36 replies to this topic

[jgabble]

Hello,

My 2nd laptop seems to be in the infancy stages of being infected by a trojan and/or virus.

What I can do (still):
- boot in Windows XP
- desktop appears, but with no icons or "Start" taskbar in bottom left-hand corner of the screen
- activate and view Task Manager by pressing Ctrl-Alt-Delete
- visible cursor and able to move it

What I am unable to do:
- get into My Computer or Control Panel (to attempt to get into System Restore)
- run any Spyware, ComboFix, or Anti-Malware Malware Bytes

Here is the visual of the Task Manager (I am hoping that anyone might notice which .exe files are ACTUALLY viral files [imposters]):

40-41 processes

svchost.exe SYSTEM
svchost.exe SYSTEM
svchost.exe SYSTEM
svchost.exe SYSTEM
wdfmgr.exe LOCAL SERVICE
symlcsvc.exe SYSTEM
spoolsv.exe SYSTEM
brss01a.exe SYSTEM
brsvc01a.exe SYSTEM
SMAgent.exe SYSTEM
SNDSrvc.exe SYSTEM
svchost.exe LOCAL SERVICE
svchost.exe NETWORK SERVICE
svchost.exe SYSTEM
navapsvc.exe SYSTEM
svchost.exe NETWORK SERVICE
SPBBCS.exe SYSTEM
svchost.exe SYSTEM
svchost.exe SYSTEM
lsass.exe SYSTEM
services.exe SYSTEM
winlogon.exe SYSTEM
csrss.exe SYSTEM
ISSVC.exe SYSTEM
smss.exe SYSTEM
ccSetMgr.exe SYSTEM
YahooAUService SYSTEM
ccProxy.exe SYSTEM
CDANTSRV.exe SYSTEM
winzip32.exe Jeff D.
ccEvtMgr.exe SYSTEM
acsd.exe SYSTEM
bcmwltry.exe SYSTEM
svchost.exe LOCAL SERVICE
wltrysvc.exe SYSTEM
wanmpsvc.exe SYSTEM
System.exe SYSTEM
System Idle Process.exe SYSTEM
taskmgr.exe Jeff D.
alg.exe LOCAL SERVICE
ctfmon.exe Jeff D.


Any guidance on how exactly to proceed (step-by-step) from here to regain the desktop and attempt to run anti-spyware to get rid of this trojan/virus would be very much appreciated.

Thanks in advance,

Jeff D.

[AdvancedSetup]

Update and Scan with Malwarebytes' Anti-Malware

• Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  
• Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
  
  • Update Malwarebytes' Anti-Malware
    
  • Select the Update tab
    
  • Click Update
• When the update is complete, select the Scanner tab
  
• Select Perform quick scan, then click Scan.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Be sure that everything is checked, and click Remove Selected.
  
• When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidently close it, the log file is saved here and will be named like this:
    
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log and a new Hijackthis log.


[indent]Download DDS and save it to your desktop
http://download.bleepingcomputer.com/sUBs/dds.scr

Disable any script blocker if your Anti-Virus/Anti-Malware has it.
Once downloaded you can disconnect from the Internet and disable your Ant-Virus temporarily if needed.
Then double click dds.scr to run the tool.
When done, the DDS.txt will open.
Click Yes at the next prompt for Optional Scan.

When done, DDS will open two (2) logs:

• DDS.txt
  
• Attach.txt

• Save both reports to your desktop
  
• Please include the following logs in your next reply: DDS.txt and Attach.txt

[/indent]

[AdvancedSetup]

Please post an update on this. Thanks.

[AdvancedSetup]

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.

[AdvancedSetup]

Post reopened at user request.

[jgabble]

AdvancedSetup, on Oct 29 2009, 08:40 AM, said:

Post reopened at user request.

Ron,

Here are the logs you requested:

MBAM (quick scan)

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 2

10/27/2009 10:35:09 PM
mbam-log-2009-10-27 (22-35-09).txt

Scan type: Quick Scan
Objects scanned: 113457
Time elapsed: 7 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 29
Registry Values Infected: 4
Registry Data Items Infected: 1
Folders Infected: 8
Files Infected: 44

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\clientax.clientinstaller (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\clientax.clientinstaller.1 (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\clientax.requiredcomponent (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\clientax.requiredcomponent.1 (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\clientax.zangoclientax (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\clientax.zangoclientax.1 (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\lmgr180.wmdrmax (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\lmgr180.wmdrmax.1 (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mysearchtoolbar.settingsplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{014da6c1-189f-421a-88cd-07cfe51cff10} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{014da6c1-189f-421a-88cd-07cfe51cff10} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{014da6cb-189f-421a-88cd-07cfe51cff10} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{fac94900-96d9-47fa-ba33-7ef1bbfbbcec} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mysearchtoolbar.settingsplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{014da6ca-189f-421a-88cd-07cfe51cff10} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{014da6cc-189f-421a-88cd-07cfe51cff10} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2b0eceac-f597-4858-a542-d966b49055b9} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6c092742-10fe-4db2-988d-fc71948de70c} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7fa8976f-d00c-4e98-8729-a66569233fb5} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a16650a9-b065-40ec-bbd1-f8d370d17fb1} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{bdddf1a5-51a9-4f51-b38d-4cd0ad831b31} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ddea2e1d-8555-45e5-af09-ec9aa4ea27ad} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e43dfaa6-8c16-4519-b022-8792408505a4} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f1f1e775-1b21-454d-8d38-7c16519969e5} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0ac49246-419b-4ee0-8917-8818daad6a4e} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f31a5d11-bf0b-4a4e-90af-274f2090aaa6} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{5b6689b5-c2d4-4dc7-bfd1-24ac17e5fcda} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\My Search Uninstall (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MySearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{02ffac45-0b10-5633-4296-1801f1a36678} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{f710fa10-2031-3106-8872-93a2b5c5c620} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\91797033 (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rimawehodu (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: urnt32.dll -> Delete on reboot.

