ntoskrnl-hook trojan

[bildo1]

hello, having a problem removing this trojan (ntoskrnl-hook). I am currently running vista home premium with Mcafee AV. After running the AV it deletes the trojan but it re-installs itself. I've tried combofix, malwarebytes, etc but no luck (root repeal crashes almost immediately). Any help would be greatly appreciated. Attached logs for review!


DDS (Ver_09-06-26.01) - NTFSx86
Run by Bill at 20:15:23.68 on Mon 06/29/2009
Internet Explorer: 7.0.6000.16851 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.894.169 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
SP: McAfee VirusScan *enabled* (Updated) {C78B3C70-4777-4742-BB91-9D615CC575E6}
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Dwm.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\hp\support\hpsysdrv.exe
C:\hp\KBD\kbd.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Windows\WindowsMobile\wmdSync.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\taskeng.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Bill\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [WinampAgent] c:\program files\winamp\winampa.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpconn~1.lnk - c:\program files\hp connections\6811507\program\HP Connections.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5661/mcfscan.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\bill\appdata\roaming\mozilla\firefox\profiles\kekd6eon.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - yahoo.com
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\users\bill\appdata\roaming\mozilla\firefox\profiles\kekd6eon.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000004.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 72944]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-4-24 92008]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]
S3 rootrepeal2;rootrepeal2;c:\windows\system32\drivers\rootrepeal2.sys [2009-6-29 30720]
S3 rootrepeal3;rootrepeal3;c:\windows\system32\drivers\rootrepeal3.sys [2009-6-29 30720]

=============== Created Last 30 ================

2009-06-29 19:50 <DIR> --dsh--- C:\$RECYCLE.BIN
2009-06-29 16:21 <DIR> --d----- c:\users\bill\DoctorWeb
2009-06-29 14:18 <DIR> --d----- c:\windows\McAfee.com
2009-06-29 13:15 30,720 a---h--- c:\windows\system32\drivers\rootrepeal3.sys
2009-06-29 12:45 30,720 a---h--- c:\windows\system32\drivers\rootrepeal2.sys
2009-06-29 10:53 <DIR> --d----- c:\programdata\SUPERAntiSpyware.com
2009-06-29 10:53 <DIR> --d----- c:\progra~2\SUPERAntiSpyware.com
2009-06-29 10:48 <DIR> --d----- c:\users\bill\appdata\roaming\SUPERAntiSpyware.com
2009-06-29 10:48 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-06-29 10:47 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-06-28 23:27 <DIR> --d----- C:\MGtools
2009-06-28 20:42 691 a------- c:\users\bill\appdata\roaming\GetValue.vbs
2009-06-28 20:42 35 a------- c:\users\bill\appdata\roaming\SetValue.bat
2009-06-28 20:22 <DIR> --d----- c:\users\bill\appdata\roaming\Malwarebytes
2009-06-28 20:22 38,160 a---h--- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-28 20:22 <DIR> --d----- c:\programdata\Malwarebytes
2009-06-28 20:22 <DIR> --d----- c:\progra~2\Malwarebytes
2009-06-28 20:22 19,096 a---h--- c:\windows\system32\drivers\mbam.sys
2009-06-28 20:22 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-28 07:57 161,792 a------- c:\windows\SWREG.exe
2009-06-28 07:57 155,136 a------- c:\windows\PEV.exe
2009-06-28 07:57 98,816 a------- c:\windows\sed.exe
2009-06-13 20:03 428,032 a------- c:\windows\system32\EncDec.dll
2009-06-13 20:03 292,352 a------- c:\windows\system32\psisdecd.dll
2009-06-13 20:03 1,244,672 a------- c:\windows\system32\mcmde.dll
2009-06-13 20:03 217,088 a------- c:\windows\system32\psisrndr.ax
2009-06-13 20:03 177,152 a------- c:\windows\system32\mpg2splt.ax
2009-06-13 20:03 68,608 a------- c:\windows\system32\Mpeg2Data.ax
2009-06-13 20:03 80,896 a------- c:\windows\system32\MSNP.ax
2009-06-13 20:03 57,856 a------- c:\windows\system32\MSDvbNP.ax
2009-06-10 10:39 2,028,032 a------- c:\windows\system32\win32k.sys

