# Having some issues..very confused.



## M199

I just recently got over a virus (used Malwarebytes to get it off) with my PC. It was the virus where the fake antivirus scanner makes its lovely little way onto your PC and tries to tell you your computer is going to blow up with viruses unless you buy their product.

Anyway. I had 'misiexec.exe' pop up a few times and it wouldn't go away with just hitting cancel.
I downloaded Malwarebytes again and it got rid of it after a scan.
I then tried to get on my net later on and it's saying it can't find the server?
My internet connection says I'm connected like normal.
My MSN also said it couldn't log me in and to make sure I was hooked to the internet. I tried uninstalling and reinstalling. Also tried to install Yahoo Messenger on my PC and neither could do it.
It's not on 'work offline' mode.
I don't know what option I should have my proxy on. When I looked it was on Manual Proxy.. when I had it on that it came up with 'can't find server' error messages. I hit No Proxy and now pages are coming up.. but the messengers still can't open or install.

Any ideas on what I should do? I'm confused and..scared. lol
Thanks


----------



## gamblingman

*Read Carefully!*

Since you're having problems with the system, let's begin at square one. Please, don't do anything else on the computer while working with these programs. Proceed through these instructions and perform all the below steps in the order listed, and do all in normal boot mode *NOT* safe mode. If you cannot boot normally and all you can boot into is safe mode, tell us.

Also, do not restart your computer unless someone from here or the program Malwarebytes informs you that it's necessary to restart. If you cannot get any files to download from the links we have provided, then stop what you are doing and tell us.

---------------------
*To check your PROXY setting* open Internet Explorer, under TOOLS open Internet Options, then go to the Connections tab then:


...if you use Dial Up select your ISP in the list then click the Settings button and UNCHECK Use a Proxy Server, then click OK till you are out of all options. Close Internet Explorer.

...if you use Broadband under Local Area Network (LAN) click the LAN settings button, then where it says Proxy Server and UNCHECK the Use a Proxy Server for Your LAN then click OK till you are out of all options. Close Internet Explorer.
----------------------

*NOTE:* If you cannot get any of these files to download on the computer which is having problems, then download them on another computer. Then put the download file(s) on a USB flash drive and transfer the file(s) to the problem computer.


Since I don't know what site you used for the download of Malwarebytes please uninstall the version you have and then follow the steps below.

*Please* download Malwarebytes' Anti-Malware *HERE* or *HERE* and save it to your desktop.


Double-click *mbam-setup.exe* and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to:
- *Update Malwarebytes' Anti-Malware*
- *Launch Malwarebytes' Anti-Malware*
Then click *Finish*.
If an update is found, it will download and install the latest version. *Please keep updating until it says you have the latest version.*
Once the program has loaded, select *Perform quick scan*, then click *Scan*.
When the scan is complete, click *OK*, then *Show Results* to view the results.
Be sure that everything is checked, and click *Remove Selected*.
A log will be saved automatically which you can access by clicking on the *Logs* tab within Malwarebytes' Anti-Malware.
- - - - - - - - - - - - - - 
*NOTE!*
If for some reason Malwarebytes will not install or run please download these files: *Rkill.scr*, *Rkill.exe*, or *Rkill.com*. 

First, run the .SCR file by clicking it. If a black window opens then closes (or you get a message from the infection that RKill is infected) run the file again, do this until it generates a log of processes stopped. If .SCR will not run at all, try the .EXE, if the .EXE won't work then use the .COM until one of them gives you a log. If none will run and produce a log then stop and tell us immediately. Then work to install or run Malwarebytes.

*DO NOT* reboot immediately after running RKill because doing so will deactivate RKill and you will have to run it again. Just run RKill then Malwarebytes, then HijackThis.
- - - - - - - - - - - - - -

Now, generate a HijackThis log.

Download the HijackThis installer from *HERE*.

Run the installer and choose Install, indicating that you accept the licence agreement. The installer will place a shortcut on your desktop and launch HijackThis.

Click *Do a system scan and save a logfile*
_Most of what HijackThis lists will be harmless or even essential, *don't fix anything yet*._

Post the logfile that HijackThis produces along with the Malwarebytes Anti-Malware log.


----------



## M199

I can't believe I processed that..[=
Anywho.
Got the correct proxy option my computer needs to be on from my other pcs.
Switched, got the server not found pages. But, at least I know which option to go back on once my computer gets over this.

Malwarebytes did download from the link you put on here, so I assume I didn't need to download the triple RKill ones? (Just by it saying 'if' it doesn't install.) Just post the Malwarebytes and HijackThis (which is a lovely name by the way. Very comfy with that one.)

Scanning now..will post when done. Thanks in advance!


----------



## M199

Hm.. tried to run HijackThis and it said something denied access to it being able to save where it wanted or something? (In my Trend Micro folder?)
I saved it as a normal file in my normal user folder..

Malwarebytes, then HijackThis log here:

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 7033

Windows 6.0.6002 Service Pack 2
Internet Explorer 9.0.8112.16421

7/6/2011 11:06:01 AM
mbam-log-2011-07-06 (11-06-01).txt

Scan type: Quick scan
Objects scanned: 196058
Time elapsed: 7 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{014D2F73-E2A5-44F6-BD45-F0A791DE42A7} (Trojan.Tracur.PGen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{014D2F73-E2A5-44F6-BD45-F0A791DE42A7} (Trojan.Tracur.PGen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{014D2F73-E2A5-44F6-BD45-F0A791DE42A7} (Trojan.Tracur.PGen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{014D2F73-E2A5-44F6-BD45-F0A791DE42A7} (Trojan.Tracur.PGen) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\SysWOW64\atiumdva32.dll (Trojan.Tracur.PGen) -> Quarantined and deleted successfully.
c:\Windows\System32\atiumdva32.dll (Trojan.Tracur.PGen) -> Quarantined and deleted successfully.



Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:14:00 AM, on 7/6/2011
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files (x86)\Yahoo!\Search Protection\YspService.exe
C:\Windows\CNYHKey.exe
C:\Program Files (x86)\Cyberlink\Power2Go\CLMLSvc.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Windows\ModLedKey.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=0609&m=dx4300
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = ${URL_SEARCHPAGE}
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/?pc=ZUGO&form=ZGAPHP
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=0609&m=dx4300
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = ${URL_SEARCHPAGE}
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:59778
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - URLSearchHook: YTNavAssist.YTNavAssistPlugin Class - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn4\YTNavAssist.dll
F2 - REG:system.ini: UserInit=userinit.exe,
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {010DBB78-2FED-4AED-A7E8-DC083989F51f} - C:\Windows\SysWow64\atiumdva32.dll (file missing)
O2 - BHO: (no name) - {015113EC-A4E0-4FB1-9CE1-2140252DABE2} - C:\Windows\SysWow64\atiumdva32.dll (file missing)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Trend Micro NSC BHO - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files\Trend Micro\AMSP\Module\20004\1.5.1464\6.6.1079\TmIEPlg32.dll
O2 - BHO: YSPManager - {25BC7718-0BFA-40EA-B381-4B2D9732D686} - C:\Program Files (x86)\Yahoo!\Search Protection\ysp.dll
O2 - BHO: Trend Micro Toolbar BHO - {43C6D902-A1C5-45c9-91F6-FD9E90337E18} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll (file missing)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Messenger Companion Helper - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll
O2 - BHO: TmBpIeBHO - {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} - C:\Program Files\Trend Micro\AMSP\Module\20002\6.5.1234\6.5.1234\TmBpIe32.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn4\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn4\yt.dll
O3 - Toolbar: Trend Micro Toolbar - {CCAC5586-44D7-4c43-B64A-F042461A97D2} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll (file missing)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Gateway Photo Frame] "C:\Program Files (x86)\Gateway Photo Frame\ButtonMonitor.exe" -A
O4 - HKLM\..\Run: [LchDrvKey] LchDrvKey.exe
O4 - HKLM\..\Run: [LedKey] CNYHKey.exe
O4 - HKLM\..\Run: [CLMLServer] "C:\Program Files (x86)\Cyberlink\Power2Go\CLMLSvc.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKCU\..\Run: [DW6] "C:\Program Files (x86)\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [e466e1645b951d29a0bcbe4576d3713d] C:\Users\Amanda\DOWNLO~1\RI1FB0~1.EXE /r
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files (x86)\Yahoo!\Search Protection\YspService.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
O9 - Extra button: @C:\Program Files (x86)\Windows Live\Companion\companionlang.dll,-600 - {0000036B-C524-4050-81A0-243669A86B9F} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - (no file)
O9 - Extra button: (no name) - {925DAB62-F9AC-4221-806A-057BFB1014AA} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\Module\20002\6.5.1234\6.5.1234\TmBpIe32.dll
O18 - Protocol: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\Module\20004\1.5.1464\6.6.1079\TmIEPlg32.dll
O18 - Protocol: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll (file missing)
O20 - AppInit_DLLs: C:\ProgramData\KBDCZ132.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O22 - SharedTaskScheduler: HopalustRdp - {705FB965-7459-4644-BF5E-12152519A1D8} - (no file)
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Trend Micro Solution Platform (Amsp) - Trend Micro Inc. - C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - Unknown owner - C:\Windows\system32\Ati2evxx.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: FABS - Helping agent for MAGIX media database (Fabs) - MAGIX AG - C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe
O23 - Service: Function Discovery Resource Publication  (FDResPub32) - Unknown owner - c:\windows\system32\mfc7132.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\fbserver.exe
O23 - Service: GameConsoleService - Unknown owner - C:\Program Files (x86)\Gateway Games\Gateway Game Console\GameConsoleService.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - C:\Program Files (x86)\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - C:\Program Files (x86)\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
O23 - Service: Zune Wireless Configuration Service (ZuneWlanCfgSvc) - Unknown owner - c:\Windows\system32\ZuneWlanCfgSvc.exe (file missing)

--
End of file - 13174 bytes


----------
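The two things a responder would pick out of the HijackThis log above by eye are the `R1 ... ProxyServer = http=127.0.0.1:59778` entry (a browser proxy pointed at the local machine, which matches the "can't find server" symptom when Manual Proxy is selected and the proxy-setting check gamblingman describes) and the `O2` BHO registrations whose DLL is already missing. As an added example, not part of the thread and not code from HijackThis or Malwarebytes, the Python script below parses HijackThis `Xn - body` lines and flags a loopback ProxyServer, BHOs with a missing file, Run-key entries launched from a download or temp folder, a non-empty AppInit_DLLs value, and SharedTaskScheduler entries with no file. The flagged patterns and severities are my assumptions (review prompts, not verdicts); the sample lines are constructed from entries in the posted log.

```python
"""Triage a HijackThis v2 logfile (added example; not the forum's or the tool's code).

Assumptions (mine, not from the thread): the log uses the "Xn - body" line
format shown in the posted log, and each flagged pattern is a prompt to review
the entry, not a verdict. SAMPLE_LOG is constructed from the posted entries.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address

LINE_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
# Run-key targets started from a download or temp folder (8.3 short names included).
TEMP_PATH_RE = re.compile(r"\\(?:DOWNLO~1|Downloads|Temp|AppData\\Local\\Temp)\\", re.IGNORECASE)


@dataclass
class Entry:
    kind: str  # section code, e.g. "R1", "O2", "O4", "O20"
    body: str  # everything after "Xn - "


def parse_entries(text: str) -> list[Entry]:
    """Keep only 'Xn - body' entries; the header and process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("kind"), m.group("body")))
    return entries


def proxy_targets(value: str) -> list[tuple[str, str, str]]:
    """Split a ProxyServer value into (scheme, host, port) triples.
    Accepts 'host:port', 'http=host:port' and ';'-separated per-scheme lists;
    a bare 'host:port' applies to all schemes and is reported as scheme '*'."""
    targets = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, sep, hostport = part.partition("=")
        if not sep:
            scheme, hostport = "*", part
        host, _, port = hostport.rpartition(":")
        if not host:  # no port given
            host, port = hostport, ""
        targets.append((scheme, host.strip("[]"), port))  # strip IPv6 brackets
    return targets


def is_loopback(host: str) -> bool:
    """True for 'localhost' and any loopback IPv4/IPv6 literal."""
    if host.lower() == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:  # a hostname, not an address literal
        return False


def triage(entries: list[Entry]) -> list[tuple[str, str, str]]:
    """Return (severity, category, detail) findings for entries worth a second look."""
    findings = []
    for e in entries:
        if e.kind == "R1" and ",ProxyServer = " in e.body:
            value = e.body.split(",ProxyServer = ", 1)[1]
            for scheme, host, port in proxy_targets(value):
                if is_loopback(host):
                    findings.append(("HIGH", "loopback-proxy",
                                     f"{scheme} traffic routed via {host}:{port}; if no local "
                                     "filtering proxy is installed, browsing fails or is intercepted"))
        elif e.kind == "O2" and e.body.endswith("(file missing)"):
            findings.append(("MEDIUM", "orphaned-bho", e.body))
        elif e.kind == "O4" and TEMP_PATH_RE.search(e.body):
            findings.append(("MEDIUM", "run-from-temp", e.body))
        elif e.kind == "O20" and e.body.startswith("AppInit_DLLs:"):
            dll = e.body[len("AppInit_DLLs:"):].strip()
            if dll:  # AppInit DLLs are loaded into every user-mode process
                findings.append(("HIGH", "appinit-dll", dll))
        elif e.kind == "O22" and e.body.endswith("(no file)"):
            findings.append(("LOW", "orphaned-task", e.body))
    return findings


# Constructed sample: a subset of the entries from the posted HijackThis log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:59778
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {010DBB78-2FED-4AED-A7E8-DC083989F51f} - C:\Windows\SysWow64\atiumdva32.dll (file missing)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn4\yt.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [e466e1645b951d29a0bcbe4576d3713d] C:\Users\Amanda\DOWNLO~1\RI1FB0~1.EXE /r
O20 - AppInit_DLLs: C:\ProgramData\KBDCZ132.dll
O22 - SharedTaskScheduler: HopalustRdp - {705FB965-7459-4644-BF5E-12152519A1D8} - (no file)
"""

if __name__ == "__main__":
    for sev, cat, detail in triage(parse_entries(SAMPLE_LOG)):
        print(f"[{sev:6}] {cat:15} {detail}")
```

Run it on a saved log with `triage(parse_entries(open("hijackthis.log").read()))`. A loopback proxy is only a finding when nothing legitimate (a local web-filtering component, for instance) is listening on that port; the script reports it so the port can be checked, which is the same question the thread's manual "uncheck Use a Proxy Server" step answers by hand.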



## johnb35

Please disable your Trend Micro real time scanning so you can perform the following procedure.

*Download and Run ComboFix*
*If you already have Combofix, please delete this copy and download it again as it's being updated regularly.*

*Download this file* here :

http://www.bleepingcomputer.com/download/anti-virus/combofix

Then double click *combofix.exe* & follow the prompts.
When finished, it shall produce *a log* for you. *Post that log* in your next reply.
*Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall*

Combofix should never take more than 20 minutes including the reboot if malware is detected.


In your next reply please post:

The ComboFix log
A fresh HiJackThis log
An update on how your computer is running


----------



## M199

Disable my Trend Micro's what? Just turn it off for right now?


----------



## M199

Uh...... My computer just went blue screen and shut off? (During that scan)


----------



## johnb35

Reboot the machine into safe mode and try again.


----------



## M199

Downloaded in safe mode- but it's saying my Trend Micro is still running.
Don't know how to turn it off..?


----------



## gamblingman

Is it showing in the system tray, at the far right of your task bar at the bottom? If so you can right click it and exit. It will give you a warning about protection, just click so it will turn off.


----------



## M199

I exited out the little icon, then ran the program. That's when it said it. It said it would continue to run, but I would be doing it at my own risk? Risk of what is what I was wondering..and if I should run it anyway.


----------



## johnb35

Follow this to disable Trend Micro temporarily. If it doesn't work then let me know.

http://esupport.trendmicro.com/solution/en-us/1037114.aspx


----------



## gamblingman

M199 said:

> I exited out the little icon, then ran the program. That's when *it* said *it*. *It* said *it* would continue to run, but I would be doing it at my own risk? Risk of what is what I was wondering..and if I should run it anyway.



Can you be a little more specific what was giving the warning? And were you able to run Combofix?

If you exit from Trend Micro it will warn you that if you exit your computer will not be protected by your anti-virus program and etc.... Just exit the T. M. and move on with Combofix.


----------



## M199

Sorry. One of the pets just died.. so my head's not straight.
When I exited out Trend Micro it gave the little 'not protected' message. I ran the Combo program and it popped up with the list of 'Trend Micro real scan' still running. It then said 'to exit these click ok', then it popped up saying it again and told me Combo could continue to run, but it'd be at my own risk. I hit OK and it brought up the little blue box and started to scan..then gave me an error message.

I'll run it again and grab exactly what it says if I can't get Trend Micro off.


----------



## johnb35

What error message? Which version of Trend Micro do you have? Real time scanners interfere with running ComboFix and should be disabled before running it.


----------



## M199

Trend Micro Titanium?

Here's a screen shot of the two messages that pop up.
I hit the 'x' in the corner and the 2nd pops up. There's no getting away from it unless I hit OK..which I don't want to do if it could hurt my machine.

Should I go off safe mode, go on normal, turn Trend Micro off from there, then go back to safe mode? Would that work?


----------



## johnb35

When you right click on the Trend Micro icon in your task bar, is there an option for "Activate real time protection"? If there is just click on it to remove the checkmark next to it.

Can you temporarily uninstall it or not?


----------



## M199

The Trend Micro icon isn't on the right side of my bottom bar anymore.
I can't uninstall Trend Micro.


----------



## johnb35

Reboot the pc and see if it reappears


----------



## M199

Done.. still not on the bar. 
I'm still on safe mode. Should I go on normal and see if it is there?


----------



## johnb35

Yes, boot into normal mode.


----------



## M199

Done.
Icon is in the right hand corner of my screen again.
Should I just try turning it off and running combo again?
Afraid if I turn it off then restart for safe mode I'll just get the error messages again.


----------



## johnb35

Right click on the icon and see if there is an option to deselect "activate realtime protection"? If not, you can try running ComboFix like it is but not sure if it will run properly.


----------



## M199

Right clicked and it says 'protection against viruses & spyware' and it has a check next to it. Is this what I need to uncheck?


----------



## johnb35

yes


----------



## M199

Done. Said it had to update Combo..did it.
Then I got blue screen again.

Don't know what to do at this point.


----------



## johnb35

Are you talking about the blue screen of death or just a blue screen, because ComboFix is a blue screen when it runs? Was there any info on this blue screen?


----------



## M199

If blue screen of death means it pops up full screen with error messages and then your computer crashes and restarts..then yes. The blue screen of death.


----------



## johnb35

Ok, let's try something first. Get back into regular bootup mode and do the following.

Download *BlueScreenView*
No installation required.
Unzip downloaded file and double click on *BlueScreenView.exe* file to run the program.
When scanning is done, go *Edit>Select All*.
Go *File>Save Selected Items*, and save the report as *BSOD.txt*.
Open *BSOD.txt* in Notepad, copy all content, and paste it into your next reply.


----------



## M199

==================================================
Dump File         : Mini070611-02.dmp
Crash Time        : 7/6/2011 4:45:14 PM
Bug Check String  : KMODE_EXCEPTION_NOT_HANDLED
Bug Check Code    : 0x0000001e
Parameter 1       : ffffffff`c0000005
Parameter 2       : fffff800`0313be8e
Parameter 3       : 00000000`00000000
Parameter 4       : ffffffff`ffffffff
Caused By Driver  : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+5a490
File Description  : 
Product Name      : 
Company           : 
File Version      : 
Processor         : x64
Crash Address     : ntoskrnl.exe+5a490
Stack Address 1   : 
Stack Address 2   : 
Stack Address 3   : 
Computer Name     : 
Full Path         : C:\Windows\Minidump\Mini070611-02.dmp
Processors Count  : 2
Major Version     : 15
Minor Version     : 6002
Dump File Size    : 274,408
==================================================

==================================================
Dump File         : Mini070611-01.dmp
Crash Time        : 7/6/2011 1:57:55 PM
Bug Check String  : KMODE_EXCEPTION_NOT_HANDLED
Bug Check Code    : 0x0000001e
Parameter 1       : ffffffff`c0000005
Parameter 2       : fffff800`030fae8e
Parameter 3       : 00000000`00000000
Parameter 4       : 00000000`00d12000
Caused By Driver  : ndistapi.sys
Caused By Address : ndistapi.sys+8eb5688
File Description  : 
Product Name      : 
Company           : 
File Version      : 
Processor         : x64
Crash Address     : ntoskrnl.exe+5a490
Stack Address 1   : 
Stack Address 2   : 
Stack Address 3   : 
Computer Name     : 
Full Path         : C:\Windows\Minidump\Mini070611-01.dmp
Processors Count  : 2
Major Version     : 15
Minor Version     : 6002
Dump File Size    : 274,408
==================================================

==================================================
Dump File         : Mini061411-01.dmp
Crash Time        : 6/14/2011 10:30:54 PM
Bug Check String  : SYSTEM_EXIT_OWNED_MUTEX
Bug Check Code    : 0x00000039
Parameter 1       : fffffa80`071583cc
Parameter 2       : 00000000`00000000
Parameter 3       : fffffa60`017d9c80
Parameter 4       : 00000000`00000000
Caused By Driver  : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+5a490
File Description  : 
Product Name      : 
Company           : 
File Version      : 
Processor         : x64
Crash Address     : ntoskrnl.exe+5a490
Stack Address 1   : 
Stack Address 2   : 
Stack Address 3   : 
Computer Name     : 
Full Path         : C:\Windows\Minidump\Mini061411-01.dmp
Processors Count  : 2
Major Version     : 15
Minor Version     : 6002
Dump File Size    : 278,720
==================================================

==================================================
Dump File         : Mini060911-01.dmp
Crash Time        : 6/9/2011 3:01:55 AM
Bug Check String  : KMODE_EXCEPTION_NOT_HANDLED
Bug Check Code    : 0x0000001e
Parameter 1       : ffffffff`c0000005
Parameter 2       : fffff800`02e4715a
Parameter 3       : 00000000`00000000
Parameter 4       : 000007ff`fffa0000
Caused By Driver  : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+5a490
File Description  : 
Product Name      : 
Company           : 
File Version      : 
Processor         : x64
Crash Address     : ntoskrnl.exe+5a490
Stack Address 1   : 
Stack Address 2   : 
Stack Address 3   : 
Computer Name     : 
Full Path         : C:\Windows\Minidump\Mini060911-01.dmp
Processors Count  : 2
Major Version     : 15
Minor Version     : 6002
Dump File Size    : 278,720
==================================================

==================================================
Dump File         : Mini052811-01.dmp
Crash Time        : 5/28/2011 10:30:44 AM
Bug Check String  : WORKER_INVALID
Bug Check Code    : 0x000000e4
Parameter 1       : 00000000`00000001
Parameter 2       : fffffa60`017d9c80
Parameter 3       : 00000000`00000000
Parameter 4       : 00000000`00000000
Caused By Driver  : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+5a490
File Description  : 
Product Name      : 
Company           : 
File Version      : 
Processor         : x64
Crash Address     : ntoskrnl.exe+5a490
Stack Address 1   : 
Stack Address 2   : 
Stack Address 3   : 
Computer Name     : 
Full Path         : C:\Windows\Minidump\Mini052811-01.dmp
Processors Count  : 2
Major Version     : 15
Minor Version     : 6002
Dump File Size    : 274,408
==================================================


----------



## johnb35

Let's try this now.

Please download and run TDSSkiller

When the program opens, click on the start scan button.

TDSSKiller will now scan your computer for the TDSS infection. When the scan has finished it will display a result screen stating whether or not the infection was found on your computer. If it was found it will display a screen similar to the one below.
To remove the infection simply click on the Continue button and TDSSKiller will attempt to clean the infection.

When it has finished cleaning the infection you will see a report stating whether or not it was successful as shown below.
If the log says will be cured after reboot, please reboot the system by pressing the reboot now button.

After running there will be a log that will be located at the root of your c:\ drive labeled tdsskiller with a series of numbers after it. Please open the log and copy and paste it back here.


----------



## M199

It did find something.. here's the log after reboot:


2011/07/06 17:09:19.0116 4180	TDSS rootkit removing tool 2.5.9.0 Jul  1 2011 18:45:21
2011/07/06 17:09:21.0121 4180	================================================================================
2011/07/06 17:09:21.0121 4180	SystemInfo:
2011/07/06 17:09:21.0121 4180	
2011/07/06 17:09:21.0121 4180	OS Version: 6.0.6002 ServicePack: 2.0
2011/07/06 17:09:21.0121 4180	Product type: Workstation
2011/07/06 17:09:21.0121 4180	ComputerName: AMANDA-PC
2011/07/06 17:09:21.0122 4180	UserName: Amanda
2011/07/06 17:09:21.0122 4180	Windows directory: C:\Windows
2011/07/06 17:09:21.0122 4180	System windows directory: C:\Windows
2011/07/06 17:09:21.0122 4180	Running under WOW64
2011/07/06 17:09:21.0122 4180	Processor architecture: Intel x64
2011/07/06 17:09:21.0122 4180	Number of processors: 2
2011/07/06 17:09:21.0122 4180	Page size: 0x1000
2011/07/06 17:09:21.0122 4180	Boot type: Normal boot
2011/07/06 17:09:21.0122 4180	================================================================================
2011/07/06 17:09:22.0038 4180	Initialize success
2011/07/06 17:09:35.0515 3052	================================================================================
2011/07/06 17:09:35.0515 3052	Scan started
2011/07/06 17:09:35.0515 3052	Mode: Manual; 
2011/07/06 17:09:35.0515 3052	================================================================================
2011/07/06 17:09:36.0157 3052	ACPI            (1965aaffab07e3fb03c77f81beba3547) C:\Windows\system32\drivers\acpi.sys
2011/07/06 17:09:36.0232 3052	adp94xx         (f14215e37cf124104575073f782111d2) C:\Windows\system32\drivers\adp94xx.sys
2011/07/06 17:09:36.0281 3052	adpahci         (7d05a75e3066861a6610f7ee04ff085c) C:\Windows\system32\drivers\adpahci.sys
2011/07/06 17:09:36.0330 3052	adpu160m        (820a201fe08a0c345b3bedbc30e1a77c) C:\Windows\system32\drivers\adpu160m.sys
2011/07/06 17:09:36.0371 3052	adpu320         (9b4ab6854559dc168fbb4c24fc52e794) C:\Windows\system32\drivers\adpu320.sys
2011/07/06 17:09:36.0447 3052	AFD             (0cc146c4addea45791b18b1e2659f4a9) C:\Windows\system32\drivers\afd.sys
2011/07/06 17:09:36.0498 3052	agp440          (f6f6793b7f17b550ecfdbd3b229173f7) C:\Windows\system32\drivers\agp440.sys
2011/07/06 17:09:36.0563 3052	ahcix64s        (97dd49ccdb89a22cfcea78b29d393d87) C:\Windows\system32\drivers\ahcix64s.sys
2011/07/06 17:09:36.0594 3052	aic78xx         (222cb641b4b8a1d1126f8033f9fd6a00) C:\Windows\system32\drivers\djsvs.sys
2011/07/06 17:09:36.0652 3052	aliide          (157d0898d4b73f075ce9fa26b482df98) C:\Windows\system32\drivers\aliide.sys
2011/07/06 17:09:36.0676 3052	amdide          (970fa5059e61e30d25307b99903e991e) C:\Windows\system32\drivers\amdide.sys
2011/07/06 17:09:36.0697 3052	AmdK8           (cdc3632a3a5ea4dbb83e46076a3165a1) C:\Windows\system32\drivers\amdk8.sys
2011/07/06 17:09:36.0808 3052	arc             (ba8417d4765f3988ff921f30f630e303) C:\Windows\system32\drivers\arc.sys
2011/07/06 17:09:36.0832 3052	arcsas          (9d41c435619733b34cc16a511e644b11) C:\Windows\system32\drivers\arcsas.sys
2011/07/06 17:09:36.0860 3052	AsyncMac        (22d13ff3dafec2a80634752b1eaa2de6) C:\Windows\system32\DRIVERS\asyncmac.sys
2011/07/06 17:09:36.0904 3052	atapi           (e68d9b3a3905619732f7fe039466a623) C:\Windows\system32\drivers\atapi.sys
2011/07/06 17:09:37.0052 3052	atikmdag        (a4379447148ee55330768cc491ee999e) C:\Windows\system32\DRIVERS\atikmdag.sys
2011/07/06 17:09:37.0139 3052	AtiPcie         (db0d3de15edc96e7529fc0d3f7760894) C:\Windows\system32\DRIVERS\AtiPcie.sys
2011/07/06 17:09:37.0208 3052	atksgt          (54494b93bb5ad74c807100144ec30d64) C:\Windows\system32\DRIVERS\atksgt.sys
2011/07/06 17:09:37.0295 3052	b57nd60a        (1777e5ac9fc74f7991b2aba25ea34759) C:\Windows\system32\DRIVERS\b57nd60a.sys
2011/07/06 17:09:37.0364 3052	blbdrive        (79feeb40056683f8f61398d81dda65d2) C:\Windows\system32\drivers\blbdrive.sys
2011/07/06 17:09:37.0443 3052	bowser          (2348447a80920b2493a9b582a23e81e1) C:\Windows\system32\DRIVERS\bowser.sys
2011/07/06 17:09:37.0490 3052	BrFiltLo        (f09eee9edc320b5e1501f749fde686c8) C:\Windows\system32\drivers\brfiltlo.sys
2011/07/06 17:09:37.0517 3052	BrFiltUp        (b114d3098e9bdb8bea8b053685831be6) C:\Windows\system32\drivers\brfiltup.sys
2011/07/06 17:09:37.0550 3052	Brserid         (f0f0ba4d815be446aa6a4583ca3bca9b) C:\Windows\system32\drivers\brserid.sys
2011/07/06 17:09:37.0575 3052	BrSerWdm        (a6eca2151b08a09caceca35c07f05b42) C:\Windows\system32\drivers\brserwdm.sys
2011/07/06 17:09:37.0602 3052	BrUsbMdm        (b79968002c277e869cf38bd22cd61524) C:\Windows\system32\drivers\brusbmdm.sys
2011/07/06 17:09:37.0623 3052	BrUsbSer        (a87528880231c54e75ea7a44943b38bf) C:\Windows\system32\drivers\brusbser.sys
2011/07/06 17:09:37.0646 3052	BTHMODEM        (e0777b34e05f8a82a21856efc900c29f) C:\Windows\system32\drivers\bthmodem.sys
2011/07/06 17:09:37.0687 3052	cdfs            (b4d787db8d30793a4d4df9feed18f136) C:\Windows\system32\DRIVERS\cdfs.sys
2011/07/06 17:09:37.0731 3052	cdrom           (c025aa69be3d0d25c7a2e746ef6f94fc) C:\Windows\system32\DRIVERS\cdrom.sys
2011/07/06 17:09:37.0779 3052	circlass        (02ea568d498bbdd4ba55bf3fce34d456) C:\Windows\system32\drivers\circlass.sys
2011/07/06 17:09:37.0835 3052	CLFS            (3dca9a18b204939cfb24bea53e31eb48) C:\Windows\system32\CLFS.sys
2011/07/06 17:09:37.0915 3052	cmdide          (e5d5499a1c50a54b5161296b6afe6192) C:\Windows\system32\drivers\cmdide.sys
2011/07/06 17:09:37.0939 3052	Compbatt        (7fb8ad01db0eabe60c8a861531a8f431) C:\Windows\system32\drivers\compbatt.sys
2011/07/06 17:09:37.0965 3052	crcdisk         (a8585b6412253803ce8efcbd6d6dc15c) C:\Windows\system32\drivers\crcdisk.sys
2011/07/06 17:09:38.0039 3052	DfsC            (8b722ba35205c71e7951cdc4cdbade19) C:\Windows\system32\Drivers\dfsc.sys
2011/07/06 17:09:38.0093 3052	disk            (b0107e40ecdb5fa692ebf832f295d905) C:\Windows\system32\drivers\disk.sys
2011/07/06 17:09:38.0169 3052	drmkaud         (f1a78a98cfc2ee02144c6bec945447e6) C:\Windows\system32\drivers\drmkaud.sys
2011/07/06 17:09:38.0234 3052	DXGKrnl         (b8e554e502d5123bc111f99d6a2181b4) C:\Windows\System32\drivers\dxgkrnl.sys
2011/07/06 17:09:38.0260 3052	E1G60           (264cee7b031a9d6c827f3d0cb031f2fe) C:\Windows\system32\DRIVERS\E1G6032E.sys
2011/07/06 17:09:38.0306 3052	Ecache          (5f94962be5a62db6e447ff6470c4f48a) C:\Windows\system32\drivers\ecache.sys
2011/07/06 17:09:38.0345 3052	elxstor         (c4636d6e10469404ab5308d9fd45ed07) C:\Windows\system32\drivers\elxstor.sys
2011/07/06 17:09:38.0378 3052	ErrDev          (bc3a58e938bb277e46bf4b3003b01abd) C:\Windows\system32\drivers\errdev.sys
2011/07/06 17:09:38.0443 3052	exfat           (486844f47b6636044a42454614ed4523) C:\Windows\system32\drivers\exfat.sys
2011/07/06 17:09:38.0492 3052	fastfat         (1a4bee34277784619ddaf0422c0c6e23) C:\Windows\system32\drivers\fastfat.sys
2011/07/06 17:09:38.0521 3052	fdc             (81b79b6df71fa1d2c6d688d830616e39) C:\Windows\system32\DRIVERS\fdc.sys
2011/07/06 17:09:38.0578 3052	FileInfo        (457b7d1d533e4bd62a99aed9c7bb4c59) C:\Windows\system32\drivers\fileinfo.sys
2011/07/06 17:09:38.0633 3052	Filetrace       (d421327fd6efccaf884a54c58e1b0d7f) C:\Windows\system32\drivers\filetrace.sys
2011/07/06 17:09:38.0703 3052	flpydisk        (230923ea2b80f79b0f88d90f87b87ebd) C:\Windows\system32\DRIVERS\flpydisk.sys
2011/07/06 17:09:38.0770 3052	FltMgr          (e3041bc26d6930d61f42aedb79c91720) C:\Windows\system32\drivers\fltmgr.sys
2011/07/06 17:09:38.0825 3052	Fs_Rec          (29d99e860a1ca0a03c6a733fdd0da703) C:\Windows\system32\drivers\Fs_Rec.sys
2011/07/06 17:09:38.0849 3052	gagp30kx        (c8e416668d3dc2be3d4fe4c79224997f) C:\Windows\system32\drivers\gagp30kx.sys
2011/07/06 17:09:38.0902 3052	GEARAspiWDM     (e403aacf8c7bb11375122d2464560311) C:\Windows\system32\DRIVERS\GEARAspiWDM.sys
2011/07/06 17:09:38.0979 3052	HdAudAddService (df45f8142dc6df9d18c39b3effbd0409) C:\Windows\system32\drivers\HdAudio.sys
2011/07/06 17:09:39.0043 3052	HDAudBus        (f942c5820205f2fb453243edfec82a3d) C:\Windows\system32\DRIVERS\HDAudBus.sys
2011/07/06 17:09:39.0079 3052	HidBth          (b4881c84a180e75b8c25dc1d726c375f) C:\Windows\system32\drivers\hidbth.sys
2011/07/06 17:09:39.0104 3052	HidIr           (4e77a77e2c986e8f88f996bb3e1ad829) C:\Windows\system32\drivers\hidir.sys
2011/07/06 17:09:39.0162 3052	HidUsb          (443bdd2d30bb4f00795c797e2cf99edf) C:\Windows\system32\DRIVERS\hidusb.sys
2011/07/06 17:09:39.0222 3052	HpCISSs         (d7109a1e6bd2dfdbcba72a6bc626a13b) C:\Windows\system32\drivers\hpcisss.sys
2011/07/06 17:09:39.0283 3052	HTTP            (098f1e4e5c9cb5b0063a959063631610) C:\Windows\system32\drivers\HTTP.sys
2011/07/06 17:09:39.0309 3052	i2omp           (da94c854cea5fac549d4e1f6e88349e8) C:\Windows\system32\drivers\i2omp.sys
2011/07/06 17:09:39.0384 3052	i8042prt        (cbb597659a2713ce0c9cc20c88c7591f) C:\Windows\system32\DRIVERS\i8042prt.sys
2011/07/06 17:09:39.0412 3052	iaStorV         (3e3bf3627d886736d0b4e90054f929f6) C:\Windows\system32\drivers\iastorv.sys
2011/07/06 17:09:39.0447 3052	iirsp           (8c3951ad2fe886ef76c7b5027c3125d3) C:\Windows\system32\drivers\iirsp.sys
2011/07/06 17:09:39.0548 3052	IntcAzAudAddService (627c6b352718e59df08f02c536e2e0ed) C:\Windows\system32\drivers\RTKVHD64.sys
2011/07/06 17:09:39.0603 3052	intelide        (df797a12176f11b2d301c5b234bb200e) C:\Windows\system32\drivers\intelide.sys
2011/07/06 17:09:39.0621 3052	intelppm        (bfd84af32fa1bad6231c4585cb469630) C:\Windows\system32\DRIVERS\intelppm.sys
2011/07/06 17:09:39.0680 3052	IpFilterDriver  (d8aabc341311e4780d6fce8c73c0ad81) C:\Windows\system32\DRIVERS\ipfltdrv.sys
2011/07/06 17:09:39.0720 3052	IPMIDRV         (9c2ee2e6e5a7203bfae15c299475ec67) C:\Windows\system32\drivers\ipmidrv.sys
2011/07/06 17:09:39.0749 3052	IPNAT           (b7e6212f581ea5f6ab0c3a6ceeeb89be) C:\Windows\system32\DRIVERS\ipnat.sys
2011/07/06 17:09:39.0798 3052	IRENUM          (8c42ca155343a2f11d29feca67faa88d) C:\Windows\system32\drivers\irenum.sys
2011/07/06 17:09:39.0847 3052	isapnp          (0672bfcedc6fc468a2b0500d81437f4f) C:\Windows\system32\drivers\isapnp.sys
2011/07/06 17:09:39.0893 3052	iScsiPrt        (e4fdf99599f27ec25d2cf6d754243520) C:\Windows\system32\DRIVERS\msiscsi.sys
2011/07/06 17:09:39.0920 3052	iteatapi        (63c766cdc609ff8206cb447a65abba4a) C:\Windows\system32\drivers\iteatapi.sys
2011/07/06 17:09:39.0970 3052	iteraid         (1281fe73b17664631d12f643cbea3f59) C:\Windows\system32\drivers\iteraid.sys
2011/07/06 17:09:39.0998 3052	kbdclass        (423696f3ba6472dd17699209b933bc26) C:\Windows\system32\DRIVERS\kbdclass.sys
2011/07/06 17:09:40.0012 3052	kbdhid          (bf8783a5066cfecf45095459e8010fa7) C:\Windows\system32\DRIVERS\kbdhid.sys
2011/07/06 17:09:40.0065 3052	KSecDD          (476e2c1dcea45895994bef11c2a98715) C:\Windows\system32\Drivers\ksecdd.sys
2011/07/06 17:09:40.0091 3052	ksthunk         (1d419cf43db29396ecd7113d129d94eb) C:\Windows\system32\drivers\ksthunk.sys
2011/07/06 17:09:40.0136 3052	lirsgt          (8e4ca9afd55ef6b509c80a8715abf8c6) C:\Windows\system32\DRIVERS\lirsgt.sys
2011/07/06 17:09:40.0173 3052	lltdio          (96ece2659b6654c10a0c310ae3a6d02c) C:\Windows\system32\DRIVERS\lltdio.sys
2011/07/06 17:09:40.0210 3052	LSI_FC          (acbe1af32d3123e330a07bfbc5ec4a9b) C:\Windows\system32\drivers\lsi_fc.sys
2011/07/06 17:09:40.0230 3052	LSI_SAS         (799ffb2fc4729fa46d2157c0065b3525) C:\Windows\system32\drivers\lsi_sas.sys
2011/07/06 17:09:40.0254 3052	LSI_SCSI        (f445ff1daad8a226366bfaf42551226b) C:\Windows\system32\drivers\lsi_scsi.sys
2011/07/06 17:09:40.0282 3052	luafv           (52f87b9cc8932c2a7375c3b2a9be5e3e) C:\Windows\system32\drivers\luafv.sys
2011/07/06 17:09:40.0321 3052	megasas         (5c5cd6aaced32fb26c3fb34b3dcf972f) C:\Windows\system32\drivers\megasas.sys
2011/07/06 17:09:40.0366 3052	MegaSR          (859bc2436b076c77c159ed694acfe8f8) C:\Windows\system32\drivers\megasr.sys
2011/07/06 17:09:40.0398 3052	Modem           (59848d5cc74606f0ee7557983bb73c2e) C:\Windows\system32\drivers\modem.sys
2011/07/06 17:09:40.0417 3052	monitor         (c247cc2a57e0a0c8c6dccf7807b3e9e5) C:\Windows\system32\DRIVERS\monitor.sys
2011/07/06 17:09:40.0431 3052	mouclass        (9367304e5e412b120cf5f4ea14e4e4f1) C:\Windows\system32\DRIVERS\mouclass.sys
2011/07/06 17:09:40.0464 3052	mouhid          (c2c2bd5c5ce5aaf786ddd74b75d2ac69) C:\Windows\system32\DRIVERS\mouhid.sys
2011/07/06 17:09:40.0497 3052	MountMgr        (11bc9b1e8801b01f7f6adb9ead30019b) C:\Windows\system32\drivers\mountmgr.sys
2011/07/06 17:09:40.0538 3052	mpio            (f8276eb8698142884498a528dfea8478) C:\Windows\system32\drivers\mpio.sys
2011/07/06 17:09:40.0563 3052	mpsdrv          (c92b9abdb65a5991e00c28f13491dba2) C:\Windows\system32\drivers\mpsdrv.sys
2011/07/06 17:09:40.0595 3052	Mraid35x        (3c200630a89ef2c0864d515b7a75802e) C:\Windows\system32\drivers\mraid35x.sys
2011/07/06 17:09:40.0622 3052	MRxDAV          (7c1de4aa96dc0c071611f9e7de02a68d) C:\Windows\system32\drivers\mrxdav.sys
2011/07/06 17:09:40.0665 3052	mrxsmb          (1485811b320ff8c7edad1caebb1c6c2b) C:\Windows\system32\DRIVERS\mrxsmb.sys
2011/07/06 17:09:40.0739 3052	mrxsmb10        (6dc9461915a551c2a625986f5fb3b851) C:\Windows\system32\DRIVERS\mrxsmb10.sys
2011/07/06 17:09:40.0787 3052	mrxsmb20        (c64ab3e1f53b4f5b5bb6d796b2d7bec3) C:\Windows\system32\DRIVERS\mrxsmb20.sys
2011/07/06 17:09:40.0816 3052	msahci          (1ac860612b85d8e85ee257d372e39f4d) C:\Windows\system32\drivers\msahci.sys
2011/07/06 17:09:40.0839 3052	msdsm           (264bbb4aaf312a485f0e44b65a6b7202) C:\Windows\system32\drivers\msdsm.sys
2011/07/06 17:09:40.0885 3052	Msfs            (704f59bfc4512d2bb0146aec31b10a7c) C:\Windows\system32\drivers\Msfs.sys
2011/07/06 17:09:40.0905 3052	msisadrv        (00ebc952961664780d43dca157e79b27) C:\Windows\system32\drivers\msisadrv.sys
2011/07/06 17:09:40.0966 3052	MSKSSRV         (0ea73e498f53b96d83dbfca074ad4cf8) C:\Windows\system32\drivers\MSKSSRV.sys
2011/07/06 17:09:41.0003 3052	MSPCLOCK        (52e59b7e992a58e740aa63f57edbae8b) C:\Windows\system32\drivers\MSPCLOCK.sys
2011/07/06 17:09:41.0022 3052	MSPQM           (49084a75bae043ae02d5b44d02991bb2) C:\Windows\system32\drivers\MSPQM.sys
2011/07/06 17:09:41.0076 3052	MsRPC           (dc6ccf440cdede4293db41c37a5060a5) C:\Windows\system32\drivers\MsRPC.sys
2011/07/06 17:09:41.0109 3052	mssmbios        (855796e59df77ea93af46f20155bf55b) C:\Windows\system32\DRIVERS\mssmbios.sys
2011/07/06 17:09:41.0173 3052	MSTEE           (86d632d75d05d5b7c7c043fa3564ae86) C:\Windows\system32\drivers\MSTEE.sys
2011/07/06 17:09:41.0197 3052	Mup             (0cc49f78d8aca0877d885f149084e543) C:\Windows\system32\Drivers\mup.sys
2011/07/06 17:09:41.0267 3052	NativeWifiP     (2007b826c4acd94ae32232b41f0842b9) C:\Windows\system32\DRIVERS\nwifi.sys
2011/07/06 17:09:41.0342 3052	NDIS            (65950e07329fcee8e6516b17c8d0abb6) C:\Windows\system32\drivers\ndis.sys
2011/07/06 17:09:41.0395 3052	NdisTapi        (64df698a425478e321981431ac171334) C:\Windows\system32\DRIVERS\ndistapi.sys
2011/07/06 17:09:41.0434 3052	Ndisuio         (8baa43196d7b5bb972c9a6b2bbf61a19) C:\Windows\system32\DRIVERS\ndisuio.sys
2011/07/06 17:09:41.0490 3052	NdisWan         (f8158771905260982ce724076419ef19) C:\Windows\system32\DRIVERS\ndiswan.sys
2011/07/06 17:09:41.0507 3052	NDProxy         (9cb77ed7cb72850253e973a2d6afdf49) C:\Windows\system32\drivers\NDProxy.sys
2011/07/06 17:09:41.0547 3052	NetBIOS         (a499294f5029a7862adc115bda7371ce) C:\Windows\system32\DRIVERS\netbios.sys
2011/07/06 17:09:41.0589 3052	netbt           (fc2c792ebddc8e28df939d6a92c83d61) C:\Windows\system32\DRIVERS\netbt.sys
2011/07/06 17:09:41.0658 3052	netr28ux        (01a8a17c17e548db1b6c2e597c0c66e6) C:\Windows\system32\DRIVERS\netr28ux.sys
2011/07/06 17:09:41.0683 3052	nfrd960         (4ac08bd6af2df42e0c3196d826c8aea7) C:\Windows\system32\drivers\nfrd960.sys
2011/07/06 17:09:41.0711 3052	Npfs            (b298874f8e0ea93f06ec40aa8d146478) C:\Windows\system32\drivers\Npfs.sys
2011/07/06 17:09:41.0738 3052	nsiproxy        (1523af19ee8b030ba682f7a53537eaeb) C:\Windows\system32\drivers\nsiproxy.sys
2011/07/06 17:09:41.0805 3052	Ntfs            (bac869dfb98e499ba4d9bb1fb43270e1) C:\Windows\system32\drivers\Ntfs.sys
2011/07/06 17:09:41.0840 3052	Null            (dd5d684975352b85b52e3fd5347c20cb) C:\Windows\system32\drivers\Null.sys
2011/07/06 17:09:41.0871 3052	nvraid          (2c040b7ada5b06f6facadac8514aa034) C:\Windows\system32\drivers\nvraid.sys
2011/07/06 17:09:41.0899 3052	nvstor          (f7ea0fe82842d05eda3efdd376dbfdba) C:\Windows\system32\drivers\nvstor.sys
2011/07/06 17:09:41.0933 3052	nv_agp          (19067ca93075ef4823e3938a686f532f) C:\Windows\system32\drivers\nv_agp.sys
2011/07/06 17:09:42.0043 3052	ohci1394        (b5b1ce65ac15bbd11c0619e3ef7cfc28) C:\Windows\system32\DRIVERS\ohci1394.sys
2011/07/06 17:09:42.0092 3052	Parport         (aecd57f94c887f58919f307c35498ea0) C:\Windows\system32\drivers\parport.sys
2011/07/06 17:09:42.0130 3052	partmgr         (f9b5eda4c17a2be7663f064dbf0fe254) C:\Windows\system32\drivers\partmgr.sys
2011/07/06 17:09:42.0241 3052	pci             (47ab1e0fc9d0e12bb53ba246e3a0906d) C:\Windows\system32\drivers\pci.sys
2011/07/06 17:09:42.0299 3052	pciide          (2657f6c0b78c36d95034be109336e382) C:\Windows\system32\drivers\pciide.sys
2011/07/06 17:09:42.0349 3052	pcmcia          (037661f3d7c507c9993b7010ceee6288) C:\Windows\system32\drivers\pcmcia.sys
2011/07/06 17:09:42.0411 3052	PEAUTH          (58865916f53592a61549b04941bfd80d) C:\Windows\system32\drivers\peauth.sys
2011/07/06 17:09:42.0514 3052	PptpMiniport    (23386e9952025f5f21c368971e2e7301) C:\Windows\system32\DRIVERS\raspptp.sys
2011/07/06 17:09:42.0536 3052	Processor       (5080e59ecee0bc923f14018803aa7a01) C:\Windows\system32\DRIVERS\processr.sys
2011/07/06 17:09:42.0607 3052	PSched          (c5ab7f0809392d0da027f4a2a81bfa31) C:\Windows\system32\DRIVERS\pacer.sys
2011/07/06 17:09:42.0666 3052	ql2300          (0b83f4e681062f3839be2ec1d98fd94a) C:\Windows\system32\drivers\ql2300.sys
2011/07/06 17:09:42.0715 3052	ql40xx          (e1c80f8d4d1e39ef9595809c1369bf2a) C:\Windows\system32\drivers\ql40xx.sys
2011/07/06 17:09:42.0774 3052	QWAVEdrv        (e8d76edab77ec9c634c27b8eac33adc5) C:\Windows\system32\drivers\qwavedrv.sys
2011/07/06 17:09:42.0811 3052	RasAcd          (1013b3b663a56d3ddd784f581c1bd005) C:\Windows\system32\DRIVERS\rasacd.sys
2011/07/06 17:09:42.0870 3052	Rasl2tp         (ac7bc4d42a7e558718dfdec599bbfc2c) C:\Windows\system32\DRIVERS\rasl2tp.sys
2011/07/06 17:09:42.0926 3052	RasPppoe        (4517fbf8b42524afe4ede1de102aae3e) C:\Windows\system32\DRIVERS\raspppoe.sys
2011/07/06 17:09:42.0955 3052	RasSstp         (c6a593b51f34c33e5474539544072527) C:\Windows\system32\DRIVERS\rassstp.sys
2011/07/06 17:09:43.0001 3052	rdbss           (322db5c6b55e8d8ee8d6f358b2aaabb1) C:\Windows\system32\DRIVERS\rdbss.sys
2011/07/06 17:09:43.0029 3052	RDPCDD          (603900cc05f6be65ccbf373800af3716) C:\Windows\system32\DRIVERS\RDPCDD.sys
2011/07/06 17:09:43.0085 3052	rdpdr           (c045d1fb111c28df0d1be8d4bda22c06) C:\Windows\system32\drivers\rdpdr.sys
2011/07/06 17:09:43.0101 3052	RDPENCDD        (cab9421daf3d97b33d0d055858e2c3ab) C:\Windows\system32\drivers\rdpencdd.sys
2011/07/06 17:09:43.0134 3052	RDPWD           (b1d741c87cea8d7282146366cc9c3f81) C:\Windows\system32\drivers\RDPWD.sys
2011/07/06 17:09:43.0182 3052	rspndr          (22a9cb08b1a6707c1550c6bf099aae73) C:\Windows\system32\DRIVERS\rspndr.sys
2011/07/06 17:09:43.0250 3052	RTHDMIAzAudService (67c7695d3b18682addf8419eda4bbfb8) C:\Windows\system32\drivers\RtHDMIVX.sys
2011/07/06 17:09:43.0279 3052	sbp2port        (cd9c693589c60ad59bbbcfb0e524e01b) C:\Windows\system32\drivers\sbp2port.sys
2011/07/06 17:09:43.0314 3052	secdrv          (3ea8a16169c26afbeb544e0e48421186) C:\Windows\system32\drivers\secdrv.sys
2011/07/06 17:09:43.0343 3052	Serenum         (f71bfe7ac6c52273b7c82cbf1bb2a222) C:\Windows\system32\drivers\serenum.sys
2011/07/06 17:09:43.0371 3052	Serial          (e62fac91ee288db29a9696a9d279929c) C:\Windows\system32\drivers\serial.sys
2011/07/06 17:09:43.0411 3052	sermouse        (a842f04833684bceea7336211be478df) C:\Windows\system32\drivers\sermouse.sys
2011/07/06 17:09:43.0448 3052	sffdisk         (14d4b4465193a87c127933978e8c4106) C:\Windows\system32\drivers\sffdisk.sys
2011/07/06 17:09:43.0463 3052	sffp_mmc        (7073aee3f82f3d598e3825962aa98ab2) C:\Windows\system32\drivers\sffp_mmc.sys
2011/07/06 17:09:43.0479 3052	sffp_sd         (35e59ebe4a01a0532ed67975161c7b82) C:\Windows\system32\drivers\sffp_sd.sys
2011/07/06 17:09:43.0494 3052	sfloppy         (6b7838c94135768bd455cbdc23e39e5f) C:\Windows\system32\drivers\sfloppy.sys
2011/07/06 17:09:43.0526 3052	SiSRaid2        (7a5de502aeb719d4594c6471060a78b3) C:\Windows\system32\drivers\sisraid2.sys
2011/07/06 17:09:43.0549 3052	SiSRaid4        (3a2f769fab9582bc720e11ea1dfb184d) C:\Windows\system32\drivers\sisraid4.sys
2011/07/06 17:09:43.0595 3052	Smb             (290b6f6a0ec4fcdfc90f5cb6d7020473) C:\Windows\system32\DRIVERS\smb.sys
2011/07/06 17:09:43.0649 3052	spldr           (386c3c63f00a7040c7ec5e384217e89d) C:\Windows\system32\drivers\spldr.sys
2011/07/06 17:09:43.0708 3052	srv             (880a57fccb571ebd063d4dd50e93e46d) C:\Windows\system32\DRIVERS\srv.sys
2011/07/06 17:09:43.0756 3052	srv2            (a1ad14a6d7a37891fffeca35ebbb0730) C:\Windows\system32\DRIVERS\srv2.sys
2011/07/06 17:09:43.0804 3052	srvnet          (4bed62f4fa4d8300973f1151f4c4d8a7) C:\Windows\system32\DRIVERS\srvnet.sys
2011/07/06 17:09:43.0869 3052	swenum          (8a851ca908b8b974f89c50d2e18d4f0c) C:\Windows\system32\DRIVERS\swenum.sys
2011/07/06 17:09:43.0937 3052	swmsflt         (179de6936fbb0702f89535b27e311b1f) C:\Windows\System32\drivers\swmsflt.sys
2011/07/06 17:09:43.0999 3052	SWNC8U80        (93426e420efe938774d0c2d17f7ad4d2) C:\Windows\system32\DRIVERS\swnc8u80.sys
2011/07/06 17:09:44.0054 3052	SWUMX80         (8eb20f97ccbd8363f5564f01ba7b34cc) C:\Windows\system32\DRIVERS\swumx80.sys
2011/07/06 17:09:44.0081 3052	Symc8xx         (2f26a2c6fc96b29beff5d8ed74e6625b) C:\Windows\system32\drivers\symc8xx.sys
2011/07/06 17:09:44.0108 3052	Sym_hi          (a909667976d3bccd1df813fed517d837) C:\Windows\system32\drivers\sym_hi.sys
2011/07/06 17:09:44.0152 3052	Sym_u3          (36887b56ec2d98b9c362f6ae4de5b7b0) C:\Windows\system32\drivers\sym_u3.sys
2011/07/06 17:09:44.0252 3052	Tcpip           (973658a2ea9c06b2976884b9046dfc6c) C:\Windows\system32\drivers\tcpip.sys
2011/07/06 17:09:44.0305 3052	Tcpip6          (973658a2ea9c06b2976884b9046dfc6c) C:\Windows\system32\DRIVERS\tcpip.sys
2011/07/06 17:09:44.0345 3052	tcpipreg        (c7e72a4071ee0200e3c075dacfb2b334) C:\Windows\system32\drivers\tcpipreg.sys
2011/07/06 17:09:44.0374 3052	TDPIPE          (1d8bf4aaa5fb7a2761475781dc1195bc) C:\Windows\system32\drivers\tdpipe.sys
2011/07/06 17:09:44.0403 3052	TDTCP           (7f7e00cdf609df657f4cda02dd1c9bb1) C:\Windows\system32\drivers\tdtcp.sys
2011/07/06 17:09:44.0438 3052	tdx             (458919c8c42e398dc4802178d5ffee27) C:\Windows\system32\DRIVERS\tdx.sys
2011/07/06 17:09:44.0482 3052	TermDD          (8c19678d22649ec002ef2282eae92f98) C:\Windows\system32\DRIVERS\termdd.sys
2011/07/06 17:09:44.0564 3052	tmactmon        (73aaffdd2ac3c8814b26c440e5dd9dd4) C:\Windows\system32\DRIVERS\tmactmon.sys
2011/07/06 17:09:44.0608 3052	tmcomm          (360e61217d4e1e333583d0c721057f70) C:\Windows\system32\DRIVERS\tmcomm.sys
2011/07/06 17:09:44.0664 3052	tmevtmgr        (699d34eb7c670139ca23a65372bd5743) C:\Windows\system32\DRIVERS\tmevtmgr.sys
2011/07/06 17:09:44.0716 3052	tmtdi           (262198efb734012bfcd17e7479ae4a09) C:\Windows\system32\DRIVERS\tmtdi.sys
2011/07/06 17:09:44.0761 3052	tssecsrv        (9e5409cd17c8bef193aad498f3bc2cb8) C:\Windows\system32\DRIVERS\tssecsrv.sys
2011/07/06 17:09:44.0785 3052	tunmp           (89ec74a9e602d16a75a4170511029b3c) C:\Windows\system32\DRIVERS\tunmp.sys
2011/07/06 17:09:44.0833 3052	tunnel          (30a9b3f45ad081bffc3bcaa9c812b609) C:\Windows\system32\DRIVERS\tunnel.sys
2011/07/06 17:09:44.0862 3052	uagp35          (fec266ef401966311744bd0f359f7f56) C:\Windows\system32\drivers\uagp35.sys
2011/07/06 17:09:44.0905 3052	udfs            (faf2640a2a76ed03d449e443194c4c34) C:\Windows\system32\DRIVERS\udfs.sys
2011/07/06 17:09:44.0962 3052	uliagpkx        (4ec9447ac3ab462647f60e547208ca00) C:\Windows\system32\drivers\uliagpkx.sys
2011/07/06 17:09:44.0998 3052	uliahci         (697f0446134cdc8f99e69306184fbbb4) C:\Windows\system32\drivers\uliahci.sys
2011/07/06 17:09:45.0033 3052	UlSata          (31707f09846056651ea2c37858f5ddb0) C:\Windows\system32\drivers\ulsata.sys
2011/07/06 17:09:45.0068 3052	ulsata2         (85e5e43ed5b48c8376281bab519271b7) C:\Windows\system32\drivers\ulsata2.sys
2011/07/06 17:09:45.0107 3052	umbus           (46e9a994c4fed537dd951f60b86ad3f4) C:\Windows\system32\DRIVERS\umbus.sys
2011/07/06 17:09:45.0172 3052	USBAAPL64       (aa33fc47ed58c34e6e9261e4f850b7eb) C:\Windows\system32\Drivers\usbaapl64.sys
2011/07/06 17:09:45.0199 3052	usbccgp         (07e3498fc60834219d2356293da0fecc) C:\Windows\system32\DRIVERS\usbccgp.sys
2011/07/06 17:09:45.0229 3052	usbcir          (9247f7e0b65852c1f6631480984d6ed2) C:\Windows\system32\drivers\usbcir.sys
2011/07/06 17:09:45.0288 3052	usbehci         (827e44de934a736ea31e91d353eb126f) C:\Windows\system32\DRIVERS\usbehci.sys
2011/07/06 17:09:45.0317 3052	usbhub          (bb35cd80a2ececfadc73569b3d70c7d1) C:\Windows\system32\DRIVERS\usbhub.sys
2011/07/06 17:09:45.0339 3052	usbohci         (e406b003a354776d317762694956b0fc) C:\Windows\system32\DRIVERS\usbohci.sys
2011/07/06 17:09:45.0370 3052	usbprint        (acfee697af477021bb3ec78c5431fed2) C:\Windows\system32\drivers\usbprint.sys
2011/07/06 17:09:45.0391 3052	USBSTOR         (b854c1558fca0c269a38663e8b59b581) C:\Windows\system32\DRIVERS\USBSTOR.SYS
2011/07/06 17:09:45.0422 3052	usbuhci         (b2872cbf9f47316abd0e0c74a1aba507) C:\Windows\system32\DRIVERS\usbuhci.sys
2011/07/06 17:09:45.0461 3052	vga             (916b94bcf1e09873fff2d5fb11767bbc) C:\Windows\system32\DRIVERS\vgapnp.sys
2011/07/06 17:09:45.0488 3052	VgaSave         (b83ab16b51feda65dd81b8c59d114d63) C:\Windows\System32\drivers\vga.sys
2011/07/06 17:09:45.0520 3052	viaide          (8294b6c3fdb6c33f24e150de647ecdaa) C:\Windows\system32\drivers\viaide.sys
2011/07/06 17:09:45.0553 3052	volmgr          (2b7e885ed951519a12c450d24535dfca) C:\Windows\system32\drivers\volmgr.sys
2011/07/06 17:09:45.0609 3052	volmgrx         (cec5ac15277d75d9e5dec2e1c6eaf877) C:\Windows\system32\drivers\volmgrx.sys
2011/07/06 17:09:45.0659 3052	volsnap         (5280aada24ab36b01a84a6424c475c8d) C:\Windows\system32\drivers\volsnap.sys
2011/07/06 17:09:45.0689 3052	vsmraid         (a68f455ed2673835209318dd61bfbb0e) C:\Windows\system32\drivers\vsmraid.sys
2011/07/06 17:09:45.0727 3052	WacomPen        (fef8fe5923fead2cee4dfabfce3393a7) C:\Windows\system32\drivers\wacompen.sys
2011/07/06 17:09:45.0789 3052	Wanarp          (b8e7049622300d20ba6d8be0c47c0cfd) C:\Windows\system32\DRIVERS\wanarp.sys
2011/07/06 17:09:45.0802 3052	Wanarpv6        (b8e7049622300d20ba6d8be0c47c0cfd) C:\Windows\system32\DRIVERS\wanarp.sys
2011/07/06 17:09:45.0836 3052	Wd              (0c17a0816f65b89e362e682ad5e7266e) C:\Windows\system32\drivers\wd.sys
2011/07/06 17:09:45.0897 3052	Wdf01000        (441bd2d7b4f98134c3a4f9fa570fd250) C:\Windows\system32\drivers\Wdf01000.sys
2011/07/06 17:09:46.0027 3052	WinUSB          (7f2f9e48566b2087f2aaad258cb2a8d4) C:\Windows\system32\DRIVERS\WinUSB.sys
2011/07/06 17:09:46.0081 3052	WmiAcpi         (e18aebaaa5a773fe11aa2c70f65320f5) C:\Windows\system32\DRIVERS\wmiacpi.sys
2011/07/06 17:09:46.0179 3052	WpdUsb          (5e2401b3fc1089c90e081291357371a9) C:\Windows\system32\DRIVERS\wpdusb.sys
2011/07/06 17:09:46.0220 3052	ws2ifsl         (8a900348370e359b6bff6a550e4649e1) C:\Windows\system32\drivers\ws2ifsl.sys
2011/07/06 17:09:46.0287 3052	WudfPf          (7cadc74271dd6461c452c271b30bd378) C:\Windows\system32\drivers\WudfPf.sys
2011/07/06 17:09:46.0313 3052	WUDFRd          (3b197af0fff08aa66b6b2241ca538d64) C:\Windows\system32\DRIVERS\WUDFRd.sys
2011/07/06 17:09:46.0399 3052	yukonx64        (d34faa40d8af3db716e67de203ef62ca) C:\Windows\system32\DRIVERS\yk60x64.sys
2011/07/06 17:09:46.0487 3052	MBR (0x1B8)     (c3cb91169c3379597e17079feecbfd03) \Device\Harddisk0\DR0
2011/07/06 17:09:46.0492 3052	\Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/07/06 17:09:46.0502 3052	MBR (0x1B8)     (5fb38429d5d77768867c76dcbdb35194) \Device\Harddisk1\DR1
2011/07/06 17:09:46.0517 3052	Boot (0x1200)   (8407ec0dee3ecf52634483f2473b48fd) \Device\Harddisk0\DR0\Partition0
2011/07/06 17:09:46.0526 3052	Boot (0x1200)   (9d1238386c04610f52c6fe1cae494519) \Device\Harddisk1\DR1\Partition0
2011/07/06 17:09:46.0532 3052	================================================================================
2011/07/06 17:09:46.0532 3052	Scan finished
2011/07/06 17:09:46.0532 3052	================================================================================
2011/07/06 17:09:46.0543 1428	Detected object count: 1
2011/07/06 17:09:46.0543 1428	Actual detected object count: 1
2011/07/06 17:10:06.0844 1428	\Device\Harddisk0\DR0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/07/06 17:10:06.0845 1428	\Device\Harddisk0\DR0 - ok
2011/07/06 17:10:06.0846 1428	Rootkit.Win32.TDSS.tdl4(\Device\Harddisk0\DR0) - User select action: Cure 
2011/07/06 17:10:36.0285 3876	Deinitialize success

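TDSSKiller log triage, as an added example (not code from this thread or from the tool's authors): a small Python parser that pulls the driver inventory, the detection, the chosen action and whether a reboot is still pending out of a log shaped like the one above. The sample lines are constructed with placeholder hashes in the same layout; the message patterns it recognises are inferred from that layout and are assumptions, so lines it does not understand are skipped rather than guessed at.

```python
"""Triage a TDSSKiller-style scan log: inventory, detections, actions.

Added example for this thread, not TDSSKiller's own code. The line layout
(timestamp, thread id, tab, message) and the message kinds handled are
assumptions taken from the shape of the log posted above.
"""
import re
from dataclasses import dataclass, field

# "<yyyy/mm/dd hh:mm:ss.ffff> <thread-id><ws><message>"
_LINE_RE = re.compile(
    r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+\s+(?P<tid>\d+)\s+(?P<msg>.*)$")
# Inventory line: "<name> (<md5>) <path>"; the name may carry an offset, e.g. "MBR (0x1B8)".
_OBJECT_RE = re.compile(
    r"^(?P<name>\S+(?: \(0x[0-9A-Fa-f]+\))?)\s+\((?P<md5>[0-9a-f]{32})\)\s+(?P<path>\S.*)$")
# "<object> - detected <threat> (<n>)"
_DETECT_RE = re.compile(r"^(?P<obj>.+?) - detected (?P<threat>\S+)")
# "<object> (<threat>) - <status>", e.g. "... - will be cured after reboot"
_STATUS_RE = re.compile(r"^(?P<obj>\S+) \((?P<threat>[^)]+)\) - (?P<status>.+)$")
# "<threat>(<object>) - User select action: <action>"
_SELECT_RE = re.compile(
    r"^(?P<threat>\S+?)\((?P<obj>[^)]+)\) - User select action: (?P<action>\S+)")
_COUNT_RE = re.compile(r"^Detected object count: (?P<n>\d+)$")


@dataclass
class ScanReport:
    objects: dict = field(default_factory=dict)     # path -> (name, md5)
    detections: list = field(default_factory=list)  # (object, threat)
    statuses: dict = field(default_factory=dict)    # object -> status text
    actions: list = field(default_factory=list)     # (object, threat, action)
    detected_count: int = 0
    reboot_required: bool = False


def parse_tdsskiller_log(text):
    """Walk the log once and collect what a responder needs to see first."""
    report = ScanReport()
    for raw in text.splitlines():
        line = _LINE_RE.match(raw.rstrip())
        if not line:
            continue  # banners, blank lines and anything else we don't model
        msg = line.group("msg").strip()
        if (m := _OBJECT_RE.match(msg)):
            report.objects[m["path"]] = (m["name"], m["md5"])
        elif (m := _DETECT_RE.match(msg)):
            report.detections.append((m["obj"], m["threat"]))
        elif (m := _STATUS_RE.match(msg)):
            report.statuses[m["obj"]] = m["status"]
            if "after reboot" in m["status"]:
                report.reboot_required = True
        elif (m := _SELECT_RE.match(msg)):
            report.actions.append((m["obj"], m["threat"], m["action"]))
        elif (m := _COUNT_RE.match(msg)):
            report.detected_count = int(m["n"])
    return report


def boot_objects(report):
    """MBR and partition boot-sector entries: where a TDL4-style infection sits."""
    return [(name, md5, path) for path, (name, md5) in report.objects.items()
            if name.startswith(("MBR", "Boot"))]


def summarize(report):
    """Compact view suitable for pasting into a case note."""
    return {
        "inventory": len(report.objects),
        "boot_sectors": len(boot_objects(report)),
        "detected": report.detected_count,
        "threats": [f"{t} on {o}" for o, t in report.detections],
        "actions": [f"{a}: {o}" for o, _, a in report.actions],
        "reboot_required": report.reboot_required,
    }


# Constructed sample in the same layout as the posted log; hashes are placeholders.
SAMPLE_LOG = (
    "2011/07/06 17:09:35.0515 3052\tScan started\n"
    "2011/07/06 17:09:36.0157 3052\tACPI            (00112233445566778899aabbccddeeff) "
    "C:\\Windows\\system32\\drivers\\acpi.sys\n"
    "2011/07/06 17:09:46.0487 3052\tMBR (0x1B8)     (ffeeddccbbaa99887766554433221100) "
    "\\Device\\Harddisk0\\DR0\n"
    "2011/07/06 17:09:46.0492 3052\t\\Device\\Harddisk0\\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)\n"
    "2011/07/06 17:09:46.0517 3052\tBoot (0x1200)   (0123456789abcdef0123456789abcdef) "
    "\\Device\\Harddisk0\\DR0\\Partition0\n"
    "2011/07/06 17:09:46.0532 3052\tScan finished\n"
    "2011/07/06 17:09:46.0543 1428\tDetected object count: 1\n"
    "2011/07/06 17:10:06.0844 1428\t\\Device\\Harddisk0\\DR0 (Rootkit.Win32.TDSS.tdl4) "
    "- will be cured after reboot\n"
    "2011/07/06 17:10:06.0845 1428\t\\Device\\Harddisk0\\DR0 - ok\n"
    "2011/07/06 17:10:06.0846 1428\tRootkit.Win32.TDSS.tdl4(\\Device\\Harddisk0\\DR0) "
    "- User select action: Cure \n"
)

if __name__ == "__main__":
    for key, value in summarize(parse_tdsskiller_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Keying the inventory by path is deliberate: after the reboot and a second scan, comparing the MD5 recorded for `\Device\Harddisk0\DR0` in the two reports is a quick way to confirm the MBR actually changed, rather than relying only on the "ok" status line.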

----------



## johnb35

You had an MBR infection.  Now try running ComboFix, it should run without issues now.  Hopefully.  Make sure you reboot the pc first before running ComboFix.  Make sure Trend Micro is disabled again.


----------



## M199

Oh I see.. Thank you.
So once combo has finished and I get the log.. You will need it and an updated hijackthis log, correct?


----------



## johnb35

You are correct.


----------



## M199

May I ask if these logs I'm posting hold any..information I should/ someone should remove once/if we're able to kick my pc back to order? I don't know what I'm really looking at with them, so I'm not very sure.


----------



## johnb35

They don't hold any pertinent, personal information.  Basically files that were created in the last 30 days, services/drivers running on the system and what runs at bootup and other info.  So no worries.


----------



## M199

Phew. Ok, cool then.


----------



## M199

Ok combo is rebooting my computer now.. Logs shortly.

Er.. Trend Micro is starting up but combo says not to start any programs.
Wait to see what happens or cntrl alt del to see if I can stop it?

Also I now have an icon on my computer saying 'the internet' with an explorer icon. Did combo put that on?


----------



## M199

Nvm. 
Combo then Hijack.


ComboFix 11-07-06.03 - Amanda 07/06/2011  17:23:35.1.2 - x64
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.5886.4237 [GMT -4:00]
Running from: c:\users\Amanda\Downloads\ComboFix.exe
AV: Trend Micro Titanium *Disabled/Updated* {68F968AC-2AA0-091D-848C-803E83E35902}
SP: Trend Micro Titanium *Disabled/Updated* {D3988948-0C9A-0693-BE3C-BB4CF86413BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\atiumdva32.exe
c:\programdata\KBDCZ132.dll
c:\users\Amanda\11f5fe2a4b5bf2222732d4907dd8efeb.jpg
c:\users\Amanda\6a00d8341bfcfe53ef00e54f8f12648834-800wi.jpg
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{155ca05c-939f-4003-ad1f-993591e624bd}
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{155ca05c-939f-4003-ad1f-993591e624bd}\chrome.manifest
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{155ca05c-939f-4003-ad1f-993591e624bd}\chrome\xulcache.jar
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{155ca05c-939f-4003-ad1f-993591e624bd}\defaults\preferences\xulcache.js
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{155ca05c-939f-4003-ad1f-993591e624bd}\install.rdf
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{910a7df3-474a-45ec-b9d1-95dba03b39fd}
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{910a7df3-474a-45ec-b9d1-95dba03b39fd}\chrome.manifest
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{910a7df3-474a-45ec-b9d1-95dba03b39fd}\chrome\xulcache.jar
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{910a7df3-474a-45ec-b9d1-95dba03b39fd}\defaults\preferences\xulcache.js
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{910a7df3-474a-45ec-b9d1-95dba03b39fd}\install.rdf
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{9cfbdb48-7ddf-4789-bec1-1e50ccb17b26}
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{9cfbdb48-7ddf-4789-bec1-1e50ccb17b26}\chrome.manifest
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{9cfbdb48-7ddf-4789-bec1-1e50ccb17b26}\chrome\xulcache.jar
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{9cfbdb48-7ddf-4789-bec1-1e50ccb17b26}\defaults\preferences\xulcache.js
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{9cfbdb48-7ddf-4789-bec1-1e50ccb17b26}\install.rdf
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{f14115e8-1aab-4400-a2c1-21d1536d6fd9}
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{f14115e8-1aab-4400-a2c1-21d1536d6fd9}\chrome.manifest
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{f14115e8-1aab-4400-a2c1-21d1536d6fd9}\chrome\xulcache.jar
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{f14115e8-1aab-4400-a2c1-21d1536d6fd9}\defaults\preferences\xulcache.js
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{f14115e8-1aab-4400-a2c1-21d1536d6fd9}\install.rdf
c:\windows\security\Database\tmp.edb
c:\windows\system32\service
c:\windows\SysWow64\atiumdva32.dll
.
.
(((((((((((((((((((((((((   Files Created from 2011-06-06 to 2011-07-06  )))))))))))))))))))))))))))))))
.
.
2011-07-06 21:41 . 2011-07-06 21:44	--------	d-----w-	c:\users\Amanda\AppData\Local\temp
2011-07-06 21:41 . 2011-07-06 21:41	--------	d-----w-	c:\users\Default\AppData\Local\temp
2011-07-06 21:41 . 2011-07-06 21:41	--------	d-----w-	c:\users\Conrad\AppData\Local\temp
2011-07-06 15:11 . 2011-07-06 15:11	388096	----a-r-	c:\users\Amanda\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-07-06 15:11 . 2011-07-06 15:11	--------	d-----w-	c:\program files (x86)\Trend Micro
2011-07-06 14:56 . 2011-05-29 13:11	39984	----a-w-	c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-07-06 14:56 . 2011-07-06 14:56	--------	d-----w-	c:\program files (x86)\Malwarebytes' Anti-Malware
2011-07-06 00:17 . 2011-07-06 00:17	--------	d-----w-	c:\users\Amanda\AppData\Roaming\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2011-07-05 23:25 . 2011-07-05 23:25	--------	d-----w-	c:\users\Amanda\AppData\Local\{E1F1B8AB-513A-42EA-B43A-94676FF227C5}
2011-07-05 23:11 . 2011-07-05 23:11	--------	d-----w-	c:\users\Amanda\AppData\Local\{708EC9E2-0F25-4C8D-B544-C53A5F31C548}
2011-07-05 18:03 . 2011-07-05 18:03	--------	d-----w-	c:\users\Amanda\AppData\Local\{8EEA8D3F-FDE1-427A-92F6-4F625ACCE3C2}
2011-07-04 15:51 . 2011-07-04 15:52	--------	d-----w-	c:\users\Amanda\AppData\Local\{5F8B7C86-D474-42B7-92F2-6AA0752EA20F}
2011-07-04 03:33 . 2011-07-04 03:33	--------	d-----w-	c:\users\Amanda\AppData\Local\{EFF2BFFA-F6EB-44C9-8737-4F83D89ADAFB}
2011-07-03 15:32 . 2011-07-03 15:32	--------	d-----w-	c:\users\Amanda\AppData\Local\{051A39BC-DD8F-4B7D-BB40-9580344EB4A3}
2011-07-03 15:32 . 2011-07-03 15:32	--------	d-----w-	c:\users\Amanda\AppData\Local\{0DDABC47-9933-4B8F-9674-4B45C386B5D2}
2011-07-03 01:08 . 2011-07-03 01:09	--------	d-----w-	c:\users\Amanda\AppData\Local\{A40C2CBC-628F-4051-BA29-DD5D5ED839A8}
2011-07-02 05:12 . 2011-07-02 05:12	--------	d-----w-	c:\users\Amanda\AppData\Local\{F4498E2A-B7D8-483F-B6FB-15C23D892972}
2011-07-01 17:11 . 2011-07-01 17:12	--------	d-----w-	c:\users\Amanda\AppData\Local\{A7791A70-18CE-445F-8D20-C71B3E0BF311}
2011-07-01 05:11 . 2011-07-01 05:11	--------	d-----w-	c:\users\Amanda\AppData\Local\{914FAE73-9EE1-426E-B61E-0F624F85B5D6}
2011-07-01 02:29 . 2011-06-24 03:18	565248	----a-w-	c:\windows\SysWow64\MFC7132.exe
2011-06-30 17:11 . 2011-06-30 17:11	--------	d-----w-	c:\users\Amanda\AppData\Local\{B791BDEA-9467-4223-BAB7-610814CF88EA}
2011-06-30 02:48 . 2011-06-30 02:49	--------	d-----w-	c:\users\Amanda\AppData\Local\{DA34D2A1-88A9-44E3-91A5-FFCDCD4AF749}
2011-06-29 15:00 . 2011-04-29 16:15	344576	----a-w-	c:\windows\system32\schannel.dll
2011-06-29 15:00 . 2011-04-29 15:59	276992	----a-w-	c:\windows\SysWow64\schannel.dll
2011-06-29 14:48 . 2011-06-29 14:48	--------	d-----w-	c:\users\Amanda\AppData\Local\{D4C97552-AC88-40F7-A737-779335878ECD}
2011-06-28 20:10 . 2011-06-28 20:10	--------	d-----w-	c:\users\Amanda\AppData\Local\{E12DB36D-90BF-49C7-821A-06D891DD8B04}
2011-06-28 15:22 . 2011-06-28 15:22	--------	d-----w-	c:\users\Amanda\AppData\Local\{DEF4FA9B-4320-4395-9272-3FAD4112D6DE}
2011-06-28 02:38 . 2011-06-28 02:39	--------	d-----w-	c:\users\Amanda\AppData\Local\{702E43A5-6481-4DBA-B256-56631C65DAA6}
2011-06-27 14:38 . 2011-06-27 14:38	2106216	----a-w-	c:\program files (x86)\Mozilla Firefox\D3DCompiler_43.dll
2011-06-27 14:38 . 2011-06-27 14:38	1998168	----a-w-	c:\program files (x86)\Mozilla Firefox\d3dx9_43.dll
2011-06-27 14:38 . 2011-06-27 14:38	--------	d-----w-	c:\users\Amanda\AppData\Local\{4862B418-97EB-44E6-B9D6-EE0C914208AF}
2011-06-26 22:51 . 2011-06-26 22:51	--------	d-----w-	c:\users\Amanda\AppData\Local\{C97556C9-F2DE-47F5-B944-D4D31B0E2749}
2011-06-25 14:40 . 2011-06-25 14:40	--------	d-----w-	c:\users\Amanda\AppData\Local\{896A5C8D-22F9-486C-8922-19567548F373}
2011-06-25 02:40 . 2011-06-25 02:40	--------	d-----w-	c:\users\Amanda\AppData\Local\{7BD80AE4-C1A4-4470-B306-E5B2FCE555EE}
2011-06-24 04:14 . 2011-06-24 04:15	--------	d-----w-	c:\users\Amanda\AppData\Local\{3D3A9B2E-9356-4158-BD96-7FF57325A1F0}
2011-06-23 16:14 . 2011-06-23 16:14	--------	d-----w-	c:\users\Amanda\AppData\Local\{387C1C23-49D8-497B-8A7C-EDD96485E0A5}
2011-06-22 16:47 . 2011-06-22 16:47	--------	d-----w-	c:\users\Amanda\AppData\Local\{BAF196F3-24D3-4914-8009-E81B704816EE}
2011-06-22 02:31 . 2011-06-22 02:31	--------	d-----w-	c:\users\Amanda\AppData\Local\{964DB97D-5339-4E6D-847E-A82C5972F672}
2011-06-21 14:31 . 2011-06-21 14:31	--------	d-----w-	c:\users\Amanda\AppData\Local\{3C444365-2D9E-4C9D-BBEF-64B4402B191A}
2011-06-21 02:30 . 2011-06-21 02:30	--------	d-----w-	c:\users\Amanda\AppData\Local\{989BED54-CB62-4FFB-AD59-67060E408F96}
2011-06-20 14:30 . 2011-06-20 14:30	--------	d-----w-	c:\users\Amanda\AppData\Local\{930971A1-C894-45C6-98CD-2E52EDB7258E}
2011-06-20 02:29 . 2011-06-20 02:29	--------	d-----w-	c:\users\Amanda\AppData\Local\{B5ED8CC9-8D53-4F47-8410-87C4B7923543}
2011-06-19 14:29 . 2011-06-19 14:29	--------	d-----w-	c:\users\Amanda\AppData\Local\{B980E578-E4CD-4721-9F5B-58679FA0AAB0}
2011-06-18 19:51 . 2011-06-18 19:51	--------	d-----w-	c:\users\Amanda\AppData\Local\{6BAC88CF-9BFD-4DF5-93D8-3EBC9E1FE2F3}
2011-06-18 07:00 . 2011-06-18 07:00	--------	d-----w-	c:\users\Amanda\AppData\Local\{F575B316-42FB-4DFF-A1B5-E1CB284B93D1}
2011-06-17 18:21 . 2011-06-17 18:21	--------	d-----w-	c:\users\Amanda\AppData\Local\{96BAC7EC-237C-4CE9-A9C2-2B123AAF39FE}
2011-06-17 03:47 . 2011-06-17 03:47	--------	d-----w-	c:\users\Amanda\AppData\Local\{7856E2DD-3445-4AE5-A28A-EBE3711481A5}
2011-06-16 15:46 . 2011-06-16 15:46	--------	d-----w-	c:\users\Amanda\AppData\Local\{6661605C-CD9C-4B9B-9E92-239EFB619CF5}
2011-06-15 17:05 . 2011-06-15 17:06	--------	d-----w-	c:\users\Amanda\AppData\Local\{E480E33E-BF23-45C5-A5FF-D3236330088E}
2011-06-15 17:05 . 2011-07-01 03:35	404640	----a-w-	c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-06-14 16:04 . 2011-06-14 16:04	--------	d-----w-	c:\users\Amanda\AppData\Local\{E6967010-9F29-4EA8-8BAB-5BDE0CB78E7F}
2011-06-14 04:03 . 2011-06-14 04:04	--------	d-----w-	c:\users\Amanda\AppData\Local\{5B81C99C-5405-4287-AB56-84FE27372F27}
2011-06-14 00:03 . 2011-06-14 00:03	--------	d-----w-	c:\program files (x86)\MAGIX
2011-06-14 00:03 . 2011-06-14 00:03	--------	d-----w-	c:\program files (x86)\Common Files\MAGIX Services
2011-06-13 16:03 . 2011-06-13 16:03	--------	d-----w-	c:\users\Amanda\AppData\Local\{30AE5C27-4137-4D93-8C5C-6BCF90350067}
2011-06-13 14:54 . 2011-06-13 14:54	--------	d-----w-	c:\program files (x86)\Safari
2011-06-13 14:42 . 2011-06-13 14:42	--------	d-----w-	c:\program files\iPod
2011-06-13 14:42 . 2011-06-13 14:43	--------	d-----w-	c:\program files\iTunes
2011-06-13 14:42 . 2011-06-13 14:43	--------	d-----w-	c:\program files (x86)\iTunes
2011-06-13 14:38 . 2011-06-13 14:38	--------	d-----w-	c:\program files\Bonjour
2011-06-13 14:38 . 2011-06-13 14:38	--------	d-----w-	c:\program files (x86)\Bonjour
2011-06-13 04:03 . 2011-06-13 04:03	--------	d-----w-	c:\users\Amanda\AppData\Local\{64ECE93A-C153-4C03-81A2-143DEC656BEF}
2011-06-13 01:09 . 2011-06-13 01:09	--------	d-----w-	c:\users\Amanda\AppData\Roaming\Malwarebytes
2011-06-13 01:09 . 2011-06-13 01:09	--------	d-----w-	c:\programdata\Malwarebytes
2011-06-13 01:09 . 2011-05-29 13:11	25912	----a-w-	c:\windows\system32\drivers\mbam.sys
2011-06-13 00:10 . 2011-06-27 14:38	142296	----a-w-	c:\program files (x86)\Mozilla Firefox\components\browsercomps.dll
2011-06-13 00:10 . 2011-06-27 14:38	89048	----a-w-	c:\program files (x86)\Mozilla Firefox\libEGL.dll
2011-06-13 00:10 . 2011-06-27 14:38	465880	----a-w-	c:\program files (x86)\Mozilla Firefox\libGLESv2.dll
2011-06-13 00:10 . 2011-06-27 14:38	15832	----a-w-	c:\program files (x86)\Mozilla Firefox\mozalloc.dll
2011-06-13 00:10 . 2011-06-27 14:38	781272	----a-w-	c:\program files (x86)\Mozilla Firefox\mozsqlite3.dll
2011-06-13 00:10 . 2011-06-27 14:38	1850328	----a-w-	c:\program files (x86)\Mozilla Firefox\mozjs.dll
2011-06-12 16:02 . 2011-06-12 16:02	--------	d-----w-	c:\users\Amanda\AppData\Local\{2A365877-4EBB-45A7-B3F9-D5AD505FFE96}
2011-06-11 16:38 . 2011-06-11 16:38	--------	d-----w-	c:\users\Amanda\AppData\Local\{574707A2-08B5-4F47-B05F-40776CC58D13}
2011-06-11 04:37 . 2011-06-11 04:38	--------	d-----w-	c:\users\Amanda\AppData\Local\{9F923E77-452C-4B68-8571-FB0D384BDD7D}
2011-06-10 16:37 . 2011-06-10 16:37	--------	d-----w-	c:\users\Amanda\AppData\Local\{24AEE9CE-FB43-47F0-AA11-9CB58BA1E431}
2011-06-10 04:17 . 2011-06-10 04:18	--------	d-----w-	c:\users\Amanda\AppData\Local\{BD454A98-10F5-477D-81A9-B5807C41416A}
2011-06-09 16:17 . 2011-06-09 16:17	--------	d-----w-	c:\users\Amanda\AppData\Local\{46540E4E-F89C-4C40-9A49-E030CBB76EB1}
2011-06-09 02:41 . 2011-06-09 02:41	--------	d-----w-	c:\users\Amanda\AppData\Local\{07ACFEBB-1BF7-44D7-9B33-E7C0F7D95432}
2011-06-08 14:41 . 2011-06-08 14:41	--------	d-----w-	c:\users\Amanda\AppData\Local\{DE60CE78-130B-4965-8E5F-43F2E6E26133}
2011-06-08 02:36 . 2011-06-08 02:36	--------	d-----w-	c:\users\Amanda\AppData\Local\{2CB2C257-D560-400E-AA25-08A8D8150D3A}
2011-06-07 16:35 . 2011-06-07 16:35	103864	----a-w-	c:\program files (x86)\Mozilla Firefox\plugins\nppdf32.dll
2011-06-07 16:35 . 2011-06-07 16:35	103864	----a-w-	c:\program files (x86)\Internet Explorer\Plugins\nppdf32.dll
2011-06-07 14:16 . 2011-06-07 14:17	--------	d-----w-	c:\users\Amanda\AppData\Local\{D3CADEE5-44DE-4EE2-8B7B-170645592A62}
2011-06-07 02:16 . 2011-06-07 02:16	--------	d-----w-	c:\users\Amanda\AppData\Local\{0D238451-BFFB-46AE-BA46-EFC4449A0C45}
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-10 12:06 . 2011-05-10 12:06	51712	----a-w-	c:\windows\system32\drivers\usbaapl64.sys
2011-05-10 12:06 . 2011-05-10 12:06	4517664	----a-w-	c:\windows\system32\usbaaplrc.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files (x86)\Yahoo!\Companion\Installs\cpn4\YTNavAssist.dll" [2011-03-16 214840]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{A31F34A1-EBD2-45A2-BF6D-231C1B987CC8}]
[HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-09 68856]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"YSearchProtection"="c:\program files (x86)\Yahoo!\Search Protection\YspService.exe" [2010-06-14 296248]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-30 61440]
"LchDrvKey"="LchDrvKey.exe" [2007-03-29 36864]
"LedKey"="CNYHKey.exe" [2008-04-24 339968]
"CLMLServer"="c:\program files (x86)\Cyberlink\Power2Go\CLMLSvc.exe" [2008-12-24 103720]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-06-07 421160]
"AppleSyncNotifier"="c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-11-02 8704]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-23 135664]
R3 b57nd60a;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60a.sys [x]
R3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files (x86)\Common Files\MAGIX Services\Database\bin\fbserver.exe [2008-08-07 3276800]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-23 135664]
R3 PCASp50a64;PCASp50a64 NDIS Protocol Driver;c:\windows\system32\Drivers\PCASp50a64.sys [x]
R3 PCTINDIS5X64;PCTINDIS5X64 NDIS Protocol Driver;c:\windows\system32\PCTINDIS5X64.SYS [x]
R3 SWNC8U80;Sierra Wireless MUX NDIS Driver (UMTS80);c:\windows\system32\DRIVERS\swnc8u80.sys [x]
R3 SWUMX80;Sierra Wireless USB MUX Driver (UMTS80);c:\windows\system32\DRIVERS\swumx80.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [2010-09-24 306416]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 1020768]
R4 ahcix64s;ahcix64s;c:\windows\system32\drivers\ahcix64s.sys [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2008-01-21 27648]
S2 Amsp;Trend Micro Solution Platform;c:\program files\Trend Micro\AMSP\coreServiceShell.exe coreFrameworkHost.exe [x]
S2 Fabs;FABS - Helping agent for MAGIX media database;c:\program files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe [2009-08-27 1253376]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\DRIVERS\tmevtmgr.sys [x]
S2 yksvc;Marvell Yukon Service;c:\windows\System32\svchost.exe [2008-01-21 27648]
S3 netr28ux;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28ux.sys [x]
S3 yukonx64;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk60x64.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
getPlusHelper	REG_MULTI_SZ   	getPlusHelper
Akamai	REG_MULTI_SZ   	Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-23 17:50]
.
2011-07-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-23 17:50]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-03-30 7574048]
"Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2009-03-30 1833504]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-09-24 163568]
"Trend Micro Titanium"="c:\program files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" [2011-02-17 1111568]
"Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2011-02-10 197152]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://www.yahoo.com
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:59778
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.2.1 74.128.17.114 74.128.19.102
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://m.www.yahoo.com/\r
FF - prefs.js: network.proxy.http_port - 59778
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, true
.
.
------- File Associations -------
.
exefile="c:\windows\SysWOW64\config\systemprofile\AppData\Local\hcq.exe" -a "%1" %*
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{009A6416-669F-4147-8F1B-176A85CCE46a} - c:\windows\SysWow64\atiumdva32.dll
BHO-{010DBB78-2FED-4AED-A7E8-DC083989F51f} - c:\windows\SysWow64\atiumdva32.dll
BHO-{015113EC-A4E0-4FB1-9CE1-2140252DABE2} - c:\windows\SysWow64\atiumdva32.dll
Wow6432Node-HKCU-Run-DW6 - c:\program files (x86)\The Weather Channel FW\Desktop\DesktopWeather.exe
Wow6432Node-HKCU-Run-msnmsgr - c:\program files (x86)\Windows Live\Messenger\msnmsgr.exe
Wow6432Node-HKCU-Run-e466e1645b951d29a0bcbe4576d3713d - c:\users\Amanda\DOWNLO~1\RI1FB0~1.EXE
Wow6432Node-HKCU-Run-AdobeBridge - (no file)
Wow6432Node-HKLM-Run-Gateway Photo Frame - c:\program files (x86)\Gateway Photo Frame\ButtonMonitor.exe
SharedTaskScheduler-{705FB965-7459-4644-BF5E-12152519A1D8} - (no file)
SafeBoot-WudfPf
SafeBoot-WudfRd
WebBrowser-{D0523BB4-21E7-11DD-9AB7-415B56D89593} - (no file)
HKLM-Run-Windows Defender - c:\program files (x86)\Windows Defender\MSASCui.exe
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
AddRemove-Gateway Game Console - c:\program files (x86)\Gateway Games\Gateway Game Console\Uninstall.exe
AddRemove-MAGIX Speed 2 UK - c:\program files (x86)\MAGIX\Speed2_burnR_mxcdr\unwise.exe
AddRemove-The Weather Channel Desktop 6 - c:\program files (x86)\The Weather Channel FW\Desktop\TheWeatherChannelCustomUninstall.exe
AddRemove-WT046831 - c:\program files (x86)\Gateway Games\Bejeweled 2 Deluxe\Uninstall.exe
AddRemove-WT046838 - c:\program files (x86)\Gateway Games\Build-a-lot 2\Uninstall.exe
AddRemove-WT046859 - c:\program files (x86)\Gateway Games\Chuzzle Deluxe\Uninstall.exe
AddRemove-WT046882 - c:\program files (x86)\Gateway Games\Dream Chronicles 2\Uninstall.exe
AddRemove-WT046884 - c:\program files (x86)\Gateway Games\FATE\Uninstall.exe
AddRemove-WT046904 - c:\program files (x86)\Gateway Games\Polar Bowler\Uninstall.exe
AddRemove-WT046906 - c:\program files (x86)\Gateway Games\Polar Golfer\Uninstall.exe
AddRemove-WT046908 - c:\program files (x86)\Gateway Games\Polar Pool\Uninstall.exe
AddRemove-WT046910 - c:\program files (x86)\Gateway Games\The Price is Right\Uninstall.exe
AddRemove-WT046928 - c:\program files (x86)\Gateway Games\Virtual Villagers - A New Home\Uninstall.exe
AddRemove-WT070562 - c:\program files (x86)\Gateway Games\Success Story\Uninstall.exe
AddRemove-WT071801 - c:\program files (x86)\Gateway Games\Zoo Vet\Uninstall.exe
AddRemove-WT072374 - c:\program files (x86)\Gateway Games\Burger Island\Uninstall.exe
AddRemove-WT072473 - c:\program files (x86)\Gateway Games\Chocolatier - Decadence by Design\Uninstall.exe
AddRemove-WT072477 - c:\program files (x86)\Gateway Games\Ciao Bella\Uninstall.exe
AddRemove-WT072769 - c:\program files (x86)\Gateway Games\Dress Shop Hop\Uninstall.exe
AddRemove-WT072823 - c:\program files (x86)\Gateway Games\Family Feud Hollywood Edition\Uninstall.exe
AddRemove-WT072848 - c:\program files (x86)\Gateway Games\Feeding Frenzy 2\Uninstall.exe
AddRemove-WT072867 - c:\program files (x86)\Gateway Games\FishCo\Uninstall.exe
AddRemove-WT072885 - c:\program files (x86)\Gateway Games\Fish Tycoon\Uninstall.exe
AddRemove-WT073317 - c:\program files (x86)\Gateway Games\Lemonade Tycoon 2\Uninstall.exe
AddRemove-WT074007 - c:\program files (x86)\Gateway Games\Stand O' Food\Uninstall.exe
AddRemove-WT074201 - c:\program files (x86)\Gateway Games\Virtual Villagers - Chapter 2 - The Lost Children\Uninstall.exe
AddRemove-WT074261 - c:\program files (x86)\Gateway Games\Westward\Uninstall.exe
AddRemove-WT074344 - c:\program files (x86)\Gateway Games\Winemaker Extraordinaire\Uninstall.exe
AddRemove-WT075246 - c:\program files (x86)\Gateway Games\Jane's Zoo\Uninstall.exe
AddRemove-WT076382 - c:\program files (x86)\Gateway Games\3 Days - Zoo Mystery\Uninstall.exe
AddRemove-WT078827 - c:\program files (x86)\Gateway Games\Nanny 911\Uninstall.exe
AddRemove-WT079516 - c:\program files (x86)\Gateway Games\Deer Drive\Uninstall.exe
AddRemove-WT079573 - c:\program files (x86)\Gateway Games\MONOPOLY Build-a-lot Edition\Uninstall.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{015113EC-A4E0-4FB1-9CE1-2140252DABE2}"=hex:51,66,7a,6c,4c,1d,38,12,82,10,42,
   05,d2,ea,df,0a,e3,f7,62,00,20,73,ef,f6
"{014D2F73-E2A5-44F6-BD45-F0A791DE42A7}"=hex:51,66,7a,6c,4c,1d,38,12,1d,2c,5e,
   05,97,ac,98,01,c2,53,b3,e7,94,80,06,b3
"{010DBB78-2FED-4AED-A7E8-DC083989F51F}"=hex:51,66,7a,6c,4c,1d,38,12,16,b8,1e,
   05,df,61,83,0f,d8,fe,9f,48,3c,d7,b1,0b
"{009A6416-669F-4147-8F1B-176A85CCE46A}"=hex:51,66,7a,6c,4c,1d,38,12,78,67,89,
   04,ad,28,29,04,f0,0d,54,2a,80,92,a0,7e
.
[HKEY_USERS\S-1-5-21-2819834726-533737158-1913216436-1000\Software\SecuROM\License information*]
"datasecu"=hex:71,1d,81,de,fe,f4,50,82,c4,5b,8b,93,a1,93,1a,f8,e9,47,58,e8,a3,
   0f,6b,38,5c,d0,bf,13,43,71,55,72,c3,27,da,64,dd,d6,91,51,db,17,59,57,a7,a1,\
"rkeysecu"=hex:6d,fd,d5,a6,54,58,d5,b1,55,2c,10,1a,0b,7c,0c,a1
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10t_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10t_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
   00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Bonjour\mDNSResponder.exe
c:\windows\SysWOW64\mfc7132.exe
c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\programdata\atiumdva32.exe
c:\program files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\MHotKey.exe
c:\windows\ChiFuncExt.exe
c:\windows\CNYHKey.exe
c:\windows\ModLedKey.exe
.
**************************************************************************
.
Completion time: 2011-07-06  17:50:47 - machine was rebooted
ComboFix-quarantined-files.txt  2011-07-06 21:50
.
Pre-Run: 397,411,774,464 bytes free
Post-Run: 400,064,819,200 bytes free
.
- - End Of File - - D882E408958C4C8116865FFB322E91B6


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:53:05 PM, on 7/6/2011
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files (x86)\Yahoo!\Search Protection\YspService.exe
C:\Windows\CNYHKey.exe
C:\Program Files (x86)\Cyberlink\Power2Go\CLMLSvc.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Windows\ModLedKey.exe
C:\Program Files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/?pc=ZUGO&form=ZGAPHP
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=0609&m=dx4300
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:59778
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - URLSearchHook: YTNavAssist.YTNavAssistPlugin Class - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn4\YTNavAssist.dll
O2 - BHO: (no name) - {009A6416-669F-4147-8F1B-176A85CCE46a} - C:\Windows\SysWow64\atiumdva32.dll (file missing)
O2 - BHO: (no name) - {010DBB78-2FED-4AED-A7E8-DC083989F51f} - C:\Windows\SysWow64\atiumdva32.dll (file missing)
O2 - BHO: (no name) - {015113EC-A4E0-4FB1-9CE1-2140252DABE2} - C:\Windows\SysWow64\atiumdva32.dll (file missing)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Trend Micro NSC BHO - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files\Trend Micro\AMSP\Module\20004\1.5.1464\6.6.1079\TmIEPlg32.dll
O2 - BHO: YSPManager - {25BC7718-0BFA-40EA-B381-4B2D9732D686} - C:\Program Files (x86)\Yahoo!\Search Protection\ysp.dll
O2 - BHO: Trend Micro Toolbar BHO - {43C6D902-A1C5-45c9-91F6-FD9E90337E18} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll (file missing)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Messenger Companion Helper - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll
O2 - BHO: TmBpIeBHO - {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} - C:\Program Files\Trend Micro\AMSP\Module\20002\6.5.1234\6.5.1234\TmBpIe32.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn4\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn4\yt.dll
O3 - Toolbar: Trend Micro Toolbar - {CCAC5586-44D7-4c43-B64A-F042461A97D2} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll (file missing)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [LchDrvKey] LchDrvKey.exe
O4 - HKLM\..\Run: [LedKey] CNYHKey.exe
O4 - HKLM\..\Run: [CLMLServer] "C:\Program Files (x86)\Cyberlink\Power2Go\CLMLSvc.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files (x86)\Yahoo!\Search Protection\YspService.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
O9 - Extra button: @C:\Program Files (x86)\Windows Live\Companion\companionlang.dll,-600 - {0000036B-C524-4050-81A0-243669A86B9F} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - (no file)
O9 - Extra button: (no name) - {925DAB62-F9AC-4221-806A-057BFB1014AA} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\Module\20002\6.5.1234\6.5.1234\TmBpIe32.dll
O18 - Protocol: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\Module\20004\1.5.1464\6.6.1079\TmIEPlg32.dll
O18 - Protocol: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll (file missing)
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O22 - SharedTaskScheduler: HopalustRdp - {705FB965-7459-4644-BF5E-12152519A1D8} - (no file)
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Trend Micro Solution Platform (Amsp) - Trend Micro Inc. - C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - Unknown owner - C:\Windows\system32\Ati2evxx.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: FABS - Helping agent for MAGIX media database (Fabs) - MAGIX AG - C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe
O23 - Service: Function Discovery Resource Publication  (FDResPub32) - Unknown owner - c:\windows\system32\mfc7132.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\fbserver.exe
O23 - Service: GameConsoleService - Unknown owner - C:\Program Files (x86)\Gateway Games\Gateway Game Console\GameConsoleService.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - C:\Program Files (x86)\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - C:\Program Files (x86)\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
O23 - Service: Zune Wireless Configuration Service (ZuneWlanCfgSvc) - Unknown owner - c:\Windows\system32\ZuneWlanCfgSvc.exe (file missing)

--
End of file - 12258 bytes


----------



## M199

Nvm. 
Combo then Hijack.


ComboFix 11-07-06.03 - Amanda 07/06/2011  17:23:35.1.2 - x64
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.5886.4237 [GMT -4:00]
Running from: c:\users\Amanda\Downloads\ComboFix.exe
AV: Trend Micro Titanium *Disabled/Updated* {68F968AC-2AA0-091D-848C-803E83E35902}
SP: Trend Micro Titanium *Disabled/Updated* {D3988948-0C9A-0693-BE3C-BB4CF86413BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\atiumdva32.exe
c:\programdata\KBDCZ132.dll
c:\users\Amanda\11f5fe2a4b5bf2222732d4907dd8efeb.jpg
c:\users\Amanda\6a00d8341bfcfe53ef00e54f8f12648834-800wi.jpg
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{155ca05c-939f-4003-ad1f-993591e624bd}
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{155ca05c-939f-4003-ad1f-993591e624bd}\chrome.manifest
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{155ca05c-939f-4003-ad1f-993591e624bd}\chrome\xulcache.jar
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{155ca05c-939f-4003-ad1f-993591e624bd}\defaults\preferences\xulcache.js
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{155ca05c-939f-4003-ad1f-993591e624bd}\install.rdf
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{910a7df3-474a-45ec-b9d1-95dba03b39fd}
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{910a7df3-474a-45ec-b9d1-95dba03b39fd}\chrome.manifest
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{910a7df3-474a-45ec-b9d1-95dba03b39fd}\chrome\xulcache.jar
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{910a7df3-474a-45ec-b9d1-95dba03b39fd}\defaults\preferences\xulcache.js
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{910a7df3-474a-45ec-b9d1-95dba03b39fd}\install.rdf
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{9cfbdb48-7ddf-4789-bec1-1e50ccb17b26}
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{9cfbdb48-7ddf-4789-bec1-1e50ccb17b26}\chrome.manifest
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{9cfbdb48-7ddf-4789-bec1-1e50ccb17b26}\chrome\xulcache.jar
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{9cfbdb48-7ddf-4789-bec1-1e50ccb17b26}\defaults\preferences\xulcache.js
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{9cfbdb48-7ddf-4789-bec1-1e50ccb17b26}\install.rdf
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{f14115e8-1aab-4400-a2c1-21d1536d6fd9}
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{f14115e8-1aab-4400-a2c1-21d1536d6fd9}\chrome.manifest
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{f14115e8-1aab-4400-a2c1-21d1536d6fd9}\chrome\xulcache.jar
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{f14115e8-1aab-4400-a2c1-21d1536d6fd9}\defaults\preferences\xulcache.js
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{f14115e8-1aab-4400-a2c1-21d1536d6fd9}\install.rdf
c:\windows\security\Database\tmp.edb
c:\windows\system32\service
c:\windows\SysWow64\atiumdva32.dll
.
.
(((((((((((((((((((((((((   Files Created from 2011-06-06 to 2011-07-06  )))))))))))))))))))))))))))))))
.
.
2011-07-06 21:41 . 2011-07-06 21:44	--------	d-----w-	c:\users\Amanda\AppData\Local\temp
2011-07-06 21:41 . 2011-07-06 21:41	--------	d-----w-	c:\users\Default\AppData\Local\temp
2011-07-06 21:41 . 2011-07-06 21:41	--------	d-----w-	c:\users\Conrad\AppData\Local\temp
2011-07-06 15:11 . 2011-07-06 15:11	388096	----a-r-	c:\users\Amanda\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-07-06 15:11 . 2011-07-06 15:11	--------	d-----w-	c:\program files (x86)\Trend Micro
2011-07-06 14:56 . 2011-05-29 13:11	39984	----a-w-	c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-07-06 14:56 . 2011-07-06 14:56	--------	d-----w-	c:\program files (x86)\Malwarebytes' Anti-Malware
2011-07-06 00:17 . 2011-07-06 00:17	--------	d-----w-	c:\users\Amanda\AppData\Roaming\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2011-07-05 23:25 . 2011-07-05 23:25	--------	d-----w-	c:\users\Amanda\AppData\Local\{E1F1B8AB-513A-42EA-B43A-94676FF227C5}
2011-07-05 23:11 . 2011-07-05 23:11	--------	d-----w-	c:\users\Amanda\AppData\Local\{708EC9E2-0F25-4C8D-B544-C53A5F31C548}
2011-07-05 18:03 . 2011-07-05 18:03	--------	d-----w-	c:\users\Amanda\AppData\Local\{8EEA8D3F-FDE1-427A-92F6-4F625ACCE3C2}
2011-07-04 15:51 . 2011-07-04 15:52	--------	d-----w-	c:\users\Amanda\AppData\Local\{5F8B7C86-D474-42B7-92F2-6AA0752EA20F}
2011-07-04 03:33 . 2011-07-04 03:33	--------	d-----w-	c:\users\Amanda\AppData\Local\{EFF2BFFA-F6EB-44C9-8737-4F83D89ADAFB}
2011-07-03 15:32 . 2011-07-03 15:32	--------	d-----w-	c:\users\Amanda\AppData\Local\{051A39BC-DD8F-4B7D-BB40-9580344EB4A3}
2011-07-03 15:32 . 2011-07-03 15:32	--------	d-----w-	c:\users\Amanda\AppData\Local\{0DDABC47-9933-4B8F-9674-4B45C386B5D2}
2011-07-03 01:08 . 2011-07-03 01:09	--------	d-----w-	c:\users\Amanda\AppData\Local\{A40C2CBC-628F-4051-BA29-DD5D5ED839A8}
2011-07-02 05:12 . 2011-07-02 05:12	--------	d-----w-	c:\users\Amanda\AppData\Local\{F4498E2A-B7D8-483F-B6FB-15C23D892972}
2011-07-01 17:11 . 2011-07-01 17:12	--------	d-----w-	c:\users\Amanda\AppData\Local\{A7791A70-18CE-445F-8D20-C71B3E0BF311}
2011-07-01 05:11 . 2011-07-01 05:11	--------	d-----w-	c:\users\Amanda\AppData\Local\{914FAE73-9EE1-426E-B61E-0F624F85B5D6}
2011-07-01 02:29 . 2011-06-24 03:18	565248	----a-w-	c:\windows\SysWow64\MFC7132.exe
2011-06-30 17:11 . 2011-06-30 17:11	--------	d-----w-	c:\users\Amanda\AppData\Local\{B791BDEA-9467-4223-BAB7-610814CF88EA}
2011-06-30 02:48 . 2011-06-30 02:49	--------	d-----w-	c:\users\Amanda\AppData\Local\{DA34D2A1-88A9-44E3-91A5-FFCDCD4AF749}
2011-06-29 15:00 . 2011-04-29 16:15	344576	----a-w-	c:\windows\system32\schannel.dll
2011-06-29 15:00 . 2011-04-29 15:59	276992	----a-w-	c:\windows\SysWow64\schannel.dll
2011-06-29 14:48 . 2011-06-29 14:48	--------	d-----w-	c:\users\Amanda\AppData\Local\{D4C97552-AC88-40F7-A737-779335878ECD}
2011-06-28 20:10 . 2011-06-28 20:10	--------	d-----w-	c:\users\Amanda\AppData\Local\{E12DB36D-90BF-49C7-821A-06D891DD8B04}
2011-06-28 15:22 . 2011-06-28 15:22	--------	d-----w-	c:\users\Amanda\AppData\Local\{DEF4FA9B-4320-4395-9272-3FAD4112D6DE}
2011-06-28 02:38 . 2011-06-28 02:39	--------	d-----w-	c:\users\Amanda\AppData\Local\{702E43A5-6481-4DBA-B256-56631C65DAA6}
2011-06-27 14:38 . 2011-06-27 14:38	2106216	----a-w-	c:\program files (x86)\Mozilla Firefox\D3DCompiler_43.dll
2011-06-27 14:38 . 2011-06-27 14:38	1998168	----a-w-	c:\program files (x86)\Mozilla Firefox\d3dx9_43.dll
2011-06-27 14:38 . 2011-06-27 14:38	--------	d-----w-	c:\users\Amanda\AppData\Local\{4862B418-97EB-44E6-B9D6-EE0C914208AF}
2011-06-26 22:51 . 2011-06-26 22:51	--------	d-----w-	c:\users\Amanda\AppData\Local\{C97556C9-F2DE-47F5-B944-D4D31B0E2749}
2011-06-25 14:40 . 2011-06-25 14:40	--------	d-----w-	c:\users\Amanda\AppData\Local\{896A5C8D-22F9-486C-8922-19567548F373}
2011-06-25 02:40 . 2011-06-25 02:40	--------	d-----w-	c:\users\Amanda\AppData\Local\{7BD80AE4-C1A4-4470-B306-E5B2FCE555EE}
2011-06-24 04:14 . 2011-06-24 04:15	--------	d-----w-	c:\users\Amanda\AppData\Local\{3D3A9B2E-9356-4158-BD96-7FF57325A1F0}
2011-06-23 16:14 . 2011-06-23 16:14	--------	d-----w-	c:\users\Amanda\AppData\Local\{387C1C23-49D8-497B-8A7C-EDD96485E0A5}
2011-06-22 16:47 . 2011-06-22 16:47	--------	d-----w-	c:\users\Amanda\AppData\Local\{BAF196F3-24D3-4914-8009-E81B704816EE}
2011-06-22 02:31 . 2011-06-22 02:31	--------	d-----w-	c:\users\Amanda\AppData\Local\{964DB97D-5339-4E6D-847E-A82C5972F672}
2011-06-21 14:31 . 2011-06-21 14:31	--------	d-----w-	c:\users\Amanda\AppData\Local\{3C444365-2D9E-4C9D-BBEF-64B4402B191A}
2011-06-21 02:30 . 2011-06-21 02:30	--------	d-----w-	c:\users\Amanda\AppData\Local\{989BED54-CB62-4FFB-AD59-67060E408F96}
2011-06-20 14:30 . 2011-06-20 14:30	--------	d-----w-	c:\users\Amanda\AppData\Local\{930971A1-C894-45C6-98CD-2E52EDB7258E}
2011-06-20 02:29 . 2011-06-20 02:29	--------	d-----w-	c:\users\Amanda\AppData\Local\{B5ED8CC9-8D53-4F47-8410-87C4B7923543}
2011-06-19 14:29 . 2011-06-19 14:29	--------	d-----w-	c:\users\Amanda\AppData\Local\{B980E578-E4CD-4721-9F5B-58679FA0AAB0}
2011-06-18 19:51 . 2011-06-18 19:51	--------	d-----w-	c:\users\Amanda\AppData\Local\{6BAC88CF-9BFD-4DF5-93D8-3EBC9E1FE2F3}
2011-06-18 07:00 . 2011-06-18 07:00	--------	d-----w-	c:\users\Amanda\AppData\Local\{F575B316-42FB-4DFF-A1B5-E1CB284B93D1}
2011-06-17 18:21 . 2011-06-17 18:21	--------	d-----w-	c:\users\Amanda\AppData\Local\{96BAC7EC-237C-4CE9-A9C2-2B123AAF39FE}
2011-06-17 03:47 . 2011-06-17 03:47	--------	d-----w-	c:\users\Amanda\AppData\Local\{7856E2DD-3445-4AE5-A28A-EBE3711481A5}
2011-06-16 15:46 . 2011-06-16 15:46	--------	d-----w-	c:\users\Amanda\AppData\Local\{6661605C-CD9C-4B9B-9E92-239EFB619CF5}
2011-06-15 17:05 . 2011-06-15 17:06	--------	d-----w-	c:\users\Amanda\AppData\Local\{E480E33E-BF23-45C5-A5FF-D3236330088E}
2011-06-15 17:05 . 2011-07-01 03:35	404640	----a-w-	c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-06-14 16:04 . 2011-06-14 16:04	--------	d-----w-	c:\users\Amanda\AppData\Local\{E6967010-9F29-4EA8-8BAB-5BDE0CB78E7F}
2011-06-14 04:03 . 2011-06-14 04:04	--------	d-----w-	c:\users\Amanda\AppData\Local\{5B81C99C-5405-4287-AB56-84FE27372F27}
2011-06-14 00:03 . 2011-06-14 00:03	--------	d-----w-	c:\program files (x86)\MAGIX
2011-06-14 00:03 . 2011-06-14 00:03	--------	d-----w-	c:\program files (x86)\Common Files\MAGIX Services
2011-06-13 16:03 . 2011-06-13 16:03	--------	d-----w-	c:\users\Amanda\AppData\Local\{30AE5C27-4137-4D93-8C5C-6BCF90350067}
2011-06-13 14:54 . 2011-06-13 14:54	--------	d-----w-	c:\program files (x86)\Safari
2011-06-13 14:42 . 2011-06-13 14:42	--------	d-----w-	c:\program files\iPod
2011-06-13 14:42 . 2011-06-13 14:43	--------	d-----w-	c:\program files\iTunes
2011-06-13 14:42 . 2011-06-13 14:43	--------	d-----w-	c:\program files (x86)\iTunes
2011-06-13 14:38 . 2011-06-13 14:38	--------	d-----w-	c:\program files\Bonjour
2011-06-13 14:38 . 2011-06-13 14:38	--------	d-----w-	c:\program files (x86)\Bonjour
2011-06-13 04:03 . 2011-06-13 04:03	--------	d-----w-	c:\users\Amanda\AppData\Local\{64ECE93A-C153-4C03-81A2-143DEC656BEF}
2011-06-13 01:09 . 2011-06-13 01:09	--------	d-----w-	c:\users\Amanda\AppData\Roaming\Malwarebytes
2011-06-13 01:09 . 2011-06-13 01:09	--------	d-----w-	c:\programdata\Malwarebytes
2011-06-13 01:09 . 2011-05-29 13:11	25912	----a-w-	c:\windows\system32\drivers\mbam.sys
2011-06-13 00:10 . 2011-06-27 14:38	142296	----a-w-	c:\program files (x86)\Mozilla Firefox\components\browsercomps.dll
2011-06-13 00:10 . 2011-06-27 14:38	89048	----a-w-	c:\program files (x86)\Mozilla Firefox\libEGL.dll
2011-06-13 00:10 . 2011-06-27 14:38	465880	----a-w-	c:\program files (x86)\Mozilla Firefox\libGLESv2.dll
2011-06-13 00:10 . 2011-06-27 14:38	15832	----a-w-	c:\program files (x86)\Mozilla Firefox\mozalloc.dll
2011-06-13 00:10 . 2011-06-27 14:38	781272	----a-w-	c:\program files (x86)\Mozilla Firefox\mozsqlite3.dll
2011-06-13 00:10 . 2011-06-27 14:38	1850328	----a-w-	c:\program files (x86)\Mozilla Firefox\mozjs.dll
2011-06-12 16:02 . 2011-06-12 16:02	--------	d-----w-	c:\users\Amanda\AppData\Local\{2A365877-4EBB-45A7-B3F9-D5AD505FFE96}
2011-06-11 16:38 . 2011-06-11 16:38	--------	d-----w-	c:\users\Amanda\AppData\Local\{574707A2-08B5-4F47-B05F-40776CC58D13}
2011-06-11 04:37 . 2011-06-11 04:38	--------	d-----w-	c:\users\Amanda\AppData\Local\{9F923E77-452C-4B68-8571-FB0D384BDD7D}
2011-06-10 16:37 . 2011-06-10 16:37	--------	d-----w-	c:\users\Amanda\AppData\Local\{24AEE9CE-FB43-47F0-AA11-9CB58BA1E431}
2011-06-10 04:17 . 2011-06-10 04:18	--------	d-----w-	c:\users\Amanda\AppData\Local\{BD454A98-10F5-477D-81A9-B5807C41416A}
2011-06-09 16:17 . 2011-06-09 16:17	--------	d-----w-	c:\users\Amanda\AppData\Local\{46540E4E-F89C-4C40-9A49-E030CBB76EB1}
2011-06-09 02:41 . 2011-06-09 02:41	--------	d-----w-	c:\users\Amanda\AppData\Local\{07ACFEBB-1BF7-44D7-9B33-E7C0F7D95432}
2011-06-08 14:41 . 2011-06-08 14:41	--------	d-----w-	c:\users\Amanda\AppData\Local\{DE60CE78-130B-4965-8E5F-43F2E6E26133}
2011-06-08 02:36 . 2011-06-08 02:36	--------	d-----w-	c:\users\Amanda\AppData\Local\{2CB2C257-D560-400E-AA25-08A8D8150D3A}
2011-06-07 16:35 . 2011-06-07 16:35	103864	----a-w-	c:\program files (x86)\Mozilla Firefox\plugins\nppdf32.dll
2011-06-07 16:35 . 2011-06-07 16:35	103864	----a-w-	c:\program files (x86)\Internet Explorer\Plugins\nppdf32.dll
2011-06-07 14:16 . 2011-06-07 14:17	--------	d-----w-	c:\users\Amanda\AppData\Local\{D3CADEE5-44DE-4EE2-8B7B-170645592A62}
2011-06-07 02:16 . 2011-06-07 02:16	--------	d-----w-	c:\users\Amanda\AppData\Local\{0D238451-BFFB-46AE-BA46-EFC4449A0C45}
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-10 12:06 . 2011-05-10 12:06	51712	----a-w-	c:\windows\system32\drivers\usbaapl64.sys
2011-05-10 12:06 . 2011-05-10 12:06	4517664	----a-w-	c:\windows\system32\usbaaplrc.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files (x86)\Yahoo!\Companion\Installs\cpn4\YTNavAssist.dll" [2011-03-16 214840]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{A31F34A1-EBD2-45A2-BF6D-231C1B987CC8}]
[HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-09 68856]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"YSearchProtection"="c:\program files (x86)\Yahoo!\Search Protection\YspService.exe" [2010-06-14 296248]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-30 61440]
"LchDrvKey"="LchDrvKey.exe" [2007-03-29 36864]
"LedKey"="CNYHKey.exe" [2008-04-24 339968]
"CLMLServer"="c:\program files (x86)\Cyberlink\Power2Go\CLMLSvc.exe" [2008-12-24 103720]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-06-07 421160]
"AppleSyncNotifier"="c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-11-02 8704]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-23 135664]
R3 b57nd60a;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60a.sys [x]
R3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files (x86)\Common Files\MAGIX Services\Database\bin\fbserver.exe [2008-08-07 3276800]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-23 135664]
R3 PCASp50a64;PCASp50a64 NDIS Protocol Driver;c:\windows\system32\Drivers\PCASp50a64.sys [x]
R3 PCTINDIS5X64;PCTINDIS5X64 NDIS Protocol Driver;c:\windows\system32\PCTINDIS5X64.SYS [x]
R3 SWNC8U80;Sierra Wireless MUX NDIS Driver (UMTS80);c:\windows\system32\DRIVERS\swnc8u80.sys [x]
R3 SWUMX80;Sierra Wireless USB MUX Driver (UMTS80);c:\windows\system32\DRIVERS\swumx80.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [2010-09-24 306416]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 1020768]
R4 ahcix64s;ahcix64s;c:\windows\system32\drivers\ahcix64s.sys [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2008-01-21 27648]
S2 Amsp;Trend Micro Solution Platform;c:\program files\Trend Micro\AMSP\coreServiceShell.exe coreFrameworkHost.exe [x]
S2 Fabs;FABS - Helping agent for MAGIX media database;c:\program files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe [2009-08-27 1253376]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\DRIVERS\tmevtmgr.sys [x]
S2 yksvc;Marvell Yukon Service;c:\windows\System32\svchost.exe [2008-01-21 27648]
S3 netr28ux;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28ux.sys [x]
S3 yukonx64;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk60x64.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
getPlusHelper	REG_MULTI_SZ   	getPlusHelper
Akamai	REG_MULTI_SZ   	Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-23 17:50]
.
2011-07-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-23 17:50]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-03-30 7574048]
"Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2009-03-30 1833504]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-09-24 163568]
"Trend Micro Titanium"="c:\program files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" [2011-02-17 1111568]
"Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2011-02-10 197152]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://www.yahoo.com
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:59778
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.2.1 74.128.17.114 74.128.19.102
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://m.www.yahoo.com/\r
FF - prefs.js: network.proxy.http_port - 59778
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, true
.
.
------- File Associations -------
.
exefile="c:\windows\SysWOW64\config\systemprofile\AppData\Local\hcq.exe" -a "%1" %*
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{009A6416-669F-4147-8F1B-176A85CCE46a} - c:\windows\SysWow64\atiumdva32.dll
BHO-{010DBB78-2FED-4AED-A7E8-DC083989F51f} - c:\windows\SysWow64\atiumdva32.dll
BHO-{015113EC-A4E0-4FB1-9CE1-2140252DABE2} - c:\windows\SysWow64\atiumdva32.dll
Wow6432Node-HKCU-Run-DW6 - c:\program files (x86)\The Weather Channel FW\Desktop\DesktopWeather.exe
Wow6432Node-HKCU-Run-msnmsgr - c:\program files (x86)\Windows Live\Messenger\msnmsgr.exe
Wow6432Node-HKCU-Run-e466e1645b951d29a0bcbe4576d3713d - c:\users\Amanda\DOWNLO~1\RI1FB0~1.EXE
Wow6432Node-HKCU-Run-AdobeBridge - (no file)
Wow6432Node-HKLM-Run-Gateway Photo Frame - c:\program files (x86)\Gateway Photo Frame\ButtonMonitor.exe
SharedTaskScheduler-{705FB965-7459-4644-BF5E-12152519A1D8} - (no file)
SafeBoot-WudfPf
SafeBoot-WudfRd
WebBrowser-{D0523BB4-21E7-11DD-9AB7-415B56D89593} - (no file)
HKLM-Run-Windows Defender - c:\program files (x86)\Windows Defender\MSASCui.exe
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
AddRemove-Gateway Game Console - c:\program files (x86)\Gateway Games\Gateway Game Console\Uninstall.exe
AddRemove-MAGIX Speed 2 UK - c:\program files (x86)\MAGIX\Speed2_burnR_mxcdr\unwise.exe
AddRemove-The Weather Channel Desktop 6 - c:\program files (x86)\The Weather Channel FW\Desktop\TheWeatherChannelCustomUninstall.exe
AddRemove-WT046831 - c:\program files (x86)\Gateway Games\Bejeweled 2 Deluxe\Uninstall.exe
AddRemove-WT046838 - c:\program files (x86)\Gateway Games\Build-a-lot 2\Uninstall.exe
AddRemove-WT046859 - c:\program files (x86)\Gateway Games\Chuzzle Deluxe\Uninstall.exe
AddRemove-WT046882 - c:\program files (x86)\Gateway Games\Dream Chronicles 2\Uninstall.exe
AddRemove-WT046884 - c:\program files (x86)\Gateway Games\FATE\Uninstall.exe
AddRemove-WT046904 - c:\program files (x86)\Gateway Games\Polar Bowler\Uninstall.exe
AddRemove-WT046906 - c:\program files (x86)\Gateway Games\Polar Golfer\Uninstall.exe
AddRemove-WT046908 - c:\program files (x86)\Gateway Games\Polar Pool\Uninstall.exe
AddRemove-WT046910 - c:\program files (x86)\Gateway Games\The Price is Right\Uninstall.exe
AddRemove-WT046928 - c:\program files (x86)\Gateway Games\Virtual Villagers - A New Home\Uninstall.exe
AddRemove-WT070562 - c:\program files (x86)\Gateway Games\Success Story\Uninstall.exe
AddRemove-WT071801 - c:\program files (x86)\Gateway Games\Zoo Vet\Uninstall.exe
AddRemove-WT072374 - c:\program files (x86)\Gateway Games\Burger Island\Uninstall.exe
AddRemove-WT072473 - c:\program files (x86)\Gateway Games\Chocolatier - Decadence by Design\Uninstall.exe
AddRemove-WT072477 - c:\program files (x86)\Gateway Games\Ciao Bella\Uninstall.exe
AddRemove-WT072769 - c:\program files (x86)\Gateway Games\Dress Shop Hop\Uninstall.exe
AddRemove-WT072823 - c:\program files (x86)\Gateway Games\Family Feud Hollywood Edition\Uninstall.exe
AddRemove-WT072848 - c:\program files (x86)\Gateway Games\Feeding Frenzy 2\Uninstall.exe
AddRemove-WT072867 - c:\program files (x86)\Gateway Games\FishCo\Uninstall.exe
AddRemove-WT072885 - c:\program files (x86)\Gateway Games\Fish Tycoon\Uninstall.exe
AddRemove-WT073317 - c:\program files (x86)\Gateway Games\Lemonade Tycoon 2\Uninstall.exe
AddRemove-WT074007 - c:\program files (x86)\Gateway Games\Stand O' Food\Uninstall.exe
AddRemove-WT074201 - c:\program files (x86)\Gateway Games\Virtual Villagers - Chapter 2 - The Lost Children\Uninstall.exe
AddRemove-WT074261 - c:\program files (x86)\Gateway Games\Westward\Uninstall.exe
AddRemove-WT074344 - c:\program files (x86)\Gateway Games\Winemaker Extraordinaire\Uninstall.exe
AddRemove-WT075246 - c:\program files (x86)\Gateway Games\Jane's Zoo\Uninstall.exe
AddRemove-WT076382 - c:\program files (x86)\Gateway Games\3 Days - Zoo Mystery\Uninstall.exe
AddRemove-WT078827 - c:\program files (x86)\Gateway Games\Nanny 911\Uninstall.exe
AddRemove-WT079516 - c:\program files (x86)\Gateway Games\Deer Drive\Uninstall.exe
AddRemove-WT079573 - c:\program files (x86)\Gateway Games\MONOPOLY Build-a-lot Edition\Uninstall.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{015113EC-A4E0-4FB1-9CE1-2140252DABE2}"=hex:51,66,7a,6c,4c,1d,38,12,82,10,42,
   05,d2,ea,df,0a,e3,f7,62,00,20,73,ef,f6
"{014D2F73-E2A5-44F6-BD45-F0A791DE42A7}"=hex:51,66,7a,6c,4c,1d,38,12,1d,2c,5e,
   05,97,ac,98,01,c2,53,b3,e7,94,80,06,b3
"{010DBB78-2FED-4AED-A7E8-DC083989F51F}"=hex:51,66,7a,6c,4c,1d,38,12,16,b8,1e,
   05,df,61,83,0f,d8,fe,9f,48,3c,d7,b1,0b
"{009A6416-669F-4147-8F1B-176A85CCE46A}"=hex:51,66,7a,6c,4c,1d,38,12,78,67,89,
   04,ad,28,29,04,f0,0d,54,2a,80,92,a0,7e
.
[HKEY_USERS\S-1-5-21-2819834726-533737158-1913216436-1000\Software\SecuROM\License information*]
"datasecu"=hex:71,1d,81,de,fe,f4,50,82,c4,5b,8b,93,a1,93,1a,f8,e9,47,58,e8,a3,
   0f,6b,38,5c,d0,bf,13,43,71,55,72,c3,27,da,64,dd,d6,91,51,db,17,59,57,a7,a1,\
"rkeysecu"=hex:6d,fd,d5,a6,54,58,d5,b1,55,2c,10,1a,0b,7c,0c,a1
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10t_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10t_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
   00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Bonjour\mDNSResponder.exe
c:\windows\SysWOW64\mfc7132.exe
c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\programdata\atiumdva32.exe
c:\program files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\MHotKey.exe
c:\windows\ChiFuncExt.exe
c:\windows\CNYHKey.exe
c:\windows\ModLedKey.exe
.
**************************************************************************
.
Completion time: 2011-07-06  17:50:47 - machine was rebooted
ComboFix-quarantined-files.txt  2011-07-06 21:50
.
Pre-Run: 397,411,774,464 bytes free
Post-Run: 400,064,819,200 bytes free
.
- - End Of File - - D882E408958C4C8116865FFB322E91B6


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:53:05 PM, on 7/6/2011
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files (x86)\Yahoo!\Search Protection\YspService.exe
C:\Windows\CNYHKey.exe
C:\Program Files (x86)\Cyberlink\Power2Go\CLMLSvc.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Windows\ModLedKey.exe
C:\Program Files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/?pc=ZUGO&form=ZGAPHP
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=0609&m=dx4300
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:59778
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - URLSearchHook: YTNavAssist.YTNavAssistPlugin Class - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn4\YTNavAssist.dll
O2 - BHO: (no name) - {009A6416-669F-4147-8F1B-176A85CCE46a} - C:\Windows\SysWow64\atiumdva32.dll (file missing)
O2 - BHO: (no name) - {010DBB78-2FED-4AED-A7E8-DC083989F51f} - C:\Windows\SysWow64\atiumdva32.dll (file missing)
O2 - BHO: (no name) - {015113EC-A4E0-4FB1-9CE1-2140252DABE2} - C:\Windows\SysWow64\atiumdva32.dll (file missing)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Trend Micro NSC BHO - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files\Trend Micro\AMSP\Module\20004\1.5.1464\6.6.1079\TmIEPlg32.dll
O2 - BHO: YSPManager - {25BC7718-0BFA-40EA-B381-4B2D9732D686} - C:\Program Files (x86)\Yahoo!\Search Protection\ysp.dll
O2 - BHO: Trend Micro Toolbar BHO - {43C6D902-A1C5-45c9-91F6-FD9E90337E18} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll (file missing)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Messenger Companion Helper - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll
O2 - BHO: TmBpIeBHO - {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} - C:\Program Files\Trend Micro\AMSP\Module\20002\6.5.1234\6.5.1234\TmBpIe32.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn4\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn4\yt.dll
O3 - Toolbar: Trend Micro Toolbar - {CCAC5586-44D7-4c43-B64A-F042461A97D2} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll (file missing)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [LchDrvKey] LchDrvKey.exe
O4 - HKLM\..\Run: [LedKey] CNYHKey.exe
O4 - HKLM\..\Run: [CLMLServer] "C:\Program Files (x86)\Cyberlink\Power2Go\CLMLSvc.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files (x86)\Yahoo!\Search Protection\YspService.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
O9 - Extra button: @C:\Program Files (x86)\Windows Live\Companion\companionlang.dll,-600 - {0000036B-C524-4050-81A0-243669A86B9F} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - (no file)
O9 - Extra button: (no name) - {925DAB62-F9AC-4221-806A-057BFB1014AA} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\Module\20002\6.5.1234\6.5.1234\TmBpIe32.dll
O18 - Protocol: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\Module\20004\1.5.1464\6.6.1079\TmIEPlg32.dll
O18 - Protocol: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll (file missing)
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O22 - SharedTaskScheduler: HopalustRdp - {705FB965-7459-4644-BF5E-12152519A1D8} - (no file)
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Trend Micro Solution Platform (Amsp) - Trend Micro Inc. - C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - Unknown owner - C:\Windows\system32\Ati2evxx.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: FABS - Helping agent for MAGIX media database (Fabs) - MAGIX AG - C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe
O23 - Service: Function Discovery Resource Publication  (FDResPub32) - Unknown owner - c:\windows\system32\mfc7132.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\fbserver.exe
O23 - Service: GameConsoleService - Unknown owner - C:\Program Files (x86)\Gateway Games\Gateway Game Console\GameConsoleService.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - C:\Program Files (x86)\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - C:\Program Files (x86)\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
O23 - Service: Zune Wireless Configuration Service (ZuneWlanCfgSvc) - Unknown owner - c:\Windows\system32\ZuneWlanCfgSvc.exe (file missing)

--
End of file - 12258 bytes


----------



## johnb35

Ok, you will have to give me some time to post my next reply.  If you have something to do, go ahead and do it and check back later.  I need to get something to eat and maybe run an errand.  

Before you go though, please navigate to c:\qoobox and in that folder will be a file named add-remove programs.txt.  Please open that file and copy and paste the contents back here.


----------



## M199

Here you go

 Update for Microsoft Office 2007 (KB2508958)
3ivx MPEG-4 5.0.3 (remove only)
Acrobat.com
Adobe AIR
Adobe Community Help
Adobe Download Manager
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Media Player
Adobe Reader 9.4.5
Adobe Shockwave Player 11.6
Akamai NetSession Interface
Aleks 3.12
Any Video Converter 2.7.6
Apple Application Support
Apple Software Update
Belkin Wireless USB Adapter Setup
CamStudio
Canon DIGITAL CAMERA Solution Disk Software Guide
CANON iMAGE GATEWAY Task for ZoomBrowser EX
Canon Internet Library for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon Personal Printing Guide
Canon PowerShot SX120 IS Camera User Guide
Canon Utilities CameraWindow
Canon Utilities CameraWindow DC
Canon Utilities CameraWindow DC 8
Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
Canon Utilities MyCamera
Canon Utilities MyCamera DC
Canon Utilities PhotoStitch
Canon Utilities RemoteCapture Task for ZoomBrowser EX
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Vista
Catalyst Control Center InstallProxy
Catalyst Control Center Localization Danish
Catalyst Control Center Localization Dutch
Catalyst Control Center Localization Finnish
Catalyst Control Center Localization French
Catalyst Control Center Localization German
Catalyst Control Center Localization Italian
Catalyst Control Center Localization Japanese
Catalyst Control Center Localization Norwegian
Catalyst Control Center Localization Spanish
Catalyst Control Center Localization Swedish
ccc-core-static
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Italian
CCC Help Japanese
CCC Help Norwegian
CCC Help Spanish
CCC Help Swedish
Compatibility Pack for the 2007 Office system
CyberLink Power2Go
D3DX10
DivX Plus Web Player
Firebird SQL Server - MAGIX Edition
Gateway Recovery Management
GIMP 2.6.9
Google Toolbar for Internet Explorer
Google Update Helper
HiJackThis
HopalustRdp
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Java Auto Updater
Java(TM) 6 Update 22
Java(TM) 6 Update 5
Joydesk Games Setup - Arcade
KB0817 Keyboard Driver
MAGIX Music Maker 17 Download Version
MAGIX Screenshare
MAGIX Speed burnR (MSI)
Malwarebytes' Anti-Malware version 1.51.0.1200
Marvell Miniport Driver
Mesh Runtime
Messenger Companion
Microsoft Money Essentials
Microsoft Money Shared Libraries
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Home and Student 2007
Microsoft Office Live Add-in 1.3
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Suite Activation Assistant
Microsoft Office Word MUI (English) 2007
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft SQL Server Desktop Engine (SONY_MEDIAMGR)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Works
Microsoft_VC80_ATL_x86
Microsoft_VC80_CRT_x86
Microsoft_VC80_MFC_x86
Microsoft_VC80_MFCLOC_x86
Microsoft_VC90_ATL_x86
Microsoft_VC90_CRT_x86
Microsoft_VC90_MFC_x86
Mozilla Firefox 5.0 (x86 en-US)
MSVCRT
MSVCRT_amd64
muvee Plugin 1.0
QuickTime
Realtek High Definition Audio Driver
RennerPro e2 v2.02j 
Safari
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2509488)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft Office 2007 System (KB2541012)
Security Update for Microsoft Office Excel 2007 (KB2541007)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Segoe UI
Skins
Sony Media Manager 2.2
Sony Vegas 7.0b
Text-To-Speech-Runtime
The Weather Channel Desktop 6
Unity Web Player
Update for 2007 Microsoft Office System (KB2284654)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 System (KB2539530)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
VC80CRTRedist - 8.0.50727.4053
Windows Live Essentials
Windows Live Installer
Windows Live Mail
Windows Live Mesh
Windows Live Mesh ActiveX Control for Remote Connections
Windows Live Messenger
Windows Live Messenger Companion Core
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live Sync
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
Windows Media Player Firefox Plugin
Yahoo! Search Protection
Yahoo! Software Update
Yahoo! Toolbar



And thank you for your help so far. Greatly appreciated.


----------



## johnb35

A few things to do here.

1.

Please uninstall the following programs.

Java(TM) 6 Update 22
Java(TM) 6 Update 5

Then go here to install the latest version of Java.

http://www.java.com/en/download/index.jsp


2.

Rerun hijackthis and place checks next to the following entries.

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:59778
O2 - BHO: (no name) - {009A6416-669F-4147-8F1B-176A85CCE46a} - C:\Windows\SysWow64\atiumdva32.dll (file missing)
O2 - BHO: (no name) - {010DBB78-2FED-4AED-A7E8-DC083989F51f} - C:\Windows\SysWow64\atiumdva32.dll (file missing)
O2 - BHO: (no name) - {015113EC-A4E0-4FB1-9CE1-2140252DABE2} - C:\Windows\SysWow64\atiumdva32.dll (file missing)
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - (no file)
O9 - Extra button: (no name) - {925DAB62-F9AC-4221-806A-057BFB1014AA} - (no file)
O22 - SharedTaskScheduler: HopalustRdp - {705FB965-7459-4644-BF5E-12152519A1D8} - (no file)

Then click on fix checked at the bottom.


3.

Please move the combofix file to your desktop screen so you can perform the following procedure.


1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box

Code:

Dirlook::
c:\users\Amanda\AppData\Roaming\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
c:\users\Amanda\AppData\Local\{E1F1B8AB-513A-42EA-B43A-94676FF227C5}
c:\users\Amanda\AppData\Local\{708EC9E2-0F25-4C8D-B544-C53A5F31C548}
c:\users\Amanda\AppData\Local\{8EEA8D3F-FDE1-427A-92F6-4F625ACCE3C2}
c:\users\Amanda\AppData\Local\{5F8B7C86-D474-42B7-92F2-6AA0752EA20F}
c:\users\Amanda\AppData\Local\{EFF2BFFA-F6EB-44C9-8737-4F83D89ADAFB}
c:\users\Amanda\AppData\Local\{051A39BC-DD8F-4B7D-BB40-9580344EB4A3}
c:\users\Amanda\AppData\Local\{0DDABC47-9933-4B8F-9674-4B45C386B5D2}
c:\users\Amanda\AppData\Local\{A40C2CBC-628F-4051-BA29-DD5D5ED839A8}
c:\users\Amanda\AppData\Local\{F4498E2A-B7D8-483F-B6FB-15C23D892972}
c:\users\Amanda\AppData\Local\{A7791A70-18CE-445F-8D20-C71B3E0BF311}
c:\users\Amanda\AppData\Local\{914FAE73-9EE1-426E-B61E-0F624F85B5D6}
c:\users\Amanda\AppData\Local\{B791BDEA-9467-4223-BAB7-610814CF88EA}
c:\users\Amanda\AppData\Local\{DA34D2A1-88A9-44E3-91A5-FFCDCD4AF749}
c:\users\Amanda\AppData\Local\{D4C97552-AC88-40F7-A737-779335878ECD}
c:\users\Amanda\AppData\Local\{E12DB36D-90BF-49C7-821A-06D891DD8B04}
c:\users\Amanda\AppData\Local\{DEF4FA9B-4320-4395-9272-3FAD4112D6DE}
c:\users\Amanda\AppData\Local\{702E43A5-6481-4DBA-B256-56631C65DAA6}
c:\users\Amanda\AppData\Local\{4862B418-97EB-44E6-B9D6-EE0C914208AF}
c:\users\Amanda\AppData\Local\{C97556C9-F2DE-47F5-B944-D4D31B0E2749}
c:\users\Amanda\AppData\Local\{896A5C8D-22F9-486C-8922-19567548F373}
c:\users\Amanda\AppData\Local\{7BD80AE4-C1A4-4470-B306-E5B2FCE555EE}
c:\users\Amanda\AppData\Local\{3D3A9B2E-9356-4158-BD96-7FF57325A1F0}
c:\users\Amanda\AppData\Local\{387C1C23-49D8-497B-8A7C-EDD96485E0A5}
c:\users\Amanda\AppData\Local\{BAF196F3-24D3-4914-8009-E81B704816EE}
c:\users\Amanda\AppData\Local\{964DB97D-5339-4E6D-847E-A82C5972F672}
c:\users\Amanda\AppData\Local\{3C444365-2D9E-4C9D-BBEF-64B4402B191A}
c:\users\Amanda\AppData\Local\{989BED54-CB62-4FFB-AD59-67060E408F96}
c:\users\Amanda\AppData\Local\{930971A1-C894-45C6-98CD-2E52EDB7258E}
c:\users\Amanda\AppData\Local\{B5ED8CC9-8D53-4F47-8410-87C4B7923543}
c:\users\Amanda\AppData\Local\{B980E578-E4CD-4721-9F5B-58679FA0AAB0}
c:\users\Amanda\AppData\Local\{6BAC88CF-9BFD-4DF5-93D8-3EBC9E1FE2F3}
c:\users\Amanda\AppData\Local\{F575B316-42FB-4DFF-A1B5-E1CB284B93D1}
c:\users\Amanda\AppData\Local\{96BAC7EC-237C-4CE9-A9C2-2B123AAF39FE}
c:\users\Amanda\AppData\Local\{7856E2DD-3445-4AE5-A28A-EBE3711481A5}
c:\users\Amanda\AppData\Local\{6661605C-CD9C-4B9B-9E92-239EFB619CF5}
c:\users\Amanda\AppData\Local\{E480E33E-BF23-45C5-A5FF-D3236330088E}
c:\users\Amanda\AppData\Local\{E6967010-9F29-4EA8-8BAB-5BDE0CB78E7F}
c:\users\Amanda\AppData\Local\{5B81C99C-5405-4287-AB56-84FE27372F27}
c:\users\Amanda\AppData\Local\{30AE5C27-4137-4D93-8C5C-6BCF90350067}
c:\users\Amanda\AppData\Local\{64ECE93A-C153-4C03-81A2-143DEC656BEF}
c:\users\Amanda\AppData\Local\{2A365877-4EBB-45A7-B3F9-D5AD505FFE96}
c:\users\Amanda\AppData\Local\{574707A2-08B5-4F47-B05F-40776CC58D13}
c:\users\Amanda\AppData\Local\{9F923E77-452C-4B68-8571-FB0D384BDD7D}
c:\users\Amanda\AppData\Local\{24AEE9CE-FB43-47F0-AA11-9CB58BA1E431}
c:\users\Amanda\AppData\Local\{BD454A98-10F5-477D-81A9-B5807C41416A}
c:\users\Amanda\AppData\Local\{46540E4E-F89C-4C40-9A49-E030CBB76EB1}
c:\users\Amanda\AppData\Local\{07ACFEBB-1BF7-44D7-9B33-E7C0F7D95432}
c:\users\Amanda\AppData\Local\{DE60CE78-130B-4965-8E5F-43F2E6E26133}
c:\users\Amanda\AppData\Local\{2CB2C257-D560-400E-AA25-08A8D8150D3A}
c:\users\Amanda\AppData\Local\{D3CADEE5-44DE-4EE2-8B7B-170645592A62}
c:\users\Amanda\AppData\Local\{0D238451-BFFB-46AE-BA46-EFC4449A0C45}

Reglock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
[HKEY_USERS\S-1-5-21-2819834726-533737158-1913216436-1000\Software\SecuROM\License information*]
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]



3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.


----------



## johnb35

Oh and I forgot one thing.

I need you to go to Virustotal and upload this file.

c:\windows\SysWow64\MFC7132.exe

When the page loads, click on browse and navigate to that file and click on send file. And then when you get the results, give me the link (web address) so I can look at it.


----------



## M199

Hm.. not finding that file when I browse? Do I do this after I do what's in your first post?


----------



## johnb35

You can do it before if you want.  Are you in the syswow64 folder?


----------



## M199

Found it,
http://www.virustotal.com/file-scan...d8998196f962e0b4ead0939ffa695d2e58-1309998637


----------



## M199

Got this when I went to fix the entries..


----------



## johnb35

Ok, that file is a nasty so we need to get rid of it too.

Right click on hijackthis and click on "run as" and then perform the action. If you don't get the "run as" option to appear then press and hold the shift key while right clicking on hijackthis to get the "run as" option to appear.

Go ahead and run the combofix script I gave you and then I'll add the deletion of the nasty file to the next script I give you.


----------



## M199

Hm.. got this too. 
Do I just let it, then run combo like you said?


----------



## johnb35

Yep, let it run and then run the combofix script I gave you after you move the combofix file from your downloads directory to the desktop.


----------



## M199

Done
Here's the new combo log

ComboFix 11-07-06.04 - Amanda 07/06/2011  21:14:38.2.2 - x64
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.5886.4113 [GMT -4:00]
Running from: c:\users\Amanda\Downloads\ComboFix.exe
Command switches used :: c:\users\Amanda\Desktop\CFScript.txt
AV: Trend Micro Titanium *Disabled/Updated* {68F968AC-2AA0-091D-848C-803E83E35902}
SP: Trend Micro Titanium *Disabled/Updated* {D3988948-0C9A-0693-BE3C-BB4CF86413BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\atiumdva32.dll
c:\windows\SysWow64\atiumdva32.dll
.
.
(((((((((((((((((((((((((   Files Created from 2011-06-07 to 2011-07-07  )))))))))))))))))))))))))))))))
.
.
2011-07-07 01:36 . 2011-06-24 03:18	565248	----a-w-	c:\programdata\atiumdva32.exe
2011-07-07 01:36 . 2011-07-07 01:38	--------	d-----w-	c:\users\Amanda\AppData\Local\temp
2011-07-07 01:36 . 2011-07-07 01:36	--------	d-----w-	c:\windows\system32\config\systemprofile\AppData\Local\temp
2011-07-07 01:36 . 2011-07-07 01:36	--------	d-----w-	c:\users\Default\AppData\Local\temp
2011-07-07 01:36 . 2011-07-07 01:36	--------	d-----w-	c:\users\Conrad\AppData\Local\temp
2011-07-07 00:39 . 2011-07-07 00:39	--------	d-----w-	c:\program files (x86)\Common Files\Java
2011-07-06 15:11 . 2011-07-06 15:11	388096	----a-r-	c:\users\Amanda\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-07-06 15:11 . 2011-07-06 15:11	--------	d-----w-	c:\program files (x86)\Trend Micro
2011-07-06 14:56 . 2011-05-29 13:11	39984	----a-w-	c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-07-06 14:56 . 2011-07-06 14:56	--------	d-----w-	c:\program files (x86)\Malwarebytes' Anti-Malware
2011-07-06 00:17 . 2011-07-06 00:17	--------	d-----w-	c:\users\Amanda\AppData\Roaming\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2011-07-05 23:25 . 2011-07-05 23:25	--------	d-----w-	c:\users\Amanda\AppData\Local\{E1F1B8AB-513A-42EA-B43A-94676FF227C5}
2011-07-05 23:11 . 2011-07-05 23:11	--------	d-----w-	c:\users\Amanda\AppData\Local\{708EC9E2-0F25-4C8D-B544-C53A5F31C548}
2011-07-05 18:03 . 2011-07-05 18:03	--------	d-----w-	c:\users\Amanda\AppData\Local\{8EEA8D3F-FDE1-427A-92F6-4F625ACCE3C2}
2011-07-04 15:51 . 2011-07-04 15:52	--------	d-----w-	c:\users\Amanda\AppData\Local\{5F8B7C86-D474-42B7-92F2-6AA0752EA20F}
2011-07-04 03:33 . 2011-07-04 03:33	--------	d-----w-	c:\users\Amanda\AppData\Local\{EFF2BFFA-F6EB-44C9-8737-4F83D89ADAFB}
2011-07-03 15:32 . 2011-07-03 15:32	--------	d-----w-	c:\users\Amanda\AppData\Local\{051A39BC-DD8F-4B7D-BB40-9580344EB4A3}
2011-07-03 15:32 . 2011-07-03 15:32	--------	d-----w-	c:\users\Amanda\AppData\Local\{0DDABC47-9933-4B8F-9674-4B45C386B5D2}
2011-07-03 01:08 . 2011-07-03 01:09	--------	d-----w-	c:\users\Amanda\AppData\Local\{A40C2CBC-628F-4051-BA29-DD5D5ED839A8}
2011-07-02 05:12 . 2011-07-02 05:12	--------	d-----w-	c:\users\Amanda\AppData\Local\{F4498E2A-B7D8-483F-B6FB-15C23D892972}
2011-07-01 17:11 . 2011-07-01 17:12	--------	d-----w-	c:\users\Amanda\AppData\Local\{A7791A70-18CE-445F-8D20-C71B3E0BF311}
2011-07-01 05:11 . 2011-07-01 05:11	--------	d-----w-	c:\users\Amanda\AppData\Local\{914FAE73-9EE1-426E-B61E-0F624F85B5D6}
2011-07-01 02:29 . 2011-06-24 03:18	565248	----a-w-	c:\windows\SysWow64\MFC7132.exe
2011-06-30 17:11 . 2011-06-30 17:11	--------	d-----w-	c:\users\Amanda\AppData\Local\{B791BDEA-9467-4223-BAB7-610814CF88EA}
2011-06-30 02:48 . 2011-06-30 02:49	--------	d-----w-	c:\users\Amanda\AppData\Local\{DA34D2A1-88A9-44E3-91A5-FFCDCD4AF749}
2011-06-29 15:00 . 2011-04-29 16:15	344576	----a-w-	c:\windows\system32\schannel.dll
2011-06-29 15:00 . 2011-04-29 15:59	276992	----a-w-	c:\windows\SysWow64\schannel.dll
2011-06-29 14:48 . 2011-06-29 14:48	--------	d-----w-	c:\users\Amanda\AppData\Local\{D4C97552-AC88-40F7-A737-779335878ECD}
2011-06-28 20:10 . 2011-06-28 20:10	--------	d-----w-	c:\users\Amanda\AppData\Local\{E12DB36D-90BF-49C7-821A-06D891DD8B04}
2011-06-28 15:22 . 2011-06-28 15:22	--------	d-----w-	c:\users\Amanda\AppData\Local\{DEF4FA9B-4320-4395-9272-3FAD4112D6DE}
2011-06-28 02:38 . 2011-06-28 02:39	--------	d-----w-	c:\users\Amanda\AppData\Local\{702E43A5-6481-4DBA-B256-56631C65DAA6}
2011-06-27 14:38 . 2011-06-27 14:38	2106216	----a-w-	c:\program files (x86)\Mozilla Firefox\D3DCompiler_43.dll
2011-06-27 14:38 . 2011-06-27 14:38	1998168	----a-w-	c:\program files (x86)\Mozilla Firefox\d3dx9_43.dll
2011-06-27 14:38 . 2011-06-27 14:38	--------	d-----w-	c:\users\Amanda\AppData\Local\{4862B418-97EB-44E6-B9D6-EE0C914208AF}
2011-06-26 22:51 . 2011-06-26 22:51	--------	d-----w-	c:\users\Amanda\AppData\Local\{C97556C9-F2DE-47F5-B944-D4D31B0E2749}
2011-06-25 14:40 . 2011-06-25 14:40	--------	d-----w-	c:\users\Amanda\AppData\Local\{896A5C8D-22F9-486C-8922-19567548F373}
2011-06-25 02:40 . 2011-06-25 02:40	--------	d-----w-	c:\users\Amanda\AppData\Local\{7BD80AE4-C1A4-4470-B306-E5B2FCE555EE}
2011-06-24 04:14 . 2011-06-24 04:15	--------	d-----w-	c:\users\Amanda\AppData\Local\{3D3A9B2E-9356-4158-BD96-7FF57325A1F0}
2011-06-23 16:14 . 2011-06-23 16:14	--------	d-----w-	c:\users\Amanda\AppData\Local\{387C1C23-49D8-497B-8A7C-EDD96485E0A5}
2011-06-22 16:47 . 2011-06-22 16:47	--------	d-----w-	c:\users\Amanda\AppData\Local\{BAF196F3-24D3-4914-8009-E81B704816EE}
2011-06-22 02:31 . 2011-06-22 02:31	--------	d-----w-	c:\users\Amanda\AppData\Local\{964DB97D-5339-4E6D-847E-A82C5972F672}
2011-06-21 14:31 . 2011-06-21 14:31	--------	d-----w-	c:\users\Amanda\AppData\Local\{3C444365-2D9E-4C9D-BBEF-64B4402B191A}
2011-06-21 02:30 . 2011-06-21 02:30	--------	d-----w-	c:\users\Amanda\AppData\Local\{989BED54-CB62-4FFB-AD59-67060E408F96}
2011-06-20 14:30 . 2011-06-20 14:30	--------	d-----w-	c:\users\Amanda\AppData\Local\{930971A1-C894-45C6-98CD-2E52EDB7258E}
2011-06-20 02:29 . 2011-06-20 02:29	--------	d-----w-	c:\users\Amanda\AppData\Local\{B5ED8CC9-8D53-4F47-8410-87C4B7923543}
2011-06-19 14:29 . 2011-06-19 14:29	--------	d-----w-	c:\users\Amanda\AppData\Local\{B980E578-E4CD-4721-9F5B-58679FA0AAB0}
2011-06-18 19:51 . 2011-06-18 19:51	--------	d-----w-	c:\users\Amanda\AppData\Local\{6BAC88CF-9BFD-4DF5-93D8-3EBC9E1FE2F3}
2011-06-18 07:00 . 2011-06-18 07:00	--------	d-----w-	c:\users\Amanda\AppData\Local\{F575B316-42FB-4DFF-A1B5-E1CB284B93D1}
2011-06-17 18:21 . 2011-06-17 18:21	--------	d-----w-	c:\users\Amanda\AppData\Local\{96BAC7EC-237C-4CE9-A9C2-2B123AAF39FE}
2011-06-17 03:47 . 2011-06-17 03:47	--------	d-----w-	c:\users\Amanda\AppData\Local\{7856E2DD-3445-4AE5-A28A-EBE3711481A5}
2011-06-16 15:46 . 2011-06-16 15:46	--------	d-----w-	c:\users\Amanda\AppData\Local\{6661605C-CD9C-4B9B-9E92-239EFB619CF5}
2011-06-15 17:05 . 2011-06-15 17:06	--------	d-----w-	c:\users\Amanda\AppData\Local\{E480E33E-BF23-45C5-A5FF-D3236330088E}
2011-06-15 17:05 . 2011-07-01 03:35	404640	----a-w-	c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-06-14 16:04 . 2011-06-14 16:04	--------	d-----w-	c:\users\Amanda\AppData\Local\{E6967010-9F29-4EA8-8BAB-5BDE0CB78E7F}
2011-06-14 04:03 . 2011-06-14 04:04	--------	d-----w-	c:\users\Amanda\AppData\Local\{5B81C99C-5405-4287-AB56-84FE27372F27}
2011-06-14 00:03 . 2011-06-14 00:03	--------	d-----w-	c:\program files (x86)\MAGIX
2011-06-14 00:03 . 2011-06-14 00:03	--------	d-----w-	c:\program files (x86)\Common Files\MAGIX Services
2011-06-13 16:03 . 2011-06-13 16:03	--------	d-----w-	c:\users\Amanda\AppData\Local\{30AE5C27-4137-4D93-8C5C-6BCF90350067}
2011-06-13 14:54 . 2011-06-13 14:54	--------	d-----w-	c:\program files (x86)\Safari
2011-06-13 14:42 . 2011-06-13 14:42	--------	d-----w-	c:\program files\iPod
2011-06-13 14:42 . 2011-06-13 14:43	--------	d-----w-	c:\program files\iTunes
2011-06-13 14:42 . 2011-06-13 14:43	--------	d-----w-	c:\program files (x86)\iTunes
2011-06-13 14:38 . 2011-06-13 14:38	--------	d-----w-	c:\program files\Bonjour
2011-06-13 14:38 . 2011-06-13 14:38	--------	d-----w-	c:\program files (x86)\Bonjour
2011-06-13 04:03 . 2011-06-13 04:03	--------	d-----w-	c:\users\Amanda\AppData\Local\{64ECE93A-C153-4C03-81A2-143DEC656BEF}
2011-06-13 01:09 . 2011-06-13 01:09	--------	d-----w-	c:\users\Amanda\AppData\Roaming\Malwarebytes
2011-06-13 01:09 . 2011-06-13 01:09	--------	d-----w-	c:\programdata\Malwarebytes
2011-06-13 01:09 . 2011-05-29 13:11	25912	----a-w-	c:\windows\system32\drivers\mbam.sys
2011-06-13 00:10 . 2011-06-27 14:38	142296	----a-w-	c:\program files (x86)\Mozilla Firefox\components\browsercomps.dll
2011-06-13 00:10 . 2011-06-27 14:38	89048	----a-w-	c:\program files (x86)\Mozilla Firefox\libEGL.dll
2011-06-13 00:10 . 2011-06-27 14:38	465880	----a-w-	c:\program files (x86)\Mozilla Firefox\libGLESv2.dll
2011-06-13 00:10 . 2011-06-27 14:38	15832	----a-w-	c:\program files (x86)\Mozilla Firefox\mozalloc.dll
2011-06-13 00:10 . 2011-06-27 14:38	781272	----a-w-	c:\program files (x86)\Mozilla Firefox\mozsqlite3.dll
2011-06-13 00:10 . 2011-06-27 14:38	1850328	----a-w-	c:\program files (x86)\Mozilla Firefox\mozjs.dll
2011-06-12 16:02 . 2011-06-12 16:02	--------	d-----w-	c:\users\Amanda\AppData\Local\{2A365877-4EBB-45A7-B3F9-D5AD505FFE96}
2011-06-11 16:38 . 2011-06-11 16:38	--------	d-----w-	c:\users\Amanda\AppData\Local\{574707A2-08B5-4F47-B05F-40776CC58D13}
2011-06-11 04:37 . 2011-06-11 04:38	--------	d-----w-	c:\users\Amanda\AppData\Local\{9F923E77-452C-4B68-8571-FB0D384BDD7D}
2011-06-10 16:37 . 2011-06-10 16:37	--------	d-----w-	c:\users\Amanda\AppData\Local\{24AEE9CE-FB43-47F0-AA11-9CB58BA1E431}
2011-06-10 04:17 . 2011-06-10 04:18	--------	d-----w-	c:\users\Amanda\AppData\Local\{BD454A98-10F5-477D-81A9-B5807C41416A}
2011-06-09 16:17 . 2011-06-09 16:17	--------	d-----w-	c:\users\Amanda\AppData\Local\{46540E4E-F89C-4C40-9A49-E030CBB76EB1}
2011-06-09 02:41 . 2011-06-09 02:41	--------	d-----w-	c:\users\Amanda\AppData\Local\{07ACFEBB-1BF7-44D7-9B33-E7C0F7D95432}
2011-06-08 14:41 . 2011-06-08 14:41	--------	d-----w-	c:\users\Amanda\AppData\Local\{DE60CE78-130B-4965-8E5F-43F2E6E26133}
2011-06-08 02:36 . 2011-06-08 02:36	--------	d-----w-	c:\users\Amanda\AppData\Local\{2CB2C257-D560-400E-AA25-08A8D8150D3A}
2011-06-07 16:35 . 2011-06-07 16:35	103864	----a-w-	c:\program files (x86)\Mozilla Firefox\plugins\nppdf32.dll
2011-06-07 16:35 . 2011-06-07 16:35	103864	----a-w-	c:\program files (x86)\Internet Explorer\Plugins\nppdf32.dll
2011-06-07 14:16 . 2011-06-07 14:17	--------	d-----w-	c:\users\Amanda\AppData\Local\{D3CADEE5-44DE-4EE2-8B7B-170645592A62}
2011-06-07 02:16 . 2011-06-07 02:16	--------	d-----w-	c:\users\Amanda\AppData\Local\{0D238451-BFFB-46AE-BA46-EFC4449A0C45}
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-07 00:38 . 2010-07-25 23:37	472808	----a-w-	c:\windows\SysWow64\deployJava1.dll
2011-05-10 12:06 . 2011-05-10 12:06	51712	----a-w-	c:\windows\system32\drivers\usbaapl64.sys
2011-05-10 12:06 . 2011-05-10 12:06	4517664	----a-w-	c:\windows\system32\usbaaplrc.dll
.
.
((((((((((((((((((((((((((((((((((((((((((((   Look   )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\users\Amanda\AppData\Local\{051A39BC-DD8F-4B7D-BB40-9580344EB4A3} ----
.
.
---- Directory of c:\users\Amanda\AppData\Local\{07ACFEBB-1BF7-44D7-9B33-E7C0F7D95432} ----
.
.
---- Directory of c:\users\Amanda\AppData\Local\{0D238451-BFFB-46AE-BA46-EFC4449A0C45} ----
.
.
---- Directory of c:\users\Amanda\AppData\Local\{0DDABC47-9933-4B8F-9674-4B45C386B5D2} ----
.
.
---- Directory of c:\users\Amanda\AppData\Local\{24AEE9CE-FB43-47F0-AA11-9CB58BA1E431} ----
.
.
---- Directory of c:\users\Amanda\AppData\Local\{2A365877-4EBB-45A7-B3F9-D5AD505FFE96} ----
.
.
---- Directory of c:\users\Amanda\AppData\Local\{2CB2C257-D560-400E-AA25-08A8D8150D3A} ----
.
.
---- Directory of c:\users\Amanda\AppData\Local\{30AE5C27-4137-4D93-8C5C-6BCF90350067} ----
.
.
---- Directory of c:\users\Amanda\AppData\Local\{387C1C23-49D8-497B-8A7C-EDD96485E0A5} ----
.
.
---- Directory of c:\users\Amanda\AppData\Local\{3C444365-2D9E-4C9D-BBEF-64B4402B191A} ----
.
.
---- Directory of c:\users\Amanda\AppData\Local\{3D3A9B2E-9356-4158-BD96-7FF57325A1F0} ----
.
.
---- Directory of c:\users\Amanda\AppData\Local\{46540E4E-F89C-4C40-9A49-E030CBB76EB1} ----
.
.
---- Directory of c:\users\Amanda\AppData\Local\{4862B418-97EB-44E6-B9D6-EE0C914208AF} ----
.
.
---- Directory of c:\users\Amanda\AppData\Local\{574707A2-08B5-4F47-B05F-40776CC58D13} ----
.
.
---- Directory of c:\users\Amanda\AppData\Local\{5B81C99C-5405-4287-AB56-84FE27372F27} ----
.
.
---- Directory of c:\users\Amanda\AppData\Local\{5F8B7C86-D474-42B7-92F2-6AA0752EA20F} ----
.
.
---- Directory of c:\users\Amanda\AppData\Local\{64ECE93A-C153-4C03-81A2-143DEC656BEF} ----
.
.
---- Directory of c:\users\Amanda\AppData\Local\{6661605C-CD9C-4B9B-9E92-239EFB619CF5} ----
.
.
---- Directory of c:\users\Amanda\AppData\Local\{6BAC88CF-9BFD-4DF5-93D8-3EBC9E1FE2F3} ----
.
.
---- Directory of c:\users\Amanda\AppData\Local\{702E43A5-6481-4DBA-B256-56631C65DAA6} ----
.
.
---- Directory of c:\users\Amanda\AppData\Local\{708EC9E2-0F25-4C8D-B544-C53A5F31C548} ----
.
.
---- Directory of c:\users\Amanda\AppData\Local\{7856E2DD-3445-4AE5-A28A-EBE3711481A5} ----
.
.
---- Directory of c:\users\Amanda\AppData\Local\{7BD80AE4-C1A4-4470-B306-E5B2FCE555EE} ----
.
.
---- Directory of c:\users\Amanda\AppData\Local\{896A5C8D-22F9-486C-8922-19567548F373} ----
.
.
---- Directory of c:\users\Amanda\AppData\Local\{8EEA8D3F-FDE1-427A-92F6-4F625ACCE3C2} ----
.
.
---- Directory of c:\users\Amanda\AppData\Local\{914FAE73-9EE1-426E-B61E-0F624F85B5D6} ----
.
.
---- Directory of c:\users\Amanda\AppData\Local\{930971A1-C894-45C6-98CD-2E52EDB7258E} ----
.
.
---- Directory of c:\users\Amanda\AppData\Local\{964DB97D-5339-4E6D-847E-A82C5972F672} ----
.
.
---- Directory of c:\users\Amanda\AppData\Local\{96BAC7EC-237C-4CE9-A9C2-2B123AAF39FE} ----
.
.
---- Directory of c:\users\Amanda\AppData\Local\{989BED54-CB62-4FFB-AD59-67060E408F96} ----
.
.
---- Directory of c:\users\Amanda\AppData\Local\{9F923E77-452C-4B68-8571-FB0D384BDD7D} ----
.
.
---- Directory of c:\users\Amanda\AppData\Local\{A40C2CBC-628F-4051-BA29-DD5D5ED839A8} ----
.
.
---- Directory of c:\users\Amanda\AppData\Local\{A7791A70-18CE-445F-8D20-C71B3E0BF311} ----
.
.
---- Directory of c:\users\Amanda\AppData\Local\{B5ED8CC9-8D53-4F47-8410-87C4B7923543} ----
.
.
---- Directory of c:\users\Amanda\AppData\Local\{B791BDEA-9467-4223-BAB7-610814CF88EA} ----
.
.
---- Directory of c:\users\Amanda\AppData\Local\{B980E578-E4CD-4721-9F5B-58679FA0AAB0} ----
.
.
---- Directory of c:\users\Amanda\AppData\Local\{BAF196F3-24D3-4914-8009-E81B704816EE} ----
.
.
---- Directory of c:\users\Amanda\AppData\Local\{BD454A98-10F5-477D-81A9-B5807C41416A} ----
.
.
---- Directory of c:\users\Amanda\AppData\Local\{C97556C9-F2DE-47F5-B944-D4D31B0E2749} ----
.
.
---- Directory of c:\users\Amanda\AppData\Local\{D3CADEE5-44DE-4EE2-8B7B-170645592A62} ----
.
.
---- Directory of c:\users\Amanda\AppData\Local\{D4C97552-AC88-40F7-A737-779335878ECD} ----
.
.
---- Directory of c:\users\Amanda\AppData\Local\{DA34D2A1-88A9-44E3-91A5-FFCDCD4AF749} ----
.
.
---- Directory of c:\users\Amanda\AppData\Local\{DE60CE78-130B-4965-8E5F-43F2E6E26133} ----
.
.
---- Directory of c:\users\Amanda\AppData\Local\{DEF4FA9B-4320-4395-9272-3FAD4112D6DE} ----
.
.
---- Directory of c:\users\Amanda\AppData\Local\{E12DB36D-90BF-49C7-821A-06D891DD8B04} ----
.
.
---- Directory of c:\users\Amanda\AppData\Local\{E1F1B8AB-513A-42EA-B43A-94676FF227C5} ----
.
.
---- Directory of c:\users\Amanda\AppData\Local\{E480E33E-BF23-45C5-A5FF-D3236330088E} ----
.
.
---- Directory of c:\users\Amanda\AppData\Local\{E6967010-9F29-4EA8-8BAB-5BDE0CB78E7F} ----
.
.
---- Directory of c:\users\Amanda\AppData\Local\{EFF2BFFA-F6EB-44C9-8737-4F83D89ADAFB} ----
.
.
---- Directory of c:\users\Amanda\AppData\Local\{F4498E2A-B7D8-483F-B6FB-15C23D892972} ----
.
.
---- Directory of c:\users\Amanda\AppData\Local\{F575B316-42FB-4DFF-A1B5-E1CB284B93D1} ----
.
.
---- Directory of c:\users\Amanda\AppData\Roaming\chc.4875E02D9FB21E E389F73B8D1702B320485DF8CE.1 ----
.
.
.
(((((((((((((((((((((((((((((   [email protected]_21.44.18   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-21 03:20 . 2011-07-06 21:11	32768              c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-01-21 03:20 . 2011-07-06 22:14	32768              c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-01-21 03:20 . 2011-07-06 22:14	49152              c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-01-21 03:20 . 2011-07-06 21:11	49152              c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-21 03:20 . 2011-07-06 22:14	16384              c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-01-21 03:20 . 2011-07-06 21:11	16384              c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-01-21 02:23 . 2011-07-07 01:39	87734              c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 15:45 . 2011-07-07 01:39	97024              c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-08-09 00:10 . 2011-07-07 01:39	20972              c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2819834726-533737158-1913216436-1000_UserData.bin
- 2011-07-06 21:43 . 2011-07-06 21:43	2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-07-07 01:37 . 2011-07-07 01:37	2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-07-07 01:37 . 2011-07-07 01:37	2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2011-07-06 21:43 . 2011-07-06 21:43	2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-07-07 00:39 . 2011-07-07 00:38	157472              c:\windows\SysWOW64\javaws.exe
- 2010-10-27 22:35 . 2010-09-15 08:50	145184              c:\windows\SysWOW64\javaw.exe
+ 2011-07-07 00:39 . 2011-07-07 00:38	145184              c:\windows\SysWOW64\javaw.exe
+ 2011-07-07 00:39 . 2011-07-07 00:38	145184              c:\windows\SysWOW64\java.exe
- 2010-10-27 22:35 . 2010-09-15 08:50	145184              c:\windows\SysWOW64\java.exe
- 2010-11-12 04:49 . 2011-07-06 21:42	441820              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2010-11-12 04:49 . 2011-07-07 01:36	441820              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-07-07 00:39 . 2011-07-07 00:39	203776              c:\windows\Installer\9d68ec.msi
+ 2011-07-07 00:38 . 2011-07-07 00:38	675840              c:\windows\Installer\9d68de.msi
- 2010-11-12 04:49 . 2011-07-06 21:42	4897704              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2819834726-533737158-1913216436-1000-8192.dat
+ 2010-11-12 04:49 . 2011-07-07 01:36	4897704              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2819834726-533737158-1913216436-1000-8192.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files (x86)\Yahoo!\Companion\Installs\cpn4\YTNavAssist.dll" [2011-03-16 214840]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{A31F34A1-EBD2-45A2-BF6D-231C1B987CC8}]
[HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin]
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{009A6416-669F-4147-8F1B-176A85CCE46a}]
c:\windows\SysWow64\atiumdva32.dll [BU]
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{010DBB78-2FED-4AED-A7E8-DC083989F51f}]
c:\windows\SysWow64\atiumdva32.dll [BU]
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{015113EC-A4E0-4FB1-9CE1-2140252DABE2}]
c:\windows\SysWow64\atiumdva32.dll [BU]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-09 68856]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"YSearchProtection"="c:\program files (x86)\Yahoo!\Search Protection\YspService.exe" [2010-06-14 296248]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-30 61440]
"LchDrvKey"="LchDrvKey.exe" [2007-03-29 36864]
"LedKey"="CNYHKey.exe" [2008-04-24 339968]
"CLMLServer"="c:\program files (x86)\Cyberlink\Power2Go\CLMLSvc.exe" [2008-12-24 103720]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-06-07 421160]
"AppleSyncNotifier"="c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-11-02 8704]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-23 135664]
R3 b57nd60a;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60a.sys [x]
R3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files (x86)\Common Files\MAGIX Services\Database\bin\fbserver.exe [2008-08-07 3276800]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-23 135664]
R3 PCASp50a64;PCASp50a64 NDIS Protocol Driver;c:\windows\system32\Drivers\PCASp50a64.sys [x]
R3 PCTINDIS5X64;PCTINDIS5X64 NDIS Protocol Driver;c:\windows\system32\PCTINDIS5X64.SYS [x]
R3 SWNC8U80;Sierra Wireless MUX NDIS Driver (UMTS80);c:\windows\system32\DRIVERS\swnc8u80.sys [x]
R3 SWUMX80;Sierra Wireless USB MUX Driver (UMTS80);c:\windows\system32\DRIVERS\swumx80.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [2010-09-24 306416]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 1020768]
R4 ahcix64s;ahcix64s;c:\windows\system32\drivers\ahcix64s.sys [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2008-01-21 27648]
S2 Amsp;Trend Micro Solution Platform;c:\program files\Trend Micro\AMSP\coreServiceShell.exe coreFrameworkHost.exe [x]
S2 Fabs;FABS - Helping agent for MAGIX media database;c:\program files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe [2009-08-27 1253376]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\DRIVERS\tmevtmgr.sys [x]
S2 yksvc;Marvell Yukon Service;c:\windows\System32\svchost.exe [2008-01-21 27648]
S3 netr28ux;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28ux.sys [x]
S3 yukonx64;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk60x64.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
getPlusHelper	REG_MULTI_SZ   	getPlusHelper
Akamai	REG_MULTI_SZ   	Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-23 17:50]
.
2011-07-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-23 17:50]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-03-30 7574048]
"Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2009-03-30 1833504]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-09-24 163568]
"Trend Micro Titanium"="c:\program files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" [2011-02-17 1111568]
"Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2011-02-10 197152]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://www.yahoo.com
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.2.1 74.128.17.114 74.128.19.102
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://m.www.yahoo.com/\r
FF - prefs.js: network.proxy.http_port - 59778
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, true
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{005C3BD7-7E45-425D-AE16-69460AD19D6b} - c:\windows\SysWow64\atiumdva32.dll
SharedTaskScheduler-{705FB965-7459-4644-BF5E-12152519A1D8} - (no file)
WebBrowser-{D0523BB4-21E7-11DD-9AB7-415B56D89593} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{015113EC-A4E0-4FB1-9CE1-2140252DABE2}"=hex:51,66,7a,6c,4c,1d,38,12,82,10,42,
   05,d2,ea,df,0a,e3,f7,62,00,20,73,ef,f6
"{014D2F73-E2A5-44F6-BD45-F0A791DE42A7}"=hex:51,66,7a,6c,4c,1d,38,12,1d,2c,5e,
   05,97,ac,98,01,c2,53,b3,e7,94,80,06,b3
"{010DBB78-2FED-4AED-A7E8-DC083989F51F}"=hex:51,66,7a,6c,4c,1d,38,12,16,b8,1e,
   05,df,61,83,0f,d8,fe,9f,48,3c,d7,b1,0b
"{009A6416-669F-4147-8F1B-176A85CCE46A}"=hex:51,66,7a,6c,4c,1d,38,12,78,67,89,
   04,ad,28,29,04,f0,0d,54,2a,80,92,a0,7e
"{005C3BD7-7E45-425D-AE16-69460AD19D6B}"=hex:51,66,7a,6c,4c,1d,38,12,b9,38,4f,
   04,77,30,33,07,d1,00,2a,06,0f,8f,d9,7f
.
[HKEY_USERS\S-1-5-21-2819834726-533737158-1913216436-1000\Software\SecuROM\License information*]
"datasecu"=hex:71,1d,81,de,fe,f4,50,82,c4,5b,8b,93,a1,93,1a,f8,e9,47,58,e8,a3,
   0f,6b,38,5c,d0,bf,13,43,71,55,72,c3,27,da,64,dd,d6,91,51,db,17,59,57,a7,a1,\
"rkeysecu"=hex:6d,fd,d5,a6,54,58,d5,b1,55,2c,10,1a,0b,7c,0c,a1
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
   00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Bonjour\mDNSResponder.exe
c:\windows\SysWOW64\mfc7132.exe
c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\programdata\atiumdva32.exe
c:\program files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\MHotKey.exe
c:\windows\ChiFuncExt.exe
.
**************************************************************************
.
Completion time: 2011-07-06  21:45:36 - machine was rebooted
ComboFix-quarantined-files.txt  2011-07-07 01:45
ComboFix2.txt  2011-07-06 21:50
.
Pre-Run: 397,570,338,816 bytes free
Post-Run: 397,863,190,528 bytes free
.
- - End Of File - - AB6EC6C292003453A34EF6B1043B9DEF


----------



## johnb35

Okay, another script to run.

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box


Code:

Folder::

c:\users\Amanda\AppData\Roaming\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
c:\users\Amanda\AppData\Local\{E1F1B8AB-513A-42EA-B43A-94676FF227C5}
c:\users\Amanda\AppData\Local\{708EC9E2-0F25-4C8D-B544-C53A5F31C548}
c:\users\Amanda\AppData\Local\{8EEA8D3F-FDE1-427A-92F6-4F625ACCE3C2}
c:\users\Amanda\AppData\Local\{5F8B7C86-D474-42B7-92F2-6AA0752EA20F}
c:\users\Amanda\AppData\Local\{EFF2BFFA-F6EB-44C9-8737-4F83D89ADAFB}
c:\users\Amanda\AppData\Local\{051A39BC-DD8F-4B7D-BB40-9580344EB4A3}
c:\users\Amanda\AppData\Local\{0DDABC47-9933-4B8F-9674-4B45C386B5D2}
c:\users\Amanda\AppData\Local\{A40C2CBC-628F-4051-BA29-DD5D5ED839A8}
c:\users\Amanda\AppData\Local\{F4498E2A-B7D8-483F-B6FB-15C23D892972}
c:\users\Amanda\AppData\Local\{A7791A70-18CE-445F-8D20-C71B3E0BF311}
c:\users\Amanda\AppData\Local\{914FAE73-9EE1-426E-B61E-0F624F85B5D6}
c:\users\Amanda\AppData\Local\{B791BDEA-9467-4223-BAB7-610814CF88EA}
c:\users\Amanda\AppData\Local\{DA34D2A1-88A9-44E3-91A5-FFCDCD4AF749}
c:\users\Amanda\AppData\Local\{D4C97552-AC88-40F7-A737-779335878ECD}
c:\users\Amanda\AppData\Local\{E12DB36D-90BF-49C7-821A-06D891DD8B04}
c:\users\Amanda\AppData\Local\{DEF4FA9B-4320-4395-9272-3FAD4112D6DE}
c:\users\Amanda\AppData\Local\{702E43A5-6481-4DBA-B256-56631C65DAA6}
c:\users\Amanda\AppData\Local\{4862B418-97EB-44E6-B9D6-EE0C914208AF}
c:\users\Amanda\AppData\Local\{C97556C9-F2DE-47F5-B944-D4D31B0E2749}
c:\users\Amanda\AppData\Local\{896A5C8D-22F9-486C-8922-19567548F373}
c:\users\Amanda\AppData\Local\{7BD80AE4-C1A4-4470-B306-E5B2FCE555EE}
c:\users\Amanda\AppData\Local\{3D3A9B2E-9356-4158-BD96-7FF57325A1F0}
c:\users\Amanda\AppData\Local\{387C1C23-49D8-497B-8A7C-EDD96485E0A5}
c:\users\Amanda\AppData\Local\{BAF196F3-24D3-4914-8009-E81B704816EE}
c:\users\Amanda\AppData\Local\{964DB97D-5339-4E6D-847E-A82C5972F672}
c:\users\Amanda\AppData\Local\{3C444365-2D9E-4C9D-BBEF-64B4402B191A}
c:\users\Amanda\AppData\Local\{989BED54-CB62-4FFB-AD59-67060E408F96}
c:\users\Amanda\AppData\Local\{930971A1-C894-45C6-98CD-2E52EDB7258E}
c:\users\Amanda\AppData\Local\{B5ED8CC9-8D53-4F47-8410-87C4B7923543}
c:\users\Amanda\AppData\Local\{B980E578-E4CD-4721-9F5B-58679FA0AAB0}
c:\users\Amanda\AppData\Local\{6BAC88CF-9BFD-4DF5-93D8-3EBC9E1FE2F3}
c:\users\Amanda\AppData\Local\{F575B316-42FB-4DFF-A1B5-E1CB284B93D1}
c:\users\Amanda\AppData\Local\{96BAC7EC-237C-4CE9-A9C2-2B123AAF39FE}
c:\users\Amanda\AppData\Local\{7856E2DD-3445-4AE5-A28A-EBE3711481A5}
c:\users\Amanda\AppData\Local\{6661605C-CD9C-4B9B-9E92-239EFB619CF5}
c:\users\Amanda\AppData\Local\{E480E33E-BF23-45C5-A5FF-D3236330088E}
c:\users\Amanda\AppData\Local\{E6967010-9F29-4EA8-8BAB-5BDE0CB78E7F}
c:\users\Amanda\AppData\Local\{5B81C99C-5405-4287-AB56-84FE27372F27}
c:\users\Amanda\AppData\Local\{30AE5C27-4137-4D93-8C5C-6BCF90350067}
c:\users\Amanda\AppData\Local\{64ECE93A-C153-4C03-81A2-143DEC656BEF}
c:\users\Amanda\AppData\Local\{2A365877-4EBB-45A7-B3F9-D5AD505FFE96}
c:\users\Amanda\AppData\Local\{574707A2-08B5-4F47-B05F-40776CC58D13}
c:\users\Amanda\AppData\Local\{9F923E77-452C-4B68-8571-FB0D384BDD7D}
c:\users\Amanda\AppData\Local\{24AEE9CE-FB43-47F0-AA11-9CB58BA1E431}
c:\users\Amanda\AppData\Local\{BD454A98-10F5-477D-81A9-B5807C41416A}
c:\users\Amanda\AppData\Local\{46540E4E-F89C-4C40-9A49-E030CBB76EB1}
c:\users\Amanda\AppData\Local\{07ACFEBB-1BF7-44D7-9B33-E7C0F7D95432}
c:\users\Amanda\AppData\Local\{DE60CE78-130B-4965-8E5F-43F2E6E26133}
c:\users\Amanda\AppData\Local\{2CB2C257-D560-400E-AA25-08A8D8150D3A}
c:\users\Amanda\AppData\Local\{D3CADEE5-44DE-4EE2-8B7B-170645592A62}
c:\users\Amanda\AppData\Local\{0D238451-BFFB-46AE-BA46-EFC4449A0C45}

File::

c:\windows\SysWow64\MFC7132.exe



3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!







ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.


Then do the following.

Please download and run the ESET Online Scanner
Disable any antivirus/security programs.
IMPORTANT! UN-check Remove found threats 
Accept any security warnings from your browser. 
Check Scan archives 
Click Start 
ESET will then download updates, install and then start scanning your system. 
When the scan is done, push list of found threats 
Click on Export to text file , and save the file to your desktop using a file name, such as ESETlog. Include the contents of this report in your next reply. 
If no threats are found then it won't produce a log.

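Once the new ComboFix.txt comes back, a quick way to confirm the script actually did what it was asked is to compare the CFScript's Folder:: and File:: targets against the log's "Other Deletions" and "Other Running Processes" sections. This is an added example in Python (not part of the thread and not a ComboFix feature); the CFScript and log excerpt embedded in it are constructed from the paths in this thread to exercise the parser.

```python
"""Cross-check a ComboFix CFScript against the ComboFix log it produced.

Added example, not from the forum thread or from ComboFix itself. It parses
the CFScript directive blocks (Folder::, File::) and the log sections
"Other Deletions" and "Other Running Processes", then reports which requested
paths were reported deleted, which were not, and which still show up running.
"""

DIRECTIVES = ("Folder::", "File::")

# Constructed CFScript, using paths from the thread (not the full script).
CFSCRIPT = r"""Folder::

c:\users\Amanda\AppData\Roaming\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
c:\users\Amanda\AppData\Local\{E1F1B8AB-513A-42EA-B43A-94676FF227C5}

File::

c:\windows\SysWow64\MFC7132.exe
"""

# Constructed ComboFix log excerpt with the three banner styles the parser
# must recognise: "(((( title ))))", "---- title ----" and the "****" footer.
COMBOFIX_LOG = r"""((((((((((((   Other Deletions   ))))))))))))
.
.
c:\programdata\atiumdva32.exe
c:\users\Amanda\AppData\Local\{E1F1B8AB-513A-42EA-B43A-94676FF227C5}
c:\windows\SysWow64\atiumdva32.dll
.
.
((((((((((((   Files Created from 2011-06-07 to 2011-07-07  ))))))))))))
.
2011-07-07 15:24 . 2011-07-07 15:26  --------  d-----w-  c:\users\Amanda\AppData\Local\temp
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Bonjour\mDNSResponder.exe
c:\windows\SysWOW64\mfc7132.exe
.
**************************************************************************
"""


def parse_cfscript(text):
    """Return {directive: [paths]} for the Folder:: and File:: blocks."""
    targets = {d: [] for d in DIRECTIVES}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in DIRECTIVES:
            current = line          # a new directive block starts here
            continue
        if current is not None:
            targets[current].append(line)
    return targets


def log_section(text, title):
    """Return the path lines of the log section whose banner contains title."""
    out = []
    inside = False
    for raw in text.splitlines():
        line = raw.strip()
        if not inside:
            # Section banners look like "((((  title  ))))" or "---- title ----"
            if title in line and line[:1] in "(-":
                inside = True
            continue
        # The section ends at the next banner or at the "****" footer
        if line.startswith(("(((", "---", "****")):
            break
        if line and line != ".":
            out.append(line)
    return out


def norm(path):
    """Windows paths are case-insensitive; the log mixes SysWow64/SysWOW64."""
    return path.strip().lower().rstrip("\\")


def cross_check(cfscript, log):
    """Classify every CFScript target by what the resulting log says about it."""
    targets = parse_cfscript(cfscript)
    requested = [norm(p) for d in DIRECTIVES for p in targets[d]]
    deleted = {norm(p) for p in log_section(log, "Other Deletions")}
    running = {norm(p) for p in log_section(log, "Other Running Processes")}
    return {
        "deleted": sorted(p for p in requested if p in deleted),
        "not_reported_deleted": sorted(p for p in requested if p not in deleted),
        "still_running": sorted(p for p in requested if p in running),
    }


if __name__ == "__main__":
    for status, paths in cross_check(CFSCRIPT, COMBOFIX_LOG).items():
        print(status)
        for p in paths:
            print("   ", p)
```

A target that is neither under "Other Deletions" nor gone from "Other Running Processes" is the one to raise with the helper before moving on to the next step.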

----------



## M199

New combo, then the last step's log.
By looking at this I see a lot of 'troj'. That would come up on my Trend Micro too. Do I have a trojan horse?

ComboFix 11-07-07.02 - Amanda 07/07/2011  11:03:36.3.2 - x64
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.5886.4236 [GMT -4:00]
Running from: c:\users\Amanda\Downloads\ComboFix.exe
Command switches used :: c:\users\Amanda\Desktop\CFScript.txt
AV: Trend Micro Titanium *Disabled/Updated* {68F968AC-2AA0-091D-848C-803E83E35902}
SP: Trend Micro Titanium *Disabled/Updated* {D3988948-0C9A-0693-BE3C-BB4CF86413BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\windows\SysWow64\MFC7132.exe"
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\atiumdva32.dll
c:\programdata\atiumdva32.exe
c:\users\Amanda\AppData\Local\{051A39BC-DD8F-4B7D-BB40-9580344EB4A3}
c:\users\Amanda\AppData\Local\{07ACFEBB-1BF7-44D7-9B33-E7C0F7D95432}
c:\users\Amanda\AppData\Local\{0D238451-BFFB-46AE-BA46-EFC4449A0C45}
c:\users\Amanda\AppData\Local\{0DDABC47-9933-4B8F-9674-4B45C386B5D2}
c:\users\Amanda\AppData\Local\{24AEE9CE-FB43-47F0-AA11-9CB58BA1E431}
c:\users\Amanda\AppData\Local\{2A365877-4EBB-45A7-B3F9-D5AD505FFE96}
c:\users\Amanda\AppData\Local\{2CB2C257-D560-400E-AA25-08A8D8150D3A}
c:\users\Amanda\AppData\Local\{30AE5C27-4137-4D93-8C5C-6BCF90350067}
c:\users\Amanda\AppData\Local\{387C1C23-49D8-497B-8A7C-EDD96485E0A5}
c:\users\Amanda\AppData\Local\{3C444365-2D9E-4C9D-BBEF-64B4402B191A}
c:\users\Amanda\AppData\Local\{3D3A9B2E-9356-4158-BD96-7FF57325A1F0}
c:\users\Amanda\AppData\Local\{46540E4E-F89C-4C40-9A49-E030CBB76EB1}
c:\users\Amanda\AppData\Local\{4862B418-97EB-44E6-B9D6-EE0C914208AF}
c:\users\Amanda\AppData\Local\{574707A2-08B5-4F47-B05F-40776CC58D13}
c:\users\Amanda\AppData\Local\{5B81C99C-5405-4287-AB56-84FE27372F27}
c:\users\Amanda\AppData\Local\{5F8B7C86-D474-42B7-92F2-6AA0752EA20F}
c:\users\Amanda\AppData\Local\{64ECE93A-C153-4C03-81A2-143DEC656BEF}
c:\users\Amanda\AppData\Local\{6661605C-CD9C-4B9B-9E92-239EFB619CF5}
c:\users\Amanda\AppData\Local\{6BAC88CF-9BFD-4DF5-93D8-3EBC9E1FE2F3}
c:\users\Amanda\AppData\Local\{702E43A5-6481-4DBA-B256-56631C65DAA6}
c:\users\Amanda\AppData\Local\{708EC9E2-0F25-4C8D-B544-C53A5F31C548}
c:\users\Amanda\AppData\Local\{7856E2DD-3445-4AE5-A28A-EBE3711481A5}
c:\users\Amanda\AppData\Local\{7BD80AE4-C1A4-4470-B306-E5B2FCE555EE}
c:\users\Amanda\AppData\Local\{896A5C8D-22F9-486C-8922-19567548F373}
c:\users\Amanda\AppData\Local\{8EEA8D3F-FDE1-427A-92F6-4F625ACCE3C2}
c:\users\Amanda\AppData\Local\{914FAE73-9EE1-426E-B61E-0F624F85B5D6}
c:\users\Amanda\AppData\Local\{930971A1-C894-45C6-98CD-2E52EDB7258E}
c:\users\Amanda\AppData\Local\{964DB97D-5339-4E6D-847E-A82C5972F672}
c:\users\Amanda\AppData\Local\{96BAC7EC-237C-4CE9-A9C2-2B123AAF39FE}
c:\users\Amanda\AppData\Local\{989BED54-CB62-4FFB-AD59-67060E408F96}
c:\users\Amanda\AppData\Local\{9F923E77-452C-4B68-8571-FB0D384BDD7D}
c:\users\Amanda\AppData\Local\{A40C2CBC-628F-4051-BA29-DD5D5ED839A8}
c:\users\Amanda\AppData\Local\{A7791A70-18CE-445F-8D20-C71B3E0BF311}
c:\users\Amanda\AppData\Local\{B5ED8CC9-8D53-4F47-8410-87C4B7923543}
c:\users\Amanda\AppData\Local\{B791BDEA-9467-4223-BAB7-610814CF88EA}
c:\users\Amanda\AppData\Local\{B980E578-E4CD-4721-9F5B-58679FA0AAB0}
c:\users\Amanda\AppData\Local\{BAF196F3-24D3-4914-8009-E81B704816EE}
c:\users\Amanda\AppData\Local\{BD454A98-10F5-477D-81A9-B5807C41416A}
c:\users\Amanda\AppData\Local\{C97556C9-F2DE-47F5-B944-D4D31B0E2749}
c:\users\Amanda\AppData\Local\{D3CADEE5-44DE-4EE2-8B7B-170645592A62}
c:\users\Amanda\AppData\Local\{D4C97552-AC88-40F7-A737-779335878ECD}
c:\users\Amanda\AppData\Local\{DA34D2A1-88A9-44E3-91A5-FFCDCD4AF749}
c:\users\Amanda\AppData\Local\{DE60CE78-130B-4965-8E5F-43F2E6E26133}
c:\users\Amanda\AppData\Local\{DEF4FA9B-4320-4395-9272-3FAD4112D6DE}
c:\users\Amanda\AppData\Local\{E12DB36D-90BF-49C7-821A-06D891DD8B04}
c:\users\Amanda\AppData\Local\{E1F1B8AB-513A-42EA-B43A-94676FF227C5}
c:\users\Amanda\AppData\Local\{E480E33E-BF23-45C5-A5FF-D3236330088E}
c:\users\Amanda\AppData\Local\{E6967010-9F29-4EA8-8BAB-5BDE0CB78E7F}
c:\users\Amanda\AppData\Local\{EFF2BFFA-F6EB-44C9-8737-4F83D89ADAFB}
c:\users\Amanda\AppData\Local\{F4498E2A-B7D8-483F-B6FB-15C23D892972}
c:\users\Amanda\AppData\Local\{F575B316-42FB-4DFF-A1B5-E1CB284B93D1}
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{49f47bbd-32ed-49c3-82ab-9affdc67d001}
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{49f47bbd-32ed-49c3-82ab-9affdc67d001}\chrome.manifest
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{49f47bbd-32ed-49c3-82ab-9affdc67d001}\chrome\xulcache.jar
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{49f47bbd-32ed-49c3-82ab-9affdc67d001}\defaults\preferences\xulcache.js
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{49f47bbd-32ed-49c3-82ab-9affdc67d001}\install.rdf
c:\windows\SysWow64\atiumdva32.dll
.
.
(((((((((((((((((((((((((   Files Created from 2011-06-07 to 2011-07-07  )))))))))))))))))))))))))))))))
.
.
2011-07-07 15:24 . 2011-07-07 15:26	--------	d-----w-	c:\users\Amanda\AppData\Local\temp
2011-07-07 15:24 . 2011-07-07 15:24	--------	d-----w-	c:\windows\system32\config\systemprofile\AppData\Local\temp
2011-07-07 15:24 . 2011-07-07 15:24	--------	d-----w-	c:\users\Default\AppData\Local\temp
2011-07-07 15:24 . 2011-07-07 15:24	--------	d-----w-	c:\users\Conrad\AppData\Local\temp
2011-07-07 00:39 . 2011-07-07 00:39	--------	d-----w-	c:\program files (x86)\Common Files\Java
2011-07-06 15:11 . 2011-07-06 15:11	388096	----a-r-	c:\users\Amanda\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-07-06 15:11 . 2011-07-06 15:11	--------	d-----w-	c:\program files (x86)\Trend Micro
2011-07-06 14:56 . 2011-05-29 13:11	39984	----a-w-	c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-07-06 14:56 . 2011-07-06 14:56	--------	d-----w-	c:\program files (x86)\Malwarebytes' Anti-Malware
2011-07-06 00:17 . 2011-07-06 00:17	--------	d-----w-	c:\users\Amanda\AppData\Roaming\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2011-07-01 02:29 . 2011-06-24 03:18	565248	----a-w-	c:\windows\SysWow64\MFC7132.exe
2011-06-29 15:00 . 2011-04-29 16:15	344576	----a-w-	c:\windows\system32\schannel.dll
2011-06-29 15:00 . 2011-04-29 15:59	276992	----a-w-	c:\windows\SysWow64\schannel.dll
2011-06-27 14:38 . 2011-06-27 14:38	2106216	----a-w-	c:\program files (x86)\Mozilla Firefox\D3DCompiler_43.dll
2011-06-27 14:38 . 2011-06-27 14:38	1998168	----a-w-	c:\program files (x86)\Mozilla Firefox\d3dx9_43.dll
2011-06-15 17:05 . 2011-07-01 03:35	404640	----a-w-	c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-06-14 00:03 . 2011-06-14 00:03	--------	d-----w-	c:\program files (x86)\MAGIX
2011-06-14 00:03 . 2011-06-14 00:03	--------	d-----w-	c:\program files (x86)\Common Files\MAGIX Services
2011-06-13 14:54 . 2011-06-13 14:54	--------	d-----w-	c:\program files (x86)\Safari
2011-06-13 14:42 . 2011-06-13 14:42	--------	d-----w-	c:\program files\iPod
2011-06-13 14:42 . 2011-06-13 14:43	--------	d-----w-	c:\program files\iTunes
2011-06-13 14:42 . 2011-06-13 14:43	--------	d-----w-	c:\program files (x86)\iTunes
2011-06-13 14:38 . 2011-06-13 14:38	--------	d-----w-	c:\program files\Bonjour
2011-06-13 14:38 . 2011-06-13 14:38	--------	d-----w-	c:\program files (x86)\Bonjour
2011-06-13 01:09 . 2011-06-13 01:09	--------	d-----w-	c:\users\Amanda\AppData\Roaming\Malwarebytes
2011-06-13 01:09 . 2011-06-13 01:09	--------	d-----w-	c:\programdata\Malwarebytes
2011-06-13 01:09 . 2011-05-29 13:11	25912	----a-w-	c:\windows\system32\drivers\mbam.sys
2011-06-13 00:10 . 2011-06-27 14:38	142296	----a-w-	c:\program files (x86)\Mozilla Firefox\components\browsercomps.dll
2011-06-13 00:10 . 2011-06-27 14:38	89048	----a-w-	c:\program files (x86)\Mozilla Firefox\libEGL.dll
2011-06-13 00:10 . 2011-06-27 14:38	465880	----a-w-	c:\program files (x86)\Mozilla Firefox\libGLESv2.dll
2011-06-13 00:10 . 2011-06-27 14:38	15832	----a-w-	c:\program files (x86)\Mozilla Firefox\mozalloc.dll
2011-06-13 00:10 . 2011-06-27 14:38	781272	----a-w-	c:\program files (x86)\Mozilla Firefox\mozsqlite3.dll
2011-06-13 00:10 . 2011-06-27 14:38	1850328	----a-w-	c:\program files (x86)\Mozilla Firefox\mozjs.dll
2011-06-07 16:35 . 2011-06-07 16:35	103864	----a-w-	c:\program files (x86)\Mozilla Firefox\plugins\nppdf32.dll
2011-06-07 16:35 . 2011-06-07 16:35	103864	----a-w-	c:\program files (x86)\Internet Explorer\Plugins\nppdf32.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-07 00:38 . 2010-07-25 23:37	472808	----a-w-	c:\windows\SysWow64\deployJava1.dll
2011-05-10 12:06 . 2011-05-10 12:06	51712	----a-w-	c:\windows\system32\drivers\usbaapl64.sys
2011-05-10 12:06 . 2011-05-10 12:06	4517664	----a-w-	c:\windows\system32\usbaaplrc.dll
.
.
(((((((((((((((((((((((((((((   SnapShot@2011-07-06_21.44.18   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-21 03:20 . 2011-07-06 21:11	32768              c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-01-21 03:20 . 2011-07-07 02:09	32768              c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-01-21 03:20 . 2011-07-07 02:09	49152              c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-01-21 03:20 . 2011-07-06 21:11	49152              c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-21 03:20 . 2011-07-07 02:09	16384              c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-01-21 03:20 . 2011-07-06 21:11	16384              c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-01-21 02:23 . 2011-07-07 15:27	87912              c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 15:45 . 2011-07-07 15:27	97040              c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-08-09 00:10 . 2011-07-07 01:39	20972              c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2819834726-533737158-1913216436-1000_UserData.bin
- 2011-07-06 21:43 . 2011-07-06 21:43	2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-07-07 15:25 . 2011-07-07 15:25	2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-07-07 15:25 . 2011-07-07 15:25	2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2011-07-06 21:43 . 2011-07-06 21:43	2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-07-07 00:39 . 2011-07-07 00:38	157472              c:\windows\SysWOW64\javaws.exe
+ 2011-07-07 00:39 . 2011-07-07 00:38	145184              c:\windows\SysWOW64\javaw.exe
- 2010-10-27 22:35 . 2010-09-15 08:50	145184              c:\windows\SysWOW64\javaw.exe
- 2010-10-27 22:35 . 2010-09-15 08:50	145184              c:\windows\SysWOW64\java.exe
+ 2011-07-07 00:39 . 2011-07-07 00:38	145184              c:\windows\SysWOW64\java.exe
- 2009-08-09 17:38 . 2011-07-06 14:42	305860              c:\windows\system32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2009-08-09 17:38 . 2011-07-07 14:57	305860              c:\windows\system32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
- 2010-11-12 04:49 . 2011-07-06 21:42	441820              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2010-11-12 04:49 . 2011-07-07 15:24	441820              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-07-07 00:39 . 2011-07-07 00:39	203776              c:\windows\Installer\9d68ec.msi
+ 2011-07-07 00:38 . 2011-07-07 00:38	675840              c:\windows\Installer\9d68de.msi
- 2010-11-12 04:49 . 2011-07-06 21:42	4897704              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2819834726-533737158-1913216436-1000-8192.dat
+ 2010-11-12 04:49 . 2011-07-07 15:24	4897704              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2819834726-533737158-1913216436-1000-8192.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files (x86)\Yahoo!\Companion\Installs\cpn4\YTNavAssist.dll" [2011-03-16 214840]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{A31F34A1-EBD2-45A2-BF6D-231C1B987CC8}]
[HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin]
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{005C3BD7-7E45-425D-AE16-69460AD19D6b}]
c:\windows\SysWow64\atiumdva32.dll [BU]
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{009A6416-669F-4147-8F1B-176A85CCE46a}]
c:\windows\SysWow64\atiumdva32.dll [BU]
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{010DBB78-2FED-4AED-A7E8-DC083989F51f}]
c:\windows\SysWow64\atiumdva32.dll [BU]
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{015113EC-A4E0-4FB1-9CE1-2140252DABE2}]
c:\windows\SysWow64\atiumdva32.dll [BU]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-09 68856]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"YSearchProtection"="c:\program files (x86)\Yahoo!\Search Protection\YspService.exe" [2010-06-14 296248]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-30 61440]
"LchDrvKey"="LchDrvKey.exe" [2007-03-29 36864]
"LedKey"="CNYHKey.exe" [2008-04-24 339968]
"CLMLServer"="c:\program files (x86)\Cyberlink\Power2Go\CLMLSvc.exe" [2008-12-24 103720]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-06-07 421160]
"AppleSyncNotifier"="c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-11-02 8704]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-23 135664]
R3 b57nd60a;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60a.sys [x]
R3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files (x86)\Common Files\MAGIX Services\Database\bin\fbserver.exe [2008-08-07 3276800]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-23 135664]
R3 PCASp50a64;PCASp50a64 NDIS Protocol Driver;c:\windows\system32\Drivers\PCASp50a64.sys [x]
R3 PCTINDIS5X64;PCTINDIS5X64 NDIS Protocol Driver;c:\windows\system32\PCTINDIS5X64.SYS [x]
R3 SWNC8U80;Sierra Wireless MUX NDIS Driver (UMTS80);c:\windows\system32\DRIVERS\swnc8u80.sys [x]
R3 SWUMX80;Sierra Wireless USB MUX Driver (UMTS80);c:\windows\system32\DRIVERS\swumx80.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [2010-09-24 306416]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 1020768]
R4 ahcix64s;ahcix64s;c:\windows\system32\drivers\ahcix64s.sys [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2008-01-21 27648]
S2 Amsp;Trend Micro Solution Platform;c:\program files\Trend Micro\AMSP\coreServiceShell.exe coreFrameworkHost.exe [x]
S2 Fabs;FABS - Helping agent for MAGIX media database;c:\program files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe [2009-08-27 1253376]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\DRIVERS\tmevtmgr.sys [x]
S2 yksvc;Marvell Yukon Service;c:\windows\System32\svchost.exe [2008-01-21 27648]
S3 netr28ux;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28ux.sys [x]
S3 yukonx64;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk60x64.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
getPlusHelper	REG_MULTI_SZ   	getPlusHelper
Akamai	REG_MULTI_SZ   	Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-23 17:50]
.
2011-07-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-23 17:50]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-03-30 7574048]
"Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2009-03-30 1833504]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-09-24 163568]
"Trend Micro Titanium"="c:\program files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" [2011-02-17 1111568]
"Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2011-02-10 197152]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://www.yahoo.com
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.2.1 74.128.17.114 74.128.19.102
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://m.www.yahoo.com/\r
FF - prefs.js: network.proxy.http_port - 59778
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, true
.
- - - - ORPHANS REMOVED - - - -
.
SharedTaskScheduler-{705FB965-7459-4644-BF5E-12152519A1D8} - (no file)
WebBrowser-{D0523BB4-21E7-11DD-9AB7-415B56D89593} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{015113EC-A4E0-4FB1-9CE1-2140252DABE2}"=hex:51,66,7a,6c,4c,1d,38,12,82,10,42,
   05,d2,ea,df,0a,e3,f7,62,00,20,73,ef,f6
"{014D2F73-E2A5-44F6-BD45-F0A791DE42A7}"=hex:51,66,7a,6c,4c,1d,38,12,1d,2c,5e,
   05,97,ac,98,01,c2,53,b3,e7,94,80,06,b3
"{010DBB78-2FED-4AED-A7E8-DC083989F51F}"=hex:51,66,7a,6c,4c,1d,38,12,16,b8,1e,
   05,df,61,83,0f,d8,fe,9f,48,3c,d7,b1,0b
"{009A6416-669F-4147-8F1B-176A85CCE46A}"=hex:51,66,7a,6c,4c,1d,38,12,78,67,89,
   04,ad,28,29,04,f0,0d,54,2a,80,92,a0,7e
"{005C3BD7-7E45-425D-AE16-69460AD19D6B}"=hex:51,66,7a,6c,4c,1d,38,12,b9,38,4f,
   04,77,30,33,07,d1,00,2a,06,0f,8f,d9,7f
.
[HKEY_USERS\S-1-5-21-2819834726-533737158-1913216436-1000\Software\SecuROM\License information*]
"datasecu"=hex:71,1d,81,de,fe,f4,50,82,c4,5b,8b,93,a1,93,1a,f8,e9,47,58,e8,a3,
   0f,6b,38,5c,d0,bf,13,43,71,55,72,c3,27,da,64,dd,d6,91,51,db,17,59,57,a7,a1,\
"rkeysecu"=hex:6d,fd,d5,a6,54,58,d5,b1,55,2c,10,1a,0b,7c,0c,a1
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
   00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Bonjour\mDNSResponder.exe
c:\windows\SysWOW64\mfc7132.exe
c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\programdata\atiumdva32.exe
c:\program files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\MHotKey.exe
c:\windows\ChiFuncExt.exe
c:\windows\CNYHKey.exe
.
**************************************************************************
.
Completion time: 2011-07-07  11:32:51 - machine was rebooted
ComboFix-quarantined-files.txt  2011-07-07 15:32
ComboFix2.txt  2011-07-07 01:45
ComboFix3.txt  2011-07-06 21:50
.
Pre-Run: 398,012,280,832 bytes free
Post-Run: 397,691,637,760 bytes free
.
- - End Of File - - 0F6B31598D394122F952681BAC6C046F



C:\Qoobox\Quarantine\C\ProgramData\atiumdva32.exe.vir	probably a variant of Win32/TrojanDownloader.Agent.BLHNAIM trojan
C:\Qoobox\Quarantine\C\ProgramData\KBDCZ132.dll.vir	probably a variant of Win32/TrojanDownloader.Agent.HIVKBDM trojan
C:\Qoobox\Quarantine\C\Users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{155ca05c-939f-4003-ad1f-993591e624bd}\chrome.manifest.vir	Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{155ca05c-939f-4003-ad1f-993591e624bd}\chrome\xulcache.jar.vir	JS/Agent.NDB trojan
C:\Qoobox\Quarantine\C\Users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{49f47bbd-32ed-49c3-82ab-9affdc67d001}\chrome.manifest.vir	Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{49f47bbd-32ed-49c3-82ab-9affdc67d001}\chrome\xulcache.jar.vir	JS/Agent.NDB trojan
C:\Qoobox\Quarantine\C\Users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{910a7df3-474a-45ec-b9d1-95dba03b39fd}\chrome.manifest.vir	Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{910a7df3-474a-45ec-b9d1-95dba03b39fd}\chrome\xulcache.jar.vir	JS/Agent.NDB trojan
C:\Qoobox\Quarantine\C\Users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{9cfbdb48-7ddf-4789-bec1-1e50ccb17b26}\chrome.manifest.vir	Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{9cfbdb48-7ddf-4789-bec1-1e50ccb17b26}\chrome\xulcache.jar.vir	JS/Agent.NDB trojan
C:\Qoobox\Quarantine\C\Users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{f14115e8-1aab-4400-a2c1-21d1536d6fd9}\chrome.manifest.vir	Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{f14115e8-1aab-4400-a2c1-21d1536d6fd9}\chrome\xulcache.jar.vir	JS/Agent.NDB trojan
C:\Qoobox\Quarantine\C\Windows\SysWOW64\atiumdva32.dll.vir	a variant of Win32/Kryptik.PQF trojan
C:\Users\Amanda\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0\49e03e00-74eed42a	multiple threats
C:\Users\Amanda\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\21b718cc-3e184666	a variant of Java/TrojanDownloader.OpenStream.NCE trojan
C:\Users\Amanda\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\21b718cc-4bc2f6c7	a variant of Java/TrojanDownloader.OpenStream.NCE trojan
C:\Users\Amanda\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\21b718cc-55a84f31	a variant of Java/TrojanDownloader.OpenStream.NCE trojan
C:\Users\Amanda\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\21b718cc-5a64089a	a variant of Java/TrojanDownloader.OpenStream.NCE trojan
C:\Users\Amanda\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\21b718cc-73971878	a variant of Java/TrojanDownloader.OpenStream.NCE trojan
C:\Users\Amanda\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\21b718cc-761bca28	a variant of Java/TrojanDownloader.OpenStream.NCE trojan
C:\Users\Amanda\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\16\33562790-129a35ec	Java/TrojanDownloader.OpenStream.NCA trojan
C:\Users\Amanda\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\22\27c3f96-66ff3c47	probably a variant of Win32/Agent.KBEESLR trojan
C:\Users\Amanda\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\22\57f6ba56-5f63f049	Java/TrojanDownloader.OpenStream.NCA trojan
C:\Users\Amanda\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\24\4ff6a7d8-11c4065f	Java/TrojanDownloader.OpenStream.NCA trojan
C:\Users\Amanda\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27\77aee51b-2a06ebf2	a variant of Java/TrojanDownloader.OpenStream.NCE trojan
C:\Users\Amanda\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27\77aee51b-3ce3e01d	a variant of Java/TrojanDownloader.OpenStream.NCE trojan
C:\Users\Amanda\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\31\f29bcdf-27e3e071	multiple threats
C:\Users\Amanda\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39\1bddbe67-5e80516e	Java/TrojanDownloader.OpenStream.NCA trojan
C:\Users\Amanda\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\41\6fedd8a9-239e7bc9	multiple threats
C:\Users\Amanda\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\48\13673cb0-47c46c03	a variant of Java/TrojanDownloader.OpenStream.NCE trojan
C:\Users\Amanda\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\49\6e97d631-1c46fecb	Java/TrojanDownloader.OpenStream.NCA trojan
C:\Users\Amanda\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\56\63aaf5b8-4e3e7244	Java/TrojanDownloader.OpenStream.NCA trojan
C:\Users\Amanda\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\63\9b78b7f-5f647917	probably a variant of Win32/Agent.KBEESLR trojan
C:\Users\Amanda\AppData\Roaming\FileSubmit\stormwarningss\install\14852C7\stormwarningss.msi	multiple threats
C:\Users\Amanda\AppData\Roaming\FileSubmit\stormwarningss\install\FA366A1\stormwarningss.msi	multiple threats
C:\Users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{b32afd51-1d5c-42eb-9cf2-91f2af93c6dd}\chrome.manifest	Win32/TrojanDownloader.Tracur.F trojan
C:\Users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{b32afd51-1d5c-42eb-9cf2-91f2af93c6dd}\chrome\xulcache.jar	JS/Agent.NDB trojan
C:\Users\Amanda\Downloads\7artChristmasLand3DInst.exe	multiple threats
C:\Users\Amanda\Downloads\moviebar_us_z(2).exe	Win32/Toolbar.Zugo application
C:\Users\Amanda\Downloads\moviebar_us_z(3).exe	Win32/Toolbar.Zugo application
C:\Users\Amanda\Downloads\moviebar_us_z.exe	Win32/Toolbar.Zugo application
C:\Windows\System32\MFC7132.exe	probably a variant of Win32/TrojanDownloader.Agent.BLHNAIM trojan
C:\Windows\SysWOW64\MFC7132.exe	probably a variant of Win32/TrojanDownloader.Agent.BLHNAIM trojan


----------



## johnb35

Please do the following.

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box



```
Folder::
c:\users\Amanda\AppData\Roaming\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1

File::
C:\Users\Amanda\AppData\Roaming\FileSubmit\stormwarningss\install\14852C7\stormwarningss.msi
C:\Users\Amanda\AppData\Roaming\FileSubmit\stormwarningss\install\FA366A1\stormwarningss.msi
C:\Users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{b32afd51-1d5c-42eb-9cf2-91f2af93c6dd}\chrome.manifest
C:\Users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{b32afd51-1d5c-42eb-9cf2-91f2af93c6dd}\chrome\xulcache.jar
C:\Users\Amanda\Downloads\7artChristmasLand3DInst.exe
C:\Users\Amanda\Downloads\moviebar_us_z(3).exe
C:\Users\Amanda\Downloads\moviebar_us_z.exe
C:\Windows\System32\MFC7132.exe
C:\Windows\SysWOW64\MFC7132.exe
c:\programdata\atiumdva32.exe

Registry::

[-HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{005C3BD7-7E45-425D-AE16-69460AD19D6b}]
[-HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{009A6416-669F-4147-8F1B-176A85CCE46a}]
[-HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{010DBB78-2FED-4AED-A7E8-DC083989F51f}]
[-HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{015113EC-A4E0-4FB1-9CE1-2140252DABE2}]
```




3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!







ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.


Then go here and follow the directions to delete the java cache files.

http://www.java.com/en/download/help/plugin_cache.xml
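
The CFScript above is assembled by hand from the ESET hit list, and the ESET line format (path, a tab, then the detection name) makes it easy to paste the label along with the path, which turns "stormwarningss.msi" into a file name ComboFix will never find. As an added example that is not the forum's or ComboFix's own code, the Python below reads ESET-style lines, keeps only the paths that still need deleting (dropping entries ComboFix already quarantined under Qoobox, and Java cache entries, which the java.com link handles), writes a File:: section, and lints a finished script for lines that still carry a scanner label or a tab. The function names, the skip rules and the sample lines are the example's own assumptions.

```python
"""Build and sanity-check a ComboFix CFScript File:: section from ESET log lines.

Added example, not the forum's or ComboFix's own code. Assumes the ESET log
format shown in the thread (one "<path><TAB><detection>" line per hit) and
the CFScript layout used above (Folder::, File::, Registry:: sections).
"""
import re
from typing import List, Tuple

# Constructed sample in the shape of the ESET log above (paths taken from the thread).
SAMPLE_ESET_LOG = "\n".join("\t".join(pair) for pair in [
    (r"C:\Qoobox\Quarantine\C\Windows\SysWOW64\atiumdva32.dll.vir",
     "a variant of Win32/Kryptik.PQF trojan"),
    (r"C:\Users\Amanda\AppData\Roaming\FileSubmit\stormwarningss\install\14852C7\stormwarningss.msi",
     "multiple threats"),
    (r"C:\Users\Amanda\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\21b718cc-3e184666",
     "a variant of Java/TrojanDownloader.OpenStream.NCE trojan"),
    (r"C:\Users\Amanda\Downloads\moviebar_us_z.exe", "Win32/Toolbar.Zugo application"),
    (r"C:\Windows\System32\MFC7132.exe",
     "probably a variant of Win32/TrojanDownloader.Agent.BLHNAIM trojan"),
])

# Hits that do not belong in File:: (assumed policy): already quarantined by
# ComboFix, or Java cache entries that are cleared through the Java control panel.
SKIP_MARKERS = ("\\qoobox\\quarantine\\", "\\sun\\java\\deployment\\cache\\")


def parse_eset_log(text: str) -> List[Tuple[str, str]]:
    """Split each log line into (path, detection); the separator is a tab."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        path, sep, detection = line.partition("\t")
        if not sep:
            raise ValueError(f"no tab separator in line: {line!r}")
        hits.append((path.strip(), detection.strip()))
    return hits


def build_cfscript(hits: List[Tuple[str, str]]) -> str:
    """Emit a File:: section containing only the paths, never the labels."""
    files = []
    for path, _detection in hits:          # the label is deliberately dropped
        low = path.lower()
        if any(marker in low for marker in SKIP_MARKERS):
            continue
        files.append(path)
    return "File::\n" + "\n".join(files) + "\n"


WIN_PATH = re.compile(r"^[A-Za-z]:\\")
# Words a scanner label ends with; a real file name almost never does.
LABEL_TAIL = re.compile(r"\s(trojan|application|multiple threats)$", re.IGNORECASE)


def lint_cfscript(script: str) -> List[Tuple[int, str]]:
    """Flag File::/Folder:: lines that are not clean absolute Windows paths."""
    problems = []
    section = None
    for lineno, raw in enumerate(script.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            section = line[:-2]
            continue
        if section not in ("File", "Folder"):
            continue
        if "\t" in line:
            problems.append((lineno, "tab inside the path: scanner output pasted whole?"))
        if not WIN_PATH.match(line):
            problems.append((lineno, "not an absolute Windows path"))
        if LABEL_TAIL.search(line):
            problems.append((lineno, "trailing scanner label is not part of the file name"))
    return problems


if __name__ == "__main__":
    script = build_cfscript(parse_eset_log(SAMPLE_ESET_LOG))
    print(script)
    for lineno, msg in lint_cfscript(script):
        print(f"line {lineno}: {msg}")
```

Running the lint over the hand-built script in this thread reports the two stormwarningss.msi lines, which is exactly what the later ComboFix log confirms: it echoes the file names with "multiple threats" attached.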


----------



## M199

Here we are.

ComboFix 11-07-07.05 - Amanda 07/07/2011  21:00:02.4.2 - x64
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.5886.3844 [GMT -4:00]
Running from: c:\users\Amanda\Downloads\ComboFix.exe
Command switches used :: c:\users\Amanda\Desktop\CFScript.txt
AV: Trend Micro Titanium *Disabled/Updated* {68F968AC-2AA0-091D-848C-803E83E35902}
SP: Trend Micro Titanium *Disabled/Updated* {D3988948-0C9A-0693-BE3C-BB4CF86413BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\programdata\atiumdva32.exe"
"c:\users\Amanda\AppData\Roaming\FileSubmit\stormwarningss\install\14852C7\stormwarningss.msi multiple threats"
"c:\users\Amanda\AppData\Roaming\FileSubmit\stormwarningss\install\FA366A1\stormwarningss.msi multiple threats"
"c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{b32afd51-1d5c-42eb-9cf2-91f2af93c6dd}\chrome.manifest"
"c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{b32afd51-1d5c-42eb-9cf2-91f2af93c6dd}\chrome\xulcache.jar"
"c:\users\Amanda\Downloads\7artChristmasLand3DInst.exe"
"c:\users\Amanda\Downloads\moviebar_us_z(3).exe"
"c:\users\Amanda\Downloads\moviebar_us_z.exe"
"c:\windows\System32\MFC7132.exe"
"c:\windows\SysWOW64\MFC7132.exe"
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Amanda\AppData\Local\Temp\07072054-000008b4-6wwhup5hml\tmp1723.tmp
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{b32afd51-1d5c-42eb-9cf2-91f2af93c6dd}
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{b32afd51-1d5c-42eb-9cf2-91f2af93c6dd}\chrome.manifest
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{b32afd51-1d5c-42eb-9cf2-91f2af93c6dd}\chrome\xulcache.jar
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{b32afd51-1d5c-42eb-9cf2-91f2af93c6dd}\defaults\preferences\xulcache.js
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{b32afd51-1d5c-42eb-9cf2-91f2af93c6dd}\install.rdf
.
.
(((((((((((((((((((((((((   Files Created from 2011-06-08 to 2011-07-08  )))))))))))))))))))))))))))))))
.
.
2011-07-08 01:22 . 2011-07-08 01:22	357376	----a-w-	c:\windows\SysWow64\atiumdva32.dll
2011-07-08 01:22 . 2011-06-24 03:18	565248	----a-w-	c:\programdata\atiumdva32.exe
2011-07-08 01:21 . 2011-07-08 01:21	--------	d-----w-	c:\windows\system32\config\systemprofile\AppData\Local\temp
2011-07-08 01:21 . 2011-07-08 01:21	--------	d-----w-	c:\users\Default\AppData\Local\temp
2011-07-08 01:21 . 2011-07-08 01:21	--------	d-----w-	c:\users\Conrad\AppData\Local\temp
2011-07-08 00:54 . 2011-07-08 00:54	--------	d-----w-	c:\users\Amanda\AppData\Local\{AA0416E0-8EDB-49F3-A75E-C7AD2CB9B336}
2011-07-07 17:36 . 2011-07-07 17:36	8896	--sha-w-	c:\programdata\findnetprinters32.dll
2011-07-07 17:04 . 2011-07-07 17:04	8896	--sha-w-	c:\programdata\certenc32.dll
2011-07-07 16:31 . 2011-07-07 16:31	8896	--sha-w-	c:\programdata\KBDDIV132.dll
2011-07-07 15:58 . 2011-07-07 15:58	8896	--sha-w-	c:\programdata\atiumdva32.dll
2011-07-07 15:34 . 2011-07-07 15:34	--------	d-----w-	c:\program files (x86)\ESET
2011-07-07 15:32 . 2011-07-08 01:51	--------	d-----w-	c:\users\Amanda\AppData\Local\temp
2011-07-07 00:39 . 2011-07-07 00:39	--------	d-----w-	c:\program files (x86)\Common Files\Java
2011-07-06 15:11 . 2011-07-06 15:11	388096	----a-r-	c:\users\Amanda\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-07-06 15:11 . 2011-07-06 15:11	--------	d-----w-	c:\program files (x86)\Trend Micro
2011-07-06 14:56 . 2011-05-29 13:11	39984	----a-w-	c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-07-06 14:56 . 2011-07-06 14:56	--------	d-----w-	c:\program files (x86)\Malwarebytes' Anti-Malware
2011-07-06 00:17 . 2011-07-06 00:17	--------	d-----w-	c:\users\Amanda\AppData\Roaming\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2011-07-01 02:29 . 2011-06-24 03:18	565248	------w-	c:\windows\SysWow64\MFC7132.exe
2011-06-29 15:00 . 2011-04-29 16:15	344576	----a-w-	c:\windows\system32\schannel.dll
2011-06-29 15:00 . 2011-04-29 15:59	276992	----a-w-	c:\windows\SysWow64\schannel.dll
2011-06-27 14:38 . 2011-06-27 14:38	2106216	----a-w-	c:\program files (x86)\Mozilla Firefox\D3DCompiler_43.dll
2011-06-27 14:38 . 2011-06-27 14:38	1998168	----a-w-	c:\program files (x86)\Mozilla Firefox\d3dx9_43.dll
2011-06-15 17:05 . 2011-07-01 03:35	404640	----a-w-	c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-06-14 00:03 . 2011-06-14 00:03	--------	d-----w-	c:\program files (x86)\MAGIX
2011-06-14 00:03 . 2011-06-14 00:03	--------	d-----w-	c:\program files (x86)\Common Files\MAGIX Services
2011-06-13 14:54 . 2011-06-13 14:54	--------	d-----w-	c:\program files (x86)\Safari
2011-06-13 14:42 . 2011-06-13 14:42	--------	d-----w-	c:\program files\iPod
2011-06-13 14:42 . 2011-06-13 14:43	--------	d-----w-	c:\program files\iTunes
2011-06-13 14:42 . 2011-06-13 14:43	--------	d-----w-	c:\program files (x86)\iTunes
2011-06-13 14:38 . 2011-06-13 14:38	--------	d-----w-	c:\program files\Bonjour
2011-06-13 14:38 . 2011-06-13 14:38	--------	d-----w-	c:\program files (x86)\Bonjour
2011-06-13 01:09 . 2011-06-13 01:09	--------	d-----w-	c:\users\Amanda\AppData\Roaming\Malwarebytes
2011-06-13 01:09 . 2011-06-13 01:09	--------	d-----w-	c:\programdata\Malwarebytes
2011-06-13 01:09 . 2011-05-29 13:11	25912	----a-w-	c:\windows\system32\drivers\mbam.sys
2011-06-13 00:10 . 2011-06-27 14:38	142296	----a-w-	c:\program files (x86)\Mozilla Firefox\components\browsercomps.dll
2011-06-13 00:10 . 2011-06-27 14:38	89048	----a-w-	c:\program files (x86)\Mozilla Firefox\libEGL.dll
2011-06-13 00:10 . 2011-06-27 14:38	465880	----a-w-	c:\program files (x86)\Mozilla Firefox\libGLESv2.dll
2011-06-13 00:10 . 2011-06-27 14:38	15832	----a-w-	c:\program files (x86)\Mozilla Firefox\mozalloc.dll
2011-06-13 00:10 . 2011-06-27 14:38	781272	----a-w-	c:\program files (x86)\Mozilla Firefox\mozsqlite3.dll
2011-06-13 00:10 . 2011-06-27 14:38	1850328	----a-w-	c:\program files (x86)\Mozilla Firefox\mozjs.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-07 00:38 . 2010-07-25 23:37	472808	----a-w-	c:\windows\SysWow64\deployJava1.dll
2011-05-10 12:06 . 2011-05-10 12:06	51712	----a-w-	c:\windows\system32\drivers\usbaapl64.sys
2011-05-10 12:06 . 2011-05-10 12:06	4517664	----a-w-	c:\windows\system32\usbaaplrc.dll
.
.
(((((((((((((((((((((((((((((   [email protected]_21.44.18   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-21 03:20 . 2011-07-06 21:11	32768              c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-01-21 03:20 . 2011-07-07 15:58	32768              c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-01-21 03:20 . 2011-07-07 15:58	49152              c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-01-21 03:20 . 2011-07-06 21:11	49152              c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-21 03:20 . 2011-07-07 15:58	16384              c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-01-21 03:20 . 2011-07-06 21:11	16384              c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-01-21 02:23 . 2011-07-07 15:27	87912              c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 15:45 . 2011-07-07 15:27	97040              c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-08-09 00:10 . 2011-07-07 01:39	20972              c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2819834726-533737158-1913216436-1000_UserData.bin
- 2011-07-06 21:43 . 2011-07-06 21:43	2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-07-08 01:23 . 2011-07-08 01:23	2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-07-08 01:23 . 2011-07-08 01:23	2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2011-07-06 21:43 . 2011-07-06 21:43	2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-07-07 00:39 . 2011-07-07 00:38	157472              c:\windows\SysWOW64\javaws.exe
- 2010-10-27 22:35 . 2010-09-15 08:50	145184              c:\windows\SysWOW64\javaw.exe
+ 2011-07-07 00:39 . 2011-07-07 00:38	145184              c:\windows\SysWOW64\javaw.exe
- 2010-10-27 22:35 . 2010-09-15 08:50	145184              c:\windows\SysWOW64\java.exe
+ 2011-07-07 00:39 . 2011-07-07 00:38	145184              c:\windows\SysWOW64\java.exe
+ 2009-08-09 17:38 . 2011-07-07 20:27	306092              c:\windows\system32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
- 2010-11-12 04:49 . 2011-07-06 21:42	441820              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2010-11-12 04:49 . 2011-07-08 01:22	441820              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-07-07 00:39 . 2011-07-07 00:39	203776              c:\windows\Installer\9d68ec.msi
+ 2011-07-07 00:38 . 2011-07-07 00:38	675840              c:\windows\Installer\9d68de.msi
- 2010-11-12 04:49 . 2011-07-06 21:42	4897704              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2819834726-533737158-1913216436-1000-8192.dat
+ 2010-11-12 04:49 . 2011-07-08 01:22	4897704              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2819834726-533737158-1913216436-1000-8192.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files (x86)\Yahoo!\Companion\Installs\cpn4\YTNavAssist.dll" [2011-03-16 214840]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{A31F34A1-EBD2-45A2-BF6D-231C1B987CC8}]
[HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-09 68856]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"YSearchProtection"="c:\program files (x86)\Yahoo!\Search Protection\YspService.exe" [2010-06-14 296248]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-30 61440]
"LchDrvKey"="LchDrvKey.exe" [2007-03-29 36864]
"LedKey"="CNYHKey.exe" [2008-04-24 339968]
"CLMLServer"="c:\program files (x86)\Cyberlink\Power2Go\CLMLSvc.exe" [2008-12-24 103720]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-06-07 421160]
"AppleSyncNotifier"="c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-11-02 8704]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-23 135664]
R3 b57nd60a;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60a.sys [x]
R3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files (x86)\Common Files\MAGIX Services\Database\bin\fbserver.exe [2008-08-07 3276800]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-23 135664]
R3 PCASp50a64;PCASp50a64 NDIS Protocol Driver;c:\windows\system32\Drivers\PCASp50a64.sys [x]
R3 PCTINDIS5X64;PCTINDIS5X64 NDIS Protocol Driver;c:\windows\system32\PCTINDIS5X64.SYS [x]
R3 SWNC8U80;Sierra Wireless MUX NDIS Driver (UMTS80);c:\windows\system32\DRIVERS\swnc8u80.sys [x]
R3 SWUMX80;Sierra Wireless USB MUX Driver (UMTS80);c:\windows\system32\DRIVERS\swumx80.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [2010-09-24 306416]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 1020768]
R4 ahcix64s;ahcix64s;c:\windows\system32\drivers\ahcix64s.sys [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2008-01-21 27648]
S2 Amsp;Trend Micro Solution Platform;c:\program files\Trend Micro\AMSP\coreServiceShell.exe coreFrameworkHost.exe [x]
S2 Fabs;FABS - Helping agent for MAGIX media database;c:\program files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe [2009-08-27 1253376]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\DRIVERS\tmevtmgr.sys [x]
S2 yksvc;Marvell Yukon Service;c:\windows\System32\svchost.exe [2008-01-21 27648]
S3 netr28ux;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28ux.sys [x]
S3 yukonx64;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk60x64.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
getPlusHelper	REG_MULTI_SZ   	getPlusHelper
Akamai	REG_MULTI_SZ   	Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-23 17:50]
.
2011-07-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-23 17:50]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-03-30 7574048]
"Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2009-03-30 1833504]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-09-24 163568]
"Trend Micro Titanium"="c:\program files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" [2011-02-17 1111568]
"Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2011-02-10 197152]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://www.yahoo.com
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.2.1 74.128.17.114 74.128.19.102
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://m.www.yahoo.com/\r
FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, true
.
- - - - ORPHANS REMOVED - - - -
.
SharedTaskScheduler-{705FB965-7459-4644-BF5E-12152519A1D8} - (no file)
WebBrowser-{D0523BB4-21E7-11DD-9AB7-415B56D89593} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{015113EC-A4E0-4FB1-9CE1-2140252DABE2}"=hex:51,66,7a,6c,4c,1d,38,12,82,10,42,
   05,d2,ea,df,0a,e3,f7,62,00,20,73,ef,f6
"{014D2F73-E2A5-44F6-BD45-F0A791DE42A7}"=hex:51,66,7a,6c,4c,1d,38,12,1d,2c,5e,
   05,97,ac,98,01,c2,53,b3,e7,94,80,06,b3
"{010DBB78-2FED-4AED-A7E8-DC083989F51F}"=hex:51,66,7a,6c,4c,1d,38,12,16,b8,1e,
   05,df,61,83,0f,d8,fe,9f,48,3c,d7,b1,0b
"{009A6416-669F-4147-8F1B-176A85CCE46A}"=hex:51,66,7a,6c,4c,1d,38,12,78,67,89,
   04,ad,28,29,04,f0,0d,54,2a,80,92,a0,7e
"{005C3BD7-7E45-425D-AE16-69460AD19D6B}"=hex:51,66,7a,6c,4c,1d,38,12,b9,38,4f,
   04,77,30,33,07,d1,00,2a,06,0f,8f,d9,7f
.
[HKEY_USERS\S-1-5-21-2819834726-533737158-1913216436-1000\Software\SecuROM\License information*]
"datasecu"=hex:71,1d,81,de,fe,f4,50,82,c4,5b,8b,93,a1,93,1a,f8,e9,47,58,e8,a3,
   0f,6b,38,5c,d0,bf,13,43,71,55,72,c3,27,da,64,dd,d6,91,51,db,17,59,57,a7,a1,\
"rkeysecu"=hex:6d,fd,d5,a6,54,58,d5,b1,55,2c,10,1a,0b,7c,0c,a1
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
   00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Bonjour\mDNSResponder.exe
c:\windows\SysWOW64\mfc7132.exe
c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\programdata\atiumdva32.exe
c:\program files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\MHotKey.exe
c:\windows\ChiFuncExt.exe
c:\windows\CNYHKey.exe
.
**************************************************************************
.
Completion time: 2011-07-07  21:53:47 - machine was rebooted
ComboFix-quarantined-files.txt  2011-07-08 01:53
ComboFix2.txt  2011-07-07 15:32
ComboFix3.txt  2011-07-07 01:45
ComboFix4.txt  2011-07-06 21:50
.
Pre-Run: 396,727,746,560 bytes free
Post-Run: 395,902,644,224 bytes free
.
- - End Of File - - E1C14E0177C3BB13CA40C22318C74893






Also got this as combo was finishing. Said it wanted to 'upload some files to server' ;


----------



## M199

Oh, and going to the 2nd step. I don't see a Java Icon on my control panel?


----------



## johnb35

M199 said:


> Oh, and going to the 2nd step. I don't see a Java Icon on my control panel?



Did you install the latest version from my post I gave you here?

http://www.computerforum.com/198003-having-some-issues-very-confused-2.html#post1650805

I'm working on your combofix log now, it seems there are still issues going on.


----------



## M199

I did.
I had to go to my tools>java console to get to the control panel for java. So I'm doing step 2 now.

-done


----------



## johnb35

I need you to run an updated malwarebytes scan for me.  New files have appeared since the last scan.  Open malwarebytes, click on the update tab, click on check for updates.  After it updates please run a quick scan on your system and post the logfile.
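
The new files johnb35 is referring to are visible in the "Files Created" section of the ComboFix log above: four 8896-byte hidden+system DLLs dropped into c:\programdata about half an hour apart under system-DLL-like names, plus c:\programdata\atiumdva32.exe and c:\windows\SysWow64\MFC7132.exe sharing one size and one modification time. The Python below, an added example rather than ComboFix's or the forum's own code, parses that section and flags exactly those patterns. The line layout and attribute-flag interpretation, the function names and the flagging thresholds are the example's assumptions; the sample lines are copied from the log in this thread.

```python
"""Triage the 'Files Created' section of a ComboFix log.

Added example, not ComboFix's or the forum's own code. Assumes the line layout
seen in the log above: "<created> . <modified>  <size|-------->  <attrs>  <path>",
tab separated, where attrs is an 8-character flag string ("d" = directory,
"s" = system, "h" = hidden, "a" = archive, "r"/"w" = read-only/writable).
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: lines taken from the ComboFix log in this thread.
SAMPLE_FILES_CREATED = "\n".join("\t".join(f) for f in [
    ("2011-07-08 01:22 . 2011-07-08 01:22", "357376", "----a-w-", r"c:\windows\SysWow64\atiumdva32.dll"),
    ("2011-07-08 01:22 . 2011-06-24 03:18", "565248", "----a-w-", r"c:\programdata\atiumdva32.exe"),
    ("2011-07-07 17:36 . 2011-07-07 17:36", "8896", "--sha-w-", r"c:\programdata\findnetprinters32.dll"),
    ("2011-07-07 17:04 . 2011-07-07 17:04", "8896", "--sha-w-", r"c:\programdata\certenc32.dll"),
    ("2011-07-07 16:31 . 2011-07-07 16:31", "8896", "--sha-w-", r"c:\programdata\KBDDIV132.dll"),
    ("2011-07-07 15:58 . 2011-07-07 15:58", "8896", "--sha-w-", r"c:\programdata\atiumdva32.dll"),
    ("2011-07-07 15:34 . 2011-07-07 15:34", "--------", "d-----w-", r"c:\program files (x86)\ESET"),
    ("2011-07-06 15:11 . 2011-07-06 15:11", "388096", "----a-r-",
     r"c:\users\Amanda\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe"),
    ("2011-07-01 02:29 . 2011-06-24 03:18", "565248", "------w-", r"c:\windows\SysWow64\MFC7132.exe"),
])

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"\s+(\S+)\s+(\S{8})\s+(.+?)\s*$"
)
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".cpl")
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\")   # assumed "user-writable" roots


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]      # None for directories ("--------")
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def hidden_system(self) -> bool:
        return "s" in self.attrs and "h" in self.attrs

    @property
    def is_executable(self) -> bool:
        return self.path.lower().endswith(EXEC_EXT)


def parse_files_created(text: str) -> List[Entry]:
    """Parse the section; banners and '.' spacer lines simply do not match."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        created, modified, size, attrs, path = m.groups()
        entries.append(Entry(created, modified, None if size.startswith("-") else int(size), attrs, path))
    return entries


def triage(entries: List[Entry]) -> Dict[str, List[str]]:
    """Return {path: [reasons]} for files worth a second look."""
    findings: Dict[str, List[str]] = defaultdict(list)
    files = [e for e in entries if not e.is_dir]

    # 1. Hidden+system files in a user-writable location.
    for e in files:
        if e.hidden_system and e.path.lower().startswith(USER_WRITABLE):
            findings[e.path].append("hidden+system file in a user-writable location")

    # 2. Executables with identical size and modification time under different names.
    by_stamp = defaultdict(list)
    for e in files:
        if e.is_executable and e.size is not None:
            by_stamp[(e.size, e.modified)].append(e)
    for (size, modified), group in by_stamp.items():
        if len(group) >= 2:
            for e in group:
                findings[e.path].append(
                    f"same size/mtime ({size} bytes, {modified}) as {len(group) - 1} other file(s)")

    # 3. A series of same-size executables dropped in a user-writable location.
    by_size = defaultdict(list)
    for e in files:
        if e.is_executable and e.size is not None and e.path.lower().startswith(USER_WRITABLE):
            by_size[e.size].append(e)
    for size, group in by_size.items():
        if len(group) >= 3:
            for e in group:
                findings[e.path].append(f"one of {len(group)} executables of exactly {size} bytes")

    return dict(findings)


if __name__ == "__main__":
    for path, reasons in triage(parse_files_created(SAMPLE_FILES_CREATED)).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

On the sample, only the c:\programdata droppers and the SysWow64 copy of MFC7132.exe are flagged; the genuine HiJackThis.exe install and the ESET folder pass silently, which is the point of keying on attributes and clustering rather than on location alone.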


----------



## M199

Here you go

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 7045

Windows 6.0.6002 Service Pack 2
Internet Explorer 9.0.8112.16421

7/7/2011 10:37:57 PM
mbam-log-2011-07-07 (22-37-57).txt

Scan type: Quick scan
Objects scanned: 189559
Time elapsed: 4 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


----------



## johnb35

This is one of those few occasions I have users download and run Superantispyware. 

http://download.cnet.com/SuperAntiSpyware-Free-Edition/3000-8022_4-10523889.html

Download, install, and update it before running and post the log when complete.  To access the log, click on the preferences button on the main page, then click on the statistics/logs tab and then open the log and copy and paste it back here.  Please let it remove whatever it finds.


----------



## M199

Do I run a quick or full scan?


----------



## johnb35

Quick scan


----------



## M199

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/07/2011 at 11:20 PM

Application Version : 4.55.1000

Core Rules Database Version : 7386
Trace Rules Database Version: 5198

Scan type       : Quick Scan
Total Scan Time : 00:26:02

Memory items scanned      : 636
Memory threats detected   : 0
Registry items scanned    : 2456
Registry threats detected : 15
File items scanned        : 20181
File threats detected     : 63

Adware.Tracking Cookie
	C:\Users\Amanda\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
	C:\Users\Amanda\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
	C:\Users\Amanda\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
	C:\Users\Amanda\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
	C:\Users\Amanda\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
	C:\Users\Amanda\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
	C:\Users\Amanda\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
	C:\Users\Amanda\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
	C:\Users\Amanda\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
	C:\Users\Amanda\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
	C:\Users\Amanda\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
	C:\Users\Amanda\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
	C:\Users\Amanda\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
	C:\Users\Amanda\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
	C:\Users\Amanda\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
	C:\Users\Amanda\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
	C:\Users\Amanda\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
	C:\Users\Amanda\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
	C:\Users\Amanda\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
	C:\Users\Amanda\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
	C:\Users\Amanda\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
	C:\Users\Amanda\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
	C:\Users\Amanda\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
	C:\Users\Amanda\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
	C:\Users\Amanda\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
	C:\Users\Amanda\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
	C:\Users\Amanda\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
	C:\Users\Amanda\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
	C:\Users\Amanda\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
	C:\Users\Amanda\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
	C:\Users\Amanda\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
	C:\Users\Amanda\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
	C:\Users\Amanda\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
	C:\Users\Amanda\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
	C:\Users\Amanda\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
	C:\Users\Amanda\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
	C:\Users\Amanda\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
	C:\Users\Amanda\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
	C:\Users\Amanda\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
	C:\Users\Amanda\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
	C:\Users\Amanda\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
	C:\Users\Amanda\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
	C:\Users\Amanda\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
	C:\Users\Amanda\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
	C:\Users\Amanda\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
	C:\Users\Amanda\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
	C:\Users\Amanda\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
	C:\Users\Amanda\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
	C:\Users\Amanda\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
	C:\Users\Amanda\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
	C:\Users\Amanda\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
	C:\Users\Amanda\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][3].txt
	C:\Users\Amanda\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
	C:\Users\Amanda\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
	C:\Users\Amanda\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
	C:\Users\Amanda\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
	C:\Users\Amanda\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
	cdn.insights.gravity.com [ C:\Users\Amanda\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\MAXZBRPT ]
	spe.atdmt.com [ C:\Users\Amanda\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\MAXZBRPT ]
	C:\Users\Conrad\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
	C:\Users\Conrad\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
	C:\Users\Conrad\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt

Adware.MyWebSearch/FunWebProducts
	(x86) HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}
	(x86) HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\ProxyStubClsid
	(x86) HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\ProxyStubClsid32
	(x86) HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\TypeLib
	(x86) HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\TypeLib#Version
	(x86) HKCR\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}
	(x86) HKCR\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}\ProxyStubClsid
	(x86) HKCR\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}\ProxyStubClsid32
	(x86) HKCR\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}\TypeLib
	(x86) HKCR\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}\TypeLib#Version

Browser Hijacker.Deskbar
	(x86) HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}
	(x86) HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid
	(x86) HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32
	(x86) HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib
	(x86) HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib#Version

Trojan.Agent/Gen-FakeDrop
	C:\PROGRAM FILES (X86)\MOVIE MAKER\SHARED\DPL HILITE FILTER EFFECTS UNINSTALLER.EXE


----------



## johnb35

Okay, sorry for the late reply.

First thing to do would be to download and run Ccleaner.

http://download.cnet.com/ccleaner/

download, install and run it.  Open the program, don't change any settings and just click on run cleaner.  Then do the following.

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box



```
KillAll::

Folder::
c:\users\Amanda\AppData\Local\{AA0416E0-8EDB-49F3-A75E-C7AD2CB9B336}

File::
c:\windows\SysWow64\atiumdva32.dll
c:\programdata\atiumdva32.exe
c:\programdata\findnetprinters32.dll
c:\programdata\certenc32.dll
c:\programdata\KBDDIV132.dll
c:\programdata\atiumdva32.dll
c:\windows\SysWOW64\mfc7132.exe

Dirlook::
c:\users\Amanda\AppData\Roaming
```

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!








ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.


----------



## M199

Sorry late reply too.
I see this program labels history on the scanner? It's not going to clear it is it?


----------



## johnb35

If you don't want internet history to be deleted then uncheck the box.


----------



## M199

So it's going to delete what's checked off?  I have art programs I can't get rid of. lol


----------



## johnb35

It won't delete any programs you have installed.


----------



## M199

Ok - just wanted to be sure.
Running now.


----------



## johnb35

I'm headed to bed so I will reply tomorrow when I get home from work.  Post your log and I'll look at it when I get home.


----------



## M199

That's fine, here you go!

ComboFix 11-07-07.05 - Amanda 07/09/2011  22:34:09.5.2 - x64
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.5886.4037 [GMT -4:00]
Running from: c:\users\Amanda\Downloads\ComboFix.exe
Command switches used :: c:\users\Amanda\Desktop\CFScript.txt
AV: Trend Micro Titanium *Disabled/Updated* {68F968AC-2AA0-091D-848C-803E83E35902}
SP: Trend Micro Titanium *Disabled/Updated* {D3988948-0C9A-0693-BE3C-BB4CF86413BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\programdata\atiumdva32.dll"
"c:\programdata\atiumdva32.exe"
"c:\programdata\certenc32.dll"
"c:\programdata\findnetprinters32.dll"
"c:\programdata\KBDDIV132.dll"
"c:\windows\SysWow64\atiumdva32.dll"
"c:\windows\SysWOW64\mfc7132.exe"
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\atiumdva32.exe
c:\users\Amanda\AppData\Local\{AA0416E0-8EDB-49F3-A75E-C7AD2CB9B336}
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{19bf2274-6f60-409f-993d-ac26dd482737}
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{19bf2274-6f60-409f-993d-ac26dd482737}\chrome.manifest
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{19bf2274-6f60-409f-993d-ac26dd482737}\chrome\xulcache.jar
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{19bf2274-6f60-409f-993d-ac26dd482737}\defaults\preferences\xulcache.js
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{19bf2274-6f60-409f-993d-ac26dd482737}\install.rdf
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{c4d0a5ac-f947-475b-9a40-139a4c350fa9}
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{c4d0a5ac-f947-475b-9a40-139a4c350fa9}\chrome.manifest
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{c4d0a5ac-f947-475b-9a40-139a4c350fa9}\chrome\xulcache.jar
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{c4d0a5ac-f947-475b-9a40-139a4c350fa9}\defaults\preferences\xulcache.js
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{c4d0a5ac-f947-475b-9a40-139a4c350fa9}\install.rdf
.
.
(((((((((((((((((((((((((   Files Created from 2011-06-10 to 2011-07-10  )))))))))))))))))))))))))))))))
.
.
2011-07-10 02:52 . 2011-07-10 02:53	--------	d-----w-	c:\users\Amanda\AppData\Local\temp
2011-07-10 02:52 . 2011-07-10 02:52	--------	d-----w-	c:\windows\system32\config\systemprofile\AppData\Local\temp
2011-07-10 02:52 . 2011-07-10 02:52	--------	d-----w-	c:\users\Default\AppData\Local\temp
2011-07-10 02:52 . 2011-07-10 02:52	--------	d-----w-	c:\users\Conrad\AppData\Local\temp
2011-07-10 01:58 . 2011-07-10 01:58	--------	d-----w-	c:\program files\CCleaner
2011-07-08 16:11 . 2011-07-08 16:11	8896	--sha-w-	c:\programdata\SMBHelperClass32.dll
2011-07-08 15:41 . 2011-07-08 15:41	8896	--sha-w-	c:\programdata\feclient32.dll
2011-07-08 04:26 . 2011-07-08 04:26	8896	--sha-w-	c:\programdata\CddbLangJA32.dll
2011-07-08 03:54 . 2011-07-08 03:54	8896	--sha-w-	c:\programdata\KBDCZ232.dll
2011-07-08 03:22 . 2011-07-08 03:22	357376	------w-	c:\windows\SysWow64\atiumdva32.dll
2011-07-08 02:57 . 2011-07-08 02:57	8896	--sha-w-	c:\programdata\D3DCompiler_3432.dll
2011-07-08 02:49 . 2011-07-08 02:49	--------	d-----w-	c:\users\Amanda\AppData\Roaming\SUPERAntiSpyware.com
2011-07-08 02:49 . 2011-07-08 02:49	--------	d-----w-	c:\programdata\SUPERAntiSpyware.com
2011-07-08 02:49 . 2011-07-08 02:49	--------	d-----w-	c:\programdata\!SASCORE
2011-07-08 02:49 . 2011-07-08 02:49	--------	d-----w-	c:\program files\SUPERAntiSpyware
2011-07-08 02:27 . 2011-07-08 02:27	8896	--sha-w-	c:\programdata\TimeDateMUICallback32.dll
2011-07-08 01:56 . 2011-07-08 01:56	8896	--sha-w-	c:\programdata\snmpapi32.dll
2011-07-07 17:36 . 2011-07-07 17:36	8896	--sha-w-	c:\programdata\findnetprinters32.dll
2011-07-07 17:04 . 2011-07-07 17:04	8896	--sha-w-	c:\programdata\certenc32.dll
2011-07-07 16:31 . 2011-07-07 16:31	8896	--sha-w-	c:\programdata\KBDDIV132.dll
2011-07-07 15:58 . 2011-07-07 15:58	8896	--sha-w-	c:\programdata\atiumdva32.dll
2011-07-07 15:34 . 2011-07-07 15:34	--------	d-----w-	c:\program files (x86)\ESET
2011-07-07 00:39 . 2011-07-07 00:39	--------	d-----w-	c:\program files (x86)\Common Files\Java
2011-07-06 15:11 . 2011-07-06 15:11	388096	----a-r-	c:\users\Amanda\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-07-06 15:11 . 2011-07-06 15:11	--------	d-----w-	c:\program files (x86)\Trend Micro
2011-07-06 14:56 . 2011-05-29 13:11	39984	----a-w-	c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-07-06 14:56 . 2011-07-06 14:56	--------	d-----w-	c:\program files (x86)\Malwarebytes' Anti-Malware
2011-07-06 00:17 . 2011-07-06 00:17	--------	d-----w-	c:\users\Amanda\AppData\Roaming\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2011-07-01 02:29 . 2011-06-24 03:18	565248	------w-	c:\windows\SysWow64\MFC7132.exe
2011-06-29 15:00 . 2011-04-29 16:15	344576	----a-w-	c:\windows\system32\schannel.dll
2011-06-29 15:00 . 2011-04-29 15:59	276992	----a-w-	c:\windows\SysWow64\schannel.dll
2011-06-27 14:38 . 2011-06-27 14:38	2106216	----a-w-	c:\program files (x86)\Mozilla Firefox\D3DCompiler_43.dll
2011-06-27 14:38 . 2011-06-27 14:38	1998168	----a-w-	c:\program files (x86)\Mozilla Firefox\d3dx9_43.dll
2011-06-15 17:05 . 2011-07-01 03:35	404640	----a-w-	c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-06-14 00:03 . 2011-06-14 00:03	--------	d-----w-	c:\program files (x86)\MAGIX
2011-06-14 00:03 . 2011-06-14 00:03	--------	d-----w-	c:\program files (x86)\Common Files\MAGIX Services
2011-06-13 14:54 . 2011-06-13 14:54	--------	d-----w-	c:\program files (x86)\Safari
2011-06-13 14:42 . 2011-06-13 14:42	--------	d-----w-	c:\program files\iPod
2011-06-13 14:42 . 2011-06-13 14:43	--------	d-----w-	c:\program files\iTunes
2011-06-13 14:42 . 2011-06-13 14:43	--------	d-----w-	c:\program files (x86)\iTunes
2011-06-13 14:38 . 2011-06-13 14:38	--------	d-----w-	c:\program files\Bonjour
2011-06-13 14:38 . 2011-06-13 14:38	--------	d-----w-	c:\program files (x86)\Bonjour
2011-06-13 01:09 . 2011-06-13 01:09	--------	d-----w-	c:\users\Amanda\AppData\Roaming\Malwarebytes
2011-06-13 01:09 . 2011-06-13 01:09	--------	d-----w-	c:\programdata\Malwarebytes
2011-06-13 01:09 . 2011-05-29 13:11	25912	----a-w-	c:\windows\system32\drivers\mbam.sys
2011-06-13 00:10 . 2011-06-27 14:38	142296	----a-w-	c:\program files (x86)\Mozilla Firefox\components\browsercomps.dll
2011-06-13 00:10 . 2011-06-27 14:38	89048	----a-w-	c:\program files (x86)\Mozilla Firefox\libEGL.dll
2011-06-13 00:10 . 2011-06-27 14:38	465880	----a-w-	c:\program files (x86)\Mozilla Firefox\libGLESv2.dll
2011-06-13 00:10 . 2011-06-27 14:38	15832	----a-w-	c:\program files (x86)\Mozilla Firefox\mozalloc.dll
2011-06-13 00:10 . 2011-06-27 14:38	781272	----a-w-	c:\program files (x86)\Mozilla Firefox\mozsqlite3.dll
2011-06-13 00:10 . 2011-06-27 14:38	1850328	----a-w-	c:\program files (x86)\Mozilla Firefox\mozjs.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-07 00:38 . 2010-07-25 23:37	472808	----a-w-	c:\windows\SysWow64\deployJava1.dll
2011-05-10 12:06 . 2011-05-10 12:06	51712	----a-w-	c:\windows\system32\drivers\usbaapl64.sys
2011-05-10 12:06 . 2011-05-10 12:06	4517664	----a-w-	c:\windows\system32\usbaaplrc.dll
.
.
((((((((((((((((((((((((((((((((((((((((((((   Look   )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\users\Amanda\AppData\Roaming ----
.
.
.
(((((((((((((((((((((((((((((   [email protected]_21.44.18   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-21 03:20 . 2011-07-06 21:11	32768              c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-01-21 03:20 . 2011-07-08 03:54	32768              c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-01-21 03:20 . 2011-07-08 03:54	49152              c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-01-21 03:20 . 2011-07-06 21:11	49152              c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-21 03:20 . 2011-07-08 03:54	16384              c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-01-21 03:20 . 2011-07-06 21:11	16384              c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-01-21 02:23 . 2011-07-10 02:55	89034              c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 15:45 . 2011-07-10 02:55	97396              c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-08-09 00:10 . 2011-07-10 02:55	21352              c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2819834726-533737158-1913216436-1000_UserData.bin
+ 2009-08-09 00:11 . 2011-07-10 01:58	16384              c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-08-09 00:11 . 2011-07-06 20:45	16384              c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-08-09 00:11 . 2011-07-06 20:45	32768              c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-08-09 00:11 . 2011-07-10 01:58	32768              c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-08-09 00:11 . 2011-07-06 20:45	16384              c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-08-09 00:11 . 2011-07-10 01:58	16384              c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-07-10 02:53 . 2011-07-10 02:53	2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-07-06 21:43 . 2011-07-06 21:43	2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-07-10 02:53 . 2011-07-10 02:53	2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2011-07-06 21:43 . 2011-07-06 21:43	2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-07-07 00:39 . 2011-07-07 00:38	157472              c:\windows\SysWOW64\javaws.exe
- 2010-10-27 22:35 . 2010-09-15 08:50	145184              c:\windows\SysWOW64\javaw.exe
+ 2011-07-07 00:39 . 2011-07-07 00:38	145184              c:\windows\SysWOW64\javaw.exe
+ 2011-07-07 00:39 . 2011-07-07 00:38	145184              c:\windows\SysWOW64\java.exe
- 2010-10-27 22:35 . 2010-09-15 08:50	145184              c:\windows\SysWOW64\java.exe
+ 2009-08-09 17:38 . 2011-07-08 17:21	307024              c:\windows\system32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2010-11-12 04:49 . 2011-07-10 02:52	441820              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2010-11-12 04:49 . 2011-07-06 21:42	441820              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2011-06-13 00:39 . 2011-07-04 03:40	853060              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2819834726-533737158-1913216436-1000-12288.dat
+ 2011-06-13 00:39 . 2011-07-10 02:52	853060              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2819834726-533737158-1913216436-1000-12288.dat
+ 2011-07-07 00:39 . 2011-07-07 00:39	203776              c:\windows\Installer\9d68ec.msi
+ 2011-07-07 00:38 . 2011-07-07 00:38	675840              c:\windows\Installer\9d68de.msi
+ 2010-11-12 04:49 . 2011-07-10 02:52	4897704              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2819834726-533737158-1913216436-1000-8192.dat
- 2010-11-12 04:49 . 2011-07-06 21:42	4897704              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2819834726-533737158-1913216436-1000-8192.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files (x86)\Yahoo!\Companion\Installs\cpn4\YTNavAssist.dll" [2011-03-16 214840]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{A31F34A1-EBD2-45A2-BF6D-231C1B987CC8}]
[HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin]
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{005C3BD7-7E45-425D-AE16-69460AD19D6b}]
2011-07-08 03:22	357376	------w-	c:\windows\SysWOW64\atiumdva32.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-09 68856]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"YSearchProtection"="c:\program files (x86)\Yahoo!\Search Protection\YspService.exe" [2010-06-14 296248]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-06-30 2988928]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-30 61440]
"LchDrvKey"="LchDrvKey.exe" [2007-03-29 36864]
"LedKey"="CNYHKey.exe" [2008-04-24 339968]
"CLMLServer"="c:\program files (x86)\Cyberlink\Power2Go\CLMLSvc.exe" [2008-12-24 103720]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-06-07 421160]
"AppleSyncNotifier"="c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-11-02 8704]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-23 135664]
R3 b57nd60a;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60a.sys [x]
R3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files (x86)\Common Files\MAGIX Services\Database\bin\fbserver.exe [2008-08-07 3276800]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-23 135664]
R3 PCASp50a64;PCASp50a64 NDIS Protocol Driver;c:\windows\system32\Drivers\PCASp50a64.sys [x]
R3 PCTINDIS5X64;PCTINDIS5X64 NDIS Protocol Driver;c:\windows\system32\PCTINDIS5X64.SYS [x]
R3 SWNC8U80;Sierra Wireless MUX NDIS Driver (UMTS80);c:\windows\system32\DRIVERS\swnc8u80.sys [x]
R3 SWUMX80;Sierra Wireless USB MUX Driver (UMTS80);c:\windows\system32\DRIVERS\swumx80.sys [x]
R3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [2010-09-24 306416]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 1020768]
R4 ahcix64s;ahcix64s;c:\windows\system32\drivers\ahcix64s.sys [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2010-02-17 14920]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2010-02-17 12360]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-05-04 128384]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2008-01-21 27648]
S2 Amsp;Trend Micro Solution Platform;c:\program files\Trend Micro\AMSP\coreServiceShell.exe coreFrameworkHost.exe [x]
S2 Fabs;FABS - Helping agent for MAGIX media database;c:\program files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe [2009-08-27 1253376]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\DRIVERS\tmevtmgr.sys [x]
S2 yksvc;Marvell Yukon Service;c:\windows\System32\svchost.exe [2008-01-21 27648]
S3 netr28ux;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28ux.sys [x]
S3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
S3 yukonx64;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk60x64.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
getPlusHelper	REG_MULTI_SZ   	getPlusHelper
Akamai	REG_MULTI_SZ   	Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-23 17:50]
.
2011-07-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-23 17:50]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-03-30 7574048]
"Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2009-03-30 1833504]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-09-24 163568]
"Trend Micro Titanium"="c:\program files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" [2011-02-17 1111568]
"Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2011-02-10 197152]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://www.yahoo.com
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.2.1 74.128.17.114 74.128.19.102
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://m.www.yahoo.com/\r
FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, true
.
- - - - ORPHANS REMOVED - - - -
.
SharedTaskScheduler-{705FB965-7459-4644-BF5E-12152519A1D8} - (no file)
WebBrowser-{D0523BB4-21E7-11DD-9AB7-415B56D89593} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{015113EC-A4E0-4FB1-9CE1-2140252DABE2}"=hex:51,66,7a,6c,4c,1d,38,12,82,10,42,
   05,d2,ea,df,0a,e3,f7,62,00,20,73,ef,f6
"{014D2F73-E2A5-44F6-BD45-F0A791DE42A7}"=hex:51,66,7a,6c,4c,1d,38,12,1d,2c,5e,
   05,97,ac,98,01,c2,53,b3,e7,94,80,06,b3
"{010DBB78-2FED-4AED-A7E8-DC083989F51F}"=hex:51,66,7a,6c,4c,1d,38,12,16,b8,1e,
   05,df,61,83,0f,d8,fe,9f,48,3c,d7,b1,0b
"{009A6416-669F-4147-8F1B-176A85CCE46A}"=hex:51,66,7a,6c,4c,1d,38,12,78,67,89,
   04,ad,28,29,04,f0,0d,54,2a,80,92,a0,7e
"{005C3BD7-7E45-425D-AE16-69460AD19D6B}"=hex:51,66,7a,6c,4c,1d,38,12,b9,38,4f,
   04,77,30,33,07,d1,00,2a,06,0f,8f,d9,7f
.
[HKEY_USERS\S-1-5-21-2819834726-533737158-1913216436-1000\Software\SecuROM\License information*]
"datasecu"=hex:71,1d,81,de,fe,f4,50,82,c4,5b,8b,93,a1,93,1a,f8,e9,47,58,e8,a3,
   0f,6b,38,5c,d0,bf,13,43,71,55,72,c3,27,da,64,dd,d6,91,51,db,17,59,57,a7,a1,\
"rkeysecu"=hex:6d,fd,d5,a6,54,58,d5,b1,55,2c,10,1a,0b,7c,0c,a1
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
   00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Bonjour\mDNSResponder.exe
c:\windows\SysWOW64\mfc7132.exe
c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\programdata\atiumdva32.exe
c:\windows\MHotKey.exe
c:\windows\ChiFuncExt.exe
c:\windows\CNYHKey.exe
c:\windows\ModLedKey.exe
c:\program files (x86)\Mozilla Firefox\firefox.exe
.
**************************************************************************
.
Completion time: 2011-07-09  23:01:12 - machine was rebooted
ComboFix-quarantined-files.txt  2011-07-10 03:01
ComboFix2.txt  2011-07-08 01:53
ComboFix3.txt  2011-07-07 15:32
ComboFix4.txt  2011-07-07 01:45
ComboFix5.txt  2011-07-10 02:32
.
Pre-Run: 398,228,615,168 bytes free
Post-Run: 397,970,735,104 bytes free
.
- - End Of File - - 6F78C94D7F03D2FC745D93FA26045FF7
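What the helpers react to in the next posts is visible in the log above: eleven 8,896-byte DLLs with hidden+system attributes dropped into c:\programdata under system-library names (atiumdva32.dll, certenc32.dll, snmpapi32.dll and so on), a 357,376-byte atiumdva32.dll in SysWOW64 registered as an Internet Explorer Browser Helper Object, and mfc7132.exe and atiumdva32.exe still listed under "Other Running Processes". The following Python script is an added example, not code from the thread, from ComboFix or from any of the helpers; it parses a constructed excerpt modelled on the posted log and applies those triage rules mechanically. The rule names, the cluster threshold of three and the sample excerpt itself are this example's own choices.

```python
"""Triage a ComboFix log for dropper-style file clusters.

Added example; not code from the forum thread, ComboFix or any helper.
It encodes the reasoning applied to the 'Files Created' section above:
executables dropped into c:\\programdata with hidden+system attributes,
many sharing one byte size (one dropper, many copies), a DLL registered
as an Internet Explorer Browser Helper Object, and binaries that are
still listed under 'Other Running Processes'. SAMPLE_LOG is a constructed
excerpt modelled on the posted log (whitespace normalised to spaces);
rule names and the cluster threshold are this example's own choices.
"""
import re
from collections import Counter

SAMPLE_LOG = r"""
(((((((((((((((((((((((((   Files Created from 2011-06-10 to 2011-07-10  )))))))))))))))))))))))))))))))
.
2011-07-10 01:58 . 2011-07-10 01:58   --------   d-----w-   c:\program files\CCleaner
2011-07-08 16:11 . 2011-07-08 16:11   8896   --sha-w-   c:\programdata\SMBHelperClass32.dll
2011-07-08 15:41 . 2011-07-08 15:41   8896   --sha-w-   c:\programdata\feclient32.dll
2011-07-08 03:22 . 2011-07-08 03:22   357376   ------w-   c:\windows\SysWow64\atiumdva32.dll
2011-07-08 02:57 . 2011-07-08 02:57   8896   --sha-w-   c:\programdata\D3DCompiler_3432.dll
2011-07-07 15:58 . 2011-07-07 15:58   8896   --sha-w-   c:\programdata\atiumdva32.dll
2011-07-01 02:29 . 2011-06-24 03:18   565248   ------w-   c:\windows\SysWow64\MFC7132.exe
2011-06-29 15:00 . 2011-04-29 16:15   344576   ----a-w-   c:\windows\system32\schannel.dll
2011-06-27 14:38 . 2011-06-27 14:38   2106216   ----a-w-   c:\program files (x86)\Mozilla Firefox\D3DCompiler_43.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{005C3BD7-7E45-425D-AE16-69460AD19D6b}]
2011-07-08 03:22   357376   ------w-   c:\windows\SysWOW64\atiumdva32.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Bonjour\mDNSResponder.exe
c:\windows\SysWOW64\mfc7132.exe
c:\programdata\atiumdva32.exe
c:\program files (x86)\Mozilla Firefox\firefox.exe
.
"""

# 'Files Created' rows: created . modified  size|--------  attrs  path
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. (?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d)"
    r"\s+(?P<size>\d+|-+)\s+(?P<attrs>\S{8})\s+(?P<path>.+)$"
)
# File line printed under a registry loading point: date  size  attrs  path
REG_FILE_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d\s+\d+\s+\S{8}\s+(?P<path>.+)$")
EXE_EXT = (".exe", ".dll", ".sys", ".scr")


def parse_log(log: str):
    """Return (files, running, bhos) pulled from the ComboFix sections used here."""
    files, running, bhos = [], set(), set()
    section, expect_bho = None, False
    for raw in log.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if expect_bho:                      # the line after a BHO key names the DLL it loads
            m = REG_FILE_RE.match(line)
            if m:
                bhos.add(m.group("path").lower())
            expect_bho = False
            continue
        if line.startswith("[") and "browser helper objects" in line.lower():
            expect_bho = True
            continue
        if "Files Created" in line:
            section = "files"
        elif "Other Running Processes" in line:
            section = "procs"
        elif line.startswith(("(((", "---", "***")):
            section = None                  # any other ComboFix banner ends the section
        elif section == "files":
            m = FILE_RE.match(line)
            if m:
                files.append(m.groupdict())
        elif section == "procs":
            running.add(line.lower())
    return files, running, bhos


def triage(log: str, min_cluster: int = 3) -> dict:
    """Map each suspicious path (lower-cased) to the list of rules it tripped."""
    files, running, bhos = parse_log(log)
    exes = [f for f in files if f["path"].lower().endswith(EXE_EXT)]
    size_count = Counter(f["size"] for f in exes)
    findings = {}
    for f in exes:
        path = f["path"].lower()
        reasons = []
        if path.startswith("c:\\programdata\\"):
            reasons.append("executable dropped directly in ProgramData")
        if {"s", "h"} <= set(f["attrs"]):
            reasons.append("hidden+system attributes")
        if size_count[f["size"]] >= min_cluster:
            reasons.append(f"{size_count[f['size']]} executables share size {f['size']}")
        if path in bhos:
            reasons.append("registered as an IE Browser Helper Object")
        if path in running:
            reasons.append("currently running")
        if reasons:
            findings[path] = reasons
    # A process running out of ProgramData is suspicious even with no file record
    for p in running:
        if p.startswith("c:\\programdata\\") and p not in findings:
            findings[p] = ["running from ProgramData"]
    return findings


if __name__ == "__main__":
    for path, why in sorted(triage(SAMPLE_LOG).items()):
        print(path)
        for r in why:
            print("   -", r)
```

On the constructed excerpt the script flags the four ProgramData DLLs on three rules each, the SysWOW64 atiumdva32.dll only through its BHO registration, and mfc7132.exe only because it is running; schannel.dll and Firefox's D3DCompiler_43.dll, which have the archive bit set and unique sizes in program directories, are left alone. The weakest rule is the size cluster (legitimate installers also write same-sized files), which is why it is combined with location and attributes rather than used on its own.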


----------



## johnb35

Ok, lets attack this from a different angle.  

I need you to run tdsskiller again to make sure we aren't still dealing with a nast 

Please do a full system scan with malwarebytes and post the log.  Then reboot and do the following.

Please download and run the ESET Online Scanner
Disable any antivirus/security programs.
IMPORTANT! UN-check Remove found threats 
Accept any security warnings from your browser. 
Check Scan archives 
Click Start 
ESET will then download updates, install and then start scanning your system. 
When the scan is done, push list of found threats 
Click on Export to text file , and save the file to your desktop using a file name, such as ESETlog. Include the contents of this report in your next reply. 
If no threats are found then it won't produce a log.


----------



## M199

TDSSKiller came up with nothing found. 
Running Malwarebytes now.


----------



## M199

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 7045

Windows 6.0.6002 Service Pack 2
Internet Explorer 9.0.8112.16421

7/10/2011 11:23:10 PM
mbam-log-2011-07-10 (23-23-09).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 357500
Time elapsed: 59 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{005C3BD7-7E45-425D-AE16-69460AD19D6b} (Trojan.Tracur.PGen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{005C3BD7-7E45-425D-AE16-69460AD19D6B} (Trojan.Tracur.PGen) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\SysWOW64\atiumdva32.dll (Trojan.Tracur.PGen) -> Quarantined and deleted successfully.
c:\Windows\System32\atiumdva32.dll (Trojan.Tracur.PGen) -> Quarantined and deleted successfully.


----------



## magna86

@*johnb35*

According to the last ComboFix log, he first needs to create a new System Restore point, then you allow the following script:


```
KillAll::

Driver::
yksvc

File::
c:\programdata\CddbLangJA32.dll
c:\programdata\feclient32.dll
c:\programdata\SMBHelperClass32.dll
c:\programdata\KBDCZ232.dll
c:\programdata\TimeDateMUICallback32.dll
c:\programdata\snmpapi32.dll
c:\programdata\findnetprinters32.dll
c:\programdata\certenc32.dll
c:\programdata\KBDDIV132.dll
c:\windows\SysWow64\MFC7132.exe
```




CF log after this script should be clean ...

Malwarebytes has just detected the infected BHO that can be seen in the CF logs.

.......

Also check his Master Boot Record (MBR). If the MBR does not belong to the Windows OS, it should be replaced.

Use *aswMBR* to check the MBR:
http://public.avast.com/~gmerek/aswMBR.htm

If the MBR is not standard or is infected, it is best to replace it with a clean copy using the Recovery Disc:

http://members.rushmore.com/~jsky/id39.html



```
bootrec.exe /fixmbr
bootrec.exe /fixboot
```
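The MBR advice in the post above, as an added Python example that is not part of the thread and is not aswMBR's or bootrec's own logic: it performs the kind of check behind an "MBR is not standard" verdict on a 512-byte sector image, and it shows why `bootrec /fixmbr` is the right repair when the bootstrap code has been replaced but the partition table is intact (fixmbr rewrites only the 446-byte code region and leaves the table alone; `/fixboot` separately rewrites the partition's own boot sector). The two images are constructed for the example; the "clean" one carries the entry sequence and error strings found in Microsoft's MBR code, the "tampered" one keeps the same partition table under foreign bootstrap code.

```python
"""Sanity-check a 512-byte MBR image before deciding whether to rewrite it.

Added example; not code from the thread, aswMBR or bootrec. It implements
the kind of check behind an 'MBR is not standard' verdict: the 0x55AA boot
signature, whether the bootstrap region still looks like Microsoft's
(entry sequence xor ax,ax / mov ss,ax / mov sp,7C00h and the three
well-known error strings), and whether the partition table is sane. Both
sample images are constructed. The tampered one keeps the partition table
and swaps in foreign bootstrap code, which is the case `bootrec /fixmbr`
repairs: it rewrites only the code region and leaves the table alone.
"""
import struct

WINDOWS_ENTRY = bytes.fromhex("33c08ed0bc007c")   # xor ax,ax / mov ss,ax / mov sp,0x7C00
WINDOWS_STRINGS = (b"Invalid partition table",
                   b"Error loading operating system",
                   b"Missing operating system")
CODE_END, TABLE_OFF, SIG_OFF = 440, 446, 510       # bootstrap | disk sig (4) | pad (2) | table (64) | 55AA


def parse_partitions(mbr: bytes) -> list:
    """Decode the four 16-byte partition entries, skipping empty (type 0) slots."""
    parts = []
    for i in range(4):
        e = mbr[TABLE_OFF + 16 * i: TABLE_OFF + 16 * (i + 1)]
        lba_start, sectors = struct.unpack("<II", e[8:16])
        if e[4] != 0:
            parts.append({"index": i, "active": e[0] == 0x80, "type": e[4],
                          "lba_start": lba_start, "sectors": sectors})
    return parts


def check_mbr(mbr: bytes) -> dict:
    """Return {'standard': bool, 'problems': [...], 'partitions': [...]}."""
    if len(mbr) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    problems = []
    if mbr[SIG_OFF:] != b"\x55\xaa":
        problems.append("missing 0x55AA boot signature")
    code = mbr[:CODE_END]
    if not code.startswith(WINDOWS_ENTRY):
        problems.append("bootstrap entry does not match the Microsoft MBR")
    missing = [s.decode() for s in WINDOWS_STRINGS if s not in code]
    if missing:
        problems.append("bootstrap lacks Microsoft error strings: " + ", ".join(missing))
    statuses = [mbr[TABLE_OFF + 16 * i] for i in range(4)]
    if any(s not in (0x00, 0x80) for s in statuses):
        problems.append("invalid partition status byte")
    parts = parse_partitions(mbr)
    if sum(p["active"] for p in parts) != 1:
        problems.append("expected exactly one active partition")
    if any(p["lba_start"] == 0 or p["sectors"] == 0 for p in parts):
        problems.append("partition entry with zero start or length")
    return {"standard": not problems, "problems": problems, "partitions": parts}


def build_sample(bootstrap: bytes, partitions) -> bytes:
    """Assemble a constructed MBR image from bootstrap code and (status, type, lba, sectors) tuples."""
    code = bootstrap.ljust(CODE_END, b"\x00")[:CODE_END]
    table = b"".join(bytes([st, 0, 0, 0, ty, 0, 0, 0]) + struct.pack("<II", lba, n)
                     for st, ty, lba, n in partitions).ljust(64, b"\x00")
    return code + b"\x12\x34\x56\x78" + b"\x00\x00" + table + b"\x55\xaa"


PARTITIONS = [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 4000000)]   # constructed: NTFS boot + data
CLEAN_MBR = build_sample(WINDOWS_ENTRY + b"\x90" * 200 + b"\x00".join(WINDOWS_STRINGS) + b"\x00", PARTITIONS)
TAMPERED_MBR = build_sample(b"\xfa\x33\xc0" + b"\xcc" * 120, PARTITIONS)   # foreign loader, table untouched

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        verdict = check_mbr(img)
        print(name, "standard" if verdict["standard"] else "NOT standard", verdict["problems"])
```

Two caveats a practitioner should keep in mind. A "not standard" result is a prompt to verify, not proof of infection: GRUB and vendor recovery loaders also fail the Microsoft-code test while being perfectly legitimate. And the test is only as strong as the bytes it inspects: a bootkit that keeps Microsoft's code and patches a handful of bytes would pass, so when a clean reference image from the same Windows version is available, a byte-for-byte comparison of the first 440 bytes is the stronger check.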


----------



## johnb35

m199,

I still need to see the results from the Eset online scan.


----------



## M199

Thought I forgot something.
Here you are

C:\ProgramData\atiumdva32.exe	probably a variant of Win32/TrojanDownloader.Agent.BLHNAIM trojan
C:\Qoobox\Quarantine\[4]-Submit_2011-07-07_20.59.15.zip	multiple threats
C:\Qoobox\Quarantine\[4]-Submit_2011-07-09_22.33.47.zip	multiple threats
C:\Qoobox\Quarantine\C\ProgramData\atiumdva32.exe.vir	probably a variant of Win32/TrojanDownloader.Agent.BLHNAIM trojan
C:\Qoobox\Quarantine\C\ProgramData\KBDCZ132.dll.vir	probably a variant of Win32/TrojanDownloader.Agent.HIVKBDM trojan
C:\Qoobox\Quarantine\C\Users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{155ca05c-939f-4003-ad1f-993591e624bd}\chrome.manifest.vir	Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{155ca05c-939f-4003-ad1f-993591e624bd}\chrome\xulcache.jar.vir	JS/Agent.NDB trojan
C:\Qoobox\Quarantine\C\Users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{19bf2274-6f60-409f-993d-ac26dd482737}\chrome.manifest.vir	Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{19bf2274-6f60-409f-993d-ac26dd482737}\chrome\xulcache.jar.vir	JS/Agent.NDB trojan
C:\Qoobox\Quarantine\C\Users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{49f47bbd-32ed-49c3-82ab-9affdc67d001}\chrome.manifest.vir	Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{49f47bbd-32ed-49c3-82ab-9affdc67d001}\chrome\xulcache.jar.vir	JS/Agent.NDB trojan
C:\Qoobox\Quarantine\C\Users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{910a7df3-474a-45ec-b9d1-95dba03b39fd}\chrome.manifest.vir	Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{910a7df3-474a-45ec-b9d1-95dba03b39fd}\chrome\xulcache.jar.vir	JS/Agent.NDB trojan
C:\Qoobox\Quarantine\C\Users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{9cfbdb48-7ddf-4789-bec1-1e50ccb17b26}\chrome.manifest.vir	Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{9cfbdb48-7ddf-4789-bec1-1e50ccb17b26}\chrome\xulcache.jar.vir	JS/Agent.NDB trojan
C:\Qoobox\Quarantine\C\Users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{b32afd51-1d5c-42eb-9cf2-91f2af93c6dd}\chrome.manifest.vir	Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{b32afd51-1d5c-42eb-9cf2-91f2af93c6dd}\chrome\xulcache.jar.vir	JS/Agent.NDB trojan
C:\Qoobox\Quarantine\C\Users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{c4d0a5ac-f947-475b-9a40-139a4c350fa9}\chrome.manifest.vir	Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{c4d0a5ac-f947-475b-9a40-139a4c350fa9}\chrome\xulcache.jar.vir	JS/Agent.NDB trojan
C:\Qoobox\Quarantine\C\Users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{f14115e8-1aab-4400-a2c1-21d1536d6fd9}\chrome.manifest.vir	Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{f14115e8-1aab-4400-a2c1-21d1536d6fd9}\chrome\xulcache.jar.vir	JS/Agent.NDB trojan
C:\Qoobox\Quarantine\C\Windows\SysWOW64\atiumdva32.dll.vir	a variant of Win32/Kryptik.PQF trojan
C:\Users\All Users\atiumdva32.exe	probably a variant of Win32/TrojanDownloader.Agent.BLHNAIM trojan
C:\Users\All Users\Application Data\atiumdva32.exe	probably a variant of Win32/TrojanDownloader.Agent.BLHNAIM trojan
C:\Users\Amanda\AppData\Roaming\FileSubmit\stormwarningss\install\14852C7\stormwarningss.msi	multiple threats
C:\Users\Amanda\AppData\Roaming\FileSubmit\stormwarningss\install\FA366A1\stormwarningss.msi	multiple threats
C:\Users\Amanda\Downloads\7artChristmasLand3DInst.exe	multiple threats
C:\Users\Amanda\Downloads\moviebar_us_z(2).exe	Win32/Toolbar.Zugo application
C:\Users\Amanda\Downloads\moviebar_us_z(3).exe	Win32/Toolbar.Zugo application
C:\Users\Amanda\Downloads\moviebar_us_z.exe	Win32/Toolbar.Zugo application


----------



## johnb35

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box



		Code:
	

File::

C:\ProgramData\atiumdva32.exe 
C:\Users\All Users\atiumdva32.exe 
C:\Users\All Users\Application Data\atiumdva32.exe 
C:\Users\Amanda\AppData\Roaming\FileSubmit\stormwarningss\install\14852C7\stormwarningss.msi 
C:\Users\Amanda\AppData\Roaming\FileSubmit\stormwarningss\install\FA366A1\stormwarningss.msi 
C:\Users\Amanda\Downloads\7artChristmasLand3DInst.exe 
C:\Users\Amanda\Downloads\moviebar_us_z(2).exe 
C:\Users\Amanda\Downloads\moviebar_us_z(3).exe 
C:\Users\Amanda\Downloads\moviebar_us_z.exe 
c:\programdata\SMBHelperClass32.dll
c:\programdata\feclient32.dll
c:\programdata\CddbLangJA32.dll
c:\programdata\KBDCZ232.dll
c:\windows\SysWow64\atiumdva32.dll
c:\programdata\D3DCompiler_3432.dll
c:\programdata\TimeDateMUICallback32.dll
c:\programdata\snmpapi32.dll
c:\programdata\findnetprinters32.dll
c:\programdata\certenc32.dll
c:\programdata\KBDDIV132.dll
c:\programdata\atiumdva32.dll
c:\windows\SysWow64\MFC7132.exe




3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!








ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.
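
As an added example (my own code, not johnb35's tooling and not part of ComboFix), here is the selection step behind the CFScript above expressed as a script: take the paths ESET reported, drop the ones that already sit in ComboFix's own quarantine under C:\Qoobox\Quarantine, and append the extra paths a helper has identified from other logs. The sample ESET lines and the file names in it are constructed for the demo. A CFScript deletes whatever is listed, so it is only as safe as the review behind it: never feed raw scanner output into one, and always drop quarantine entries, since deleting those only destroys the evidence ComboFix already isolated.

```python
"""Build the 'File::' section of a ComboFix CFScript from ESET Online Scanner output.

Added example, not johnb35's own tooling. It reproduces the selection made
above: keep the paths ESET reported, drop the ones already sitting in
ComboFix's quarantine (C:\\Qoobox\\Quarantine), and append any extra paths
the helper has identified from other logs.
"""
from pathlib import PureWindowsPath

QUARANTINE_ROOT = PureWindowsPath(r"C:\Qoobox\Quarantine")


def parse_eset_log(text: str) -> list:
    """Each ESET line is '<path><TAB><detection name>'; return (path, detection) pairs."""
    items = []
    for line in text.splitlines():
        if "\t" not in line:
            continue
        path, detection = line.split("\t", 1)
        items.append((path.strip(), detection.strip()))
    return items


def is_quarantined(path: str) -> bool:
    """True if the path lies under ComboFix's quarantine (Windows paths compare case-insensitively)."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    root = [p.lower() for p in QUARANTINE_ROOT.parts]
    return parts[:len(root)] == root


def build_cfscript(eset_text: str, extra_files=()) -> str:
    """Return the CFScript text: a 'File::' header followed by one path per line."""
    files = []
    for path, _detection in parse_eset_log(eset_text):
        if is_quarantined(path) or path in files:
            continue
        files.append(path)
    for path in extra_files:
        if path not in files:
            files.append(path)
    return "File::\n\n" + "\n".join(files) + "\n"


# Constructed sample in ESET's format (hypothetical file names, not the ones above).
SAMPLE_ESET_LOG = (
    "C:\\ProgramData\\sample_dropper32.exe\tprobably a variant of Win32/TrojanDownloader.Agent trojan\n"
    "C:\\Qoobox\\Quarantine\\C\\ProgramData\\sample_dropper32.exe.vir\tprobably a variant of Win32/TrojanDownloader.Agent trojan\n"
    "C:\\Users\\Example\\Downloads\\toolbar_setup.exe\tWin32/Toolbar.Zugo application\n"
    "C:\\Users\\Example\\Downloads\\toolbar_setup.exe\tWin32/Toolbar.Zugo application\n"
)
# Paths a helper would add from other logs (hypothetical name).
EXTRA_FROM_OTHER_LOGS = ["c:\\windows\\SysWow64\\sample_loader32.exe"]

if __name__ == "__main__":
    print(build_cfscript(SAMPLE_ESET_LOG, EXTRA_FROM_OTHER_LOGS), end="")
```

Save the printed text as CFScript.txt with Notepad (not Wordpad, which would add formatting ComboFix cannot parse) and use it exactly as the steps above describe.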


----------



## M199

Here you go;

ComboFix 11-07-12.09 - Amanda 07/12/2011  20:56:50.6.2 - x64
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.5886.3936 [GMT -4:00]
Running from: c:\users\Amanda\Downloads\ComboFix.exe
Command switches used :: c:\users\Amanda\Desktop\CFScript.txt
AV: Trend Micro Titanium *Disabled/Updated* {68F968AC-2AA0-091D-848C-803E83E35902}
SP: Trend Micro Titanium *Disabled/Updated* {D3988948-0C9A-0693-BE3C-BB4CF86413BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\programdata\atiumdva32.dll"
"c:\programdata\atiumdva32.exe"
"c:\programdata\CddbLangJA32.dll"
"c:\programdata\certenc32.dll"
"c:\programdata\D3DCompiler_3432.dll"
"c:\programdata\feclient32.dll"
"c:\programdata\findnetprinters32.dll"
"c:\programdata\KBDCZ232.dll"
"c:\programdata\KBDDIV132.dll"
"c:\programdata\SMBHelperClass32.dll"
"c:\programdata\snmpapi32.dll"
"c:\programdata\TimeDateMUICallback32.dll"
"c:\users\All Users\Application Data\atiumdva32.exe"
"c:\users\All Users\atiumdva32.exe"
"c:\users\Amanda\AppData\Roaming\FileSubmit\stormwarningss\install\14852C7\stormwarningss.msi"
"c:\users\Amanda\AppData\Roaming\FileSubmit\stormwarningss\install\FA366A1\stormwarningss.msi"
"c:\users\Amanda\Downloads\7artChristmasLand3DInst.exe"
"c:\users\Amanda\Downloads\moviebar_us_z(2).exe"
"c:\users\Amanda\Downloads\moviebar_us_z(3).exe"
"c:\users\Amanda\Downloads\moviebar_us_z.exe"
"c:\windows\SysWow64\atiumdva32.dll"
"c:\windows\SysWow64\MFC7132.exe"
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\atiumdva32.exe
.
.
(((((((((((((((((((((((((   Files Created from 2011-06-13 to 2011-07-13  )))))))))))))))))))))))))))))))
.
.
2011-07-13 01:15 . 2011-07-13 01:20	--------	d-----w-	c:\users\Amanda\AppData\Local\temp
2011-07-13 01:15 . 2011-07-13 01:15	--------	d-----w-	c:\windows\system32\config\systemprofile\AppData\Local\temp
2011-07-13 01:15 . 2011-07-13 01:15	--------	d-----w-	c:\users\Default\AppData\Local\temp
2011-07-13 01:15 . 2011-07-13 01:15	--------	d-----w-	c:\users\Conrad\AppData\Local\temp
2011-07-11 05:34 . 2011-07-11 05:34	8896	--sha-w-	c:\programdata\ole3232.dll
2011-07-11 05:02 . 2011-07-11 05:02	8896	--sha-w-	c:\programdata\dnsapi32.dll
2011-07-11 04:29 . 2011-07-11 04:29	8896	--sha-w-	c:\programdata\msvcp6032.dll
2011-07-11 03:56 . 2011-07-11 03:56	8896	--sha-w-	c:\programdata\chsbrkr32.dll
2011-07-11 03:06 . 2011-07-11 03:06	8896	--sha-w-	c:\programdata\msvbvm6032.dll
2011-07-11 02:36 . 2011-07-11 02:36	8896	--sha-w-	c:\programdata\cewmdm32.dll
2011-07-11 02:04 . 2011-07-11 02:04	8896	--sha-w-	c:\programdata\d3d8thk32.dll
2011-07-11 01:34 . 2011-07-11 01:34	8896	--sha-w-	c:\programdata\termmgr32.dll
2011-07-10 01:58 . 2011-07-10 01:58	--------	d-----w-	c:\program files\CCleaner
2011-07-08 16:11 . 2011-07-08 16:11	8896	--sha-w-	c:\programdata\SMBHelperClass32.dll
2011-07-08 15:41 . 2011-07-08 15:41	8896	--sha-w-	c:\programdata\feclient32.dll
2011-07-08 04:26 . 2011-07-08 04:26	8896	--sha-w-	c:\programdata\CddbLangJA32.dll
2011-07-08 03:54 . 2011-07-08 03:54	8896	--sha-w-	c:\programdata\KBDCZ232.dll
2011-07-08 02:57 . 2011-07-08 02:57	8896	--sha-w-	c:\programdata\D3DCompiler_3432.dll
2011-07-08 02:49 . 2011-07-08 02:49	--------	d-----w-	c:\users\Amanda\AppData\Roaming\SUPERAntiSpyware.com
2011-07-08 02:49 . 2011-07-08 02:49	--------	d-----w-	c:\programdata\SUPERAntiSpyware.com
2011-07-08 02:49 . 2011-07-08 02:49	--------	d-----w-	c:\programdata\!SASCORE
2011-07-08 02:49 . 2011-07-08 02:49	--------	d-----w-	c:\program files\SUPERAntiSpyware
2011-07-08 02:27 . 2011-07-08 02:27	8896	--sha-w-	c:\programdata\TimeDateMUICallback32.dll
2011-07-08 01:56 . 2011-07-08 01:56	8896	--sha-w-	c:\programdata\snmpapi32.dll
2011-07-07 17:36 . 2011-07-07 17:36	8896	--sha-w-	c:\programdata\findnetprinters32.dll
2011-07-07 17:04 . 2011-07-07 17:04	8896	--sha-w-	c:\programdata\certenc32.dll
2011-07-07 16:31 . 2011-07-07 16:31	8896	--sha-w-	c:\programdata\KBDDIV132.dll
2011-07-07 15:58 . 2011-07-07 15:58	8896	--sha-w-	c:\programdata\atiumdva32.dll
2011-07-07 15:34 . 2011-07-07 15:34	--------	d-----w-	c:\program files (x86)\ESET
2011-07-07 00:39 . 2011-07-07 00:39	--------	d-----w-	c:\program files (x86)\Common Files\Java
2011-07-06 15:11 . 2011-07-06 15:11	388096	----a-r-	c:\users\Amanda\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-07-06 15:11 . 2011-07-06 15:11	--------	d-----w-	c:\program files (x86)\Trend Micro
2011-07-06 14:56 . 2011-05-29 13:11	39984	----a-w-	c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-07-06 14:56 . 2011-07-06 14:56	--------	d-----w-	c:\program files (x86)\Malwarebytes' Anti-Malware
2011-07-06 00:17 . 2011-07-06 00:17	--------	d-----w-	c:\users\Amanda\AppData\Roaming\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2011-07-01 02:29 . 2011-06-24 03:18	565248	------w-	c:\windows\SysWow64\MFC7132.exe
2011-06-29 15:00 . 2011-04-29 16:15	344576	----a-w-	c:\windows\system32\schannel.dll
2011-06-29 15:00 . 2011-04-29 15:59	276992	----a-w-	c:\windows\SysWow64\schannel.dll
2011-06-27 14:38 . 2011-06-27 14:38	2106216	----a-w-	c:\program files (x86)\Mozilla Firefox\D3DCompiler_43.dll
2011-06-27 14:38 . 2011-06-27 14:38	1998168	----a-w-	c:\program files (x86)\Mozilla Firefox\d3dx9_43.dll
2011-06-15 17:05 . 2011-07-01 03:35	404640	----a-w-	c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-06-14 00:03 . 2011-06-14 00:03	--------	d-----w-	c:\program files (x86)\MAGIX
2011-06-14 00:03 . 2011-06-14 00:03	--------	d-----w-	c:\program files (x86)\Common Files\MAGIX Services
2011-06-13 14:54 . 2011-06-13 14:54	--------	d-----w-	c:\program files (x86)\Safari
2011-06-13 14:42 . 2011-06-13 14:42	--------	d-----w-	c:\program files\iPod
2011-06-13 14:42 . 2011-06-13 14:43	--------	d-----w-	c:\program files\iTunes
2011-06-13 14:42 . 2011-06-13 14:43	--------	d-----w-	c:\program files (x86)\iTunes
2011-06-13 14:38 . 2011-06-13 14:38	--------	d-----w-	c:\program files\Bonjour
2011-06-13 14:38 . 2011-06-13 14:38	--------	d-----w-	c:\program files (x86)\Bonjour
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-07 00:38 . 2010-07-25 23:37	472808	----a-w-	c:\windows\SysWow64\deployJava1.dll
2011-05-29 13:11 . 2011-06-13 01:09	25912	----a-w-	c:\windows\system32\drivers\mbam.sys
2011-05-10 12:06 . 2011-05-10 12:06	51712	----a-w-	c:\windows\system32\drivers\usbaapl64.sys
2011-05-10 12:06 . 2011-05-10 12:06	4517664	----a-w-	c:\windows\system32\usbaaplrc.dll
.
.
(((((((((((((((((((((((((((((   [email protected]_21.44.18   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-21 03:20 . 2011-07-06 21:11	32768              c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-01-21 03:20 . 2011-07-11 03:56	32768              c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-01-21 03:20 . 2011-07-11 03:56	49152              c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-01-21 03:20 . 2011-07-06 21:11	49152              c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-01-21 03:20 . 2011-07-06 21:11	16384              c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-01-21 03:20 . 2011-07-11 03:56	16384              c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-07-13 01:17 . 2011-07-13 01:17	2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-07-06 21:43 . 2011-07-06 21:43	2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-07-06 21:43 . 2011-07-06 21:43	2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-07-13 01:17 . 2011-07-13 01:17	2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-07-07 00:39 . 2011-07-07 00:38	157472              c:\windows\SysWOW64\javaws.exe
+ 2011-07-07 00:39 . 2011-07-07 00:38	145184              c:\windows\SysWOW64\javaw.exe
- 2010-10-27 22:35 . 2010-09-15 08:50	145184              c:\windows\SysWOW64\javaw.exe
+ 2011-07-07 00:39 . 2011-07-07 00:38	145184              c:\windows\SysWOW64\java.exe
- 2010-10-27 22:35 . 2010-09-15 08:50	145184              c:\windows\SysWOW64\java.exe
+ 2010-11-12 04:49 . 2011-07-13 01:16	441820              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2010-11-12 04:49 . 2011-07-06 21:42	441820              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2011-06-13 00:39 . 2011-07-04 03:40	853060              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2819834726-533737158-1913216436-1000-12288.dat
+ 2011-06-13 00:39 . 2011-07-10 02:52	853060              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2819834726-533737158-1913216436-1000-12288.dat
+ 2011-07-07 00:39 . 2011-07-07 00:39	203776              c:\windows\Installer\9d68ec.msi
+ 2011-07-07 00:38 . 2011-07-07 00:38	675840              c:\windows\Installer\9d68de.msi
+ 2010-11-12 04:49 . 2011-07-13 01:16	4897704              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2819834726-533737158-1913216436-1000-8192.dat
- 2010-11-12 04:49 . 2011-07-06 21:42	4897704              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2819834726-533737158-1913216436-1000-8192.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files (x86)\Yahoo!\Companion\Installs\cpn4\YTNavAssist.dll" [2011-03-16 214840]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{A31F34A1-EBD2-45A2-BF6D-231C1B987CC8}]
[HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-09 68856]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"YSearchProtection"="c:\program files (x86)\Yahoo!\Search Protection\YspService.exe" [2010-06-14 296248]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-06-30 2988928]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-30 61440]
"LchDrvKey"="LchDrvKey.exe" [2007-03-29 36864]
"LedKey"="CNYHKey.exe" [2008-04-24 339968]
"CLMLServer"="c:\program files (x86)\Cyberlink\Power2Go\CLMLSvc.exe" [2008-12-24 103720]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-06-07 421160]
"AppleSyncNotifier"="c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-11-02 8704]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-23 135664]
R3 b57nd60a;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60a.sys [x]
R3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files (x86)\Common Files\MAGIX Services\Database\bin\fbserver.exe [2008-08-07 3276800]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-23 135664]
R3 PCASp50a64;PCASp50a64 NDIS Protocol Driver;c:\windows\system32\Drivers\PCASp50a64.sys [x]
R3 PCTINDIS5X64;PCTINDIS5X64 NDIS Protocol Driver;c:\windows\system32\PCTINDIS5X64.SYS [x]
R3 SWNC8U80;Sierra Wireless MUX NDIS Driver (UMTS80);c:\windows\system32\DRIVERS\swnc8u80.sys [x]
R3 SWUMX80;Sierra Wireless USB MUX Driver (UMTS80);c:\windows\system32\DRIVERS\swumx80.sys [x]
R3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [2010-09-24 306416]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 1020768]
R4 ahcix64s;ahcix64s;c:\windows\system32\drivers\ahcix64s.sys [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2010-02-17 14920]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2010-02-17 12360]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-05-04 128384]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2008-01-21 27648]
S2 Amsp;Trend Micro Solution Platform;c:\program files\Trend Micro\AMSP\coreServiceShell.exe coreFrameworkHost.exe [x]
S2 Fabs;FABS - Helping agent for MAGIX media database;c:\program files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe [2009-08-27 1253376]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\DRIVERS\tmevtmgr.sys [x]
S2 yksvc;Marvell Yukon Service;c:\windows\System32\svchost.exe [2008-01-21 27648]
S3 netr28ux;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28ux.sys [x]
S3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
S3 yukonx64;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk60x64.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
getPlusHelper	REG_MULTI_SZ   	getPlusHelper
Akamai	REG_MULTI_SZ   	Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-23 17:50]
.
2011-07-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-23 17:50]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-03-30 7574048]
"Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2009-03-30 1833504]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-09-24 163568]
"Trend Micro Titanium"="c:\program files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" [2011-02-17 1111568]
"Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2011-02-10 197152]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://www.yahoo.com
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.2.1 74.128.17.114 74.128.19.102
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://m.www.yahoo.com/\r
FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, true
.
- - - - ORPHANS REMOVED - - - -
.
SharedTaskScheduler-{705FB965-7459-4644-BF5E-12152519A1D8} - (no file)
WebBrowser-{D0523BB4-21E7-11DD-9AB7-415B56D89593} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{015113EC-A4E0-4FB1-9CE1-2140252DABE2}"=hex:51,66,7a,6c,4c,1d,38,12,82,10,42,
   05,d2,ea,df,0a,e3,f7,62,00,20,73,ef,f6
"{014D2F73-E2A5-44F6-BD45-F0A791DE42A7}"=hex:51,66,7a,6c,4c,1d,38,12,1d,2c,5e,
   05,97,ac,98,01,c2,53,b3,e7,94,80,06,b3
"{010DBB78-2FED-4AED-A7E8-DC083989F51F}"=hex:51,66,7a,6c,4c,1d,38,12,16,b8,1e,
   05,df,61,83,0f,d8,fe,9f,48,3c,d7,b1,0b
"{009A6416-669F-4147-8F1B-176A85CCE46A}"=hex:51,66,7a,6c,4c,1d,38,12,78,67,89,
   04,ad,28,29,04,f0,0d,54,2a,80,92,a0,7e
"{005C3BD7-7E45-425D-AE16-69460AD19D6B}"=hex:51,66,7a,6c,4c,1d,38,12,b9,38,4f,
   04,77,30,33,07,d1,00,2a,06,0f,8f,d9,7f
.
[HKEY_USERS\S-1-5-21-2819834726-533737158-1913216436-1000\Software\SecuROM\License information*]
"datasecu"=hex:71,1d,81,de,fe,f4,50,82,c4,5b,8b,93,a1,93,1a,f8,e9,47,58,e8,a3,
   0f,6b,38,5c,d0,bf,13,43,71,55,72,c3,27,da,64,dd,d6,91,51,db,17,59,57,a7,a1,\
"rkeysecu"=hex:6d,fd,d5,a6,54,58,d5,b1,55,2c,10,1a,0b,7c,0c,a1
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
   00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Bonjour\mDNSResponder.exe
c:\windows\SysWOW64\mfc7132.exe
c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\programdata\atiumdva32.exe
c:\program files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\CNYHKey.exe
c:\windows\MHotkey.exe
c:\windows\ModLedKey.exe
c:\windows\ChiFuncExt.exe
.
**************************************************************************
.
Completion time: 2011-07-12  21:26:18 - machine was rebooted
ComboFix-quarantined-files.txt  2011-07-13 01:26
ComboFix2.txt  2011-07-10 03:01
ComboFix3.txt  2011-07-08 01:53
ComboFix4.txt  2011-07-07 15:32
ComboFix5.txt  2011-07-13 00:55
.
Pre-Run: 398,820,945,920 bytes free
Post-Run: 399,442,997,248 bytes free
.
- - End Of File - - B57C1C86EA4B8468684FEC2E5312886C
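
An added example (my own, not part of the thread or of ComboFix) of the detection logic a reviewer applies to the "Files Created" section of a log like the one above. It parses each line into creation time, size, attributes and path, then groups hidden+system files of identical size within one directory and reports how often they appear. The sample input reuses eight lines from the ComboFix log above; on it the script isolates the 8896-byte `--sha-w-` DLLs in c:\programdata, created roughly every half hour under names that mimic real Windows DLLs with "32" appended. That regularity is what distinguishes an active dropper re-seeding the machine from leftovers of an old infection: deleting the files changes nothing if the process that writes them is still running.

```python
"""Find clusters of hidden+system files of the same size in a ComboFix 'Files Created' list.

Added example, not ComboFix code. Line format (fields separated by whitespace):
  <created> . <modified>  <size or -------->  <attributes>  <path>
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"\s+(\S+)\s+(\S+)\s+(.+?)\s*$"
)


def parse_files_created(text: str) -> list:
    """Turn log lines into records; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        created, modified, size, attrs, path = m.groups()
        records.append({
            "created": datetime.strptime(created, "%Y-%m-%d %H:%M"),
            "modified": datetime.strptime(modified, "%Y-%m-%d %H:%M"),
            "size": None if size.startswith("-") else int(size),  # directories have no size
            "attrs": attrs,
            "path": path,
        })
    return records


def is_hidden_system_file(rec: dict) -> bool:
    """Attribute string like '--sha-w-': first char 'd' marks a directory, 'h'/'s' hidden/system."""
    a = rec["attrs"]
    return a[0] != "d" and "h" in a and "s" in a


def find_dropper_clusters(records: list, min_count: int = 3) -> list:
    """Group hidden+system files by (directory, size); report groups of min_count or more."""
    groups = defaultdict(list)
    for r in records:
        if is_hidden_system_file(r) and r["size"]:
            directory = r["path"].lower().rsplit("\\", 1)[0]
            groups[(directory, r["size"])].append(r)
    clusters = []
    for (directory, size), recs in groups.items():
        if len(recs) < min_count:
            continue
        times = sorted(r["created"] for r in recs)
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
        clusters.append({
            "directory": directory, "size": size, "count": len(recs),
            "median_gap_minutes": median(gaps),
            "files": sorted(r["path"] for r in recs),
        })
    return clusters


# Sample input: eight lines taken from the ComboFix log posted above.
SAMPLE_LOG = r"""
2011-07-11 05:34 . 2011-07-11 05:34  8896  --sha-w-  c:\programdata\ole3232.dll
2011-07-11 05:02 . 2011-07-11 05:02  8896  --sha-w-  c:\programdata\dnsapi32.dll
2011-07-11 04:29 . 2011-07-11 04:29  8896  --sha-w-  c:\programdata\msvcp6032.dll
2011-07-11 03:56 . 2011-07-11 03:56  8896  --sha-w-  c:\programdata\chsbrkr32.dll
2011-07-10 01:58 . 2011-07-10 01:58  --------  d-----w-  c:\program files\CCleaner
2011-07-08 02:49 . 2011-07-08 02:49  --------  d-----w-  c:\program files\SUPERAntiSpyware
2011-07-01 02:29 . 2011-06-24 03:18  565248  ------w-  c:\windows\SysWow64\MFC7132.exe
2011-06-29 15:00 . 2011-04-29 16:15  344576  ----a-w-  c:\windows\system32\schannel.dll
"""

if __name__ == "__main__":
    for c in find_dropper_clusters(parse_files_created(SAMPLE_LOG)):
        print("%d x %d bytes in %s, median gap %.0f min" %
              (c["count"], c["size"], c["directory"], c["median_gap_minutes"]))
        for f in c["files"]:
            print("   ", f)
```

The size and attribute match is deliberately strict: legitimate installers also write to ProgramData, but they do not produce a run of identically sized hidden system files on a fixed timer.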


----------



## johnb35

Sorry for the late reply, went to bed early last night and had a long day at work today.


OK, something is definitely going on here that won't stop.

Please download aswMBR to your desktop.

Double click the aswMBR.exe to run it.  Click the [Scan] button to start scan.  On completion of the scan click [Save log], save it to your desktop and post in your next reply.


----------



## M199

It's fine,
and I'll get right on that.

My computer re-started itself to update last night. It asked my permission to run 'Microsoft Windows Malicious Software Removal Tool - July 2011'
Did you want to see the results of 
'Malicious software was detected and removed from your computer'  ?


----------



## M199

I also got this. Yes or no?


----------



## johnb35

M199 said:


> It's fine,
> and I'll get right on that.
> 
> My computer re-started itself to update last night. It asked my permission to run 'Microsoft Windows Malicious Software Removal Tool - July 2011'
> Did you want to see the results of
> 'Malicious software was detected and removed from your computer'  ?



Yeah, that would be great.



M199 said:


> I also got this. Yes or no?



Nope, you already have trend micro so you can't install avast as well.


----------



## M199

Well, no way to c/p it.
My computer went to blue screen as soon as I hit 'scan' on Aswmbr


----------



## johnb35

Ok, at this point in time, I recommend you to back up any data you need and then do a fresh install of windows.


----------



## magna86

A malicious service that uses svchost.exe is still active in the system...
and ComboFix cannot see the rootkit in kernel mode; the GMER tools integrated into ComboFix do not detect its presence...


----------



## M199

Ok, thanks for your help!
For now..can I take all the virus scanners and what not I've downloaded off?


----------



## johnb35

magna86 said:


> A malicious service that uses svchost.exe is still active in the system...
> and ComboFix cannot see the rootkit in kernel mode; the GMER tools integrated into ComboFix do not detect its presence...



Ok, prove to me that the yukon service is malicious....



M199 said:


> Ok, thanks for your help!
> For now..can I take all the virus scanners and what not I've downloaded off?



If you are going to reinstall windows then everything will be gone when you do it.  You may delete them if you wish.


----------



## M199

Well, that's true.

My trend micro is saying it finds Troj_ etcetc.. 
Aren't there ways to manually remove trojan viruses? (If that's what this means..)
Or is that what we've been trying to do here?


----------



## johnb35

Can you post the log that trend micro comes up with?  There should be a report somewhere that you can export and post.


----------



## M199

Here's what I was talking about..

7/4/2011 9:36 PM,C:\Users\Amanda\AppData\Local\Temp\4F33.exe,BKDR_CYCBOT.SMIB,Threat,Removed
7/4/2011 9:37 PM,C:\Users\Amanda\AppData\Local\Temp\8A9E.exe,BKDR_CYCBOT.SMIB,Threat,Removed
7/4/2011 9:44 PM,C:\Users\Amanda\AppData\Local\Temp\F063.exe,BKDR_CYCBOT.SMIB,Threat,Removed
7/4/2011 9:44 PM,C:\Users\Amanda\AppData\Local\Temp\29CC.exe,BKDR_CYCBOT.SMIB,Threat,Removed
7/4/2011 10:05 PM,C:\Users\Amanda\AppData\Local\Temp\7888.exe,BKDR_CYCBOT.SMIB,Threat,Removed
7/4/2011 10:05 PM,C:\Users\Amanda\AppData\Local\Temp\B7AB.exe,BKDR_CYCBOT.SMIB,Threat,Removed
7/6/2011 8:31 PM,C:\Qoobox\Quarantine\C\Windows\SysWOW64\atiumdva32.dll.vir,TROJ_GEN.R47C1G5,Threat,Removed
7/7/2011 9:51 PM,C:\Windows\SysWow64\atiumdva32.dll,TROJ_GEN.R47C1G5,Threat,Removed
7/10/2011 11:23 PM,C:\Windows\SysWOW64\atiumdva32.dll,TROJ_GEN.R47C1G5,Threat,Removed
7/11/2011 1:13 AM,C:\Windows\SysWOW64\MFC7132.exe,TROJ_GEN.RC1C1G9,Threat,Access Denied
7/11/2011 1:16 AM,C:\Windows\SysWOW64\MFC7132.exe,TROJ_GEN.RC1C1G9,Threat,Access Denied
7/12/2011 9:22 PM,C:\Windows\SysWow64\MFC7132.exe,TROJ_GEN.RC1C1G9,Threat,Access Denied
7/14/2011 3:02 AM,C:\Windows\SysWOW64\mfc7132.exe,TROJ_GEN.RC1C1G9,Threat,Access Denied
7/14/2011 3:02 AM,C:\Windows\SysWOW64\mfc7132.exe,TROJ_GEN.RC1C1G9,Threat,Access Denied
7/14/2011 3:02 AM,C:\Windows\SysWOW64\mfc7132.exe,TROJ_GEN.RC1C1G9,Threat,Access Denied
7/14/2011 3:03 AM,C:\Windows\SysWOW64\mfc7132.exe,TROJ_GEN.RC1C1G9,Threat,Access Denied
7/14/2011 3:06 AM,C:\Windows\SysWOW64\mfc7132.exe,TROJ_GEN.RC1C1G9,Threat,Access Denied
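
As an added example (my own code, not part of the thread or of Trend Micro's product), here is the reading a practitioner gives a detection log in this CSV format, written as a script. It groups events by path (lower-cased, since NTFS paths are case-insensitive and `SysWow64` and `SysWOW64` are the same directory) and flags two outcomes: "Access Denied", where the scanner found the file but could not remove it because something holding it open or running with higher privilege is protecting it, and a file reported "Removed" that turns up again at the same path days later, which means whatever drops it is still running. The sample input reuses eight lines from the log above. Either signal says the cleanup is not holding, and that is the situation in which backing up data and reinstalling is the sound call rather than another round of scanners.

```python
"""Summarise a Trend Micro detection log and list the paths the AV could not clean.

Added example, not Trend Micro code. Each row is:
  <date time>,<path>,<detection name>,<category>,<action>
"""
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO


def parse_trend_log(text: str) -> list:
    """Return one event per well-formed row, sorted by time."""
    events = []
    for row in csv.reader(StringIO(text)):
        if len(row) != 5:
            continue
        when, path, detection, _category, action = (f.strip() for f in row)
        events.append({
            "time": datetime.strptime(when, "%m/%d/%Y %I:%M %p"),
            "path": path.lower(),  # NTFS is case-insensitive: SysWow64 == SysWOW64
            "detection": detection,
            "action": action,
        })
    return sorted(events, key=lambda e: e["time"])


def summarize(events: list) -> dict:
    """Per-path counts of detections, failed removals and re-detections after removal."""
    by_path = defaultdict(list)
    for e in events:
        by_path[e["path"]].append(e)
    summary = {}
    for path, evs in by_path.items():
        actions = [e["action"] for e in evs]  # already in time order
        summary[path] = {
            "detections": len(evs),
            "access_denied": actions.count("Access Denied"),
            # a "Removed" followed by any later event at the same path means it came back
            "reappeared_after_removal": "Removed" in actions[:-1],
            "names": sorted({e["detection"] for e in evs}),
        }
    return summary


def unresolved_paths(summary: dict) -> list:
    """Paths the AV could not clean, or cleaned and then saw again."""
    return sorted(p for p, s in summary.items()
                  if s["access_denied"] > 0 or s["reappeared_after_removal"])


# Sample input: eight rows taken from the Trend Micro log posted above.
SAMPLE_TREND_LOG = r"""7/4/2011 9:36 PM,C:\Users\Amanda\AppData\Local\Temp\4F33.exe,BKDR_CYCBOT.SMIB,Threat,Removed
7/4/2011 9:37 PM,C:\Users\Amanda\AppData\Local\Temp\8A9E.exe,BKDR_CYCBOT.SMIB,Threat,Removed
7/6/2011 8:31 PM,C:\Qoobox\Quarantine\C\Windows\SysWOW64\atiumdva32.dll.vir,TROJ_GEN.R47C1G5,Threat,Removed
7/7/2011 9:51 PM,C:\Windows\SysWow64\atiumdva32.dll,TROJ_GEN.R47C1G5,Threat,Removed
7/10/2011 11:23 PM,C:\Windows\SysWOW64\atiumdva32.dll,TROJ_GEN.R47C1G5,Threat,Removed
7/11/2011 1:13 AM,C:\Windows\SysWOW64\MFC7132.exe,TROJ_GEN.RC1C1G9,Threat,Access Denied
7/12/2011 9:22 PM,C:\Windows\SysWow64\MFC7132.exe,TROJ_GEN.RC1C1G9,Threat,Access Denied
7/14/2011 3:02 AM,C:\Windows\SysWOW64\mfc7132.exe,TROJ_GEN.RC1C1G9,Threat,Access Denied
"""

if __name__ == "__main__":
    report = summarize(parse_trend_log(SAMPLE_TREND_LOG))
    for path in unresolved_paths(report):
        s = report[path]
        print("%s: %d detections, %d access denied, reappeared=%s" %
              (path, s["detections"], s["access_denied"], s["reappeared_after_removal"]))
```

Note that the quarantine copy under C:\Qoobox\Quarantine is scored separately from the live file in SysWOW64; without the lower-casing the two spellings of the SysWOW64 path would also be split, and the re-detection of atiumdva32.dll would be missed.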


----------

