Greetings all. First time poster, and sorry that it is not under better circumstances.
I was infected a few days ago with a nasty virus that brought my computer to its knees, but with the help of Malwarebytes, I am back to a point where I have been able to back up all of my files.
HOWEVER, I keep running Malwarebytes just to be sure that the system is clean, and almost every time, it finds a new virus or trojan horse. I instruct mwb to remove it, which it does, but a few hours later, something new shows up. My infected machine has been disconnected from the network for days.
Here is the first MWB log from my very first scan:
Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 6.0.6001 Service Pack 1 (Safe Mode)
9/27/2009 4:20:30 PM
mbam-log-2009-09-27 (16-20-30).txt
Scan type: Quick Scan
Objects scanned: 85425
Time elapsed: 3 minute(s), 27 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 14
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 11
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{59006ffb-69cc-4263-b2da-d7a545faa510} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\btwsrv (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\btwsrv (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\btwsrv (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sofatnet (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sofatnet (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sofatnet (Backdoor.Bot) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hazelemus (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\19181894 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{59006ffb-69cc-4263-b2da-d7a545faa510} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\norafilav (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\BuildW (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\FirstInstallFlag (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\guid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mso (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udso (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Ulrn (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Update (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\UpdateNew (Malware.Trace) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\meridewa.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\meridewa.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
C:\ProgramData\19181894 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
Files Infected:
c:\Windows\System32\meridewa.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\ProgramData\19181894\19181894 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\ProgramData\19181894\19181894.exe (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\ProgramData\19181894\pc19181894ins (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\Windows\System32\BtwSrv.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\sofatnet.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\System32\wiwow64.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\System32\wmdtc.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\System32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\System32\nabukeyu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
Here is the log from a scan I did tonight:
Malwarebytes' Anti-Malware 1.41
Database version: 2867
Windows 6.0.6002 Service Pack 2
10/1/2009 2:12:46 AM
mbam-log-2009-10-01 (02-12-46).txt
Scan type: Quick Scan
Objects scanned: 90375
Time elapsed: 3 minute(s), 20 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Windows\System32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.
Here is my HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:32:45 AM, on 10/1/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\hp\support\hpsysdrv.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Portrait Displays\Pivot Software\wpCtrl.exe
C:\Program Files\Portrait Displays\HP My Display\dthtml.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Windows\system32\schtasks.exe
C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Roxio\Media Experience\DMXLauncher.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Panasonic\MotionSD STUDIO\SD_Browser\AutoLauncher.exe
C:\Windows\system32\jusched.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Portrait Displays\Pivot Software\floater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\hp\kbd\kbd.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [SunJavaUpdateReg] "C:\Windows\system32\jureg.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe"
O4 - HKLM\..\Run: [DT HPW] C:\Program Files\Portrait Displays\HP My Display\DTHtml.exe -startup_folder
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [NexusServer] "C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe" -SelfLaunch
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\Windows\system32\rundll32.exe C:\Windows\TEMP\492534xxx.dll,DllMain (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\Windows\system32\rundll32.exe C:\Windows\TEMP\492534xxx.dll,DllMain (User 'Default user')
O4 - Startup: ePrompter.lnk = C:\Program Files\ePrompter\ePrompter.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MotionSD STUDIO - SD Browser auto start -.lnk = C:\Program Files\Panasonic\MotionSD STUDIO\SD_Browser\AutoLauncher.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {26B2A5DA-BFD6-422F-A89A-28A54C74B12B} (Photo Upload Plugin Class) - http://www.costcophotocenter.com/upload/ac...veX_Control.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.ad...Plus/1.6/gp.cab
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://webvpn.jpmorganchase.com/dana-cache...SetupClient.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...trl.cab?lmi=100
O20 - AppInit_DLLs: hojayefe.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\Windows\System32\bgsvcgen.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HauppaugeTVServer - Hauppauge Computer Works - C:\PROGRA~1\WinTV\HCWTVS~1.EXE
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 11744 bytes
Any advice would be greatly appreciated! Thanks!
#1
Posted 01 October 2009 - 06:43 AM
#2
Posted 05 October 2009 - 03:33 PM
Hi,
* Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingc...to-use-combofix
Post the log from ComboFix in your next reply.
Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.
#3
Posted 05 October 2009 - 10:01 PM
Thanks for your time, and the new instructions. Prior to reading your response, I ran Malwarebytes again, and it found another trojan. So they are still popping up! I can post the log for that if you are interested.
Here is the ComboFix log...
ComboFix 09-10-04.01 - Matt Munson 10/05/2009 17:42.1.4 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3071.1979 [GMT -4:00]
Running from: c:\users\Matt Munson\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1229 [VPS 091004-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: avast! antivirus 4.8.1229 [VPS 091004-0] *disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\$recycle.bin\S-1-5-21-2367982984-1444817323-3124917685-500
c:\$recycle.bin\S-1-5-21-84770381-3685546523-247238146-500
c:\$recycle.bin\S-1-5-21-909821549-444324555-4134441507-1000
c:\users\Matt Munson\AppData\Roaming\inst.exe
c:\windows\run.log
c:\windows\system32\Install.txt
c:\windows\system32\lsprst7.dll
c:\windows\system32\ssprs.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_MDTDISK
-------\Service_mdtdisk
((((((((((((((((((((((((( Files Created from 2009-09-05 to 2009-10-05 )))))))))))))))))))))))))))))))
.
2009-10-01 08:55 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-10-01 08:46 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-10-01 08:45 . 2009-10-01 08:46 -------- d-----w- c:\programdata\Lavasoft
2009-10-01 08:45 . 2009-10-01 08:45 -------- d-----w- c:\program files\Lavasoft
2009-10-01 06:30 . 2009-10-01 06:30 -------- d-----w- c:\program files\Trend Micro
2009-10-01 06:25 . 2009-10-01 08:45 -------- dc-h--w- c:\programdata\{EF63305C-BAD7-4144-9208-D65528260864}
2009-09-28 21:37 . 2009-09-28 21:38 -------- d-----w- c:\windows\system32\ca-ES
2009-09-28 21:37 . 2009-09-28 21:38 -------- d-----w- c:\windows\system32\eu-ES
2009-09-28 21:37 . 2009-09-28 21:38 -------- d-----w- c:\windows\system32\vi-VN
2009-09-28 15:36 . 2009-09-28 15:36 -------- d-----w- c:\windows\system32\EventProviders
2009-09-28 03:22 . 2009-09-28 03:22 -------- d-----w- c:\programdata\Office Genuine Advantage
2009-09-28 02:24 . 2009-06-22 10:09 2048 ----a-w- c:\windows\system32\tzres.dll
2009-09-28 01:54 . 2008-07-27 18:03 41984 ----a-w- c:\windows\system32\netfxperf.dll
2009-09-28 01:52 . 2009-09-28 01:52 -------- d-----w- c:\program files\CONEXANT
2009-09-28 01:51 . 2009-08-14 16:27 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-09-28 01:51 . 2009-08-14 13:48 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-09-28 01:51 . 2009-08-14 13:48 105984 ----a-w- c:\windows\system32\netiohlp.dll
2009-09-28 01:51 . 2009-08-14 13:49 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-09-28 01:51 . 2009-08-14 13:49 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-09-28 01:51 . 2009-08-14 13:49 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-09-28 01:51 . 2009-08-14 13:49 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-09-28 01:51 . 2009-08-14 13:49 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-09-28 01:51 . 2009-08-14 13:49 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-09-28 01:51 . 2009-08-14 13:49 10240 ----a-w- c:\windows\system32\finger.exe
2009-09-28 01:51 . 2009-08-14 15:53 17920 ----a-w- c:\windows\system32\netevent.dll
2009-09-28 01:49 . 2009-07-15 12:39 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-09-28 01:49 . 2009-07-15 12:39 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-09-28 01:49 . 2009-07-15 12:40 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-09-28 01:49 . 2009-06-04 12:07 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-09-28 01:49 . 2009-04-11 06:28 53248 ----a-w- c:\windows\system32\tsgqec.dll
2009-09-28 01:49 . 2009-04-11 06:28 136192 ----a-w- c:\windows\system32\aaclient.dll
2009-09-28 01:49 . 2009-07-17 13:54 71680 ----a-w- c:\windows\system32\atl.dll
2009-09-28 01:49 . 2009-06-10 11:38 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-09-28 01:49 . 2009-06-10 11:42 160256 ----a-w- c:\windows\system32\wkssvc.dll
2009-09-28 01:48 . 2009-04-11 06:28 1696768 ----a-w- c:\windows\system32\gameux.dll
2009-09-28 01:48 . 2009-08-29 00:14 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-09-28 01:48 . 2009-08-29 00:27 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-09-27 20:12 . 2009-09-27 20:12 -------- d-----w- c:\users\Matt Munson\AppData\Roaming\Malwarebytes
2009-09-27 20:12 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-27 20:12 . 2009-09-27 20:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-27 20:12 . 2009-09-27 20:12 -------- d-----w- c:\programdata\Malwarebytes
2009-09-27 20:12 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-27 15:39 . 2009-09-27 15:39 -------- d-----w- C:\337b6016532e636ec66197a2
2009-09-27 15:38 . 2009-09-27 15:39 -------- d-----w- C:\9b2c6f260054f90a96323606
2009-09-25 11:55 . 2009-09-25 11:55 -------- d-----w- c:\users\Matt Munson\AppData\Roaming\Logs
2009-09-09 01:09 . 2009-09-09 01:09 -------- d-----w- c:\program files\Comical
2009-09-08 14:06 . 2009-09-08 14:44 -------- d-----w- c:\users\Matt Munson\AppData\Roaming\ICAClient
2009-09-08 14:03 . 2009-09-25 23:40 -------- d-----w- c:\program files\Citrix
2009-09-08 13:52 . 2009-09-08 13:52 -------- d-----w- c:\program files\Juniper Networks
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-30 02:15 . 2008-09-12 10:52 -------- d-----w- c:\users\Matt Munson\AppData\Roaming\uTorrent
2009-09-28 21:38 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-09-28 21:38 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-09-28 21:38 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-09-28 21:38 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-09-28 21:38 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2009-09-28 21:38 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-09-28 21:38 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-09-28 00:58 . 2008-08-21 11:51 -------- d-----w- c:\users\Matt Munson\AppData\Roaming\Vso
2009-09-09 00:59 . 2008-09-23 20:02 -------- d-----w- c:\programdata\WebEx
2009-09-08 23:14 . 2009-03-03 03:10 -------- d-----w- c:\programdata\VMware
2009-09-08 23:08 . 2007-11-27 18:59 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-08 13:52 . 2009-08-13 19:22 -------- d-----w- c:\users\Matt Munson\AppData\Roaming\Juniper Networks
2009-08-17 17:24 . 2009-08-17 17:12 -------- d-----w- c:\program files\ACE Mega CoDecS Pack
2009-08-17 17:13 . 2008-08-02 00:30 -------- d-----w- c:\program files\QuickTime
2009-08-17 17:11 . 2008-10-25 10:41 -------- d-----w- c:\program files\DivX
2009-08-17 00:06 . 2009-08-17 00:06 -------- d-----w- c:\users\Matt Munson\AppData\Roaming\AVS4YOU
2009-08-17 00:06 . 2009-08-17 00:06 -------- d-----w- c:\programdata\AVS4YOU
2009-08-17 00:04 . 2009-08-17 00:04 -------- d-----w- c:\program files\AVS4YOU
2009-08-17 00:04 . 2009-08-17 00:04 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-08-13 19:21 . 2009-08-13 19:21 -------- d-----w- c:\users\Matt Munson\AppData\Roaming\WholeSecurity
2009-08-08 20:36 . 2009-08-08 20:36 -------- d-----w- c:\programdata\Steinberg
2009-08-08 20:36 . 2008-08-01 07:13 -------- d-----w- c:\users\Matt Munson\AppData\Roaming\Steinberg
2009-08-08 20:34 . 2009-08-08 20:27 -------- d-----w- c:\program files\Syncrosoft
2009-08-08 20:24 . 2008-08-01 07:04 -------- d-----w- c:\program files\Steinberg
2009-08-03 19:07 . 2009-08-03 19:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 19:07 . 2009-08-03 19:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 19:07 . 2009-08-03 19:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2009-07-21 21:52 . 2009-09-28 02:20 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-09-28 02:20 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-09-28 02:20 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-09-28 02:20 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-15 12:39 . 2009-09-28 01:50 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-11 19:01 . 2009-09-28 01:50 513536 ----a-w- c:\windows\system32\wlansvc.dll
2009-07-11 19:01 . 2009-09-28 01:50 293376 ----a-w- c:\windows\system32\wlanmsm.dll
2009-07-11 19:01 . 2009-09-28 01:50 302592 ----a-w- c:\windows\system32\wlansec.dll
2009-07-11 19:01 . 2009-09-28 01:50 65024 ----a-w- c:\windows\system32\wlanapi.dll
2009-07-11 17:03 . 2009-09-28 01:50 127488 ----a-w- c:\windows\system32\L2SecHC.dll
2008-07-31 22:49 . 2008-07-31 22:49 22 --sha-w- c:\windows\SMINST\HPCD.sys
2007-11-27 18:30 . 2007-11-27 18:25 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-09-20 455968]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-13 178712]
"SunJavaUpdateReg"="c:\windows\system32\jureg.exe" [2007-04-07 54936]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"PivotSoftware"="c:\program files\Portrait Displays\Pivot Software\wpctrl.exe" [2007-02-09 694008]
"DT HPW"="c:\program files\Portrait Displays\HP My Display\DTHtml.exe" [2007-04-25 280064]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-12 623992]
"NexusServer"="c:\program files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe" [2007-03-27 389120]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-08-27 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-08-27 8473120]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-08-27 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-02 289576]
"DMXLauncher"="c:\program files\Roxio\Media Experience\DMXLauncher.exe" [2006-08-14 102400]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-01-15 4874240]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-3 210520]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
MotionSD STUDIO - SD Browser auto start -.lnk - c:\program files\Panasonic\MotionSD STUDIO\SD_Browser\AutoLauncher.exe [2009-2-16 66952]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):7d,40,26,b8,84,40,ca,01
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2367982984-1444817323-3124917685-1000]
"EnableNotificationsRef"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{FB1AB64A-2731-4528-BD01-9CDEFC4B540E}"= c:\program files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{CEC64574-D0EA-4F55-AD99-0A333B0A2448}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{D308FC1C-6AC1-4D39-AB2F-31B4D8AD38C0}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{8EB3973D-7F1D-4B3B-A2FC-53719028B29D}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{B03AB320-29E8-4B5B-903F-169D71C869DA}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{AE0E68C1-3842-4908-B185-591EA83F4343}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{31DD8186-E214-435B-B382-CBBD7EB3AC9D}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{E0FBF8EC-409E-413F-849E-275A92D2AFA5}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{7625F928-2BDA-4C6F-99E7-DDB1375A25C7}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{DEBE9411-6532-469D-A4C0-F139A8911083}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{CA63FBC4-9AF8-4758-814A-7CF4D7B24293}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{5ADAB633-6375-4F88-9B69-8F9B8572581C}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{CC865BB5-4384-4D14-A045-0D85F3DE17B9}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{8F8FAA07-B036-4E98-9746-FE6135BACD57}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{107BEAD5-41B6-4EC7-B761-2AECA61294A6}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{D0A9C181-05FF-475D-8911-74BE456FA06E}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{9BC07D3E-F5BA-41F5-85A4-B6215E603FB3}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"TCP Query User{4C0658F9-6605-4539-BC69-4CE3CF249C51}c:\\program files\\adobe\\adobe flash cs3\\flash.exe"= UDP:c:\program files\adobe\adobe flash cs3\flash.exe:Adobe Flash CS3
"UDP Query User{20042665-9111-447E-B1F6-F78A19DD848A}c:\\program files\\adobe\\adobe flash cs3\\flash.exe"= TCP:c:\program files\adobe\adobe flash cs3\flash.exe:Adobe Flash CS3
"TCP Query User{6E40606E-3925-4178-8C77-55EBD672E17D}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:µTorrent
"UDP Query User{329E8F33-245D-4CF7-BA9D-046EE1962CCC}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:µTorrent
"{E6C209A8-50DD-497C-BC60-D9652F492392}"= UDP:c:\windows\explorer.exe:explorer
"{9EF6F52F-BA4B-4936-B414-E858C3AA5DE6}"= TCP:c:\windows\explorer.exe:explorer
"{FE336DCD-A50E-4939-85EE-C95426509586}"= UDP:c:\program files\Alwil Software\Avast4\ashDisp.exe:ashDisp
"{D35AD1B9-189D-491F-AEBE-61F71C9937F6}"= TCP:c:\program files\Alwil Software\Avast4\ashDisp.exe:ashDisp
"{27D8BC5B-4593-4B96-A4FF-0B9EDCF1DBA6}"= UDP:c:\program files\Alwil Software\Avast4\ashDisp.exe:ashDisp
"{CAAE318B-3D6D-4680-8855-D0821E9848BE}"= TCP:c:\program files\Alwil Software\Avast4\ashDisp.exe:ashDisp
"{3A210E33-45EE-4690-86CD-66CA3FE9DFB4}"= UDP:c:\windows\System32\wininit.exe:wininit
"{942F891F-65AD-4B05-9124-303F834756EC}"= TCP:c:\windows\System32\wininit.exe:wininit
"{75BC712E-A22A-4ECF-A4C1-631C94614ADE}"= UDP:c:\windows\System32\wininit.exe:wininit
"{0B5EBA88-31B6-4EB8-9EE5-AF22202FBF32}"= TCP:c:\windows\System32\wininit.exe:wininit
"{FD9A974C-D7A8-416A-9F11-8EE1BA216F64}"= UDP:c:\windows\System32\winlogon.exe:winlogon
"{06AB9CF2-2DF4-4EF9-A346-8B296DDEE738}"= TCP:c:\windows\System32\winlogon.exe:winlogon
"{F3ADBBD2-65AE-49B4-B9B8-0A41F473CF96}"= UDP:c:\windows\System32\winlogon.exe:winlogon
"{515B2C5D-8241-442C-A902-C21B8A14CD9A}"= TCP:c:\windows\System32\winlogon.exe:winlogon
"{A41FB50E-F69B-4C4F-92FD-F85BCD2FFBA5}"= UDP:c:\windows\System32\winlogon.exe:winlogon
"{B17F811A-B470-48D1-B865-EC6C53A7947E}"= TCP:c:\windows\System32\winlogon.exe:winlogon
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink
R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [10/1/2009 4:46 AM 64160]
R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [9/12/2008 6:31 AM 78416]
R1 NEOFLTR_630_13971;Juniper Networks TDI Filter Driver (NEOFLTR_630_13971);c:\windows\System32\drivers\NEOFLTR_630_13971.sys [2/18/2009 5:58 AM 64480]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [9/12/2008 6:31 AM 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [9/12/2008 6:31 AM 51280]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 10:49 AM 1028432]
R3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\System32\drivers\HCW85BDA.sys [11/27/2007 3:01 PM 1129344]
S3 HauppaugeTVServer;HauppaugeTVServer;c:\progra~1\WinTV\HCWTVS~1.EXE [8/6/2008 3:51 AM 815104]
S3 SynasUSB;SynasUSB;c:\windows\System32\drivers\synasUSB.sys [8/8/2009 4:27 PM 23288]
S3 VST_DPV;VST_DPV;c:\windows\System32\drivers\VSTDPV3.SYS [9/19/2008 7:33 PM 987648]
S3 VSTHWBS2;VSTHWBS2;c:\windows\System32\drivers\VSTBS23.SYS [9/19/2008 7:33 PM 251904]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\System32\drivers\wdcsam.sys [4/16/2008 12:27 PM 11520]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-10-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 08:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://mail.yahoo.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
DPF: {26B2A5DA-BFD6-422F-A89A-28A54C74B12B} - hxxp://www.costcophotocenter.com/upload/activex/v3_0_0_4/PhotoCenter_ActiveX_Control.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://webvpn.jpmorganchase.com/dana-cached/sc/JuniperSetupClient.cab
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-msnmsgr - c:\program files\Windows Live\Messenger\msnmsgr.exe
HKLM-Run-HP Health Check Scheduler - [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
AddRemove-Steinberg Cubase SX v2.01 - c:\progra~1\STEINB~1\CUBASE~1\UNWISE.EXE
**************************************************************************
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-2367982984-1444817323-3124917685-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:50,19,e2,a4,be,ef,3b,d0,e9,4c,ed,5c,9e,7e,77,98,0d,12,34,6d,7a,a0,a0,
94,e3,65,55,63,ad,e1,78,d7,3c,ec,14,c8,a9,cd,48,35,69,39,e7,c6,b8,9e,95,b1,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:e8,c6,93,54,48,fc,f0,1a,94,21,c9,6c,00,43,bf,78,24,3d,b0,97,59,
cf,88,84,dc,cb,1d,1b,2c,df,99,25,09,32,6b,fe,cb,dc,99,59,cd,25,15,40,95,3f,\
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:e8,c6,93,54,48,fc,f0,1a,94,21,c9,6c,00,43,bf,78,24,3d,b0,97,59,
cf,88,84,dc,cb,1d,1b,2c,df,99,25,09,32,6b,fe,cb,dc,99,59,cd,25,15,40,95,3f,\
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\Default_Monitor\5&17752677&0&UID256\Properties\{83da6326-97a6-4088-9453-a1923f573b29}]
@DACL=(02 0000)
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\Default_Monitor\5&17752677&0&UID256\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}]
@DACL=(02 0000)
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26CF\5&17752677&0&UID273\Device Parameters\MODES]
@DACL=(02 0000)
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26CF\5&17752677&0&UID273\Properties\{83da6326-97a6-4088-9453-a1923f573b29}]
@DACL=(02 0000)
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26CF\5&17752677&0&UID273\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}]
@DACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'Explorer.exe'(4360)
c:\program files\Portrait Displays\Pivot Software\winphook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\System32\bgsvcgen.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\windows\System32\drivers\XAudio.exe
c:\windows\System32\WUDFHost.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\windows\System32\wbem\unsecapp.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
c:\windows\System32\wbem\WMIADAP.exe
c:\windows\System32\schtasks.exe
c:\windows\System32\jusched.exe
c:\program files\Alwil Software\Avast4\ashDisp.exe
c:\program files\Common Files\Portrait Displays\Shared\HookManager.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\rundll32.exe
c:\program files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXKERNL.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2009-10-05 17:57 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-05 21:57
Pre-Run: 189,437,235,200 bytes free
Post-Run: 191,483,330,560 bytes free
349 --- E O F --- 2009-10-05 21:05
Thanks again for your time and expertise. I really appreciate it.
m
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:e8,c6,93,54,48,fc,f0,1a,94,21,c9,6c,00,43,bf,78,24,3d,b0,97,59,
cf,88,84,dc,cb,1d,1b,2c,df,99,25,09,32,6b,fe,cb,dc,99,59,cd,25,15,40,95,3f,\
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:e8,c6,93,54,48,fc,f0,1a,94,21,c9,6c,00,43,bf,78,24,3d,b0,97,59,
cf,88,84,dc,cb,1d,1b,2c,df,99,25,09,32,6b,fe,cb,dc,99,59,cd,25,15,40,95,3f,\
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\Default_Monitor\5&17752677&0&UID256\Properties\{83da6326-97a6-4088-9453-a1923f573b29}]
@DACL=(02 0000)
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\Default_Monitor\5&17752677&0&UID256\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}]
@DACL=(02 0000)
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26CF\5&17752677&0&UID273\Device Parameters\MODES]
@DACL=(02 0000)
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26CF\5&17752677&0&UID273\Properties\{83da6326-97a6-4088-9453-a1923f573b29}]
@DACL=(02 0000)
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26CF\5&17752677&0&UID273\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}]
@DACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'Explorer.exe'(4360)
c:\program files\Portrait Displays\Pivot Software\winphook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\System32\bgsvcgen.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\windows\System32\drivers\XAudio.exe
c:\windows\System32\WUDFHost.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\windows\System32\wbem\unsecapp.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
c:\windows\System32\wbem\WMIADAP.exe
c:\windows\System32\schtasks.exe
c:\windows\System32\jusched.exe
c:\program files\Alwil Software\Avast4\ashDisp.exe
c:\program files\Common Files\Portrait Displays\Shared\HookManager.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\rundll32.exe
c:\program files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXKERNL.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2009-10-05 17:57 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-05 21:57
Pre-Run: 189,437,235,200 bytes free
Post-Run: 191,483,330,560 bytes free
349 --- E O F --- 2009-10-05 21:05
Thanks again for your time and expertise. I really appreciate it.
m
#4
Posted 06 October 2009 - 07:03 AM
Hi,
First of all, please update MalwareBytes...
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
- Start MalwareBytes and click the Update tab. There click "Check for updates"
- Once the updates are downloaded, perform a quick scan again.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy & paste the entire report in your next reply along with a fresh HijackThis log, then we'll proceed from there with new steps.
#5
Posted 06 October 2009 - 04:42 PM
The infected PC is not connected to the internet, so I downloaded the MBAM update from this URL
http://www.malwareby.../mbam-rules.exe
and installed it. Here is the log from the run:
Malwarebytes' Anti-Malware 1.41
Database version: 2896
Windows 6.0.6002 Service Pack 2
10/6/2009 12:35:59 PM
mbam-log-2009-10-06 (12-35-59).txt
Scan type: Quick Scan
Objects scanned: 92338
Time elapsed: 3 minute(s), 27 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mdtdisk (Spyware.OnlineGames) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mBt (Backdoor.Bot) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Windows\System32\mdtdisk.sys (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Windows\System32\lsm32.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
Still bad stuff showing up! That PC has been disconnected from the internet for days now, by the way.
Here is the hijack this log I ran immediately after the MBAM restart:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:39:10 PM, on 10/6/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\hp\support\hpsysdrv.exe
C:\hp\KBD\KbdStub.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\system32\schtasks.exe
C:\Program Files\Portrait Displays\Pivot Software\wpCtrl.exe
C:\Program Files\Portrait Displays\HP My Display\dthtml.exe
C:\Windows\system32\jusched.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe
C:\Program Files\Portrait Displays\Pivot Software\floater.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Roxio\Media Experience\DMXLauncher.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Panasonic\MotionSD STUDIO\SD_Browser\AutoLauncher.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SunJavaUpdateReg] "C:\Windows\system32\jureg.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe"
O4 - HKLM\..\Run: [DT HPW] C:\Program Files\Portrait Displays\HP My Display\DTHtml.exe -startup_folder
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [NexusServer] "C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe" -SelfLaunch
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - Startup: ePrompter.lnk = C:\Program Files\ePrompter\ePrompter.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MotionSD STUDIO - SD Browser auto start -.lnk = C:\Program Files\Panasonic\MotionSD STUDIO\SD_Browser\AutoLauncher.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {26B2A5DA-BFD6-422F-A89A-28A54C74B12B} (Photo Upload Plugin Class) - http://www.costcophotocenter.com/upload/ac...veX_Control.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.ad...Plus/1.6/gp.cab
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://webvpn.jpmorganchase.com/dana-cache...SetupClient.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...trl.cab?lmi=100
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\Windows\System32\bgsvcgen.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HauppaugeTVServer - Hauppauge Computer Works - C:\PROGRA~1\WinTV\HCWTVS~1.EXE
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 10775 bytes
Thanks again for all of the assistance.
#6
Posted 06 October 2009 - 04:51 PM
Hi,
Please reconnect to the internet and download the latest updates via MBAM itself, then scan and post the latest log in your next reply.
#7
Posted 06 October 2009 - 09:51 PM
Ok, new log with MBAM updates downloaded directly from the tool:
Malwarebytes' Anti-Malware 1.41
Database version: 2916
Windows 6.0.6002 Service Pack 2
10/6/2009 5:40:45 PM
mbam-log-2009-10-06 (17-40-45).txt
Scan type: Quick Scan
Objects scanned: 92967
Time elapsed: 3 minute(s), 27 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Windows\System32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.
#8
Posted 07 October 2009 - 06:10 AM
Hi,
This looks Ok again.
How are things now?
#9
Posted 07 October 2009 - 12:38 PM
I am still getting the occasional weird pop up from windows that I never got prior to infection. I don't have the text handy, but it was something about stopping a process. I also get pop ups that have no bodies, just a title bar. Really weird. I will screen capture one the next time it shows up.
#10
Posted 07 October 2009 - 12:40 PM
Ok, JUST got one. It says "Host process for windows services stopped working and was closed. A problem caused the application to stop working correctly. Windows will notify you if a solution is available".
I NEVER got those prior to infection, now I get them all the time. Not sure if this is caused by some damage a virus may have done, or if it's the OS responding to a virus. Or some third thing.
#11
Posted 07 October 2009 - 12:50 PM
Hi,
This could indeed be damage by the malware you were dealing with previously. After all, your pc was severely infected, so with a manual cleanup on such a severely infected pc, it's always possible that errors may still appear. Fixing this isn't always easy since it will be searching for a needle in a haystack. After all, malware damages a lot.
Please see here: http://www.online-tech-tips.com/computer-t...topped-working/
Let me know what EXACT errors are displayed there (matching the latest date of course)
#12
Posted 07 October 2009 - 12:56 PM
Also, can you redownload Combofix, run it and post the new log?
#13
Posted 07 October 2009 - 01:31 PM
Miekiemoes, working on responding to your last two posts. Will get back to you on those shortly. Prior to reading those, I downloaded today's update for MBAM and re-ran it, finding one more certstore.dat trojan. Here is the log...
Malwarebytes' Anti-Malware 1.41
Database version: 2917
Windows 6.0.6002 Service Pack 2
10/7/2009 9:25:22 AM
mbam-log-2009-10-07 (09-25-22).txt
Scan type: Quick Scan
Objects scanned: 93122
Time elapsed: 2 minute(s), 26 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Windows\System32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.
#14
Posted 07 October 2009 - 01:40 PM
That certstore.dat reminds me of Virut infection. I really hope this isn't the case here as it would also explain those errors. The malware you were dealing with comes in 80% of the cases with Virut, so I really hope I am wrong here, because Virut means a format and reinstall unfortunately.
Also, did Malwarebytes reboot afterwards? Because your Windows Defender may interfere here with the cleanup script.
Can you navigate to the file C:\Windows\System32\certstore.dat and delete it manually? Is it getting recreated again?
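The recreation question above is exactly what the repeated MBAM logs in this thread show: the same file removed in one scan and detected again in the next. The script below, an added example and not code from the thread or from Malwarebytes, parses MBAM 1.41 logs in the posted format and reports items that came back after a successful removal; the log texts inside it are constructed for the example.

```python
"""Find detections that recur across successive MBAM scan logs.

Added example for this thread, not code from the original posts or from
Malwarebytes. A file that is "Quarantined and deleted successfully" in one
scan and is detected again at the same path in the next scan (as
certstore.dat is above) was written back by something still active, so
repeating the signature cleanup alone is not enough. The log texts below
are constructed for the example, in the format of the logs posted here.
"""
import re
from collections import defaultdict

# One detection line: "<item> (<family>) -> <action>."
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
# The log's own filename line carries the scan date and time.
SCAN_ID_RE = re.compile(r"^mbam-log-(\d{4}-\d{2}-\d{2}) \((\d{2})-(\d{2})-(\d{2})\)\.txt$")

# Constructed sample logs (not the poster's real logs).
LOG_2009_10_06 = r"""Malwarebytes' Anti-Malware 1.41
Database version: 2916
mbam-log-2009-10-06 (17-40-45).txt
Registry Keys Infected: 1
Files Infected: 1
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{59006ffb-69cc-4263-b2da-d7a545faa510} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
Files Infected:
C:\Windows\System32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.
"""

LOG_2009_10_07 = r"""Malwarebytes' Anti-Malware 1.41
Database version: 2917
mbam-log-2009-10-07 (09-25-22).txt
Files Infected: 1
Registry Keys Infected:
(No malicious items detected)
Files Infected:
C:\Windows\System32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.
"""

LOG_2009_10_08 = r"""Malwarebytes' Anti-Malware 1.41
Database version: 2920
mbam-log-2009-10-08 (08-00-00).txt
Files Infected: 0
Files Infected:
(No malicious items detected)
"""

LOGS = [LOG_2009_10_06, LOG_2009_10_07, LOG_2009_10_08]


def parse_mbam_log(text):
    """Return (scan_id, [(item, family, action), ...]) for one log.

    scan_id is "YYYY-MM-DD HH:MM:SS" so that scans sort chronologically.
    Items are lower-cased because Windows paths and registry keys are
    case-insensitive.
    """
    scan_id, detections = None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = SCAN_ID_RE.match(line)
        if m:
            scan_id = f"{m.group(1)} {m.group(2)}:{m.group(3)}:{m.group(4)}"
            continue
        m = DETECTION_RE.match(line)
        if m:  # summary counts and "(No malicious items detected)" do not match
            detections.append((m.group("item").lower(), m.group("family"), m.group("action")))
    if scan_id is None:
        raise ValueError("no mbam-log-<date> (<time>).txt line in log")
    return scan_id, detections


def recurring_detections(log_texts):
    """Map each item seen in two or more scans to the ordered list of scan ids.

    Only items removed in an earlier scan count: the same path coming back
    after a successful delete is the re-creation symptom the helper asks
    about. Logs may be passed in any order; hits are sorted by scan id.
    """
    seen = defaultdict(list)  # item -> [(scan_id, action), ...]
    for text in log_texts:
        scan_id, detections = parse_mbam_log(text)
        for item, _family, action in detections:
            seen[item].append((scan_id, action))
    recurring = {}
    for item, hits in seen.items():
        hits.sort()
        removed_before_last = any("deleted" in action.lower() for _, action in hits[:-1])
        if len(hits) >= 2 and removed_before_last:
            recurring[item] = [scan_id for scan_id, _ in hits]
    return recurring


if __name__ == "__main__":
    for item, scans in recurring_detections(LOGS).items():
        print(f"{item} came back after removal; seen in scans: {', '.join(scans)}")
```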
#15
Posted 07 October 2009 - 04:35 PM
Latest ComboFix log from new download:
ComboFix 09-10-06.04 - Matt Munson 10/07/2009 9:39.2.4 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3071.2028 [GMT -4:00]
Running from: c:\users\Matt Munson\Desktop\ComboFixs.exe
AV: avast! antivirus 4.8.1229 [VPS 091006-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: avast! antivirus 4.8.1229 [VPS 091006-0] *disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_MDTDISK
((((((((((((((((((((((((( Files Created from 2009-09-07 to 2009-10-07 )))))))))))))))))))))))))))))))
.
2009-10-07 13:52 . 2009-10-07 13:52 41631 ----a-w- c:\windows\system32\certstore.dat
2009-10-07 13:44 . 2009-10-07 13:44 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-10-07 13:44 . 2009-10-07 13:44 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-10-01 08:55 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-10-01 08:46 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-10-01 08:45 . 2009-10-01 08:46 -------- d-----w- c:\programdata\Lavasoft
2009-10-01 08:45 . 2009-10-01 08:45 -------- d-----w- c:\program files\Lavasoft
2009-10-01 06:30 . 2009-10-01 06:30 -------- d-----w- c:\program files\Trend Micro
2009-10-01 06:25 . 2009-10-01 08:45 -------- dc-h--w- c:\programdata\{EF63305C-BAD7-4144-9208-D65528260864}
2009-09-28 21:37 . 2009-09-28 21:38 -------- d-----w- c:\windows\system32\ca-ES
2009-09-28 21:37 . 2009-09-28 21:38 -------- d-----w- c:\windows\system32\eu-ES
2009-09-28 21:37 . 2009-09-28 21:38 -------- d-----w- c:\windows\system32\vi-VN
2009-09-28 15:36 . 2009-09-28 15:36 -------- d-----w- c:\windows\system32\EventProviders
2009-09-28 03:22 . 2009-09-28 03:22 -------- d-----w- c:\programdata\Office Genuine Advantage
2009-09-28 02:24 . 2009-06-22 10:09 2048 ----a-w- c:\windows\system32\tzres.dll
2009-09-28 01:54 . 2008-07-27 18:03 41984 ----a-w- c:\windows\system32\netfxperf.dll
2009-09-28 01:52 . 2009-09-28 01:52 -------- d-----w- c:\program files\CONEXANT
2009-09-28 01:51 . 2009-08-14 16:27 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-09-28 01:51 . 2009-08-14 13:48 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-09-28 01:51 . 2009-08-14 13:48 105984 ----a-w- c:\windows\system32\netiohlp.dll
2009-09-28 01:51 . 2009-08-14 13:49 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-09-28 01:51 . 2009-08-14 13:49 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-09-28 01:51 . 2009-08-14 13:49 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-09-28 01:51 . 2009-08-14 13:49 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-09-28 01:51 . 2009-08-14 13:49 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-09-28 01:51 . 2009-08-14 13:49 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-09-28 01:51 . 2009-08-14 13:49 10240 ----a-w- c:\windows\system32\finger.exe
2009-09-28 01:51 . 2009-08-14 15:53 17920 ----a-w- c:\windows\system32\netevent.dll
2009-09-28 01:49 . 2009-07-15 12:39 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-09-28 01:49 . 2009-07-15 12:39 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-09-28 01:49 . 2009-07-15 12:40 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-09-28 01:49 . 2009-06-04 12:07 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-09-28 01:49 . 2009-04-11 06:28 53248 ----a-w- c:\windows\system32\tsgqec.dll
2009-09-28 01:49 . 2009-04-11 06:28 136192 ----a-w- c:\windows\system32\aaclient.dll
2009-09-28 01:49 . 2009-07-17 13:54 71680 ----a-w- c:\windows\system32\atl.dll
2009-09-28 01:49 . 2009-06-10 11:38 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-09-28 01:49 . 2009-06-10 11:42 160256 ----a-w- c:\windows\system32\wkssvc.dll
2009-09-28 01:48 . 2009-04-11 06:28 1696768 ----a-w- c:\windows\system32\gameux.dll
2009-09-28 01:48 . 2009-08-29 00:14 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-09-28 01:48 . 2009-08-29 00:27 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-09-27 20:12 . 2009-09-27 20:12 -------- d-----w- c:\users\Matt Munson\AppData\Roaming\Malwarebytes
2009-09-27 20:12 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-27 20:12 . 2009-09-27 20:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-27 20:12 . 2009-09-27 20:12 -------- d-----w- c:\programdata\Malwarebytes
2009-09-27 20:12 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-27 15:39 . 2009-09-27 15:39 -------- d-----w- C:\337b6016532e636ec66197a2
2009-09-27 15:38 . 2009-09-27 15:39 -------- d-----w- C:\9b2c6f260054f90a96323606
2009-09-25 11:55 . 2009-09-25 11:55 -------- d-----w- c:\users\Matt Munson\AppData\Roaming\Logs
2009-09-09 01:09 . 2009-09-09 01:09 -------- d-----w- c:\program files\Comical
2009-09-08 14:06 . 2009-09-08 14:44 -------- d-----w- c:\users\Matt Munson\AppData\Roaming\ICAClient
2009-09-08 14:03 . 2009-09-25 23:40 -------- d-----w- c:\program files\Citrix
2009-09-08 13:52 . 2009-09-08 13:52 -------- d-----w- c:\program files\Juniper Networks
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-07 12:47 . 2008-09-12 10:52 -------- d-----w- c:\users\Matt Munson\AppData\Roaming\uTorrent
2009-09-28 21:38 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-09-28 21:38 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-09-28 21:38 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-09-28 21:38 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-09-28 21:38 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2009-09-28 21:38 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-09-28 21:38 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-09-28 00:58 . 2008-08-21 11:51 -------- d-----w- c:\users\Matt Munson\AppData\Roaming\Vso
2009-09-09 00:59 . 2008-09-23 20:02 -------- d-----w- c:\programdata\WebEx
2009-09-08 23:14 . 2009-03-03 03:10 -------- d-----w- c:\programdata\VMware
2009-09-08 23:08 . 2007-11-27 18:59 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-08 13:52 . 2009-08-13 19:22 -------- d-----w- c:\users\Matt Munson\AppData\Roaming\Juniper Networks
2009-08-17 17:24 . 2009-08-17 17:12 -------- d-----w- c:\program files\ACE Mega CoDecS Pack
2009-08-17 17:13 . 2008-08-02 00:30 -------- d-----w- c:\program files\QuickTime
2009-08-17 17:11 . 2008-10-25 10:41 -------- d-----w- c:\program files\DivX
2009-08-17 00:06 . 2009-08-17 00:06 -------- d-----w- c:\users\Matt Munson\AppData\Roaming\AVS4YOU
2009-08-17 00:06 . 2009-08-17 00:06 -------- d-----w- c:\programdata\AVS4YOU
2009-08-17 00:04 . 2009-08-17 00:04 -------- d-----w- c:\program files\AVS4YOU
2009-08-17 00:04 . 2009-08-17 00:04 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-08-13 19:21 . 2009-08-13 19:21 -------- d-----w- c:\users\Matt Munson\AppData\Roaming\WholeSecurity
2009-08-08 20:36 . 2009-08-08 20:36 -------- d-----w- c:\programdata\Steinberg
2009-08-08 20:36 . 2008-08-01 07:13 -------- d-----w- c:\users\Matt Munson\AppData\Roaming\Steinberg
2009-08-08 20:34 . 2009-08-08 20:27 -------- d-----w- c:\program files\Syncrosoft
2009-08-08 20:24 . 2008-08-01 07:04 -------- d-----w- c:\program files\Steinberg
2009-08-03 19:07 . 2009-08-03 19:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 19:07 . 2009-08-03 19:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 19:07 . 2009-08-03 19:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2009-07-21 21:52 . 2009-09-28 02:20 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-09-28 02:20 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-09-28 02:20 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-09-28 02:20 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-15 12:39 . 2009-09-28 01:50 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-11 19:01 . 2009-09-28 01:50 513536 ----a-w- c:\windows\system32\wlansvc.dll
2009-07-11 19:01 . 2009-09-28 01:50 293376 ----a-w- c:\windows\system32\wlanmsm.dll
2009-07-11 19:01 . 2009-09-28 01:50 302592 ----a-w- c:\windows\system32\wlansec.dll
2009-07-11 19:01 . 2009-09-28 01:50 65024 ----a-w- c:\windows\system32\wlanapi.dll
2009-07-11 17:03 . 2009-09-28 01:50 127488 ----a-w- c:\windows\system32\L2SecHC.dll
2008-07-31 22:49 . 2008-07-31 22:49 22 --sha-w- c:\windows\SMINST\HPCD.sys
2007-11-27 18:30 . 2007-11-27 18:25 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.
((((((((((((((((((((((((((((( SnapShot@2009-10-05_21.54.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-27 18:52 . 2009-10-07 13:29 48836 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-10-07 13:29 75508 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-07-31 09:44 . 2009-10-05 21:54 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-07-31 09:44 . 2009-10-07 16:27 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-07-31 09:44 . 2009-10-07 16:27 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-07-31 09:44 . 2009-10-05 21:54 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-08-02 19:19 . 2009-10-05 22:41 4162 c:\windows\System32\WDI\ERCQueuedResolutions.dat
+ 2008-07-31 09:36 . 2009-10-07 13:29 8712 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2367982984-1444817323-3124917685-1000_UserData.bin
- 2009-10-05 21:49 . 2009-10-05 21:49 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-10-07 13:46 . 2009-10-07 13:46 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-10-05 21:49 . 2009-10-05 21:49 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-10-07 13:46 . 2009-10-07 13:46 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2006-11-02 10:33 . 2009-10-05 21:40 633850 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2009-10-07 13:51 633850 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-10-05 21:40 117038 c:\windows\System32\perfc009.dat
+ 2006-11-02 10:33 . 2009-10-07 13:51 117038 c:\windows\System32\perfc009.dat
+ 2009-09-28 02:39 . 2009-10-07 13:27 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2009-09-28 02:39 . 2009-09-28 22:33 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2008-07-31 09:44 . 2009-10-05 21:54 327680 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-07-31 09:44 . 2009-10-07 16:27 327680 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-09-20 455968]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-13 178712]
"SunJavaUpdateReg"="c:\windows\system32\jureg.exe" [2007-04-07 54936]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"PivotSoftware"="c:\program files\Portrait Displays\Pivot Software\wpctrl.exe" [2007-02-09 694008]
"DT HPW"="c:\program files\Portrait Displays\HP My Display\DTHtml.exe" [2007-04-25 280064]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-12 623992]
"NexusServer"="c:\program files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe" [2007-03-27 389120]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-08-27 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-08-27 8473120]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-08-27 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-02 289576]
"DMXLauncher"="c:\program files\Roxio\Media Experience\DMXLauncher.exe" [2006-08-14 102400]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-01-15 4874240]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-3 210520]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
MotionSD STUDIO - SD Browser auto start -.lnk - c:\program files\Panasonic\MotionSD STUDIO\SD_Browser\AutoLauncher.exe [2009-2-16 66952]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):7d,40,26,b8,84,40,ca,01
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2367982984-1444817323-3124917685-1000]
"EnableNotificationsRef"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{FB1AB64A-2731-4528-BD01-9CDEFC4B540E}"= c:\program files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{CEC64574-D0EA-4F55-AD99-0A333B0A2448}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{D308FC1C-6AC1-4D39-AB2F-31B4D8AD38C0}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{8EB3973D-7F1D-4B3B-A2FC-53719028B29D}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{B03AB320-29E8-4B5B-903F-169D71C869DA}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{AE0E68C1-3842-4908-B185-591EA83F4343}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{31DD8186-E214-435B-B382-CBBD7EB3AC9D}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{E0FBF8EC-409E-413F-849E-275A92D2AFA5}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{7625F928-2BDA-4C6F-99E7-DDB1375A25C7}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{DEBE9411-6532-469D-A4C0-F139A8911083}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{CA63FBC4-9AF8-4758-814A-7CF4D7B24293}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{5ADAB633-6375-4F88-9B69-8F9B8572581C}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{CC865BB5-4384-4D14-A045-0D85F3DE17B9}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{8F8FAA07-B036-4E98-9746-FE6135BACD57}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{107BEAD5-41B6-4EC7-B761-2AECA61294A6}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{D0A9C181-05FF-475D-8911-74BE456FA06E}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{9BC07D3E-F5BA-41F5-85A4-B6215E603FB3}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"TCP Query User{4C0658F9-6605-4539-BC69-4CE3CF249C51}c:\\program files\\adobe\\adobe flash cs3\\flash.exe"= UDP:c:\program files\adobe\adobe flash cs3\flash.exe:Adobe Flash CS3
"UDP Query User{20042665-9111-447E-B1F6-F78A19DD848A}c:\\program files\\adobe\\adobe flash cs3\\flash.exe"= TCP:c:\program files\adobe\adobe flash cs3\flash.exe:Adobe Flash CS3
"TCP Query User{6E40606E-3925-4178-8C77-55EBD672E17D}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:µTorrent
"UDP Query User{329E8F33-245D-4CF7-BA9D-046EE1962CCC}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:µTorrent
"{E6C209A8-50DD-497C-BC60-D9652F492392}"= UDP:c:\windows\explorer.exe:explorer
"{9EF6F52F-BA4B-4936-B414-E858C3AA5DE6}"= TCP:c:\windows\explorer.exe:explorer
"{FE336DCD-A50E-4939-85EE-C95426509586}"= UDP:c:\program files\Alwil Software\Avast4\ashDisp.exe:ashDisp
"{D35AD1B9-189D-491F-AEBE-61F71C9937F6}"= TCP:c:\program files\Alwil Software\Avast4\ashDisp.exe:ashDisp
"{27D8BC5B-4593-4B96-A4FF-0B9EDCF1DBA6}"= UDP:c:\program files\Alwil Software\Avast4\ashDisp.exe:ashDisp
"{CAAE318B-3D6D-4680-8855-D0821E9848BE}"= TCP:c:\program files\Alwil Software\Avast4\ashDisp.exe:ashDisp
"{3A210E33-45EE-4690-86CD-66CA3FE9DFB4}"= UDP:c:\windows\System32\wininit.exe:wininit
"{942F891F-65AD-4B05-9124-303F834756EC}"= TCP:c:\windows\System32\wininit.exe:wininit
"{75BC712E-A22A-4ECF-A4C1-631C94614ADE}"= UDP:c:\windows\System32\wininit.exe:wininit
"{0B5EBA88-31B6-4EB8-9EE5-AF22202FBF32}"= TCP:c:\windows\System32\wininit.exe:wininit
"{FD9A974C-D7A8-416A-9F11-8EE1BA216F64}"= UDP:c:\windows\System32\winlogon.exe:winlogon
"{06AB9CF2-2DF4-4EF9-A346-8B296DDEE738}"= TCP:c:\windows\System32\winlogon.exe:winlogon
"{F3ADBBD2-65AE-49B4-B9B8-0A41F473CF96}"= UDP:c:\windows\System32\winlogon.exe:winlogon
"{515B2C5D-8241-442C-A902-C21B8A14CD9A}"= TCP:c:\windows\System32\winlogon.exe:winlogon
"{A41FB50E-F69B-4C4F-92FD-F85BCD2FFBA5}"= UDP:c:\windows\System32\winlogon.exe:winlogon
"{B17F811A-B470-48D1-B865-EC6C53A7947E}"= TCP:c:\windows\System32\winlogon.exe:winlogon
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink
R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [10/1/2009 4:46 AM 64160]
R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [9/12/2008 6:31 AM 78416]
R1 NEOFLTR_630_13971;Juniper Networks TDI Filter Driver (NEOFLTR_630_13971);c:\windows\System32\drivers\NEOFLTR_630_13971.sys [2/18/2009 5:58 AM 64480]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [9/12/2008 6:31 AM 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [9/12/2008 6:31 AM 51280]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 10:49 AM 1028432]
R3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\System32\drivers\HCW85BDA.sys [11/27/2007 3:01 PM 1129344]
S3 HauppaugeTVServer;HauppaugeTVServer;c:\progra~1\WinTV\HCWTVS~1.EXE [8/6/2008 3:51 AM 815104]
S3 SynasUSB;SynasUSB;c:\windows\System32\drivers\synasUSB.sys [8/8/2009 4:27 PM 23288]
S3 VST_DPV;VST_DPV;c:\windows\System32\drivers\VSTDPV3.SYS [9/19/2008 7:33 PM 987648]
S3 VSTHWBS2;VSTHWBS2;c:\windows\System32\drivers\VSTBS23.SYS [9/19/2008 7:33 PM 251904]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\System32\drivers\wdcsam.sys [4/16/2008 12:27 PM 11520]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
BtwSrv
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-10-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 08:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://mail.yahoo.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
DPF: {26B2A5DA-BFD6-422F-A89A-28A54C74B12B} - hxxp://www.costcophotocenter.com/upload/activex/v3_0_0_4/PhotoCenter_ActiveX_Control.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://webvpn.jpmorganchase.com/dana-cached/sc/JuniperSetupClient.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-07 12:27
Windows 6.0.6002 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-2367982984-1444817323-3124917685-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:50,19,e2,a4,be,ef,3b,d0,e9,4c,ed,5c,9e,7e,77,98,0d,12,34,6d,7a,a0,a0,
94,e3,65,55,63,ad,e1,78,d7,3c,ec,14,c8,a9,cd,48,35,69,39,e7,c6,b8,9e,95,b1,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:e8,c6,93,54,48,fc,f0,1a,94,21,c9,6c,00,43,bf,78,24,3d,b0,97,59,
cf,88,84,dc,cb,1d,1b,2c,df,99,25,09,32,6b,fe,cb,dc,99,59,cd,25,15,40,95,3f,\
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:e8,c6,93,54,48,fc,f0,1a,94,21,c9,6c,00,43,bf,78,24,3d,b0,97,59,
cf,88,84,dc,cb,1d,1b,2c,df,99,25,09,32,6b,fe,cb,dc,99,59,cd,25,15,40,95,3f,\
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\Default_Monitor\5&17752677&0&UID256\Properties\{83da6326-97a6-4088-9453-a1923f573b29}]
@DACL=(02 0000)
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\Default_Monitor\5&17752677&0&UID256\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}]
@DACL=(02 0000)
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26CF\5&17752677&0&UID273\Device Parameters\MODES]
@DACL=(02 0000)
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26CF\5&17752677&0&UID273\Properties\{83da6326-97a6-4088-9453-a1923f573b29}]
@DACL=(02 0000)
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26CF\5&17752677&0&UID273\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}]
@DACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'Explorer.exe'(6004)
c:\program files\Portrait Displays\Pivot Software\winphook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\System32\bgsvcgen.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\windows\System32\drivers\XAudio.exe
c:\windows\System32\WUDFHost.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\windows\System32\wbem\unsecapp.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
c:\windows\System32\schtasks.exe
c:\windows\System32\jusched.exe
c:\program files\Portrait Displays\Pivot Software\Floater.exe
c:\program files\Alwil Software\Avast4\ashDisp.exe
c:\windows\System32\rundll32.exe
c:\program files\Common Files\Portrait Displays\Shared\HookManager.exe
c:\windows\System32\rundll32.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Windows Media Player\wmpnscfg.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\windows\System32\wermgr.exe
.
**************************************************************************
.
Completion time: 2009-10-07 12:32 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-07 16:32
ComboFix2.txt 2009-10-05 21:57
Pre-Run: 182,075,994,112 bytes free
Post-Run: 182,018,392,064 bytes free
367 --- E O F --- 2009-10-05 21:05
I will respond shortly to other questions.
#16
Posted 07 October 2009 - 04:39 PM
miekiemoes, on Oct 7 2009, 01:40 PM, said:
Also, did malwarebytes reboot afterwards? Because your Windows defender may interfere here with the cleanup script.
Can you navigate to the file C:\Windows\System32\certstore.dat and delete it manually? Is it getting recreated again?
Malwarebytes did reboot after the scan.
The certstore.dat file was created again.
I was able to navigate to it and delete it manually.
I did not see any instructions for disabling Windows Defender prior to running MBAM. If that is something you think I should do, please point me to directions on disabling it.
I am almost prepared for a full reinstall if necessary. My system is quasi-stable as is, and I'm backing up personal data. So no matter what happens, I am already extremely grateful for your assistance so far. Ideally, I would be able to recover the system, but if that is off the table, I will survive.
#17
Posted 07 October 2009 - 04:49 PM
miekiemoes, on Oct 7 2009, 12:50 PM, said:
Hi,
This could indeed be damage by the malware you were dealing with previously. After all, your pc was severely infected, so with a manual cleanup on such a severely infected pc, it's always possible that errors may still appear. Fixing this isn't always easy since it will be searching for a needle in a haystack. After all, malware damages a lot.
Please see here: http://www.online-tech-tips.com/computer-t...topped-working/
Let me know what EXACT errors are displayed there (matching the latest date of course)
I followed the link you provided, and went through the steps described to open my event log. There were a few errors that occurred right around the time the "Host process for windows services stopped working and was closed" dialog was issued. Here are the messages from those errors:
Error 10/7/2009 12:37:48 PM Application Error 1000 (100)
Faulting application svchost.exe, version 6.0.6001.18000, time stamp 0x4a481bab, faulting module svchost.exe, version 6.0.6001.18000, time stamp 0x4a481bab, exception code 0xc0000005, fault offset 0x000019f8, process id 0xe8c, application start time 0x01ca476c8065c47e.
Error 10/7/2009 12:33:06 PM Application Error 1000 (100)
Faulting application svchost.exe, version 6.0.6001.18000, time stamp 0x4a481bab, faulting module svchost.exe, version 6.0.6001.18000, time stamp 0x4a481bab, exception code 0xc0000005, fault offset 0x000019f8, process id 0x14c4, application start time 0x01ca476bd86ab73e.
Error 10/7/2009 12:31:12 PM Application Error 1000 (100)
Faulting application svchost.exe, version 6.0.6001.18000, time stamp 0x4a481bab, faulting module svchost.exe, version 6.0.6001.18000, time stamp 0x4a481bab, exception code 0xc0000005, fault offset 0x000019f8, process id 0x17ec, application start time 0x01ca476b945cc79e.
I also got a weird warning right after login:
Information 10/7/2009 12:31:09 PM Winlogon 1002 None
The shell stopped unexpectedly and Explorer.exe was restarted.
Please let me know what you think.
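The three Application Error 1000 entries above share one signature (svchost.exe faulting in its own image, exception 0xc0000005, offset 0x000019f8) across three different process ids, which is what distinguishes a deterministic fault from random instability. The script below is an added example, not code from the thread or from any tool named in it; it parses Event Viewer text exports in the two-line layout shown above and groups crashes by that signature. The constant names and the sample input (built from the lines posted above) are constructed for the example.

```python
"""Triage Event Viewer text exports for repeating application-crash signatures.

Added example (not from the thread): pairs each event header line with its
detail line, extracts the fields of Application Error 1000 entries and groups
them by (faulting application, faulting module, exception code, fault offset).
The same signature in several distinct process ids means one repeatable fault
rather than unrelated crashes.
"""
import re
from collections import defaultdict

# Constructed sample input: the entries quoted in the post, in the
# "header line, then detail line" layout Event Viewer exports use.
SAMPLE_EVENTS = """\
Error 10/7/2009 12:37:48 PM Application Error 1000 (100)
Faulting application svchost.exe, version 6.0.6001.18000, time stamp 0x4a481bab, faulting module svchost.exe, version 6.0.6001.18000, time stamp 0x4a481bab, exception code 0xc0000005, fault offset 0x000019f8, process id 0xe8c, application start time 0x01ca476c8065c47e.
Error 10/7/2009 12:33:06 PM Application Error 1000 (100)
Faulting application svchost.exe, version 6.0.6001.18000, time stamp 0x4a481bab, faulting module svchost.exe, version 6.0.6001.18000, time stamp 0x4a481bab, exception code 0xc0000005, fault offset 0x000019f8, process id 0x14c4, application start time 0x01ca476bd86ab73e.
Error 10/7/2009 12:31:12 PM Application Error 1000 (100)
Faulting application svchost.exe, version 6.0.6001.18000, time stamp 0x4a481bab, faulting module svchost.exe, version 6.0.6001.18000, time stamp 0x4a481bab, exception code 0xc0000005, fault offset 0x000019f8, process id 0x17ec, application start time 0x01ca476b945cc79e.
Information 10/7/2009 12:31:09 PM Winlogon 1002 None
The shell stopped unexpectedly and Explorer.exe was restarted.
"""

# Header: level, timestamp, source, event id, task category.
HEADER_RE = re.compile(
    r"^(?P<level>Error|Warning|Information)\s+"
    r"(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<source>.+?)\s+(?P<event_id>\d+)\s+(?P<category>\S+)$"
)
# Detail line of an Application Error 1000 event.
FAULT_RE = re.compile(
    r"Faulting application (?P<app>\S+), version (?P<app_ver>\S+),.*?"
    r"faulting module (?P<module>\S+), version (?P<mod_ver>\S+),.*?"
    r"exception code (?P<exc>0x[0-9a-fA-F]+), "
    r"fault offset (?P<offset>0x[0-9a-fA-F]+), "
    r"process id (?P<pid>0x[0-9a-fA-F]+)"
)

# Well-known NTSTATUS values that show up as exception codes (subset).
EXCEPTION_NAMES = {
    "0xc0000005": "STATUS_ACCESS_VIOLATION",
    "0xc000001d": "STATUS_ILLEGAL_INSTRUCTION",
    "0xc00000fd": "STATUS_STACK_OVERFLOW",
}


def parse_events(text):
    """Return a list of event dicts; 1000 events also carry the fault fields."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    events, i = [], 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i])
        if not m:           # stray line without a header: skip it
            i += 1
            continue
        ev = m.groupdict()
        ev["event_id"] = int(ev["event_id"])
        has_detail = i + 1 < len(lines) and not HEADER_RE.match(lines[i + 1])
        ev["detail"] = lines[i + 1] if has_detail else ""
        if ev["event_id"] == 1000:
            fm = FAULT_RE.search(ev["detail"])
            if fm:
                ev.update(fm.groupdict())
        events.append(ev)
        i += 2 if has_detail else 1
    return events


def crash_signatures(events):
    """Map (app, module, exception, offset) -> sorted distinct process ids."""
    sigs = defaultdict(set)
    for ev in events:
        if ev.get("event_id") == 1000 and "offset" in ev:
            key = (ev["app"], ev["module"], ev["exc"].lower(), ev["offset"].lower())
            sigs[key].add(ev["pid"].lower())
    return {k: sorted(v) for k, v in sigs.items()}


def repeated_crashes(events, min_processes=2):
    """Signatures seen in at least min_processes distinct processes."""
    return {k: v for k, v in crash_signatures(events).items() if len(v) >= min_processes}


def describe(signature, pids):
    """One-line triage note for a signature, naming the exception if known."""
    app, module, exc, offset = signature
    name = EXCEPTION_NAMES.get(exc, "unknown exception")
    return f"{app}: {name} ({exc}) in {module}+{offset}, {len(pids)} process(es)"


if __name__ == "__main__":
    for sig, pids in repeated_crashes(parse_events(SAMPLE_EVENTS)).items():
        print(describe(sig, pids))
```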
#18
Posted 07 October 2009 - 04:51 PM
I have reviewed my Windows Defender settings, and it appears that it was indeed disabled for my last few scans of MBAM and ComboFix.
#19
Posted 07 October 2009 - 05:07 PM
Hi,
* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:
Quote
Collect::[8]
c:\windows\system32\certstore.dat
NetSvc::
BtwSrv
Save this as a txt file named CFScript.
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again.
Then, please visit this site:
http://www.bleepingc...e.php?channel=8
Where it says: "Browse to the file you want to submit", use the Browse button to navigate to the following file: C:\Qoobox\Quarantine\[8]-Submit_date_time.zip (date_time will be replaced with the date and time when this file was created)
Then click the "Send File" button below in order to upload it.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
#20
Posted 07 October 2009 - 06:09 PM
I ran the script as instructed.
When I went to upload the file you requested, I did not find it in the directory you specified. There were four items in that directory:
C
Registry_backups
catchme.log
catchme.txt
The first two are folders. If there is somewhere else I should be browsing for that file, please advise. There is a file in the qoobox directory named "CFScript_used_2009-10-07_13.29.04.txt", which is similar to what you were looking for. Is that the one?
Here is the combofix log after the script execution:
ComboFix 09-10-06.04 - Matt Munson 10/07/2009 13:29.3.4 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3071.1826 [GMT -4:00]
Running from: c:\users\Matt Munson\Desktop\ComboFixs.exe
Command switches used :: c:\users\Matt Munson\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1229 [VPS 091006-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: avast! antivirus 4.8.1229 [VPS 091006-0] *disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\Installer\10b1b.msi
.
((((((((((((((((((((((((( Files Created from 2009-09-07 to 2009-10-07 )))))))))))))))))))))))))))))))
.
2009-10-07 17:33 . 2009-10-07 17:33 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-10-07 17:33 . 2009-10-07 17:33 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-10-01 08:55 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-10-01 08:46 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-10-01 08:45 . 2009-10-01 08:46 -------- d-----w- c:\programdata\Lavasoft
2009-10-01 08:45 . 2009-10-01 08:45 -------- d-----w- c:\program files\Lavasoft
2009-10-01 06:30 . 2009-10-01 06:30 -------- d-----w- c:\program files\Trend Micro
2009-10-01 06:25 . 2009-10-01 08:45 -------- dc-h--w- c:\programdata\{EF63305C-BAD7-4144-9208-D65528260864}
2009-09-28 21:37 . 2009-09-28 21:38 -------- d-----w- c:\windows\system32\ca-ES
2009-09-28 21:37 . 2009-09-28 21:38 -------- d-----w- c:\windows\system32\eu-ES
2009-09-28 21:37 . 2009-09-28 21:38 -------- d-----w- c:\windows\system32\vi-VN
2009-09-28 15:36 . 2009-09-28 15:36 -------- d-----w- c:\windows\system32\EventProviders
2009-09-28 03:22 . 2009-09-28 03:22 -------- d-----w- c:\programdata\Office Genuine Advantage
2009-09-28 02:24 . 2009-06-22 10:09 2048 ----a-w- c:\windows\system32\tzres.dll
2009-09-28 01:54 . 2008-07-27 18:03 41984 ----a-w- c:\windows\system32\netfxperf.dll
2009-09-28 01:51 . 2009-08-14 16:27 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-09-28 01:51 . 2009-08-14 13:48 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-09-28 01:51 . 2009-08-14 13:48 105984 ----a-w- c:\windows\system32\netiohlp.dll
2009-09-28 01:51 . 2009-08-14 13:49 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-09-28 01:51 . 2009-08-14 13:49 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-09-28 01:51 . 2009-08-14 13:49 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-09-28 01:51 . 2009-08-14 13:49 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-09-28 01:51 . 2009-08-14 13:49 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-09-28 01:51 . 2009-08-14 13:49 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-09-28 01:51 . 2009-08-14 13:49 10240 ----a-w- c:\windows\system32\finger.exe
2009-09-28 01:51 . 2009-08-14 15:53 17920 ----a-w- c:\windows\system32\netevent.dll
2009-09-28 01:49 . 2009-07-15 12:39 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-09-28 01:49 . 2009-07-15 12:39 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-09-28 01:49 . 2009-07-15 12:40 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-09-28 01:49 . 2009-06-04 12:07 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-09-28 01:49 . 2009-04-11 06:28 53248 ----a-w- c:\windows\system32\tsgqec.dll
2009-09-28 01:49 . 2009-04-11 06:28 136192 ----a-w- c:\windows\system32\aaclient.dll
2009-09-28 01:49 . 2009-07-17 13:54 71680 ----a-w- c:\windows\system32\atl.dll
2009-09-28 01:49 . 2009-06-10 11:38 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-09-28 01:49 . 2009-06-10 11:42 160256 ----a-w- c:\windows\system32\wkssvc.dll
2009-09-28 01:48 . 2009-04-11 06:28 1696768 ----a-w- c:\windows\system32\gameux.dll
2009-09-28 01:48 . 2009-08-29 00:14 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-09-28 01:48 . 2009-08-29 00:27 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-09-27 20:12 . 2009-09-27 20:12 -------- d-----w- c:\users\Matt Munson\AppData\Roaming\Malwarebytes
2009-09-27 20:12 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-27 20:12 . 2009-09-27 20:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-27 20:12 . 2009-09-27 20:12 -------- d-----w- c:\programdata\Malwarebytes
2009-09-27 20:12 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-27 15:39 . 2009-09-27 15:39 -------- d-----w- C:\337b6016532e636ec66197a2
2009-09-27 15:38 . 2009-09-27 15:39 -------- d-----w- C:\9b2c6f260054f90a96323606
2009-09-25 11:55 . 2009-09-25 11:55 -------- d-----w- c:\users\Matt Munson\AppData\Roaming\Logs
2009-09-09 01:09 . 2009-09-09 01:09 -------- d-----w- c:\program files\Comical
2009-09-08 14:06 . 2009-09-08 14:44 -------- d-----w- c:\users\Matt Munson\AppData\Roaming\ICAClient
2009-09-08 14:03 . 2009-09-25 23:40 -------- d-----w- c:\program files\Citrix
2009-09-08 13:52 . 2009-09-08 13:52 -------- d-----w- c:\program files\Juniper Networks
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-07 17:08 . 2009-08-17 00:04 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-10-07 17:08 . 2009-08-17 00:04 -------- d-----w- c:\program files\AVS4YOU
2009-10-07 17:07 . 2007-11-27 18:59 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-07 17:06 . 2007-11-27 19:05 -------- d-----w- c:\program files\CyberLink
2009-10-07 16:53 . 2007-11-27 19:10 -------- d---a-w- c:\program files\Common Files\LightScribe
2009-10-07 12:47 . 2008-09-12 10:52 -------- d-----w- c:\users\Matt Munson\AppData\Roaming\uTorrent
2009-09-28 21:38 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-09-28 21:38 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-09-28 21:38 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-09-28 21:38 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-09-28 21:38 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2009-09-28 21:38 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-09-28 21:38 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-09-28 00:58 . 2008-08-21 11:51 -------- d-----w- c:\users\Matt Munson\AppData\Roaming\Vso
2009-09-09 00:59 . 2008-09-23 20:02 -------- d-----w- c:\programdata\WebEx
2009-09-08 23:14 . 2009-03-03 03:10 -------- d-----w- c:\programdata\VMware
2009-09-08 13:52 . 2009-08-13 19:22 -------- d-----w- c:\users\Matt Munson\AppData\Roaming\Juniper Networks
2009-08-17 17:24 . 2009-08-17 17:12 -------- d-----w- c:\program files\ACE Mega CoDecS Pack
2009-08-17 17:13 . 2008-08-02 00:30 -------- d-----w- c:\program files\QuickTime
2009-08-17 17:11 . 2008-10-25 10:41 -------- d-----w- c:\program files\DivX
2009-08-17 00:06 . 2009-08-17 00:06 -------- d-----w- c:\users\Matt Munson\AppData\Roaming\AVS4YOU
2009-08-17 00:06 . 2009-08-17 00:06 -------- d-----w- c:\programdata\AVS4YOU
2009-08-13 19:21 . 2009-08-13 19:21 -------- d-----w- c:\users\Matt Munson\AppData\Roaming\WholeSecurity
2009-08-08 20:36 . 2009-08-08 20:36 -------- d-----w- c:\programdata\Steinberg
2009-08-08 20:36 . 2008-08-01 07:13 -------- d-----w- c:\users\Matt Munson\AppData\Roaming\Steinberg
2009-08-08 20:34 . 2009-08-08 20:27 -------- d-----w- c:\program files\Syncrosoft
2009-08-08 20:24 . 2008-08-01 07:04 -------- d-----w- c:\program files\Steinberg
2009-08-03 19:07 . 2009-08-03 19:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 19:07 . 2009-08-03 19:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 19:07 . 2009-08-03 19:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2009-07-21 21:52 . 2009-09-28 02:20 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-09-28 02:20 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-09-28 02:20 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-09-28 02:20 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-15 12:39 . 2009-09-28 01:50 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-11 19:01 . 2009-09-28 01:50 513536 ----a-w- c:\windows\system32\wlansvc.dll
2009-07-11 19:01 . 2009-09-28 01:50 293376 ----a-w- c:\windows\system32\wlanmsm.dll
2009-07-11 19:01 . 2009-09-28 01:50 302592 ----a-w- c:\windows\system32\wlansec.dll
2009-07-11 19:01 . 2009-09-28 01:50 65024 ----a-w- c:\windows\system32\wlanapi.dll
2009-07-11 17:03 . 2009-09-28 01:50 127488 ----a-w- c:\windows\system32\L2SecHC.dll
2008-07-31 22:49 . 2008-07-31 22:49 22 --sha-w- c:\windows\SMINST\HPCD.sys
2007-11-27 18:30 . 2007-11-27 18:25 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.
((((((((((((((((((((((((((((( SnapShot@2009-10-05_21.54.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-27 18:52 . 2009-10-07 13:29 48836 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-10-07 13:29 75508 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-07-31 09:44 . 2009-10-07 17:28 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-07-31 09:44 . 2009-10-05 21:54 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-07-31 09:44 . 2009-10-05 21:54 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-07-31 09:44 . 2009-10-07 17:28 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2006-11-02 10:25 . 2009-09-28 21:42 51200 c:\windows\inf\infpub.dat
+ 2006-11-02 10:25 . 2009-10-07 17:07 51200 c:\windows\inf\infpub.dat
+ 2008-08-02 19:19 . 2009-10-05 22:41 4162 c:\windows\System32\WDI\ERCQueuedResolutions.dat
+ 2008-07-31 09:36 . 2009-10-07 13:29 8712 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2367982984-1444817323-3124917685-1000_UserData.bin
- 2009-10-05 21:49 . 2009-10-05 21:49 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-10-07 13:46 . 2009-10-07 13:46 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-10-05 21:49 . 2009-10-05 21:49 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-10-07 13:46 . 2009-10-07 13:46 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2006-11-02 10:33 . 2009-10-07 13:51 633850 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-10-05 21:40 633850 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2009-10-07 13:51 117038 c:\windows\System32\perfc009.dat
- 2006-11-02 10:33 . 2009-10-05 21:40 117038 c:\windows\System32\perfc009.dat
- 2009-09-28 02:39 . 2009-09-28 22:33 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-09-28 02:39 . 2009-10-07 13:27 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2008-07-31 09:44 . 2009-10-07 17:28 327680 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-07-31 09:44 . 2009-10-05 21:54 327680 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-10-15 01:00 . 2009-10-07 16:55 102400 c:\windows\Installer\{DDDE0BE3-0CBE-4BF6-B75A-E3F69C947843}\iTunesIco.exe
- 2008-10-15 01:00 . 2008-10-15 01:00 102400 c:\windows\Installer\{DDDE0BE3-0CBE-4BF6-B75A-E3F69C947843}\iTunesIco.exe
- 2006-11-02 10:25 . 2009-09-28 21:42 143360 c:\windows\inf\infstrng.dat
+ 2006-11-02 10:25 . 2009-10-07 17:07 143360 c:\windows\inf\infstrng.dat
+ 2006-11-02 10:25 . 2009-10-07 17:07 143360 c:\windows\inf\infstor.dat
- 2006-11-02 10:25 . 2009-09-28 21:42 143360 c:\windows\inf\infstor.dat
+ 2009-10-07 16:55 . 2009-10-07 16:55 3771904 c:\windows\Installer\aa9be1.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-13 178712]
"SunJavaUpdateReg"="c:\windows\system32\jureg.exe" [2007-04-07 54936]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"PivotSoftware"="c:\program files\Portrait Displays\Pivot Software\wpctrl.exe" [2007-02-09 694008]
"DT HPW"="c:\program files\Portrait Displays\HP My Display\DTHtml.exe" [2007-04-25 280064]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-12 623992]
"NexusServer"="c:\program files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe" [2007-03-27 389120]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-08-27 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-08-27 8473120]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-08-27 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-02 289576]
"DMXLauncher"="c:\program files\Roxio\Media Experience\DMXLauncher.exe" [2006-08-14 102400]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-01-15 4874240]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-3 210520]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
MotionSD STUDIO - SD Browser auto start -.lnk - c:\program files\Panasonic\MotionSD STUDIO\SD_Browser\AutoLauncher.exe [2009-2-16 66952]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):7d,40,26,b8,84,40,ca,01
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2367982984-1444817323-3124917685-1000]
"EnableNotificationsRef"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{FB1AB64A-2731-4528-BD01-9CDEFC4B540E}"= c:\program files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{CEC64574-D0EA-4F55-AD99-0A333B0A2448}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{D308FC1C-6AC1-4D39-AB2F-31B4D8AD38C0}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{8EB3973D-7F1D-4B3B-A2FC-53719028B29D}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{B03AB320-29E8-4B5B-903F-169D71C869DA}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{AE0E68C1-3842-4908-B185-591EA83F4343}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{31DD8186-E214-435B-B382-CBBD7EB3AC9D}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{E0FBF8EC-409E-413F-849E-275A92D2AFA5}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{7625F928-2BDA-4C6F-99E7-DDB1375A25C7}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{DEBE9411-6532-469D-A4C0-F139A8911083}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{CA63FBC4-9AF8-4758-814A-7CF4D7B24293}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{5ADAB633-6375-4F88-9B69-8F9B8572581C}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{CC865BB5-4384-4D14-A045-0D85F3DE17B9}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{8F8FAA07-B036-4E98-9746-FE6135BACD57}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{107BEAD5-41B6-4EC7-B761-2AECA61294A6}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{D0A9C181-05FF-475D-8911-74BE456FA06E}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{9BC07D3E-F5BA-41F5-85A4-B6215E603FB3}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"TCP Query User{4C0658F9-6605-4539-BC69-4CE3CF249C51}c:\\program files\\adobe\\adobe flash cs3\\flash.exe"= UDP:c:\program files\adobe\adobe flash cs3\flash.exe:Adobe Flash CS3
"UDP Query User{20042665-9111-447E-B1F6-F78A19DD848A}c:\\program files\\adobe\\adobe flash cs3\\flash.exe"= TCP:c:\program files\adobe\adobe flash cs3\flash.exe:Adobe Flash CS3
"TCP Query User{6E40606E-3925-4178-8C77-55EBD672E17D}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:µTorrent
"UDP Query User{329E8F33-245D-4CF7-BA9D-046EE1962CCC}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:µTorrent
"{E6C209A8-50DD-497C-BC60-D9652F492392}"= UDP:c:\windows\explorer.exe:explorer
"{9EF6F52F-BA4B-4936-B414-E858C3AA5DE6}"= TCP:c:\windows\explorer.exe:explorer
"{FE336DCD-A50E-4939-85EE-C95426509586}"= UDP:c:\program files\Alwil Software\Avast4\ashDisp.exe:ashDisp
"{D35AD1B9-189D-491F-AEBE-61F71C9937F6}"= TCP:c:\program files\Alwil Software\Avast4\ashDisp.exe:ashDisp
"{27D8BC5B-4593-4B96-A4FF-0B9EDCF1DBA6}"= UDP:c:\program files\Alwil Software\Avast4\ashDisp.exe:ashDisp
"{CAAE318B-3D6D-4680-8855-D0821E9848BE}"= TCP:c:\program files\Alwil Software\Avast4\ashDisp.exe:ashDisp
"{3A210E33-45EE-4690-86CD-66CA3FE9DFB4}"= UDP:c:\windows\System32\wininit.exe:wininit
"{942F891F-65AD-4B05-9124-303F834756EC}"= TCP:c:\windows\System32\wininit.exe:wininit
"{75BC712E-A22A-4ECF-A4C1-631C94614ADE}"= UDP:c:\windows\System32\wininit.exe:wininit
"{0B5EBA88-31B6-4EB8-9EE5-AF22202FBF32}"= TCP:c:\windows\System32\wininit.exe:wininit
"{FD9A974C-D7A8-416A-9F11-8EE1BA216F64}"= UDP:c:\windows\System32\winlogon.exe:winlogon
"{06AB9CF2-2DF4-4EF9-A346-8B296DDEE738}"= TCP:c:\windows\System32\winlogon.exe:winlogon
"{F3ADBBD2-65AE-49B4-B9B8-0A41F473CF96}"= UDP:c:\windows\System32\winlogon.exe:winlogon
"{515B2C5D-8241-442C-A902-C21B8A14CD9A}"= TCP:c:\windows\System32\winlogon.exe:winlogon
"{A41FB50E-F69B-4C4F-92FD-F85BCD2FFBA5}"= UDP:c:\windows\System32\winlogon.exe:winlogon
"{B17F811A-B470-48D1-B865-EC6C53A7947E}"= TCP:c:\windows\System32\winlogon.exe:winlogon
"{A2B907C7-D647-4EBD-A57D-3C5C15CBDE24}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{D28DF65B-3936-4C88-A1C9-7B77D1023390}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink
R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [10/1/2009 4:46 AM 64160]
R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [9/12/2008 6:31 AM 78416]
R1 NEOFLTR_630_13971;Juniper Networks TDI Filter Driver (NEOFLTR_630_13971);c:\windows\System32\drivers\NEOFLTR_630_13971.sys [2/18/2009 5:58 AM 64480]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [9/12/2008 6:31 AM 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [9/12/2008 6:31 AM 51280]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 10:49 AM 1028432]
R3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\System32\drivers\HCW85BDA.sys [11/27/2007 3:01 PM 1129344]
R3 VST_DPV;VST_DPV;c:\windows\System32\drivers\VSTDPV3.SYS [9/19/2008 7:33 PM 987648]
R3 VSTHWBS2;VSTHWBS2;c:\windows\System32\drivers\VSTBS23.SYS [9/19/2008 7:33 PM 251904]
S3 HauppaugeTVServer;HauppaugeTVServer;c:\progra~1\WinTV\HCWTVS~1.EXE [8/6/2008 3:51 AM 815104]
S3 SynasUSB;SynasUSB;c:\windows\System32\drivers\synasUSB.sys [8/8/2009 4:27 PM 23288]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\System32\drivers\wdcsam.sys [4/16/2008 12:27 PM 11520]
--- Other Services/Drivers In Memory ---
*Deregistered* - XAudio
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-10-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 08:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://mail.yahoo.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
DPF: {26B2A5DA-BFD6-422F-A89A-28A54C74B12B} - hxxp://www.costcophotocenter.com/upload/activex/v3_0_0_4/PhotoCenter_ActiveX_Control.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://webvpn.jpmorganchase.com/dana-cached/sc/JuniperSetupClient.cab
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-LightScribe Control Panel - c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-07 13:33
Windows 6.0.6002 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-2367982984-1444817323-3124917685-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:50,19,e2,a4,be,ef,3b,d0,e9,4c,ed,5c,9e,7e,77,98,0d,12,34,6d,7a,a0,a0,
94,e3,65,55,63,ad,e1,78,d7,3c,ec,14,c8,a9,cd,48,35,69,39,e7,c6,b8,9e,95,b1,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:e8,c6,93,54,48,fc,f0,1a,94,21,c9,6c,00,43,bf,78,24,3d,b0,97,59,
cf,88,84,dc,cb,1d,1b,2c,df,99,25,09,32,6b,fe,cb,dc,99,59,cd,25,15,40,95,3f,\
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:e8,c6,93,54,48,fc,f0,1a,94,21,c9,6c,00,43,bf,78,24,3d,b0,97,59,
cf,88,84,dc,cb,1d,1b,2c,df,99,25,09,32,6b,fe,cb,dc,99,59,cd,25,15,40,95,3f,\
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\Default_Monitor\5&17752677&0&UID256\Properties\{83da6326-97a6-4088-9453-a1923f573b29}]
@DACL=(02 0000)
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\Default_Monitor\5&17752677&0&UID256\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}]
@DACL=(02 0000)
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26CF\5&17752677&0&UID273\Device Parameters\MODES]
@DACL=(02 0000)
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26CF\5&17752677&0&UID273\Properties\{83da6326-97a6-4088-9453-a1923f573b29}]
@DACL=(02 0000)
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26CF\5&17752677&0&UID273\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}]
@DACL=(02 0000)
.
Completion time: 2009-10-07 13:35
ComboFix-quarantined-files.txt 2009-10-07 17:35
ComboFix2.txt 2009-10-07 16:32
ComboFix3.txt 2009-10-05 21:57
Pre-Run: 179,572,355,072 bytes free
Post-Run: 179,539,976,192 bytes free
339 --- E O F --- 2009-10-05 21:05
2009-09-28 01:54 . 2008-07-27 18:03 41984 ----a-w- c:\windows\system32\netfxperf.dll
2009-09-28 01:51 . 2009-08-14 16:27 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-09-28 01:51 . 2009-08-14 13:48 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-09-28 01:51 . 2009-08-14 13:48 105984 ----a-w- c:\windows\system32\netiohlp.dll
2009-09-28 01:51 . 2009-08-14 13:49 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-09-28 01:51 . 2009-08-14 13:49 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-09-28 01:51 . 2009-08-14 13:49 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-09-28 01:51 . 2009-08-14 13:49 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-09-28 01:51 . 2009-08-14 13:49 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-09-28 01:51 . 2009-08-14 13:49 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-09-28 01:51 . 2009-08-14 13:49 10240 ----a-w- c:\windows\system32\finger.exe
2009-09-28 01:51 . 2009-08-14 15:53 17920 ----a-w- c:\windows\system32\netevent.dll
2009-09-28 01:49 . 2009-07-15 12:39 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-09-28 01:49 . 2009-07-15 12:39 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-09-28 01:49 . 2009-07-15 12:40 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-09-28 01:49 . 2009-06-04 12:07 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-09-28 01:49 . 2009-04-11 06:28 53248 ----a-w- c:\windows\system32\tsgqec.dll
2009-09-28 01:49 . 2009-04-11 06:28 136192 ----a-w- c:\windows\system32\aaclient.dll
2009-09-28 01:49 . 2009-07-17 13:54 71680 ----a-w- c:\windows\system32\atl.dll
2009-09-28 01:49 . 2009-06-10 11:38 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-09-28 01:49 . 2009-06-10 11:42 160256 ----a-w- c:\windows\system32\wkssvc.dll
2009-09-28 01:48 . 2009-04-11 06:28 1696768 ----a-w- c:\windows\system32\gameux.dll
2009-09-28 01:48 . 2009-08-29 00:14 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-09-28 01:48 . 2009-08-29 00:27 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-09-27 20:12 . 2009-09-27 20:12 -------- d-----w- c:\users\Matt Munson\AppData\Roaming\Malwarebytes
2009-09-27 20:12 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-27 20:12 . 2009-09-27 20:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-27 20:12 . 2009-09-27 20:12 -------- d-----w- c:\programdata\Malwarebytes
2009-09-27 20:12 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-27 15:39 . 2009-09-27 15:39 -------- d-----w- C:\337b6016532e636ec66197a2
2009-09-27 15:38 . 2009-09-27 15:39 -------- d-----w- C:\9b2c6f260054f90a96323606
2009-09-25 11:55 . 2009-09-25 11:55 -------- d-----w- c:\users\Matt Munson\AppData\Roaming\Logs
2009-09-09 01:09 . 2009-09-09 01:09 -------- d-----w- c:\program files\Comical
2009-09-08 14:06 . 2009-09-08 14:44 -------- d-----w- c:\users\Matt Munson\AppData\Roaming\ICAClient
2009-09-08 14:03 . 2009-09-25 23:40 -------- d-----w- c:\program files\Citrix
2009-09-08 13:52 . 2009-09-08 13:52 -------- d-----w- c:\program files\Juniper Networks
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-07 17:08 . 2009-08-17 00:04 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-10-07 17:08 . 2009-08-17 00:04 -------- d-----w- c:\program files\AVS4YOU
2009-10-07 17:07 . 2007-11-27 18:59 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-07 17:06 . 2007-11-27 19:05 -------- d-----w- c:\program files\CyberLink
2009-10-07 16:53 . 2007-11-27 19:10 -------- d---a-w- c:\program files\Common Files\LightScribe
2009-10-07 12:47 . 2008-09-12 10:52 -------- d-----w- c:\users\Matt Munson\AppData\Roaming\uTorrent
2009-09-28 21:38 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-09-28 21:38 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-09-28 21:38 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-09-28 21:38 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-09-28 21:38 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2009-09-28 21:38 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-09-28 21:38 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-09-28 00:58 . 2008-08-21 11:51 -------- d-----w- c:\users\Matt Munson\AppData\Roaming\Vso
2009-09-09 00:59 . 2008-09-23 20:02 -------- d-----w- c:\programdata\WebEx
2009-09-08 23:14 . 2009-03-03 03:10 -------- d-----w- c:\programdata\VMware
2009-09-08 13:52 . 2009-08-13 19:22 -------- d-----w- c:\users\Matt Munson\AppData\Roaming\Juniper Networks
2009-08-17 17:24 . 2009-08-17 17:12 -------- d-----w- c:\program files\ACE Mega CoDecS Pack
2009-08-17 17:13 . 2008-08-02 00:30 -------- d-----w- c:\program files\QuickTime
2009-08-17 17:11 . 2008-10-25 10:41 -------- d-----w- c:\program files\DivX
2009-08-17 00:06 . 2009-08-17 00:06 -------- d-----w- c:\users\Matt Munson\AppData\Roaming\AVS4YOU
2009-08-17 00:06 . 2009-08-17 00:06 -------- d-----w- c:\programdata\AVS4YOU
2009-08-13 19:21 . 2009-08-13 19:21 -------- d-----w- c:\users\Matt Munson\AppData\Roaming\WholeSecurity
2009-08-08 20:36 . 2009-08-08 20:36 -------- d-----w- c:\programdata\Steinberg
2009-08-08 20:36 . 2008-08-01 07:13 -------- d-----w- c:\users\Matt Munson\AppData\Roaming\Steinberg
2009-08-08 20:34 . 2009-08-08 20:27 -------- d-----w- c:\program files\Syncrosoft
2009-08-08 20:24 . 2008-08-01 07:04 -------- d-----w- c:\program files\Steinberg
2009-08-03 19:07 . 2009-08-03 19:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 19:07 . 2009-08-03 19:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 19:07 . 2009-08-03 19:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2009-07-21 21:52 . 2009-09-28 02:20 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-09-28 02:20 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-09-28 02:20 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-09-28 02:20 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-15 12:39 . 2009-09-28 01:50 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-11 19:01 . 2009-09-28 01:50 513536 ----a-w- c:\windows\system32\wlansvc.dll
2009-07-11 19:01 . 2009-09-28 01:50 293376 ----a-w- c:\windows\system32\wlanmsm.dll
2009-07-11 19:01 . 2009-09-28 01:50 302592 ----a-w- c:\windows\system32\wlansec.dll
2009-07-11 19:01 . 2009-09-28 01:50 65024 ----a-w- c:\windows\system32\wlanapi.dll
2009-07-11 17:03 . 2009-09-28 01:50 127488 ----a-w- c:\windows\system32\L2SecHC.dll
2008-07-31 22:49 . 2008-07-31 22:49 22 --sha-w- c:\windows\SMINST\HPCD.sys
2007-11-27 18:30 . 2007-11-27 18:25 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.
((((((((((((((((((((((((((((( SnapShot@2009-10-05_21.54.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-27 18:52 . 2009-10-07 13:29 48836 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-10-07 13:29 75508 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-07-31 09:44 . 2009-10-07 17:28 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-07-31 09:44 . 2009-10-05 21:54 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-07-31 09:44 . 2009-10-05 21:54 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-07-31 09:44 . 2009-10-07 17:28 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2006-11-02 10:25 . 2009-09-28 21:42 51200 c:\windows\inf\infpub.dat
+ 2006-11-02 10:25 . 2009-10-07 17:07 51200 c:\windows\inf\infpub.dat
+ 2008-08-02 19:19 . 2009-10-05 22:41 4162 c:\windows\System32\WDI\ERCQueuedResolutions.dat
+ 2008-07-31 09:36 . 2009-10-07 13:29 8712 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2367982984-1444817323-3124917685-1000_UserData.bin
- 2009-10-05 21:49 . 2009-10-05 21:49 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-10-07 13:46 . 2009-10-07 13:46 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-10-05 21:49 . 2009-10-05 21:49 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-10-07 13:46 . 2009-10-07 13:46 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2006-11-02 10:33 . 2009-10-07 13:51 633850 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-10-05 21:40 633850 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2009-10-07 13:51 117038 c:\windows\System32\perfc009.dat
- 2006-11-02 10:33 . 2009-10-05 21:40 117038 c:\windows\System32\perfc009.dat
- 2009-09-28 02:39 . 2009-09-28 22:33 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-09-28 02:39 . 2009-10-07 13:27 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2008-07-31 09:44 . 2009-10-07 17:28 327680 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-07-31 09:44 . 2009-10-05 21:54 327680 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-10-15 01:00 . 2009-10-07 16:55 102400 c:\windows\Installer\{DDDE0BE3-0CBE-4BF6-B75A-E3F69C947843}\iTunesIco.exe
- 2008-10-15 01:00 . 2008-10-15 01:00 102400 c:\windows\Installer\{DDDE0BE3-0CBE-4BF6-B75A-E3F69C947843}\iTunesIco.exe
- 2006-11-02 10:25 . 2009-09-28 21:42 143360 c:\windows\inf\infstrng.dat
+ 2006-11-02 10:25 . 2009-10-07 17:07 143360 c:\windows\inf\infstrng.dat
+ 2006-11-02 10:25 . 2009-10-07 17:07 143360 c:\windows\inf\infstor.dat
- 2006-11-02 10:25 . 2009-09-28 21:42 143360 c:\windows\inf\infstor.dat
+ 2009-10-07 16:55 . 2009-10-07 16:55 3771904 c:\windows\Installer\aa9be1.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-13 178712]
"SunJavaUpdateReg"="c:\windows\system32\jureg.exe" [2007-04-07 54936]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"PivotSoftware"="c:\program files\Portrait Displays\Pivot Software\wpctrl.exe" [2007-02-09 694008]
"DT HPW"="c:\program files\Portrait Displays\HP My Display\DTHtml.exe" [2007-04-25 280064]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-12 623992]
"NexusServer"="c:\program files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe" [2007-03-27 389120]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-08-27 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-08-27 8473120]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-08-27 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-02 289576]
"DMXLauncher"="c:\program files\Roxio\Media Experience\DMXLauncher.exe" [2006-08-14 102400]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-01-15 4874240]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-3 210520]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
MotionSD STUDIO - SD Browser auto start -.lnk - c:\program files\Panasonic\MotionSD STUDIO\SD_Browser\AutoLauncher.exe [2009-2-16 66952]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2367982984-1444817323-3124917685-1000]
"EnableNotificationsRef"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{FB1AB64A-2731-4528-BD01-9CDEFC4B540E}"= c:\program files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{CEC64574-D0EA-4F55-AD99-0A333B0A2448}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{D308FC1C-6AC1-4D39-AB2F-31B4D8AD38C0}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{8EB3973D-7F1D-4B3B-A2FC-53719028B29D}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{B03AB320-29E8-4B5B-903F-169D71C869DA}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{AE0E68C1-3842-4908-B185-591EA83F4343}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{31DD8186-E214-435B-B382-CBBD7EB3AC9D}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{E0FBF8EC-409E-413F-849E-275A92D2AFA5}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{7625F928-2BDA-4C6F-99E7-DDB1375A25C7}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{DEBE9411-6532-469D-A4C0-F139A8911083}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{CA63FBC4-9AF8-4758-814A-7CF4D7B24293}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{5ADAB633-6375-4F88-9B69-8F9B8572581C}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{CC865BB5-4384-4D14-A045-0D85F3DE17B9}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{8F8FAA07-B036-4E98-9746-FE6135BACD57}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{107BEAD5-41B6-4EC7-B761-2AECA61294A6}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{D0A9C181-05FF-475D-8911-74BE456FA06E}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{9BC07D3E-F5BA-41F5-85A4-B6215E603FB3}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"TCP Query User{4C0658F9-6605-4539-BC69-4CE3CF249C51}c:\\program files\\adobe\\adobe flash cs3\\flash.exe"= UDP:c:\program files\adobe\adobe flash cs3\flash.exe:Adobe Flash CS3
"UDP Query User{20042665-9111-447E-B1F6-F78A19DD848A}c:\\program files\\adobe\\adobe flash cs3\\flash.exe"= TCP:c:\program files\adobe\adobe flash cs3\flash.exe:Adobe Flash CS3
"TCP Query User{6E40606E-3925-4178-8C77-55EBD672E17D}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:µTorrent
"UDP Query User{329E8F33-245D-4CF7-BA9D-046EE1962CCC}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:µTorrent
"{E6C209A8-50DD-497C-BC60-D9652F492392}"= UDP:c:\windows\explorer.exe:explorer
"{9EF6F52F-BA4B-4936-B414-E858C3AA5DE6}"= TCP:c:\windows\explorer.exe:explorer
"{FE336DCD-A50E-4939-85EE-C95426509586}"= UDP:c:\program files\Alwil Software\Avast4\ashDisp.exe:ashDisp
"{D35AD1B9-189D-491F-AEBE-61F71C9937F6}"= TCP:c:\program files\Alwil Software\Avast4\ashDisp.exe:ashDisp
"{27D8BC5B-4593-4B96-A4FF-0B9EDCF1DBA6}"= UDP:c:\program files\Alwil Software\Avast4\ashDisp.exe:ashDisp
"{CAAE318B-3D6D-4680-8855-D0821E9848BE}"= TCP:c:\program files\Alwil Software\Avast4\ashDisp.exe:ashDisp
"{3A210E33-45EE-4690-86CD-66CA3FE9DFB4}"= UDP:c:\windows\System32\wininit.exe:wininit
"{942F891F-65AD-4B05-9124-303F834756EC}"= TCP:c:\windows\System32\wininit.exe:wininit
"{75BC712E-A22A-4ECF-A4C1-631C94614ADE}"= UDP:c:\windows\System32\wininit.exe:wininit
"{0B5EBA88-31B6-4EB8-9EE5-AF22202FBF32}"= TCP:c:\windows\System32\wininit.exe:wininit
"{FD9A974C-D7A8-416A-9F11-8EE1BA216F64}"= UDP:c:\windows\System32\winlogon.exe:winlogon
"{06AB9CF2-2DF4-4EF9-A346-8B296DDEE738}"= TCP:c:\windows\System32\winlogon.exe:winlogon
"{F3ADBBD2-65AE-49B4-B9B8-0A41F473CF96}"= UDP:c:\windows\System32\winlogon.exe:winlogon
"{515B2C5D-8241-442C-A902-C21B8A14CD9A}"= TCP:c:\windows\System32\winlogon.exe:winlogon
"{A41FB50E-F69B-4C4F-92FD-F85BCD2FFBA5}"= UDP:c:\windows\System32\winlogon.exe:winlogon
"{B17F811A-B470-48D1-B865-EC6C53A7947E}"= TCP:c:\windows\System32\winlogon.exe:winlogon
"{A2B907C7-D647-4EBD-A57D-3C5C15CBDE24}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{D28DF65B-3936-4C88-A1C9-7B77D1023390}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink
R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [10/1/2009 4:46 AM 64160]
R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [9/12/2008 6:31 AM 78416]
R1 NEOFLTR_630_13971;Juniper Networks TDI Filter Driver (NEOFLTR_630_13971);c:\windows\System32\drivers\NEOFLTR_630_13971.sys [2/18/2009 5:58 AM 64480]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [9/12/2008 6:31 AM 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [9/12/2008 6:31 AM 51280]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 10:49 AM 1028432]
R3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\System32\drivers\HCW85BDA.sys [11/27/2007 3:01 PM 1129344]
R3 VST_DPV;VST_DPV;c:\windows\System32\drivers\VSTDPV3.SYS [9/19/2008 7:33 PM 987648]
R3 VSTHWBS2;VSTHWBS2;c:\windows\System32\drivers\VSTBS23.SYS [9/19/2008 7:33 PM 251904]
S3 HauppaugeTVServer;HauppaugeTVServer;c:\progra~1\WinTV\HCWTVS~1.EXE [8/6/2008 3:51 AM 815104]
S3 SynasUSB;SynasUSB;c:\windows\System32\drivers\synasUSB.sys [8/8/2009 4:27 PM 23288]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\System32\drivers\wdcsam.sys [4/16/2008 12:27 PM 11520]
--- Other Services/Drivers In Memory ---
*Deregistered* - XAudio
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-10-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 08:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://mail.yahoo.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
DPF: {26B2A5DA-BFD6-422F-A89A-28A54C74B12B} - hxxp://www.costcophotocenter.com/upload/activex/v3_0_0_4/PhotoCenter_ActiveX_Control.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://webvpn.jpmorganchase.com/dana-cached/sc/JuniperSetupClient.cab
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-LightScribe Control Panel - c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-07 13:33
Windows 6.0.6002 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-2367982984-1444817323-3124917685-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:50,19,e2,a4,be,ef,3b,d0,e9,4c,ed,5c,9e,7e,77,98,0d,12,34,6d,7a,a0,a0,
94,e3,65,55,63,ad,e1,78,d7,3c,ec,14,c8,a9,cd,48,35,69,39,e7,c6,b8,9e,95,b1,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:e8,c6,93,54,48,fc,f0,1a,94,21,c9,6c,00,43,bf,78,24,3d,b0,97,59,
cf,88,84,dc,cb,1d,1b,2c,df,99,25,09,32,6b,fe,cb,dc,99,59,cd,25,15,40,95,3f,\
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:e8,c6,93,54,48,fc,f0,1a,94,21,c9,6c,00,43,bf,78,24,3d,b0,97,59,
cf,88,84,dc,cb,1d,1b,2c,df,99,25,09,32,6b,fe,cb,dc,99,59,cd,25,15,40,95,3f,\
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\Default_Monitor\5&17752677&0&UID256\Properties\{83da6326-97a6-4088-9453-a1923f573b29}]
@DACL=(02 0000)
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\Default_Monitor\5&17752677&0&UID256\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}]
@DACL=(02 0000)
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26CF\5&17752677&0&UID273\Device Parameters\MODES]
@DACL=(02 0000)
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26CF\5&17752677&0&UID273\Properties\{83da6326-97a6-4088-9453-a1923f573b29}]
@DACL=(02 0000)
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26CF\5&17752677&0&UID273\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}]
@DACL=(02 0000)
.
Completion time: 2009-10-07 13:35
ComboFix-quarantined-files.txt 2009-10-07 17:35
ComboFix2.txt 2009-10-07 16:32
ComboFix3.txt 2009-10-05 21:57
Pre-Run: 179,572,355,072 bytes free
Post-Run: 179,539,976,192 bytes free
339 --- E O F --- 2009-10-05 21:05