Folders Infected:
C:\Program Files\LoveFreeGames (Adware.BetterInternet) -> Quarantined and deleted successfully.
C:\Program Files\LoveFreeGames\Tennis (Adware.BetterInternet) -> Quarantined and deleted successfully.
C:\Program Files\MySearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\Cache (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\History (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\urnt32.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\LoveFreeGames\web.ico (Adware.BetterInternet) -> Quarantined and deleted successfully.
C:\Program Files\LoveFreeGames\Tennis\8.DCR (Adware.BetterInternet) -> Quarantined and deleted successfully.
C:\Program Files\LoveFreeGames\Tennis\license.txt (Adware.BetterInternet) -> Quarantined and deleted successfully.
C:\Program Files\LoveFreeGames\Tennis\spacer.gif (Adware.BetterInternet) -> Quarantined and deleted successfully.
C:\Program Files\LoveFreeGames\Tennis\Tennis.html (Adware.BetterInternet) -> Quarantined and deleted successfully.
C:\Program Files\LoveFreeGames\Tennis\Tennis.ico (Adware.BetterInternet) -> Quarantined and deleted successfully.
C:\Program Files\LoveFreeGames\Tennis\uninstall.exe (Adware.BetterInternet) -> Quarantined and deleted successfully.
C:\Program Files\LoveFreeGames\Tennis\uninstall.ico (Adware.BetterInternet) -> Quarantined and deleted successfully.
C:\Program Files\LoveFreeGames\Tennis\wrapper_01.jpg (Adware.BetterInternet) -> Quarantined and deleted successfully.
C:\Program Files\LoveFreeGames\Tennis\wrapper_02.jpg (Adware.BetterInternet) -> Quarantined and deleted successfully.
C:\Program Files\LoveFreeGames\Tennis\wrapper_03.jpg (Adware.BetterInternet) -> Quarantined and deleted successfully.
C:\Program Files\LoveFreeGames\Tennis\wrapper_04.jpg (Adware.BetterInternet) -> Quarantined and deleted successfully.
C:\Program Files\LoveFreeGames\Tennis\wrapper_05.jpg (Adware.BetterInternet) -> Quarantined and deleted successfully.
C:\Program Files\LoveFreeGames\Tennis\wrapper_06.jpg (Adware.BetterInternet) -> Quarantined and deleted successfully.
C:\Program Files\LoveFreeGames\Tennis\wrapper_07.jpg (Adware.BetterInternet) -> Quarantined and deleted successfully.
C:\Program Files\LoveFreeGames\Tennis\wrapper_08.jpg (Adware.BetterInternet) -> Quarantined and deleted successfully.
C:\Program Files\LoveFreeGames\Tennis\wrapper_09.jpg (Adware.BetterInternet) -> Quarantined and deleted successfully.
C:\Program Files\LoveFreeGames\Tennis\wrapper_10.jpg (Adware.BetterInternet) -> Quarantined and deleted successfully.
C:\Program Files\LoveFreeGames\Tennis\wrapper_11.jpg (Adware.BetterInternet) -> Quarantined and deleted successfully.
C:\Program Files\LoveFreeGames\Tennis\wrapper_12.jpg (Adware.BetterInternet) -> Quarantined and deleted successfully.
C:\Program Files\LoveFreeGames\Tennis\wrapper_13.jpg (Adware.BetterInternet) -> Quarantined and deleted successfully.
C:\Program Files\LoveFreeGames\Tennis\wrapper_14.jpg (Adware.BetterInternet) -> Quarantined and deleted successfully.
C:\Program Files\LoveFreeGames\Tennis\wrapper_15.jpg (Adware.BetterInternet) -> Quarantined and deleted successfully.
C:\Program Files\LoveFreeGames\Tennis\wrapper_16.jpg (Adware.BetterInternet) -> Quarantined and deleted successfully.
C:\Program Files\LoveFreeGames\Tennis\wrapper_17.jpg (Adware.BetterInternet) -> Quarantined and deleted successfully.
C:\Program Files\LoveFreeGames\Tennis\wrapper_18.jpg (Adware.BetterInternet) -> Quarantined and deleted successfully.
C:\Program Files\LoveFreeGames\Tennis\wrapper_19.jpg (Adware.BetterInternet) -> Quarantined and deleted successfully.
C:\Program Files\LoveFreeGames\Tennis\wrapper_20.jpg (Adware.BetterInternet) -> Quarantined and deleted successfully.
C:\Program Files\LoveFreeGames\Tennis\wrapper_21.jpg (Adware.BetterInternet) -> Quarantined and deleted successfully.
C:\Program Files\LoveFreeGames\Tennis\wrapper_22.jpg (Adware.BetterInternet) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\1.bin\NPMYSRCH.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\1.bin\S4FFXTBR.JAR (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\1.bin\S4FFXTBR.MANIFEST (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\1.bin\S4NTSTBR.JAR (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\1.bin\S4PLUGIN.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\Cache\006EB072 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\Cache\006F093F.bmp (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\Cache\006F354B.bmp (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\Cache\files.ini (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\History\search (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\Settings\prevcfg.htm (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\WINDOWS\win32k.sys (Trojan.Dropper) -> Quarantined and deleted successfully.


The DDS.txt:

DDS (Ver_09-10-26.01) - NTFSx86
Run by Jeff Dick at 22:42:45.56 on Tue 10/27/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.495.220 [GMT -4:00]

AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Jeff Dick\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: {7cc62ac7-3c0b-442d-9849-326be3c36fc6} - vodarowo.dll
BHO: c:\windows\system32\dbryk.dll: {a2234b15-23f2-42ad-f4e4-00aac39c0004} - c:\windows\system32\dbryk.dll
TB: Norton Internet Security: {0b53eac3-8d69-4b9e-9b19-a37c9a5676a7} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [00THotkey] c:\windows\system32\00THotkey.exe
mRun: [000StTHK] 000StTHK.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [PmProxy] c:\program files\analog devices\soundmax\PmProxy.exe
mRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [TFNF5] TFNF5.exe
mRun: [Tpwrtray] TPWRTRAY.EXE
mRun: [TouchED] c:\program files\toshiba\touched\TouchED.Exe
mRun: [NDSTray.exe] "c:\program files\toshiba\configfree\NDSTray.exe"
mRun: [ezShieldProtector for Px] c:\windows\system32\ezSP_Px.exe
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.5.0_08\bin\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HostManager] c:\program files\common files\aol\1241910677\ee\AOLSoftware.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {0264505A-6793-44E0-AC75-9DCE3B13185C} - c:\program files\at&t\wnclient\programs\AnyWho.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_08\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {A2E05F45-F127-4092-B9F7-9A02C3E04C77} - hxxp://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin7USA.cab
DPF: {B49C4597-8721-4789-9250-315DFBD9F525} - hxxp://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} - hxxp://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} - hxxp://aolsvc.aol.com/onlinegames/oberonmajongescape/PTGameLauncher.cab
Notify: igfxcui - igfxsrvc.dll
STS: c:\windows\system32\dbryk.dll: {a2234b15-23f2-42ad-f4e4-00aac39c0004} - c:\windows\system32\dbryk.dll
LSA: Notification Packages = scecli urnt32.dll

============= SERVICES / DRIVERS ===============

R? CBEN5;Xircom CardBus Ethernet 10/100 Adapter family Driver
R? mrtRate;mrtRate
R? Wdm1;USB Bridge Cable Driver
S? wlags48b;Wireless LAN PCCard Driver
S? YahooAUService;Yahoo! Updater

