Random Playing Of Unknown Audio Files Virus While Using the Internet + HiJackThis Not Working Properly + System Restore Error!

Apparently, my friends and family members who have owned a Dell Inspiron E1505 have all had problems with the hard drive failing. My computer is 3 years old and I thought I took pretty good care of it, but who knows.

I am surfing the internet as of now and all seems quiet, but I did do a system restore today. It only removed HiJackThis though, so I doubt it resolved the problem.

Hi S.C. :emotion-1:

Your symptoms in your first post don't sound good. To be honest, you may have a Master Boot Record rootkit on there. Have you had any other symptoms of malware such as redirects? My advice is to keep an eye on things. If you get any other symptoms, post a note on the Malware Removal Forum.

Hey, BugBatter!

I haven't spoken to you in ages! I doubt you remember me! I used to visit this forum ALL the time. I think you even referred me to a site called CastleCops, if I'm correct? How are you doing?Maybe I should try to relearn that HiJackThis, eh?

No, I haven't had any redirects, as far as I know. It's making me nervous. I was planning on buying a new computer soon, but I'm out of a job right now until school starts again, so this isn't the best time. What kind of symptoms should I be looking for?

Of course I remember you. :emotion-1:  You won't see all the components of that rootkit in HijackThis. You would be experiencing advertisements with sound, maybe redirects, and a few others that show up in specialized scans.  If that's it, it can be fixed. Three years isn't an extremely old computer.

Whatever happened to CasleCops? I googled it and it said it was closed.

No redirects as of yet, but I have experienced another odd audio recording thing. It is incredibly annoying.

CastleCops closed in December 2008 when its owner took a position at Microsoft. Many of the former staff at CastleCops are now at SpywareHammer, a site that opened in September 2008.

http://www.geek.com/articles/microsoft/castlecops-paul-laudanski-accepts-job-at-microsoft-20080613/

I'm still getting the random audio files. I just got 2. About 1 minute apart. I wish I knew what to do about it.

So, Is Spywarehammer the same kind of site?? I might join it then.

It wouldn't let hiJackthis run, remember? That's part of my problem. It couldn't access the host files and when it finished, the notepad log that popped p was empty. 

So, I thought maybe it was a bug in firefox, so I re-downloaded  it. And still, the audio files play. But when I'm using Safari, it has been quiet. 

So, I tried HiJackThis one more time and it still said it couldn't access  the host files and once it finished, it told me it couldn't find the HiJackThis log file. 

We can't see prior posts (except the last one) when we reply here, so I was not able to go back to your first post with symptoms without flipping pages. See if you can run DDS instead of HJT.

• Download DDS by sUBs from one of the following links. Save it to your desktop.
  • DDS.scr
  • DDS.pif
• Double click on the DDS icon, allow it to run.
• A small box will open, with an explanation about the tool.
• Click Yes at the prompt for Optional Scan.
• When done, DDS will open two (2) logs

1. DDS.txt
2. Attach.txt

• Save both reports to your desktop.
• Copy/paste both logs to your post on the forum. Do not attach them.
• Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE.

Just a thought....

Are you by any chance using Vista? The User Account Control protects the HOSTS file on Vista.  Also make sure you are not having Spybot or another security program lock your HOSTS file so that it cannot be accessed/changed.

And the second one. Sorry, it wouldn't post both of them at once.

DDS (Ver_10-03-17.01) - NTFSx86 
Run by Steph at 15:58:05.56 on Thu 07/29/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Ultimate   6.1.7600.0.1252.1.1033.18.1526.651 [GMT -4:00]

SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\COMODO\COMODO livePCsupport\CLPSLS.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\svchost.exe -k Akamai
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Comodo\COMODO Internet Security\cfp.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\System32\StikyNot.exe
F:\Program Files\ObjectDock\ObjectDock.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Users\Steph\Downloads\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: LogiPTC Toolbar: {2e07b018-9dae-4adc-83d2-c2543b1998eb} - c:\program files\logiptc\tbLogi.dll
mURLSearchHooks: LogiPTC Toolbar: {2e07b018-9dae-4adc-83d2-c2543b1998eb} - c:\program files\logiptc\tbLogi.dll
BHO: My.Freeze.com Toolbar: {0bd6f992-62ad-47f7-aca6-299729be4e2b} - c:\program files\myfreezetoolbar\myfreezedx.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: LogiPTC Toolbar: {2e07b018-9dae-4adc-83d2-c2543b1998eb} - c:\program files\logiptc\tbLogi.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Updater For My.Freeze.com Toolbar: {c26cd490-5f01-41e3-b150-eb29f19da056} - c:\program files\myfreezetoolbar\auxi\myfreezetoolbAu.dll
BHO: {CC3C8D60-29D6-4880-B9D8-443C4CBA2BEC} - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: LogiPTC Toolbar: {2e07b018-9dae-4adc-83d2-c2543b1998eb} - c:\program files\logiptc\tbLogi.dll
TB: HopSurf toolbar: {e9fab13d-4600-49e1-90d1-ee961c859d39} - c:\program files\comodo\hopsurftoolbar\HopSurfToolbar_IE.dll
TB: My.Freeze.com Toolbar: {0bd6f992-62ad-47f7-aca6-299729be4e2b} - c:\program files\myfreezetoolbar\myfreezedx.dll
uRun: [RESTART_STICKY_NOTES] c:\windows\system32\StikyNot.exe
uRun: [Yahoo! Widgets] f:\program files\yahoo!\widgets\YahooWidgets.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
mRun: [iTunesHelper] "e:\program files\itunes\iTunesHelper.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
StartupFolder: c:\users\steph\appdata\roaming\micros~1\windows\startm~1\programs\startup\stardo~1.lnk - f:\program files\objectdock\ObjectDock.exe
StartupFolder: c:\users\steph\appdata\roaming\micros~1\windows\startm~1\programs\startup\yahoo!~1.lnk - e:\program files\yahoo!\widgets\YahooWidgets.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {ED98F8D1-09AC-4107-B2FF-91DBE011B0C5} - {6BBCFF8E-D837-4DA4-9141-1F645B34A179} - c:\program files\comodo\hopsurftoolbar\HopSurfToolbar_IE.dll
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
AppInit_DLLs:  c:\windows\system32\guard32.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\steph\appdata\roaming\mozilla\firefox\profiles\kw7hq2ty.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2532785&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - LogiPTC Customized Web Search
FF - component: c:\users\steph\appdata\roaming\mozilla\firefox\profiles\kw7hq2ty.default\extensions\{2e07b018-9dae-4adc-83d2-c2543b1998eb}\components\FFExternalAlert.dll
FF - component: c:\users\steph\appdata\roaming\mozilla\firefox\profiles\kw7hq2ty.default\extensions\{2e07b018-9dae-4adc-83d2-c2543b1998eb}\components\RadioWMPCore.dll
FF - component: c:\users\steph\appdata\roaming\mozilla\firefox\profiles\kw7hq2ty.default\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}\components\FFExternalAlert.dll
FF - component: c:\users\steph\appdata\roaming\mozilla\firefox\profiles\kw7hq2ty.default\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}\components\RadioWMPCore.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency",   1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type",                  5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size",  4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug",            false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight",       2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize",       1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight",   25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight",     5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2010-4-9 224240]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-4-9 30112]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2009-7-13 20992]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-5-30 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-5-30 267432]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-5-30 60936]
R2 CLPSLS;COMODO livePCsupport Service;c:\program files\comodo\comodo livepcsupport\CLPSLS.exe [2010-2-19 148744]
R2 TeamViewer5;TeamViewer 5;c:\program files\teamviewer\version5\TeamViewer_Service.exe [2010-3-18 172328]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-7 136176]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-4-18 1343400]