==================== Find3M ====================

2009-05-20 10:00 86,016 a------- c:\windows\inf\infstrng.dat
2009-05-20 10:00 51,200 a------- c:\windows\inf\infpub.dat
2009-05-20 10:00 86,016 a------- c:\windows\inf\infstor.dat
2009-05-20 09:59 319,456 a------- c:\windows\DIFxAPI.dll
2009-05-20 09:58 315,392 a------- c:\windows\HideWin.exe
2009-04-24 12:22 827,392 a------- c:\windows\system32\wininet.dll
2009-04-24 12:14 56,320 a------- c:\windows\system32\iesetup.dll
2009-04-24 12:14 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-24 12:14 52,736 a------- c:\windows\apppatch\iebrshim.dll
2009-04-24 12:11 72,704 a------- c:\windows\system32\admparse.dll
2009-04-24 09:53 26,624 a------- c:\windows\system32\ieUnatt.exe
2009-04-24 08:25 48,128 a------- c:\windows\system32\mshtmler.dll
2009-04-23 09:01 788,992 a------- c:\windows\system32\rpcrt4.dll
2009-04-23 08:56 696,832 a------- c:\windows\system32\localspl.dll
2009-01-31 11:12 665,600 a------- c:\windows\inf\drvindex.dat
2008-12-11 10:08 174 a--sh--- c:\program files\desktop.ini
2008-09-23 17:30 76,192 a------- c:\users\bill\appdata\roaming\GDIPFONTCACHEV1.DAT
2008-05-11 14:00 0 a------- c:\users\bill\appdata\roaming\wklnhst.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-11-24 11:59 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-11-24 11:59 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-11-24 11:59 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2008-02-18 21:51 16,384 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\feeds cache\index.dat
2008-02-18 21:51 32,768 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008021820080219\index.dat

============= FINISH: 20:19:04.34 ===============

[CatByte]

Hi and Welcome,

NOTE:

• Malware removal is NOT instantaneous, most infections require more than one round to properly eradicate.
• Absence of symptoms does not always mean the job is complete, you can be certain that I will advise you when the computer is clean.
• Kindly follow my instructions in the order posted.
• Please DO NOT run any scans or fix items without my direction.

Please do the following:


Please download ComboFix from Here or Here to your Desktop.
**Note:**In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

1. If you are using Firefox, make sure that your download settings are as follows:

• Tools->Options->Main tab
• Set to "Always ask me where to Save the files".

• During the download, rename Combofix to Combo-Fix as follows:
  
  
  
  
  
  
  
  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  -----------------------------------------------------------
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  -----------------------------------------------------------

• Close any open browsers.
• If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

• Press the windows key + R to open a run box
• Copy/paste this command (with quotation marks) "%userprofile%/Desktop/Combo-Fix.exe" /killall into the run box
• Press OK to start ComboFix
• When finished, it will produce a report for you.
• Please post the "C:\Combo-Fix.txt" for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

[bildo1]

Thank you for the quick follow up. Here is the combo-fix log.


ComboFix 09-06-29.07 - Bill 06/30/2009 19:35.10 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.894.335 [GMT -4:00]
Running from: c:\users\Bill\Desktop\Combo-Fix.exe
"Command switches used" :: "/killall" "| SED "s/\x22//g"
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
SP: McAfee VirusScan *disabled* (Updated) {C78B3C70-4777-4742-BB91-9D615CC575E6}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\hjgruitahcfloi.sys
c:\windows\system32\hjgruidtjgrnhr.dll
c:\windows\system32\hjgruifppqulwc.dat
c:\windows\system32\hjgruijmodmevj.dll
c:\windows\system32\hjgruiwjfvmqbj.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_hjgruiauysmamj
-------\Service_hjgruiauysmamj


((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-30 )))))))))))))))))))))))))))))))
.

