Old 10-02-2009, 04:01 PM   #1 (permalink)
silentfox618 (Registered User)
Join Date: Sep 2006
Location: California
Posts: 121
OS: Windows XP Professional

help cleaning computer

Trying to fix my brother's old laptop that has some sort of virus infection. After starting the computer and logging in, the desktop background changes, a pop-up keeps appearing in the bottom right, a pop-up saying there is a virus comes up eventually, and when I tried opening some programs (including that DDS program I was supposed to run and post a log for) I get a message saying it is infected. Take a look at the pictures to see the errors and such. I'll just attach the GMER .txt file since THAT at least worked.

http://i151.photobucket.com/albums/s...in618/pic2.jpg

http://i151.photobucket.com/albums/s...in618/pic1.jpg

I looked up the trojan in the error message "TrojanSPM/LX" on google and found this page and tried running SmitFraudFix to get rid of it, can't boot into safe mode (always blue screen error in safe mode, also occasional blue screen when logging in normally, sometimes it won't finish loading desktop) so tried with normal boot, I get the "file is infected" error. Not really sure what else to try, so I thought I would ask you experts :)
Attached Files
File Type: txt ark.txt (16.3 KB, 2 views)
__________________
---------------------------------------------------------------------
After fixing my computers so many times, I've gotten a lot better at it ;)
---------------------------------------------------------------------

Last edited by silentfox618; 10-02-2009 at 04:08 PM.

Old 10-02-2009, 05:35 PM   #2 (permalink)
CatByte (Analyst, Security Team)
Join Date: Jan 2009
Location: Canada
Posts: 2,148
OS: XP sp3

Re: help cleaning computer

Hi,

Please do the following:



Download Combofix from either of the links below. You must rename it to combafix.exe before saving it.
Save it to your desktop.

**Note: In the event you already have Combofix, delete it, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".

Link 1
Link 2

-----------------------------------------------------------
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------
  • NOTE: If ComboFix asks to install the Recovery Console, please ALLOW it to do so.

    -----------------------------------------------------------
  • Double click on the renamed ComboFix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the C:\ComboFix.txt so we can continue cleaning the system.

-----------------------------------------------------------
__________________


ASAP & UNITE Member
Old 10-02-2009, 07:41 PM   #3 (permalink)
silentfox618 (Registered User)

Re: help cleaning computer

Ok did that, but it didn't work. Combofix detects rootkit activity and restarts the computer. After reboot I log in. My wallpaper image loads and Combofix command prompt comes up right away with this text:

"Please wait.
Combofix is preparing to run."

A while later, the desktop loads (windows taskbar, desktop icons). Then the desktop changes to a "desktop recovery". Then the background switches to that "YOUR SYSTEM IS INFECTED" picture. Then that bubble in bottom right (see earlier pics) appears (then disappears after a while, then reappears, over and over). A few seconds later the combafix command prompt closes without displaying any more text and there's no log (not on desktop, or C:/, or any of the combofix folders in C:/, nowhere that I see).

Another note: can't open the task manager using ctrl+alt+del after the "your system is infected" wallpaper comes up (which is fairly quick).
Old 10-02-2009, 10:10 PM   #4 (permalink)
CatByte (Analyst, Security Team)

Re: help cleaning computer

Please run the following:

Please download exeHelper to your desktop.
  • Double-click on exeHelper.com to run the fix.
  • A black window should pop up, press any key to close once the fix is completed.
  • Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).
Old 10-02-2009, 10:31 PM   #5 (permalink)
silentfox618 (Registered User)

Re: help cleaning computer

Here is the text from the two logs:

exeHelper by Raktor - 09
Build 20090925
Run at 21:25:14 on 10/02/09
Now searching...
Checking for numerical processes...
Checking for bad processes...
Killed process winupdate.exe
Checking for bad files...
Deleting file C:\WINDOWS\system32\AVR09.exe
Deleting file C:\WINDOWS\temp\b.exe
Deleting file C:\WINDOWS\temp\a.exe
Deleting file C:\WINDOWS\system32\winupdate.exe
Deleting file C:\WINDOWS\system32\41.exe
Deleting file C:\WINDOWS\system32\winhelper.dll
Error deleting C:\WINDOWS\system32\winhelper.dll
Deleting file C:\WINDOWS\system32\critical_warning.html
Deleting file C:\WINDOWS\system32\logon.exe
Checking for bad registry entries...
Removing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdate.exe
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

exeHelper by Raktor - 09
Build 20090925
Run at 21:26:16 on 10/02/09
Now searching...
Checking for numerical processes...
Checking for bad processes...
Checking for bad files...
Deleting file C:\WINDOWS\system32\winhelper.dll
Error deleting C:\WINDOWS\system32\winhelper.dll
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--
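Added example (not part of the original thread, and not exeHelper's own code): a small Python parser for the log format posted above that splits the file into runs and reports files whose most recent delete attempt still ended in "Error deleting". It assumes a "Deleting file" line with no matching "Error deleting" line means the delete succeeded; the sample text is abridged from the log above, and the function names are made up for this example.

```python
import re
from dataclasses import dataclass, field

# Abridged from the two exeHelper runs posted above (some "Deleting file" lines omitted).
SAMPLE_LOG = r"""exeHelper by Raktor - 09
Build 20090925
Run at 21:25:14 on 10/02/09
Now searching...
Checking for numerical processes...
Checking for bad processes...
Killed process winupdate.exe
Checking for bad files...
Deleting file C:\WINDOWS\system32\AVR09.exe
Deleting file C:\WINDOWS\system32\winupdate.exe
Deleting file C:\WINDOWS\system32\winhelper.dll
Error deleting C:\WINDOWS\system32\winhelper.dll
Deleting file C:\WINDOWS\system32\logon.exe
Checking for bad registry entries...
Removing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdate.exe
Resetting filetype association for .exe
--Finished--

exeHelper by Raktor - 09
Build 20090925
Run at 21:26:16 on 10/02/09
Now searching...
Checking for bad files...
Deleting file C:\WINDOWS\system32\winhelper.dll
Error deleting C:\WINDOWS\system32\winhelper.dll
Checking for bad registry entries...
--Finished--
"""

RUN_START = re.compile(r"^Run at (\d\d:\d\d:\d\d) on (\d\d/\d\d/\d\d)$")
# Line prefix -> attribute of Run that collects the rest of the line.
PREFIXES = {
    "Killed process ": "killed",
    "Deleting file ": "attempted",
    "Error deleting ": "failed",
    "Removing ": "reg_removed",
}


@dataclass
class Run:
    started: str
    killed: list = field(default_factory=list)
    attempted: list = field(default_factory=list)
    failed: list = field(default_factory=list)
    reg_removed: list = field(default_factory=list)
    finished: bool = False


def parse_runs(text):
    """Split a log.txt that holds one or more runs into Run records."""
    runs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = RUN_START.match(line)
        if m:
            cur = Run(started=f"{m.group(2)} {m.group(1)}")
            runs.append(cur)
            continue
        if cur is None:
            continue  # banner lines before the first "Run at"
        if line == "--Finished--":
            cur.finished = True
            continue
        for prefix, attr in PREFIXES.items():
            if line.startswith(prefix):
                getattr(cur, attr).append(line[len(prefix):])
                break
    return runs


def unresolved_files(runs):
    """Map path -> number of failed runs, for files whose most recent
    delete attempt ended in an error (assumption: no error line = deleted)."""
    last_failed, fail_count = {}, {}
    for run in runs:
        failed = {p.lower() for p in run.failed}
        for path in run.attempted:
            key = path.lower()  # Windows paths are case-insensitive
            last_failed[key] = key in failed
            fail_count[key] = fail_count.get(key, 0) + (key in failed)
    return {p: fail_count[p] for p, bad in last_failed.items() if bad}


if __name__ == "__main__":
    parsed = parse_runs(SAMPLE_LOG)
    for r in parsed:
        print(f"{r.started}: killed={r.killed} deleted_ok="
              f"{len(r.attempted) - len(r.failed)} failed={r.failed}")
    for path, n in unresolved_files(parsed).items():
        print(f"still present after {n} run(s): {path}")
```

A file that keeps failing across runs, like winhelper.dll here, is the item to call out when posting the combined log.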
Old 10-02-2009, 10:36 PM   #6 (permalink)
CatByte (Analyst, Security Team)

Re: help cleaning computer

Please delete the copy of ComboFix that you have on your desktop and download a fresh copy from one of the previous links provided, making sure you rename it before you save it.

Make sure your security programs are disabled before you run it or they will interfere with it.

Post the resulting log.
Old 10-03-2009, 01:47 PM   #7 (permalink)
silentfox618 (Registered User)

Re: help cleaning computer

Man I've been having trouble with this for some reason. Took a while just to get it running. So Far:
Got the recover console to install
After that I hit 'yes' to continue scanning for malware and got errors about ROUTE.cfxxe and ROUTE.exe. It kept running
Then the Autoscan window said:

Scanning for infected files . . .
This typically doesn't take more than ten minutes
However, scan times for badly infected machines may easily double

A few seconds later got this error:
PEV.cfxxe
PEV.cfxxe has encountered a problem and needs to close. We are sorry for the inconvenience... (there's more, but it's basically the error report message). So I just clicked don't send.

Then the Autoscan window adds this line:
The system cannot find the file temp04.

command prompt window title switches to a "."
Windows desktop goes away and I got this error.

Rootkit !!
ComboFix has detected the presence of rootkit activity and needs to reboot the machine.
Kindly note down on paper the name of each file. We may need it later

C:\WINDOWS\system32\sdra64.exe

Then I hit OK

(The following part has been looping SEVERAL times now, with no progress as far I can tell)

Computer restarts
I log in...
user's wallpaper pops up
console window comes up with text about 'Update-CF.cmd' or something, but it goes away pretty quick so it's hard to copy

There's also some kind of small window that flashes for less than a second (looks like an installer bar or something, way too fast to read)

then the console text switches to:

Scanning for infected files . . .
This typically doesn't take more than ten minutes
However, scan times for badly infected machines may easily double

Then I get the PEV.cfxxe error report pop-up...

then "cannot find temp04" is added to the console text
laptop beeps twice
computer automatically restarts (don't even need to hit ok or anything)


Any ideas? (log in as different user? use recovery console? open task manager?)
Old 10-03-2009, 02:12 PM   #8 (permalink)
CatByte (Analyst, Security Team)

Re: help cleaning computer

Tap into safe mode and try running ComboFix from safemode
Old 10-03-2009, 02:43 PM   #9 (permalink)
silentfox618 (Registered User)

Re: help cleaning computer

restarted, tapped f8, selected "safe mode", then it gave two choices for operating system: 1) Microsoft Windows Recovery Console, and 2) Microsoft Windows XP Home Edition

Selected XP Home Edition each time, EVERY time I tried safe mode I got the blue screen error and had to turn the power off and restart.
Old 10-03-2009, 02:55 PM   #10 (permalink)
CatByte (Analyst, Security Team)

Re: help cleaning computer

Ok,

Please run the following program

Please save this file to your desktop.
  • Click on Start > Run, and copy-paste the following command (the bolded text) into the open run box, then click OK.
    "%userprofile%\desktop\win32kdiag.exe" -f -r
  • When it's finished, there will be a log called Win32kDiag.txt on your desktop.
  • Please open it with notepad and post the contents here.
Old 10-03-2009, 03:22 PM   #11 (permalink)
silentfox618 (Registered User)

Re: help cleaning computer

Here's the log (except I replaced the name with an "x" for the path names at the beginning):



Running from: C:\Documents and Settings\x\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\x\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899

Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Found mount point : C:\WINDOWS\$hf_mig$\KB929338\KB929338

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB929338\KB929338

Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Found mount point : C:\WINDOWS\$hf_mig$\KB968389\KB968389

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB968389\KB968389

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\temp\temp

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\tmp\tmp

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Debug\UserMode\UserMode

Found mount point : C:\WINDOWS\ERDNT\ERDNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ERDNT\ERDNT

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\chsime\applets\applets

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\shared\res\res

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\classes\classes

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\trustlib\trustlib

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\mui\mui

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PIF\PIF

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\backup\backup

Cannot access: C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\update\update.exe

Attempting to restore permissions of : C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\update\update.exe

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\backup\asms\10\policy\policy

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\backup\asms\10\policy\policy

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\backup\asms\51\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\backup\asms\51\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\backup\asms\51\policy\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\backup\asms\51\policy\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\backup\asms\52\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\backup\asms\52\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\backup\asms\52\policy\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\backup\asms\52\policy\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\backup\asms\60\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\backup\asms\60\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\backup\asms\70\70

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\backup\asms\70\70

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1025\1025

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1028\1028

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1031\1031

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1037\1037

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1041\1041

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1042\1042

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1054\1054

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\2052\2052

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\3076\3076

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Found mount point : C:\WINDOWS\system32\CatRoot_bak\CatRoot_bak

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\CatRoot_bak\CatRoot_bak

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\{DFF16927-88E6-4EAA-A097-460B7E65289B}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\{DFF16927-88E6-4EAA-A097-460B7E65289B}

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\VKD7HDXZ\cdn.visiblemeasures.com\swf\as2\AS2SOHandler.swf\AS2SOHandler.swf

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\VKD7HDXZ\cdn.visiblemeasures.com\swf\as2\AS2SOHandler.swf\AS2SOHandler.swf

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\VKD7HDXZ\media1.break.com\media1.break.com

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\VKD7HDXZ\media1.break.com\media1.break.com

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\VKD7HDXZ\secure-us.imrworldwide.com\secure-us.imrworldwide.com

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\VKD7HDXZ\secure-us.imrworldwide.com\secure-us.imrworldwide.com

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#cdn.visiblemeasures.com\#cdn.visiblemeasures.com

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#cdn.visiblemeasures.com\#cdn.visiblemeasures.com

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#media1.break.com\#media1.break.com

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#media1.break.com\#media1.break.com

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#secure-us.imrworldwide.com\#secure-us.imrworldwide.com

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#secure-us.imrworldwide.com\#secure-us.imrworldwide.com

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\AddIns\AddIns

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\AddIns\AddIns

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-1708537768-616249376-725345543-1003\S-1-5-21-1708537768-616249376-725345543-1003

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-1708537768-616249376-725345543-1003\S-1-5-21-1708537768-616249376-725345543-1003

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-1722185852-4209975339-1500625635-1003\S-1-5-21-1722185852-4209975339-1500625635-1003

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-1722185852-4209975339-1500625635-1003\S-1-5-21-1722185852-4209975339-1500625635-1003

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Templates\Templates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Templates\Templates

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Word\STARTUP\STARTUP

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Word\STARTUP\STARTUP

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Starware337\Games\images\default\default

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Starware337\Games\images\default\default

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Starware337\Movies\images\default\default

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Starware337\Movies\images\default\default

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Starware337\ScreensaversMarketingSitePager\images\default\default

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Starware337\ScreensaversMarketingSitePager\images\default\default

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\javaws\cache\cache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\javaws\cache\cache

Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Google Desktop\80d140b46d6e\80d140b46d6e

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Google Desktop\80d140b46d6e\80d140b46d6e

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-1708537768-616249376-725345543-1003\S-1-5-21-1708537768-616249376-725345543-1003

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-1708537768-616249376-725345543-1003\S-1-5-21-1708537768-616249376-725345543-1003

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-1722185852-4209975339-1500625635-1003\S-1-5-21-1722185852-4209975339-1500625635-1003

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-1722185852-4209975339-1500625635-1003\S-1-5-21-1722185852-4209975339-1500625635-1003

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Office\Office

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Office\Office

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Musicmatch\Jukebox\Cache\Cache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Musicmatch\Jukebox\Cache\Cache

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\Temp

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.MSO\Content.MSO

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.MSO\Content.MSO

Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\CCWin\Address Book\Address Book

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\CCWin\Address Book\Address Book

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\dhcp\dhcp

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Cannot access: C:\WINDOWS\system32\drivers\hfpe81e.sys

Attempting to restore permissions of : C:\WINDOWS\system32\drivers\hfpe81e.sys

[1] 2009-09-02 17:24:45 45344 C:\WINDOWS\system32\drivers\hfpe81e.sys ()



Cannot access: C:\WINDOWS\system32\dumprep.exe

Attempting to restore permissions of : C:\WINDOWS\system32\dumprep.exe

Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\export\export

Found mount point : C:\WINDOWS\system32\FxsTmp\FxsTmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\FxsTmp\FxsTmp

Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Found mount point : C:\WINDOWS\system32\inetsrv\inetsrv

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\inetsrv\inetsrv

Found mount point : C:\WINDOWS\system32\Macromed\update\update

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\Macromed\update\update

Found mount point : C:\WINDOWS\system32\Microsoft\Crypto\RSA\MachineKeys\MachineKeys

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\Microsoft\Crypto\RSA\MachineKeys\MachineKeys

Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\sample\sample

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Found mount point : C:\WINDOWS\system32\wbem\mof\good\good

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\mof\good\good

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wins\wins

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\xircom\xircom

Found mount point : C:\WINDOWS\Temp\0\Private\Runtime\AllUsersData\SkinEngine\features\photoview2\graphics\graphics

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\0\Private\Runtime\AllUsersData\SkinEngine\features\photoview2\graphics\graphics

Found mount point : C:\WINDOWS\Temp\0\Private\Vendor\AllUsersData\ThemesV3\Windows\assets\graphics\Includes\Includes

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\0\Private\Vendor\AllUsersData\ThemesV3\Windows\assets\graphics\Includes\Includes

Found mount point : C:\WINDOWS\Temp\Google Toolbar\Google Toolbar

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\Google Toolbar\Google Toolbar

Found mount point : C:\WINDOWS\Temp\MCA103.tmp\tempinst\cntrlbin_cab\cntrlbin_cab

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCA103.tmp\tempinst\cntrlbin_cab\cntrlbin_cab

Found mount point : C:\WINDOWS\Temp\MCA103.tmp\tempinst\cntrlres_cab\cntrlres_cab

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCA103.tmp\tempinst\cntrlres_cab\cntrlres_cab

Found mount point : C:\WINDOWS\Temp\MCA103.tmp\tempinst\shredbin_cab\shredbin_cab

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCA103.tmp\tempinst\shredbin_cab\shredbin_cab

Found mount point : C:\WINDOWS\Temp\MCA1A.tmp\MCA1A.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCA1A.tmp\MCA1A.tmp

Found mount point : C:\WINDOWS\Temp\MCA33.tmp\MCA33.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCA33.tmp\MCA33.tmp

Found mount point : C:\WINDOWS\Temp\MCQTFILE00000\MCQTFILE00000

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCQTFILE00000\MCQTFILE00000

Found mount point : C:\WINDOWS\Temp\MCQTFILE00001\MCQTFILE00001

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCQTFILE00001\MCQTFILE00001

Found mount point : C:\WINDOWS\Temp\VBE\VBE

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\VBE\VBE

Found mount point : C:\WINDOWS\Temp\viewmgr\viewmgr

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\viewmgr\viewmgr

Found mount point : C:\WINDOWS\Temp\vmgr\4294947265\4294947265

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\vmgr\4294947265\4294947265

Found mount point : C:\WINDOWS\Temp\vmgr\4294954644\4294954644

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\vmgr\4294954644\4294954644

Found mount point : C:\WINDOWS\Temp\WER14b9.dir00\WER14b9.dir00

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WER14b9.dir00\WER14b9.dir00

Found mount point : C:\WINDOWS\Temp\WERb77d.dir00\WERb77d.dir00

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WERb77d.dir00\WERb77d.dir00

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp



Finished!
__________________
---------------------------------------------------------------------
After fixing my computers so many times, I've gotten a lot better at it ;)
---------------------------------------------------------------------
silentfox618 is offline  
Old 10-03-2009, 03:29 PM   #12 (permalink)
Analyst, Security Team
 
CatByte's Avatar
 
Join Date: Jan 2009
Location: Canada
Posts: 2,148
OS: XP sp3


Re: help cleaning computer

Please delete your copy of combofix from your desktop and download a fresh copy and rerun it - post the resulting log
__________________


ASAP & UNITE Member
CatByte is offline  
Old 10-03-2009, 03:41 PM   #13 (permalink)
Registered User
 
Join Date: Sep 2006
Location: California
Posts: 121
OS: Windows XP Professional

My System

Send a message via AIM to silentfox618
Re: help cleaning computer

I tried, console window came up,

"Please wait.
Combofix is preparing to run."

but then I got a blue screen error after about 20-30 seconds. Restart and try again?
__________________
---------------------------------------------------------------------
After fixing my computers so many times, I've gotten a lot better at it ;)
---------------------------------------------------------------------
silentfox618 is offline  
Old 10-03-2009, 05:27 PM   #14 (permalink)
Analyst, Security Team
 
CatByte's Avatar
 
Join Date: Jan 2009
Location: Canada
Posts: 2,148
OS: XP sp3


Re: help cleaning computer

Hi,

Please try running DDS and GMER

Please download DDS from either of these links

LINK 1
LINK 2

and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.pif to run the tool.
  • When done, two DDS.txt's will open.
  • Save both reports to your desktop.
---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.


NEXT



Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.


  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in your next reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
__________________


ASAP & UNITE Member
CatByte is offline  
Old 10-03-2009, 06:02 PM   #15 (permalink)
Registered User
 
Join Date: Sep 2006
Location: California
Posts: 121
OS: Windows XP Professional

My System

Send a message via AIM to silentfox618
Re: help cleaning computer

Here are the first two logs (attached)
Attached Files
File Type: txt Attach.txt (13.4 KB, 1 views)
File Type: txt DDS.txt (12.2 KB, 2 views)
__________________
---------------------------------------------------------------------
After fixing my computers so many times, I've gotten a lot better at it ;)
---------------------------------------------------------------------
silentfox618 is offline  
Old 10-03-2009, 06:03 PM   #16 (permalink)
Registered User
 
Join Date: Sep 2006
Location: California
Posts: 121
OS: Windows XP Professional

My System

Send a message via AIM to silentfox618
Re: help cleaning computer

and here is the third log
Attached Files
File Type: txt Gmer.txt (4.4 KB, 1 views)
__________________
---------------------------------------------------------------------
After fixing my computers so many times, I've gotten a lot better at it ;)
---------------------------------------------------------------------
silentfox618 is offline  
Old 10-03-2009, 06:24 PM   #17 (permalink)
Analyst, Security Team
 
CatByte's Avatar
 
Join Date: Jan 2009
Location: Canada
Posts: 2,148
OS: XP sp3


Re: help cleaning computer

Hi,

Please run the following program




Please download Malwarebytes' Anti-Malware
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
__________________


ASAP & UNITE Member
CatByte is offline  
Old 10-03-2009, 07:06 PM   #18 (permalink)
Registered User
 
Join Date: Sep 2006
Location: California
Posts: 121
OS: Windows XP Professional

My System

Send a message via AIM to silentfox618
Re: help cleaning computer

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3

10/3/2009 5:54:26 PM
mbam-log-2009-10-03 (17-54-26).txt

Scan type: Quick Scan
Objects scanned: 134643
Time elapsed: 20 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 13
Registry Values Infected: 2
Registry Data Items Infected: 8
Folders Infected: 97
Files Infected: 205

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\winhelper.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{d49e9d35-254c-4c6a-9d17-95018d228ff5} (Adware.Starware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\{79007602-0cdb-4405-9dbf-1257bb3226ee} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\starware337 (Adware.Starware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Monopod (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\starware337 (Adware.Starware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.138 85.255.112.115 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.138 85.255.112.115 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.138 85.255.112.115 -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\Starware337 (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware337\buttons (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware337\contexts (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware337\images (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware337\SimpleUpdate (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Stocking\Application Data\Starware337 (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Stocking\Application Data\Starware337\BrowserSearch (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Stocking\Application Data\Starware337\Configurator (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Stocking\Application Data\Starware337\ErrorSearch (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Stocking\Application Data\Starware337\Games (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Stocking\Application Data\Starware337\Games\images (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Stocking\Application Data\Starware337\Games\images\active (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Stocking\Application Data\Starware337\Games\images\default (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Stocking\Application Data\Starware337\Layouts (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Stocking\Application Data\Starware337\Manager (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Stocking\Application Data\Starware337\Movies (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Stocking\Application Data\Starware337\Movies\images (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Stocking\Application Data\Starware337\Movies\images\active (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Stocking\Application Data\Starware337\Movies\images\default (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Stocking\Application Data\Starware337\Recipes (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Stocking\Application Data\Starware337\RecipeSearch (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Stocking\Application Data\Starware337\Reference (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Stocking\Application Data\Starware337\RelatedSearch (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Stocking\Application Data\Starware337\ScreensaversMarketingSitePager (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Stocking\Application Data\Starware337\ScreensaversMarketingSitePager\images (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Stocking\Application Data\Starware337\ScreensaversMarketingSitePager\images\active (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Stocking\Application Data\Starware337\ScreensaversMarketingSitePager\images\default (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Stocking\Application Data\Starware337\Toolbar (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Stocking\Application Data\Starware337\ToolbarLogo (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Stocking\Application Data\Starware337\ToolbarSearch (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Stocking\Application Data\Starware337\TravelSearch (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Stocking\Application Data\Starware337\Weather (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\Starware337 (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\Starware337\BrowserSearch (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\Starware337\Configurator (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\Starware337\ErrorSearch (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\Starware337\Games (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\Starware337\Games\images (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\Starware337\Games\images\active (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\Starware337\Games\images\default (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\Starware337\Layouts (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\Starware337\Manager (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\Starware337\Movies (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\Starware337\Movies\images (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\Starware337\Movies\images\active (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\Starware337\Movies\images\default (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\Starware337\Recipes (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\Starware337\RecipeSearch (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\Starware337\Reference (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\Starware337\RelatedSearch (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\Starware337\ScreensaversMarketingSitePager (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\Starware337\ScreensaversMarketingSitePager\images (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\Starware337\ScreensaversMarketingSitePager\images\active (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\Starware337\ScreensaversMarketingSitePager\images\default (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\Starware337\Toolbar (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\Starware337\ToolbarLogo (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\Starware337\ToolbarSearch (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\Starware337\TravelSearch (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\Starware337\Weather (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Starware337 (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Starware337\BrowserSearch (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Starware337\Configurator (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Starware337\ErrorSearch (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Starware337\Games (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Starware337\Games\images (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Starware337\Games\images\active (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Starware337\Games\images\default (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Starware337\Layouts (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Starware337\Manager (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Starware337\Movies (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Starware337\Movies\images (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Starware337\Movies\images\active (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Starware337\Movies\images\default (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Starware337\Recipes (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Starware337\RecipeSearch (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Starware337\Reference (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Starware337\RelatedSearch (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Starware337\ScreensaversMarketingSitePager (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Starware337\ScreensaversMarketingSitePager\images (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Starware337\ScreensaversMarketingSitePager\images\active (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Starware337\ScreensaversMarketingSitePager\images\default (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Starware337\Toolbar (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Starware337\ToolbarLogo (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Starware337\ToolbarSearch (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Starware337\TravelSearch (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Starware337\Weather (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\Starware337 (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\Starware337\BrowserSearch (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\Starware337\Configurator (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\Starware337\ErrorSearch (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\Starware337\Manager (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\Starware337\RelatedSearch (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\Starware337\TravelSearch (Adware.Starware) -> Quarantined and deleted successfully.
C:\Program Files\Starware337 (Adware.Starware) -> Quarantined and deleted successfully.
C:\Program Files\Starware337\bin (Adware.Starware) -> Quarantined and deleted successfully.
C:\Program Files\Starware337\icons (Adware.Starware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec (Stolen.data) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\winhelper.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\tapi.nfo (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\1FA7.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\7.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\9E.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\9F.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\rdl1FA5.tmp.exe (Trojan.Otlard) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\rdl1FA6.tmp.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\rdl70.tmp.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\SBW7ORU1\SetupAdvancedVirusRemover[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\WTI9412F\firewall[1].dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Local Settings\Temp\46.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Local Settings\Temp\67.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Local Settings\Temp\winivsetup.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware337\Tem234F.tmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware337\TemBC.tmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware337\buttons\epiRSS.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware337\buttons\epiRSS.png (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware337\buttons\epiSearch.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware337\buttons\epiSearch.png (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware337\buttons\FindIt.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware337\buttons\FindItHot.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware337\buttons\findithotxp.png (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware337\buttons\finditxp.png (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware337\buttons\Highlight.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware337\buttons\HighlightHot.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware337\buttons\highlighthotxp.png (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware337\buttons\highlightxp.png (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware337\buttons\Reference.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware337\buttons\ReferenceHot.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware337\buttons\referencehotxp.png (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware337\buttons\referencexp.png (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware337\buttons\starware_toolbar_icon.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware337\buttons\Weather.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware337\buttons\weatherhotxp.png (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware337\buttons\weatherxp.png (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware337\contexts\error.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware337\contexts\Related.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware337\contexts\Travel.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware337\images\clear.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware337\images\cloudy.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware337\images\mcloud.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware337\images\nclear.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware337\images\ncloudy.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware337\images\nmcloud.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware337\images\nnoicon.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware337\images\npcloud.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware337\images\nrain.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware337\images\pcloud.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware337\images\rain.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware337\images\walertXP.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware337\SimpleUpdate\ProductMessagingConfig.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware337\SimpleUpdate\ProductMessagingConfig.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware337\SimpleUpdate\SimpleUpdateConfig.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware337\SimpleUpdate\SimpleUpdateConfig.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware337\SimpleUpdate\TimerManagerConfig.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware337\SimpleUpdate\TimerManagerConfig.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Stocking\Application Data\Starware337\Tem2C.tmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Stocking\Application Data\Starware337\BrowserSearch\BrowserSearch.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Stocking\Application Data\Starware337\BrowserSearch\BrowserSearch.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Stocking\Application Data\Starware337\Configurator\Configurator.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Stocking\Application Data\Starware337\Configurator\Configurator.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Stocking\Application Data\Starware337\ErrorSearch\ErrorSearchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Stocking\Application Data\Starware337\ErrorSearch\ErrorSearchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Stocking\Application Data\Starware337\Games\GamesOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Stocking\Application Data\Starware337\Games\GamesOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Stocking\Application Data\Starware337\Games\images\active\Games0.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Stocking\Application Data\Starware337\Layouts\ToolbarLayout.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Stocking\Application Data\Starware337\Layouts\ToolbarLayout.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Stocking\Application Data\Starware337\Manager\ManagerOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Stocking\Application Data\Starware337\Manager\ManagerOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Stocking\Application Data\Starware337\Movies\MoviesOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Stocking\Application Data\Starware337\Movies\MoviesOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Stocking\Application Data\Starware337\Movies\images\active\Movies0.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Stocking\Application Data\Starware337\Recipes\RecipesOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Stocking\Application Data\Starware337\Recipes\RecipesOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Stocking\Application Data\Starware337\RecipeSearch\RecipeSearchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Stocking\Application Data\Starware337\RecipeSearch\RecipeSearchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Stocking\Application Data\Starware337\Reference\ReferenceOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Stocking\Application Data\Starware337\Reference\ReferenceOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Stocking\Application Data\Starware337\RelatedSearch\RelatedSearchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Stocking\Application Data\Starware337\RelatedSearch\RelatedSearchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Stocking\Application Data\Starware337\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Stocking\Application Data\Starware337\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Stocking\Application Data\Starware337\ScreensaversMarketingSitePager\images\active\ScreensaversMarketingSitePager0.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Stocking\Application Data\Starware337\Toolbar\TBProductsOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Stocking\Application Data\Starware337\Toolbar\TBProductsOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Stocking\Application Data\Starware337\ToolbarLogo\ToolbarLogoOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Stocking\Application Data\Starware337\ToolbarLogo\ToolbarLogoOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Stocking\Application Data\Starware337\ToolbarSearch\ToolbarSearchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Stocking\Application Data\Starware337\ToolbarSearch\ToolbarSearchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Stocking\Application Data\Starware337\TravelSearch\TravelSearchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Stocking\Application Data\Starware337\TravelSearch\TravelSearchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Stocking\Application Data\Starware337\Weather\AlertArchive.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Stocking\Application Data\Starware337\Weather\WeatherOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Stocking\Application Data\Starware337\Weather\WeatherOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\Starware337\BrowserSearch\BrowserSearch.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\Starware337\BrowserSearch\BrowserSearch.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\Starware337\Configurator\Configurator.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\Starware337\Configurator\Configurator.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\Starware337\ErrorSearch\ErrorSearchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\Starware337\ErrorSearch\ErrorSearchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\Starware337\Games\GamesOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\Starware337\Games\GamesOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\Starware337\Games\images\active\Games0.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\Starware337\Layouts\ToolbarLayout.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\Starware337\Layouts\ToolbarLayout.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\Starware337\Manager\ManagerOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\Starware337\Manager\ManagerOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\Starware337\Movies\MoviesOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\Starware337\Movies\MoviesOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\Starware337\Movies\images\active\Movies0.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\Starware337\Recipes\RecipesOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\Starware337\Recipes\RecipesOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\Starware337\RecipeSearch\RecipeSearchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\Starware337\RecipeSearch\RecipeSearchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\Starware337\Reference\ReferenceOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\Starware337\Reference\ReferenceOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\Starware337\RelatedSearch\RelatedSearchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\Starware337\RelatedSearch\RelatedSearchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\Starware337\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\Starware337\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\Starware337\ScreensaversMarketingSitePager\images\active\ScreensaversMarketingSitePager0.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\Starware337\Toolbar\TBProductsOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\Starware337\Toolbar\TBProductsOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\Starware337\ToolbarLogo\ToolbarLogoOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\Starware337\ToolbarLogo\ToolbarLogoOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\Starware337\ToolbarSearch\ToolbarSearchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\Starware337\ToolbarSearch\ToolbarSearchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\Starware337\TravelSearch\TravelSearchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\Starware337\TravelSearch\TravelSearchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\Starware337\Weather\AlertArchive.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\Starware337\Weather\WeatherOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\Starware337\Weather\WeatherOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Starware337\BrowserSearch\BrowserSearch.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Starware337\BrowserSearch\BrowserSearch.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Starware337\Configurator\Configurator.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Starware337\Configurator\Configurator.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Starware337\ErrorSearch\ErrorSearchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Starware337\ErrorSearch\ErrorSearchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Starware337\Games\GamesOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Starware337\Games\GamesOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Starware337\Games\images\active\Games0.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Starware337\Layouts\ToolbarLayout.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Starware337\Layouts\ToolbarLayout.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Starware337\Layouts\WeatherLayout.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Starware337\Layouts\WeatherLayout.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Starware337\Manager\ManagerOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Starware337\Manager\ManagerOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Starware337\Movies\MoviesOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Starware337\Movies\MoviesOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Starware337\Movies\images\active\Movies0.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Starware337\Recipes\RecipesOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Starware337\Recipes\RecipesOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Starware337\RecipeSearch\RecipeSearchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Starware337\RecipeSearch\RecipeSearchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Starware337\Reference\ReferenceOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Starware337\Reference\ReferenceOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Starware337\RelatedSearch\RelatedSearchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Starware337\RelatedSearch\RelatedSearchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Starware337\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Starware337\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Starware337\ScreensaversMarketingSitePager\images\active\ScreensaversMarketingSitePager0.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Starware337\Toolbar\TBProductsOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Starware337\Toolbar\TBProductsOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Starware337\ToolbarLogo\ToolbarLogoOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Starware337\ToolbarLogo\ToolbarLogoOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Starware337\ToolbarSearch\ToolbarSearchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Starware337\ToolbarSearch\ToolbarSearchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Starware337\TravelSearch\TravelSearchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Starware337\TravelSearch\TravelSearchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Starware337\Weather\AlertArchive.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Starware337\Weather\AlertArchive.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Starware337\Weather\WeatherOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Starware337\Weather\WeatherOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\Starware337\BrowserSearch\BrowserSearch.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\Starware337\BrowserSearch\BrowserSearch.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\Starware337\Configurator\Configurator.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\Starware337\Configurator\Configurator.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\Starware337\ErrorSearch\ErrorSearchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\Starware337\ErrorSearch\ErrorSearchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\Starware337\Manager\ManagerOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\Starware337\Manager\ManagerOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\Starware337\RelatedSearch\RelatedSearchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\Starware337\RelatedSearch\RelatedSearchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\Starware337\TravelSearch\TravelSearchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\Starware337\TravelSearch\TravelSearchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Program Files\Starware337\brand.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Program Files\Starware337\Starware337Config.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Program Files\Starware337\Starware337Uninstall.exe (Adware.Starware) -> Quarantined and deleted successfully.
C:\Program Files\Starware337\bin\Starware337.dll (Adware.Starware) -> Quarantined and deleted successfully.
C:\Program Files\Starware337\icons\star_16.ico (Adware.Starware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\user.ds.lll (Stolen.data) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\Microsoft\Internet Explorer\Quick Launch\Advanced Virus Remover.lnk (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Start Menu\Advanced Virus Remover.lnk (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\rdl71.tmp.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rotscxftoiqmbd.dll (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\rotscxlqaauvme.dll (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\rotscxorjipuqx.dll (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\rotscxrdpubamy.dat (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\rotscxtnylkvxf.dat (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\rotscxwfdivsth.dll (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\drivers\rotscxwlnqfyds.sys (Rootkit.TDSS) -> Delete on reboot.
__________________
---------------------------------------------------------------------
After fixing my computers so many times, I've gotten a lot better at it ;)
---------------------------------------------------------------------
Old 10-03-2009, 08:18 PM   #19 (permalink)
Analyst, Security Team
 
Join Date: Jan 2009
Location: Canada
Posts: 2,148
OS: XP sp3


Re: help cleaning computer

Hi,


Make sure you reboot your computer so MBAM can complete its deletions.

Delete the copy of ComboFix from your desktop and also delete the ComboFix folder at C:\CoboFix.

Now download a fresh copy from the previous links provided and run it.

Post the resulting log.
__________________


ASAP & UNITE Member
Old 10-03-2009, 09:36 PM   #20 (permalink)
Registered User
 
Join Date: Sep 2006
Location: California
Posts: 121
OS: Windows XP Professional

Re: help cleaning computer

Just thought I should mention my desktop wallpaper/background seems fine now, looks like we're definitely getting things fixed! :) Here's the log:



ComboFix 09-10-01.05 - Chris Stocking 10/03/2009 20:07.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.144 [GMT -7:00]
Running from: c:\documents and settings\Chris Stocking\Desktop\CombaFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\CHRISS~1\LOCALS~1\Temp\catchme.dll
c:\documents and settings\Chris Stocking\Local Settings\Temp\catchme.dll
c:\windows\system32\18467.exe
c:\windows\system32\19169.exe
c:\windows\system32\26500.exe
c:\windows\system32\404Fix.exe
c:\windows\system32\6334.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\config\systemprofile\Application Data\Starware337
c:\windows\system32\config\systemprofile\Application Data\Starware337\BrowserSearch\BrowserSearch.xml
c:\windows\system32\config\systemprofile\Application Data\Starware337\BrowserSearch\BrowserSearch.xml.backup
c:\windows\system32\config\systemprofile\Application Data\Starware337\Configurator\Configurator.xml
c:\windows\system32\config\systemprofile\Application Data\Starware337\Configurator\Configurator.xml.backup
c:\windows\system32\config\systemprofile\Application Data\Starware337\ErrorSearch\ErrorSearchOptions.xml
c:\windows\system32\config\systemprofile\Application Data\Starware337\ErrorSearch\ErrorSearchOptions.xml.backup
c:\windows\system32\config\systemprofile\Application Data\Starware337\Games\GamesOptions.xml
c:\windows\system32\config\systemprofile\Application Data\Starware337\Games\GamesOptions.xml.backup
c:\windows\system32\config\systemprofile\Application Data\Starware337\Games\images\active\Games0.bmp
c:\windows\system32\config\systemprofile\Application Data\Starware337\Layouts\ToolbarLayout.xml
c:\windows\system32\config\systemprofile\Application Data\Starware337\Layouts\ToolbarLayout.xml.backup
c:\windows\system32\config\systemprofile\Application Data\Starware337\Manager\ManagerOptions.xml
c:\windows\system32\config\systemprofile\Application Data\Starware337\Manager\ManagerOptions.xml.backup
c:\windows\system32\config\systemprofile\Application Data\Starware337\Movies\images\active\Movies0.bmp
c:\windows\system32\config\systemprofile\Application Data\Starware337\Movies\MoviesOptions.xml
c:\windows\system32\config\systemprofile\Application Data\Starware337\Movies\MoviesOptions.xml.backup
c:\windows\system32\config\systemprofile\Application Data\Starware337\Recipes\RecipesOptions.xml
c:\windows\system32\config\systemprofile\Application Data\Starware337\Recipes\RecipesOptions.xml.backup
c:\windows\system32\config\systemprofile\Application Data\Starware337\RecipeSearch\RecipeSearchOptions.xml
c:\windows\system32\config\systemprofile\Application Data\Starware337\RecipeSearch\RecipeSearchOptions.xml.backup
c:\windows\system32\config\systemprofile\Application Data\Starware337\Reference\ReferenceOptions.xml
c:\windows\system32\config\systemprofile\Application Data\Starware337\Reference\ReferenceOptions.xml.backup
c:\windows\system32\config\systemprofile\Application Data\Starware337\RelatedSearch\RelatedSearchOptions.xml
c:\windows\system32\config\systemprofile\Application Data\Starware337\RelatedSearch\RelatedSearchOptions.xml.backup
c:\windows\system32\config\systemprofile\Application Data\Starware337\ScreensaversMarketingSitePager\images\active\ScreensaversMarketingSitePager0.bmp
c:\windows\system32\config\systemprofile\Application Data\Starware337\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml
c:\windows\system32\config\systemprofile\Application Data\Starware337\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml.backup
c:\windows\system32\config\systemprofile\Application Data\Starware337\Toolbar\TBProductsOptions.xml
c:\windows\system32\config\systemprofile\Application Data\Starware337\Toolbar\TBProductsOptions.xml.backup
c:\windows\system32\config\systemprofile\Application Data\Starware337\ToolbarLogo\ToolbarLogoOptions.xml
c:\windows\system32\config\systemprofile\Application Data\Starware337\ToolbarLogo\ToolbarLogoOptions.xml.backup
c:\windows\system32\config\systemprofile\Application Data\Starware337\ToolbarSearch\ToolbarSearchOptions.xml
c:\windows\system32\config\systemprofile\Application Data\Starware337\ToolbarSearch\ToolbarSearchOptions.xml.backup
c:\windows\system32\config\systemprofile\Application Data\Starware337\TravelSearch\TravelSearchOptions.xml
c:\windows\system32\config\systemprofile\Application Data\Starware337\TravelSearch\TravelSearchOptions.xml.backup
c:\windows\system32\config\systemprofile\Application Data\Starware337\Weather\AlertArchive.xml
c:\windows\system32\config\systemprofile\Application Data\Starware337\Weather\WeatherOptions.xml
c:\windows\system32\config\systemprofile\Application Data\Starware337\Weather\WeatherOptions.xml.backup
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\logs
c:\windows\system32\logs\Events.dat
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
c:\windows\TEMP\logishrd\LVPrcInj01.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-09-04 to 2009-10-04 )))))))))))))))))))))))))))))))
.

2009-10-04 00:28 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-04 00:28 . 2009-10-04 00:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-04 00:28 . 2009-10-04 00:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-04 00:28 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-03 18:38 . 2009-10-03 18:38 -------- d-----w- c:\documents and settings\Daniel\Local Settings\Application Data\Mozilla
2009-10-03 03:35 . 2009-10-03 03:35 -------- d-----w- c:\documents and settings\Daniel\Local Settings\Application Data\AIM Toolbar
2009-10-03 03:35 . 2009-10-03 03:35 -------- d--h--w- c:\documents and settings\Daniel\Application Data\GTek
2009-10-02 20:26 . 2009-10-03 21:10 -------- d--h--w- c:\windows\PIF
2009-09-07 16:12 . 2009-10-03 00:24 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-07 01:31 . 2009-09-07 01:31 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Mozilla

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-04 02:57 . 2007-05-30 01:35 -------- d-----w- c:\program files\Kinetic Books
2009-10-03 01:02 . 2006-09-04 23:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak
2009-10-03 00:51 . 2006-10-17 18:16 -------- d-----w- c:\program files\Jasc Software Inc
2009-10-03 00:48 . 2006-08-15 17:14 -------- d-----w- c:\program files\Viewpoint
2009-10-03 00:47 . 2006-08-15 17:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-10-03 00:44 . 2006-08-15 17:15 -------- d-----w- c:\program files\Sonic
2009-10-03 00:41 . 2009-07-20 23:38 -------- d-----r- c:\program files\Skype
2009-10-03 00:40 . 2006-08-15 17:14 -------- d-----w- c:\program files\Common Files\Real
2009-10-03 00:38 . 2006-08-15 17:09 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-03 00:35 . 2009-07-20 23:25 -------- d-----w- c:\program files\Logitech
2009-10-03 00:34 . 2006-09-04 23:20 -------- d-----w- c:\program files\Kodak
2009-10-03 00:31 . 2006-08-15 17:06 -------- d-----w- c:\program files\Dell
2009-09-07 16:05 . 2009-09-03 00:33 -------- d-sh--w- c:\documents and settings\Guest\Application Data\lowsec
2009-09-07 05:59 . 2006-08-15 17:25 -------- d-----w- c:\program files\McAfee
2009-09-07 05:58 . 2007-02-22 09:52 -------- d-----w- c:\program files\Common Files\McAfee
2009-09-07 05:50 . 2007-02-22 22:53 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-09-07 03:56 . 2006-08-15 17:26 -------- d-----w- c:\program files\Google
2009-09-07 02:34 . 2006-09-27 02:43 -------- d-----w- c:\program files\gleim
2009-09-03 00:24 . 2009-09-03 00:20 45344 ----a-w- c:\windows\system32\drivers\hfpe81e.sys
2009-09-03 00:22 . 2009-08-27 08:59 -------- d-----w- c:\program files\NOS
2009-09-03 00:21 . 2009-08-27 08:59 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-08-27 23:14 . 2009-08-27 23:13 -------- d-----w- c:\program files\AIM Toolbar
2009-08-27 23:13 . 2009-08-27 23:13 -------- d-----w- c:\documents and settings\All Users\Application Data\AIM Toolbar
2009-08-27 23:10 . 2006-08-29 03:38 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2009-08-15 07:07 . 2009-07-20 23:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Logishrd
2009-08-14 13:58 . 2009-09-07 16:15 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-08-05 09:01 . 2004-08-10 17:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-20 23:44 . 2009-07-20 23:44 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-07-17 19:01 . 2004-08-10 17:50 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 17:08 . 2004-08-10 17:51 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-12 06:11 . 2007-11-16 03:34 87104 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-12 06:11 . 2006-09-04 02:29 2776 --sha-w- c:\windows\system32\KGyGaAvL.sys
2006-11-02 17:35 . 2006-10-05 18:03 56 --sh--r- c:\windows\system32\6E3706BFE4.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\Valve\Steam\Steam.exe" [2009-06-16 1217784]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-15 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-15 114688]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-04-06 1032192]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]
"Kinetic Books"="c:\program files\Kinetic Books\KineticBooksWebserver.exe" [2006-05-24 74218]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-05-30 155648]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-15 565008]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-15 2407184]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-25 282624]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-8-15 24576]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /p \??\C:

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1156822896\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1156822896\\ee\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

S0 hfpe81e;hfpe81e;\SystemRoot\\SystemRoot\System32\drivers\hfpe81e.sys --> \SystemRoot\\SystemRoot\System32\drivers\hfpe81e.sys [?]
S1 1a75205c.sys;1a75205c.sys;\??\c:\windows\System32\drivers\1a75205c.sys --> c:\windows\System32\drivers\1a75205c.sys [?]
S3 getPlusHelper;getPlus(R) Helper;c:\windows\System32\svchost.exe -k getPlusHelper [8/10/2004 10:51 AM 14336]
S3 Kinetic Books License Service;Kinetic Books License Service;c:\program files\Common Files\Kinetic Books Shared\Service\KineticBooksLicenseService.exe [5/29/2007 6:55 PM 72704]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
FF - ProfilePath - c:\documents and settings\Chris Stocking\Application Data\Mozilla\Firefox\Profiles\lm60a5pa.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://www.techsupportforum.com/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-ModemOnHold - c:\program files\NetWaiting\netWaiting.exe
AddRemove-VideoAccess - c:\program files\VideoAccess\Uninstall.exe
AddRemove-{E2883E8F-472F-4fb0-9522-AC9BF37916A7} - c:\program files\NOS\bin\getPlus_Helper.dll



**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3172)
c:\windows\system32\WININET.dll
c:\windows\system32\IEFRAME.dll
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
c:\windows\system32\mshtml.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\BCMWLTRY.EXE
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Java\jre1.6.0_03\bin\javaw.exe
c:\program files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\AIM Toolbar\aimtbServer.exe
c:\program files\Common Files\InstallShield\UpdateService\agent.exe
.
**************************************************************************
.
Completion time: 2009-10-04 20:26 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-04 03:26

Pre-Run: 19,883,429,888 bytes free
Post-Run: 20,223,172,608 bytes free

228 --- E O F --- 2009-09-30 23:27
__________________
---------------------------------------------------------------------
After fixing my computers so many times, I've gotten a lot better at it ;)
---------------------------------------------------------------------
All times are GMT -7. The time now is 02:40 PM.



Copyright 2001 - 2009, Tech Support Forum