=============== Created Last 30 ================

2009-10-28 02:10:04 0 d-----w- C:\GenericFix
2009-10-28 01:59:24 0 d-----w- c:\windows\pss
2009-10-28 01:53:44 60416 ----a-w- c:\windows\system32\drivers\Combo-Fix.sys
2009-10-28 01:38:03 0 d-s---w- C:\Combo-Fix-09A
2009-10-28 01:04:20 98816 ----a-w- c:\windows\sed.exe
2009-10-28 01:04:20 77312 ----a-w- c:\windows\MBR.exe
2009-10-28 01:04:20 236544 ----a-w- c:\windows\PEV.exe
2009-10-28 01:04:20 161792 ----a-w- c:\windows\SWREG.exe
2009-10-28 01:04:04 0 d-s---w- C:\Combo-Fix-09
2009-10-28 00:55:52 0 d-----w- C:\Combo-Fix
2009-10-28 00:42:09 0 d-----w- c:\docume~1\jeffdi~1\applic~1\Malwarebytes
2009-10-28 00:42:00 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-28 00:41:58 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-28 00:41:58 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-28 00:41:58 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-28 00:39:09 1051168 --sh--w- c:\windows\system32\zogonaha.exe
2009-10-22 23:15:23 388608 ----a-w- c:\windows\system32\cmd.execf
2009-10-22 22:52:50 52224 ----a-w- C:\nvuytlnx.exe
2009-10-22 22:52:48 250368 ----a-w- C:\mgilgqug.exe
2009-10-22 22:52:47 50176 ----a-w- C:\rpvxjx.exe
2009-10-21 22:48:40 38 ----a-w- C:\40.tmp
2009-10-21 22:48:36 64000 ----a-w- C:\3E.tmp
2009-10-20 08:38:07 547 ----a-w- c:\windows\system32\ff_vfw.dll.manifest
2009-10-20 08:38:06 50688 ----a-w- c:\windows\system32\ff_acm.acm
2009-10-20 08:38:01 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-10-20 08:37:57 0 d-----w- c:\program files\ffdshow
2009-10-20 01:42:36 0 d-----w- c:\program files\GPL MPEG Decoder
2009-10-19 23:15:46 3249 ----a-w- c:\windows\system32\wbem\Outlook_01ca511216750fbe.mof
2009-10-17 09:18:01 0 d-----w- c:\docume~1\jeffdi~1\applic~1\GetRightToGo
2009-10-17 08:27:16 0 d-----w- c:\docume~1\jeffdi~1\applic~1\AVS4YOU
2009-10-17 08:27:14 0 d-----w- c:\docume~1\alluse~1\applic~1\AVS4YOU
2009-10-17 08:22:54 0 d-----w- c:\program files\common files\AVSMedia
2009-10-17 08:22:18 974848 ----a-w- c:\windows\system32\mfc70.dll
2009-10-17 08:22:09 0 d-----w- c:\program files\AVS4YOU
2009-10-17 08:18:52 24576 ----a-w- c:\windows\system32\msxml3a.dll
2009-10-16 22:44:30 182912 -c--a-w- c:\windows\system32\dllcache\ndis.sys
2009-10-16 04:56:34 0 d-----w- c:\program files\Media Player Classic
2009-10-16 04:56:33 0 d-----w- c:\program files\QuickTime Alternative
2009-10-12 06:10:56 0 d-sha-r- C:\cmdcons
2009-10-12 06:05:08 388608 ----a-w- c:\windows\system32\CF31564.exe
2009-10-11 23:36:53 44 ----a-w- c:\windows\SMWizard.INI
2009-10-11 07:53:12 33019 ----a-w- c:\windows\system32\CoreAAC-uninstall.exe
2009-10-11 07:51:35 0 d-----w- c:\program files\OpenSource Flash Video Splitter
2009-10-11 07:28:18 0 d-----w- c:\docume~1\jeffdi~1\applic~1\ESTSoft
2009-10-11 07:25:37 0 d-----w- c:\program files\ESTsoft
2009-10-11 07:14:30 0 d-sh--w- c:\documents and settings\jeff dick\PrivacIE
2009-10-11 07:01:42 0 d-sh--w- c:\documents and settings\jeff dick\IETldCache
2009-10-11 06:57:12 100352 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-10-11 06:56:16 0 d-----w- c:\windows\ie8updates
2009-10-11 06:55:07 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-10-11 06:55:06 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-10-11 06:55:06 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-10-11 06:55:05 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-10-11 06:55:05 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-10-11 06:55:04 11067392 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-10-11 06:50:16 0 dc-h--w- c:\windows\ie8
2009-10-11 06:47:36 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-10-11 06:47:20 128512 -c----w- c:\windows\system32\dllcache\dhtmled.ocx
2009-10-11 06:45:54 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-10-11 06:45:09 655872 -c----w- c:\windows\system32\dllcache\mstscax.dll

==================== Find3M ====================

2009-10-28 01:07:24 182912 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-08-05 09:11:47 204800 ----a-w- c:\windows\system32\mswebdvd.dll

============= FINISH: 22:44:04.31 ===============


And the Attach.txt:

=== Installed Programs ======================

Adobe Acrobat 5.0
Adobe Flash Player 10 ActiveX
Adobe Photoshop 7.0
Alps Pointing-device Driver
ALShow
ALTools Update
America Online (Choose which version to remove)
AOL Coach Version 1.0(Build:20030807.3)
ArcSoft Camera Suite
AT&TWorldNet Service
AVS Update Manager 1.0
AVS Video Converter 6
AVS4YOU Software Navigator 1.3
Belkin Wireless Utility
C-Dilla Licence Management System
Camera Window
Canon Camera WIA Driver
Canon Camera Window for ZoomBrowser EX
Canon PhotoRecord
Canon PowerShot S45 WIA Driver
Canon Utilities FileViewerUtility 1.0
Canon Utilities PhotoStitch 3.1
Canon Utilities RemoteCapture 2.6
Canon Utilities ZoomBrowser EX
CC_ccProxyExt
ccCommon
ccPxyCore
CoreAAC Audio Decoder (remove only)
Drag'n Drop CD+DVD
Family Feud Hollywood Edition (remove only)
Family Tree Maker
ffdshow [rev 3109] [2009-10-19]
FileViewerUtility 1.0
Golf King
GPL MPEG-1/2 DirectShow Decoder Filter
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
hp instant support
HP Memories Disc
HP Photo and Imaging 2.0 - All-in-One
HP Photo and Imaging 2.0 - All-in-One Drivers
HP Photo and Imaging 2.0 - hp psc 1200 series
hp psc 1200 series
ijji
Image Transfer
ImageMixer for Sony
Intel® Extreme Graphics Driver
Intel® PRO Network Adapters and Drivers
IntelliMover
InterVideo WinDVD 4
iTunes
J2SE Runtime Environment 5.0 Update 7
J2SE Runtime Environment 5.0 Update 8
Learn2 Player (Uninstall Only)
LiveReg (Symantec Corporation)
LiveUpdate 2.5 (Symantec Corporation)
Love Free Games Tennis
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
Managed DirectX (0900)
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 1.0 Hotfix (KB928367)
Microsoft Office Professional Edition 2003
Microsoft Office XP Media Content
Microsoft Streets & Trips 2006
Microsoft Visual C++ 2005 Redistributable
Microsoft Works 7.0
MicroStaff WINASPI
MSN Music Assistant
MSRedist
MyLabels
MySoftware Fonts
Norton AntiSpam
Norton AntiVirus 2005
Norton Internet Security
Norton Internet Security 2005 (Symantec Corporation)
Norton WMI Update
Notebook Maximizer
OpenSource Flash Video Splitter (remove only)
PaperPort
PhotoStitch
Quicken 2003 New User Edition
QuickTime
QuickTime Alternative 1.67
RealPlayer Basic
RemoteCapture 2.6
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Software Suite
Sony USB Driver
SoundMAX
SPBBC
Stamps.com Internet Postage
Super Collapse! 3
Symantec Script Blocking Installer
SymNet
TOSHIBA Access
TOSHIBA ConfigFree
TOSHIBA Console
Toshiba Hotkey Utility for Display Devices
TOSHIBA Power Saver
Toshiba Registration
TOSHIBA Software Modem
TOSHIBA Software Upgrades
TOSHIBA System Stability Program
Toshiba Tbiosdrv Driver
TOSHIBA TouchPad On/Off Utility V2.05.00
TOSHIBA Utilities
Update for Windows Internet Explorer 8 (KB973874)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB973815)
Viewpoint Media Player
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 8
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinRAR archiver
Yahoo! Install Manager
Yahoo! Software Update
Yahoo! Toolbar

==== End Of File ===========================


You assistance and timely response would be appreciated.