2009-06-30 23:46 . 2009-06-30 23:50 -------- d-----w- c:\users\Bill\AppData\Local\temp
2009-06-30 23:30 . 2009-06-30 23:30 -------- d-sh--w- C:\found.000
2009-06-29 20:21 . 2009-06-29 20:21 -------- d-----w- c:\users\Bill\DoctorWeb
2009-06-29 18:18 . 2009-06-29 18:18 -------- d-----w- c:\windows\McAfee.com
2009-06-29 17:15 . 2009-06-29 17:15 30720 ---ha-w- c:\windows\system32\drivers\rootrepeal3.sys
2009-06-29 16:45 . 2009-06-29 16:45 30720 ---ha-w- c:\windows\system32\drivers\rootrepeal2.sys
2009-06-29 14:53 . 2009-06-30 23:50 117760 ----a-w- c:\users\Bill\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-29 14:53 . 2009-06-29 14:53 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2009-06-29 14:48 . 2009-06-29 14:48 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-29 14:48 . 2009-06-29 14:48 -------- d-----w- c:\users\Bill\AppData\Roaming\SUPERAntiSpyware.com
2009-06-29 14:47 . 2009-06-29 14:47 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-29 03:27 . 2009-06-29 03:35 -------- d-----w- C:\MGtools
2009-06-29 00:42 . 2009-06-29 00:42 35 ----a-w- c:\users\Bill\AppData\Roaming\SetValue.bat
2009-06-29 00:22 . 2009-06-29 00:22 -------- d-----w- c:\users\Bill\AppData\Roaming\Malwarebytes
2009-06-29 00:22 . 2009-06-17 15:27 38160 ---ha-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-29 00:22 . 2009-06-29 00:22 -------- d-----w- c:\programdata\Malwarebytes
2009-06-29 00:22 . 2009-06-29 00:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-29 00:22 . 2009-06-17 15:27 19096 ---ha-w- c:\windows\system32\drivers\mbam.sys
2009-06-14 00:03 . 2009-04-30 12:42 428032 ----a-w- c:\windows\system32\EncDec.dll
2009-06-14 00:03 . 2009-04-30 12:52 292352 ----a-w- c:\windows\system32\psisdecd.dll
2009-06-14 00:03 . 2009-04-30 12:44 1244672 ----a-w- c:\windows\system32\mcmde.dll
2009-06-10 14:39 . 2009-04-21 12:04 2028032 ----a-w- c:\windows\system32\win32k.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-30 22:21 . 2008-11-19 02:07 -------- d-----w- c:\users\Bill\AppData\Roaming\LimeWire
2009-06-30 16:40 . 2008-06-11 19:51 -------- d-----w- c:\programdata\Google Updater
2009-06-29 16:43 . 2009-02-07 03:10 1356 ----a-w- c:\users\Bill\AppData\Local\d3d9caps.dat
2009-06-29 00:42 . 2009-06-29 00:42 691 ----a-w- c:\users\Bill\AppData\Roaming\GetValue.vbs
2009-06-11 12:33 . 2006-12-06 10:48 -------- d-----w- c:\program files\Microsoft Works
2009-05-27 15:37 . 2009-05-27 15:37 -------- d-----w- c:\programdata\TomTom
2009-05-27 15:37 . 2009-05-27 15:37 -------- d-----w- c:\users\Bill\AppData\Roaming\TomTom
2009-05-27 15:37 . 2009-05-27 15:37 -------- d-----w- c:\program files\TomTom International B.V
2009-05-27 15:36 . 2009-05-27 15:36 -------- d-----w- c:\program files\TomTom HOME 2
2009-05-27 15:35 . 2009-05-27 15:35 -------- d-----w- c:\program files\TomTom DesktopSuite
2009-05-20 14:03 . 2009-05-20 14:03 -------- d-----w- c:\programdata\HP Product Assistant
2009-05-20 13:59 . 2006-12-06 10:40 319456 ----a-w- c:\windows\DIFxAPI.dll
2009-05-20 13:58 . 2006-12-06 10:40 -------- d-----w- c:\program files\Realtek
2009-05-20 13:58 . 2009-05-20 13:58 315392 ----a-w- c:\windows\HideWin.exe
2009-05-19 05:36 . 2009-06-18 01:04 2884832 ------w- c:\programdata\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\vwpt.exe
2009-05-19 05:36 . 2009-06-18 01:04 28 ------w- c:\programdata\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\unregister.bat
2009-05-19 05:36 . 2009-06-18 01:04 25 ------w- c:\programdata\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\register.bat
2009-05-19 05:36 . 2009-06-18 01:04 1484856 ------w- c:\programdata\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\toolbar.exe
2009-05-19 05:36 . 2009-06-18 01:04 97072 ------w- c:\programdata\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\bsetutil.exe
2009-05-19 05:36 . 2009-06-18 01:04 142040 ------w- c:\programdata\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\alsetup.exe
2009-05-19 05:36 . 2009-06-18 01:04 30512 ------w- c:\programdata\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\Uninstaller.exe
2009-05-19 05:36 . 2009-06-18 01:04 111920 ------w- c:\programdata\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\AOLSearch.dll
2009-05-15 12:13 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-04-24 16:22 . 2009-06-10 14:38 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-24 16:14 . 2009-06-10 14:38 56320 ----a-w- c:\windows\system32\iesetup.dll
2009-04-24 16:14 . 2009-06-10 14:38 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-24 16:11 . 2009-06-10 14:38 72704 ----a-w- c:\windows\system32\admparse.dll
2009-04-24 13:53 . 2009-06-10 14:38 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-04-24 12:25 . 2009-06-10 14:38 48128 ----a-w- c:\windows\system32\mshtmler.dll
2009-04-23 13:01 . 2009-06-10 14:38 788992 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-23 12:56 . 2009-06-10 14:38 696832 ----a-w- c:\windows\system32\localspl.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-06-29_19.12.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-12-06 10:38 . 2009-06-30 23:35 65918 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-06-30 23:51 67936 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2007-02-07 03:24 . 2009-06-30 23:51 12914 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3894153940-1004314661-1835172318-1000_UserData.bin
+ 2007-02-07 00:30 . 2009-06-30 22:58 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2007-02-07 00:30 . 2009-06-29 18:56 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2007-02-07 00:30 . 2009-06-29 18:56 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2007-02-07 00:30 . 2009-06-30 22:58 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2007-02-07 00:30 . 2009-06-30 22:58 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2007-02-07 00:30 . 2009-06-29 18:56 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2007-02-07 03:16 . 2009-06-28 13:30 3142 c:\windows\System32\WDI\ERCQueuedResolutions.dat
+ 2007-02-07 03:16 . 2009-06-30 07:53 3142 c:\windows\System32\WDI\ERCQueuedResolutions.dat
+ 2009-06-30 23:48 . 2009-06-30 23:48 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-06-30 23:48 . 2009-06-30 23:48 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2006-11-02 10:33 . 2009-06-30 23:40 618410 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2009-06-30 23:40 103818 c:\windows\System32\perfc009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-10 1232896]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-11 68856]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-04-24 251240]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-06-23 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 65536]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2006-11-21 35328]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2006-11-02 215552]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-23 13539872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-23 92704]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-01-15 4874240]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
HP Connections.lnk - c:\program files\HP Connections\6811507\Program\HP Connections.exe [2006-12-6 34520]
HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001
"AntiVirusDisableNotify"="0x00000000"
"UpdatesDisableNotify"="0x00000000"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiSpywareOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{F4A58D1D-2CA8-4CBB-93A8-D8C58A609B56}"= UDP:c:\program files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{494A0034-C164-4D1C-B055-62161FE104B9}"= TCP:c:\program files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{1D330436-B627-49F2-A720-776DA9993972}"= UDP:c:\program files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{00A32700-EC97-46F4-8EF2-7BBEBEF6820C}"= TCP:c:\program files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{6510483C-5A38-4254-842D-97B93A2CD46F}"= c:\program files\HP Connections\6811507\Program\HP Connections:HP Connections
"{87B1FF95-8300-4339-B548-4A797EF9C780}"= UDP:c:\program files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{DBEB81E1-64DC-493F-9AAA-A7EB76640D9E}"= TCP:c:\program files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{A8EF4AF7-133A-4B37-9825-07F9350B9DDB}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{D328B60A-42A0-4C80-ACD0-E158740EAFA6}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{7DB51BF5-1A70-47B7-AED0-672033451E22}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{EFF7F79B-BDCC-472E-B70F-76572D54DB8B}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{D3A83F63-FC55-4F6D-90B7-610EA8A3DE75}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{3AFCA708-C472-40C1-9C13-0B42DB9AAA3D}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{BF9ABCD6-FC4F-4204-A9A1-7855EB1B683A}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{68DEE4F5-2EAD-4337-A167-0AFD08904DF5}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{71E66A83-E890-40E8-AE95-83EBB3E4BA78}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{7B28B094-8D9F-4A85-8F79-3146E1D74428}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{BB659196-FE93-4895-AF93-E118B61BA9F6}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{72188E16-282F-403F-A59D-FCBCA56A6E13}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{9F472A69-C848-4BE6-B6EE-BF5066CDDD0D}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{096B7C0B-BED0-4A8E-908F-98F042587B0A}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{54AF8D08-8824-4301-B3AA-9981CD4C92DD}"= UDP:c:\program files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{B1C9E989-B937-4DF1-93D4-1B38D43A3455}"= TCP:c:\program files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{49052ACE-54C0-4059-85BC-99ABCEFAC9C4}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{C4B1C2C7-EB73-42E2-BF63-BF0F92BC07EE}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{C445F929-033A-4AD5-AD99-60178F4E12A5}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{CC8FB4E7-D2A7-428B-A5FE-6598ABDFDE7F}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{027BB4A2-3B64-4909-94F9-4AC188AFE152}"= Disabled:UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{442DE6D0-62BA-4C00-A9FD-257DC88C7234}"= Disabled:TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{8EADED8A-0781-4335-ACB1-670569DF3FB5}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [4/24/2009 7:57 AM 92008]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]
S3 rootrepeal2;rootrepeal2;c:\windows\System32\drivers\rootrepeal2.sys [6/29/2009 12:45 PM 30720]
S3 rootrepeal3;rootrepeal3;c:\windows\System32\drivers\rootrepeal3.sys [6/29/2009 1:15 PM 30720]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
Contents of the 'Scheduled Tasks' folder

