10 Posts

January 11th, 2011 15:00

Anyone had a chance to look at this yet?  Any ideas?  Thanks.

10 Posts

January 13th, 2011 19:00

Please help.  If this is the wrong forum, please advise.  Thanks.

3 Apprentice


20.5K Posts

January 14th, 2011 04:00

Hi dwhollar,

This is not the wrong place; however, we work from "Unanswered" threads and yours is showing 2 replies. When you reply to yourself we are under the impression that someone is helping you. In addition, the log is showing no resident anti-virus, and you did not give any details of the "many viruses and malware" that you cleaned -- all reasons this topic might have been skipped. Usually "many" would indicate that a reformat/reinstall of Windows is in order, but I'll see if any residual issues show up, other than your update problem.

I am reviewing your log. In the meantime, you can help me by addressing the following:

* Have you posted this issue on another forum? If so, please provide a link to the topic.

* If you have disabled System Restore in an attempt to begin cleaning malware, please enable it now. We will flush System Restore when we are finished cleaning and we are sure that everything is running smoothly.

* If you are using any cracked software, please remove it. In addition to being illegal, when you install cracked software, you are running executable files from dubious, unknown sources. You are giving these sources access to information on your hard disk, and potential control over operation of your computer. Definition of cracked software HERE.

* If you are using any P2P (file sharing) programs, please remove them before we clean your computer. The nature of such software and the high incidence of malware in files downloaded with them is counterproductive to restoring your PC to a healthy state. That includes BitTorrent and similar programs. There is a partial list HERE.

* If this computer belongs to someone else, do you have authority to apply the fixes we will use?

* After we begin working, please print or copy all instructions to Notepad in order to assist you when carrying out procedures. Please follow all instructions in sequence. Do not, on your own, install/re-install any programs or run any fixes or scanners that you have not been instructed to use because this may cause conflicts with the tools that I am using. Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate. It is understood by the trained analysts that once a helper replies to a log, he continues working with you until the issue is resolved.

* During the course of our cleanup please do not do any additional online work or surfing until we have verified that your system is clean.

* We may be using some specialized tools during our fix. Certain embedded files that are part of legitimate programs or specialized fix tools such as process.exe, restart.exe, SmiUpdate.exe, reboot.exe, ws2fix.exe, prcviewer.exe and nircmd.exe may at times be detected by some anti-virus/anti-malware scanners as a "RiskTool", "Hacking tool", "Potentially unwanted tool", or even "malware (virus/trojan)" when that is not the case. Such programs have legitimate uses in contexts where an authorized user or administrator has knowingly installed them. These detections do not necessarily mean the file is malware or a bad program. It means it has the potential for being misused by others. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them. Please note also that not all of our tools work on 64-bit systems, so we may be limited in our procedures.

* The presence of Windows error codes may indicate hardware problems and could limit the success of infection removal.

ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
  • Install ERUNT by following the prompts (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder; if you like, you can enable this option later).
  • Start ERUNT (either by double-clicking the desktop icon or choosing to start the program at the end of the setup).
  • Choose a location for the backup (the default location is C:\WINDOWS\ERDNT, which is acceptable).
  • Make sure that at least the first two check boxes are ticked.
  • Press OK.
  • Press YES to create the folder.

If there is a problem after making changes to the system, to restore your registry, go to the folder and start ERUNT.exe.

Let me know after you have installed ERUNT. Also include the log from MBAM showing what it found and removed.

No Reply within 3 days will result in this topic being closed, and I will remove it from my subscriptions. If you require more time, please let me know.

Instructions posted for this user are customized for this user only. The tools used may cause damage if used on a computer with different infections. If you think you have similar problems, please post a log at the top of this board to start a new forum topic.

3 Apprentice


20.5K Posts

January 14th, 2011 17:00

Thank you for the information. Please copy and paste all logs from now on. Do not attach them.

Are you aware that there was a Backdoor on there allowing remote access? I hope your daughter did not do any online banking or credit card transactions on there. We usually suggest a reformat/reinstall if we find Backdoor malware.

I am going to paste your MBAM logs here so they are easier to review.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5493

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/10/2011 6:57:48 AM
mbam-log-2011-01-10 (06-57-48).txt

Scan type: Quick scan
Objects scanned: 238791
Time elapsed: 38 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\pofile (Rogue.FixTool) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

----------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5446

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/2/2011 11:37:18 PM
mbam-log-2011-01-02 (23-37-18).txt

Scan type: Full scan (C:\|)
Objects scanned: 373387
Time elapsed: 2 hour(s), 37 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 8
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\.pox (Rogue.FixTool) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\pofile (Rogue.FixTool) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\program files\perfect optimizer (PUP.PerfectOptimizer) -> Not selected for removal.
c:\program files\perfect optimizer\Backup (PUP.PerfectOptimizer) -> Not selected for removal.
c:\program files\perfect optimizer\Backup\application (PUP.PerfectOptimizer) -> Not selected for removal.
c:\program files\perfect optimizer\Backup\Registry (PUP.PerfectOptimizer) -> Not selected for removal.
c:\program files\perfect optimizer\Backup\Registry\firstbackup (PUP.PerfectOptimizer) -> Not selected for removal.
c:\program files\perfect optimizer\Backup\Registry\fullbackup (PUP.PerfectOptimizer) -> Not selected for removal.
c:\program files\perfect optimizer\Backup\Service (PUP.PerfectOptimizer) -> Not selected for removal.
c:\program files\perfect optimizer\Temp (PUP.PerfectOptimizer) -> Not selected for removal.

Files Infected:
c:\documents and settings\Becky\my documents\downloads\unconfirmed 35252.crdownload (Adware.HotBar) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-1004336348-1214440339-725345543-1004\Dc2.exe (PUP.PerfectOptimizer) -> Not selected for removal.
c:\RECYCLER\s-1-5-21-1004336348-1214440339-725345543-1004\Dc7.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-1004336348-1214440339-725345543-1004\Dc8.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-1004336348-1214440339-725345543-1004\Dc9.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\system volume information\_restore{2a0a444d-3199-40a7-bbb3-429883b5c6bc}\RP65\A0010733.dll (PUP.PerfectOptimizer) -> Not selected for removal.
c:\system volume information\_restore{2a0a444d-3199-40a7-bbb3-429883b5c6bc}\RP65\A0010734.dll (PUP.PerfectOptimizer) -> Not selected for removal.
c:\system volume information\_restore{2a0a444d-3199-40a7-bbb3-429883b5c6bc}\RP65\A0010735.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
c:\system volume information\_restore{2a0a444d-3199-40a7-bbb3-429883b5c6bc}\RP65\A0010737.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
c:\system volume information\_restore{2a0a444d-3199-40a7-bbb3-429883b5c6bc}\RP65\A0010738.DLL (PUP.PerfectOptimizer) -> Not selected for removal.
c:\system volume information\_restore{2a0a444d-3199-40a7-bbb3-429883b5c6bc}\RP65\A0010739.DLL (Rogue.Multiple) -> Quarantined and deleted successfully.
c:\system volume information\_restore{2a0a444d-3199-40a7-bbb3-429883b5c6bc}\RP65\A0010740.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
c:\program files\perfect optimizer\perfectoptimizer.ini (PUP.PerfectOptimizer) -> Not selected for removal.

-------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5178

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/26/2010 1:53:25 PM
mbam-log-2010-11-26 (13-53-25).txt

Scan type: Full scan (C:\|)
Objects scanned: 353337
Time elapsed: 3 hour(s), 0 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\NtWqIVLZEWZU (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\EBW0WSDL\dm4[1].exe (Rootkit.TDSS) -> Quarantined and deleted successfully.

------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5178

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

11/24/2010 7:49:21 AM
mbam-log-2010-11-24 (07-49-21).txt

Scan type: Full scan (C:\|)
Objects scanned: 104819
Time elapsed: 11 hour(s), 56 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\All Users\Application Data\WSTB\localeX86.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\Becca\Desktop\i don't want this on my desktop\install_flash_player.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Becky\Local Settings\Temp\uyhebg.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Documents and Settings\Becky\Local Settings\Temp\msroweanxc.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Becky\Local Settings\Temp\qvh01g9qnbd72j.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Becky\Local Settings\Temp\s2spez.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Becky\Local Settings\Temp\Fcj.exe (Trojan.FraudPack) -> Quarantined and deleted successfully.
C:\Documents and Settings\Becky\Local Settings\Temp\Fck.exe (Trojan.FraudPack) -> Quarantined and deleted successfully.
C:\Documents and Settings\Becky\Local Settings\Temp\Fcl.exe (Trojan.FraudPack) -> Quarantined and deleted successfully.
C:\Documents and Settings\Becky\Local Settings\Temp\iiwfmjwd.exe (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Becky\Local Settings\Temp\lnba.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\A080Y5ET\dm4[1].exe (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-458785589-1801309197-427153334-1006\Dc88\things\install_flash_player.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

-----------------------------------------------------

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5175

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

11/23/2010 6:38:36 PM
mbam-log-2010-11-23 (18-38-36).txt

Scan type: Quick scan
Objects scanned: 15348
Time elapsed: 10 hour(s), 27 minute(s), 53 second(s)

Memory Processes Infected: 6
Memory Modules Infected: 3
Registry Keys Infected: 3
Registry Values Infected: 7
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
C:\Documents and Settings\Becky\Local Settings\Temp\Fcm.exe (Trojan.FraudPack) -> Unloaded process successfully.
C:\Documents and Settings\Becky\Application Data\hotfix.exe (Trojan.FakeAlert) -> Unloaded process successfully.
C:\Documents and Settings\Becky\Local Settings\Temp\o1afhf.exe (Trojan.Downloader) -> Unloaded process successfully.
C:\Documents and Settings\Becky\Local Settings\Temp\iexplorer.exe (Trojan.Clicker) -> Unloaded process successfully.
C:\Documents and Settings\Becky\Local Settings\Temp\o1afhf.exe (Trojan.Downloader) -> Unloaded process successfully.
C:\Documents and Settings\Becky\Local Settings\Temp\iexplorer.exe (Trojan.Clicker) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\t05vppgvft.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\wprmsexp.dll (Trojan.Hiloti) -> Delete on reboot.
C:\WINDOWS\system32\b2l7d9.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{b1ba20c1-a503-59bd-f413-03b53a2c8953} (Trojan.Agent) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b1ba20c1-a503-59bd-f413-03b53a2c8953} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b1ba20c1-a503-59bd-f413-03b53a2c8953} (Trojan.Agent) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{b1ba20c1-a503-59bd-f413-03b53a2c8953} (Trojan.Agent) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntwqivlzewzu (Trojan.FraudPack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hperedakok (Trojan.Hiloti) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upc+mv0nxaaxms (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upc+mv0nxaaxms (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hnudcixnzy (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hnudcixnzy (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\t05vppgvft.dll (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Becky\Local Settings\Temp\Fcm.exe (Trojan.FraudPack) -> Quarantined and deleted successfully.
C:\Documents and Settings\Becky\Application Data\hotfix.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\wprmsexp.dll (Trojan.Hiloti) -> Delete on reboot.
C:\WINDOWS\system32\b2l7d9.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Becky\Local Settings\Temp\o1afhf.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Becky\Local Settings\Temp\iexplorer.exe (Trojan.Clicker) -> Quarantined and deleted successfully.

--------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 2 (Safe Mode)
Internet Explorer 6.0.2900.2180

11/23/2010 6:46:58 AM
mbam-log-2010-11-23 (06-46-58).txt

Scan type: Full scan (C:\|)
Objects scanned: 293365
Time elapsed: 1 hour(s), 5 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 30
Registry Data Items Infected: 4
Folders Infected: 6
Files Infected: 39

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0ed403e8-470a-4a8a-85a4-d7688cfe39a3} (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{0ed403e8-470a-4a8a-85a4-d7688cfe39a3} (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe (Trojan.Chifrax) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sshnas (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hnudcixnwe (Trojan.Chifrax) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hnudcixnwe (Trojan.Chifrax) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mkwpuf (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mkwpuf (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mkwpsd (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hnudcixngp (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hnudcixngp (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mkwpgp (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mkwpgp (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hnudcixnusc (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hnudcixnusc (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mkayc (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mkayc (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mkcuc (Trojan.PWS) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mkcuc (Trojan.PWS) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mkeg (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mkeg (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mkese (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mkese (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mkerb (Worm.Saphira) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mkerb (Worm.Saphira) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mkfa (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mkfa (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mkfpc (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mkfpc (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mkfsc (Backdoor.Wonknuwi) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mkfsc (Backdoor.Wonknuwi) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\scrfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\AutocompletePro (Adware.PredictAd) -> Quarantined and deleted successfully.
C:\Program Files\AutocompletePro\support@predictad.com (Adware.PredictAd) -> Quarantined and deleted successfully.
C:\Program Files\AutocompletePro\support@predictad.com\chrome (Adware.PredictAd) -> Quarantined and deleted successfully.
C:\Program Files\AutocompletePro\support@predictad.com\chrome\content (Adware.PredictAd) -> Quarantined and deleted successfully.
C:\Program Files\AutocompletePro\support@predictad.com\defaults (Adware.PredictAd) -> Quarantined and deleted successfully.
C:\Program Files\AutocompletePro\support@predictad.com\defaults\preferences (Adware.PredictAd) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Becky\Local Settings\Temp\iexplorer.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Program Files\AutocompletePro\AutocompletePro.dll (Adware.PredictAd) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\iexplorer.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Program Files\AutocompletePro\AcRemoteUpdate.exe (Adware.PredictAd) -> Quarantined and deleted successfully.
C:\Program Files\AutocompletePro\InstTracker.exe (Adware.PredictAd) -> Quarantined and deleted successfully.
C:\Program Files\AutocompletePro\TaskScheduler.dll (Adware.PredictAd) -> Quarantined and deleted successfully.
C:\Program Files\AutocompletePro\unins000.dat (Adware.PredictAd) -> Quarantined and deleted successfully.
C:\Program Files\AutocompletePro\unins000.exe (Adware.PredictAd) -> Quarantined and deleted successfully.
C:\Program Files\AutocompletePro\support@predictad.com\chrome.manifest (Adware.PredictAd) -> Quarantined and deleted successfully.
C:\Program Files\AutocompletePro\support@predictad.com\install.rdf (Adware.PredictAd) -> Quarantined and deleted successfully.
C:\Program Files\AutocompletePro\support@predictad.com\chrome\content\browserOverlay.xul (Adware.PredictAd) -> Quarantined and deleted successfully.
C:\Program Files\AutocompletePro\support@predictad.com\chrome\content\options.js (Adware.PredictAd) -> Quarantined and deleted successfully.
C:\Program Files\AutocompletePro\support@predictad.com\chrome\content\options.xul (Adware.PredictAd) -> Quarantined and deleted successfully.
C:\Program Files\AutocompletePro\support@predictad.com\chrome\content\utils.js (Adware.PredictAd) -> Quarantined and deleted successfully.
C:\Program Files\AutocompletePro\support@predictad.com\defaults\preferences\predictad.js (Adware.PredictAd) -> Quarantined and deleted successfully.
C:\Documents and Settings\Becky\Local Settings\Temp\setup.exe (Trojan.Chifrax) -> Quarantined and deleted successfully.
C:\Documents and Settings\Becky\Local Settings\Temp\sshnas21.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sshnas21.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\csrss.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Becky\Local Settings\Temp\lsass.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Becky\Local Settings\Temp\services.exe (Password.Stealer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Becky\Local Settings\Temp\taskmgr.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\taskmgr.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Becky\Local Settings\Temp\win32.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\win32.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Becky\Local Settings\Temp\winlogon.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\avp.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\csrss.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\lsass.exe (Trojan.PWS) -> Quarantined and deleted successfully.
C:\WINDOWS\smss.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system.exe (Worm.AutoRun) -> Quarantined and deleted successfully.
C:\WINDOWS\taskmgr.exe (Worm.Saphira) -> Quarantined and deleted successfully.
C:\WINDOWS\win.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\win32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\winlogon.exe (Backdoor.Wonknuwi) -> Quarantined and deleted successfully.
C:\Documents and Settings\Becky\Local Settings\Temp\iexplarer.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Becky\Local Settings\Temp\win16.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\spoolsv.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

===============================================================================


We need to see some additional information about what is happening in your machine.

  • Please download DDS by sUBs from one of the following links. Save it to your desktop.
  • DDS.pif
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool.
  • Click Yes at the prompt for Optional Scan.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop.
  • Copy/paste both logs to your reply on the forum. Do not attach them.
  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE.

Following that please download Security Check by screen317 and save it to your Desktop: here or here

  • Run Security Check
  • Follow the onscreen instructions inside of the command window.
  • A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!


If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE to access the Internet, allow it to do so.

To summarize:
You will be posting:
1. DDS.txt
2. Attach.txt
3. checkup.txt
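The MBAM logs pasted above are long, and a reviewer is really looking for three things in them: which families were seen (a Backdoor.* hit changes the advice, as the helper notes), which items were not actually removed ("Delete on reboot", "Not selected for removal"), and which detections are executables borrowing core Windows process names from outside system32 (C:\WINDOWS\csrss.exe, Temp\lsass.exe and so on). The script below is an added example, not code from this thread or from Malwarebytes; it parses the plain-text log format shown above and produces that summary. The core-process name list and the "genuine copies live in system32" rule are my own assumptions for XP-era systems, and the embedded sample log is a constructed excerpt modelled on the thread's logs (it deliberately includes a separator fused onto a log header, as happened in the paste above).

```python
"""Triage helper for Malwarebytes' Anti-Malware 1.x text logs (added example)."""
import re
from collections import Counter

# Actions that mean the item was NOT fully removed at scan time.
PENDING_ACTIONS = {"Delete on reboot", "Not selected for removal"}

# Assumption: core Windows process names that malware commonly borrows. On XP the
# genuine binaries live under %SystemRoot%\system32; a same-named file anywhere
# else (C:\WINDOWS\, a Temp folder, ...) deserves a second look.
CORE_PROCESS_NAMES = {"csrss.exe", "lsass.exe", "smss.exe", "svchost.exe",
                      "winlogon.exe", "services.exe", "spoolsv.exe", "taskmgr.exe"}
SYSTEM32 = "c:\\windows\\system32"

SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):\s*$")     # 'Files Infected:'
COUNT_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")    # 'Files Infected: 13'
HEAD_RE = re.compile(r"^(?P<path>.+) \((?P<family>[^()]+)\)$")
LOG_HEADER = "Malwarebytes' Anti-Malware"


def parse_item(line):
    """Parse one detection line into a dict, or return None if it is not one."""
    parts = line.split(" -> ")
    if len(parts) < 2:
        return None
    m = HEAD_RE.match(parts[0])          # greedy path, so '(default)' keys parse too
    if not m:
        return None
    return {
        "path": m.group("path"),
        "family": m.group("family"),
        "detail": " -> ".join(parts[1:-1]),   # e.g. 'Bad: (...) Good: (...)'
        "action": parts[-1].rstrip(". "),
    }


def parse_mbam_logs(text):
    """Split concatenated MBAM logs into reports, each with its detection items."""
    reports, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        idx = line.find(LOG_HEADER)
        if idx >= 0:                     # tolerate '-----Malwarebytes' fused headers
            reports.append({"version": line[idx:], "scan_type": None, "items": []})
            section = None
            continue
        if not reports:
            continue
        current = reports[-1]
        if line.startswith("Scan type:"):
            current["scan_type"] = line.split(":", 1)[1].strip()
        elif SECTION_RE.match(line):
            section = SECTION_RE.match(line).group(1)
        elif COUNT_RE.match(line) or not line or line.startswith("("):
            continue                     # summary counts, blanks, '(No malicious items detected)'
        elif section:
            item = parse_item(line)
            if item:
                item["section"] = section
                current["items"].append(item)
    return reports


def triage(reports):
    """Return the follow-up findings a log reviewer would want from these reports."""
    families, pending, masquerades = Counter(), [], []
    for rep in reports:
        for it in rep["items"]:
            families[it["family"]] += 1
            if it["action"] in PENDING_ACTIONS:
                pending.append((it["path"], it["action"]))
            if it["section"] in ("Files Infected", "Memory Processes Infected"):
                folder, _, name = it["path"].lower().rpartition("\\")
                if name in CORE_PROCESS_NAMES and folder != SYSTEM32:
                    masquerades.append(it["path"])
    return {"families": families, "pending": pending, "masquerades": masquerades,
            "backdoor": any(f.startswith("Backdoor.") for f in families)}


# Constructed sample, modelled on the logs pasted in this thread.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Scan type: Full scan (C:\|)
Objects scanned: 373387

Registry Keys Infected: 1
Folders Infected: 1
Files Infected: 2

Registry Keys Infected:
HKEY_CLASSES_ROOT\.pox (Rogue.FixTool) -> Quarantined and deleted successfully.

Folders Infected:
c:\program files\perfect optimizer (PUP.PerfectOptimizer) -> Not selected for removal.

Files Infected:
c:\RECYCLER\s-1-5-21-1004336348-1214440339-725345543-1004\Dc2.exe (PUP.PerfectOptimizer) -> Not selected for removal.
C:\WINDOWS\spoolsv.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

------------------------------------------Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Scan type: Full scan (C:\|)

Memory Modules Infected:
C:\WINDOWS\system32\t05vppgvft.dll (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\csrss.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Becky\Local Settings\Temp\lsass.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sshnas21.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    result = triage(parse_mbam_logs(SAMPLE_LOG))
    print("backdoor seen:", result["backdoor"])
    print("families:", dict(result["families"]))
    print("still pending:", result["pending"])
    print("system-name executables outside system32:", result["masquerades"])
```

On the sample this reports a Backdoor.* family, three items that were never actually removed, and three executables using core process names outside system32, which is exactly the shortlist the helper's "we usually suggest a reformat/reinstall if we find Backdoor malware" decision rests on. The registry repair lines ("Bad: (...) Good: (...)") keep their intermediate text in `detail`, so the parser does not mistake them for the final action.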

10 Posts

January 14th, 2011 17:00

0) Microsoft Forefront anti-virus is installed but temporarily turned off because it pegs the system and it uses Windows Update to get the latest virus definitions so it is out-of-date.  Once the Windows Update problem is solved I'll re-enable it.

1) This is not posted anywhere else.

2) System Restore is still enabled.

3) No cracked software.

4) I don't believe there are any P2P programs installed.  It's my daughter's laptop.  I checked and had her look at the 'partial' list.

5) ERUNT installed and ran.

6) MBAM logs attached.  Since only one file can be attached at a time, I copied previous logs into the most recent one.  They are separated in the file.

Dave

1 Attachment

10 Posts

January 14th, 2011 19:00


DDS (Ver_10-12-12.02) - NTFSx86 
Run by Becky at 21:47:44.73 on Fri 01/14/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1790.1015 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bradford Networks\Persistent Agent\bndaemon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\Save\Process Explorer\procexp.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Logitech\LWS\Webcam Software\CameraHelperShell.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Becky\Desktop\dds.scr

============== Pseudo HJT Report ===============

mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=userinit.exe
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Google Update] "c:\documents and settings\becky\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [LWS] c:\program files\logitech\lws\webcam software\LWS.exe -hide
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [bncsaui.exe] %ProgramFiles%\Bradford Networks\Persistent Agent\bncsaui.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\proces~1.lnk - c:\save\process explorer\procexp.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\shortc~1.lnk - c:\windows\system32\taskmgr.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-explorer: NoRealMode = 0 (0x0)
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1287117972390
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {B3E32D88-8E7F-468F-B0E2-3A300FD4A82C} - hxxp://myitlab.pearsoned.com/Pegasus/Modules/SIMIntegration/Resources/ax/stub.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\becky\applic~1\mozilla\firefox\profiles\wgzhaipu.default\
FF - prefs.js: browser.search.selectedEngine - Search
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com
FF - prefs.js: keyword.URL - hxxp://search.mywebstart.net/?sid=10101070100&s=
FF - component: c:\documents and settings\all users.windows\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\documents and settings\all users.windows\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\documents and settings\all users.windows\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\all users.windows\application data\realarcade\npraclient.dll
FF - plugin: c:\documents and settings\becky\application data\move networks\plugins\npqmp071500000347.dll
FF - plugin: c:\documents and settings\becky\application data\move networks\plugins\npqmp071502000008.dll
FF - plugin: c:\documents and settings\becky\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\extensions\npmozax@real.com\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npgcplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npraclient.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npracplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - Ext: RealArcade V3 Plugin: npmozax@real.com - c:\program files\mozilla firefox\extensions\npmozax@real.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\mozilla firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\all users.windows\application data\real\realplayer\browserrecordplugin\firefox\Ext
FF - Ext: XULRunner: {8A4B2485-8CA7-40DB-A27E-56B799E7DED6} - c:\documents and settings\becky\local settings\application data\{8A4B2485-8CA7-40DB-A27E-56B799E7DED6}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\becky\application data\Move Networks

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Search
FF - user.js: browser.search.order.1 - Search
FF - user.js: keyword.URL - hxxp://search.mywebstart.net/?sid=10101070100&s=
============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 BNPagent;Bradford Persistent Agent Service;c:\program files\bradford networks\persistent agent\bndaemon.exe [2010-2-23 3026656]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2010-8-21 724664]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2010-8-21 724664]
R2 Print Spooler;Print Spooler;c:\windows\system32\spoolsv.exe [2010-11-26 58880]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2010-8-24 92008]
S0 qepcgc;qepcgc;
S0 uvjjui;uvjjui;c:\windows\system32\drivers\schhtmg.sys --> c:\windows\system32\drivers\schhtmg.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-8-31 136176]
S3 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\mpfilter.sys --> c:\windows\system32\drivers\MpFilter.sys [?]

=============== File Associations ===============

JSEFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

2011-01-12 03:20:33    4952064    ----a-w-    c:\windows\system32\stacgui.cpl
2011-01-12 03:20:33    405504    ----a-w-    c:\windows\stsystra.exe
2011-01-12 03:20:33    1601536    ----a-w-    c:\windows\system32\stlang.dll
2011-01-12 03:20:06    270336    ----a-w-    c:\windows\system32\stacapi.dll
2011-01-12 03:16:20    --------    d-----w-    c:\docume~1\becky\locals~1\applic~1\Deployment
2011-01-10 05:57:54    --------    d-----w-    c:\windows\system32\CatRoot2
2011-01-10 03:16:29    --------    d-----w-    C:\TDSSKiller_Quarantine
2011-01-09 13:22:10    102400    ----a-w-    c:\windows\RegBootClean.exe
2011-01-04 04:51:15    37366216    ----a-w-    C:\mrt_scan.exe
2011-01-04 04:10:00    --------    d-----w-    C:\de011edd248b325c53e33b7bd45074
2011-01-04 04:07:16    --------    d-----w-    C:\4b22676bd265362ceac79530
2010-12-19 19:25:38    11776    ----a-w-    c:\program files\mozilla firefox\plugins\nprjplug.dll
2010-12-19 19:25:04    151776    ----a-w-    c:\program files\mozilla firefox\plugins\nppl3260.dll
2010-12-19 19:24:34    100352    ----a-w-    c:\program files\mozilla firefox\plugins\nprpjplug.dll
2010-12-16 23:46:32    --------    d-----w-    c:\program files\SandScript

==================== Find3M  ====================

2011-01-09 06:36:55    0    ----a-w-    c:\windows\Aduyiyaparohijep.bin
2010-12-02 20:21:04    87688    ----a-w-    c:\windows\system32\IncContxMenu.dll
2010-12-02 20:20:18    11776    ----a-w-    c:\windows\system32\smrgdf.exe
2010-12-02 20:20:10    29696    ----a-w-    c:\windows\system32\iolobtdfg.exe
2010-12-02 20:18:28    2234040    ----a-w-    c:\windows\system32\Incinerator.dll
2010-11-27 01:22:07    132    ----a-w-    C:\print-spooler.cmd
2010-11-24 17:48:03    710    ----a-w-    C:\regedit.reg
2010-11-24 15:53:02    470    ----a-w-    C:\regedit_only.reg
2010-11-24 13:31:28    1339    ----a-w-    C:\regtools.vbs
2010-11-21 01:30:58    3425676    ----a-w-    C:\registry.reg
2010-11-14 19:19:28    0    ----a-w-    C:\qepcgc.sys
2010-11-12 23:53:06    472808    ----a-w-    c:\windows\system32\deployJava1.dll
2010-11-12 21:34:10    73728    ----a-w-    c:\windows\system32\javacpl.cpl
2010-10-19 15:41:44    222080    ------w-    c:\windows\system32\MpSigStub.exe
2008-03-20 02:06:27    774144    ----a-w-    c:\program files\RngInterstitial.dll
2008-03-15 00:34:37    35325    ----a-w-    c:\program files\dm48.tmp.exe

=================== ROOTKIT  ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: FUJITSU_MHY2080BH rev.0085000B -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A5D6446]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a5dc504]; MOV EAX, [0x8a5dc580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX;  }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x8A622AB8]
3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x8A63BF18]
\Driver\atapi[0x8A5E4E20] -> IRP_MJ_CREATE -> 0x8A5D6446
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP;  }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskFUJITSU_MHY2080BH_______________________0085000B#5&24cbc6ab&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A5D6292
user != kernel MBR !!!
sectors 156301486 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

============= FINISH: 21:50:18.59 ===============

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-12.02)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 11/22/2010 11:10:13 PM
System Uptime: 1/14/2011 6:18:28 PM (3 hours ago)

Motherboard: Dell Inc. |  | 0UW744
Processor: Mobile AMD Sempron(tm) Processor 3500+ | Socket M2/S1G1 | 1795/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 71 GiB total, 9.166 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP50: 11/25/2010 10:11:27 PM - Installed Windows XP KB2158563.
RP51: 11/25/2010 10:12:46 PM - Installed Windows XP KB2345886.
RP52: 11/25/2010 10:14:33 PM - Installed Windows XP KB2360131.
RP53: 11/25/2010 10:16:07 PM - Installed Windows XP KB982132.
RP54: 11/25/2010 10:17:19 PM - Installed Windows XP KB2279986.
RP55: 11/25/2010 10:17:36 PM - Installed Windows Media Player KB2378111.
RP56: 11/25/2010 10:19:16 PM - Installed Windows XP KB981957.
RP57: 11/25/2010 10:20:51 PM - Installed Windows XP KB2387149.
RP58: 11/25/2010 10:22:15 PM - Installed Windows XP KB2296011.
RP59: 11/25/2010 10:23:47 PM - Installed Windows XP KB2360937.
RP60: 11/25/2010 10:25:25 PM - Installed Windows XP KB979687.
RP61: 11/25/2010 10:27:12 PM - Installed Windows XP KB2447568.
RP62: 11/25/2010 10:54:03 PM - Installed Windows XP KB958655-v2.
RP63: 11/25/2010 11:48:56 PM - Software Distribution Service 3.0
RP64: 11/26/2010 12:10:43 AM - Software Distribution Service 3.0
RP65: 11/26/2010 4:58:28 PM - Installed Windows Resource Kit Tools
RP66: 11/26/2010 9:16:44 PM - Installed Windows XP KB959765.
RP67: 11/28/2010 5:30:16 PM - Removed Microsoft Forefront Client Security State Assessment Service
RP68: 11/28/2010 5:30:59 PM - Removed Microsoft Forefront Client Security Antimalware Service
RP69: 1/3/2011 9:47:10 AM - Pre-Perfect Optimizer Install
RP70: 1/3/2011 11:24:46 AM - Removed Microsoft Forefront Client Security Antimalware Service
RP71: 1/3/2011 11:25:31 AM - Removed Microsoft Forefront Client Security State Assessment Service
RP72: 1/8/2011 8:16:24 PM - Installed Microsoft Fix it 50195
RP73: 1/9/2011 1:04:01 AM - Cleaned registry with Windows Live OneCare safety scanner
RP74: 1/9/2011 9:56:18 PM - pre erase catroot2
RP75: 1/10/2011 8:58:55 AM - Installed Java(TM) 6 Update 23
RP76: 1/11/2011 10:21:20 PM - Configured SigmaTel Audio
RP77: 1/11/2011 11:08:34 PM - Installed QuickSet
RP78: 1/14/2011 7:41:01 PM - System Checkpoint

==== Installed Programs ======================

Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3.4
Adobe Shockwave Player 11
AMD Processor Driver
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
Big Fish Games: Game Manager
Bonjour
Bradford Persistent Agent
Broadcom 440x 10/100 Integrated Controller
Broadcom Management Programs
CameraHelperMsi
Compatibility Pack for the 2007 Office system
Conexant HDA D110 MDC V.92 Modem
Dell Digital Jukebox Driver
Dell Driver Download Manager
Dell ResourceCD
Dell Wireless WLAN Card
erLT
ERUNT 1.1j
Google Chrome
Google Toolbar for Internet Explorer
Google Update Helper
Graboid Video 1.73
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB932716-v2)
Hotfix for Windows XP (KB942288-v3)
Hotfix for Windows XP (KB944043-v3)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB958655-v2)
Hotfix for Windows XP (KB959765)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB969084)
iolo technologies' System Mechanic
iTunes
Jasc Paint Shop Photo Album
Java Auto Updater
Java(TM) 6 Update 23
KODAK Share Button App
Logitech Webcam Software
LWS Facebook
LWS Gallery
LWS Help_main
LWS Launcher
LWS Motion Detection
LWS Pictures And Video
LWS Video Mask Maker
LWS VideoEffects
LWS Webcam Software
LWS WLM Plugin
LWS YouTube Plugin
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Office Standard Edition 2003
Microsoft Silverlight
Microsoft Software Update for Web Folders  (English) 12
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022.218
Microsoft WSE 3.0 Runtime
Microsoft XML Parser
MobileMe Control Panel
Move Media Player
Mozilla Firefox (3.0.19)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP3 Parser (KB973685)
MSXML 6 Service Pack 2 (KB973686)
MyTomTom 3.0.1.163
NOOK for PC
Pdf995
QuickSet
QuickTime
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealPlayer
RealUpgrade 1.1
Safari
SandScript
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB979402)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2124261)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2290570)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953155)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB955417)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB970483)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975254)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982665)
SigmaTel Audio
Skype Toolbars
Skype™ 5.0
Spelling Dictionaries Support For Adobe Reader 9
SUPERAntiSpyware
Synaptics Pointing Device Driver
TeamViewer 6
TextTwist 2
TomTom HOME 2.7.6.2056
TomTom HOME Visual Studio Merge Modules
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Windows (KB971513)
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB898461)
Update for Windows XP (KB951618-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB958752)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Virtual Families
Virtual Villagers: The Lost Children
Visual Studio C++ 9.0 Runtime
VLC media player 1.0.1
WD Diagnostics
WebFldrs XP
Windows Driver Package - Ricoh Company (rimsptsk) hdc  (11/14/2006 6.00.01.04)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Hotfix - KB895181
Windows Media Player 11
Windows Resource Kit Tools
Windows Search 4.0
Windows XP Service Pack 3
Xvid 1.2.1 final uninstall

==== Event Viewer Messages From Past Week ========

1/9/2011 5:47:06 PM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
1/9/2011 5:46:57 PM, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  AmdK8 APPDRV Fips OMCI SASDIFSV SASKUTIL
1/9/2011 5:45:58 PM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
1/9/2011 3:18:38 AM, error: Service Control Manager [7032]  - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error:  An instance of the service is already running.
1/9/2011 12:49:54 PM, error: Service Control Manager [7023]  - The Net Driver HPZ12 service terminated with the following error:  The specified module could not be found.
1/9/2011 1:39:31 AM, error: SideBySide [59]  - Resolve Partial Assembly failed for Microsoft.VC90.DebugCRT. Reference error message: The referenced assembly is not installed on your system. .
1/9/2011 1:39:31 AM, error: SideBySide [59]  - Generate Activation Context failed for c:\program files\real\realplayer\plugins\rmxrend.dll. Reference error message: The operation completed successfully. .
1/9/2011 1:39:31 AM, error: SideBySide [32]  - Dependent Assembly Microsoft.VC90.DebugCRT could not be found and Last Error was The referenced assembly is not installed on your system.
1/8/2011 7:42:36 PM, error: AmdK8 [2]  - The Acpi 2.0 _PCT object returned an invalid value of 3
1/12/2011 12:32:21 AM, error: Service Control Manager [7011]  - Timeout (30000 milliseconds) waiting for a transaction response from the ioloSystemService service.
1/11/2011 10:20:46 PM, error: Service Control Manager [7011]  - Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.

==== End Of File ===========================

-----------------------------------------------------------------------------------------------------------------------------------------------------------

 

 Results of screen317's Security Check version 0.99.8 
 Windows XP Service Pack 3 
 Internet Explorer 8 
``````````````````````````````
Antivirus/Firewall Check:

 Windows Security Center service is not running! This report may not be accurate!
 iolo technologies' System Mechanic  
```````````````````````````````
Anti-malware/Other Utilities Check:

 MVPS Hosts File 
 Malwarebytes' Anti-Malware   
 Java(TM) 6 Update 23 
 Adobe Flash Player 10.1.102.64 
Adobe Reader 9.3.4
Out of date Adobe Reader installed!
 Mozilla Firefox (3.0.19) Firefox Out of Date! 
````````````````````````````````
Process Check: 
objlist.exe by Laurent

 Windows Defender MSMpEng.exe
 Windows Defender MSASCui.exe
 Microsoft Forefront Client Security Client Antimalware\MsMpEng.exe
 Microsoft Forefront Client Security Client Antimalware\MSASCui.exe
 iolo Common Lib ioloServiceManager.exe
``````````End of Log````````````

3 Apprentice

 • 

20.5K Posts

January 14th, 2011 19:00

Please visit this webpage for download links, and instructions for running ComboFix (If you have a prior copy of Combofix, delete it now!):

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please login as Administrator.

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console. Note: If you have SP3, use the SP2 package. If Vista or Windows 7, skip the Recovery Console instructions. It is already installed on Vista and Windows 7 versions of Windows.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you.
Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

4. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

5. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

* Additional information on A/V control HERE. * ComboFix is not intended for use with servers.


10 Posts

January 14th, 2011 21:00

ComboFix 11-01-14.01 - Becky 01/15/2011   0:21.1.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1790.1381 [GMT -5:00]
Running from: c:\documents and settings\Becky\Desktop\ComboFix.exe
AV: Microsoft Forefront Client Security *Disabled/Updated* {926A3D4F-E4E7-4F47-9902-4EDD55FFE1AF}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Becca\GoToAssistDownloadHelper.exe
c:\documents and settings\Becky\Application Data\completescan
c:\documents and settings\Becky\Application Data\install
c:\documents and settings\Becky\Local Settings\Application Data\{8A4B2485-8CA7-40DB-A27E-56B799E7DED6}
c:\documents and settings\Becky\Local Settings\Application Data\{8A4B2485-8CA7-40DB-A27E-56B799E7DED6}\chrome.manifest
c:\documents and settings\Becky\Local Settings\Application Data\{8A4B2485-8CA7-40DB-A27E-56B799E7DED6}\chrome\content\_cfg.js
c:\documents and settings\Becky\Local Settings\Application Data\{8A4B2485-8CA7-40DB-A27E-56B799E7DED6}\chrome\content\overlay.xul
c:\documents and settings\Becky\Local Settings\Application Data\{8A4B2485-8CA7-40DB-A27E-56B799E7DED6}\install.rdf
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PRINT_SPOOLER
-------\Service_Print Spooler


(((((((((((((((((((((((((   Files Created from 2010-12-15 to 2011-01-15  )))))))))))))))))))))))))))))))
.

2011-01-15 05:40 . 2011-01-15 05:40    --------    d-----w-    c:\windows\LastGood
2011-01-15 03:16 . 2010-11-16 17:01    6273872    ----a-w-    c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{BB971E17-165A-485B-A80E-9BB98F25BDA7}\mpengine.dll
2011-01-15 03:13 . 2010-11-16 17:01    6273872    ----a-w-    c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\Backup\mpengine.dll
2011-01-15 03:11 . 2009-05-15 18:35    69616    ----a-w-    c:\windows\system32\drivers\MpFilter.sys
2011-01-15 00:07 . 2011-01-15 00:11    --------    d-----w-    c:\program files\ERUNT
2011-01-12 03:20 . 2007-05-10 15:23    4952064    ----a-w-    c:\windows\system32\stacgui.cpl
2011-01-12 03:20 . 2007-05-10 15:22    405504    ----a-w-    c:\windows\stsystra.exe
2011-01-12 03:20 . 2007-04-10 22:02    1601536    ----a-w-    c:\windows\system32\stlang.dll
2011-01-12 03:20 . 2007-05-10 15:23    270336    ----a-w-    c:\windows\system32\stacapi.dll
2011-01-12 03:16 . 2011-01-12 04:36    --------    d-----w-    c:\documents and settings\Becky\Local Settings\Application Data\Deployment
2011-01-10 05:57 . 2011-01-15 05:40    --------    d-----w-    c:\windows\system32\CatRoot2
2011-01-10 03:16 . 2011-01-10 03:16    --------    d-----w-    C:\TDSSKiller_Quarantine
2011-01-09 18:05 . 2011-01-09 20:41    --------    d-----w-    c:\windows\BDOSCAN8
2011-01-09 13:22 . 2011-01-09 13:22    102400    ----a-w-    c:\windows\RegBootClean.exe
2011-01-04 04:51 . 2010-12-09 02:34    37366216    ----a-w-    C:\mrt_scan.exe
2011-01-04 04:10 . 2011-01-04 04:10    --------    d-----w-    C:\de011edd248b325c53e33b7bd45074
2011-01-04 04:07 . 2011-01-04 04:07    --------    d-----w-    C:\4b22676bd265362ceac79530
2010-12-19 19:25 . 2010-12-19 19:25    11776    ----a-w-    c:\program files\Mozilla Firefox\plugins\nprjplug.dll
2010-12-19 19:25 . 2010-12-19 19:25    151776    ----a-w-    c:\program files\Mozilla Firefox\plugins\nppl3260.dll
2010-12-19 19:24 . 2010-12-19 19:24    100352    ----a-w-    c:\program files\Mozilla Firefox\plugins\nprpjplug.dll
2010-12-16 23:46 . 2010-12-16 23:46    --------    d-----w-    c:\documents and settings\Becky\Application Data\PlayFirst
2010-12-16 23:46 . 2010-12-16 23:46    --------    d-----w-    c:\documents and settings\All Users.WINDOWS\Application Data\PlayFirst
2010-12-16 23:46 . 2010-12-16 23:52    --------    d-----w-    c:\program files\SandScript

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-20 23:09 . 2010-11-23 06:26    38224    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2010-11-23 06:26    20952    ----a-w-    c:\windows\system32\drivers\mbam.sys
2010-12-02 20:21 . 2010-08-21 18:42    87688    ----a-w-    c:\windows\system32\IncContxMenu.dll
2010-12-02 20:20 . 2010-08-21 18:42    11776    ----a-w-    c:\windows\system32\smrgdf.exe
2010-12-02 20:20 . 2010-08-21 18:42    29696    ----a-w-    c:\windows\system32\iolobtdfg.exe
2010-12-02 20:18 . 2010-08-21 18:42    2234040    ----a-w-    c:\windows\system32\Incinerator.dll
2010-11-27 01:22 . 2010-11-27 01:01    132    ----a-w-    C:\print-spooler.cmd
2010-11-24 17:48 . 2010-11-24 17:48    710    ----a-w-    C:\regedit.reg
2010-11-24 15:53 . 2010-11-24 15:53    470    ----a-w-    C:\regedit_only.reg
2010-11-24 13:31 . 2010-11-24 13:30    1339    ----a-w-    C:\regtools.vbs
2010-11-21 01:30 . 2010-11-21 01:30    3425676    ----a-w-    C:\registry.reg
2010-11-12 23:53 . 2010-09-06 00:20    472808    ----a-w-    c:\windows\system32\deployJava1.dll
2010-11-12 21:34 . 2009-01-19 06:05    73728    ----a-w-    c:\windows\system32\javacpl.cpl
2010-10-19 15:41 . 2010-09-03 18:34    222080    ------w-    c:\windows\system32\MpSigStub.exe
2008-03-20 02:06 . 2008-03-20 02:06    774144    ----a-w-    c:\program files\RngInterstitial.dll
2008-03-15 00:34 . 2008-03-15 00:34    35325    ----a-w-    c:\program files\dm48.tmp.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-09-01 39408]
"Google Update"="c:\documents and settings\Becky\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-02-13 135664]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-01-02 2424560]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-10-11 14940040]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2010-08-24 247144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-09-22 761947]
"LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2010-05-07 165208]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-10-08 47904]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-18 421160]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Microsoft Forefront Client Security Antimalware Service"="c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe" [2009-09-03 1033584]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Process Explorer.lnk - c:\save\Process Explorer\procexp.exe [2010-12-9 4177272]
Shortcut to taskmgr.lnk - c:\windows\system32\taskmgr.exe [2004-8-4 135680]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRealMode"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute    REG_MULTI_SZ       \0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FCSAM]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Bradford Networks\\Persistent Agent\\bndaemon.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer_Service.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
R2 BNPagent;Bradford Persistent Agent Service;c:\program files\Bradford Networks\Persistent Agent\bndaemon.exe [2/23/2010 4:03 PM 3026656]
R2 FcsSas;Microsoft Forefront Client Security State Assessment Service;c:\program files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe [4/6/2007 4:12 AM 73120]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [8/21/2010 1:42 PM 724664]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [8/21/2010 1:42 PM 724664]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [8/24/2010 4:38 AM 92008]
S0 qepcgc;qepcgc;
S0 uvjjui;uvjjui;c:\windows\system32\drivers\schhtmg.sys --> c:\windows\system32\drivers\schhtmg.sys [?]
S2 FCSAM;Microsoft Forefront Client Security Antimalware Service;c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe [9/3/2009 3:06 PM 16880]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/31/2010 7:56 PM 136176]

--- Other Services/Drivers In Memory ---

*Deregistered* - PROCEXP141

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12    REG_MULTI_SZ       Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2011-01-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2011-01-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-01 00:56]

2011-01-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-01 00:56]

2011-01-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1004336348-1214440339-725345543-1004Core.job
- c:\documents and settings\Becky\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-13 05:29]

2011-01-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1004336348-1214440339-725345543-1004UA.job
- c:\documents and settings\Becky\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-13 05:29]

2011-01-15 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1004336348-1214440339-725345543-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]

2011-01-15 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1004336348-1214440339-725345543-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
.
.
------- Supplementary Scan -------
.
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Becky\Application Data\Mozilla\Firefox\Profiles\wgzhaipu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com
FF - prefs.js: keyword.URL - hxxp://search.mywebstart.net/?sid=10101070100&s=
FF - Ext: RealArcade V3 Plugin: npmozax@real.com - c:\program files\Mozilla Firefox\extensions\npmozax@real.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users.WINDOWS\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\Becky\Application Data\Move Networks
FF - user.js: browser.search.order.1 - Search
FF - user.js: keyword.URL - hxxp://search.mywebstart.net/?sid=10101070100&s=
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
HKLM-Run-bncsaui.exe - %ProgramFiles%\Bradford Networks\Persistent Agent\bncsaui.exe
HKLM-Run-SigmatelSysTrayApp - %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-15 00:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(776)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(5964)
c:\windows\system32\WININET.dll
c:\windows\system32\logishrd\LVPrcInj01.dll
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\windows\system32\msi.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wscntfy.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.EXE
c:\program files\Logitech\LWS\Webcam Software\CameraHelperShell.exe
c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\SearchProtocolHost.exe
c:\program files\ATI Technologies\ATI.ACE\cli.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2011-01-15  00:53:35 - machine was rebooted
ComboFix-quarantined-files.txt  2011-01-15 05:53

Pre-Run: 7,582,568,448 bytes free
Post-Run: 9,462,673,408 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Home" /noexecute=optin /fastdetect

- - End Of File - - A139F8684E42E10A9D845BB8CD71F7C9

10 Posts

January 14th, 2011 22:00

I decided to try Windows Update to see if I could get there.  I can!!!  Awesome.  I'd be interested to know which of the things ComboFix 'fixed' was the likely culprit if you have any ideas.  I have not run Windows Update yet.  Waiting to see if there are other items I should fix first.  But thanks for help so far.

3 Apprentice

 • 

20.5K Posts

January 15th, 2011 05:00

Please do not run Windows Update yet. We have more to do. It's hard to say exactly what was suppressing the ability to access WU. It may have been the latest rootkit found, or it may have been a remnant left by one of the infections removed earlier. You had quite a mess on that computer to begin with. We usually see those with people who have been using cracked software and/or P2P (file sharing).


Disconnect from the internet....pull the plug!
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray.
Otherwise, they may interfere with running ComboFix.

Open Notepad and copy/paste the following text between the lines below. Do not copy the dotted lines.
 ** Make sure you copy/paste ALL the text at once. Do not try to edit extra spaces. It will copy correctly to Notepad if you highlight and copy as is.

-----------------------------------------------------------------------------------

File::
c:\windows\system32\drivers\schhtmg.sys


Driver::
uvjjui
qepcgc

 

----------------------------------------------------------------------------

Save this as CFScript.txt

Referring to the picture above, drag CFScript into ComboFix.exe. You will be prompted to run ComboFix again.

Follow the same instructions you did before for running ComboFix. CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall. When finished, a log is produced here: C:\ComboFix.txt

Download and scan each user profile with CCleaner (a good utility to keep and use regularly):

http://www.piriform.com/ccleaner/builds

 

** Select to download the SLIM version.

** Because CCleaner removes everything in temp folders, if you have anything saved in a temp folder, back it up or move it to a permanent folder prior to running CCleaner.

** We will be cleaning cookies as well. Make a note of any passwords, etc. that you want to save. If you do not want to delete cookies, simply uncheck that option.

1. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

2. Then select the items you wish to clean up. In the Windows Tab:

  • Clean all entries in the "Internet Explorer" section.
  • Clean all the entries in the "Windows Explorer" section.
  • Clean all entries in the "System" section.
  • Clean all entries in the "Advanced" section.
  • Clean any others that you choose.

In the Applications Tab:

  • Clean all in the Firefox/Mozilla section if you use it.
  • Clean all in the Opera section if you use it.
  • Clean Sun Java in the Internet Section.
  • Clean any others that you choose.

3. Click the "Analyze" button. When the list of files comes up, click the "Run Cleaner" button.

4. A pop up box will appear advising this process will permanently delete files from your system.

5. Click "OK" and it will scan and clean your system.

6. Click "exit" when done. REBOOT.

In your next reply please include the ComboFix log from this most recent run.

Let me know how things are running at that point. Thanks.
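The two entries the CFScript above removes, the pathless boot-start service qepcgc and uvjjui, whose driver schhtmg.sys is registered but marked missing with "--> ... [?]" in the first log, are exactly what a reviewer wants to pick out of a ComboFix "Drivers/Services" section before any removal script is written. The following is an added example, not ComboFix's code or the helper's tooling; the parsing rules, the heuristics and the sample lines (copied from the log posted above) are my own construction, and the "random name" rule is a heuristic hint, not a verdict:

```python
"""Triage the "Drivers/Services" lines of a ComboFix log (added example).

ComboFix lists each registered service or driver as

    <start> <name>;<display name>;<image path> [<date> <size>]

with <start> R0-R3 for running and S0-S4 for stopped entries (x0 = boot
start).  An image that is registered but absent from disk is printed as
"<path> --> <path> [?]".  The heuristics below reproduce what the helper
picked out of the posted log: a service with no image path at all, a driver
whose file is missing, and a short all-lowercase name reused as its own
display name.  They are hints for a human reviewer, not a verdict.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input constructed from the first log in this thread: three
# legitimate entries plus the two the helper later removed.
SAMPLE_LOG = r"""
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [8/24/2010 4:38 AM 92008]
S0 qepcgc;qepcgc;
S0 uvjjui;uvjjui;c:\windows\system32\drivers\schhtmg.sys --> c:\windows\system32\drivers\schhtmg.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/31/2010 7:56 PM 136176]
"""

SERVICE_LINE = re.compile(r"^([RS][0-4])\s+(.*)$")
RANDOM_NAME = re.compile(r"^[a-z]{5,8}$")   # heuristic (assumption), see docstring


@dataclass
class ServiceEntry:
    start: str                 # e.g. "S0" = stopped, boot-start driver
    name: str
    display: str
    path: str                  # registered image path, "" if none recorded
    image_missing: bool        # ComboFix printed "--> <path> [?]"
    reasons: List[str] = field(default_factory=list)


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Parse one service/driver line; return None for any other line."""
    m = SERVICE_LINE.match(line.strip())
    if not m:
        return None
    start, rest = m.groups()
    parts = rest.split(";", 2)
    if len(parts) != 3:
        return None
    name, display, tail = parts
    image_missing = " --> " in tail
    # Drop the "--> path [?]" marker, then the trailing "[date size]" block.
    path = tail.split(" --> ", 1)[0]
    path = re.sub(r"\s*\[[^\]]*\]\s*$", "", path).strip()
    return ServiceEntry(start, name, display, path, image_missing)


def flag_entry(entry: ServiceEntry) -> ServiceEntry:
    """Attach human-readable reasons to an entry that looks suspicious."""
    if not entry.path:
        entry.reasons.append("no image path registered for the service")
    if entry.image_missing:
        entry.reasons.append("registered image file is missing on disk")
    if entry.display == entry.name and RANDOM_NAME.match(entry.name):
        entry.reasons.append("short all-lowercase name reused as display name")
    if entry.reasons and entry.start.endswith("0"):
        # Start type 0 is loaded by the OS loader before most other drivers.
        entry.reasons.append("boot start entry, loads before most other drivers")
    return entry


def triage(log_text: str) -> List[ServiceEntry]:
    """Return only the entries that tripped at least one heuristic."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_service_line(line)
        if entry is not None and flag_entry(entry).reasons:
            flagged.append(entry)
    return flagged


def cfscript_for(flagged: List[ServiceEntry]) -> str:
    """Render File:: / Driver:: directives in the layout the helper used in
    this thread, so a proposed script can be compared against the log before
    it is run.  Returns an empty string when nothing was flagged."""
    files = [e.path for e in flagged if e.path]
    drivers = [e.name for e in flagged]
    out: List[str] = []
    if files:
        out.append("File::")
        out.extend(files)
        out.append("")
    if drivers:
        out.append("Driver::")
        out.extend(drivers)
    return "\n".join(out) + ("\n" if out else "")


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for e in hits:
        print(f"{e.start} {e.name}: " + "; ".join(e.reasons))
    print()
    print(cfscript_for(hits), end="")
```

Run against the sample lines it reports only qepcgc and uvjjui and renders the same File::/Driver:: entries the helper wrote by hand.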

10 Posts

January 15th, 2011 07:00

Below is the most recent run of ComboFix.   I can still get to Windows Update, which was the main problem.  And it seems that things are running ok.  My daughter will have to use the computer to see if anything else is broken.  But it looks good right now.  Thanks.  Anything else we need to run?

--------------------------------------------------

ComboFix 11-01-14.01 - Becky 01/15/2011   8:19.2.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1790.1255 [GMT -5:00]
Running from: c:\documents and settings\Becky\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Becky\Desktop\CFScript.txt
AV: Microsoft Forefront Client Security *Disabled/Updated* {926A3D4F-E4E7-4F47-9902-4EDD55FFE1AF}

FILE ::
"c:\windows\system32\drivers\schhtmg.sys"
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_QEPCGC
-------\Service_qepcgc
-------\Service_uvjjui


(((((((((((((((((((((((((   Files Created from 2010-12-15 to 2011-01-15  )))))))))))))))))))))))))))))))
.

2011-01-15 05:46 . 2010-11-06 00:26    25600    -c----w-    c:\windows\system32\dllcache\jsproxy.dll
2011-01-15 05:46 . 2010-11-06 00:26    43520    -c----w-    c:\windows\system32\dllcache\licmgr10.dll
2011-01-15 05:46 . 2010-11-06 00:26    184320    -c----w-    c:\windows\system32\dllcache\iepeers.dll
2011-01-15 05:46 . 2010-11-06 00:26    206848    -c----w-    c:\windows\system32\dllcache\occache.dll
2011-01-15 05:46 . 2010-11-06 00:26    916480    -c----w-    c:\windows\system32\dllcache\wininet.dll
2011-01-15 05:46 . 2010-11-06 00:26    66560    -c----w-    c:\windows\system32\dllcache\mshtmled.dll
2011-01-15 05:46 . 2010-11-06 00:26    387584    -c----w-    c:\windows\system32\dllcache\iedkcs32.dll
2011-01-15 05:45 . 2010-11-06 00:26    611840    -c----w-    c:\windows\system32\dllcache\mstime.dll
2011-01-15 05:45 . 2010-11-03 12:26    173568    -c----w-    c:\windows\system32\dllcache\ie4uinit.exe
2011-01-15 05:45 . 2010-11-06 00:26    1210880    -c----w-    c:\windows\system32\dllcache\urlmon.dll
2011-01-15 05:45 . 2010-11-06 00:26    5959168    -c----w-    c:\windows\system32\dllcache\mshtml.dll
2011-01-15 05:45 . 2010-11-02 15:17    40960    -c----w-    c:\windows\system32\dllcache\ndproxy.sys
2011-01-15 05:43 . 2010-03-10 06:15    420352    -c----w-    c:\windows\system32\dllcache\vbscript.dll
2011-01-15 05:43 . 2009-09-11 14:13    136704    -c----w-    c:\windows\system32\dllcache\msv1_0.dll
2011-01-15 05:41 . 2010-10-11 14:59    45568    -c----w-    c:\windows\system32\dllcache\wab.exe
2011-01-15 03:16 . 2010-11-16 17:01    6273872    ----a-w-    c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{BB971E17-165A-485B-A80E-9BB98F25BDA7}\mpengine.dll
2011-01-15 03:13 . 2010-11-16 17:01    6273872    ----a-w-    c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\Backup\mpengine.dll
2011-01-15 03:11 . 2009-05-15 18:35    69616    ----a-w-    c:\windows\system32\drivers\MpFilter.sys
2011-01-15 00:07 . 2011-01-15 00:11    --------    d-----w-    c:\program files\ERUNT
2011-01-12 03:20 . 2007-05-10 15:23    4952064    ----a-w-    c:\windows\system32\stacgui.cpl
2011-01-12 03:20 . 2007-05-10 15:22    405504    ----a-w-    c:\windows\stsystra.exe
2011-01-12 03:20 . 2007-04-10 22:02    1601536    ----a-w-    c:\windows\system32\stlang.dll
2011-01-12 03:20 . 2007-05-10 15:23    270336    ----a-w-    c:\windows\system32\stacapi.dll
2011-01-12 03:16 . 2011-01-12 04:36    --------    d-----w-    c:\documents and settings\Becky\Local Settings\Application Data\Deployment
2011-01-10 05:57 . 2011-01-15 13:18    --------    d-----w-    c:\windows\system32\CatRoot2
2011-01-10 03:16 . 2011-01-10 03:16    --------    d-----w-    C:\TDSSKiller_Quarantine
2011-01-09 18:05 . 2011-01-09 20:41    --------    d-----w-    c:\windows\BDOSCAN8
2011-01-09 13:22 . 2011-01-09 13:22    102400    ----a-w-    c:\windows\RegBootClean.exe
2011-01-04 04:51 . 2010-12-09 02:34    37366216    ----a-w-    C:\mrt_scan.exe
2011-01-04 04:10 . 2011-01-04 04:10    --------    d-----w-    C:\de011edd248b325c53e33b7bd45074
2011-01-04 04:07 . 2011-01-04 04:07    --------    d-----w-    C:\4b22676bd265362ceac79530
2010-12-19 19:25 . 2010-12-19 19:25    11776    ----a-w-    c:\program files\Mozilla Firefox\plugins\nprjplug.dll
2010-12-19 19:25 . 2010-12-19 19:25    151776    ----a-w-    c:\program files\Mozilla Firefox\plugins\nppl3260.dll
2010-12-19 19:24 . 2010-12-19 19:24    100352    ----a-w-    c:\program files\Mozilla Firefox\plugins\nprpjplug.dll
2010-12-16 23:46 . 2010-12-16 23:46    --------    d-----w-    c:\documents and settings\Becky\Application Data\PlayFirst
2010-12-16 23:46 . 2010-12-16 23:46    --------    d-----w-    c:\documents and settings\All Users.WINDOWS\Application Data\PlayFirst
2010-12-16 23:46 . 2010-12-16 23:52    --------    d-----w-    c:\program files\SandScript

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-20 23:09 . 2010-11-23 06:26    38224    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2010-11-23 06:26    20952    ----a-w-    c:\windows\system32\drivers\mbam.sys
2010-12-02 20:21 . 2010-08-21 18:42    87688    ----a-w-    c:\windows\system32\IncContxMenu.dll
2010-12-02 20:20 . 2010-08-21 18:42    11776    ----a-w-    c:\windows\system32\smrgdf.exe
2010-12-02 20:20 . 2010-08-21 18:42    29696    ----a-w-    c:\windows\system32\iolobtdfg.exe
2010-12-02 20:18 . 2010-08-21 18:42    2234040    ----a-w-    c:\windows\system32\Incinerator.dll
2010-11-27 01:22 . 2010-11-27 01:01    132    ----a-w-    C:\print-spooler.cmd
2010-11-24 17:48 . 2010-11-24 17:48    710    ----a-w-    C:\regedit.reg
2010-11-24 15:53 . 2010-11-24 15:53    470    ----a-w-    C:\regedit_only.reg
2010-11-24 13:31 . 2010-11-24 13:30    1339    ----a-w-    C:\regtools.vbs
2010-11-21 01:30 . 2010-11-21 01:30    3425676    ----a-w-    C:\registry.reg
2010-11-18 18:12 . 2008-11-16 00:14    81920    ----a-w-    c:\windows\system32\isign32.dll
2010-11-12 23:53 . 2010-09-06 00:20    472808    ----a-w-    c:\windows\system32\deployJava1.dll
2010-11-12 21:34 . 2009-01-19 06:05    73728    ----a-w-    c:\windows\system32\javacpl.cpl
2010-11-09 14:52 . 2004-08-04 10:00    249856    ----a-w-    c:\windows\system32\odbc32.dll
2010-11-06 00:26 . 2006-03-04 03:33    916480    ----a-w-    c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2004-08-04 10:00    43520    ----a-w-    c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2004-08-04 10:00    1469440    ----a-w-    c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2004-08-04 10:00    385024    ----a-w-    c:\windows\system32\html.iec
2010-11-02 15:17 . 2004-08-04 10:00    40960    ----a-w-    c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2004-08-04 10:00    290048    ----a-w-    c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2004-08-04 10:00    1853312    ----a-w-    c:\windows\system32\win32k.sys
2010-10-19 15:41 . 2010-09-03 18:34    222080    ------w-    c:\windows\system32\MpSigStub.exe
2008-03-20 02:06 . 2008-03-20 02:06    774144    ----a-w-    c:\program files\RngInterstitial.dll
2008-03-15 00:34 . 2008-03-15 00:34    35325    ----a-w-    c:\program files\dm48.tmp.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-09-01 39408]
"Google Update"="c:\documents and settings\Becky\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-02-13 135664]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-01-02 2424560]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-10-11 14940040]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2010-08-24 247144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-09-22 761947]
"LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2010-05-07 165208]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-10-08 47904]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-18 421160]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Microsoft Forefront Client Security Antimalware Service"="c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe" [2009-09-03 1033584]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Process Explorer.lnk - c:\save\Process Explorer\procexp.exe [2010-12-9 4177272]
Shortcut to taskmgr.lnk - c:\windows\system32\taskmgr.exe [2004-8-4 135680]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRealMode"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute    REG_MULTI_SZ       \0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FCSAM]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Bradford Networks\\Persistent Agent\\bndaemon.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer_Service.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
R2 BNPagent;Bradford Persistent Agent Service;c:\program files\Bradford Networks\Persistent Agent\bndaemon.exe [2/23/2010 4:03 PM 3026656]
R2 FcsSas;Microsoft Forefront Client Security State Assessment Service;c:\program files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe [4/6/2007 4:12 AM 73120]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [8/21/2010 1:42 PM 724664]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [8/21/2010 1:42 PM 724664]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [8/24/2010 4:38 AM 92008]
S2 FCSAM;Microsoft Forefront Client Security Antimalware Service;c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe [9/3/2009 3:06 PM 16880]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/31/2010 7:56 PM 136176]

--- Other Services/Drivers In Memory ---

*Deregistered* - PROCEXP141

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12    REG_MULTI_SZ       Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2011-01-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2011-01-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-01 00:56]

2011-01-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-01 00:56]

2011-01-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1004336348-1214440339-725345543-1004Core.job
- c:\documents and settings\Becky\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-13 05:29]

2011-01-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1004336348-1214440339-725345543-1004UA.job
- c:\documents and settings\Becky\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-13 05:29]

2011-01-15 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1004336348-1214440339-725345543-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]

2011-01-15 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1004336348-1214440339-725345543-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
.
.
------- Supplementary Scan -------
.
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Becky\Application Data\Mozilla\Firefox\Profiles\wgzhaipu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com
FF - prefs.js: keyword.URL - hxxp://search.mywebstart.net/?sid=10101070100&s=
FF - Ext: RealArcade V3 Plugin: npmozax@real.com - c:\program files\Mozilla Firefox\extensions\npmozax@real.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users.WINDOWS\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\Becky\Application Data\Move Networks
FF - user.js: browser.search.order.1 - Search
FF - user.js: keyword.URL - hxxp://search.mywebstart.net/?sid=10101070100&s=
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-15 08:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(780)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(4840)
c:\windows\system32\WININET.dll
c:\windows\system32\logishrd\LVPrcInj01.dll
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\windows\system32\msi.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wscntfy.exe
c:\program files\Logitech\LWS\Webcam Software\CameraHelperShell.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.EXE
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\ATI Technologies\ATI.ACE\cli.exe
.
**************************************************************************
.
Completion time: 2011-01-15  08:39:15 - machine was rebooted
ComboFix-quarantined-files.txt  2011-01-15 13:39
ComboFix2.txt  2011-01-15 05:53

Pre-Run: 9,833,439,232 bytes free
Post-Run: 9,801,154,560 bytes free

- - End Of File - - 145CF8E2B9B4258FD313AE9E47DEFD06

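The ComboFix log above is what the helper is reading by eye: Run keys, Security Center "Monitoring" values, and the Firefox pref lines in the Supplementary Scan. As an added example (not from this thread, the poster, or the ComboFix tool), here is a small Python triage script that parses those three line shapes and reports the entries a reviewer would want to look at first. The sample log is constructed from lines in the shape of the log above, the `ALLOWED_HOSTS` allowlist and the "autorun in a user profile" heuristic are my own assumptions, and the output is a list of review items, not a malware verdict.

```python
import re
from urllib.parse import urlparse

# Constructed sample: lines copied in the shape of the ComboFix log posted above
# (a HKCU and a HKLM Run key, the Security Center Monitoring keys, and the
# Firefox pref lines from the Supplementary Scan).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-09-01 39408]
"Google Update"="c:\documents and settings\Becky\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-02-13 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-09-22 761947]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com
FF - prefs.js: keyword.URL - hxxp://search.mywebstart.net/?sid=10101070100&s=
FF - user.js: keyword.URL - hxxp://search.mywebstart.net/?sid=10101070100&s=
"""

# Hypothetical allowlist (an assumption for this example) of hosts the reviewer
# considers expected for the homepage / keyword.URL prefs; anything else is
# reported for a human to judge.
ALLOWED_HOSTS = {"www.msn.com", "www.google.com", "www.bing.com"}

REG_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)" \[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$')
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<val>[0-9a-fA-F]{8})$')
FF_PREF_RE = re.compile(r"^FF - (?P<file>prefs|user)\.js: (?P<pref>\S+) - (?P<value>\S+)$")


def refang(url):
    """ComboFix writes hxxp:// so the log cannot be clicked; restore the scheme for parsing."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def triage(log):
    """Return (category, where, value) tuples for log entries worth a second look."""
    findings = []
    current_key = ""
    for raw in log.splitlines():
        line = raw.strip()
        m = REG_KEY_RE.match(line)
        if m:
            current_key = m.group("key").lower()
            continue
        m = RUN_RE.match(line)
        if m and current_key.endswith("\\run"):
            # Autoruns living under a user profile are writable without admin
            # rights and are a common malware foothold; per-user Google Update
            # also lives there, so this is a review item, not a verdict.
            path = m.group("path")
            if "\\documents and settings\\" in path.lower() or "\\users\\" in path.lower():
                findings.append(("autorun-in-user-profile", m.group("name"), path))
            continue
        m = DWORD_RE.match(line)
        if m and "security center\\monitoring" in current_key:
            # DisableMonitoring=1 silences Security Center's AV/firewall alerts.
            if m.group("name").lower() == "disablemonitoring" and int(m.group("val"), 16) == 1:
                findings.append(("security-center-monitoring-disabled", current_key, m.group("val")))
            continue
        m = FF_PREF_RE.match(line)
        if m and m.group("pref") in ("keyword.URL", "browser.startup.homepage"):
            host = urlparse(refang(m.group("value"))).hostname
            # user.js is re-applied at every Firefox start, so a redirect set
            # there survives the user fixing it in the preferences dialog.
            if host not in ALLOWED_HOSTS:
                where = f"{m.group('file')}.js {m.group('pref')}"
                findings.append(("firefox-search-redirect", where, host))
    return findings


if __name__ == "__main__":
    for category, where, value in triage(SAMPLE_LOG):
        print(f"{category:40} {where}: {value}")
```

Run against the sample it reports the per-user GoogleUpdate.exe autorun (which is where Google's per-user updater normally lives, so a reviewer would clear it), the two Security Center keys with monitoring disabled, and the keyword.URL value in both prefs.js and user.js pointing at search.mywebstart.net; the msn.com homepage is on the allowlist and is not reported. Paste a full ComboFix log in place of `SAMPLE_LOG` to triage a real one.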
3 Apprentice

 • 

20.5K Posts

January 15th, 2011 09:00

Let's uninstall ComboFix and do some final cleanup. Following that, see if you can activate the anti-virus to update it, and download/install the Windows Updates. Considering that your daughter managed to acquire a huge amount of malware to begin with, I'm not sure she should be the one test driving it. Security is only as good as the person sitting behind the keyboard.

Don't forget to update Adobe Reader and Firefox!

It's time for some housekeeping. Because the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, along with the folders created by these tools.

You can delete DDS and its logs as well as Security Check and its log if they still are on the Desktop.

Following that:

* Click Start then Run
Copy and paste next command in the field:

ComboFix /Uninstall

Make sure there's a space between ComboFix and /. Then hit Enter.

This will remove ComboFix, run some cleanup procedures, and flush System Restore, thus creating a clean Restore Point.

Here is my standard list of simple steps that you can take to reduce the chance of infection in the future.

If you have used Malwarebytes' Anti-Malware as part of your cleaning procedures, keep it updated and use it to scan every so often for malware, or upgrade to the paid version for realtime scanning and auto updating.

The following suggestions are general prevention and are not customized for your computer. You may have already taken some of these steps, and depending on your current security, you may not need to implement all of these:

1. Visit Microsoft Update: Make sure that you have all the Critical Updates recommended for your operating system, Office, and IE. The first defense against infection is a properly patched OS from Microsoft Update at update.microsoft.com. More info HERE.

2. Please use a firewall and realtime anti-virus. Keep the anti-virus software and firewall software up to date. Run a complete system scan with your anti-virus at least once a week, preferably in Safe mode.
If your anti-virus program is a paid/licensed version that is about to expire, you can consider removing it and using a free one such as:
Microsoft Security Essentials
AntiVir Personal Edition Classic
Avast! Home Edition

If you prefer not to use the Windows Firewall, there are several freeware firewalls available in the public domain.

Please see this list for anti-virus, firewalls, and other FREE SECURITY SOFTWARE.

3. Using an alternate browser can reduce your chance of certain infections installing themselves. If you are already using Mozilla Firefox (http://www.mozilla.com/en-US/), keep it updated!

4. Do not use file sharing. Even the safest P2P file sharing programs that do not contain bundled spyware, still expose you to risks because of the very nature of the P2P file sharing process. By default, most P2P file sharing programs are configured to automatically launch at startup. They are also configured to allow other P2P users on the same network open access to a shared directory on your computer. The reason for this is simple. File sharing relies on its members giving and gaining unfettered access to computers across the P2P network. However, this practice can make you vulnerable to data and identity theft. Even if you change those risky default settings to a safer configuration, the act of downloading files from an anonymous source greatly increases your exposure to infection. That is because the files you are downloading may actually contain a disguised threat. Many very malicious worms and trojans, such as the Storm Worm, target and spread across P2P files sharing networks because of their known vulnerabilities.

5. Keep your software updated...make it easier on yourself and install the free security tool Secunia PSI .

6. If you have not already done so, you might want to install CCleaner and run it in each user's profile: http://www.ccleaner.com/ ** UNcheck the option to install the Yahoo toolbar that is checked by default for the Standard version, or download the toolbar-free versions (Slim or Basic) when given the option for those.

7. Web Of Trust uses colored alerts to warn you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Red for Warning = STOP
  • Yellow for Use Caution
  • Green for Safe
  • Grey for Unknown

There is a Web Of Trust version for Firefox as well.

8. If you still wish to use Internet Explorer, please make sure you install SpywareBlaster:  http://www.javacoolsoftware.com/spywareblaster.html
It will:
Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
Block spyware/tracking cookies in Internet Explorer and Mozilla Firefox.
Restrict the actions of potentially unwanted sites in Internet Explorer.
Tutorial here: http://www.bleepingcomputer.com/forums/tutorial49.html
Periodically check for updates.

9. You might want to install WinPatrol. WinPatrol is a heuristic protection program, meaning it looks for patterns in code that behave like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without your knowledge. You can read more about WinPatrol's features here. You can download a free copy of WinPatrol or use the Plus version for more features.
You can read Winpatrol's FAQ if you run into problems.

10. Many of us in the online security community have tried and tested programs to determine their abilities. Please remember that there is no guarantee regarding computer security. However, the available software, combined with the rest of these recommendations, will help keep your system running safely.

Here are some helpful articles:
How did I get infected?  HERE

  I'm not pulling your leg, honest?
by Sandi Hardmeier  HERE

11. If you use Social Media (Facebook, Twitter, etc.) you can stay informed at SpywareHammer's Forum for Social Media Security

12. Check to be sure that you are not one of those people who is using a dangerously easy-to-guess password at websites requiring passwords. There is a good how-to video HERE.


Let us know if we have not resolved your problem. Otherwise, you are good to go.
Happy and Safe Surfing!