Thanks,
Jeff D.

[AdvancedSetup]

Please UPDATE MBAM, you're database is very old.

Your version: 2775
Current version: 3059

Update and Scan with Malwarebytes' Anti-Malware

• Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  
• Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
  
  • Update Malwarebytes' Anti-Malware
    
  • Select the Update tab
    
  • Click Update
• When the update is complete, select the Scanner tab
  
• Select Perform quick scan, then click Scan.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Be sure that everything is checked, and click Remove Selected.
  
• When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidently close it, the log file is saved here and will be named like this:
    
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log and a new Hijackthis log.


When that's done please uninstall these old compromised version of Java
J2SE Runtime Environment 5.0 Update 7
J2SE Runtime Environment 5.0 Update 8

[jgabble]

AdvancedSetup, on Oct 30 2009, 07:12 AM, said:

Please UPDATE MBAM, you're database is very old.

Your version: 2775
Current version: 3059

Update and Scan with Malwarebytes' Anti-Malware

• Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  
• Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
  
  • Update Malwarebytes' Anti-Malware
    
  • Select the Update tab
    
  • Click Update
• When the update is complete, select the Scanner tab
  
• Select Perform quick scan, then click Scan.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Be sure that everything is checked, and click Remove Selected.
  
• When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidently close it, the log file is saved here and will be named like this:
    
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log and a new Hijackthis log.


When that's done please uninstall these old compromised version of Java
J2SE Runtime Environment 5.0 Update 7
J2SE Runtime Environment 5.0 Update 8

Ron,

I am unable to update Malwarebytes. When I select just the "Update" and not "Launch", I get the following error message:

Error Code 732(0,0).

Where do I go from here?

Your assistance and timely response would be appreciated,

Thanks,

Jeff D.

[AdvancedSetup]

Please check your Private Message

[AdvancedSetup]

Okay, please try to run the following. Leave your Internet connection enabled and allow Combofix to automatically download and install the Recovery Console for you.
Disable your AV

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

• If you are using Firefox, make sure that your download settings are as follows:
  
  • Tools->Options->Main tab
    
  • Set to "Always ask me where to Save the files".
• During the download, rename Combofix to Combo-Fix as follows:
  
  
  
  
  
  
  
• It is important you rename Combofix during the download, but not after.
  
• Please do not rename Combofix to other names, but only to the one indicated.
  
• Close any open browsers.
  
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  

  -----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    

    -----------------------------------------------------------

  • Close any open browsers.
    
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

  -----------------------------------------------------------

• Double click on combo-Fix.exe & follow the prompts.
  
• When finished, it will produce a report for you.
  
• Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

If you still cannot get this to run, try booting into Safe Mode, and run it there.

To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode."

If this doesn't work either, try the same method (above method), but name Combofix.exe to iexplore.exe instead, or winlogon.exe..
This because It also happens in some cases that malware blocks EVERY process except for what is in its own whitelist, so this whitelist also includes system important processes such as iexplore.exe, explorer.exe, winlogon.exe...

[jgabble]

Ron,

Before I run this, there are some obstacles: the only way I can connect to the Internet after booting is through the Task Manager (CTRL-ALT-DEL) using the Run command - I can save programs to the desktop but cannot access them after running them the first time (or at least I am not sure how) - my method of communication through this forum is via my other laptop. I have run ComboFix (likely an older version) on the infected laptop - after trying to disable the AV (I can only do this by locating the .exe process on the Task Manager and "end task" - all is does is end the process - since I cannot access My Computer, have no desktop icons on booting the laptop, or having no Start Menu to access any folders), it does run and gets through all 50 stages, prompts itself to reboot the laptop, but when the laptop reboots, it goes to the login screen (since there is more than one user). I know that ComboFix instructs not to login yourself, but nothing happens once the login screen appears after ComboFix reboots the laptop - so I click on my username, enter my password, and the laptop boots into a desktop with only the background and no desktop icons, Start Menu, or quick launch icons on the bottom right of the laptop display (pretty much back where I started). I am a little confused on what exactly you mean by ComboFix download and installing th Recovery Console. Another issue - in my attempts to get ComboFix to run, I have saved it in several names (Combo--Fix, ComboFix1, DiseaseKiller, etc.).

Should I still proceed the way you requested or you now having the above information, is there a different path to take?

Again your assistance and timely response would be appreciated,

Thanks,
Jeff D.

[AdvancedSetup]

Okay download and burn this from the clean computer or a friends computer if needed. Then run on the infected computer.


Avira AntiVir Rescue System
[indent]Requires access to a working computer with a CD/DVD burner to create a bootable CD.

• Download the Avira AntiVir Rescue System from here
  
• Place a blank CD in your burner and double-click on the downloaded file named rescue_system-common-en.exe
  
• If the above link does not work please try this one: here
  
• The program will automatically burn the CD for you.
  
• Place the burned CD into the affected computer and start the computer from this CD.
  
• On the bottom left side of the screen there are 2 flags. Using your mouse click on the British flag to use English.
  
• Click on the Configuration button.
  
  • Select Scan all files
    
  • Select Try to repair infected files and Rename files, if they cannot be removed
    
  • Select Scan for dialers
    
  • Select Scan for joke programs (Jokes)
    
  • Select Scan for games
    
  • Select Scan for spyware (SPR)
• Click on Virus scanner
  
• Click on Start scanner at the bottom of the screen
  
• Currently the program does not support saving a log. Write down the amount of items for Records, Suspect files, and Warnings

The Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore and is updated several times a day so that the most recent security updates are always available.

Possible solutions to Screen Resolution and other issues

• Please see the post here if you're unable to view the entire screen of Avira.
  
• You can also review this one Fixed Rescue CD Resolution Probs with Dell Video
  
• Currently only the German keyboard is supported. Command Line not working English keyboards require work arounds.
  
• Some computers attempt to mount the floppy even though they don't have one. You may need to go in to the BIOS and disable the floppy drive in order to mount your hard drive for scanning.

[/indent]

[jgabble]

AdvancedSetup, on Oct 31 2009, 07:27 PM, said:

Okay download and burn this from the clean computer or a friends computer if needed. Then run on the infected computer.


Avira AntiVir Rescue System
[indent]Requires access to a working computer with a CD/DVD burner to create a bootable CD.

• Download the Avira AntiVir Rescue System from here
  
• Place a blank CD in your burner and double-click on the downloaded file named rescue_system-common-en.exe
  
• If the above link does not work please try this one: here
  
• The program will automatically burn the CD for you.
  
• Place the burned CD into the affected computer and start the computer from this CD.
  
• On the bottom left side of the screen there are 2 flags. Using your mouse click on the British flag to use English.
  
• Click on the Configuration button.
  
  • Select Scan all files
    
  • Select Try to repair infected files and Rename files, if they cannot be removed
    
  • Select Scan for dialers
    
  • Select Scan for joke programs (Jokes)
    
  • Select Scan for games
    
  • Select Scan for spyware (SPR)
• Click on Virus scanner
  
• Click on Start scanner at the bottom of the screen
  
• Currently the program does not support saving a log. Write down the amount of items for Records, Suspect files, and Warnings

The Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore and is updated several times a day so that the most recent security updates are always available.

Possible solutions to Screen Resolution and other issues

• Please see the post here if you're unable to view the entire screen of Avira.
  