=============== Created Last 30 ================

2010-07-28 01:33:27    65536    --sha-w-    c:\users\steph\ntuser.dat{6fcbd2f5-99e7-11df-9c56-0019b96d560c}.TM.blf
2010-07-28 01:33:27    524288    --sha-w-    c:\users\steph\ntuser.dat{6fcbd2f5-99e7-11df-9c56-0019b96d560c}.TMContainer00000000000000000002.regtrans-ms
2010-07-28 01:33:27    524288    --sha-w-    c:\users\steph\ntuser.dat{6fcbd2f5-99e7-11df-9c56-0019b96d560c}.TMContainer00000000000000000001.regtrans-ms
2010-07-28 01:14:24    0    d-----w-    c:\program files\Trend Micro
2010-07-28 01:10:22    524288    --sha-w-    c:\users\steph\ntuser.dat{adcabb4e-99e1-11df-ae61-0019b96d560c}.TMContainer00000000000000000002.regtrans-ms
2010-07-28 01:10:22    524288    --sha-w-    c:\users\steph\ntuser.dat{adcabb4e-99e1-11df-ae61-0019b96d560c}.TMContainer00000000000000000001.regtrans-ms
2010-07-28 01:10:21    65536    --sha-w-    c:\users\steph\ntuser.dat{adcabb4e-99e1-11df-ae61-0019b96d560c}.TM.blf
2010-07-27 23:17:30    0    d-----w-    c:\users\steph\appdata\roaming\Malwarebytes
2010-07-27 23:17:09    38224    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-27 23:17:03    0    d-----w-    c:\programdata\Malwarebytes
2010-07-27 23:17:02    20952    ----a-w-    c:\windows\system32\drivers\mbam.sys
2010-07-27 23:17:02    0    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2010-07-13 23:53:09    0    d-----w-    c:\program files\Microsoft
2010-07-13 23:52:47    0    d-----w-    c:\program files\Windows Live SkyDrive
2010-07-13 23:51:19    3426072    ----a-w-    c:\windows\system32\d3dx9_32.dll
2010-07-13 23:50:27    0    d-----w-    c:\program files\Microsoft SQL Server Compact Edition
2010-07-13 23:38:37    0    d-----w-    c:\program files\common files\Windows Live
2010-07-13 11:19:52    292864    ----a-w-    c:\windows\system32\apphelp.dll
2010-07-07 00:40:10    0    d-----w-    c:\program files\Yahoo!
2010-07-06 02:14:04    0    d-----w-    c:\users\steph\appdata\roaming\Icons and Cursors
2010-07-06 02:03:07    0    d-----w-    c:\users\steph\appdata\roaming\GetRightToGo

==================== Find3M  ====================

2010-07-04 13:20:26    91836    ----a-w-    c:\windows\fonts\Movie Filmstrip_1.ttf
2010-07-04 13:20:26    91836    ----a-w-    c:\windows\fonts\Movie Filmstrip_0.ttf
2010-07-04 13:20:26    91836    ----a-w-    c:\windows\fonts\Movie Filmstrip.ttf
2010-06-18 03:46:58    499712    ----a-w-    c:\windows\system32\msvcp71.dll
2010-06-18 03:46:58    348160    ----a-w-    c:\windows\system32\msvcr71.dll
2010-06-09 17:06:00    224240    ----a-w-    c:\windows\system32\drivers\cmdGuard.sys
2010-06-03 14:32:20    278288    ----a-w-    c:\windows\system32\guard32.dll
2010-06-03 14:32:14    30112    ----a-w-    c:\windows\system32\drivers\cmdhlp.sys
2010-06-03 14:32:13    16744    ----a-w-    c:\windows\system32\drivers\cmderd.sys
2010-05-27 07:24:13    34304    ----a-w-    c:\windows\system32\atmlib.dll
2010-05-27 03:49:37    293888    ----a-w-    c:\windows\system32\atmfd.dll
2010-05-21 05:18:06    977920    ----a-w-    c:\windows\system32\wininet.dll
2010-05-18 20:35:16    91424    ----a-w-    c:\windows\system32\dnssd.dll
2010-05-18 20:35:16    107808    ----a-w-    c:\windows\system32\dns-sd.exe
2010-05-15 21:45:34    78456    ----a-w-    c:\windows\fonts\Vtks black.ttf
2010-05-12 15:21:16    221568    ------w-    c:\windows\system32\MpSigStub.exe
2010-05-12 11:37:04    774736    ----a-w-    c:\windows\fonts\Bandung Hardcore GP.otf
2010-05-09 09:14:55    641536    ----a-w-    c:\windows\system32\CPFilters.dll
2010-05-09 09:14:50    417792    ----a-w-    c:\windows\system32\msdri.dll
2010-05-01 14:49:25    2326528    ----a-w-    c:\windows\system32\win32k.sys
2009-07-14 04:56:42    31548    ----a-w-    c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42    31548    ----a-w-    c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42    291294    ----a-w-    c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42    291294    ----a-w-    c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57    174    --sha-w-    c:\program files\desktop.ini
2009-07-14 00:34:40    291294    ----a-w-    c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40    291294    ----a-w-    c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38    31548    ----a-w-    c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38    31548    ----a-w-    c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35    9633792    --sha-r-    c:\windows\fonts\StaticCache.dat
2010-04-20 14:11:33    245760    --sha-w-    c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-07-14 01:14:45    396800    --sha-w-    c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 15:59:29.80 ===============

Please post both logs on the Malware Removal forum. Describe your symptoms, and please wait for a helper to reply. thanks. :emotion-1: