Malwarebytes

How do I remove fake MS Removal Tool?

21 replies to this topic

#1
Coalza

    New Member

  • Members
  • 11 posts
  • Gender:Female
  • Location:Victoria, Australia
My husband went online looking for an anti-virus program without realising I'd already downloaded Malwarebytes and downloaded a fake MS Removal Tool.
Now it's preventing me from opening a lot of programs, like MBAM for example.
I've been into the safe mode and run both a quick and a full scan, but it's not finding anything.
Does anyone know what I can do now to get rid of it?
Thanks!

#2
Kenny94

    Malware Fighter

  • Experts
  • 2,655 posts
  • Gender:Male
  • Location:S.C USA
  • Interests:The workings of Apple's tablets and all PC'S

    Computing is not about computers any more. It is about living.
    ~Nicholas Negroponte
Hi Coalza and Welcome to Malwarebytes!


We need to look at some information about what is going on in your computer:

Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool.
  • When done, DDS will open two (2) logs
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop.
  • The instructions here ask you to attach the Attach.txt.

  • Instead of attaching, please copy/paste both logs into your Thread

  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run.
After downloading the tool, disconnect from the internet and disable all antivirus protection.
Run the scan, enable your A/V and reconnect to the internet.
Information on A/V control HERE. Then post your DDS (DDS.txt and Attach.txt).
My Blog On Malware And Security Tips

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click the PayPal button.

#3
Coalza

    New Member

  • Members
  • 11 posts
  • Gender:Female
  • Location:Victoria, Australia
This virus is preventing me from opening the DDS program.
Will I be able to open it in Safe Mode?

#4
Kenny94

    Malware Fighter

  • Experts
  • 2,655 posts
  • Gender:Male
  • Location:S.C USA
  • Interests:The workings of Apple's tablets and all PC'S

    Computing is not about computers any more. It is about living.
    ~Nicholas Negroponte
Let's do the following instead.


Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.
---------------------------------------------------------------------------------------------

Please copy and paste this post to a new text document or print it for reference later.

Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select Safe Mode with Networking and press Enter.

Next


  • Download ComboFix from below:

    Combofix download


    * IMPORTANT !!! Place combofix.exe on your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.


    You can get help on disabling your protection programs here

  • Double click on combofix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.

    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:

    The Recovery Console was successfully installed.


    Click on Yes, to continue scanning for malware.

  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------

  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------


#5
Coalza

    New Member

  • Members
  • 11 posts
  • Gender:Female
  • Location:Victoria, Australia
.
DDS (Ver_11-03-05.01) - NTFSx86 NETWORK
Run by Zack & Colleen at 10:39:27.42 on Sun 27/03/2011
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.811 [GMT 11:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Zack & Colleen\My Documents\Downloads\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.crawler.com/homepage.aspx?tbid=60475
uSearch Page = hxxp://search.live.com
uSearch Bar = hxxp://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=60475
mSearch Bar = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.crawler.com/search/ie.aspx?tb_id=60475
mCustomizeSearch = hxxp://dnl.crawler.com/support/sa_customize.aspx?TbId=60475
uURLSearchHooks: N/A: {1cb20bf0-bbae-40a7-93f4-6435ff3d0411} - c:\progra~1\crawler\ctbr.dll
uURLSearchHooks: the blinkx toolbar: {f08555b0-9cc3-11d2-aa8e-000000000567} - c:\program files\blinkx remote toolbar\the_blinkx_shook.dll
uURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTo1.dll
BHO: The blinkx Toolbar: {0069b690-7a2b-41c5-98ca-9f535b4c8532} - c:\program files\blinkx remote toolbar\the_blinkx_bho.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: ALOT Toolbar Helper: {14ceeaff-96dd-4101-ae37-d5ecdc23c3f6} - c:\program files\alot\bin\alot.dll
BHO: PriceGongBHO Class: {1631550f-191d-4826-b069-d9439253d926} - c:\program files\pricegong\2.1.0\PriceGongIE.dll
BHO: : {1cb20bf0-bbae-40a7-93f4-6435ff3d0411} - c:\progra~1\crawler\ctbr.dll
BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngin0.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTo1.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: ALOT Toolbar: {5aa2ba46-9913-4dc7-9620-69ab0fa17ae7} - c:\program files\alot\bin\alot.dll
TB: &Crawler Toolbar: {4b3803ea-5230-4dc3-a7fc-33638f3d3542} - c:\progra~1\crawler\ctbr.dll
TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTo1.dll
TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngin0.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: GP Bar: {c3538050-face-11de-8a39-0800200c9a66} - %SystemRoot%\system32\shdocvw.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [blinkx_toolbar] "c:\program files\blinkx remote toolbar\the_blinkx_toolbar.exe" -startservice
uRunOnce: [oMkDdBdOaMn06504] c:\documents and settings\all users\application data\omkddbdoamn06504\oMkDdBdOaMn06504.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [autodetect] c:\windows\system32\supportappxl\AutoDect.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\zack&c~1\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony\sony picture utility\pmbcore\SPUVolumeWatcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodaks~1.lnk - c:\program files\kodak\kodak software updater\7288971\program\Kodak Software Updater.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: &Search - http://tbedits.iwon....AU&si=gua182401&a=13ABCC14-2691-4C62-9658-758ECBBD2079&n=2010100621
IE: Crawler Search - tbr:iemenu
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\crawler\ctbr.dll
Notify: AtiExtEvent - Ati2evxx.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\zack&c~1\applic~1\mozilla\firefox\profiles\oa2j6eys.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - ALOT Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - prefs.js: keyword.URL - hxxp://search.alot.com/web?&src_id=11649&client_id=9846788c29f85ca76478c4a4&camp_id=1500&install_time=2010-10-31T12:50:23Z&tb_version=2.4.4000%28F%29&pr=auto&q=
FF - component: c:\documents and settings\zack & colleen\application data\mozilla\firefox\profiles\oa2j6eys.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\components\RadioWMPCoreGecko19.dll
FF - component: c:\documents and settings\zack & colleen\application data\mozilla\firefox\profiles\oa2j6eys.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll
FF - component: c:\documents and settings\zack & colleen\application data\mozilla\firefox\profiles\oa2j6eys.default\extensions\toolbar@alot.com\components\AlotXpcom.dll
FF - component: c:\program files\crawler\firefox\components\xcomm.dll
FF - component: c:\program files\crawler\firefox\components\xshared.dll
FF - component: c:\program files\crawler\firefox\components\xsupport.dll
FF - component: c:\program files\crawler\firefox\components\xwsg.dll
FF - component: c:\program files\pricegong\2.1.0\ff\components\PriceGongFF.dll
FF - plugin: c:\documents and settings\zack & colleen\application data\mozilla\firefox\profiles\oa2j6eys.default\extensions\battlefieldheroespatcher@ea.com\platform\winnt_x86-msvc\plugins\npBFHUpdater.dll
FF - plugin: c:\documents and settings\zack & colleen\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\iwong\bar\1.bin\NP9uStub.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\np_blinkx_plugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_ClickPotatoLiteSA.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: IWON: 9uffxtbr@IWONG.com - c:\program files\iwong\bar\1.bin
FF - Ext: Crawler Toolbar: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - c:\program files\crawler\firefox
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: ALOT Toolbar: toolbar@alot.com - %profile%\extensions\toolbar@alot.com
FF - Ext: Battlefield Heroes Updater: battlefieldheroespatcher@ea.com - %profile%\extensions\battlefieldheroespatcher@ea.com
FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
FF - Ext: uTorrentBar Community Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - %profile%\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}
FF - Ext: PriceGong: {8A9386B4-E958-4c4c-ADF4-8F26DB3E4829} - c:\program files\pricegong\2.1.0\FF
.
============= SERVICES / DRIVERS ===============
.
S2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2010-9-12 54760]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-11-2 136176]
S2 IWONGService;IWON Service;c:\progra~1\iwong\bar\1.bin\9ubarsvc.exe [2010-10-7 28766]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2010-1-29 7680]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
.
=============== Created Last 30 ================
.
2011-03-26 09:06:19 -------- d-----w- C:\f5fcc391bb7e702f4be258223716
2011-03-26 09:06:10 -------- d-----w- C:\bcc42e3541eb221b28f80cdeab
2011-03-26 08:58:52 -------- d-----w- C:\6f437a5fc8a0b1a93ffb81d741524752
2011-03-26 08:57:35 -------- d-----w- C:\25bec85c0760eaec3b0db21d5f4c
2011-03-26 08:00:36 -------- d-----w- C:\90b445b9c714707fd4
2011-03-26 07:45:01 -------- d-----w- C:\97e4faf146464322cc34156f2734135f
2011-03-26 07:44:06 -------- d-----w- C:\c48df6810fe8389704ee4a4fa6
2011-03-26 04:18:38 -------- d-----w- c:\docume~1\alluse~1\applic~1\oMkDdBdOaMn06504
2011-03-13 12:14:06 -------- d-----w- c:\docume~1\zack&c~1\locals~1\applic~1\Roblox
2011-03-13 12:13:29 -------- d-----w- c:\docume~1\zack&c~1\locals~1\applic~1\RobloxVersions
2011-03-13 12:13:29 -------- d-----w- c:\docume~1\zack&c~1\locals~1\applic~1\RobloxDownloads
2011-03-12 06:23:59 -------- d-----w- c:\documents and settings\zack & colleen\NearRealityCachev111
.
==================== Find3M ====================
.
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-03 07:53:56 1409 ----a-w- c:\windows\QTFont.for
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 10:40:54.68 ===============


.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG. IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 27/06/2008 1:47:33 PM
System Uptime: 27/03/2011 10:38:27 AM (0 hours ago)
.
Motherboard: Gigabyte Technology Co., Ltd. | | 8IPE775/-G
Processor: Intel® Pentium® 4 CPU 3.40GHz | Socket 775 | 3416/200mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 112 GiB total, 61.693 GiB free.
D: is CDROM ()
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Ethernet Controller
Device ID: PCI\VEN_168C&DEV_0013&SUBSYS_3A131186&REV_01\4&1F7DBC9F&0&08F0
Manufacturer:
Name: Ethernet Controller
PNP Device ID: PCI\VEN_168C&DEV_0013&SUBSYS_3A131186&REV_01\4&1F7DBC9F&0&08F0
Service:
.
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Simple Communications Controller
Device ID: PCI\VEN_14F1&DEV_2F30&SUBSYS_20D514F1&REV_01\4&1F7DBC9F&0&20F0
Manufacturer:
Name: PCI Simple Communications Controller
PNP Device ID: PCI\VEN_14F1&DEV_2F30&SUBSYS_20D514F1&REV_01\4&1F7DBC9F&0&20F0
Service:
.
==== System Restore Points ===================
.
==== Installed Programs ======================
.
µTorrent
3100
3100_3200_3300_Help
3100_3200_3300trb
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 6.0.1
AiO_Scan_CDA
AiOSoftwareNPI
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ATI Display Driver
AutoUpdate
BigPond Broadband ADSL
blinkx Remote Toolbar
Bonjour
BufferChm
CCScore
Compatibility Pack for the 2007 Office system
Conduit Engine
CP_AtenaShokunin1Config
CP_CalendarTemplates1
CP_Package_Basic1
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
CP_Panorama1Config
Crawler Toolbar with Web Security Guard
CueTour
CustomerResearchQFolder
Destinations
DeviceFunctionQFolder
DeviceManagementQFolder
DivX Codec
DivX Converter
DivX Player
DivX Web Player
DocProc
DocumentViewer
DocumentViewerQFolder
ESSBrwr
ESSCDBK
ESScore
ESSgui
ESShelp
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTOOLS
essvatgt
essvcpt
eSupportQFolder
Fax_CDA
FullDPAppQFolder
GameSpy Arcade
Google Earth
Google Update Helper
HLPPDOCK
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB981793)
HP Document Viewer 5.3
HP Extended Capabilities 5.3
HP Image Zone 5.3
HP Imaging Device Functions 5.3
HP PSC & OfficeJet 5.3.A
HP Software Update
HP Solution Center & Imaging Support Tools 5.3
HPProductAssistant
InstantShareDevices
InterActual Player
iTunes
IWON
Java™ 6 Update 21
Junk Mail filter update
kgcbaby
kgcbase
kgchday
kgchlwn
kgcinvt
kgckids
kgcmove
kgcvday
Kodak EasyShare software
KSU
LiveUpdate
Malwarebytes' Anti-Malware
MarketResearch
Marvell Miniport Driver
McAfee Security Scan Plus
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Live Add-in 1.3
Microsoft Office XP Professional with FrontPage
Microsoft Publisher 2002
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft WSE 3.0 Runtime
Mozilla Firefox (3.6.16)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
Neffy 1,3,29,0
NewCopy_CDA
Norton 2000 1.0
Notifier
OfotoXMI
OTtBP
OTtBPSDK
Pando Media Booster
PanoStandAlone
PhotoGallery
PriceGong 2.1.0
ProductContextNPI
QuickTime
RandMap
Readme
Realtek AC'97 Audio
Roblox for Zack & Colleen
SAMSUNG Mobile Composite Device Software
SAMSUNG Mobile Modem Driver Set
Samsung Mobile phone USB driver Software
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung PC Studio 3
Samsung PC Studio 3 USB Driver Installer
Scan
ScannerCopy
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 7 (KB2360131)
Security Update for Windows Internet Explorer 7 (KB2416400)
Security Update for Windows Internet Explorer 7 (KB2482017)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360131)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982381)
Security Update for Windows XP (KB982665)
Segoe UI
SFR
SHASTA
SKIN0001
SkinsHP1
SKINXSDK
SolutionCenter
Sonic_PrimoSDK
Sony Picture Utility
staticcr
Status
Telstra Turbo Connection Manager
TrayApp
Unity Web Player
Unload
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
uTorrentBar Toolbar
Vegas Movie Studio Platinum 9.0
VideoLAN VLC media player 0.8.6h
VPRINTOL
WebFldrs XP
WebReg
Windows Driver Package - Atheros (arusb(Atheros)) Net (09/23/2008 3.0.0.131)
Windows Driver Package - MobileTop (sshpmdm) Modem (02/23/2007 2.5.0.0)
Windows Driver Package - MobileTop (sshpusb) USB (02/23/2007 2.5.0.0)
Windows Driver Package - NETGEAR (W8335XP) Net (02/22/2005 3.1.1.7)
Windows Driver Package - NETGEAR Inc. (RTLWUSB) Net (02/07/2007 5.1283.0207.2007)
Windows Driver Package - Thomson (USB_RNDIS) Net (02/16/2004 1.0.0.3)
Windows Genuine Advantage Notifications (KB905474)
Windows Imaging Component
Windows Internet Explorer 7
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Live Writer
Windows XP Service Pack 3
WinZip 14.5
WIRELESS
.
==== Event Viewer Messages From

Past Week ========
.
27/03/2011 9:58:27 AM, error:

Service Control Manager [7034] -

The Google Update Service

(gupdate) service terminated

unexpectedly. It has done this 1

time(s).
27/03/2011 9:39:08 AM, error:

Service Control Manager [7031] -

The Apple Mobile Device service

terminated unexpectedly. It has

done this 13 time(s). The

following corrective action will

be taken in 60000 milliseconds:

Restart the service.
27/03/2011 9:38:07 AM, error:

Service Control Manager [7031] -

The Apple Mobile Device service

terminated unexpectedly. It has

done this 12 time(s). The

following corrective action will

be taken in 60000 milliseconds:

Restart the service.
27/03/2011 9:37:07 AM, error:

Service Control Manager [7031] -

The Apple Mobile Device service

terminated unexpectedly. It has

done this 11 time(s). The

following corrective action will

be taken in 60000 milliseconds:

Restart the service.
27/03/2011 9:36:07 AM, error:

Service Control Manager [7031] -

The Apple Mobile Device service

terminated unexpectedly. It has

done this 10 time(s). The

following corrective action will

be taken in 60000 milliseconds:

Restart the service.
27/03/2011 9:35:07 AM, error:

Service Control Manager [7031] -

The Apple Mobile Device service

terminated unexpectedly. It has

done this 9 time(s). The

following corrective action will

be taken in 60000 milliseconds:

Restart the service.
27/03/2011 9:34:07 AM, error:

Service Control Manager [7031] -

The Apple Mobile Device service

terminated unexpectedly. It has

done this 8 time(s). The

following corrective action will

be taken in 60000 milliseconds:

Restart the service.
27/03/2011 9:33:07 AM, error:

Service Control Manager [7031] -

The Apple Mobile Device service

terminated unexpectedly. It has

done this 7 time(s). The

following corrective action will

be taken in 60000 milliseconds:

Restart the service.
27/03/2011 9:32:06 AM, error:

Service Control Manager [7031] -

The Apple Mobile Device service

terminated unexpectedly. It has

done this 6 time(s). The

following corrective action will

be taken in 60000 milliseconds:

Restart the service.
27/03/2011 9:31:06 AM, error:

Service Control Manager [7031] -

The Apple Mobile Device service

terminated unexpectedly. It has

done this 5 time(s). The

following corrective action will

be taken in 60000 milliseconds:

Restart the service.
27/03/2011 9:30:06 AM, error:

Service Control Manager [7031] -

The Apple Mobile Device service

terminated unexpectedly. It has

done this 4 time(s). The

following corrective action will

be taken in 60000 milliseconds:

Restart the service.
27/03/2011 9:29:06 AM, error:

Service Control Manager [7031] -

The Apple Mobile Device service

terminated unexpectedly. It has

done this 3 time(s). The

following corrective action will

be taken in 60000 milliseconds:

Restart the service.
27/03/2011 9:28:06 AM, error:

Service Control Manager [7031] -

The Apple Mobile Device service

terminated unexpectedly. It has

done this 2 time(s). The

following corrective action will

be taken in 60000 milliseconds:

Restart the service.
27/03/2011 9:27:33 AM, error:

DCOM [10000] - Unable to start a

DCOM Server:

{54ECA872-DB2A-4C6B-BBB2-F3777C67

86CC}. The error: "%5" Happened

while starting this command:

C:\PROGRA~1\Crawler\CToolbar.exe

-Embedding
27/03/2011 9:11:36 AM, error:

Service Control Manager [7026] -

The following boot-start or

system-start driver(s) failed to

load: AFD Fips intelppm IPSec

MRxSmb NetBIOS NetBT RasAcd Rdbss

StarOpen Tcpip
27/03/2011 9:11:36 AM, error:

Service Control Manager [7001] -

The TCP/IP NetBIOS Helper service

depends on the AFD Networking

Support Environment service which

failed to start because of the

following error: A device

attached to the system is not

functioning.
27/03/2011 9:11:36 AM, error:

Service Control Manager [7001] -

The IPSEC Services service

depends on the IPSEC driver

service which failed to start

because of the following error:

A device attached to the system

is not functioning.
27/03/2011 9:11:36 AM, error:

Service Control Manager [7001] -

The DNS Client service depends on

the TCP/IP Protocol Driver

service which failed to start

because of the following error:

A device attached to the system

is not functioning.
27/03/2011 9:11:36 AM, error:

Service Control Manager [7001] -

The Bonjour Service service

depends on the TCP/IP Protocol

Driver service which failed to

start because of the following

error: A device attached to the

system is not functioning.
27/03/2011 9:11:36 AM, error:

Service Control Manager [7001] -

The Apple Mobile Device service

depends on the TCP/IP Protocol

Driver service which failed to

start because of the following

error: A device attached to the

system is not functioning.
27/03/2011 9:04:08 AM, error:

Service Control Manager [7009] -

Timeout (30000 milliseconds)

waiting for the Apple Mobile

Device service to connect.
27/03/2011 9:04:08 AM, error:

Service Control Manager [7000] -

The Apple Mobile Device service

failed to start due to the

following error: The service did

not respond to the start or

control request in a timely

fashion.
27/03/2011 9:03:08 AM, error:

Service Control Manager [7034] -

The Pml Driver HPZ12 service

terminated unexpectedly. It has

done this 1 time(s).
27/03/2011 9:03:08 AM, error:

Service Control Manager [7034] -

The Java Quick Starter service

terminated unexpectedly. It has

done this 1 time(s).
27/03/2011 9:03:08 AM, error:

Service Control Manager [7034] -

The IMAPI CD-Burning COM Service

service terminated unexpectedly.

It has done this 1 time(s).
27/03/2011 9:03:08 AM, error:

Service Control Manager [7034] -

The Ati HotKey Poller service

terminated unexpectedly. It has

done this 1 time(s).
27/03/2011 9:03:08 AM, error:

Service Control Manager [7031] -

The Apple Mobile Device service

terminated unexpectedly. It has

done this 1 time(s). The

following corrective action will

be taken in 60000 milliseconds:

Restart the service.
27/03/2011 8:17:17 AM, error:

Service Control Manager [7034] -

The Bonjour Service service

terminated unexpectedly. It has

done this 1 time(s).
27/03/2011 10:40:28 AM, error:

Service Control Manager [7026] -

The following boot-start or

system-start driver(s) failed to

load: Fips intelppm StarOpen
26/03/2011 9:33:53 PM, error:

Service Control Manager [7001] -

The fssfltr service depends on

the TCP/IP Protocol Driver

service which failed to start

because of the following error:

A device attached to the system

is not functioning.
26/03/2011 9:33:53 PM, error:

Service Control Manager [7001] -

The DHCP Client service depends

on the NetBios over Tcpip service

which failed to start because of

the following error: A device

attached to the system is not

functioning.
26/03/2011 9:33:04 PM, error:

DCOM [10005] - DCOM got error

"%1084" attempting to start the

service netman with arguments ""

in order to run the server:

{BA126AE5-2166-11D1-B1D0-00805FC1

270E}
26/03/2011 9:33:01 PM, error:

DCOM [10005] - DCOM got error

"%1084" attempting to start the

service EventSystem with

arguments "" in order to run the

server:

{1BE1F766-5536-11D1-B726-00C04FB9

26AF}
22/03/2011 10:36:17 AM, error:

ati2mtag [45062] - CRT invalid

display type
.
==== End Of File

===========================

#6
Coalza

    New Member

  • Members
  • Pip
  • 11 posts
  • Gender:Female
  • Location:Victoria, Australia
Sorry, I ran that DDS thing before I read your last post.

#7
Kenny94

    Malware Fighter

  • Experts
  • PipPipPipPipPipPip
  • 2,655 posts
  • Gender:Male
  • Location:S.C USA
  • Interests:The workings of Apple's tablets and all PC'S

    Computing is not about computers any more. It is about living.
    ~Nicholas Negroponte
That's okay.... :) As in my previous post: download ComboFix in Safe Mode with Networking. Then post the ComboFix log.

#8
Coalza

    New Member

  • Members
  • Pip
  • 11 posts
  • Gender:Female
  • Location:Victoria, Australia
I'm sorry, it must be so frustrating working with an amateur.
I ran the ComboFix thing and it didn't get rid of it; I also didn't see a log to copy and paste.
I didn't disable any AntiVirus or AntiSpyware programs because there were none on the System Tray.
I looked through programs and I have Norton 2000, I don't know how to disable that.
I have McAfee Security Scan Plus, which when opened only gives me the options 'Update Now' and 'Cancel'. So I'm not sure if it needs to be disabled or not, but I'm not sure how.
Also, do I need to disable MBAM?

Again, I'm really sorry!

#9
Kenny94

    Malware Fighter

  • Experts
  • PipPipPipPipPipPip
  • 2,655 posts
  • Gender:Male
  • Location:S.C USA
  • Interests:The workings of Apple's tablets and all PC'S

    Computing is not about computers any more. It is about living.
    ~Nicholas Negroponte
Yes, disable MBAM. We can't remove this infection in one try, but we'll remove it.

Since you cannot access your infected computer, you will have to download the required tools from your clean computer and move them to the infected computer with some removable media, for example by burning them to a CD or writing them to a USB flash disk.

If you use a USB flash disk, I highly recommend you immunize it first, to prevent malware from using the USB flash drive to spread itself.

Please download Flash_Disinfector by sUBs from here and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run the tool
  • When requested, insert the USB flash disk(s) you want to immunize/disinfect
  • Hold down the Shift key when inserting the drive(s) until Windows detects the drive
  • Click OK to start the disinfection process
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that you choose to disinfect. Do not delete that folder!

====================



You should have combofix.exe on your Desktop. Right. Okay, we are going to use a tool to help us run combofix in normal mode. Place this tool WiNlOgOn.exe or uSeRiNiT.exe on your infected PC desktop. Then we'll run ComboFix in normal mode. Ready.. Take your time, I'm not going anywhere.


Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 2 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click and choose Run as Admin
You only need to get one of them to run, not both of them.


Once you've gotten one of them to run then try to immediately run the following:



  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.


    You can get help on disabling your protection programs here

  • Double click on combofix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.

    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:

    The Recovery Console was successfully installed.

    Click on Yes, to continue scanning for malware.

  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


#10
Kenny94

    Malware Fighter

  • Experts
  • PipPipPipPipPipPip
  • 2,655 posts
  • Gender:Male
  • Location:S.C USA
  • Interests:The workings of Apple's tablets and all PC'S

    Computing is not about computers any more. It is about living.
    ~Nicholas Negroponte
By the way, if you can't disable Norton 2000, just run ComboFix anyway.

#11
Coalza

    New Member

  • Members
  • Pip
  • 11 posts
  • Gender:Female
  • Location:Victoria, Australia
ComboFix 11-03-26.01 - Zack & Colleen 27/03/2011 12:22:21.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.706 [GMT 11:00]
Running from: c:\documents and settings\Zack & Colleen\My Documents\Downloads\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\oMkDdBdOaMn06504
c:\documents and settings\All Users\Application Data\oMkDdBdOaMn06504\oMkDdBdOaMn06504
c:\documents and settings\All Users\Application Data\oMkDdBdOaMn06504\oMkDdBdOaMn06504.exe
c:\documents and settings\All Users\Start Menu\HP Image Zone .lnk
c:\documents and settings\Zack & Colleen\My Documents\Desktop_.ini
c:\program files\blinkx Remote Toolbar\thE_blinkx_bho.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-02-27 to 2011-03-27 )))))))))))))))))))))))))))))))
.
.
2011-03-26 23:52 . 2011-03-27 00:23 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-03-26 09:06 . 2011-03-26 09:06 -------- d-----w- C:\f5fcc391bb7e702f4be258223716
2011-03-26 09:06 . 2011-03-26 09:06 -------- d-----w- C:\bcc42e3541eb221b28f80cdeab
2011-03-26 08:58 . 2011-03-26 08:58 -------- d-----w- C:\6f437a5fc8a0b1a93ffb81d741524752
2011-03-26 08:57 . 2011-03-26 08:57 -------- d-----w- C:\25bec85c0760eaec3b0db21d5f4c
2011-03-26 08:00 . 2011-03-26 08:00 -------- d-----w- C:\90b445b9c714707fd4
2011-03-26 07:45 . 2011-03-26 07:45 -------- d-----w- C:\97e4faf146464322cc34156f2734135f
2011-03-26 07:44 . 2011-03-26 07:44 -------- d-----w- C:\c48df6810fe8389704ee4a4fa6
2011-03-13 12:14 . 2011-03-13 12:44 -------- d-----w- c:\documents and settings\Zack & Colleen\Local Settings\Application Data\Roblox
2011-03-12 06:23 . 2011-03-12 06:24 -------- d-----w- c:\documents and settings\Zack & Colleen\NearRealityCachev111
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:53 . 2002-08-28 17:41 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2002-08-28 17:40 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-03 07:53 . 2011-02-03 07:53 1409 ----a-w- c:\windows\QTFont.for
2011-02-02 07:58 . 2008-06-27 03:42 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2008-06-27 03:42 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2002-08-28 17:41 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-21 10:40 . 2009-11-13 04:45 5632 ----a-w- c:\windows\system32\drivers\StarOpen.sys
2011-01-07 14:09 . 2001-08-23 02:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2002-08-28 16:14 1854976 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files\uTorrentBar\tbuTo1.dll" [2011-03-09 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1631550F-191D-4826-B069-D9439253D926}]
2010-03-28 19:47 353656 ----a-w- c:\program files\PriceGong\2.1.0\PriceGongIE.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2011-03-09 23:19 3911776 ----a-w- c:\program files\ConduitEngine\ConduitEngin0.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
2011-03-09 23:19 3911776 ----a-w- c:\program files\uTorrentBar\tbuTo1.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files\uTorrentBar\tbuTo1.dll" [2011-03-09 3911776]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngin0.dll" [2011-03-09 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC}"= "c:\program files\uTorrentBar\tbuTo1.dll" [2011-03-09 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"blinkx_toolbar"="c:\program files\blinkx Remote Toolbar\the_blinkx_toolbar.exe" [2009-09-16 196608]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-08-02 577536]
"autodetect"="c:\windows\system32\SupportAppXL\AutoDect.exe" [2008-08-07 91648]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Zack & Colleen\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2008-12-23 385024]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-12 73728]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2006-6-2 180224]
KODAK Software Updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-2-13 16423]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2010-4-5 494920]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\empires2.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56385:TCP"= 56385:TCP:Pando Media Booster
"56385:UDP"= 56385:UDP:Pando Media Booster
.
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/11/2010 9:28 AM 136176]
S2 IWONGService;IWON Service;c:\progra~1\IWONG\bar\1.bin\9ubarsvc.exe [7/10/2010 10:26 AM 28766]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [29/01/2010 10:10 AM 7680]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [15/01/2010 11:49 PM 227232]
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 00:50]
.
2011-03-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-01 22:28]
.
2011-03-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-01 22:28]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.crawler.com/homepage.aspx?tbid=60475
mSearch Bar = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: Crawler Search - tbr:iemenu
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\Crawler\ctbr.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Zack & Colleen\Application Data\Mozilla\Firefox\Profiles\oa2j6eys.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - ALOT Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - prefs.js: keyword.URL - hxxp://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=ZVxdm140YYAU&ptb=13ABCC14-2691-4C62-9658-758ECBBD2079&psa=&ind=2010100621&ptnrS=ZVxdm140YYAU&si=gua182401&st=kwd&n=77cfb38d&searchfor=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: IWON: 9uffxtbr@IWONG.com - c:\program files\IWONG\bar\1.bin
FF - Ext: Crawler Toolbar: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - c:\program files\Crawler\firefox
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: ALOT Toolbar: toolbar@alot.com - %profile%\extensions\toolbar@alot.com
FF - Ext: Battlefield Heroes Updater: battlefieldheroespatcher@ea.com - %profile%\extensions\battlefieldheroespatcher@ea.com
FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
FF - Ext: uTorrentBar Community Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - %profile%\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}
FF - Ext: PriceGong: {8A9386B4-E958-4c4c-ADF4-8F26DB3E4829} - c:\program files\PriceGong\2.1.0\FF
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
AddRemove-SimParkDemov1.0 - c:\maxis\ParkDemo\DeIsL1.isu
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-27 12:30
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(676)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2011-03-27 12:33:12
ComboFix-quarantined-files.txt 2011-03-27 01:33
.
Pre-Run: 66,148,859,904 bytes free
Post-Run: 71,694,073,856 bytes free
.
- - End Of File - - 911D746732659E4178EEC1789BE35C18
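The two logs above carry three indicators worth pulling out mechanically: an executable under a randomly named folder in All Users\Application Data (the oMkDdBdOaMn06504 entry ComboFix deleted), the Security Center "AntiVirusOverride"=dword:00000001 value that silences the missing-antivirus warning, and the Event ID 7026 messages listing core networking drivers that failed to load. The following Python script is an added example, not part of this thread or of the DDS/ComboFix tools; its entropy threshold and driver list are assumptions, and its sample input is lines trimmed from the logs posted above.

```python
"""Triage heuristics for text logs like the DDS and ComboFix reports above.

Indicators checked (all present in the posted logs):
  1. an .exe under a randomly named folder in All Users\\Application Data,
  2. Security Center "AntiVirusOverride"=dword:00000001,
  3. Event ID 7026 naming core networking drivers that failed to load.
Thresholds and the driver list are this example's assumptions.
"""
import math
import re
from collections import Counter

# Assumption: boot-start drivers without which XP networking does not work.
CORE_NET_DRIVERS = {"afd", "tcpip", "netbt", "ipsec", "netbios"}

# Constructed sample: lines trimmed from the DDS and ComboFix logs posted above.
SAMPLE_LOG = r"""
27/03/2011 9:11:36 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss StarOpen Tcpip
27/03/2011 10:40:28 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm StarOpen
c:\documents and settings\All Users\Application Data\oMkDdBdOaMn06504\oMkDdBdOaMn06504.exe
c:\documents and settings\All Users\Application Data\MFAData
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"""

EXE_UNDER_APPDATA = re.compile(
    r"[a-z]:\\documents and settings\\all users\\application data\\"
    r"(?P<dir>[^\\\r\n]+)\\[^\\\r\n]+\.exe",
    re.IGNORECASE,
)
AV_OVERRIDE = re.compile(r'"AntiVirusOverride"\s*=\s*dword:0*1\b', re.IGNORECASE)
DRIVERS_FAILED = re.compile(r"\[7026\].*?failed to load:\s*(?P<drivers>[^\r\n]+)", re.IGNORECASE)


def shannon_entropy(text: str) -> float:
    """Bits per character; machine-generated names score higher than words."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def random_looking(name: str, min_len: int = 12, min_entropy: float = 3.3) -> bool:
    """Heuristic for names like oMkDdBdOaMn06504: long, no spaces, mixing
    upper case, lower case and digits, with high character entropy."""
    if len(name) < min_len or " " in name:
        return False
    mixed = (any(c.islower() for c in name)
             and any(c.isupper() for c in name)
             and any(c.isdigit() for c in name))
    return mixed and shannon_entropy(name) >= min_entropy


def failed_core_drivers(log_text: str) -> list[str]:
    """Drivers from CORE_NET_DRIVERS named in any Event ID 7026 message,
    in order of first appearance (a 7026 naming only Fips/intelppm is not flagged)."""
    seen: list[str] = []
    for m in DRIVERS_FAILED.finditer(log_text):
        for drv in m.group("drivers").split():
            if drv.lower() in CORE_NET_DRIVERS and drv not in seen:
                seen.append(drv)
    return seen


def suspicious_appdata_exes(log_text: str) -> list[str]:
    """Full paths of executables living under a random-looking folder in
    All Users\\Application Data, exactly as they appear in the log."""
    return [m.group(0) for m in EXE_UNDER_APPDATA.finditer(log_text)
            if random_looking(m.group("dir"))]


def triage(log_text: str) -> dict:
    """Run all three checks over raw log text and return the findings."""
    return {
        "rogue_executables": suspicious_appdata_exes(log_text),
        "av_override": AV_OVERRIDE.search(log_text) is not None,
        "network_drivers_failed": failed_core_drivers(log_text),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feed it the full text of a DDS or ComboFix report and it reports the same three findings; anything it flags still needs a human to confirm, since legitimate installers also create oddly named folders.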

#12
Kenny94

    Malware Fighter

  • Experts
  • PipPipPipPipPipPip
  • 2,655 posts
  • Gender:Male
  • Location:S.C USA
  • Interests:The workings of Apple's tablets and all PC'S

    Computing is not about computers any more. It is about living.
    ~Nicholas Negroponte
Nice Job!! Okay, we need to run ComboFix again, but a little different.

  • Close any open browsers.
  • Open Notepad by clicking Start
  • Click Run
  • Type notepad into the box and press Enter
  • Notepad will open
  • Copy and Paste everything from the Code box into Notepad:
KILLALL::
Folder::
c:\documents and settings\All Users\Application Data\MFAData
C:\f5fcc391bb7e702f4be258223716
C:\bcc42e3541eb221b28f80cdeab
C:\6f437a5fc8a0b1a93ffb81d741524752
C:\25bec85c0760eaec3b0db21d5f4c
C:\90b445b9c714707fd4
C:\97e4faf146464322cc34156f2734135f
C:\c48df6810fe8389704ee4a4fa6

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56385:TCP"=-
"56385:UDP"=-

Reglock:: 
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]


Save the file to your desktop and name it CFScript.txt


Then drag CFScript.txt onto ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.
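A dry-run parser for the CFScript format used in the post above, added here as an example and not ComboFix's own code. The meaning it assigns to each directive (KILLALL:: stops running programs, Folder:: deletes folders, Registry:: applies REGEDIT4-style edits where "name"=- deletes a value, Reglock:: resets key permissions) is my reading of the format, an assumption; the embedded sample is a copy of the script posted.

```python
"""Dry-run parser for a ComboFix CFScript (added example, not ComboFix's code).

The meaning given to each directive is my reading of the format (an
assumption): KILLALL:: stops running programs, Folder:: deletes folders,
Registry:: applies REGEDIT4-style edits ("name"=- deletes a value, [-key]
deletes a key) and Reglock:: resets permissions on the listed keys.
"""
import re
from typing import Dict, List, Tuple

DIRECTIVES = ("killall", "folder", "registry", "reglock")

# Constructed copy of the script posted in this thread, paths as posted.
SAMPLE_SCRIPT = r"""KILLALL::
Folder::
c:\documents and settings\All Users\Application Data\MFAData
C:\f5fcc391bb7e702f4be258223716
C:\bcc42e3541eb221b28f80cdeab
C:\6f437a5fc8a0b1a93ffb81d741524752
C:\25bec85c0760eaec3b0db21d5f4c
C:\90b445b9c714707fd4
C:\97e4faf146464322cc34156f2734135f
C:\c48df6810fe8389704ee4a4fa6

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56385:TCP"=-
"56385:UDP"=-

Reglock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
"""

_SECTION_RE = re.compile(r"^(\w+)::\s*$")          # e.g. "Folder::"
_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")             # "[key]" or "[-key]" (delete)
_VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')          # "name"=data, "-" means delete


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split a script into sections keyed by lower-cased directive name."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        head = _SECTION_RE.match(line)
        if head:
            current = head.group(1).lower()
            if current not in DIRECTIVES:
                raise ValueError(f"unknown directive {head.group(1)}::")
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"line before any directive: {line!r}")
        else:
            sections[current].append(line)
    return sections


def plan_registry(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Turn a Registry:: section into (action, key, value-name) tuples."""
    plan, key = [], None
    for line in lines:
        km = _KEY_RE.match(line)
        if km:
            key = km.group(2)
            if km.group(1) == "-":
                plan.append(("delete_key", key, ""))
            continue
        vm = _VALUE_RE.match(line)
        if vm is None or key is None:
            raise ValueError(f"malformed or keyless registry line: {line!r}")
        name, data = vm.groups()
        plan.append(("delete_value" if data == "-" else "set_value", key, name))
    return plan


def validate(sections: Dict[str, List[str]]) -> List[str]:
    """Checks a helper would run before handing a script to a user."""
    warnings = []
    for path in sections.get("folder", []):
        if not re.match(r"^[A-Za-z]:\\", path):
            warnings.append(f"Folder:: entry is not an absolute path: {path}")
    for key in sections.get("reglock", []):
        if not _KEY_RE.match(key):
            warnings.append(f"Reglock:: entry is not a [key]: {key}")
    try:
        plan_registry(sections.get("registry", []))
    except ValueError as exc:
        warnings.append(str(exc))
    return warnings


if __name__ == "__main__":
    for warning in validate(parse_cfscript(SAMPLE_SCRIPT)):
        print("WARNING:", warning)
```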

#13
Coalza

ComboFix 11-03-26.01 - Zack & Colleen 27/03/2011 13:09:11.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.641 [GMT 11:00]
Running from: c:\documents and settings\Zack & Colleen\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Zack & Colleen\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\25bec85c0760eaec3b0db21d5f4c
c:\25bec85c0760eaec3b0db21d5f4c\compappscontent.dll
c:\25bec85c0760eaec3b0db21d5f4c\en-us\amhelp.chm
c:\25bec85c0760eaec3b0db21d5f4c\en-us\epploc.cab
c:\25bec85c0760eaec3b0db21d5f4c\epplauncher.exe
c:\25bec85c0760eaec3b0db21d5f4c\eppmanifest.dll
c:\25bec85c0760eaec3b0db21d5f4c\setup.ini
c:\25bec85c0760eaec3b0db21d5f4c\setupres.dll
C:\6f437a5fc8a0b1a93ffb81d741524752
c:\6f437a5fc8a0b1a93ffb81d741524752\dw20shared.msi
c:\6f437a5fc8a0b1a93ffb81d741524752\legitlib.dll
c:\6f437a5fc8a0b1a93ffb81d741524752\mp_ambits.msi
c:\6f437a5fc8a0b1a93ffb81d741524752\msse.msi
c:\6f437a5fc8a0b1a93ffb81d741524752\setup.exe
c:\6f437a5fc8a0b1a93ffb81d741524752\setup.ini
c:\6f437a5fc8a0b1a93ffb81d741524752\setupres.dll
c:\6f437a5fc8a0b1a93ffb81d741524752\windowsxp-kb914882-x86.exe
C:\90b445b9c714707fd4
C:\97e4faf146464322cc34156f2734135f
C:\bcc42e3541eb221b28f80cdeab
c:\bcc42e3541eb221b28f80cdeab\mrt.exe
c:\bcc42e3541eb221b28f80cdeab\mrtstub.exe
C:\c48df6810fe8389704ee4a4fa6
c:\documents and settings\All Users\Application Data\MFAData
c:\documents and settings\All Users\Application Data\MFAData\logs\mfa-20110326-235233.log
c:\documents and settings\All Users\Application Data\MFAData\logs\mfa-20110327-002311.log
c:\documents and settings\All Users\Application Data\MFAData\logs\msi-20110327-002311.log
c:\documents and settings\All Users\Application Data\MFAData\mfaurlconf.ini
c:\documents and settings\All Users\Application Data\MFAData\pack\avg10infoavi.ctf
c:\documents and settings\All Users\Application Data\MFAData\pack\avg10infooi.ctf
c:\documents and settings\All Users\Application Data\MFAData\pack\avg10infowin.ctf
c:\documents and settings\All Users\Application Data\MFAData\pack\Avgx86.msi
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\poi10free_lic8gq.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\poi10free_mis15el.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\w10avgx1204bl.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\free_mis.mdf
c:\documents and settings\All Users\Application Data\MFAData\pack\lic.mdf
C:\f5fcc391bb7e702f4be258223716
c:\f5fcc391bb7e702f4be258223716\compappscontent.dll
c:\f5fcc391bb7e702f4be258223716\en-us\amhelp.chm
c:\f5fcc391bb7e702f4be258223716\en-us\epploc.cab
c:\f5fcc391bb7e702f4be258223716\en-us\epploc_x86.msi
c:\f5fcc391bb7e702f4be258223716\en-us\eula.rtf
c:\f5fcc391bb7e702f4be258223716\en-us\setupres.dll.mui
c:\f5fcc391bb7e702f4be258223716\epplauncher.exe
c:\f5fcc391bb7e702f4be258223716\eppmanifest.dll
c:\f5fcc391bb7e702f4be258223716\setup.ini
c:\f5fcc391bb7e702f4be258223716\setupres.dll
c:\f5fcc391bb7e702f4be258223716\x86\dw20shared.msi
c:\f5fcc391bb7e702f4be258223716\x86\epp.msi
c:\f5fcc391bb7e702f4be258223716\x86\legitlib.dll
c:\f5fcc391bb7e702f4be258223716\x86\setup.exe
c:\f5fcc391bb7e702f4be258223716\x86\sqmapi.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-02-27 to 2011-03-27 )))))))))))))))))))))))))))))))
.
.
2011-03-13 12:14 . 2011-03-13 12:44 -------- d-----w- c:\documents and settings\Zack & Colleen\Local Settings\Application Data\Roblox
2011-03-12 06:23 . 2011-03-12 06:24 -------- d-----w- c:\documents and settings\Zack & Colleen\NearRealityCachev111
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:53 . 2002-08-28 17:41 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2002-08-28 17:40 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-03 07:53 . 2011-02-03 07:53 1409 ----a-w- c:\windows\QTFont.for
2011-02-02 07:58 . 2008-06-27 03:42 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2008-06-27 03:42 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2002-08-28 17:41 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-21 10:40 . 2009-11-13 04:45 5632 ----a-w- c:\windows\system32\drivers\StarOpen.sys
2011-01-07 14:09 . 2001-08-23 02:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2002-08-28 16:14 1854976 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2011-03-27_01.30.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-03-27 02:15 . 2011-03-27 02:15 16384 c:\windows\temp\Perflib_Perfdata_79c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files\uTorrentBar\tbuTo1.dll" [2011-03-09 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1631550F-191D-4826-B069-D9439253D926}]
2010-03-28 19:47 353656 ----a-w- c:\program files\PriceGong\2.1.0\PriceGongIE.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2011-03-09 23:19 3911776 ----a-w- c:\program files\ConduitEngine\ConduitEngin0.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
2011-03-09 23:19 3911776 ----a-w- c:\program files\uTorrentBar\tbuTo1.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files\uTorrentBar\tbuTo1.dll" [2011-03-09 3911776]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngin0.dll" [2011-03-09 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC}"= "c:\program files\uTorrentBar\tbuTo1.dll" [2011-03-09 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"blinkx_toolbar"="c:\program files\blinkx Remote Toolbar\the_blinkx_toolbar.exe" [2009-09-16 196608]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-08-02 577536]
"autodetect"="c:\windows\system32\SupportAppXL\AutoDect.exe" [2008-08-07 91648]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Zack & Colleen\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2008-12-23 385024]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-12 73728]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2006-6-2 180224]
KODAK Software Updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-2-13 16423]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2010-4-5 494920]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\empires2.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/11/2010 9:28 AM 136176]
S2 IWONGService;IWON Service;c:\progra~1\IWONG\bar\1.bin\9ubarsvc.exe [7/10/2010 10:26 AM 28766]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [29/01/2010 10:10 AM 7680]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [15/01/2010 11:49 PM 227232]
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 00:50]
.
2011-03-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-01 22:28]
.
2011-03-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-01 22:28]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://home.alot.com/?client_id=64B70DA001CB7A5801E6C25A&src_id=11649&camp_id=1500&tb_version=2.5.15000.521
mSearch Bar = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Zack & Colleen\Application Data\Mozilla\Firefox\Profiles\oa2j6eys.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - ALOT Search
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://search.alot.com/web?&src_id=11649&client_id=9846788c29f85ca76478c4a4&camp_id=1500&install_time=2010-10-31T12:50Z&tb_version=2.4.4000%28F%29&pr=auto&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: IWON: 9uffxtbr@IWONG.com - c:\program files\IWONG\bar\1.bin
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: ALOT Toolbar: toolbar@alot.com - %profile%\extensions\toolbar@alot.com
FF - Ext: Battlefield Heroes Updater: battlefieldheroespatcher@ea.com - %profile%\extensions\battlefieldheroespatcher@ea.com
FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
FF - Ext: uTorrentBar Community Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - %profile%\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}
FF - Ext: PriceGong: {8A9386B4-E958-4c4c-ADF4-8F26DB3E4829} - c:\program files\PriceGong\2.1.0\FF
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-27 13:17
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(676)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(3264)
c:\windows\system32\WININET.dll
c:\docume~1\ZACK&C~1\LOCALS~1\Temp\IadHide5.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\WgaTray.exe
c:\windows\SOUNDMAN.EXE
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
.
**************************************************************************
.
Completion time: 2011-03-27 13:20:44 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-27 02:20
ComboFix2.txt 2011-03-27 01:33
.
Pre-Run: 71,722,422,272 bytes free
Post-Run: 71,649,361,920 bytes free
.
- - End Of File - - F71F635A3132E0A75C5136BA46A17F57

#14
Kenny94

Smile we are getting closer.... :)


Update and Run Malwarebytes


  • Launch Malwarebytes' Anti-Malware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

#15
Coalza

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6179

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

27/03/2011 1:39:39 PM
mbam-log-2011-03-27 (13-39-39).txt

Scan type: Quick scan
Objects scanned: 151995
Time elapsed: 3 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\z2010MegawildAdverpopper.DLL (Adware.PlayMP3z.Gen) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\zack & colleen\my documents\downloads\VLCSetup.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\zack & colleen\my documents\downloads\xvidsetup.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\zack & colleen\my documents\downloads\WiNlOgOn.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

#16
Kenny94

Looking good! How is your PC doing Coalza?

Let me check your security, so this will not happen again. By the way, you should remove uTorrent. Using P2P (peer-to-peer) software is very risky, because it makes you very susceptible to infection, attack, and exposure of personal or company information. But it is up to you whether to remove uTorrent.

Download Security Check from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


#17
Coalza

Yeah, it's running like a dream now! Thank you!

After I did the security check, the checkup document was empty.
The security check box says "The system cannot find the path specified."

#18
Kenny94

The reason is you have no anti-virus program. So, let's add one to your PC.


Anti-virus software consists of programs that detect, clean and erase harmful virus files on a computer, web server or network.
Unchecked virus files can unintentionally be forwarded to others, including trading partners, thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. It can alert the user if a virus is present and will clean, delete (or quarantine) infected files or directories.

Here's the one I use below and it's free.

  • Avira AntiVir Personal - Free anti-virus software for Windows. Detects and removes more than 50000 viruses. Free support.


Perform a full scan with Avira and let it delete everything it is finding.
Then reboot.
After reboot, open your Avira and select "reports".
There doubleclick the report from the Full scan you have done. Click the "Report File" button and copy and paste this report in your next reply.

#19
Coalza

Avira AntiVir Personal
Report file date: Sunday, 27 March 2011 14:36

Scanning for 2533833 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : Zack & Colleen
Computer name : ZC-S2VCX35UWDY0

Version information:
BUILD.DAT : 10.0.0.635 31822 Bytes 3/7/2011 12:15:00
AVSCAN.EXE : 10.0.3.5 435368 Bytes 3/4/2011 03:36:52
AVSCAN.DLL : 10.0.3.0 46440 Bytes 4/1/2010 01:57:04
LUKE.DLL : 10.0.3.2 104296 Bytes 3/4/2011 03:36:59
LUKERES.DLL : 10.0.0.1 12648 Bytes 2/10/2010 12:40:49
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 22:05:36
VBASE001.VDF : 7.11.0.0 13342208 Bytes 12/14/2010 03:37:07
VBASE002.VDF : 7.11.3.0 1950720 Bytes 2/9/2011 03:37:08
VBASE003.VDF : 7.11.3.1 2048 Bytes 2/9/2011 03:37:08
VBASE004.VDF : 7.11.3.2 2048 Bytes 2/9/2011 03:37:08
VBASE005.VDF : 7.11.3.3 2048 Bytes 2/9/2011 03:37:08
VBASE006.VDF : 7.11.3.4 2048 Bytes 2/9/2011 03:37:08
VBASE007.VDF : 7.11.3.5 2048 Bytes 2/9/2011 03:37:08
VBASE008.VDF : 7.11.3.6 2048 Bytes 2/9/2011 03:37:08
VBASE009.VDF : 7.11.3.7 2048 Bytes 2/9/2011 03:37:08
VBASE010.VDF : 7.11.3.8 2048 Bytes 2/9/2011 03:37:08
VBASE011.VDF : 7.11.3.9 2048 Bytes 2/9/2011 03:37:09
VBASE012.VDF : 7.11.3.10 2048 Bytes 2/9/2011 03:37:09
VBASE013.VDF : 7.11.3.59 157184 Bytes 2/14/2011 03:37:09
VBASE014.VDF : 7.11.3.97 120320 Bytes 2/16/2011 03:37:09
VBASE015.VDF : 7.11.3.148 128000 Bytes 2/19/2011 03:37:09
VBASE016.VDF : 7.11.3.183 140288 Bytes 2/22/2011 03:37:09
VBASE017.VDF : 7.11.3.216 124416 Bytes 2/24/2011 07:02:23
VBASE018.VDF : 7.11.3.251 159232 Bytes 2/28/2011 05:08:03
VBASE019.VDF : 7.11.4.33 148992 Bytes 3/2/2011 07:30:49
VBASE020.VDF : 7.11.4.73 150016 Bytes 3/6/2011 05:14:47
VBASE021.VDF : 7.11.4.108 122880 Bytes 3/8/2011 03:34:41
VBASE022.VDF : 7.11.4.150 133120 Bytes 3/10/2011 03:34:44
VBASE023.VDF : 7.11.4.183 122368 Bytes 3/14/2011 03:34:46
VBASE024.VDF : 7.11.4.228 123392 Bytes 3/16/2011 03:34:48
VBASE025.VDF : 7.11.5.8 246272 Bytes 3/21/2011 03:34:50
VBASE026.VDF : 7.11.5.38 137216 Bytes 3/23/2011 03:34:52
VBASE027.VDF : 7.11.5.39 2048 Bytes 3/23/2011 03:34:52
VBASE028.VDF : 7.11.5.40 2048 Bytes 3/23/2011 03:34:52
VBASE029.VDF : 7.11.5.41 2048 Bytes 3/23/2011 03:34:53
VBASE030.VDF : 7.11.5.42 2048 Bytes 3/23/2011 03:34:53
VBASE031.VDF : 7.11.5.79 142848 Bytes 3/25/2011 03:34:54
Engineversion : 8.2.4.192
AEVDF.DLL : 8.1.2.1 106868 Bytes 3/4/2011 03:36:49
AESCRIPT.DLL : 8.1.3.57 1261947 Bytes 3/27/2011 03:35:24
AESCN.DLL : 8.1.7.2 127349 Bytes 3/4/2011 03:36:48
AESBX.DLL : 8.1.3.2 254324 Bytes 3/4/2011 03:36:48
AERDL.DLL : 8.1.9.9 639347 Bytes 3/27/2011 03:35:21
AEPACK.DLL : 8.2.4.13 524662 Bytes 3/27/2011 03:35:18
AEOFFICE.DLL : 8.1.1.18 205178 Bytes 3/27/2011 03:35:15
AEHEUR.DLL : 8.1.2.91 3387767 Bytes 3/27/2011 03:35:14
AEHELP.DLL : 8.1.16.1 246134 Bytes 3/4/2011 03:36:41
AEGEN.DLL : 8.1.5.3 397684 Bytes 3/27/2011 03:34:59
AEEMU.DLL : 8.1.3.0 393589 Bytes 3/4/2011 03:36:40
AECORE.DLL : 8.1.19.2 196983 Bytes 3/4/2011 03:36:40
AEBB.DLL : 8.1.1.0 53618 Bytes 3/4/2011 03:36:39
AVWINLL.DLL : 10.0.0.0 19304 Bytes 3/4/2011 03:36:53
AVPREF.DLL : 10.0.0.0 44904 Bytes 3/4/2011 03:36:52
AVREP.DLL : 10.0.0.8 62209 Bytes 6/17/2010 03:27:13
AVREG.DLL : 10.0.3.2 53096 Bytes 3/4/2011 03:36:52
AVSCPLR.DLL : 10.0.3.2 84328 Bytes 3/4/2011 03:36:53
AVARKT.DLL : 10.0.22.6 231784 Bytes 3/4/2011 03:36:50
AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 3/4/2011 03:36:51
SQLITE3.DLL : 3.6.19.0 355688 Bytes 6/17/2010 03:27:22
AVSMTP.DLL : 10.0.0.17 63848 Bytes 3/4/2011 03:36:53
NETNT.DLL : 10.0.0.0 11624 Bytes 6/17/2010 03:27:21
RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 3/4/2011 03:37:12
RCTEXT.DLL : 10.0.58.0 97128 Bytes 3/4/2011 03:37:12

Configuration settings for the scan:
Jobname.............................: Short system scan after installation
Configuration file..................: c:\program files\avira\antivir desktop\setupprf.dat
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: off
Integrity checking of system files..: off
Scan all files......................: Intelligent file selection
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Sunday, 27 March 2011 14:36

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avconfig.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avshadow.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'setup.exe' - '1' Module(s) have been scanned
Scan process 'msiexec.exe' - '1' Module(s) have been scanned
Scan process 'presetup.exe' - '1' Module(s) have been scanned
Scan process 'avira_antivir_personal_en.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'hprblog.exe' - '1' Module(s) have been scanned
Scan process 'hpqSTE08.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'hpqimzone.exe' - '1' Module(s) have been scanned
Scan process 'SPUVolumeWatcher.exe' - '1' Module(s) have been scanned
Scan process 'WZQKPICK.EXE' - '1' Module(s) have been scanned
Scan process 'SSScheduler.exe' - '1' Module(s) have been scanned
Scan process 'Kodak Software Updater.exe' - '1' Module(s) have been scanned
Scan process 'EasyShare.exe' - '1' Module(s) have been scanned
Scan process 'hpqtra08.exe' - '1' Module(s) have been scanned
Scan process 'the_blinkx_toolbar.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'QTTask.exe' - '1' Module(s) have been scanned
Scan process 'HPWuSchd2.exe' - '1' Module(s) have been scanned
Scan process 'AutoDect.exe' - '1' Module(s) have been scanned
Scan process 'SOUNDMAN.EXE' - '1' Module(s) have been scanned
Scan process 'Explorer.EXE' - '1' Module(s) have been scanned
Scan process 'WgaTray.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'Ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'Ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!

Start scanning boot sectors:

Starting to scan executable files (registry).
The registry was scanned ( '1716' files ).



End of the scan: Sunday, 27 March 2011 14:36
Used time: 00:42 Minute(s)

The scan has been done completely.

0 Scanned directories
2198 Files were scanned
0 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
2198 Files not concerned
5 Archives were scanned
0 Warnings
0 Notes

#20
Kenny94

You really did a fantastic job Coalza!!!! We dropped a train on this malware!..... :D


Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.




To clear your Java cache:

Click Start > Control Panel.
In the Control Panel, double-click the "Java" icon in the control panel. The Java Control Panel then appears.
Under the header "Temporary Internet Files", select the "Settings" button.


Don't change any of the settings, then click "Delete Files".


Next, the Delete Temporary Files dialog box appears.


Make sure both boxes are ticked, and hit the OK button.

=========================================================================

Your Computer is Clean


Some final items:


Follow these steps to uninstall Combofix and tools used in the removal of malware

  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the x and /)
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.


Here are some additional links for you to check out to help you with your computer security.

Browsers

Just because your computer came loaded with Internet Explorer doesn't mean that you have to use it; there are other free alternatives, FIREFOX and OPERA, both of which are free to use and are more secure than IE.

If you are using Firefox you can stay more secure by adding NoScript and WOT (Web Of Trust).

NoScript stops Java scripts from starting on a web page unless you give permission for them, and WOT (Web Of Trust) has a comprehensive list of ratings for different websites allowing you to easily see if a website that you are about to go to has a bad reputation; in fact it will warn you to check if you are sure that you want to continue to a bad website.
  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.

Additional Security Measures


Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
A tutorial for Spywareblaster can be found here.

Cookienator - Scans your PC for tracking cookies in multiple browsers as well as in Adobe Flash.

Secunia software inspector & update checker

Auslogics Disc Defrag or JKDefrag - Two good disc defragmenters for you to choose from to help speed up your computer.

Visit My Blog for Malware and Spyware Tips


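As an added check (example code, not from Kenny94's post or from Malwarebytes): a PowerShell script that reads the per-user registry values behind the Internet Explorer Security > Custom Level dialog for the Internet zone and reports which of the six settings listed above are still weaker than the post recommends, with an optional function to apply them. It assumes the zone-3 registry path and the action IDs from Microsoft KB182569 (1001, 1004, 1201, 1607, 1800, 1804); the function names are hypothetical.

```powershell
# Added example (not from the original thread). Audits the Internet zone (zone 3)
# settings from the post by reading the registry values IE stores them in.
# Action IDs follow Microsoft KB182569; values: 0 = Enable, 1 = Prompt, 3 = Disable.
$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Recommended values from the post, keyed by the action ID IE uses in the registry.
$Recommended = @{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Value = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Value = 3 }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Value = 3 }
    '1800' = @{ Name = 'Installation of desktop items';                             Value = 1 }
    '1804' = @{ Name = 'Launching programs and files in an IFRAME';                 Value = 1 }
    '1607' = @{ Name = 'Navigate sub-frames across different domains';              Value = 1 }
}
$Labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-WeakZoneSettings {
    # Hypothetical helper: returns one object per setting that is less restrictive
    # than recommended (Enable < Prompt < Disable, so a smaller number is weaker).
    param([string]$Path = $ZonePath)
    $props = Get-ItemProperty -Path $Path -ErrorAction Stop
    foreach ($id in $Recommended.Keys) {
        $current = $props.$id
        # A missing value means IE is using the zone template default; flag it for review.
        if ($null -eq $current -or [int]$current -lt $Recommended[$id].Value) {
            [pscustomobject]@{
                ActionId    = $id
                Setting     = $Recommended[$id].Name
                Current     = if ($null -eq $current) { '(not set)' } else { $Labels[[int]$current] }
                Recommended = $Labels[$Recommended[$id].Value]
            }
        }
    }
}

function Set-RecommendedZoneSettings {
    # Hypothetical helper: writes the recommended values; run only after reviewing the audit.
    param([string]$Path = $ZonePath)
    foreach ($id in $Recommended.Keys) {
        Set-ItemProperty -Path $Path -Name $id -Value $Recommended[$id].Value -Type DWord
    }
}

$weak = @(Get-WeakZoneSettings)
if ($weak.Count -eq 0) { 'All six Internet-zone settings already match the recommended values.' }
else { $weak | Format-Table -AutoSize }
```

The audit is read-only; the dialog steps in the post change exactly these values, so re-running the script after following them should report nothing.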