2009-06-30 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-06-11 04:15]

2009-06-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2009-04-05 14:53]

2009-06-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2009-04-05 14:53]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Bill\AppData\Roaming\Mozilla\Firefox\Profiles\kekd6eon.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - yahoo.com
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\users\Bill\AppData\Roaming\Mozilla\Firefox\Profiles\kekd6eon.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-30 19:49
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\nvvsvc.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\rundll32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\microsoft shared\VS7Debug\mdm.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\drivers\XAudio.exe
c:\windows\System32\WUDFHost.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqste08.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\program files\McAfee\MPF\MpfSrv.exe
.
**************************************************************************
.
Completion time: 2009-06-30 19:58 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-30 23:57
ComboFix2.txt 2009-06-29 23:52
ComboFix3.txt 2009-06-29 23:38
ComboFix4.txt 2009-06-29 23:19
ComboFix5.txt 2009-06-30 23:18

Pre-Run: 185,019,265,024 bytes free
Post-Run: 184,735,674,368 bytes free

290 --- E O F --- 2009-06-29 15:44

[CatByte]

Hi,

Please do the following:

• Please open your MalwareBytes AntiMalware Program
• Click the Update Tab and search for updates
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
• The scan may take some time to finish, so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected. <-- very important
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT

**Vista users - right click on the IE icon and run as administrator

Using Internet Explorer or Firefox, visit Kaspersky On-line Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. To optimize scanning time and produce a more sensible report for review:

• Close any open programs
• Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take quite a long time to download.

• Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
• Click View scan report at the bottom.
  
  
  
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

[bildo1]

here is the included log for malwarebyte and attached for kaspersky...thanks!

Malwarebytes' Anti-Malware 1.38
Database version: 2357
Windows 6.0.6000

6/30/2009 8:50:10 PM
mbam-log-2009-06-30 (20-50-10).txt

Scan type: Quick Scan
Objects scanned: 79718
Time elapsed: 7 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

[CatByte]

Hi,

Please do the following:

• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
• They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

I have attached a script into this post for you to use with combofix.

SAVE this script to your desktop then follow the rest of the instructions

• Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
• ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
• When finished, it shall produce a log for you.
• Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

[bildo1]

please find new combo-fix log attached!

[CatByte]

Hi,

Please paste a fresh DDS log into your next reply and describe in detail how your computer is running now and if there are any outstanding issues.

[bildo1]

hello,

pc seems to be running much better! The trojan disrupted service to the cd-rom/burner but it is back online now. System hasn't crashed either...was getting the occasional blue screen. It appears to be clean! Is it okay to run Mcafee at this point?

here is the dds log - and supplemental attach log. Thanks.

DDS (Ver_09-06-26.01) - NTFSx86
Run by Bill at 11:25:56.60 on Wed 07/01/2009
Internet Explorer: 7.0.6000.16851 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.894.201 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
SP: McAfee VirusScan *enabled* (Updated) {C78B3C70-4777-4742-BB91-9D615CC575E6}
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\hp\support\hpsysdrv.exe
C:\hp\KBD\kbd.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Winamp\winampa.exe
C:\Windows\WindowsMobile\wmdSync.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\Explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Windows\System32\mstsc.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Bill\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [WinampAgent] c:\program files\winamp\winampa.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpconn~1.lnk - c:\program files\hp connections\6811507\program\HP Connections.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5661/mcfscan.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\bill\appdata\roaming\mozilla\firefox\profiles\kekd6eon.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - yahoo.com
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\users\bill\appdata\roaming\mozilla\firefox\profiles\kekd6eon.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000004.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-07-01 08:41 <DIR> --dsh--- C:\$RECYCLE.BIN
2009-07-01 08:31 <DIR> --ds---- C:\Combo-Fix
2009-06-30 19:30 <DIR> --dsh--- C:\found.000
2009-06-29 16:21 <DIR> --d----- c:\users\bill\DoctorWeb
2009-06-29 14:18 <DIR> --d----- c:\windows\McAfee.com
2009-06-29 13:15 30,720 a---h--- c:\windows\system32\drivers\rootrepeal3.sys
2009-06-29 12:45 30,720 a---h--- c:\windows\system32\drivers\rootrepeal2.sys
2009-06-29 10:53 <DIR> --d----- c:\programdata\SUPERAntiSpyware.com
2009-06-29 10:53 <DIR> --d----- c:\progra~2\SUPERAntiSpyware.com
2009-06-29 10:48 <DIR> --d----- c:\users\bill\appdata\roaming\SUPERAntiSpyware.com
2009-06-29 10:48 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-06-29 10:47 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-06-28 23:27 <DIR> --d----- C:\MGtools
2009-06-28 20:42 691 a------- c:\users\bill\appdata\roaming\GetValue.vbs
2009-06-28 20:42 35 a------- c:\users\bill\appdata\roaming\SetValue.bat
2009-06-28 20:22 <DIR> --d----- c:\users\bill\appdata\roaming\Malwarebytes
2009-06-28 20:22 38,160 a---h--- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-28 20:22 <DIR> --d----- c:\programdata\Malwarebytes
2009-06-28 20:22 <DIR> --d----- c:\progra~2\Malwarebytes
2009-06-28 20:22 19,096 a---h--- c:\windows\system32\drivers\mbam.sys
2009-06-28 20:22 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-28 07:57 161,792 a------- c:\windows\SWREG.exe
2009-06-28 07:57 155,136 a------- c:\windows\PEV.exe
2009-06-28 07:57 98,816 a------- c:\windows\sed.exe
2009-06-13 20:03 428,032 a------- c:\windows\system32\EncDec.dll
2009-06-13 20:03 292,352 a------- c:\windows\system32\psisdecd.dll
2009-06-13 20:03 1,244,672 a------- c:\windows\system32\mcmde.dll
2009-06-13 20:03 217,088 a------- c:\windows\system32\psisrndr.ax
2009-06-13 20:03 177,152 a------- c:\windows\system32\mpg2splt.ax
2009-06-13 20:03 68,608 a------- c:\windows\system32\Mpeg2Data.ax
2009-06-13 20:03 80,896 a------- c:\windows\system32\MSNP.ax
2009-06-13 20:03 57,856 a------- c:\windows\system32\MSDvbNP.ax
2009-06-10 10:39 2,028,032 a------- c:\windows\system32\win32k.sys