• You can also review this one Fixed Rescue CD Resolution Probs with Dell Video
  
• Currently only the German keyboard is supported. Command Line not working English keyboards require work arounds.
  
• Some computers attempt to mount the floppy even though they don't have one. You may need to go in to the BIOS and disable the floppy drive in order to mount your hard drive for scanning.

[/indent]

Ron,
I'll go back one reply for you - after being able to delete (to the Recycle Bin) all the Pseudo ComboFix names and running the saved (newer version) of "Combo-Fix", here is the log :


ComboFix 09-10-30.01 - Jeff Dick 10/31/2009 14:49.5.1 - NTFSx86
Running from: c:\documents and settings\Jeff Dick\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

-- Previous Run --

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll

--------

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_TCPSR
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Service_6to4
-------\Service_tcpsr
-------\Legacy_isapeep
-------\Service_isapeep


((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-31 )))))))))))))))))))))))))))))))
.

2009-10-28 02:10 . 2009-10-28 02:10 -------- d-----w- C:\GenericFix
2009-10-28 01:38 . 2009-10-28 01:53 -------- d-----w- C:\Combo-Fix-09A
2009-10-28 01:04 . 2009-10-28 01:25 -------- d-----w- C:\Combo-Fix-09
2009-10-28 00:55 . 2009-10-28 00:56 -------- d-----w- C:\Combo-Fix
2009-10-28 00:42 . 2009-10-28 00:42 -------- d-----w- c:\documents and settings\Jeff Dick\Application Data\Malwarebytes
2009-10-28 00:42 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-28 00:41 . 2009-10-31 06:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-28 00:41 . 2009-10-28 00:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-28 00:41 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-28 00:39 . 2009-10-28 00:39 1051168 --sh--w- c:\windows\system32\zogonaha.exe
2009-10-22 22:52 . 2009-10-22 22:52 52224 ----a-w- C:\nvuytlnx.exe
2009-10-22 22:52 . 2009-10-22 22:52 250368 ----a-w- C:\mgilgqug.exe
2009-10-22 22:52 . 2009-10-22 22:52 50176 ----a-w- C:\rpvxjx.exe
2009-10-21 22:49 . 2009-10-21 22:49 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-20 08:38 . 2009-10-17 01:53 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-10-20 08:37 . 2009-10-20 08:38 -------- d-----w- c:\program files\ffdshow
2009-10-20 01:42 . 2009-10-20 01:42 -------- d-----w- c:\program files\GPL MPEG Decoder
2009-10-17 12:31 . 2009-10-17 12:31 -------- d-sh--w- c:\documents and settings\Larry C. Dick\PrivacIE
2009-10-17 12:31 . 2009-10-17 12:31 -------- d-----w- c:\documents and settings\Larry C. Dick\Local Settings\Application Data\Yahoo
2009-10-17 12:31 . 2009-10-17 12:31 -------- d-----w- c:\documents and settings\Larry C. Dick\Application Data\Yahoo!
2009-10-17 09:18 . 2009-10-17 09:19 -------- d-----w- c:\documents and settings\Jeff Dick\Application Data\GetRightToGo
2009-10-17 08:27 . 2009-10-17 08:27 -------- d-----w- c:\documents and settings\Jeff Dick\Application Data\AVS4YOU
2009-10-17 08:27 . 2009-10-17 08:27 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU
2009-10-17 08:22 . 2009-10-17 08:25 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-10-17 08:22 . 2008-08-13 15:22 974848 ----a-w- c:\windows\system32\mfc70.dll
2009-10-17 08:22 . 2009-10-17 08:25 -------- d-----w- c:\program files\AVS4YOU
2009-10-17 08:18 . 2008-08-13 15:22 24576 ----a-w- c:\windows\system32\msxml3a.dll
2009-10-16 22:44 . 2009-10-28 01:07 182912 -c--a-w- c:\windows\system32\dllcache\ndis.sys
2009-10-16 04:56 . 2009-10-16 04:56 -------- d-----w- c:\program files\Media Player Classic
2009-10-16 04:56 . 2009-10-16 04:56 -------- d-----w- c:\program files\QuickTime Alternative
2009-10-11 21:58 . 2009-10-14 00:09 -------- d-----w- c:\documents and settings\Jeff Dick\Local Settings\Application Data\Temp
2009-10-11 21:56 . 2009-10-28 01:03 -------- d-----w- c:\documents and settings\Jeff Dick\Local Settings\Application Data\Google
2009-10-11 19:14 . 2009-10-11 19:14 -------- d-----w- c:\documents and settings\Larry C. Dick\Application Data\ESTSoft
2009-10-11 19:11 . 2009-10-11 19:11 -------- d-sh--w- c:\documents and settings\Larry C. Dick\IETldCache
2009-10-11 07:53 . 2009-10-11 07:53 33019 ----a-w- c:\windows\system32\CoreAAC-uninstall.exe
2009-10-11 07:51 . 2009-10-11 07:51 -------- d-----w- c:\program files\OpenSource Flash Video Splitter
2009-10-11 07:28 . 2009-10-11 07:29 -------- d-----w- c:\documents and settings\Jeff Dick\Application Data\ESTSoft
2009-10-11 07:25 . 2009-10-11 07:25 -------- d-----w- c:\program files\ESTsoft
2009-10-11 07:14 . 2009-10-11 07:14 -------- d-sh--w- c:\documents and settings\Jeff Dick\PrivacIE
2009-10-11 07:02 . 2009-10-11 07:02 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-10-11 07:01 . 2009-10-11 07:01 -------- d-sh--w- c:\documents and settings\Jeff Dick\IETldCache
2009-10-11 06:57 . 2009-08-07 08:48 100352 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-10-11 06:56 . 2009-10-28 01:28 -------- d-----w- c:\windows\ie8updates
2009-10-11 06:55 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-10-11 06:55 . 2009-07-03 17:09 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-10-11 06:55 . 2009-07-03 17:09 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-10-11 06:55 . 2009-07-03 17:09 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-10-11 06:55 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-10-11 06:55 . 2009-07-19 22:48 11067392 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-10-11 06:50 . 2009-10-11 06:52 -------- dc-h--w- c:\windows\ie8
2009-10-11 06:47 . 2009-06-21 22:04 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-10-11 06:45 . 2009-07-10 13:42 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-10-11 06:45 . 2009-06-05 07:42 655872 -c----w- c:\windows\system32\dllcache\mstscax.dll
2009-10-11 06:42 . 2009-10-11 06:42 -------- d-----w- c:\documents and settings\Jeff Dick\Local Settings\Application Data\Yahoo
2009-10-11 06:40 . 2009-10-11 06:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-10-11 06:38 . 2009-10-11 06:38 -------- d-----w- c:\documents and settings\Jeff Dick\Application Data\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-31 18:43 . 2003-04-29 19:59 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-10-31 18:25 . 2006-07-02 23:01 -------- d-----w- c:\program files\Java
2009-10-28 01:07 . 2003-04-29 16:32 182912 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-10-21 22:49 . 2009-10-21 22:48 38 ----a-w- C:\40.tmp
2009-10-21 22:49 . 2009-10-21 22:48 64000 ----a-w- C:\3E.tmp
2009-10-16 04:57 . 2006-06-23 23:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-10-16 04:56 . 2006-07-23 04:52 -------- d-----w- c:\documents and settings\Jeff Dick\Application Data\Apple Computer
2009-10-11 07:04 . 2006-05-03 05:07 72040 ----a-w- c:\documents and settings\Jeff Dick\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-11 06:42 . 2006-06-10 20:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-10-11 06:40 . 2006-06-10 20:26 -------- d-----w- c:\program files\Yahoo!
2009-08-05 09:11 . 2002-12-12 07:14 204800 ----a-w- c:\windows\system32\mswebdvd.dll
.

------- Sigcheck -------

[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\explorer.exe
[-] 2004-08-04 07:56 . !HASH: COULD NOT OPEN FILE !!!!! . 1032192 . . [------] . . c:\windows\explorer.exe
[7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\ServicePackFiles\i386\explorer.exe
[7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\explorer.exe
[-] 2002-08-29 . A82B28BFC2E4455FE43022A498C0EF0A . 1004032 . . [6.00.2800.1106] . . c:\windows\$NtServicePackUninstall$\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"00THotkey"="c:\windows\System32\00THotkey.exe" [2003-04-16 258048]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"PmProxy"="c:\program files\Analog Devices\SoundMAX\PmProxy.exe" [2003-03-01 40960]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2003-01-03 172032]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2002-12-25 159744]
"TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.Exe" [2003-01-22 126976]
"NDSTray.exe"="c:\program files\Toshiba\ConfigFree\NDSTray.exe" [2003-01-18 458752]
"ezShieldProtector for Px"="c:\windows\System32\ezSP_Px.exe" [2002-08-20 40960]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2002-10-17 159744]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-08-27 58488]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 40960]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2003-04-29 26112]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-06-14 278528]
"HostManager"="c:\program files\Common Files\AOL\1241910677\ee\AOLSoftware.exe" [2006-09-26 50736]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-07-23 282624]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"000StTHK"="000StTHK.exe" - c:\windows\system32\000StTHK.exe [2001-06-24 24576]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2003-04-18 88363]
"TFNF5"="TFNF5.exe" - c:\windows\system32\TFNF5.exe [2001-08-04 73728]
"Tpwrtray"="TPWRTRAY.EXE" - c:\windows\system32\TPWRTRAY.EXE [2002-12-10 237568]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-9-14 113664]
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2004-5-14 36954]
hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-4-6 147456]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]
Image Transfer.lnk - c:\program files\Sony Corporation\Image Transfer\SonyTray.exe [2003-9-14 73728]
MySoftware NewsFlash.lnk - c:\program files\Common Files\MySoftware\NewsFlsh.exe [2003-9-14 217088]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 mrtRate;mrtRate; [x]
R3 CBEN5;Xircom CardBus Ethernet 10/100 Adapter family Driver;c:\windows\system32\DRIVERS\cben5.sys [2001-08-17 46108]
R3 Wdm1;USB Bridge Cable Driver;c:\windows\system32\Drivers\usbbc.sys [2005-06-10 15576]
S3 wlags48b;Wireless LAN PCCard Driver;c:\windows\system32\DRIVERS\wlags48b.sys [2002-06-28 156672]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - CLASSPNP_2
*NewlyCreated* - PCIIDEX_2
*Deregistered* - CLASSPNP_2
*Deregistered* - mbr
*Deregistered* - PCIIDEX_2
.
Contents of the 'Scheduled Tasks' folder

2009-10-12 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 1200 series5E771253C1676EBED677BF361FDFC537825E15B8063438622.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 07:52]

2009-10-31 c:\windows\Tasks\Norton AntiVirus - Scan my computer - Larry C. Dick.job
- c:\progra~1\NORTON~2\NORTON~1\Navw32.exe [2004-08-30 18:34]

2009-10-22 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2003-04-29 22:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: {{0264505A-6793-44E0-AC75-9DCE3B13185C} - c:\program files\AT&T\WnClient\Programs\AnyWho.exe
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} - hxxp://aolsvc.aol.com/onlinegames/oberonmajongescape/PTGameLauncher.cab
.
- - - - ORPHANS REMOVED - - - -

BHO-{7cc62ac7-3c0b-442d-9849-326be3c36fc6} - vodarowo.dll
AddRemove-ijji.com - c:\ijji\ENGLISH\ijjiUninstall.exe
AddRemove-Tennis - c:\program files\LoveFreeGames\Tennis\uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-31 15:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,49,1c,4a,be,3d,d4,54,4b,89,57,4d,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,49,1c,4a,be,3d,d4,54,4b,89,57,4d,\
.
Completion time: 2009-10-31 15:13
ComboFix-quarantined-files.txt 2009-10-31 19:13

Pre-Run: 25,532,477,440 bytes free
Post-Run: 25,544,589,312 bytes free

- - End Of File - - 8BFF9C33ABF4603CC065014DE639C78B

Hopefully this should help for the next step to fully restoring the laptop.

Again your assistance and timely response would be appreciated,

Thanks,
Jeff D.

[AdvancedSetup]

Okay, change your CFscript.txt file to the following and drop it or run it on Combofix again

KillAll::
File::
Fcopy::
c:\windows\ServicePackFiles\i386\explorer.exe | c:\windows\explorer.exe
c:\windows\system32\zogonaha.exe
C:\nvuytlnx.exe
C:\mgilgqug.exe
C:\rpvxjx.exe
C:\40.tmp
C:\3E.tmp
RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

[jgabble]

AdvancedSetup, on Oct 31 2009, 09:52 PM, said:

Okay, change your CFscript.txt file to the following and drop it or run it on Combofix again

KillAll::
File::
Fcopy::
c:\windows\ServicePackFiles\i386\explorer.exe | c:\windows\explorer.exe
c:\windows\system32\zogonaha.exe
C:\nvuytlnx.exe
C:\mgilgqug.exe
C:\rpvxjx.exe
C:\40.tmp
C:\3E.tmp
RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

Ron,

How exactly would I do this? Where do I locate the CFscript.txt file? How would I "drop" it or "run" it on ComboFix?

Your assistance and timely response would again be appreciated,

Thanks,
Jeff D.

[AdvancedSetup]

I'm sorry. My fault. Please try the following.

Download but do not yet run ComboFix
If you have a previous version of Combofix.exe, delete it and download a fresh copy.
Download it to your DESKTOP - it MUST run from the Desktop
download.bleepingcomputer.com/sUBs/ComboFix.exe
subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

KILLALL::
Fcopy::
c:\windows\ServicePackFiles\i386\explorer.exe | c:\windows\explorer.exe
File::
c:\windows\system32\zogonaha.exe
C:\nvuytlnx.exe
C:\mgilgqug.exe
C:\rpvxjx.exe
C:\40.tmp
C:\3E.tmp
RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

• Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  
• Disconnect from the Internet.
  
• Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  
• A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  
• It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
  When the scan completes Notepad will open with with your results log open. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

[jgabble]

AdvancedSetup, on Oct 31 2009, 10:15 PM, said:

I'm sorry. My fault. Please try the following.

Download but do not yet run ComboFix
If you have a previous version of Combofix.exe, delete it and download a fresh copy.
Download it to your DESKTOP - it MUST run from the Desktop
download.bleepingcomputer.com/sUBs/ComboFix.exe
subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

KILLALL::
Fcopy::
c:\windows\ServicePackFiles\i386\explorer.exe | c:\windows\explorer.exe
File::
c:\windows\system32\zogonaha.exe
C:\nvuytlnx.exe
C:\mgilgqug.exe
C:\rpvxjx.exe
C:\40.tmp
C:\3E.tmp
RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

• Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  
• Disconnect from the Internet.
  
• Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  
• A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  
• It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
  When the scan completes Notepad will open with with your results log open. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

Ron,

Another stumbling block here: there is nothing visible on my desktop except for the background - so even if I save it to the desktop, the only way I can access it is through th Task Manager and clicking on Browse and locating it in the Desktop folder.

Could I save it to my 5GB Flashdrive on my uninfected laptop then connect it to my infected laptop - I can copy paste it to the laptop, but again, I am unable to see any icons on my desktop. Is there a way to do this and run ComboFix with the script? I also have an old Norton 2005 trial version of AV on the laptop - how can I disable this?

Again your assistance and timely response would be appreciated,

Thanks,
Jeff D.

[jgabble]

jgabble, on Oct 31 2009, 09:41 PM, said:

Ron,

Another stumbling block here: there is nothing visible on my desktop except for the background - so even if I save it to the desktop, the only way I can access it is through th Task Manager and clicking on Browse and locating it in the Desktop folder.

Could I save it to my 5GB Flashdrive on my uninfected laptop then connect it to my infected laptop - I can copy paste it to the laptop, but again, I am unable to see any icons on my desktop. Is there a way to do this and run ComboFix with the script? I also have an old Norton 2005 trial version of AV on the laptop - how can I disable this?

Again your assistance and timely response would be appreciated,

Thanks,
Jeff D.

P.S. - How would I open a new notepad session? I have never done this before.
Thanks again.

[AdvancedSetup]

You can copy and save it to your desktop and through Task Manager you can run this. Type in NOTEPAD and launch it. Then save the document to the Dekstop for your profile.
"C:\Documents and Settings\<username>\Desktop\combofix.exe" "C:\Documents and Settings\<username>\Desktop\cfscript.txt"
Or something like this
%USERNAME%\Desktop\combofix.exe %USERNAME%\Desktop\cfscript.txt

Where <username> is the name of your account.

Try to run the following first and see if it helps or not.

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 6 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click and choose Run as Admin
You only need to get one of them to run, not all of them.

• rkill.exe
  
• rkill.com
  
• rkill.scr
  
• rkill.pif
  
• WiNlOgOn.exe
  
• uSeRiNiT.exe

Once you've gotten one of them to run then try to immediately run the Combofix script.

[jgabble]

AdvancedSetup, on Nov 1 2009, 09:29 AM, said:

You can copy and save it to your desktop and through Task Manager you can run this. Type in NOTEPAD and launch it. Then save the document to the Dekstop for your profile.
"C:\Documents and Settings\<username>\Desktop\combofix.exe" "C:\Documents and Settings\<username>\Desktop\cfscript.txt"
Or something like this
%USERNAME%\Desktop\combofix.exe %USERNAME%\Desktop\cfscript.txt

Where <username> is the name of your account.

Try to run the following first and see if it helps or not.

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 6 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click and choose Run as Admin
You only need to get one of them to run, not all of them.

• rkill.exe
  
• rkill.com
  
• rkill.scr
  
• rkill.pif
  
• WiNlOgOn.exe
  
• uSeRiNiT.exe

Once you've gotten one of them to run then try to immediately run the Combofix script.

Ron,

Here is the log from the most recent ComboFix run (I think with the CFscript - if not, please let me know and I will try at again)

ComboFix 09-10-30.01 - Jeff Dick 11/01/2009 14:49.6.1 - NTFSx86
Running from: F:\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2009-10-01 to 2009-11-01 )))))))))))))))))))))))))))))))
.

2009-10-28 02:10 . 2009-10-28 02:10 -------- d-----w- C:\GenericFix
2009-10-28 01:38 . 2009-10-28 01:53 -------- d-----w- C:\Combo-Fix-09A
2009-10-28 01:04 . 2009-10-28 01:25 -------- d-----w- C:\Combo-Fix-09
2009-10-28 00:55 . 2009-10-28 00:56 -------- d-----w- C:\Combo-Fix
2009-10-28 00:42 . 2009-10-28 00:42 -------- d-----w- c:\documents and settings\Jeff Dick\Application Data\Malwarebytes
2009-10-28 00:42 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-28 00:41 . 2009-10-31 06:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-28 00:41 . 2009-10-28 00:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-28 00:41 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-28 00:39 . 2009-10-28 00:39 1051168 --sh--w- c:\windows\system32\zogonaha.exe
2009-10-22 22:52 . 2009-10-22 22:52 52224 ----a-w- C:\nvuytlnx.exe
2009-10-22 22:52 . 2009-10-22 22:52 250368 ----a-w- C:\mgilgqug.exe
2009-10-22 22:52 . 2009-10-22 22:52 50176 ----a-w- C:\rpvxjx.exe
2009-10-21 22:49 . 2009-10-21 22:49 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-20 08:38 . 2009-10-17 01:53 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-10-20 08:37 . 2009-10-20 08:38 -------- d-----w- c:\program files\ffdshow
2009-10-20 01:42 . 2009-10-20 01:42 -------- d-----w- c:\program files\GPL MPEG Decoder
2009-10-17 12:31 . 2009-10-17 12:31 -------- d-sh--w- c:\documents and settings\Larry C. Dick\PrivacIE
2009-10-17 12:31 . 2009-10-17 12:31 -------- d-----w- c:\documents and settings\Larry C. Dick\Local Settings\Application Data\Yahoo
2009-10-17 12:31 . 2009-10-17 12:31 -------- d-----w- c:\documents and settings\Larry C. Dick\Application Data\Yahoo!
2009-10-17 09:18 . 2009-10-17 09:19 -------- d-----w- c:\documents and settings\Jeff Dick\Application Data\GetRightToGo
2009-10-17 08:27 . 2009-10-17 08:27 -------- d-----w- c:\documents and settings\Jeff Dick\Application Data\AVS4YOU
2009-10-17 08:27 . 2009-10-17 08:27 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU
2009-10-17 08:22 . 2009-10-17 08:25 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-10-17 08:22 . 2008-08-13 15:22 974848 ----a-w- c:\windows\system32\mfc70.dll
2009-10-17 08:22 . 2009-10-17 08:25 -------- d-----w- c:\program files\AVS4YOU
2009-10-17 08:18 . 2008-08-13 15:22 24576 ----a-w- c:\windows\system32\msxml3a.dll
2009-10-16 22:44 . 2009-10-28 01:07 182912 -c--a-w- c:\windows\system32\dllcache\ndis.sys
2009-10-16 04:56 . 2009-10-16 04:56 -------- d-----w- c:\program files\Media Player Classic
2009-10-16 04:56 . 2009-10-16 04:56 -------- d-----w- c:\program files\QuickTime Alternative
2009-10-11 21:58 . 2009-10-14 00:09 -------- d-----w- c:\documents and settings\Jeff Dick\Local Settings\Application Data\Temp
2009-10-11 21:56 . 2009-10-28 01:03 -------- d-----w- c:\documents and settings\Jeff Dick\Local Settings\Application Data\Google
2009-10-11 19:14 . 2009-10-11 19:14 -------- d-----w- c:\documents and settings\Larry C. Dick\Application Data\ESTSoft
2009-10-11 19:11 . 2009-10-11 19:11 -------- d-sh--w- c:\documents and settings\Larry C. Dick\IETldCache
2009-10-11 07:53 . 2009-10-11 07:53 33019 ----a-w- c:\windows\system32\CoreAAC-uninstall.exe
2009-10-11 07:51 . 2009-10-11 07:51 -------- d-----w- c:\program files\OpenSource Flash Video Splitter
2009-10-11 07:28 . 2009-10-11 07:29 -------- d-----w- c:\documents and settings\Jeff Dick\Application Data\ESTSoft
2009-10-11 07:25 . 2009-10-11 07:25 -------- d-----w- c:\program files\ESTsoft
2009-10-11 07:14 . 2009-10-11 07:14 -------- d-sh--w- c:\documents and settings\Jeff Dick\PrivacIE
2009-10-11 07:02 . 2009-10-11 07:02 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-10-11 07:01 . 2009-10-11 07:01 -------- d-sh--w- c:\documents and settings\Jeff Dick\IETldCache
2009-10-11 06:57 . 2009-08-07 08:48 100352 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-10-11 06:56 . 2009-10-28 01:28 -------- d-----w- c:\windows\ie8updates
2009-10-11 06:55 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-10-11 06:55 . 2009-07-03 17:09 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-10-11 06:55 . 2009-07-03 17:09 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-10-11 06:55 . 2009-07-03 17:09 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-10-11 06:55 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-10-11 06:55 . 2009-07-19 22:48 11067392 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-10-11 06:50 . 2009-10-11 06:52 -------- dc-h--w- c:\windows\ie8
2009-10-11 06:47 . 2009-06-21 22:04 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-10-11 06:45 . 2009-07-10 13:42 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-10-11 06:45 . 2009-06-05 07:42 655872 -c----w- c:\windows\system32\dllcache\mstscax.dll
2009-10-11 06:42 . 2009-10-11 06:42 -------- d-----w- c:\documents and settings\Jeff Dick\Local Settings\Application Data\Yahoo
2009-10-11 06:40 . 2009-10-11 06:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-10-11 06:38 . 2009-10-11 06:38 -------- d-----w- c:\documents and settings\Jeff Dick\Application Data\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-31 19:25 . 2003-04-29 19:59 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-10-31 18:25 . 2006-07-02 23:01 -------- d-----w- c:\program files\Java
2009-10-28 01:07 . 2003-04-29 16:32 182912 ------w- c:\windows\system32\drivers\ndis.sys
2009-10-21 22:49 . 2009-10-21 22:48 38 ----a-w- C:\40.tmp
2009-10-21 22:49 . 2009-10-21 22:48 64000 ----a-w- C:\3E.tmp
2009-10-16 04:57 . 2006-06-23 23:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-10-16 04:56 . 2006-07-23 04:52 -------- d-----w- c:\documents and settings\Jeff Dick\Application Data\Apple Computer
2009-10-11 07:04 . 2006-05-03 05:07 72040 ----a-w- c:\documents and settings\Jeff Dick\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-11 06:42 . 2006-06-10 20:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-10-11 06:40 . 2006-06-10 20:26 -------- d-----w- c:\program files\Yahoo!
2009-08-05 09:11 . 2002-12-12 07:14 204800 ----a-w- c:\windows\system32\mswebdvd.dll
.

------- Sigcheck -------

[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\explorer.exe
[-] 2004-08-04 07:56 . !HASH: COULD NOT OPEN FILE !!!!! . 1032192 . . [------] . . c:\windows\explorer.exe
[7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\ServicePackFiles\i386\explorer.exe
[7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\explorer.exe
[-] 2002-08-29 . A82B28BFC2E4455FE43022A498C0EF0A . 1004032 . . [6.00.2800.1106] . . c:\windows\$NtServicePackUninstall$\explorer.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-10-31_19.04.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2003-04-29 16:32 . 2009-11-01 19:40 47122 c:\windows\system32\perfc009.dat
- 2003-04-29 16:32 . 2009-10-19 23:15 47122 c:\windows\system32\perfc009.dat
+ 2003-04-29 16:32 . 2009-11-01 19:40 368218 c:\windows\system32\perfh009.dat
- 2003-04-29 16:32 . 2009-10-19 23:15 368218 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"00THotkey"="c:\windows\System32\00THotkey.exe" [2003-04-16 258048]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"PmProxy"="c:\program files\Analog Devices\SoundMAX\PmProxy.exe" [2003-03-01 40960]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2003-01-03 172032]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2002-12-25 159744]
"TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.Exe" [2003-01-22 126976]
"NDSTray.exe"="c:\program files\Toshiba\ConfigFree\NDSTray.exe" [2003-01-18 458752]
"ezShieldProtector for Px"="c:\windows\System32\ezSP_Px.exe" [2002-08-20 40960]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2002-10-17 159744]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-08-27 58488]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 40960]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2003-04-29 26112]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-06-14 278528]
"HostManager"="c:\program files\Common Files\AOL\1241910677\ee\AOLSoftware.exe" [2006-09-26 50736]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-07-23 282624]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"000StTHK"="000StTHK.exe" - c:\windows\system32\000StTHK.exe [2001-06-24 24576]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2003-04-18 88363]
"TFNF5"="TFNF5.exe" - c:\windows\system32\TFNF5.exe [2001-08-04 73728]
"Tpwrtray"="TPWRTRAY.EXE" - c:\windows\system32\TPWRTRAY.EXE [2002-12-10 237568]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 mrtRate;mrtRate; [x]
R3 CBEN5;Xircom CardBus Ethernet 10/100 Adapter family Driver;c:\windows\system32\DRIVERS\cben5.sys [2001-08-17 46108]
R3 Wdm1;USB Bridge Cable Driver;c:\windows\system32\Drivers\usbbc.sys [2005-06-10 15576]
S3 wlags48b;Wireless LAN PCCard Driver;c:\windows\system32\DRIVERS\wlags48b.sys [2002-06-28 156672]


--- Other Services/Drivers In Memory ---

*Deregistered* - CLASSPNP_2
*Deregistered* - mbr
*Deregistered* - PCIIDEX_2
.
Contents of the 'Scheduled Tasks' folder

2009-10-12 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 1200 series5E771253C1676EBED677BF361FDFC537825E15B8063438622.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 07:52]

2009-10-31 c:\windows\Tasks\Norton AntiVirus - Scan my computer - Larry C. Dick.job
- c:\progra~1\NORTON~2\NORTON~1\Navw32.exe [2004-08-30 18:34]

2009-10-31 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2003-04-29 22:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: {{0264505A-6793-44E0-AC75-9DCE3B13185C} - c:\program files\AT&T\WnClient\Programs\AnyWho.exe
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} - hxxp://aolsvc.aol.com/onlinegames/oberonmajongescape/PTGameLauncher.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-01 15:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,49,1c,4a,be,3d,d4,54,4b,89,57,4d,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,49,1c,4a,be,3d,d4,54,4b,89,57,4d,\
.
Completion time: 2009-11-01 15:55
ComboFix-quarantined-files.txt 2009-11-01 20:55
ComboFix2.txt 2009-10-31 19:13

Pre-Run: 25,548,931,072 bytes free
Post-Run: 25,520,250,880 bytes free

- - End Of File - - A1D36CA9993AA828050923C3A63D9840


This does not seem to look right.

Your assistance and timely response would be appreciated.

Thanks,
Jeff D.