall.exe"
ACID Pro 7.0-->MsiExec.exe /X{8BAC9DAB-9118-4D13-8CF4-78812CC4755C}
Active iPod Video Converter-->C:\PROGRA~1\ACTIVE~1\UNWISE.EXE
Add or Remove Adobe Creative Suite 3 Master Collection-->C:\Program Files\Common Files\Adobe\Installers\4dcfd9b7e901b57f81f667144603236\Setup.exe
Adobe After Effects CS3 Presets-->MsiExec.exe /I{193EAFD0-1BAF-4FB4-B18F-79D5D6A4B285}
Adobe Anchor Service CS3-->MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}
Adobe Asset Services CS3-->MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}
Adobe Bridge CS3-->MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}
Adobe Bridge Start Meeting-->MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}
Adobe BridgeTalk Plugin CS3-->MsiExec.exe /I{B73CFB12-C814-4638-AFFD-7E3AAFAF0B4E}
Adobe Camera Raw 4.0-->MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}
Adobe CMaps-->MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}
Adobe Color - Photoshop Specific-->MsiExec.exe /I{A2D81E70-2A98-4A08-A628-94388B063C5E}
Adobe Color Common Settings-->MsiExec.exe /I{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}
Adobe Color EU Extra Settings-->MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8}
Adobe Color JA Extra Settings-->MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}
Adobe Color NA Recommended Settings-->MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5}
Adobe Contribute CS3-->MsiExec.exe /I{FC9E08AA-CD59-4C59-BEF9-87E05B9E37D7}
Adobe Creative Suite 3 Master Collection-->MsiExec.exe /I{8718DC03-D066-4957-94E5-50C3C5042E8E}
Adobe Default Language CS3-->MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}
Adobe Device Central CS3-->MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}
Adobe Dreamweaver CS3-->MsiExec.exe /I{7C10F5C7-F00F-4BD3-A110-C7D240D2DD25}
Adobe ExtendScript Toolkit 2-->MsiExec.exe /I{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}
Adobe Extension Manager CS3-->MsiExec.exe /I{BE5F3842-8309-4754-92D5-83E02E6077A3}
Adobe Flash Player 10 ActiveX-->C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Fonts All-->MsiExec.exe /I{6ABE0BEE-D572-4FE8-B434-9E72A289431B}
Adobe Help Viewer CS3-->MsiExec.exe /I{7ACFB90E-8FD0-4397-AD3A-5195412623A3}
Adobe Illustrator CS3-->MsiExec.exe /I{F08E8D2E-F132-4742-9C87-D5FF223A016A}
Adobe InDesign CS3 Icon Handler-->MsiExec.exe /I{EA7B3CC4-366D-4CF6-8350-FD7A7034116E}
Adobe InDesign CS3-->MsiExec.exe /I{CB3F8375-B600-4B9F-83C9-238ED1E583FD}
Adobe Linguistics CS3-->MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}
Adobe MotionPicture Color Files-->MsiExec.exe /I{6B708481-748A-4EB4-97C1-CD386244FF77}
Adobe PDF Library Files-->MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}
Adobe Photoshop CS3-->MsiExec.exe /I{0046FA01-C5B9-4985-BACB-398DC480FC05}
Adobe Premiere Pro CS3 Functional Content-->MsiExec.exe /I{50F102CA-4BE2-41A9-9810-5BB05EB91B9A}
Adobe Premiere Pro CS3 Third Party Content-->MsiExec.exe /I{485ACF57-F364-440A-8496-E1E81C8FA1AA}
Adobe Premiere Pro CS3-->MsiExec.exe /I{58DCEEE5-532E-44F4-B1D7-A146EF9E9FDA}
Adobe Setup-->MsiExec.exe /I{4458C442-7376-4CF9-AF58-E8CEA6722363}
Adobe SING CS3-->MsiExec.exe /I{B671CBFD-4109-4D35-9252-3062D3CCB7B2}
Adobe Stock Photos CS3-->MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183}
Adobe Type Support-->MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}
Adobe Update Manager CS3-->MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}
Adobe Version Cue CS3 Client-->MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}
Adobe Version Cue CS3 Server-->MsiExec.exe /I{1D58229F-C505-45CA-8223-F35F3A34B963}
Adobe Video Profiles-->MsiExec.exe /I{845A8DB9-8802-4FD3-9FE3-938A6C46A2EC}
Adobe WAS CS3-->MsiExec.exe /I{C5BD220A-EFE8-48A5-B70E-9503D535FACE}
Adobe WinSoft Linguistics Plugin-->MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}
Adobe XMP DVA Panels CS3-->MsiExec.exe /I{0224CACC-994D-45F8-B973-D65056EA9C2F}
Adobe XMP Panels CS3-->MsiExec.exe /I{D5A31AB1-345D-47C7-A87B-036A669F6DF1}
AHV content for Acrobat and Flash-->MsiExec.exe /I{6BBAA81D-6A7E-43AD-8889-2F002DCAAFDD}
Amazon MP3 Downloader 1.0.3-->C:\Program Files\Amazon\MP3 Downloader\Uninstall.exe
Apple Application Support-->MsiExec.exe /I{3FA365DF-2D68-45ED-8F83-8C8A33E65143}
Apple Mobile Device Support-->MsiExec.exe /I{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
Armagetron Advanced 0.2.8.3.1.gcc-->C:\Games\Armagetron Advanced\uninst.exe
Auto Gordian Knot 2.55-->C:\Program Files\AutoGK\uninst.exe
AviSynth 2.5-->"C:\Program Files\AviSynth 2.5\Uninstall.exe"
Bonjour-->MsiExec.exe /I{07287123-B8AC-41CE-8346-3D777245C35B}
Chipamp-->C:\Program Files\foobar2000\chip\uninstall_chipamp.exe
ConvertXtoDVD 4.0.9.322-->"C:\Program Files\VSO\ConvertX\4\unins000.exe"
Cool Timer 3.6-->"C:\Program Files\Cool Timer\unins000.exe"
DVDFab 6.0.6.0 (04/09/2009)-->"C:\Program Files\DVDFab 6\unins000.exe"
ERUNT 1.1j-->"C:\Program Files\ERUNT\unins000.exe"
foobar2000 v0.9.5.6-->"C:\Program Files\foobar2000\uninstall.exe"
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall  /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
iTunes-->MsiExec.exe /I{CC5702D7-86E2-45A8-99D7-E8B976ADCC56}
Java(TM) 6 Update 13-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216012FF}
K-Lite Codec Pack 4.1.7 (Full)-->"C:\Program Files\K-Lite Codec Pack\unins000.exe"
Max Payne 2 Tools-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6CB09F11-AA88-499A-A7CC-709B18FE552F}\Setup.exe" -l0x9
Microsoft .NET Framework 3.5 SP1-->c:\Windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Office Access MUI (English) 2007-->MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007-->MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007-->MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007-->MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007-->MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007-->MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (3.6.3)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
PDF Settings-->MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}
Pen Tablet-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{FE2FF182-7DB1-43FB-BFDE-7C44C26867AE} /l1033
QuickGamma 2.0.0.3-->"C:\Program Files\QuickGamma\unins000.exe"
QuickTime-->MsiExec.exe /I{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}
Roxio Activation Module-->MsiExec.exe /I{07159635-9DFE-4105-BFC0-2817DB540C68}
Roxio Creator Audio-->MsiExec.exe /I{83FFCFC7-88C6-41C6-8752-958A45325C82}
Roxio Creator Copy-->MsiExec.exe /I{619CDD8A-14B6-43A1-AB6C-0F4EE48CE048}
Roxio Creator Data-->MsiExec.exe /I{0D397393-9B50-4C52-84D5-77E344289F87}
Roxio Creator DE-->MsiExec.exe /I{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}
Roxio Creator Tools-->MsiExec.exe /I{0394CDC8-FABD-4ED8-B104-03393876DFDF}
Roxio Drag-to-Disc-->MsiExec.exe /I{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}
Roxio Express Labeler 3-->MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Roxio Update Manager-->MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
Sonic CinePlayer Decoder Pack-->MsiExec.exe /I{8D337F77-BE7F-41A2-A7CB-D5A63FD7049B}
Station LaunchPad-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D7447B32-518C-442F-A8E4-DCF12D8A6D75}\Setup.exe" -l0x9
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
VLC media player 0.9.9-->C:\Program Files\VLC\uninstall.exe
VobSub v2.23 (Remove Only)-->"C:\Program Files\VobSub\uninstall.exe"
Windows Media Player Firefox Plugin-->MsiExec.exe /I{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
XviD MPEG4 Video Codec (remove only)-->"C:\Program Files\XviD\xvid-uninstall.exe"

======Security center information======

AS: Windows Defender

======System event log======

Computer Name: Optimus
Event Code: 10005
Message: DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}
Record Number: 64858
Source Name: Microsoft-Windows-DistributedCOM
Time Written: 20100429024929.000000-000
Event Type: Error
User:

Computer Name: Optimus
Event Code: 10005
Message: DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server:
{7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
Record Number: 64860
Source Name: Microsoft-Windows-DistributedCOM
Time Written: 20100429024936.000000-000
Event Type: Error
User:

Computer Name: Optimus
Event Code: 10005
Message: DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server:
{9E175B6D-F52A-11D8-B9A5-505054503030}
Record Number: 64861
Source Name: Microsoft-Windows-DistributedCOM
Time Written: 20100429024944.000000-000
Event Type: Error
User:

Computer Name: Optimus
Event Code: 7001
Message: The Computer Browser service depends on the Server service which failed to start because of the following error:
The dependency service or group failed to start.
Record Number: 64875
Source Name: Service Control Manager
Time Written: 20100429025040.000000-000
Event Type: Error
User:

Computer Name: Optimus
Event Code: 7026
Message: The following boot-start or system-start driver(s) failed to load:
spldr
Wanarpv6
Record Number: 64884
Source Name: Service Control Manager
Time Written: 20100429025040.000000-000
Event Type: Error
User:

=====Application event log=====

Computer Name: Optimus
Event Code: 6000
Message: The winlogon notification subscriber <GPClient> was unavailable to handle a notification event.
Record Number: 8132
Source Name: Microsoft-Windows-Winlogon
Time Written: 20100429013023.000000-000
Event Type: Warning
User:

Computer Name: Optimus
Event Code: 6000
Message: The winlogon notification subscriber <GPClient> was unavailable to handle a notification event.
Record Number: 8135
Source Name: Microsoft-Windows-Winlogon
Time Written: 20100429013024.000000-000
Event Type: Warning
User:

Computer Name: Optimus
Event Code: 6000
Message: The winlogon notification subscriber <GPClient> was unavailable to handle a notification event.
Record Number: 8139
Source Name: Microsoft-Windows-Winlogon
Time Written: 20100429024918.000000-000
Event Type: Warning
User:

Computer Name: Optimus
Event Code: 4609
Message: The COM+ Event System detected a bad return code during its internal processing.  HRESULT was 8007043c from line 45 of d:\vistasp1_gdr\com\complus\src\events\tier1\eventsystemobj.cpp.  Please contact Microsoft Product Support Services to report this error.
Record Number: 8142
Source Name: Microsoft-Windows-EventSystem
Time Written: 20100429024929.000000-000
Event Type: Error
User:

Computer Name: Optimus
Event Code: 10
Message: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Record Number: 8145
Source Name: Microsoft-Windows-WMI
Time Written: 20100429025040.000000-000
Event Type: Error
User:

=====Security event log=====

Computer Name: Optimus
Event Code: 4624
Message: An account was successfully logged on.

Subject:
   Security ID:      S-1-5-18
   Account Name:      OPTIMUS$
   Account Domain:      WORKGROUP
   Logon ID:      0x3e7

Logon Type:         2

New Logon:
   Security ID:      S-1-5-21-2629204746-2472350728-1553552098-1000
   Account Name:      Daniel
   Account Domain:      Optimus
   Logon ID:      0x16b29
   Logon GUID:      {00000000-0000-0000-0000-000000000000}

Process Information:
   Process ID:      0x230
   Process Name:      C:\Windows\System32\winlogon.exe

Network Information:
   Workstation Name:   OPTIMUS
   Source Network Address:   127.0.0.1
   Source Port:      0

Detailed Authentication Information:
   Logon Process:      User32
   Authentication Package:   Negotiate
   Transited Services:   -
   Package Name (NTLM only):   -
   Key Length:      0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
   - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
   - Transited services indicate which intermediate services have participated in this logon request.
   - Package name indicates which sub-protocol was used among the NTLM protocols.
   - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Record Number: 18073
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20100429024917.562650-000
Event Type: Audit Success
User:

Computer Name: Optimus
Event Code: 4672
Message: Special privileges assigned to new logon.

Subject:
   Security ID:      S-1-5-21-2629204746-2472350728-1553552098-1000
   Account Name:      Daniel
   Account Domain:      Optimus
   Logon ID:      0x16b29

Privileges:      SeSecurityPrivilege
         SeTakeOwnershipPrivilege
         SeLoadDriverPrivilege
         SeBackupPrivilege
         SeRestorePrivilege
         SeDebugPrivilege
         SeSystemEnvironmentPrivilege
         SeImpersonatePrivilege
Record Number: 18074
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20100429024917.562650-000
Event Type: Audit Success
User:

Computer Name: Optimus
Event Code: 4648
Message: A logon was attempted using explicit credentials.

Subject:
   Security ID:      S-1-5-18
   Account Name:      OPTIMUS$
   Account Domain:      WORKGROUP
   Logon ID:      0x3e7
   Logon GUID:      {00000000-0000-0000-0000-000000000000}

Account Whose Credentials Were Used:
   Account Name:      SYSTEM
   Account Domain:      NT AUTHORITY
   Logon GUID:      {00000000-0000-0000-0000-000000000000}

Target Server:
   Target Server Name:   localhost
   Additional Information:   localhost

Process Information:
   Process ID:      0x24c
   Process Name:      C:\Windows\System32\services.exe

Network Information:
   Network Address:   -
   Port:         -

This event is generated when a process attempts to log on an account by explicitly specifying that account's credentials.  This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Record Number: 18075
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20100429024933.490352-000
Event Type: Audit Success
User:

Computer Name: Optimus
Event Code: 4624
Message: An account was successfully logged on.

Subject:
   Security ID:      S-1-5-18
   Account Name:      OPTIMUS$
   Account Domain:      WORKGROUP
   Logon ID:      0x3e7

Logon Type:         5

New Logon:
   Security ID:      S-1-5-18
   Account Name:      SYSTEM
   Account Domain:      NT AUTHORITY
   Logon ID:      0x3e7
   Logon GUID:      {00000000-0000-0000-0000-000000000000}

Process Information:
   Process ID:      0x24c
   Process Name:      C:\Windows\System32\services.exe

Network Information:
   Workstation Name:   
   Source Network Address:   -
   Source Port:      -

Detailed Authentication Information:
   Logon Process:      Advapi 
   Authentication Package:   Negotiate
   Transited Services:   -
   Package Name (NTLM only):   -
   Key Length:      0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
   - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
   - Transited services indicate which intermediate services have participated in this logon request.
   - Package name indicates which sub-protocol was used among the NTLM protocols.
   - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Record Number: 18076
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20100429024933.490352-000
Event Type: Audit Success
User:

Computer Name: Optimus
Event Code: 4672
Message: Special privileges assigned to new logon.

Subject:
   Security ID:      S-1-5-18
   Account Name:      SYSTEM
   Account Domain:      NT AUTHORITY
   Logon ID:      0x3e7

Privileges:      SeAssignPrimaryTokenPrivilege
         SeTcbPrivilege
         SeSecurityPrivilege
         SeTakeOwnershipPrivilege
         SeLoadDriverPrivilege
         SeBackupPrivilege
         SeRestorePrivilege
         SeDebugPrivilege
         SeAuditPrivilege
         SeSystemEnvironmentPrivilege
         SeImpersonatePrivilege
Record Number: 18077
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20100429024933.490352-000
Event Type: Audit Success
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Common Files\Roxio Shared\9.0\DLLShared\;C:\MaxPayne2Dev\Rasmaker2;C:\Program Files\QuickTime\QTSystem\
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=x86
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 23 Stepping 6, GenuineIntel
"PROCESSOR_REVISION"=1706
"NUMBER_OF_PROCESSORS"=2
"TRACE_FORMAT_SEARCH_PATH"=\\NTREL202.ntdev.corp.microsoft.com\4F18C3A5-CA09-4DBD-B6FC-219FDD4C6BE0\TraceFormat
"DFSTRACINGON"=FALSE
"RoxioCentral"=C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\
"CLASSPATH"=.;C:\Program Files\Java\jre6\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre6\lib\ext\QTJava.zip
"SAFEBOOT_OPTION"=NETWORK

-----------------EOF-----------------

Corrine

Hi, thedaniel. 

Welcome to LandzDown Forum.

We will do our best to assist you.  However, in order to do so, please follow all instructions provided in the sequence given.  Do not install/re-install any programs or run any fixes or scanners that you have not been instructed to use.  This may cause conflicts with the tools being used in the cleanup process.   

If you have questions regarding any of the instructions or problems running any tools, please let us know.

Let's start by giving you some wiggle-room and then address the additional problems on your computer.  To do so, you will need to do the following:

First, if you are unable to download from this computer, from another computer, please download Malwarebytes' Anti-Malware Download Link and save it to an external media such as a USB flash drive.

Next, with the rogue Vista Antimalware running, please do the following.

1.  Launch Notepad. (If you do not know where to locate Notepad, do the following: Click Start->Run (or WinKey+R). Input: "command". Press Enter or click OK. Type the word notepad following the > symbol (>notepad) and press Enter.)

2.  Copy and paste the text in the code box below into Notepad:

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command]
[-HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command]
[-HKEY_CLASSES_ROOT\.exe\shell\open\command]

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[-HKEY_CLASSES_ROOT\secfile]


3.  Save the file as "FixExe.reg" (without quotation-marks) to your Desktop.  NOTE: choose Save as type: All files

4.  Double-click on the FixExe.reg file. When Windows prompts whether or not you want to allow the data to be added to your computer, click on the Yes button.

Next, please install Malwarebytes (MBAM) from the external media.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    Update Malwarebytes' Anti-Malware and
    Launch Malwarebytes' Anti-Malware
  • Click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, be sure Quick scan is selected, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, EXCEPT items in System Restore as shown in this sample:
  • Click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here on Windows XP: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt and C:\Users\UserName\AppData\Roaming\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt on Windows Vista and Windows 7.
  • Please post contents of that file in your next reply.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.
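Added example, not code from Corrine's post or from any of the tools used in this thread: a small model of why the FixExe.reg above works. The rogue lives entirely in the user's profile (AppData\Local in the log), so it never needed administrator rights: it only has to point HKCU\Software\Classes\.exe at its own ProgID, and because HKEY_CLASSES_ROOT is a merged view in which the per-user Software\Classes shadows the per-machine one, that single value redirects every .exe launch through its wrapper. The code simulates the two hives as dicts, parses the .reg file with a minimal reader for the Registry Editor 5.00 format, and shows the resolved launch command before and after the fix. The infected starting state (`.exe` -> `secfile` -> ave.exe) is constructed from the key names in the fix and the log in this thread; the handling of deletes through HKCR is a simplification and is marked as such in the comments.

```python
"""Added example (not code from the LandzDown post): a model of the .exe
file-association lookup and a parser for the Registry Editor 5.00 text
format, used to show what FixExe.reg changes.  The registry is simulated
with dicts; the infected starting state and the rogue's command line are
constructed from the log entries in this thread, not read from a machine."""
import re

HKCU_CLASSES = r"HKEY_CURRENT_USER\Software\Classes"
HKLM_CLASSES = r"HKEY_LOCAL_MACHINE\Software\Classes"

# Constructed hijack: ".exe" is pointed at the rogue's ProgID "secfile",
# whose open verb routes every program launch through ave.exe.
WRAPPER_CMD = r'"C:\Users\Daniel\AppData\Local\ave.exe" /START "%1" %*'
CLEAN_CMD = r'"%1" %*'

FIXEXE_REG = r"""Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command]
[-HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command]
[-HKEY_CLASSES_ROOT\.exe\shell\open\command]

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[-HKEY_CLASSES_ROOT\secfile]
"""


def build_infected_registry():
    """Per-user and per-machine class hives as {subkey: {name: data}}.
    Subkeys are relative to Software\\Classes and stored lower-case."""
    return {
        "hkcu": {
            ".exe": {"@": "secfile"},
            r"secfile\shell\open\command": {"@": WRAPPER_CMD},
        },
        "hklm": {
            ".exe": {"@": "exefile", "Content Type": "application/x-msdownload"},
            r"exefile\shell\open\command": {"@": CLEAN_CMD},
        },
    }


def split_path(path):
    """Return (hive, subkey); 'hkcr' denotes the merged HKEY_CLASSES_ROOT view."""
    low = path.lower()
    for prefix, hive in ((HKCU_CLASSES.lower(), "hkcu"),
                         (HKLM_CLASSES.lower(), "hklm"),
                         ("hkey_classes_root", "hkcr")):
        if low.startswith(prefix):
            return hive, low[len(prefix):].strip("\\")
    raise ValueError("path outside the modelled hives: " + path)


def get_value(reg, subkey, name="@"):
    """Merged-view read: HKCU\\Software\\Classes shadows HKLM\\Software\\Classes."""
    subkey = subkey.lower()
    for hive in ("hkcu", "hklm"):
        if subkey in reg[hive] and name in reg[hive][subkey]:
            return reg[hive][subkey][name]
    return None


def delete_key(reg, hive, subkey):
    """Delete a key and everything below it.  A delete through HKCR is
    modelled as removing the key from both hives (simplification)."""
    for h in (("hkcu", "hklm") if hive == "hkcr" else (hive,)):
        for k in list(reg[h]):
            if k == subkey or k.startswith(subkey + "\\"):
                del reg[h][k]


def set_value(reg, hive, subkey, name, data):
    """A write through HKCR lands in HKCU\\Software\\Classes when the key
    already exists there, otherwise in HKLM (documented HKCR behaviour).
    That is why the [HKEY_CLASSES_ROOT\\.exe] section repairs the
    per-user hijack instead of only touching the machine-wide key."""
    if hive == "hkcr":
        hive = "hkcu" if subkey in reg["hkcu"] else "hklm"
    reg[hive].setdefault(subkey, {})[name] = data


def _unquote(s):
    """Undo .reg string escaping for backslash and double quote."""
    return re.sub(r'\\(["\\])', r"\1", s)


def apply_reg(reg, text):
    """Apply a 'Windows Registry Editor Version 5.00' file to the model.
    Supports [key], [-key], @="..." and "name"="..." (string values only)."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[-") and line.endswith("]"):
            delete_key(reg, *split_path(line[2:-1]))
            current = None
        elif line.startswith("[") and line.endswith("]"):
            current = split_path(line[1:-1])
            if current[0] != "hkcr":
                reg[current[0]].setdefault(current[1], {})
        else:
            m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=("((?:[^"\\]|\\.)*)")$', line)
            if m is None or current is None:
                raise ValueError("unsupported .reg line: " + raw)
            name = "@" if m.group(1) == "@" else _unquote(m.group(2))
            set_value(reg, current[0], current[1], name, _unquote(m.group(4)))
    return reg


def resolve_exe_launch(reg):
    """Command the shell would run for an .exe: follow the ProgID named by
    the .exe default value to that ProgID's shell\\open\\command."""
    progid = get_value(reg, ".exe")
    return get_value(reg, progid + r"\shell\open\command") if progid else None


if __name__ == "__main__":
    reg = build_infected_registry()
    print("before fix:", resolve_exe_launch(reg))
    apply_reg(reg, FIXEXE_REG)
    print("after fix: ", resolve_exe_launch(reg))
```

On a real machine the same two lookups are `reg query HKCR\.exe /ve` followed by `reg query HKCR\exefile\shell\open\command /ve`; anything other than `exefile` and `"%1" %*` means the association is still redirected.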

thedaniel

Much thanks! Here is the log:


Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4052

Windows 6.0.6001 Service Pack 1 (Safe Mode)
Internet Explorer 8.0.6001.18813

4/29/2010 5:20:50 PM
mbam-log-2010-04-29 (17-20-50).txt

Scan type: Quick scan
Objects scanned: 105206
Time elapsed: 3 minute(s), 47 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 9
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 84

Memory Processes Infected:
C:\Users\Daniel\AppData\Local\ave.exe (Rogue.MultipleAV) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{65edc0d5-e754-3dd3-85a8-8293ce990d85} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\D (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\D.1 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\QZAIB7KITK (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{65edc0d5-e754-3dd3-85a8-8293ce990d85} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\asam (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\axugtgvg (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\comserver (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hsf87efjhdsf87f3jfsdi7fhsujfd (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hsf87sdhfush87fsufhuie3fddf (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mcexecwin (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon64x.exe (Rogue.YourProtection) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tonunimesa (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Daniel\AppData\Local\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Daniel\AppData\Local\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Daniel\AppData\Local\ave.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\ProgramData\fiponedo\fiponedo.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\00000a7b (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\2454885191.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\2709557120.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\2985839.exe (Trojan.Otlard) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\9709597.exe (Trojan.Cutwail) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\BNB6FF.tmp (Trojan.Sasfis) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\PRAGMA101d.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\PRAGMA12ea.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\PRAGMA1692.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\PRAGMA8f69.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\PRAGMA96aa.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\PRAGMA9765.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\PRAGMA9ba9.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\PRAGMA9e67.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\PRAGMAa460.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\PRAGMAa78b.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\PRAGMAa930.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\PRAGMAacb9.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\PRAGMAae8d.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\PRAGMAb13b.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\PRAGMAb457.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\PRAGMAb753.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\PRAGMAb8d9.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\PRAGMAba6f.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\PRAGMAbf8d.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\PRAGMAc104.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\PRAGMAc2a9.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\PRAGMAc45e.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\PRAGMAc5e4.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\PRAGMAc76a.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\PRAGMAca76.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\PRAGMAce1e.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\PRAGMAcfe2.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\PRAGMAd426.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\PRAGMAd899.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\PRAGMAda9c.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\PRAGMAdcae.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\PRAGMAe150.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\PRAGMAe584.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\PRAGMAea06.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\PRAGMAef34.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\PRAGMAf608.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\PRAGMAf8d5.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\PRAGMAfd77.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\RarSFX0\hor0410e.exe (Adware.Adrotator) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\TMP84AF.tmp (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\anomserwcx.exe (Adware.AdRotator) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\cmd.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\comsrvr.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\debug.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\drweb.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\geurge.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\gmfrxpgv.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\hexdump.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\hfd0moz.dll (Trojan.Ertfor) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\jisfije9fjoiee.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\labur3acy.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\login.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\lsass.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\mexowcarns.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\mwsnxaeorc.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\notepad.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\q1ist8q.exe (Trojan.Ertfor) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\setup.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\stp94117.exe (Trojan.FraudTool) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\sysmon64x.exe (Rogue.YourProtection) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\taskmgr.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\topwesitjh (Rogue.YourProtection) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\user.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\wcmxrsnaoe.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\y663int.exe (Trojan.Ertfor) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\asam.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\ave.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\bdqmptyll\nfrcoeftssd.exe (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Roaming\wpp.exe (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Users\Daniel\Desktop\nudetube.com.lnk (Rogue.Link) -> Quarantined and deleted successfully.
C:\Users\Daniel\Favorites\_favdata.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Users\Daniel\Local Settings\Application Data\Windows Server\rhhlty.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Daniel\Local Settings\Application Data\ave.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
C:\Windows\System32\wr93964.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Windows\System32\xwr93964.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\Temp\mws448A.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
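Added example, not code from the thread or from Malwarebytes: a parser for log lines in the format posted above, used to triage such a log rather than read 84 entries by eye. The sample input is a constructed excerpt of this thread's log. It groups detections by section and family, lists the Run-key names that were used for persistence, and, for the `Hijack.StartMenuInternet` entries, pulls the wrapper executable out of the `Bad:` command line and checks that the same file also appears among the removed files, so the binary that was intercepting browser launches is confirmed gone and not just unhooked. The grouping rules and the "first quoted path is the wrapper" heuristic are the example's own, not Malwarebytes' classification.

```python
"""Added example (not code from the LandzDown post or from Malwarebytes):
a parser and triage summary for Malwarebytes' Anti-Malware log lines.
SAMPLE_LOG is a constructed excerpt of the log posted in this thread."""
import re
from collections import Counter

SAMPLE_LOG = r"""Memory Processes Infected:
C:\Users\Daniel\AppData\Local\ave.exe (Rogue.MultipleAV) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\asam (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon64x.exe (Rogue.YourProtection) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Daniel\AppData\Local\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Daniel\AppData\Local\ave.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.

Files Infected:
C:\Users\Daniel\AppData\Local\Temp\PRAGMA101d.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\lsass.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\asam.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\ave.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

# One detection line: "<item> (<family>) -> [Bad: (...) Good: (...) -> ]<action>."
ENTRY_RE = re.compile(
    r"^(?P<item>.+?) \((?P<family>[A-Za-z0-9.]+)\) -> "
    r"(?:Bad: \((?P<bad>.*)\) Good: \((?P<good>.*)\) -> )?"
    r"(?P<action>[A-Za-z ]+?)\.?$"
)
QUOTED_RE = re.compile(r'"([^"]+)"')


def parse_mbam_log(text):
    """Return one dict per detection with its section, item, family,
    action and (for data-item hijacks) the Bad/Good values."""
    entries, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("(No malicious"):
            continue
        if line.endswith(" Infected:"):
            section = line[:-1]
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            continue  # header and summary lines are not detections
        entries.append({"section": section, **m.groupdict()})
    return entries


def wrapper_binaries(entries):
    """For each StartMenuInternet hijack, the first quoted path in the Bad
    command is the binary run instead of the browser (heuristic)."""
    found = {}
    for e in entries:
        if e["family"] == "Hijack.StartMenuInternet" and e["bad"]:
            paths = QUOTED_RE.findall(e["bad"])
            if paths:
                found.setdefault(paths[0].lower(), []).append(e["item"])
    return found


def removed_paths(entries):
    """Paths that the scan quarantined or unloaded, lower-cased for matching."""
    return {e["item"].lower() for e in entries
            if e["section"] in ("Files Infected", "Memory Processes Infected")}


def triage(text):
    """Summary a responder wants: counts, persistence names, and whether
    each browser-launch wrapper was itself removed."""
    entries = parse_mbam_log(text)
    removed = removed_paths(entries)
    return {
        "by_section": Counter(e["section"] for e in entries),
        "by_family": Counter(e["family"] for e in entries),
        "run_keys": [e["item"].rsplit("\\", 1)[-1] for e in entries
                     if "\\currentversion\\run\\" in e["item"].lower()],
        "wrappers": {w: (w in removed) for w in wrapper_binaries(entries)},
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

Run it against a full log by passing the file's contents to `triage()`; a wrapper that maps to `False` means the interception was unhooked but the executable behind it was not found on disk, which is the case worth a second scan.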

Corrine

It appears that the log got cut off due to forum software restrictions.  Please open the log from C:\Users\UserName\AppData\Roaming\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt and copy/paste the remainder from where your post ended.

Can you get to normal mode now?  If so, please download and install HijackThis© from one of the following sites:
  • At the download prompt, choose "Save"
  • Navigate to the saved file and double-click the installer, HJTsetup.exe
  • By default, HijackThis© will be installed on your computer at C:\Program Files\Trend Micro\HijackThis, making an entry in the Start menu and also providing a Desktop shortcut
Next, please double-click RSIT.exe on your desktop and post the resultant log.


thedaniel

Sorry for the lag between replies.

The log posted in its entirety. At least what was in the txt file. I am able to get into normal mode and run applications again. Every now and then, a small iexplorer window pops up but is blocked from whatever address it is trying to access.

Anyways, installing hijackthis right now.

thedaniel

Logfile of random's system information tool 1.06 (written by random/random)
Run by Daniel at 2010-04-29 21:10:33
Microsoft® Windows Vista™ Home Basic  Service Pack 1
System drive C: has 2 GB (1%) free of 295 GB
Total RAM: 3325 MB (63% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:10:37 PM, on 4/29/2010
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Users\Daniel\AppData\Local\Temp\Ulf.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Users\Daniel\Program Files\DNA\btdna.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Sony\ACID Pro 7.0\acid70.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\explorer.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Daniel\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Daniel.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fhl%3Den%26tab%3Dwm%26ui%3Dhtml%26zy%3Dl&bsv=zpwhtygjntrz&scc=1&ltmpl=default&ltmplcache=2&hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Users\Daniel\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [nfhoywuk^] C:\Users\Daniel\nfhoywuk^.exe
O4 - HKCU\..\Run: [nfhoywukc] C:\Users\Daniel\nfhoywukc.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: TabUserW.exe.lnk = C:\Windows\System32\Wtablet\TabUserW.exe
O8 - Extra context menu item: Append to existing PDF - res://c:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://c:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://c:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://c:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://c:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://c:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://c:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://c:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader2.cab
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 7279 bytes

======Scheduled tasks folder======

C:\Windows\tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-23 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{074C1DC5-9320-4A9A-947D-C042949C6216}]
ContributeBHO Class - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll [2007-03-16 118784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
Adobe PDF Conversion Toolbar Helper - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2007-05-10 321120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-03-09 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2007-05-10 321120]
{517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - Contribute Toolbar - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll [2007-03-16 118784]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-20 1008184]
"Acrobat Assistant 8.0"=C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe [2007-05-10 624248]
""= []
"Adobe_ID0EYTHM"=C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE [2007-03-20 1884160]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-03-09 148888]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2009-11-11 417792]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2009-05-30 292136]
"Malwarebytes Anti-Malware (reboot)"=C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2010-03-30 1086856]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"=C:\Users\Daniel\Program Files\DNA\btdna.exe [2009-10-07 323392]
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe [2008-01-20 202240]
"nfhoywuk^"=C:\Users\Daniel\nfhoywuk^.exe []
"nfhoywukc"=C:\Users\Daniel\nfhoywukc.exe []

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
TabUserW.exe.lnk - C:\Windows\System32\Wtablet\TabUserW.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\rootrepeal.sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1
.js - open - "C:\Program Files\Adobe\Adobe Dreamweaver CS3\Dreamweaver.exe","%1"

======List of files/folders created in the last 1 months======

2010-04-29 17:03:04 ----D---- C:\Users\Daniel\AppData\Roaming\Malwarebytes
2010-04-29 17:02:50 ----D---- C:\ProgramData\Malwarebytes
2010-04-29 17:02:50 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-04-28 23:01:21 ----A---- C:\RootRepeal report 04-28-10 (23-01-21).txt
2010-04-28 22:57:16 ----D---- C:\rsit
2010-04-28 22:57:16 ----D---- C:\Program Files\trend micro
2010-04-28 22:56:08 ----D---- C:\Windows\ERDNT
2010-04-28 22:55:32 ----D---- C:\Program Files\ERUNT
2010-04-28 19:25:02 ----D---- C:\Windows\pss
2010-04-28 18:52:26 ----A---- C:\Windows\ntbtlog.txt
2010-04-28 18:17:45 ----D---- C:\Users\Daniel\AppData\Roaming\AKM Antivirus 2010 Pro
2010-04-28 18:17:22 ----D---- C:\ProgramData\yidurufo
2010-04-28 18:17:22 ----D---- C:\ProgramData\fosepoyo
2010-04-28 18:17:21 ----D---- C:\ProgramData\wepejapu
2010-04-28 18:17:21 ----D---- C:\ProgramData\litikusi
2010-04-28 18:10:40 ----D---- C:\Users\Daniel\AppData\Roaming\FBFEA05627B8A5365FE1FFE8C4B1E325
2010-04-28 18:10:39 ----D---- C:\ProgramData\wajejofu
2010-04-28 18:10:39 ----D---- C:\ProgramData\loraleka
2010-04-28 18:10:39 ----D---- C:\ProgramData\fiponedo
2010-04-12 21:34:16 ----D---- C:\Users\Daniel\AppData\Roaming\Armagetron
2010-04-12 21:34:13 ----D---- C:\ProgramData\Armagetron
2010-04-04 23:20:41 ----A---- C:\Windows\system32\wvc1dmod.dll
2010-04-04 23:20:41 ----A---- C:\Windows\system32\vp7vfw.dll
2010-04-04 23:20:41 ----A---- C:\Windows\system32\sipr3260.dll
2010-04-04 23:20:41 ----A---- C:\Windows\system32\Pncrt.dll
2010-04-04 23:20:41 ----A---- C:\Windows\system32\drv43260.dll
2010-04-04 23:20:41 ----A---- C:\Windows\system32\drv33260.dll
2010-04-04 23:20:41 ----A---- C:\Windows\system32\drv23260.dll
2010-04-04 23:20:41 ----A---- C:\Windows\system32\cook3260.dll
2010-04-04 23:20:40 ----D---- C:\Program Files\VSO

======List of files/folders modified in the last 1 months======

2010-04-29 21:10:37 ----D---- C:\Windows\Prefetch
2010-04-29 21:10:35 ----D---- C:\Windows\Temp
2010-04-29 21:08:30 ----D---- C:\Users\Daniel\AppData\Roaming\DNA
2010-04-29 20:16:02 ----D---- C:\Ninjastars
2010-04-29 19:31:26 ----D---- C:\Windows\System32
2010-04-29 19:31:26 ----D---- C:\Windows\inf
2010-04-29 19:31:26 ----A---- C:\Windows\system32\PerfStringBackup.INI
2010-04-29 19:24:38 ----SHD---- C:\System Volume Information
2010-04-29 17:27:56 ----D---- C:\Windows\Tasks
2010-04-29 17:23:24 ----D---- C:\Windows\system32\drivers
2010-04-29 17:22:41 ----D---- C:\Windows\tracing
2010-04-29 17:02:50 ----RD---- C:\Program Files
2010-04-29 17:02:50 ----HD---- C:\ProgramData
2010-04-28 22:56:08 ----D---- C:\Windows
2010-04-28 22:53:11 ----D---- C:\Downloads
2010-04-28 19:34:53 ----D---- C:\Users\Daniel\AppData\Roaming\foobar2000
2010-04-28 19:24:37 ----D---- C:\Windows\system32\Tasks
2010-04-28 18:11:21 ----D---- C:\Users\Daniel\AppData\Roaming\BitTorrent
2010-04-26 17:52:07 ----D---- C:\ProgramData\Roxio
2010-04-23 01:34:18 ----D---- C:\Images
2010-04-20 23:17:15 ----D---- C:\Projects
2010-04-19 21:03:21 ----D---- C:\Users\Daniel\AppData\Roaming\Vso
2010-04-12 21:34:13 ----D---- C:\Games
2010-04-11 00:00:08 ----D---- C:\Windows\system32\catroot2
2010-04-02 17:51:39 ----D---- C:\Program Files\Mozilla Firefox
2010-03-31 21:18:22 ----D---- C:\Users\Daniel\AppData\Roaming\Adobe
2010-03-31 21:05:33 ----D---- C:\documents

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 DLARTL_M;DLARTL_M; C:\Windows\System32\Drivers\DLARTL_M.SYS [2007-07-23 30064]
R2 DLABMFSM;DLABMFSM; C:\Windows\System32\Drivers\DLABMFSM.SYS [2007-07-23 37360]
R2 DLABOIOM;DLABOIOM; C:\Windows\System32\Drivers\DLABOIOM.SYS [2007-07-23 32848]
R2 DLADResM;DLADResM; C:\Windows\System32\Drivers\DLADResM.SYS [2007-07-23 9104]
R2 DLAIFS_M;DLAIFS_M; C:\Windows\System32\Drivers\DLAIFS_M.SYS [2007-07-23 108752]
R2 DLAOPIOM;DLAOPIOM; C:\Windows\System32\Drivers\DLAOPIOM.SYS [2007-07-23 27216]
R2 DLAPoolM;DLAPoolM; C:\Windows\System32\Drivers\DLAPoolM.SYS [2007-07-23 16304]
R2 DLAUDF_M;DLAUDF_M; C:\Windows\System32\Drivers\DLAUDF_M.SYS [2007-07-23 98448]
R2 DLAUDFAM;DLAUDFAM; C:\Windows\System32\Drivers\DLAUDFAM.SYS [2007-07-23 93552]
R2 DRVNDDM;DRVNDDM; C:\Windows\System32\Drivers\DRVNDDM.SYS [2007-07-23 52000]
R3 atikmdag;atikmdag; C:\Windows\system32\DRIVERS\atikmdag.sys [2008-08-21 3928576]
R3 e1express;Intel(R) PRO/1000 PCI Express Network Connection Driver; C:\Windows\system32\DRIVERS\e1e6032.sys [2008-01-20 220672]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\Windows\system32\DRIVERS\GEARAspiWDM.sys [2009-03-19 23400]
R3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
R3 pcouffin;VSO Software pcouffin; C:\Windows\System32\Drivers\pcouffin.sys [2009-01-13 47360]
R3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-20 83328]
S2 ASPI32;ASPI32; C:\Windows\system32\drivers\ASPI32.sys []
S3 cur_bus;Curitel USB Composite Device driver (WDM); C:\Windows\system32\DRIVERS\cur_bus.sys [2005-07-19 57744]
S3 cur_mdfl;Curitel Packet Service Filter; C:\Windows\system32\DRIVERS\cur_mdfl.sys [2005-07-19 8336]
S3 cur_mdm;Curitel Packet Service Drivers; C:\Windows\system32\DRIVERS\cur_mdm.sys [2005-07-19 93328]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-20 5632]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-20 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-20 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-20 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-20 6016]
S3 USBAAPL;Apple Mobile USB Driver; C:\Windows\System32\Drivers\usbaapl.sys [2009-08-28 40448]
S3 usbscan;USB Scanner Driver; C:\Windows\system32\DRIVERS\usbscan.sys [2008-01-20 35328]
S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2008-01-20 39936]
S4 ErrDev;Microsoft Hardware Error Device Driver; C:\Windows\system32\drivers\errdev.sys [2008-01-20 6656]
S4 MegaSR;MegaSR; C:\Windows\system32\drivers\megasr.sys [2008-01-20 386616]
S4 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\drivers\wmiacpi.sys [2008-01-20 11264]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-08-28 144672]
R2 Ati External Event Utility;Ati External Event Utility; C:\Windows\system32\Ati2evxx.exe [2008-08-21 700416]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2008-12-18 654848]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-05-30 541992]
S3 Adobe Version Cue CS3;Adobe Version Cue CS3; C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe [2007-03-20 153792]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 stllssvr;stllssvr; C:\Program Files\Common Files\SureThing Shared\stllssvr.exe [2007-07-11 69632]

-----------------EOF-----------------

Corrine

Thank you, thedaniel.  I can see where there are still problems. 

Please follow these instructions carefully.

Download ComboFix from one of the following locations:

Link 1
Link 2

!!! IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications. If not disabled, these programs will likely interfere with the cleanup process. This can usually be accomplished by a right-click on the icon in the System Tray.

Note:  If you use AVG, you must also open the AVG 8 Control Center by right-clicking on the AVG 8 icon on the task bar, and then do the following:

  • Click on Tools.
  • Select Advanced Settings.
  • In the left hand pane, scroll down to "Resident Shield".
  • In the main pane, deselect the option to "Enable Resident Shield."
  • To re-enable AVG 8, please select "Enable Resident Shield" again.

Now, please run ComboFix:

  • Note:  If infections are found, ComboFix will automatically reboot the machine to complete the removal process.  Please ensure all open windows are closed before proceeding.
  • Double-click ComboFix.exe on your desktop and follow the prompts.
  • As part of the process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. The Recovery Console will allow you to start up the computer in a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    Please note: If the Microsoft Windows Recovery Console is already installed on the computer, ComboFix will continue the malware removal procedures.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


  • After the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click "Yes" to continue scanning for malware.

  • When finished, a log will be produced. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

thedaniel

Combo Fix Log

ComboFix 10-04-29.05 - Daniel 04/30/2010  10:18:28.1.2 - x86
Microsoft® Windows Vista™ Home Basic   6.0.6001.1.1252.1.1033.18.3325.2516 [GMT -4:00]
Running from: c:\users\Daniel\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Daniel\AppData\Local\Microsoft\Windows\Temporary Internet Files\1s7U24a1.jpg
c:\users\Daniel\AppData\Local\Microsoft\Windows\Temporary Internet Files\gBVcQNMd.jpg
c:\users\Daniel\AppData\Local\Microsoft\Windows\Temporary Internet Files\gW53qfsr.jpg
c:\users\Daniel\AppData\Local\Microsoft\Windows\Temporary Internet Files\IyjPew0.jpg
c:\users\Daniel\AppData\Local\syssvc.exe
c:\users\Daniel\AppData\Local\Windows Server
c:\users\Daniel\AppData\Local\Windows Server\flags.ini
c:\users\Daniel\AppData\Local\Windows Server\uses32.dat
c:\users\Daniel\AppData\Roaming\inst.exe
c:\users\Daniel\AppData\Roaming\Microsoft\Windows\Templates\memory.tmp
c:\windows\system32\ccrpTmr6.dll

.
(((((((((((((((((((((((((   Files Created from 2010-03-28 to 2010-04-30  )))))))))))))))))))))))))))))))
.

2010-04-30 14:23 . 2010-04-30 14:23   --------   d-----w-   c:\users\Daniel\AppData\Local\temp
2010-04-30 14:23 . 2010-04-30 14:23   --------   d-----w-   c:\users\Default\AppData\Local\temp
2010-04-29 02:55 . 2010-04-29 02:55   --------   d-----w-   c:\program files\ERUNT
2010-04-28 22:17 . 2010-04-28 22:17   --------   d-----w-   c:\users\Daniel\AppData\Roaming\AKM Antivirus 2010 Pro
2010-04-28 22:17 . 2010-04-28 22:17   1047552   ----a-w-   c:\users\Daniel\AppData\Roaming\AKM Antivirus 2010 Pro\AKM Antivirus 2010 Pro.exe
2010-04-28 22:17 . 2010-04-28 22:17   --------   d-----w-   c:\programdata\fosepoyo
2010-04-28 22:17 . 2010-04-28 22:17   --------   d-----w-   c:\programdata\yidurufo
2010-04-28 22:17 . 2010-04-28 22:17   --------   d-----w-   c:\programdata\wepejapu
2010-04-28 22:17 . 2010-04-28 22:17   --------   d-----w-   c:\programdata\litikusi
2010-04-28 22:11 . 2010-04-29 21:20   --------   d-----w-   c:\users\Daniel\AppData\Local\bdqmptyll
2010-04-28 22:10 . 2010-04-28 22:10   730624   ----a-w-   c:\users\Daniel\AppData\Roaming\FBFEA05627B8A5365FE1FFE8C4B1E325\newupdate1142C.exe
2010-04-28 22:10 . 2010-04-28 22:10   --------   d-----w-   c:\users\Daniel\AppData\Roaming\FBFEA05627B8A5365FE1FFE8C4B1E325
2010-04-28 22:10 . 2010-04-29 21:20   --------   d-----w-   c:\programdata\fiponedo
2010-04-28 22:10 . 2010-04-28 22:10   --------   d-----w-   c:\programdata\wajejofu
2010-04-28 22:10 . 2010-04-28 22:10   --------   d-----w-   c:\programdata\loraleka
2010-04-13 01:34 . 2010-04-13 01:40   --------   d-----w-   c:\users\Daniel\AppData\Roaming\Armagetron
2010-04-13 01:34 . 2010-04-13 01:34   --------   d-----w-   c:\programdata\Armagetron
2010-04-05 03:20 . 2009-09-03 01:58   626688   ----a-w-   c:\windows\system32\vp7vfw.dll
2010-04-05 03:20 . 2009-09-03 01:58   65602   ----a-w-   c:\windows\system32\cook3260.dll
2010-04-05 03:20 . 2009-09-03 01:58   217127   ----a-w-   c:\windows\system32\drv43260.dll
2010-04-05 03:20 . 2009-09-03 01:58   208935   ----a-w-   c:\windows\system32\drv33260.dll
2010-04-05 03:20 . 2009-09-03 01:58   176165   ----a-w-   c:\windows\system32\drv23260.dll
2010-04-05 03:20 . 2009-09-03 01:58   102439   ----a-w-   c:\windows\system32\sipr3260.dll
2010-04-05 03:20 . 2009-09-03 01:57   1184984   ----a-w-   c:\windows\system32\wvc1dmod.dll
2010-04-05 03:20 . 2010-04-05 03:20   --------   d-----w-   c:\program files\VSO

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-30 14:23 . 2008-12-19 18:08   --------   d-----w-   c:\users\Daniel\AppData\Roaming\DNA
2010-04-30 07:19 . 2008-12-19 02:11   --------   d-----w-   c:\users\Daniel\AppData\Roaming\foobar2000
2010-04-30 01:03 . 2010-04-29 02:57   --------   d-----w-   c:\program files\trend micro
2010-04-29 21:03 . 2010-04-29 21:03   --------   d-----w-   c:\users\Daniel\AppData\Roaming\Malwarebytes
2010-04-29 21:02 . 2010-04-29 21:02   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-04-29 21:02 . 2010-04-29 21:02   --------   d-----w-   c:\programdata\Malwarebytes
2010-04-28 22:11 . 2008-12-19 18:09   --------   d-----w-   c:\users\Daniel\AppData\Roaming\BitTorrent
2010-04-26 21:52 . 2008-12-19 01:16   --------   d-----w-   c:\programdata\Roxio
2010-04-20 01:03 . 2009-01-13 06:22   --------   d-----w-   c:\users\Daniel\AppData\Roaming\Vso
2010-04-06 12:35 . 2008-12-19 01:42   680   ----a-w-   c:\users\Daniel\AppData\Local\d3d9caps.dat
2010-03-30 04:46 . 2010-04-29 21:02   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45 . 2010-04-29 21:02   20824   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-03-26 09:20 . 2009-06-25 11:07   --------   d-----w-   c:\users\Daniel\AppData\Roaming\vlc
2010-03-26 09:20 . 2008-12-19 04:24   --------   d-----w-   c:\programdata\FLEXnet
2010-03-25 05:20 . 2008-12-19 02:26   --------   d-----w-   c:\users\Daniel\AppData\Roaming\Publish Providers
2010-03-16 01:56 . 2010-03-16 01:56   1080   ----a-w-   c:\windows\AUTOLNCH.REG
2010-03-16 01:56 . 2010-03-16 01:56   --------   d-----w-   c:\program files\Hewlett-Packard
2010-03-03 18:42 . 2009-03-24 21:04   --------   d-----w-   c:\users\Daniel\AppData\Roaming\dvdcss
2010-02-28 18:00 . 2010-02-28 18:00   50354   ----a-w-   c:\users\Daniel\AppData\Roaming\Facebook\uninstall.exe
2010-02-26 06:41 . 2010-02-26 06:41   847040   ----a-w-   c:\users\Daniel\AppData\Roaming\Facebook\axfbootloader.dll
2010-02-26 06:41 . 2010-02-26 06:41   5582848   ----a-w-   c:\users\Daniel\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll
2010-02-24 14:16 . 2009-10-06 05:43   181632   ------w-   c:\windows\system32\MpSigStub.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\users\Daniel\Program Files\DNA\btdna.exe" [2009-10-07 323392]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-03-30 1086856]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
TabUserW.exe.lnk - c:\windows\System32\Wtablet\TabUserW.exe [2003-5-29 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

R3 cur_bus;Curitel USB Composite Device driver (WDM);c:\windows\system32\DRIVERS\cur_bus.sys [2005-07-19 57744]
R3 cur_mdfl;Curitel Packet Service Filter;c:\windows\system32\DRIVERS\cur_mdfl.sys [2005-07-19 8336]
R3 cur_mdm;Curitel Packet Service Drivers;c:\windows\system32\DRIVERS\cur_mdm.sys [2005-07-19 93328]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork   REG_MULTI_SZ      PLA DPS BFE mpssvc
.
.
------- Supplementary Scan -------
.
uStart Page = https://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fhl%3Den%26tab%3Dwm%26ui%3Dhtml%26zy%3Dl&bsv=zpwhtygjntrz&scc=1&ltmpl=default&ltmplcache=2&hl=en
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
FF - ProfilePath - c:\users\Daniel\AppData\Roaming\Mozilla\Firefox\Profiles\z0708kj1.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\users\Daniel\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\users\Daniel\AppData\Roaming\Mozilla\Firefox\Profiles\z0708kj1.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071301000019.dll
FF - plugin: c:\users\Daniel\Program Files\DNA\plugins\npbtdna.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency",   1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug",            false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight",       2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize",       1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight",   25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight",     5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-nfhoywuk^ - c:\users\Daniel\nfhoywuk^.exe
HKCU-Run-nfhoywukc - c:\users\Daniel\nfhoywukc.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-30 10:23
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-04-30  10:24:33
ComboFix-quarantined-files.txt  2010-04-30 14:24

Pre-Run: 17,136,336,896 bytes free
Post-Run: 20,834,828,288 bytes free

- - End Of File - - 47330B989CECE5A0D60C533C5729AC65

thedaniel

HijackThis Log

Logfile of random's system information tool 1.06 (written by random/random)
Run by Daniel at 2010-04-30 10:28:33
Microsoft® Windows Vista™ Home Basic  Service Pack 1
System drive C: has 20 GB (7%) free of 295 GB
Total RAM: 3325 MB (71% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:28:35 AM, on 4/30/2010
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Users\Daniel\Program Files\DNA\btdna.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\explorer.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Daniel\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Daniel.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fhl%3Den%26tab%3Dwm%26ui%3Dhtml%26zy%3Dl&bsv=zpwhtygjntrz&scc=1&ltmpl=default&ltmplcache=2&hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Users\Daniel\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\Windows\System32\Wtablet\TabUserW.exe
O8 - Extra context menu item: Append to existing PDF - res://c:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://c:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://c:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://c:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://c:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://c:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://c:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://c:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader2.cab
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 6245 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-23 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{074C1DC5-9320-4A9A-947D-C042949C6216}]
ContributeBHO Class - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll [2007-03-16 118784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
Adobe PDF Conversion Toolbar Helper - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2007-05-10 321120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-03-09 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2007-05-10 321120]
{517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - Contribute Toolbar - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll [2007-03-16 118784]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-20 1008184]
"Acrobat Assistant 8.0"=C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe [2007-05-10 624248]
"Adobe_ID0EYTHM"=C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE [2007-03-20 1884160]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-03-09 148888]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2009-11-11 417792]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2009-05-30 292136]
"Malwarebytes Anti-Malware (reboot)"=C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2010-03-30 1086856]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"=C:\Users\Daniel\Program Files\DNA\btdna.exe [2009-10-07 323392]
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe [2008-01-20 202240]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
TabUserW.exe.lnk - C:\Windows\System32\Wtablet\TabUserW.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"= []

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\rootrepeal.sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1

======List of files/folders created in the last 1 months======

2010-04-30 10:24:35 ----SHD---- C:\$RECYCLE.BIN
2010-04-30 10:24:34 ----D---- C:\Windows\temp
2010-04-30 10:24:33 ----A---- C:\ComboFix.txt
2010-04-30 10:16:57 ----A---- C:\Windows\zip.exe
2010-04-30 10:16:57 ----A---- C:\Windows\SWSC.exe
2010-04-30 10:16:57 ----A---- C:\Windows\SWREG.exe
2010-04-30 10:16:57 ----A---- C:\Windows\sed.exe
2010-04-30 10:16:57 ----A---- C:\Windows\PEV.exe
2010-04-30 10:16:57 ----A---- C:\Windows\NIRCMD.exe
2010-04-30 10:16:57 ----A---- C:\Windows\MBR.exe
2010-04-30 10:16:57 ----A---- C:\Windows\grep.exe
2010-04-30 10:16:23 ----D---- C:\Qoobox
2010-04-30 10:16:12 ----A---- C:\Windows\SWXCACLS.exe
2010-04-29 17:03:04 ----D---- C:\Users\Daniel\AppData\Roaming\Malwarebytes
2010-04-29 17:02:50 ----D---- C:\ProgramData\Malwarebytes
2010-04-29 17:02:50 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-04-28 23:01:21 ----A---- C:\RootRepeal report 04-28-10 (23-01-21).txt
2010-04-28 22:57:16 ----D---- C:\rsit
2010-04-28 22:57:16 ----D---- C:\Program Files\trend micro
2010-04-28 22:56:08 ----D---- C:\Windows\ERDNT
2010-04-28 22:55:32 ----D---- C:\Program Files\ERUNT
2010-04-28 19:25:02 ----D---- C:\Windows\pss
2010-04-28 18:52:26 ----A---- C:\Windows\ntbtlog.txt
2010-04-28 18:17:45 ----D---- C:\Users\Daniel\AppData\Roaming\AKM Antivirus 2010 Pro
2010-04-28 18:17:22 ----D---- C:\ProgramData\yidurufo
2010-04-28 18:17:22 ----D---- C:\ProgramData\fosepoyo
2010-04-28 18:17:21 ----D---- C:\ProgramData\wepejapu
2010-04-28 18:17:21 ----D---- C:\ProgramData\litikusi
2010-04-28 18:10:40 ----D---- C:\Users\Daniel\AppData\Roaming\FBFEA05627B8A5365FE1FFE8C4B1E325
2010-04-28 18:10:39 ----D---- C:\ProgramData\wajejofu
2010-04-28 18:10:39 ----D---- C:\ProgramData\loraleka
2010-04-28 18:10:39 ----D---- C:\ProgramData\fiponedo
2010-04-12 21:34:16 ----D---- C:\Users\Daniel\AppData\Roaming\Armagetron
2010-04-12 21:34:13 ----D---- C:\ProgramData\Armagetron
2010-04-04 23:20:41 ----A---- C:\Windows\system32\wvc1dmod.dll
2010-04-04 23:20:41 ----A---- C:\Windows\system32\vp7vfw.dll
2010-04-04 23:20:41 ----A---- C:\Windows\system32\sipr3260.dll
2010-04-04 23:20:41 ----A---- C:\Windows\system32\Pncrt.dll
2010-04-04 23:20:41 ----A---- C:\Windows\system32\drv43260.dll
2010-04-04 23:20:41 ----A---- C:\Windows\system32\drv33260.dll
2010-04-04 23:20:41 ----A---- C:\Windows\system32\drv23260.dll
2010-04-04 23:20:41 ----A---- C:\Windows\system32\cook3260.dll
2010-04-04 23:20:40 ----D---- C:\Program Files\VSO

======List of files/folders modified in the last 1 months======

2010-04-30 10:24:35 ----D---- C:\Windows\Prefetch
2010-04-30 10:24:34 ----D---- C:\Windows
2010-04-30 10:23:11 ----A---- C:\Windows\system.ini
2010-04-30 10:23:08 ----D---- C:\Users\Daniel\AppData\Roaming\DNA
2010-04-30 10:22:44 ----D---- C:\Windows\System32
2010-04-30 10:21:24 ----D---- C:\Windows\system32\drivers
2010-04-30 10:21:24 ----D---- C:\Windows\AppPatch
2010-04-30 10:21:24 ----D---- C:\Program Files\Common Files
2010-04-30 10:18:13 ----D---- C:\Windows\inf
2010-04-30 10:18:13 ----A---- C:\Windows\system32\PerfStringBackup.INI
2010-04-30 03:19:10 ----D---- C:\Users\Daniel\AppData\Roaming\foobar2000
2010-04-30 02:38:44 ----D---- C:\Ninjastars
2010-04-30 02:18:19 ----SHD---- C:\System Volume Information
2010-04-30 02:09:59 ----D---- C:\Windows\Tasks
2010-04-30 02:09:59 ----D---- C:\Windows\system32\Tasks
2010-04-29 17:23:24 ----D---- C:\Windows\tracing
2010-04-29 17:02:50 ----RD---- C:\Program Files
2010-04-29 17:02:50 ----D---- C:\ProgramData
2010-04-28 22:53:11 ----D---- C:\Downloads
2010-04-28 18:11:21 ----D---- C:\Users\Daniel\AppData\Roaming\BitTorrent
2010-04-26 17:52:07 ----D---- C:\ProgramData\Roxio
2010-04-23 01:34:18 ----D---- C:\Images
2010-04-20 23:17:15 ----D---- C:\Projects
2010-04-19 21:03:21 ----D---- C:\Users\Daniel\AppData\Roaming\Vso
2010-04-12 21:34:13 ----D---- C:\Games
2010-04-11 00:00:08 ----D---- C:\Windows\system32\catroot2
2010-04-02 17:51:39 ----D---- C:\Program Files\Mozilla Firefox
2010-03-31 21:18:22 ----D---- C:\Users\Daniel\AppData\Roaming\Adobe
2010-03-31 21:05:33 ----D---- C:\documents

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 DLARTL_M;DLARTL_M; C:\Windows\System32\Drivers\DLARTL_M.SYS [2007-07-23 30064]
R2 DLABMFSM;DLABMFSM; C:\Windows\System32\Drivers\DLABMFSM.SYS [2007-07-23 37360]
R2 DLABOIOM;DLABOIOM; C:\Windows\System32\Drivers\DLABOIOM.SYS [2007-07-23 32848]
R2 DLADResM;DLADResM; C:\Windows\System32\Drivers\DLADResM.SYS [2007-07-23 9104]
R2 DLAIFS_M;DLAIFS_M; C:\Windows\System32\Drivers\DLAIFS_M.SYS [2007-07-23 108752]
R2 DLAOPIOM;DLAOPIOM; C:\Windows\System32\Drivers\DLAOPIOM.SYS [2007-07-23 27216]
R2 DLAPoolM;DLAPoolM; C:\Windows\System32\Drivers\DLAPoolM.SYS [2007-07-23 16304]
R2 DLAUDF_M;DLAUDF_M; C:\Windows\System32\Drivers\DLAUDF_M.SYS [2007-07-23 98448]
R2 DLAUDFAM;DLAUDFAM; C:\Windows\System32\Drivers\DLAUDFAM.SYS [2007-07-23 93552]
R2 DRVNDDM;DRVNDDM; C:\Windows\System32\Drivers\DRVNDDM.SYS [2007-07-23 52000]
R3 atikmdag;atikmdag; C:\Windows\system32\DRIVERS\atikmdag.sys [2008-08-21 3928576]
R3 e1express;Intel(R) PRO/1000 PCI Express Network Connection Driver; C:\Windows\system32\DRIVERS\e1e6032.sys [2008-01-20 220672]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\Windows\system32\DRIVERS\GEARAspiWDM.sys [2009-03-19 23400]
R3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
R3 pcouffin;VSO Software pcouffin; C:\Windows\System32\Drivers\pcouffin.sys [2009-01-13 47360]
R3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-20 83328]
S2 ASPI32;ASPI32; C:\Windows\system32\drivers\ASPI32.sys []
S3 catchme;catchme; \??\C:\Users\Daniel\AppData\Local\Temp\catchme.sys []
S3 cur_bus;Curitel USB Composite Device driver (WDM); C:\Windows\system32\DRIVERS\cur_bus.sys [2005-07-19 57744]
S3 cur_mdfl;Curitel Packet Service Filter; C:\Windows\system32\DRIVERS\cur_mdfl.sys [2005-07-19 8336]
S3 cur_mdm;Curitel Packet Service Drivers; C:\Windows\system32\DRIVERS\cur_mdm.sys [2005-07-19 93328]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-20 5632]
S3 mbr;mbr; \??\C:\Users\Daniel\AppData\Local\Temp\mbr.sys []
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-20 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-20 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-20 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-20 6016]
S3 USBAAPL;Apple Mobile USB Driver; C:\Windows\System32\Drivers\usbaapl.sys [2009-08-28 40448]
S3 usbscan;USB Scanner Driver; C:\Windows\system32\DRIVERS\usbscan.sys [2008-01-20 35328]
S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2008-01-20 39936]
S4 ErrDev;Microsoft Hardware Error Device Driver; C:\Windows\system32\drivers\errdev.sys [2008-01-20 6656]
S4 MegaSR;MegaSR; C:\Windows\system32\drivers\megasr.sys [2008-01-20 386616]
S4 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\drivers\wmiacpi.sys [2008-01-20 11264]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-08-28 144672]
R2 Ati External Event Utility;Ati External Event Utility; C:\Windows\system32\Ati2evxx.exe [2008-08-21 700416]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2008-12-18 654848]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-05-30 541992]
S3 Adobe Version Cue CS3;Adobe Version Cue CS3; C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe [2007-03-20 153792]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 stllssvr;stllssvr; C:\Program Files\Common Files\SureThing Shared\stllssvr.exe [2007-07-11 69632]

-----------------EOF-----------------

Corrine

Hi, thedaniel.

This time, please be sure to disable Windows Defender prior to running ComboFix.

-- Launch Windows Defender and go to Tools -> Options.
-- Under Administrator options, Deselect the Use Windows Defender box and press the Save button.
-- Confirm the UAC Prompt.

Custom CFScript

Note: The following instructions were created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.



  • Please open Notepad (Click Start -> Run -> type notepad in the Open field -> OK).  Copy/Paste all of the text present inside the code box below:

File::
c:\users\Daniel\AppData\Roaming\AKM Antivirus 2010 Pro
c:\users\Daniel\AppData\Roaming\AKM Antivirus 2010 Pro\AKM Antivirus 2010 Pro.exe
c:\programdata\fosepoyo
c:\programdata\yidurufo
c:\programdata\wepejapu
c:\programdata\litikusi
c:\users\Daniel\AppData\Local\bdqmptyll
c:\users\Daniel\AppData\Roaming\FBFEA05627B8A5365FE1FFE8C4B1E325\newupdate1142C.exe
c:\users\Daniel\AppData\Roaming\FBFEA05627B8A5365FE1FFE8C4B1E325
c:\programdata\fiponedo
c:\programdata\wajejofu
c:\programdata\loraleka


  • Save this as CFScript.txt and place it on your desktop.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.





  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Please let me know how your computer is now.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

thedaniel

Turned off Windows Defender and did as directed. I'm able to use programs and freely go online now, though I'm sure there might be underlying problems that are probably being fixed with ComboFix. Here is the resulting log:

ComboFix 10-04-29.05 - Daniel 04/30/2010  23:24:34.2.2 - x86
Microsoft® Windows Vista™ Home Basic   6.0.6001.1.1252.1.1033.18.3325.2255 [GMT -4:00]
Running from: c:\users\Daniel\Desktop\ComboFix.exe
Command switches used :: c:\users\Daniel\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\programdata\fiponedo"
"c:\programdata\fosepoyo"
"c:\programdata\litikusi"
"c:\programdata\loraleka"
"c:\programdata\wajejofu"
"c:\programdata\wepejapu"
"c:\programdata\yidurufo"
"c:\users\Daniel\AppData\Local\bdqmptyll"
"c:\users\Daniel\AppData\Roaming\AKM Antivirus 2010 Pro"
"c:\users\Daniel\AppData\Roaming\AKM Antivirus 2010 Pro\AKM Antivirus 2010 Pro.exe"
"c:\users\Daniel\AppData\Roaming\FBFEA05627B8A5365FE1FFE8C4B1E325"
"c:\users\Daniel\AppData\Roaming\FBFEA05627B8A5365FE1FFE8C4B1E325\newupdate1142C.exe"
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Daniel\AppData\Roaming\AKM Antivirus 2010 Pro\AKM Antivirus 2010 Pro.exe
c:\users\Daniel\AppData\Roaming\FBFEA05627B8A5365FE1FFE8C4B1E325\newupdate1142C.exe

.
(((((((((((((((((((((((((   Files Created from 2010-04-01 to 2010-05-01  )))))))))))))))))))))))))))))))
.

2010-05-01 03:27 . 2010-05-01 03:27   --------   d-----w-   c:\users\Daniel\AppData\Local\temp
2010-05-01 03:27 . 2010-05-01 03:27   --------   d-----w-   c:\users\Public\AppData\Local\temp
2010-05-01 03:27 . 2010-05-01 03:27   --------   d-----w-   c:\users\Default\AppData\Local\temp
2010-04-29 21:03 . 2010-04-29 21:03   --------   d-----w-   c:\users\Daniel\AppData\Roaming\Malwarebytes
2010-04-29 21:02 . 2010-03-30 04:46   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 21:02 . 2010-04-29 21:02   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-04-29 21:02 . 2010-04-29 21:02   --------   d-----w-   c:\programdata\Malwarebytes
2010-04-29 21:02 . 2010-03-30 04:45   20824   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-04-29 02:57 . 2010-04-30 01:03   --------   d-----w-   c:\program files\trend micro
2010-04-29 02:57 . 2010-04-29 02:57   --------   d-----w-   C:\rsit
2010-04-29 02:55 . 2010-04-29 02:55   --------   d-----w-   c:\program files\ERUNT
2010-04-28 22:17 . 2010-05-01 03:27   --------   d-----w-   c:\users\Daniel\AppData\Roaming\AKM Antivirus 2010 Pro
2010-04-28 22:17 . 2010-04-28 22:17   --------   d-----w-   c:\programdata\fosepoyo
2010-04-28 22:17 . 2010-04-28 22:17   --------   d-----w-   c:\programdata\yidurufo
2010-04-28 22:17 . 2010-04-28 22:17   --------   d-----w-   c:\programdata\wepejapu
2010-04-28 22:17 . 2010-04-28 22:17   --------   d-----w-   c:\programdata\litikusi
2010-04-28 22:11 . 2010-04-29 21:20   --------   d-----w-   c:\users\Daniel\AppData\Local\bdqmptyll
2010-04-28 22:10 . 2010-05-01 03:27   --------   d-----w-   c:\users\Daniel\AppData\Roaming\FBFEA05627B8A5365FE1FFE8C4B1E325
2010-04-28 22:10 . 2010-04-29 21:20   --------   d-----w-   c:\programdata\fiponedo
2010-04-28 22:10 . 2010-04-28 22:10   --------   d-----w-   c:\programdata\wajejofu
2010-04-28 22:10 . 2010-04-28 22:10   --------   d-----w-   c:\programdata\loraleka
2010-04-13 01:34 . 2010-04-13 01:40   --------   d-----w-   c:\users\Daniel\AppData\Roaming\Armagetron
2010-04-13 01:34 . 2010-04-13 01:34   --------   d-----w-   c:\programdata\Armagetron
2010-04-05 03:20 . 2009-09-03 01:58   626688   ----a-w-   c:\windows\system32\vp7vfw.dll
2010-04-05 03:20 . 2009-09-03 01:58   65602   ----a-w-   c:\windows\system32\cook3260.dll
2010-04-05 03:20 . 2009-09-03 01:58   217127   ----a-w-   c:\windows\system32\drv43260.dll
2010-04-05 03:20 . 2009-09-03 01:58   208935   ----a-w-   c:\windows\system32\drv33260.dll
2010-04-05 03:20 . 2009-09-03 01:58   176165   ----a-w-   c:\windows\system32\drv23260.dll
2010-04-05 03:20 . 2009-09-03 01:58   102439   ----a-w-   c:\windows\system32\sipr3260.dll
2010-04-05 03:20 . 2009-09-03 01:57   1184984   ----a-w-   c:\windows\system32\wvc1dmod.dll
2010-04-05 03:20 . 2010-04-05 03:20   --------   d-----w-   c:\program files\VSO

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-01 03:24 . 2008-12-19 18:08   --------   d-----w-   c:\users\Daniel\AppData\Roaming\DNA
2010-04-30 18:23 . 2008-12-19 01:16   --------   d-----w-   c:\programdata\Roxio
2010-04-30 17:00 . 2008-12-19 02:11   --------   d-----w-   c:\users\Daniel\AppData\Roaming\foobar2000
2010-04-28 22:11 . 2008-12-19 18:09   --------   d-----w-   c:\users\Daniel\AppData\Roaming\BitTorrent
2010-04-20 01:03 . 2009-01-13 06:22   --------   d-----w-   c:\users\Daniel\AppData\Roaming\Vso
2010-04-06 12:35 . 2008-12-19 01:42   680   ----a-w-   c:\users\Daniel\AppData\Local\d3d9caps.dat
2010-03-26 09:20 . 2009-06-25 11:07   --------   d-----w-   c:\users\Daniel\AppData\Roaming\vlc
2010-03-26 09:20 . 2008-12-19 04:24   --------   d-----w-   c:\programdata\FLEXnet
2010-03-25 05:20 . 2008-12-19 02:26   --------   d-----w-   c:\users\Daniel\AppData\Roaming\Publish Providers
2010-03-16 01:56 . 2010-03-16 01:56   1080   ----a-w-   c:\windows\AUTOLNCH.REG
2010-03-16 01:56 . 2010-03-16 01:56   --------   d-----w-   c:\program files\Hewlett-Packard
2010-03-03 18:42 . 2009-03-24 21:04   --------   d-----w-   c:\users\Daniel\AppData\Roaming\dvdcss
2010-02-28 18:00 . 2010-02-28 18:00   50354   ----a-w-   c:\users\Daniel\AppData\Roaming\Facebook\uninstall.exe
2010-02-26 06:41 . 2010-02-26 06:41   847040   ----a-w-   c:\users\Daniel\AppData\Roaming\Facebook\axfbootloader.dll
2010-02-26 06:41 . 2010-02-26 06:41   5582848   ----a-w-   c:\users\Daniel\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll
2010-02-24 14:16 . 2009-10-06 05:43   181632   ------w-   c:\windows\system32\MpSigStub.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\users\Daniel\Program Files\DNA\btdna.exe" [2009-10-07 323392]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-03-30 1086856]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
TabUserW.exe.lnk - c:\windows\System32\Wtablet\TabUserW.exe [2003-5-29 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

R3 cur_bus;Curitel USB Composite Device driver (WDM);c:\windows\system32\DRIVERS\cur_bus.sys [2005-07-19 57744]
R3 cur_mdfl;Curitel Packet Service Filter;c:\windows\system32\DRIVERS\cur_mdfl.sys [2005-07-19 8336]
R3 cur_mdm;Curitel Packet Service Drivers;c:\windows\system32\DRIVERS\cur_mdm.sys [2005-07-19 93328]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork   REG_MULTI_SZ      PLA DPS BFE mpssvc
.
.
------- Supplementary Scan -------
.
uStart Page = https://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fhl%3Den%26tab%3Dwm%26ui%3Dhtml%26zy%3Dl&bsv=zpwhtygjntrz&scc=1&ltmpl=default&ltmplcache=2&hl=en
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
FF - ProfilePath - c:\users\Daniel\AppData\Roaming\Mozilla\Firefox\Profiles\z0708kj1.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\users\Daniel\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\users\Daniel\AppData\Roaming\Mozilla\Firefox\Profiles\z0708kj1.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071301000019.dll
FF - plugin: c:\users\Daniel\Program Files\DNA\plugins\npbtdna.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency",   1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug",            false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight",       2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize",       1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight",   25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight",     5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-30 23:27
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ... 

dØÒß Ã~dØÓß6É_ [-1210555390] 0x006D006F
dØÒß Ã~dØÓß6É_ [-1210555390] 0x0061004E
0x001ED800

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-04-30  23:28:57
ComboFix-quarantined-files.txt  2010-05-01 03:28
ComboFix2.txt  2010-04-30 14:24

Pre-Run: 15,867,920,384 bytes free
Post-Run: 15,739,711,488 bytes free

- - End Of File - - 886AD11F8CF9590E1FAF191DE2FBCD91
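
Added example (my code, not anything from the thread, ComboFix or RSIT): a Python triage script that encodes two indicators the helper picked out of the RSIT log by eye, the burst of eight-letter pseudo-random folders created under C:\ProgramData within the same minute and the 32-hex-character folder under AppData\Roaming, plus the `uInternet Settings,ProxyServer = http=127.0.0.1:5555` line from the ComboFix log above, which routes Internet Explorer through a proxy on the infected machine itself. The sample lines are constructed from this thread's log, and the consonant/vowel name heuristic is my assumption about how these folder names were generated, not something either tool implements.

```python
"""Triage of RSIT / ComboFix log lines like those posted in this thread (added example).

Encodes three indicators a helper would look for:
  * bursts of 8-letter pseudo-random folders created directly under C:\\ProgramData
    within the same minute (fosepoyo, yidurufo, ...)
  * a 32-hex-character folder under AppData\\Roaming
  * an Internet Explorer ProxyServer value that points at the local host
"""
import re
from datetime import datetime

# Constructed sample in the shape of RSIT's "files created" list and the
# ComboFix "Supplementary Scan" section quoted in this thread.
SAMPLE_LOG = r"""
2010-04-28 18:17:45 ----D---- C:\Users\Daniel\AppData\Roaming\AKM Antivirus 2010 Pro
2010-04-28 18:17:22 ----D---- C:\ProgramData\yidurufo
2010-04-28 18:17:22 ----D---- C:\ProgramData\fosepoyo
2010-04-28 18:17:21 ----D---- C:\ProgramData\wepejapu
2010-04-28 18:17:21 ----D---- C:\ProgramData\litikusi
2010-04-28 18:10:40 ----D---- C:\Users\Daniel\AppData\Roaming\FBFEA05627B8A5365FE1FFE8C4B1E325
2010-04-28 18:10:39 ----D---- C:\ProgramData\wajejofu
2010-04-28 18:10:39 ----D---- C:\ProgramData\loraleka
2010-04-28 18:10:39 ----D---- C:\ProgramData\fiponedo
2010-04-29 17:02:50 ----D---- C:\ProgramData\Malwarebytes
2010-04-12 21:34:13 ----D---- C:\ProgramData\Armagetron
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
"""

VOWELS = set("aeiou")
# RSIT line: "<timestamp> <attribute block such as ----D----> <path>"
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (-+[A-Z]+-+) (.+)$")
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(.+)$", re.M)
LOOPBACK_RE = re.compile(r"(?:^|=)(?:127\.0\.0\.1|localhost):\d+", re.I)
HEX_DIR_RE = re.compile(r"\\AppData\\Roaming\\[0-9A-F]{32}$", re.I)


def parse_created(text):
    """Return [(datetime, attrs, path)] for every RSIT-style timestamped line."""
    entries = []
    for line in text.splitlines():
        m = CREATED_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            entries.append((ts, m.group(2), m.group(3)))
    return entries


def looks_generated(name):
    """8 lowercase letters in strict consonant/vowel alternation ('fosepoyo').
    Heuristic (my assumption): every rogue folder in this thread has this shape,
    but a real word of the same shape would match too, so hits are review
    candidates rather than deletions."""
    if len(name) != 8 or not name.isalpha() or not name.islower():
        return False
    return all((c in VOWELS) == (i % 2 == 1) for i, c in enumerate(name))


def cluster_generated_dirs(entries, root=r"C:\ProgramData", window_seconds=60):
    """Pseudo-random folders directly under `root`, grouped when created within
    `window_seconds` of each other; a lone hit is dropped as noise."""
    prefix = root.lower().rstrip("\\") + "\\"
    cands = []
    for ts, attrs, path in entries:
        if "D" not in attrs or not path.lower().startswith(prefix):
            continue                      # directories under root only
        name = path[len(prefix):]
        if "\\" not in name and looks_generated(name):
            cands.append((ts, path))
    cands.sort()
    clusters, current = [], []
    for ts, path in cands:
        if current and (ts - current[0][0]).total_seconds() > window_seconds:
            if len(current) > 1:
                clusters.append([p for _, p in current])
            current = []
        current.append((ts, path))
    if len(current) > 1:
        clusters.append([p for _, p in current])
    return clusters


def hex_named_roaming_dirs(entries):
    """Folders named as 32 hex characters directly under AppData\\Roaming."""
    return [p for _, attrs, p in entries if "D" in attrs and HEX_DIR_RE.search(p)]


def loopback_proxy(text):
    """The ProxyServer value if IE is routed through a proxy on the local host,
    which is why the browser 'cannot reach the internet' while the rogue runs."""
    m = PROXY_RE.search(text)
    value = m.group(1).strip() if m else ""
    return value if LOOPBACK_RE.search(value) else None


def triage(text):
    entries = parse_created(text)
    return {"generated_dir_clusters": cluster_generated_dirs(entries),
            "hex_named_dirs": hex_named_roaming_dirs(entries),
            "loopback_proxy": loopback_proxy(text)}


if __name__ == "__main__":
    for key, val in triage(SAMPLE_LOG).items():
        print(key, "->", val)
```

Everything it flags on the sample is exactly the set of paths the helper put into the File:: script, plus the proxy setting; the named product folder (AKM Antivirus 2010 Pro) still needs a human to recognise it.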

Corrine

Hi, thedaniel.

After further research, I should have included the registry keys below in the previous run.  Let's see what we get with this and an online scan.

Custom CFScript

Note: The following instructions were created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.



  • Please open Notepad (Click Start -> Run -> type notepad in the Open field -> OK).  Copy/Paste all of the text present inside the code box below:


RegLockDel::
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]


  • Save this as CFScript.txt and place it on your desktop.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.





  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Please go here to run an on-line scan from ESET.
  • Note: It is easiest if you use Internet Explorer for this scan.  (If you use an alternate browser, it will be necessary to download the ESET Smart Installer)
  • Turn off the real-time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now.

Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.
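
The RegLockDel:: section of the CFScript above targets three AllUserSettings keys under the modem class GUID; the log at the top of this section printed the ACL on one of them as "@Denied: (A) (Users)" and "@Denied: (A) (Everyone)". As an added example, not part of Corrine's instructions and not ComboFix's own code, the PowerShell below enumerates every instance key under that class, reports the Deny entries on its AllUserSettings subkey (or the fact that the DACL cannot be read at all), and, as a separate step you run only once you have decided the locks are unwanted, strips those Deny entries. The registry path is the one from the script above; the function names and the "unreadable DACL counts as a finding" rule are this example's own assumptions. It needs an elevated prompt and PowerShell 3 or later.

```powershell
#Requires -RunAsAdministrator
# Added example; not part of the thread's instructions and not ComboFix code.
# Lists the Deny ACEs on each <instance>\AllUserSettings key under the class GUID
# named in the CFScript, and optionally strips them. The registry path is the one
# from the script above; function names and the checks are this example's own.

function Get-AllUserSettingsDenyAce {
    param([Parameter(Mandatory)][string]$ClassRoot)

    # Instance keys (0000, 0001, ...) may themselves be unreadable; skip those quietly.
    foreach ($sub in Get-ChildItem -LiteralPath $ClassRoot -ErrorAction SilentlyContinue) {
        $key = "$ClassRoot\$($sub.PSChildName)\AllUserSettings"
        if (-not (Test-Path -LiteralPath $key)) { continue }

        try {
            $acl = Get-Acl -LiteralPath $key -ErrorAction Stop
        } catch {
            # A DACL we cannot even read (READ_CONTROL denied to us too) is a finding in itself.
            [pscustomobject]@{ Key = $key; Identity = '(unreadable)'; Rights = $_.Exception.Message }
            continue
        }
        foreach ($ace in @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })) {
            [pscustomobject]@{ Key = $key; Identity = $ace.IdentityReference.Value; Rights = $ace.RegistryRights }
        }
    }
}

function Remove-DenyAce {
    param([Parameter(Mandatory)][string[]]$Key)

    foreach ($k in $Key | Sort-Object -Unique) {
        $acl    = Get-Acl -LiteralPath $k
        $denies = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
        foreach ($ace in $denies) { [void]$acl.RemoveAccessRule($ace) }
        try {
            Set-Acl -LiteralPath $k -AclObject $acl -ErrorAction Stop
            "cleared $($denies.Count) Deny entries on $k"
        } catch {
            # Typical failure: WRITE_DAC is among the denied rights and the caller is not the
            # key's owner. Ownership has to be taken first (SeTakeOwnershipPrivilege); that
            # step is deliberately left out of this example.
            Write-Warning "could not rewrite the DACL on ${k}: $($_.Exception.Message)"
        }
    }
}

# ControlSet001 is spelled out because the CFScript names it explicitly;
# CurrentControlSet is only a link to whichever control set booted.
$classRoot = 'HKLM:\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}'
$denies    = @(Get-AllUserSettingsDenyAce -ClassRoot $classRoot)
$denies | Format-Table -AutoSize

# Second step, run by hand once the locks are judged unwanted (the decision the helper
# is making for thedaniel in the thread):
# Remove-DenyAce -Key ($denies | Where-Object { $_.Identity -ne '(unreadable)' } | ForEach-Object Key)
```

If the first function reports "(unreadable)" for a key, that is the expected shape of the lock: a Deny for Everyone covers the elevated administrator as well, so only the key's owner (or a process that first takes ownership) can read or rewrite the DACL. The report step is safe to run on any machine; the removal step changes permissions and should be run only on keys you have already decided about.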

thedaniel

Here is the log file from combofix (part deux)

ComboFix 10-04-29.05 - Daniel 05/02/2010   2:07.4.2 - x86
Microsoft® Windows Vista™ Home Basic   6.0.6001.1.1252.1.1033.18.3325.2551 [GMT -4:00]
Running from: c:\users\Daniel\Desktop\ComboFix.exe
Command switches used :: c:\users\Daniel\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

(((((((((((((((((((((((((   Files Created from 2010-04-02 to 2010-05-02  )))))))))))))))))))))))))))))))
.

2010-05-02 06:11 . 2010-05-02 06:11   --------   d-----w-   c:\users\Daniel\AppData\Local\temp
2010-05-02 06:11 . 2010-05-02 06:11   --------   d-----w-   c:\users\Public\AppData\Local\temp
2010-05-02 06:11 . 2010-05-02 06:11   --------   d-----w-   c:\users\Default\AppData\Local\temp
2010-05-01 03:44 . 2010-05-01 03:44   --------   d-----w-   c:\program files\Fostex
2010-04-29 21:03 . 2010-04-29 21:03   --------   d-----w-   c:\users\Daniel\AppData\Roaming\Malwarebytes
2010-04-29 21:02 . 2010-03-30 04:46   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 21:02 . 2010-04-29 21:02   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-04-29 21:02 . 2010-04-29 21:02   --------   d-----w-   c:\programdata\Malwarebytes
2010-04-29 21:02 . 2010-03-30 04:45   20824   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-04-29 02:57 . 2010-04-30 01:03   --------   d-----w-   c:\program files\trend micro
2010-04-29 02:57 . 2010-04-29 02:57   --------   d-----w-   C:\rsit
2010-04-29 02:55 . 2010-04-29 02:55   --------   d-----w-   c:\program files\ERUNT
2010-04-28 22:17 . 2010-05-01 03:27   --------   d-----w-   c:\users\Daniel\AppData\Roaming\AKM Antivirus 2010 Pro
2010-04-28 22:17 . 2010-04-28 22:17   --------   d-----w-   c:\programdata\fosepoyo
2010-04-28 22:17 . 2010-04-28 22:17   --------   d-----w-   c:\programdata\yidurufo
2010-04-28 22:17 . 2010-04-28 22:17   --------   d-----w-   c:\programdata\wepejapu
2010-04-28 22:17 . 2010-04-28 22:17   --------   d-----w-   c:\programdata\litikusi
2010-04-28 22:11 . 2010-04-29 21:20   --------   d-----w-   c:\users\Daniel\AppData\Local\bdqmptyll
2010-04-28 22:10 . 2010-05-01 03:27   --------   d-----w-   c:\users\Daniel\AppData\Roaming\FBFEA05627B8A5365FE1FFE8C4B1E325
2010-04-28 22:10 . 2010-04-29 21:20   --------   d-----w-   c:\programdata\fiponedo
2010-04-28 22:10 . 2010-04-28 22:10   --------   d-----w-   c:\programdata\wajejofu
2010-04-28 22:10 . 2010-04-28 22:10   --------   d-----w-   c:\programdata\loraleka
2010-04-13 01:34 . 2010-04-13 01:40   --------   d-----w-   c:\users\Daniel\AppData\Roaming\Armagetron
2010-04-13 01:34 . 2010-04-13 01:34   --------   d-----w-   c:\programdata\Armagetron
2010-04-05 03:20 . 2009-09-03 01:58   626688   ----a-w-   c:\windows\system32\vp7vfw.dll
2010-04-05 03:20 . 2009-09-03 01:58   65602   ----a-w-   c:\windows\system32\cook3260.dll
2010-04-05 03:20 . 2009-09-03 01:58   217127   ----a-w-   c:\windows\system32\drv43260.dll
2010-04-05 03:20 . 2009-09-03 01:58   208935   ----a-w-   c:\windows\system32\drv33260.dll
2010-04-05 03:20 . 2009-09-03 01:58   176165   ----a-w-   c:\windows\system32\drv23260.dll
2010-04-05 03:20 . 2009-09-03 01:58   102439   ----a-w-   c:\windows\system32\sipr3260.dll
2010-04-05 03:20 . 2009-09-03 01:57   1184984   ----a-w-   c:\windows\system32\wvc1dmod.dll
2010-04-05 03:20 . 2010-04-05 03:20   --------   d-----w-   c:\program files\VSO

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-02 06:02 . 2008-12-19 18:08   --------   d-----w-   c:\users\Daniel\AppData\Roaming\DNA
2010-05-02 05:25 . 2008-12-19 02:11   --------   d-----w-   c:\users\Daniel\AppData\Roaming\foobar2000
2010-04-30 18:23 . 2008-12-19 01:16   --------   d-----w-   c:\programdata\Roxio
2010-04-28 22:11 . 2008-12-19 18:09   --------   d-----w-   c:\users\Daniel\AppData\Roaming\BitTorrent
2010-04-20 01:03 . 2009-01-13 06:22   --------   d-----w-   c:\users\Daniel\AppData\Roaming\Vso
2010-04-06 12:35 . 2008-12-19 01:42   680   ----a-w-   c:\users\Daniel\AppData\Local\d3d9caps.dat
2010-03-26 09:20 . 2009-06-25 11:07   --------   d-----w-   c:\users\Daniel\AppData\Roaming\vlc
2010-03-26 09:20 . 2008-12-19 04:24   --------   d-----w-   c:\programdata\FLEXnet
2010-03-25 05:20 . 2008-12-19 02:26   --------   d-----w-   c:\users\Daniel\AppData\Roaming\Publish Providers
2010-03-16 01:56 . 2010-03-16 01:56   1080   ----a-w-   c:\windows\AUTOLNCH.REG
2010-03-16 01:56 . 2010-03-16 01:56   --------   d-----w-   c:\program files\Hewlett-Packard
2010-03-03 18:42 . 2009-03-24 21:04   --------   d-----w-   c:\users\Daniel\AppData\Roaming\dvdcss
2010-02-28 18:00 . 2010-02-28 18:00   50354   ----a-w-   c:\users\Daniel\AppData\Roaming\Facebook\uninstall.exe
2010-02-26 06:41 . 2010-02-26 06:41   847040   ----a-w-   c:\users\Daniel\AppData\Roaming\Facebook\axfbootloader.dll
2010-02-26 06:41 . 2010-02-26 06:41   5582848   ----a-w-   c:\users\Daniel\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll
2010-02-24 14:16 . 2009-10-06 05:43   181632   ------w-   c:\windows\system32\MpSigStub.exe
.

(((((((((((((((((((((((((((((   SnapShot@2010-04-30_14.23.10   )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-21 01:58 . 2010-05-02 06:04   33778              c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:02 . 2010-05-02 06:04   59038              c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-12-19 01:12 . 2010-04-30 14:14   6914              c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2629204746-2472350728-1553552098-1000_UserData.bin
+ 2008-12-19 01:12 . 2010-05-02 06:04   6914              c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2629204746-2472350728-1553552098-1000_UserData.bin
- 2010-04-30 14:12 . 2010-04-30 14:12   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2010-05-02 06:02 . 2010-05-02 06:02   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2010-05-02 06:02 . 2010-05-02 06:02   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2010-04-30 14:12 . 2010-04-30 14:12   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2006-11-02 10:33 . 2010-05-02 06:07   595446              c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2010-04-30 14:18   595446              c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2010-05-02 06:07   101144              c:\windows\System32\perfc009.dat
- 2006-11-02 10:33 . 2010-04-30 14:18   101144              c:\windows\System32\perfc009.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\users\Daniel\Program Files\DNA\btdna.exe" [2009-10-07 323392]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-03-30 1086856]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
TabUserW.exe.lnk - c:\windows\System32\Wtablet\TabUserW.exe [2003-5-29 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

R3 cur_bus;Curitel USB Composite Device driver (WDM);c:\windows\system32\DRIVERS\cur_bus.sys [2005-07-19 57744]
R3 cur_mdfl;Curitel Packet Service Filter;c:\windows\system32\DRIVERS\cur_mdfl.sys [2005-07-19 8336]
R3 cur_mdm;Curitel Packet Service Drivers;c:\windows\system32\DRIVERS\cur_mdm.sys [2005-07-19 93328]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork   REG_MULTI_SZ      PLA DPS BFE mpssvc
.
.
------- Supplementary Scan -------
.
uStart Page = https://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fhl%3Den%26tab%3Dwm%26ui%3Dhtml%26zy%3Dl&bsv=zpwhtygjntrz&scc=1&ltmpl=default&ltmplcache=2&hl=en
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
FF - ProfilePath - c:\users\Daniel\AppData\Roaming\Mozilla\Firefox\Profiles\z0708kj1.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\users\Daniel\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\users\Daniel\AppData\Roaming\Mozilla\Firefox\Profiles\z0708kj1.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071301000019.dll
FF - plugin: c:\users\Daniel\Program Files\DNA\plugins\npbtdna.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency",   1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug",            false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight",       2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize",       1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight",   25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight",     5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-02 02:11
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-05-02  02:12:38
ComboFix-quarantined-files.txt  2010-05-02 06:12
ComboFix2.txt  2010-05-02 06:00
ComboFix3.txt  2010-05-01 03:28
ComboFix4.txt  2010-04-30 14:24

Pre-Run: 16,444,915,712 bytes free
Post-Run: 16,414,679,040 bytes free

- - End Of File - - C106222859735A20FC8B53D6F92437FF
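
The log thedaniel posted above carries several entries a helper would flag by eye: the user-level proxy pointing at 127.0.0.1:5555 in the Supplementary Scan, the "AKM Antivirus 2010 Pro" profile directory, and the eight-letter (fosepoyo, yidurufo, ...) and 32-hex-character directory names created in the same minutes under ProgramData and AppData. As an added example, not part of the thread and not a ComboFix feature, the PowerShell below applies those three checks to lines copied from that log. The rule names, the regular expressions and the "looks machine-generated" heuristics are this example's own assumptions; the only rogue product name it knows is the one this log shows.

```powershell
# Added example; not from the thread and not ComboFix code. A small triage pass over
# "Files Created" rows and "Supplementary Scan" lines of a ComboFix log.
# Rules are assumptions of this example, not ComboFix semantics:
#  - a WinINet proxy at loopback relays every IE/WinINet request through a local
#    process, which is one way a rogue "firewall" can block browsers
#  - 8-lowercase-letter or 32-hex-character directory names under ProgramData or
#    AppData look machine-generated and deserve a look
#  - product names matching a known rogue (here only the one present in this log)
function Invoke-ComboFixTriage {
    param([Parameter(Mandatory)][string[]]$Lines)

    $rogueNames = @('AKM Antivirus 2010 Pro')
    $findings   = New-Object System.Collections.Generic.List[object]

    foreach ($line in $Lines) {
        if ($line -match '^uInternet Settings,ProxyServer\s*=\s*(?<proxy>.+)$') {
            $proxy = $Matches.proxy
            if ($proxy -match '(^|=)(127\.0\.0\.1|localhost)(:\d+)?') {
                $findings.Add([pscustomobject]@{ Rule = 'loopback-proxy'; Value = $proxy; Line = $line })
            }
            continue
        }

        # "Files Created" rows: created . modified  size  attrs  path
        if ($line -match '^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. .*\s(?<path>[a-z]:\\.+)$') {
            $path = $Matches.path
            $leaf = Split-Path -Path $path -Leaf

            foreach ($name in $rogueNames) {
                if ($path -like "*$name*") {
                    $findings.Add([pscustomobject]@{ Rule = 'known-rogue-name'; Value = $name; Line = $line })
                }
            }
            if ($path -match '\\(programdata|appdata)\\' -and
                ($leaf -cmatch '^[a-z]{8}$' -or $leaf -cmatch '^[0-9A-F]{32}$')) {
                $findings.Add([pscustomobject]@{ Rule = 'generated-dir-name'; Value = $leaf; Line = $line })
            }
        }
    }
    return $findings
}

# Sample lines copied from the log posted above (one clean row included as a control).
$sample = @'
2010-04-28 22:17 . 2010-05-01 03:27   --------   d-----w-   c:\users\Daniel\AppData\Roaming\AKM Antivirus 2010 Pro
2010-04-28 22:17 . 2010-04-28 22:17   --------   d-----w-   c:\programdata\fosepoyo
2010-04-28 22:10 . 2010-05-01 03:27   --------   d-----w-   c:\users\Daniel\AppData\Roaming\FBFEA05627B8A5365FE1FFE8C4B1E325
2010-04-29 21:02 . 2010-04-29 21:02   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
'@ -split "`r?`n"

Invoke-ComboFixTriage -Lines $sample | Format-Table Rule, Value -AutoSize
```

On the sample above the pass reports one known-rogue-name hit, two generated-dir-name hits and the loopback proxy, and stays silent on the Malwarebytes row. The heuristics are deliberately narrow: the point is to surface lines for a human to judge, not to declare a directory malicious because its name is eight letters long.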