==================== Find3M ====================

2009-05-20 10:00 86,016 a------- c:\windows\inf\infstrng.dat
2009-05-20 10:00 51,200 a------- c:\windows\inf\infpub.dat
2009-05-20 10:00 86,016 a------- c:\windows\inf\infstor.dat
2009-05-20 09:59 319,456 a------- c:\windows\DIFxAPI.dll
2009-05-20 09:58 315,392 a------- c:\windows\HideWin.exe
2009-04-24 12:22 827,392 a------- c:\windows\system32\wininet.dll
2009-04-24 12:14 56,320 a------- c:\windows\system32\iesetup.dll
2009-04-24 12:14 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-24 12:14 52,736 a------- c:\windows\apppatch\iebrshim.dll
2009-04-24 12:11 72,704 a------- c:\windows\system32\admparse.dll
2009-04-24 09:53 26,624 a------- c:\windows\system32\ieUnatt.exe
2009-04-24 08:25 48,128 a------- c:\windows\system32\mshtmler.dll
2009-04-23 09:01 788,992 a------- c:\windows\system32\rpcrt4.dll
2009-04-23 08:56 696,832 a------- c:\windows\system32\localspl.dll
2009-01-31 11:12 665,600 a------- c:\windows\inf\drvindex.dat
2008-12-11 10:08 174 a--sh--- c:\program files\desktop.ini
2008-09-23 17:30 76,192 a------- c:\users\bill\appdata\roaming\GDIPFONTCACHEV1.DAT
2008-05-11 14:00 0 a------- c:\users\bill\appdata\roaming\wklnhst.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-11-24 11:59 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-11-24 11:59 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-11-24 11:59 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2008-02-18 21:51 16,384 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\feeds cache\index.dat
2008-02-18 21:51 32,768 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008021820080219\index.dat

============= FINISH: 11:28:56.95 ===============

[CatByte]

Hi,

Your log is clean,

let me clean up the tools and clear out the Combofix quarantine files or your AV is just going to detect them.

Please do the following:

You can delete the DDS and GMER folders from your desktop.

NEXT

Follow these steps to uninstall Combofix

• Click START then RUN
• Now type Combofix /u in the runbox and click OK. Note the space between the ..X and the /U, it needs to be there.

Should you wish to contribute to the ongoing development of ComboFix, donations are being accepted via PayPal.

NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.

• Keep Windows updated by regularly checking their website at :
  http://windowsupdate.microsoft.com/
  This will ensure your computer has always the latest security updates available installed on your computer.
  
  
• SpywareBlaster protects against bad ActiveX, it immunizes your PC against them.
  
  
• SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program ( eg : TeaTimer, Windows Defender ) or there will be a conflict.
  
  
• Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.
• ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  
  
• MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.
  
  WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
  • Green to go
  • Yellow for caution
  • Red to stop
  WOT has an addon available for both Firefox and IE
  
  
• For Firefox, I highly recommend this add-on to keep your PC even more secure.
  • NoScript - for blocking ads and other potential website attacks
• Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.
  
• ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
  
• In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:
  Think Prevention.
  PC Safety and Security--What Do I Need?.

**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.


Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.

[bildo1]

thank you for all your help. I will definitely act upon your previous post and download/install the noted software as well make the changes to guard against future intrusions.

[CatByte]

You are more than welcome

stay safe

CB