Any help appreciated
Malwarebytes Forum > Computer Help > Malware Removal - HijackThis Logs
takethembowling
I see it's very busy here. If anyone has time to help me out I would greatly appreciate it.

Symptoms: Browser Redirection, System Freezes or Crashes often

Here are my logs
----------------------------------------

Malwarebytes' Anti-Malware 1.39
Database version: 2512
Windows 5.1.2600 Service Pack 3

7/27/2009 12:02:34 PM
mbam-log-2009-07-27 (12-02-34).txt

Scan type: Quick Scan
Objects scanned: 112337
Time elapsed: 6 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
D:\autorun.inf (Worm.Agent.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.

------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:09:03 PM, on 7/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ca9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-ca9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispatcher.a...&tbid=60327
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-ca9.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ca9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-ca9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-ca9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-ca9.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca9.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60327
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60327
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O1 - Hosts: 1.1.1.1 ewido.net
O1 - Hosts: 1.1.1.1 www.ewido.net
O1 - Hosts: 1.1.1.1 sysinternals.com
O1 - Hosts: 1.1.1.1 www.sysinternals.com
O1 - Hosts: 1.1.1.1 onguardonline.gov
O1 - Hosts: 1.1.1.1 www.onguardonline.gov
O1 - Hosts: 1.1.1.1 avast.com
O1 - Hosts: 1.1.1.1 www.avast.com
O1 - Hosts: 1.1.1.1 safety.live.com
O1 - Hosts: 1.1.1.1 www.paretologic.com
O1 - Hosts: 1.1.1.1 paretologic.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O3 - Toolbar: Ask && Record Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BHR] C:\Program Files\Browser Hijack Retaliator 4.5\BHR.exe
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Startup: services.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1132870533937
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe

--
End of file - 9501 bytes
Kenny94
Hi takethembowling and Welcome to Malwarebytes!

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present


Did you or your network admin put these restrictions in place?

Download the HostsXpert 4.2 - Hosts File Manager.
  • Unzip HostsXpert 4.2 - Hosts File Manager to a convenient folder such as C:\HostsXpert 4.2 - Hosts File Manager
  • Run HostsXpert 4.2 - Hosts File Manager from its new home
  • Click on "File Handling".
  • Click on "Restore MS Hosts File".
  • Click OK on the Confirmation box.
  • Click on "Make Read Only?"
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.


Next

Please download ATF Cleaner by Atribune.

  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.


Click Exit on the Main menu to close the program.


Also, I would like you to generate an "Add/Remove Software list" log using the HijackThis application. Here is how you can do this:

To get an Uninstall List from HijackThis:
  • Open HijackThis, click Config, click Misc Tools
  • Click "Open Uninstall Manager"
  • Click "Save List" (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.
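The two things the helper picks out of the log above, hosts-file entries that pin security-vendor sites to a bogus address and O6 Internet Explorer policy restrictions, can be triaged automatically. The script below is an added example, not part of this thread or of HijackThis; the SECURITY_DOMAINS list is a constructed starting set seeded from the domains in the log, and the sample log is assembled from the O1/O6 lines above plus two benign entries.

```python
"""Triage the O1 (hosts file) and O6 (IE policy) lines of a HijackThis log."""
import ipaddress
import re

# Security-vendor and safety sites that hosts-file hijackers commonly block.
# Constructed list for this example; extend it with the vendors you rely on.
SECURITY_DOMAINS = {
    "ewido.net", "sysinternals.com", "onguardonline.gov", "avast.com",
    "safety.live.com", "paretologic.com", "malwarebytes.org",
    "windowsupdate.com", "update.microsoft.com",
}

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)\s*$")
O6_RE = re.compile(r"^O6 - (HK(?:LM|CU)\\Software\\Policies\\[^\r\n]*?) present\s*$")


def is_security_domain(host):
    """True if host is one of SECURITY_DOMAINS or a subdomain of one."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in SECURITY_DOMAINS)


def classify_hosts_entry(ip, host):
    """Return a reason string if the hosts entry looks hostile, else None."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "unparseable address %r" % ip
    if host.lower() in ("localhost", "localhost.localdomain"):
        return None  # the stock Windows hosts file entry
    if is_security_domain(host):
        # Any hosts entry for a security vendor is suspect: legitimate
        # resolution goes through DNS, so a pinned entry is the classic
        # "block the AV sites" trick no matter which address it names.
        return "security site %s pinned to %s" % (host, ip)
    if not (addr.is_loopback or addr.is_unspecified):
        # 127.0.0.1 / 0.0.0.0 entries are the normal ad-block style;
        # anything else silently redirects the name to another host.
        return "%s redirected to %s" % (host, ip)
    return None


def triage_hijackthis_log(text):
    """Scan O1 and O6 lines; return findings grouped by category plus a verdict."""
    findings = {"hosts_hijacks": [], "ie_restrictions": []}
    for line in text.splitlines():
        line = line.strip()
        m = O1_RE.match(line)
        if m:
            ip, host = m.group(1), m.group(2)
            reason = classify_hosts_entry(ip, host)
            if reason:
                findings["hosts_hijacks"].append((host, ip, reason))
            continue
        m = O6_RE.match(line)
        if m:
            findings["ie_restrictions"].append(m.group(1))
    findings["verdict"] = (
        "suspicious" if findings["hosts_hijacks"] or findings["ie_restrictions"]
        else "clean"
    )
    return findings


# Constructed sample: the O1/O6 lines from the log in this thread plus the
# stock localhost line and an ad-blocking style entry, which must not fire.
SAMPLE_LOG = """\
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 ads.example.net
O1 - Hosts: 1.1.1.1 ewido.net
O1 - Hosts: 1.1.1.1 www.ewido.net
O1 - Hosts: 1.1.1.1 sysinternals.com
O1 - Hosts: 1.1.1.1 www.sysinternals.com
O1 - Hosts: 1.1.1.1 onguardonline.gov
O1 - Hosts: 1.1.1.1 www.onguardonline.gov
O1 - Hosts: 1.1.1.1 avast.com
O1 - Hosts: 1.1.1.1 www.avast.com
O1 - Hosts: 1.1.1.1 safety.live.com
O1 - Hosts: 1.1.1.1 www.paretologic.com
O1 - Hosts: 1.1.1.1 paretologic.com
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O6 - HKCU\\Software\\Policies\\Microsoft\\Internet Explorer\\Restrictions present
O6 - HKCU\\Software\\Policies\\Microsoft\\Internet Explorer\\Control Panel present
O6 - HKCU\\Software\\Policies\\Microsoft\\Internet Explorer\\Toolbars\\Restrictions present
O6 - HKLM\\Software\\Policies\\Microsoft\\Internet Explorer\\Restrictions present
"""

if __name__ == "__main__":
    result = triage_hijackthis_log(SAMPLE_LOG)
    print("verdict:", result["verdict"])
    for host, ip, reason in result["hosts_hijacks"]:
        print("  O1", reason)
    for key in result["ie_restrictions"]:
        print("  O6", key)
```

An O6 hit is only a finding, not proof of infection: the helper's question about whether an administrator set the policy is exactly the follow-up a script cannot answer.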
takethembowling
Hi, thanks for the reply. I completed both steps in your post, but I'm not sure about the IE restrictions. I should say that IE is part of the problem though. I currently use Firefox, but recently I have seen iexplore running in Task Manager even though it's not on the taskbar. Sometimes I will hear clicking sounds or even music playing. Sorry for not putting that in my original post.

Here is my Add/Remove Programs list from HijackThis.

7-Zip 4.57
AC3Filter (remove only)
ACDSee for PENTAX 3.0
Acoustica Beatcraft
Acoustica Effects Pack
Acoustica Mixcraft
Acrobat.com
Acrobat.com
Adobe AIR
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 7.0.9
Adobe Shockwave Player
Anvil Studio
Anvil Studio
Apple Mobile Device Support
Apple Software Update
ArcSoft ShowBiz 2
Ares 2.0.3
Ask & Record Toolbar 4.01
Ask Toolbar
AudibleManager
AudioConverter Studio 5.9
AVG Free 8.5
AVI to MPEG Converter
Bonjour
CCleaner (remove only)
Choice Guard
Creative System Information
Creative ZEN
DH Driver Cleaner Professional Edition
Digital Media Converter 2.74
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Web Player
DreamStation DXi2
EA Network Play System
Enhanced Multimedia Keyboard Solution
Eusing Free Registry Cleaner
EZ Vinyl Converter 2.0.0 by MixMeister
FixTunes (remove only)
Fraps
Free iPod Video Converter 1.26
Free YouTube to Mp3 Converter version 3.1
FreeRIP v2.945
Google Toolbar for Firefox
Google Video Player
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
HP Customer Participation Program 7.0
HP Deskjet Preloaded Printer Drivers
HP Imaging Device Functions 7.0
HP Instant Support
HP Organize
HP Photo and Imaging 2.0 - Photosmart Cameras
HP Photosmart and Deskjet 7.0 Software
HP Photosmart Premier Software 6.5
HP Solution Center 7.0
HP Update
Image Resizer Powertoy for Windows XP
InFlac 1.1.1
Intel® Extreme Graphics Driver
IntelliMover Data Transfer Demo
InterVideo WinDVD Player
iriver Music Manager
iRiver Updater
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 8
Java 2 Runtime Environment, SE v1.4.1_02
Java Web Start
Java™ 6 Update 11
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
Malwarebytes' Anti-Malware
MediaMonkey 3.1
Memories Disc Creator 2.0
MicroAdobe Free ASF Player (Free)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Money 2003
Microsoft Money 2003 System Pack
Microsoft Office Excel Viewer 2003
Microsoft Office PowerPoint Viewer 2003
Microsoft Plus! Digital Media Edition
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual J# .NET Redistributable Package 1.1
Microsoft Works 7.0
Mozilla Firefox (3.0.12)
MSVCRT
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
MSXML4 Parser
Multimedia Card Reader
neroxml
Network Magic
Norton AntiVirus 2003
NVIDIA Drivers
OmniPass
Photosmart 140,240,7200,7600,7700,7900 Series
Project64 1.6
Python 2.2 combined Win32 extensions
Python 2.2.1
QMusic 2.5
Quicken 2003 New User Edition
QuickTime
Realtek AC'97 Audio
RecordNow!
Replay Media Catcher 3.02
S3Display
S3Gamma2
S3Info2
S3Overlay
Safari
Segoe UI
Shotstone
Skype™ 3.2
SpamSubtract
toolkit
TrackMania Sunrise Extreme 1.5.0
TuneUp Utilities 2009
Uninstall 1.0.0.1
Updates from HP
UseNeXT
VC80CRTRedist - 8.0.50727.762
Vista Transformation Pack 4.0
Weblink
Windows Genuine Advantage v1.3.0254.0
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
XG Forceware Select 91.31e
XTreme-G 92.91
Xvid 1.1.2 final uninstall
ZEN Media Explorer
Kenny94
First of all, you should not have more than one anti-virus program installed, as they will conflict and cause problems. You have two, so you need to uninstall one of them. Of the two, I would recommend keeping AVG Free 8.5 and removing Norton AntiVirus Toolbar. Unless you just purchased it?

The uninstall list contains no Security Updates for Windows XP? Before we move on, run the MGA Diagnostic Tool... Let's do the following for now.

Please remove these entries from Add/Remove Programs in the Control Panel


Ask Toolbar
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 8
Java 2 Runtime Environment, SE v1.4.1_02
Java™ 6 Update 11
LiveReg (Symantec Corporation) <----unless you purchased Symantec
LiveUpdate 1.80 (Symantec Corporation) <----unless you purchased Symantec


Run HijackThis, click on "Scan" and check the boxes next to all these items.


O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: (no name) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll <----unless you purchased Symantec
O3 - Toolbar: Ask && Record Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

Now close all windows other than HijackThis, then click Fix Checked.

NEXT STEP
Download and Update Java Runtime
The most current version of Sun Java is: Java Runtime Environment (JRE) 6 Update 14.
  • Go to http://java.sun.com/javase/downloads/index.jsp
  • Go to Java Runtime Environment (JRE) 6 Update 14 about half way down the page and click on the Download button.
  • In Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says jre-6u14-windows-i586.exe and save the downloaded file to your desktop.
  • Install the new version by running the newly-downloaded file with the java icon which will be on your desktop, and follow the on-screen instructions.
  • Uncheck the Toolbar button (unless you want the toolbar)
  • Reboot your computer


Next

Please run the MGA Diagnostic Tool and post back the report it creates:
  • Download MGADiag to your desktop.
  • Double-click on MGADiag.exe to launch the program
  • Click "Continue"
  • Ensure that the "Windows" tab is selected (it should be by default).
  • Click the "Copy" button to copy the MGA Diagnostic Report to the Windows clipboard.
  • Paste the MGA Diagnostic Report back here in your next reply.


In your next reply, please include these log(s):

* MGA Diagnostic Report
* HijackThis log (new)
takethembowling
Thanks again for the help. I uninstalled Norton AntiVirus. It came with my PC years ago (2003) and I never used it, so I forgot all about it.


Diagnostic Report (1.9.0011.0):
-----------------------------------------
WGA Data-->
Validation Status: Genuine
Validation Code: 0

Cached Validation Code: N/A
Windows Product Key: *****-*****-BRVBB-38MQ9-3PMFT
Windows Product Key Hash: 2V2VyxlfhiaCt/JkDzYQfiNOHMA=
Windows Product ID: 55277-OEM-2111907-00106
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 5.1.2600.2.00010300.3.0.hom
ID: {615F4AD0-86B0-4DC5-97FF-5F9748DF7AE8}(3)
Is Admin: Yes
TestCab: 0x0
WGA Version: Registered, 1.7.69.2
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1
Resolution Status: N/A

WgaER Data-->
ThreatID(s): N/A
Version: N/A

WGA Notifications Data-->
Cached Result: 0
File Exists: Yes
Version: 1.7.18.5
WgaTray.exe Signed By: Microsoft
WgaLogon.dll Signed By: Microsoft

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 77F760FE-153-80070002_7E90FEE8-175-80070002_025D1FF3-230-1

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{615F4AD0-86B0-4DC5-97FF-5F9748DF7AE8}</UGUID><Version>1.9.0011.0</Version><OS>5.1.2600.2.00010300.3.0.hom</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-3PMFT</PKey><PID>55277-OEM-2111907-00106</PID><PIDType>2</PIDType><SID>S-1-5-21-1598320945-1261319154-3162106693</SID><SYSTEM><Manufacturer>HP Pavilion 061</Manufacturer><Model>DM168A-ABA A320N</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>3.14 </Version><SMBIOSVersion major="2" minor="3"/><Date>20030917000000.000000+000</Date><SLPBIOS>HP PAVILION</SLPBIOS></BIOS><HWID>A03435870184AE5F</HWID><UserLCID>1009</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Pacific Standard Time(GMT-08:00)</TimeZone><iJoin>0</iJoin><SBID><stat>2</stat><msppid></msppid><name>Hewlett-Packard</name><model>Pavilion</model></SBID><OEM/><GANotification><File Name="WgaTray.exe" Version="1.7.18.5"/><File Name="WgaLogon.dll" Version="1.7.18.5"/></GANotification></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>

Licensing Data-->
N/A

HWID Data-->
N/A

OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: 104EA:Hewlett-Packard Company
Marker string from OEMBIOS.DAT: HP PAVILION

OEM Activation 2.0 Data-->
N/A

--------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:12:12 PM, on 7/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ca9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-ca9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispatcher.a...&tbid=60327
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-ca9.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ca9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-ca9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-ca9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-ca9.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca9.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60327
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60327
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BHR] C:\Program Files\Browser Hijack Retaliator 4.5\BHR.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Startup: services.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1132870533937
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe

--
End of file - 8613 bytes
Kenny94
I don't want to use ComboFix or any tools unless we need to. But MBAM picked up a "Rootkit.Trace" and redirection items, and they were removed by Malwarebytes.... Let's do this:


Download RootRepeal:
http://rootrepeal.googlepages.com/RootRepeal.zip
  • Extract the archive to a folder you create such as C:\RootRepeal
  • Double-click RootRepeal.exe to launch the program (Vista users should right-click and select "Run as Administrator").
  • Click the "File" tab (located at the bottom of the RootRepeal screen)
  • Click the "Scan" button
  • In the popup dialog, check the drives to be scanned - making sure to check your primary operating system drive - normally C:
  • Click OK and the file scan will begin
  • When the scan is done, there will be files listed, but most if not all of them will be legitimate
  • Click the "Save Report" Button
  • Save the log file to your Documents folder
  • Post the content of the RootRepeal file scan log in your next reply.
Next


  • Launch Malwarebytes' Anti-Malware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Also, please let me know how things are running now and if you encountered any problems while you were following the instructions I posted.
takethembowling
Hmmmm... it seems there are recurring problems in the malware scan. I assumed that it had fixed that and maybe the problem was something it didn't detect. I ran a scan and found 2 problems (there was no D:\autorun.inf Worm.Agent.H). I tried using Malwarebytes in safe mode and got the same result. When I scanned again on reboot (the most current log, the one I posted here), there were 3 again (D:\autorun.inf Worm.Agent.H had returned).

If it helps, the other two infections - HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) and C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) - were found when MBAM performed the "extra and heuristics scan" at the end of the quick scan.


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/07/28 16:13
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: 00000047
Image Path: \Driver\00000047
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: 1394BUS.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\1394BUS.SYS
Address: 0xF851F000 Size: 57344 File Visible: - Signed: -
Status: -

Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xF8361000 Size: 187776 File Visible: - Signed: -
Status: -

Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000 Size: 2189056 File Visible: - Signed: -
Status: -

Name: aec.sys
Image Path: C:\WINDOWS\system32\drivers\aec.sys
Address: 0xB99F0000 Size: 142592 File Visible: - Signed: -
Status: -

Name: afd.sys
Image Path: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xF4FC0000 Size: 138496 File Visible: - Signed: -
Status: -

Name: AFS2K.SYS
Image Path: C:\WINDOWS\System32\Drivers\AFS2K.SYS
Address: 0xF861F000 Size: 35840 File Visible: - Signed: -
Status: -

Name: agp440.sys
Image Path: agp440.sys
Address: 0xF852F000 Size: 42368 File Visible: - Signed: -
Status: -

Name: ALCXWDM.SYS
Image Path: C:\WINDOWS\system32\drivers\ALCXWDM.SYS
Address: 0xF7994000 Size: 2279424 File Visible: - Signed: -
Status: -

Name: amdk7.sys
Image Path: C:\WINDOWS\System32\DRIVERS\amdk7.sys
Address: 0xF85CF000 Size: 37760 File Visible: - Signed: -
Status: -

Name: arp1394.sys
Image Path: C:\WINDOWS\System32\DRIVERS\arp1394.sys
Address: 0xF7C79000 Size: 60800 File Visible: - Signed: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0xF8319000 Size: 98304 File Visible: - Signed: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0x00000000 Size: 0 File Visible: - Signed: -
Status: -

Name: ATMFD.DLL
Image Path: C:\WINDOWS\System32\ATMFD.DLL
Address: 0xBFFA0000 Size: 286720 File Visible: - Signed: -
Status: -

Name: audstub.sys
Image Path: C:\WINDOWS\System32\DRIVERS\audstub.sys
Address: 0xF8B88000 Size: 3072 File Visible: - Signed: -
Status: -

Name: avgldx86.sys
Image Path: C:\WINDOWS\System32\Drivers\avgldx86.sys
Address: 0xF4EAC000 Size: 329088 File Visible: - Signed: -
Status: -

Name: avgmfx86.sys
Image Path: C:\WINDOWS\System32\Drivers\avgmfx86.sys
Address: 0xF87BF000 Size: 21120 File Visible: - Signed: -
Status: -

Name: avgtdix.sys
Image Path: C:\WINDOWS\System32\Drivers\avgtdix.sys
Address: 0xF5067000 Size: 101888 File Visible: - Signed: -
Status: -

Name: Beep.SYS
Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xF89DB000 Size: 4224 File Visible: - Signed: -
Status: -

Name: BOOTVID.dll
Image Path: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xF88AF000 Size: 12288 File Visible: - Signed: -
Status: -

Name: Cdfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xB9833000 Size: 63744 File Visible: - Signed: -
Status: -

Name: cdrom.sys
Image Path: C:\WINDOWS\System32\DRIVERS\cdrom.sys
Address: 0xF862F000 Size: 62976 File Visible: - Signed: -
Status: -

Name: cinemsup.sys
Image Path: C:\WINDOWS\system32\drivers\cinemsup.sys
Address: 0xF87B7000 Size: 24576 File Visible: - Signed: -
Status: -

Name: CLASSPNP.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS
Address: 0xF84DF000 Size: 53248 File Visible: - Signed: -
Status: -

Name: disk.sys
Image Path: disk.sys
Address: 0xF84CF000 Size: 36352 File Visible: - Signed: -
Status: -

Name: DMusic.sys
Image Path: C:\WINDOWS\system32\drivers\DMusic.sys
Address: 0xB9D09000 Size: 52864 File Visible: - Signed: -
Status: -

Name: drmk.sys
Image Path: C:\WINDOWS\system32\drivers\drmk.sys
Address: 0xF860F000 Size: 61440 File Visible: - Signed: -
Status: -

Name: drmkaud.sys
Image Path: C:\WINDOWS\system32\drivers\drmkaud.sys
Address: 0xF8BA0000 Size: 2944 File Visible: - Signed: -
Status: -

Name: dtscsi.sys
Image Path: C:\WINDOWS\System32\Drivers\dtscsi.sys
Address: 0xF748D000 Size: 303104 File Visible: - Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF4E94000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF89FB000 Size: 8192 File Visible: No Signed: -
Status: -

Name: Dxapi.sys
Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xF5149000 Size: 12288 File Visible: - Signed: -
Status: -

Name: dxg.sys
Image Path: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF9C3000 Size: 73728 File Visible: - Signed: -
Status: -

Name: dxgthk.sys
Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xF8AF6000 Size: 4096 File Visible: - Signed: -
Status: -

Name: Fastfat.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Address: 0xF50EC000 Size: 143744 File Visible: - Signed: -
Status: -

Name: fdc.sys
Image Path: C:\WINDOWS\System32\DRIVERS\fdc.sys
Address: 0xF8857000 Size: 27392 File Visible: - Signed: -
Status: -

Name: Fips.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS
Address: 0xF870F000 Size: 44544 File Visible: - Signed: -
Status: -

Name: flpydisk.sys
Image Path: C:\WINDOWS\System32\DRIVERS\flpydisk.sys
Address: 0xF8767000 Size: 20480 File Visible: - Signed: -
Status: -

Name: fltmgr.sys
Image Path: fltmgr.sys
Address: 0xF82F9000 Size: 129792 File Visible: - Signed: -
Status: -

Name: Fs_Rec.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xF89D9000 Size: 7936 File Visible: - Signed: -
Status: -

Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xF8331000 Size: 125056 File Visible: - Signed: -
Status: -

Name: GEARAspiWDM.sys
Image Path: C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys
Address: 0xF864F000 Size: 40960 File Visible: - Signed: -
Status: -

Name: hal.dll
Image Path: C:\WINDOWS\system32\hal.dll
Address: 0x806EE000 Size: 131840 File Visible: - Signed: -
Status: -

Name: HTTP.sys
Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys
Address: 0xB9C30000 Size: 264832 File Visible: - Signed: -
Status: -

Name: i8042prt.sys
Image Path: C:\WINDOWS\System32\DRIVERS\i8042prt.sys
Address: 0xF85DF000 Size: 52480 File Visible: - Signed: -
Status: -

Name: ifp700.sys
Image Path: ifp700.sys
Address: 0xF88B3000 Size: 13088 File Visible: - Signed: -
Status: -

Name: imapi.sys
Image Path: C:\WINDOWS\System32\DRIVERS\imapi.sys
Address: 0xF865F000 Size: 42112 File Visible: - Signed: -
Status: -

Name: ipsec.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ipsec.sys
Address: 0xF50D9000 Size: 75264 File Visible: - Signed: -
Status: -

Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xF849F000 Size: 37248 File Visible: - Signed: -
Status: -

Name: kbdclass.sys
Image Path: C:\WINDOWS\System32\DRIVERS\kbdclass.sys
Address: 0xF8867000 Size: 24576 File Visible: - Signed: -
Status: -

Name: KDCOM.DLL
Image Path: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xF899F000 Size: 8192 File Visible: - Signed: -
Status: -

Name: kmixer.sys
Image Path: C:\WINDOWS\system32\drivers\kmixer.sys
Address: 0xB999D000 Size: 172416 File Visible: - Signed: -
Status: -

Name: ks.sys
Image Path: C:\WINDOWS\system32\drivers\ks.sys
Address: 0xF794D000 Size: 143360 File Visible: - Signed: -
Status: -

Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xF82D0000 Size: 92288 File Visible: - Signed: -
Status: -

Name: ltmdmnt.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ltmdmnt.sys
Address: 0xF78B8000 Size: 606656 File Visible: - Signed: -
Status: -

Name: mnmdd.SYS
Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Address: 0xF89DD000 Size: 4224 File Visible: - Signed: -
Status: -

Name: Modem.SYS
Image Path: C:\WINDOWS\System32\Drivers\Modem.SYS
Address: 0xF8887000 Size: 30080 File Visible: - Signed: -
Status: -

Name: mouclass.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mouclass.sys
Address: 0xF886F000 Size: 23040 File Visible: - Signed: -
Status: -

Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xF84AF000 Size: 42368 File Visible: - Signed: -
Status: -

Name: mrxdav.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mrxdav.sys
Address: 0xBA1EB000 Size: 180608 File Visible: - Signed: -
Status: -

Name: mrxsmb.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mrxsmb.sys
Address: 0xF4EFD000 Size: 455296 File Visible: - Signed: -
Status: -

Name: Msfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xF877F000 Size: 19072 File Visible: - Signed: -
Status: -

Name: msgpc.sys
Image Path: C:\WINDOWS\System32\DRIVERS\msgpc.sys
Address: 0xF869F000 Size: 35072 File Visible: - Signed: -
Status: -

Name: mssmbios.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mssmbios.sys
Address: 0xF815C000 Size: 15488 File Visible: - Signed: -
Status: -

Name: Mup.sys
Image Path: Mup.sys
Address: 0xF81C4000 Size: 105344 File Visible: - Signed: -
Status: -

Name: NDIS.sys
Image Path: NDIS.sys
Address: 0xF8203000 Size: 182656 File Visible: - Signed: -
Status: -

Name: ndistapi.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ndistapi.sys
Address: 0xF816C000 Size: 10112 File Visible: - Signed: -
Status: -

Name: ndisuio.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ndisuio.sys
Address: 0xBAD14000 Size: 14592 File Visible: - Signed: -
Status: -

Name: ndiswan.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ndiswan.sys
Address: 0xF7439000 Size: 91520 File Visible: - Signed: -
Status: -

Name: NDProxy.SYS
Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xF86BF000 Size: 40576 File Visible: - Signed: -
Status: -

Name: netbios.sys
Image Path: C:\WINDOWS\System32\DRIVERS\netbios.sys
Address: 0xF86DF000 Size: 34688 File Visible: - Signed: -
Status: -

Name: netbt.sys
Image Path: C:\WINDOWS\System32\DRIVERS\netbt.sys
Address: 0xF503F000 Size: 162816 File Visible: - Signed: -
Status: -

Name: nic1394.sys
Image Path: C:\WINDOWS\System32\DRIVERS\nic1394.sys
Address: 0xF856F000 Size: 61824 File Visible: - Signed: -
Status: -

Name: Npfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xF8787000 Size: 30848 File Visible: - Signed: -
Status: -

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xF8230000 Size: 574976 File Visible: - Signed: -
Status: -

Name: ntoskrnl.exe
Image Path: C:\WINDOWS\system32\ntoskrnl.exe
Address: 0x804D7000 Size: 2189056 File Visible: - Signed: -
Status: -

Name: Null.SYS
Image Path: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xF8A92000 Size: 2944 File Visible: - Signed: -
Status: -

Name: nv4_disp.dll
Image Path: C:\WINDOWS\System32\nv4_disp.dll
Address: 0xBF9D5000 Size: 4530176 File Visible: - Signed: -
Status: -

Name: nv4_mini.sys
Image Path: C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
Address: 0xF74EB000 Size: 3983680 File Visible: - Signed: -
Status: -

Name: nv_agp.sys
Image Path: nv_agp.sys
Address: 0xF873F000 Size: 18688 File Visible: - Signed: -
Status: -

Name: NVENET.sys
Image Path: C:\WINDOWS\System32\DRIVERS\NVENET.sys
Address: 0xF85FF000 Size: 54784 File Visible: - Signed: -
Status: -

Name: ohci1394.sys
Image Path: ohci1394.sys
Address: 0xF850F000 Size: 61696 File Visible: - Signed: -
Status: -

Name: parport.sys
Image Path: C:\WINDOWS\System32\DRIVERS\parport.sys
Address: 0xF7BE5000 Size: 80128 File Visible: - Signed: -
Status: -

Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xF8727000 Size: 19712 File Visible: - Signed: -
Status: -

Name: ParVdm.SYS
Image Path: C:\WINDOWS\System32\Drivers\ParVdm.SYS
Address: 0xF8A1B000 Size: 6784 File Visible: - Signed: -
Status: -

Name: pci.sys
Image Path: pci.sys
Address: 0xF8350000 Size: 68224 File Visible: - Signed: -
Status: -

Name: pciide.sys
Image Path: pciide.sys
Address: 0xF8A67000 Size: 3328 File Visible: - Signed: -
Status: -

Name: PCIIDEX.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\PCIIDEX.SYS
Address: 0xF871F000 Size: 28672 File Visible: - Signed: -
Status: -

Name: pfc.sys
Image Path: C:\WINDOWS\system32\drivers\pfc.sys
Address: 0xF8178000 Size: 9856 File Visible: - Signed: -
Status: -

Name: pnarp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\pnarp.sys
Address: 0xF8817000 Size: 18560 File Visible: - Signed: -
Status: -

Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000 Size: 2189056 File Visible: - Signed: -
Status: -

Name: portcls.sys
Image Path: C:\WINDOWS\system32\drivers\portcls.sys
Address: 0xF7970000 Size: 147456 File Visible: - Signed: -
Status: -

Name: PS2.sys
Image Path: C:\WINDOWS\System32\DRIVERS\PS2.sys
Address: 0xF885F000 Size: 19072 File Visible: - Signed: -
Status: -

Name: psched.sys
Image Path: C:\WINDOWS\System32\DRIVERS\psched.sys
Address: 0xF7428000 Size: 69120 File Visible: - Signed: -
Status: -

Name: ptilink.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ptilink.sys
Address: 0xF8897000 Size: 17792 File Visible: - Signed: -
Status: -

Name: purendis.sys
Image Path: C:\WINDOWS\system32\DRIVERS\purendis.sys
Address: 0xF8827000 Size: 19840 File Visible: - Signed: -
Status: -

Name: PxHelp20.sys
Image Path: PxHelp20.sys
Address: 0xF84EF000 Size: 35712 File Visible: - Signed: -
Status: -

Name: rasacd.sys
Image Path: C:\WINDOWS\System32\DRIVERS\rasacd.sys
Address: 0xF8144000 Size: 8832 File Visible: - Signed: -
Status: -

Name: rasl2tp.sys
Image Path: C:\WINDOWS\System32\DRIVERS\rasl2tp.sys
Address: 0xF866F000 Size: 51328 File Visible: - Signed: -
Status: -

Name: raspppoe.sys
Image Path: C:\WINDOWS\System32\DRIVERS\raspppoe.sys
Address: 0xF867F000 Size: 41472 File Visible: - Signed: -
Status: -

Name: raspptp.sys
Image Path: C:\WINDOWS\System32\DRIVERS\raspptp.sys
Address: 0xF868F000 Size: 48384 File Visible: - Signed: -
Status: -

Name: raspti.sys
Image Path: C:\WINDOWS\System32\DRIVERS\raspti.sys
Address: 0xF889F000 Size: 16512 File Visible: - Signed: -
Status: -

Name: RAW
Image Path: \FileSystem\RAW
Address: 0x804D7000 Size: 2189056 File Visible: - Signed: -
Status: -

Name: rdbss.sys
Image Path: C:\WINDOWS\System32\DRIVERS\rdbss.sys
Address: 0xF4F95000 Size: 175744 File Visible: - Signed: -
Status: -

Name: RDPCDD.sys
Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xF89DF000 Size: 4224 File Visible: - Signed: -
Status: -

Name: redbook.sys
Image Path: C:\WINDOWS\System32\DRIVERS\redbook.sys
Address: 0xF863F000 Size: 57600 File Visible: - Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB93C3000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SCSIPORT.SYS
Image Path: C:\WINDOWS\System32\Drivers\SCSIPORT.SYS
Address: 0xF838F000 Size: 98304 File Visible: - Signed: -
Status: -

Name: secdrv.sys
Image Path: C:\WINDOWS\System32\DRIVERS\secdrv.sys
Address: 0xF730A000 Size: 40960 File Visible: - Signed: -
Status: -

Name: serenum.sys
Image Path: C:\WINDOWS\System32\DRIVERS\serenum.sys
Address: 0xF817C000 Size: 15744 File Visible: - Signed: -
Status: -

Name: serial.sys
Image Path: C:\WINDOWS\System32\DRIVERS\serial.sys
Address: 0xF85EF000 Size: 64512 File Visible: - Signed: -
Status: -

Name: sfdrv01.sys
Image Path: sfdrv01.sys
Address: 0xF81DE000 Size: 73728 File Visible: - Signed: -
Status: -

Name: sfhlp02.sys
Image Path: sfhlp02.sys
Address: 0xF8737000 Size: 32768 File Visible: - Signed: -
Status: -

Name: sfvfs02.sys
Image Path: sfvfs02.sys
Address: 0xF81F0000 Size: 77824 File Visible: - Signed: -
Status: -

Name: SISAGPX.sys
Image Path: SISAGPX.sys
Address: 0xF84FF000 Size: 36608 File Visible: - Signed: -
Status: -

Name: splitter.sys
Image Path: C:\WINDOWS\system32\drivers\splitter.sys
Address: 0xF8A1D000 Size: 6272 File Visible: - Signed: -
Status: -

Name: sptd.sys
Image Path: sptd.sys
Address: 0xF83A7000 Size: 880640 File Visible: - Signed: -
Status: -

Name: sr.sys
Image Path: sr.sys
Address: 0xF82E7000 Size: 73472 File Visible: - Signed: -
Status: -

Name: srv.sys
Image Path: C:\WINDOWS\System32\DRIVERS\srv.sys
Address: 0xBA0A9000 Size: 333952 File Visible: - Signed: -
Status: -

Name: srvkp.sys
Image Path: C:\WINDOWS\System32\DRIVERS\srvkp.sys
Address: 0xF518D000 Size: 10624 File Visible: - Signed: -
Status: -

Name: sunkfilt.sys
Image Path: C:\WINDOWS\System32\Drivers\sunkfilt.sys
Address: 0xF878F000 Size: 27488 File Visible: - Signed: -
Status: -

Name: swenum.sys
Image Path: C:\WINDOWS\System32\DRIVERS\swenum.sys
Address: 0xF89D5000 Size: 4352 File Visible: - Signed: -
Status: -

Name: swmidi.sys
Image Path: C:\WINDOWS\system32\drivers\swmidi.sys
Address: 0xF7C69000 Size: 56576 File Visible: - Signed: -
Status: -

Name: SYMEVENT.SYS
Image Path: C:\Program Files\Symantec\SYMEVENT.SYS
Address: 0xF4FE2000 Size: 117952 File Visible: - Signed: -
Status: -

Name: SYMTDI.SYS
Image Path: C:\WINDOWS\System32\Drivers\SYMTDI.SYS
Address: 0xF4FFF000 Size: 261536 File Visible: - Signed: -
Status: -

Name: sysaudio.sys
Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys
Address: 0xBA019000 Size: 60800 File Visible: - Signed: -
Status: -

Name: tcpip.sys
Image Path: C:\WINDOWS\System32\DRIVERS\tcpip.sys
Address: 0xF5080000 Size: 361600 File Visible: - Signed: -
Status: -

Name: TDI.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\TDI.SYS
Address: 0xF888F000 Size: 20480 File Visible: - Signed: -
Status: -

Name: termdd.sys
Image Path: C:\WINDOWS\System32\DRIVERS\termdd.sys
Address: 0xF86AF000 Size: 40704 File Visible: - Signed: -
Status: -

Name: update.sys
Image Path: C:\WINDOWS\System32\DRIVERS\update.sys
Address: 0xF73A2000 Size: 384768 File Visible: - Signed: -
Status: -

Name: USBD.SYS
Image Path: C:\WINDOWS\system32\drivers\USBD.SYS
Address: 0xF89A3000 Size: 8192 File Visible: - Signed: -
Status: -

Name: usbehci.sys
Image Path: C:\WINDOWS\System32\DRIVERS\usbehci.sys
Address: 0xF887F000 Size: 30208 File Visible: - Signed: -
Status: -

Name: usbhub.sys
Image Path: C:\WINDOWS\System32\DRIVERS\usbhub.sys
Address: 0xF86CF000 Size: 59520 File Visible: - Signed: -
Status: -

Name: usbohci.sys
Image Path: C:\WINDOWS\System32\DRIVERS\usbohci.sys
Address: 0xF8877000 Size: 17152 File Visible: - Signed: -
Status: -

Name: USBPORT.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\USBPORT.SYS
Address: 0xF7BC1000 Size: 147456 File Visible: - Signed: -
Status: -

Name: USBSTOR.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS
Address: 0xF8797000 Size: 26368 File Visible: - Signed: -
Status: -

Name: vga.sys
Image Path: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xF8777000 Size: 20992 File Visible: - Signed: -
Status: -

Name: viaagp1.sys
Image Path: viaagp1.sys
Address: 0xF872F000 Size: 26880 File Visible: - Signed: -
Status: -

Name: VIDEOPRT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Address: 0xF74D7000 Size: 81920 File Visible: - Signed: -
Status: -

Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xF84BF000 Size: 52352 File Visible: - Signed: -
Status: -

Name: wanarp.sys
Image Path: C:\WINDOWS\System32\DRIVERS\wanarp.sys
Address: 0xF7C89000 Size: 34560 File Visible: - Signed: -
Status: -

Name: watchdog.sys
Image Path: C:\WINDOWS\System32\watchdog.sys
Address: 0xF87C7000 Size: 20480 File Visible: - Signed: -
Status: -

Name: wdmaud.sys
Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys
Address: 0xB9AB3000 Size: 83072 File Visible: - Signed: -
Status: -

Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: win32k.sys
Image Path: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\WMILIB.SYS
Address: 0xF89A1000 Size: 8192 File Visible: - Signed: -
Status: -

Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000 Size: 2189056 File Visible: - Signed: -
Status: -

Name: ws2ifsl.sys
Image Path: C:\WINDOWS\System32\drivers\ws2ifsl.sys
Address: 0xF5191000 Size: 12032 File Visible: - Signed: -
Status: -

Name: WudfPf.sys
Image Path: WudfPf.sys
Address: 0xF82BD000 Size: 77568 File Visible: - Signed: -
Status: -

----------------------------------------------------

Malwarebytes' Anti-Malware 1.39
Database version: 2524
Windows 5.1.2600 Service Pack 3

7/28/2009 5:32:57 PM
mbam-log-2009-07-28 (17-32-57).txt

Scan type: Quick Scan
Objects scanned: 108686
Time elapsed: 8 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
D:\autorun.inf (Worm.Agent.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
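A RootRepeal driver report is long and, as the helper says above, mostly legitimate, so the useful skill is picking out the handful of records worth a second look. The script below is an added example written for this thread, not RootRepeal's own code and not something either poster ran. It parses the "Drivers" section format shown in the log (blank-line separated records with a combined Address / Size / File Visible / Signed line) and flags three things: a loaded driver whose image file is not visible on disk, an anonymous `\Driver\nnnnnnnn` object with no backing image, and a second zero-address record for a driver name that is already loaded. Two things in it are assumptions rather than facts stated by the tool: the allow-list of drivers expected to show "File Visible: No" on a clean machine (RootRepeal's own `rootrepeal.sys` and the `dump_*` crash-dump copies of the disk stack, which are loaded from memory rather than from a file of that name), and the sample report, which is constructed from a few records copied out of the log above. The output is a review list, not a verdict; the helper, not the script, decides what is malicious.

```python
"""Triage a RootRepeal "Drivers" report and list the records worth a closer look.

Added example for this thread; not RootRepeal's code. The EXPECTED_HIDDEN
allow-list is an assumption about how those drivers are loaded, not
something the tool reports.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# One RootRepeal record line looks like:
#   Address: 0xF8319000 Size: 98304 File Visible: - Signed: -
ADDR_RE = re.compile(
    r"Address:\s*(?P<addr>0x[0-9A-Fa-f]+)\s+Size:\s*(?P<size>\d+)\s+"
    r"File Visible:\s*(?P<visible>\S+)\s+Signed:\s*(?P<signed>\S+)"
)

# Assumption: these show "File Visible: No" on a clean machine because they are
# loaded from a temporary or in-memory copy, not from a file of that name.
EXPECTED_HIDDEN = ("rootrepeal.sys", "dump_")


@dataclass
class Driver:
    name: str
    image_path: str
    address: int
    size: int
    file_visible: str


def parse_drivers(report: str) -> list[Driver]:
    """Split the Drivers section into records; each record is blank-line separated."""
    block = report.split("Drivers\n", 1)[1] if "Drivers\n" in report else report
    drivers: list[Driver] = []
    for rec in re.split(r"\n\s*\n", block):
        fields = dict(re.findall(r"^(Name|Image Path):\s*(.*)$", rec, re.M))
        m = ADDR_RE.search(rec)
        if "Name" not in fields or not m:
            continue  # header rule line, section title, or trailing junk
        drivers.append(Driver(
            name=fields["Name"].strip(),
            image_path=fields.get("Image Path", "").strip(),
            address=int(m["addr"], 16),
            size=int(m["size"]),
            file_visible=m["visible"],
        ))
    return drivers


def triage(drivers: list[Driver]) -> list[tuple[str, str]]:
    """Return (driver name, reason) pairs a helper would want to inspect."""
    findings: list[tuple[str, str]] = []
    seen: dict[str, Driver] = {}
    for d in drivers:
        lname = d.name.lower()
        if d.address == 0 and d.size == 0:
            # A kernel driver object with no loaded image behind it.
            if re.fullmatch(r"[0-9a-f]{8}", lname) and d.image_path.startswith("\\Driver\\"):
                findings.append((d.name, "anonymous kernel driver object with no backing image"))
            elif lname in seen:
                findings.append((d.name, "second record for a driver name that is already loaded"))
            seen.setdefault(lname, d)
            continue
        if d.file_visible == "No" and not lname.startswith(EXPECTED_HIDDEN):
            findings.append((d.name, "loaded driver whose image file is not visible on disk"))
        seen[lname] = d
    return findings


# Constructed sample: a few records copied from the report posted in this thread.
SAMPLE_REPORT = """\
ROOTREPEAL (c) AD, 2007-2009
==================================================
Drivers
-------------------
Name: 00000047
Image Path: \\Driver\\00000047
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0xF8319000 Size: 98304 File Visible: - Signed: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0x00000000 Size: 0 File Visible: - Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\\WINDOWS\\System32\\Drivers\\dump_atapi.sys
Address: 0xF4E94000 Size: 98304 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\rootrepeal.sys
Address: 0xB93C3000 Size: 49152 File Visible: No Signed: -
Status: -
"""

if __name__ == "__main__":
    for name, reason in triage(parse_drivers(SAMPLE_REPORT)):
        print(f"{name:20} {reason}")
```

On the sample this reports `00000047` (anonymous driver object) and the second `atapi.sys` record (zero address for a name already loaded), and stays quiet about `dump_atapi.sys` and `rootrepeal.sys` because of the allow-list. To run it over a real report, read the saved RootRepeal log file into `parse_drivers` instead of `SAMPLE_REPORT`; anything it flags still has to be judged against what is known about the machine, as the helper does in the rest of this thread.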
Kenny94
QUOTE
I assumed that it had fixed that and maybe the problem was something it didn't detect. I ran a scan and found 2 problems (there was no D:\autorun.inf Worm.Agent.H). I tried using Malwarebytes in safe mode and got the same result. When I scanned again on reboot (the most current log, the one I posted here), there were 3 again (D:\autorun.inf Worm.Agent.H had returned).

Yeah, I was afraid of this, takethembowling. That is why I wanted you to run Malwarebytes again. Well, let's see what ComboFix shows us...



Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System
Download the file & save it as it's originally named.


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

Please note once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall.
  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • At the next prompt, click 'Yes' to run the full ComboFix scan.
  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt in your next reply.

Note:

If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode."
takethembowling
I'm having trouble getting ComboFix to run. When I drag and drop the Windows Recovery setup onto the ComboFix icon, a window appears saying "Open File - Security Warning: The publisher could not be verified. Are you sure you want to run this software?" with |Run| or |Cancel|. That is nothing unusual; it displays a similar warning when I run/install other programs. So I click Run, but then nothing happens. I tried in safe mode and the same thing. I turned off AVG and Windows Firewall. Did I miss something?

Also, when I booted in safe mode I noticed iexplorer was running in Task Manager, but I turned it off before trying ComboFix.
Kenny94
Let's rename ComboFix and skip the "install the Microsoft Windows Recovery Console" step if you have done so already....


Delete the copy of ComboFix you have & download it again from one of these locations (DO NOT download ComboFix from anywhere else but one of the provided links):
Link 1
Link 2

**IMPORTANT !!! RENAME ComboFix.exe to Commy.exe BEFORE you save it to your Desktop**

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    A guide to do this can be found here
  • Double click on ComboFix.exe & follow the prompts
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply
takethembowling
Here is the ComboFix log. It also asked me to write down several file names during the initial scan that had to do with rootkit activity, so I have those if you need them.


ComboFix 09-07-29.03 - Owner 07/29/2009 16:18.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.193 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\Commy.exe
Command switches used :: c:\documents and settings\Owner\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\ALLUSE~1\APPLIC~1\Microsoft\Network\Downloader\qmgr0.dat
c:\docume~1\ALLUSE~1\APPLIC~1\Microsoft\Network\Downloader\qmgr1.dat
c:\progra~1\COMMON~1\{3C44B~1
c:\progra~1\COMMON~1\{6C44B~1
c:\program files\Common Files\SLMSS
c:\recycler\S-1-5-21-1915603095-2777713432-2000865000-1003
c:\recycler\S-1-5-21-2795692431-2410440851-3507117092-1003
c:\windows\cdmxtras
c:\windows\Fonts\acrsec.fon
c:\windows\Install.txt
c:\windows\Installer\1018a3.msi
c:\windows\Installer\1018aa.msi
c:\windows\Installer\11691f.msi
c:\windows\Installer\128cb.msi
c:\windows\Installer\12b892.msi
c:\windows\Installer\14d23b.msi
c:\windows\Installer\14d243.msi
c:\windows\Installer\1fb14.msp
c:\windows\Installer\1fb52.msp
c:\windows\Installer\1fb8a.msi
c:\windows\Installer\233b13.msi
c:\windows\Installer\24eba88.msi
c:\windows\Installer\25c226.msi
c:\windows\Installer\2609df.msi
c:\windows\Installer\27d3a6.msi
c:\windows\Installer\2921ff.msi
c:\windows\Installer\39468e.msi
c:\windows\Installer\3b7567.msi
c:\windows\Installer\3dae14.msi
c:\windows\Installer\400615.msi
c:\windows\Installer\45a5ca.msi
c:\windows\Installer\47abcc.msi
c:\windows\Installer\47abd2.msi
c:\windows\Installer\486e09.msi
c:\windows\Installer\5efa5.msi
c:\windows\Installer\704aae.msi
c:\windows\Installer\704ab9.msi
c:\windows\Installer\786cc.msi
c:\windows\Installer\8333aa.msi
c:\windows\Installer\a28c8.msi
c:\windows\Installer\aaf779.msi
c:\windows\Installer\aaf77c.msi
c:\windows\Installer\b08855.msi
c:\windows\Installer\b4cf46.msi
c:\windows\Installer\b73b7b.msi
c:\windows\Installer\b73b81.msi
c:\windows\Installer\b73b87.msi
c:\windows\Installer\b73b8d.msi
c:\windows\Installer\b73b93.msi
c:\windows\Installer\b7e4a.msi
c:\windows\Installer\bb6df.msi
c:\windows\Installer\c1117c.msi
c:\windows\patch.exe
c:\windows\Readme.txt
c:\windows\smbols~1
c:\windows\system32\drivers\TDSSserv.sys
c:\windows\system32\drivers\UACqyisdhpbcbkssqcfr.sys
c:\windows\system32\iAlmcoin.dll
c:\windows\system32\Install.txt
c:\windows\system32\skinboxer43.dll
c:\windows\system32\sklh.dat
c:\windows\system32\uacinit.dll
c:\windows\system32\UACjmjpjmpqdgwcndmgj.dll
c:\windows\system32\UACkjlwkktcvonyrudvq.dll
c:\windows\system32\UAClxbfpxvgbvfuvtmvr.dat
c:\windows\system32\UACmstsfvmydbawqibip.db
c:\windows\system32\UACpqjpibeexevnftiob.dll
c:\windows\system32\UACqiuoeuidrtkjtutub.dll
c:\windows\system32\UACvwauwbparrpiewmoe.dll
c:\windows\system32\vimc.exe
D:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://download.linksys.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSSERV
-------\Service_UACd.sys
-------\Legacy_RPCTFTPD


((((((((((((((((((((((((( Files Created from 2009-06-28 to 2009-07-29 )))))))))))))))))))))))))))))))
.

2009-07-28 23:04 . 2009-07-28 23:11 15 ----a-w- C:\settings.dat
2009-07-28 23:03 . 2009-07-28 16:14 471040 ----a-w- C:\RootRepeal.exe
2009-07-28 23:02 . 2009-07-28 23:02 463738 ----a-w- C:\RootRepeal.zip
2009-07-28 21:08 . 2009-07-28 21:08 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Office Genuine Advantage
2009-07-28 18:00 . 2009-07-28 18:04 -------- d-----w- C:\HostsXpert
2009-07-28 17:59 . 2009-07-28 17:59 353485 ----a-w- C:\HostsXpert.zip
2009-07-27 19:08 . 2009-07-27 19:08 -------- d-----w- c:\program files\Trend Micro
2009-07-23 08:15 . 2009-07-23 08:15 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
2009-07-23 07:46 . 2009-07-24 18:16 -------- d-----w- c:\program files\SpybotX - Search&Destroy
2009-07-22 20:55 . 2009-07-22 20:55 -------- d-----w- c:\documents and settings\Administrator.FAMILY-COMPUTER\Application Data\Malwarebytes
2009-07-22 06:09 . 2009-07-13 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-22 06:09 . 2009-07-13 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-22 06:09 . 2009-07-22 06:10 -------- d-----w- c:\program files\Kyle's Anti-Malware
2009-07-21 23:24 . 2009-07-21 23:24 -------- d-----w- c:\program files\CCleaner
2009-07-21 21:23 . 2009-07-21 21:23 604416 ----a-w- c:\windows\system32\TUProgSt.exe
2009-07-21 21:23 . 2009-04-27 21:21 28928 ----a-w- c:\windows\system32\uxtuneup.dll
2009-07-21 21:23 . 2009-07-21 21:23 361216 ----a-w- c:\windows\system32\TuneUpDefragService.exe
2009-07-21 21:22 . 2009-07-21 21:24 -------- d-----w- c:\program files\TuneUp Utilities 2009
2009-07-21 21:22 . 2009-07-21 21:22 -------- d-sh--w- c:\docume~1\ALLUSE~1\APPLIC~1\{55A29068-F2CE-456C-9148-C869879E2357}
2009-07-10 05:20 . 2009-07-18 00:17 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\FLVService
2009-07-10 05:20 . 2009-07-10 05:20 -------- d-----w- c:\windows\Ask & Record Toolbar

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-29 22:49 . 2009-05-14 04:12 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\avg8
2009-07-28 20:59 . 2009-01-15 01:00 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-28 20:46 . 2003-08-29 03:15 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-07-28 20:29 . 2003-08-29 03:16 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Symantec
2009-07-28 20:26 . 2004-07-23 08:17 -------- d-----w- c:\program files\Common Files\Java
2009-07-28 20:26 . 2003-11-03 03:19 -------- d-----w- c:\program files\Java
2009-07-28 20:04 . 2008-04-17 02:44 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
2009-07-28 18:36 . 2006-12-27 22:06 -------- d---a-w- c:\docume~1\ALLUSE~1\APPLIC~1\TEMP
2009-07-28 18:11 . 2007-01-28 05:53 -------- d-----w- c:\program files\eMulePlus
2009-07-24 18:16 . 2003-12-20 22:43 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2009-07-23 17:36 . 2003-12-20 22:42 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-21 22:15 . 2008-11-11 04:12 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-17 18:44 . 2009-05-14 04:12 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-10 06:27 . 2009-04-20 07:29 -------- d-----w- c:\program files\Media Catcher
2009-07-10 06:24 . 2009-04-20 07:30 323584 ----a-w- c:\windows\system32\AUDIOGENIE2.DLL
2009-06-28 22:38 . 2009-06-28 15:42 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\AVG Security Toolbar
2009-06-28 15:42 . 2009-06-28 15:42 -------- d-----w- c:\documents and settings\LocalService\Application Data\AVGTOOLBAR
2009-06-28 15:42 . 2009-05-14 04:12 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-28 15:42 . 2009-05-14 04:12 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-26 16:50 . 2005-06-18 07:49 666624 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:50 . 2004-08-04 07:56 81920 ------w- c:\windows\system32\ieencode.dll
2009-06-25 21:02 . 2008-08-24 05:01 -------- d-----w- c:\program files\MediaMonkey
2009-06-16 14:36 . 2003-08-08 16:18 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2003-08-08 15:35 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-06 19:39 . 2009-04-18 00:23 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-06-06 19:11 . 2006-07-23 17:57 -------- d-----w- c:\program files\DivX
2009-06-06 04:54 . 2003-12-06 04:44 -------- d-----w- c:\program files\Roms
2009-06-03 19:09 . 2005-08-30 17:14 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-21 22:25 . 2009-04-20 07:31 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe
2009-05-21 22:25 . 2009-04-20 07:31 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll
2009-05-14 04:12 . 2009-05-14 04:12 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-07 15:32 . 2003-08-08 16:23 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-01 21:02 . 2009-05-01 21:02 823296 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-05-01 21:02 . 2009-05-01 21:02 823296 ----a-w- c:\windows\system32\divx_xx07.dll
2009-05-01 21:02 . 2009-05-01 21:02 815104 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-05-01 21:02 . 2009-05-01 21:02 811008 ----a-w- c:\windows\system32\divx_xx16.dll
2009-05-01 21:02 . 2009-05-01 21:02 802816 ----a-w- c:\windows\system32\divx_xx11.dll
2009-05-01 21:02 . 2009-05-01 21:02 685056 ----a-w- c:\windows\system32\DivX.dll
2004-10-20 03:30 . 2004-10-20 03:23 8603976 ----a-w- c:\program files\gcsp20.exe
2004-08-20 02:56 . 2004-08-20 05:20 4918 ----a-w- c:\program files\DoomConfig.cfg
2002-03-23 01:50 . 2004-11-17 05:36 2061 -c--a-w- c:\program files\readme.txt
1997-04-09 00:41 . 2004-09-11 20:28 3934 -c--a-w- c:\program files\LICINFO.TXT
2009-07-22 03:04 . 2008-08-27 19:16 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-26 17:36 1008896 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-24 7696384]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-05-16 648504]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2008-05-22 451896]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-28 1948440]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-24 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-28 148888]

c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
AutoTBar.exe [2003-6-18 53248]
mod_sm.lnk - c:\hp\bin\cloaker.exe [1999-11-7 27136]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
mod_sm.lnk - c:\hp\bin\cloaker.exe [1999-11-7 27136]

c:\documents and settings\Administrator.FAMILY-COMPUTER\Start Menu\Programs\Startup\
AutoTBar.exe [2003-6-18 53248]
mod_sm.lnk - c:\hp\bin\cloaker.exe [1999-11-7 27136]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
AutoTBar.exe [2003-6-18 53248]
mod_sm.lnk - c:\hp\bin\cloaker.exe [1999-11-7 27136]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideShutdownScripts"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoVisualStyleChoice"= 0 (0x0)
"NoColorChoice"= 0 (0x0)
"NoSizeChoice"= 0 (0x0)
"HideLogonScripts"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 0 (0x0)
"NoHelp"= 0 (0x0)
"NoViewOnDrive"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoChangeAnimation"= 0 (0x0)
"RestrictCpl"= 0 (0x0)
"DisallowCpl"= 0 (0x0)
"NoViewOnDrive"= 0 (0x0)
"RestrictRun"= 0 (0x0)
"NoRecycleFiles"= 0 (0x0)
"ForceRecycleBinSize"= 0 (0x0)
"NoCustomizeWebView"= 0 (0x0)
"NoFileAssociate"= 0 (0x0)
"NoDFSTab"= 0 (0x0)
"NoCustomizeThisFolder"= 0 (0x0)
"NoWebView"= 0 (0x0)
"DontShowSuperHidden"= 0 (0x0)
"NoOnlinePrintsWizard"= 0 (0x0)
"NoPublishingWizard"= 0 (0x0)
"NoSMConfigurePrograms"= 0 (0x0)
"NoSMMyPictures"= 0 (0x0)
"NoStartMenuMyMusic"= 0 (0x0)
"NoHelp"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
"NoStartMenuEjectPC"= 0 (0x0)
"NoSimpleStartMenu"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)
"NoDisconnect"= 0 (0x0)
"NoNtSecurity"= 0 (0x0)
"GreyMSIAds"= 0 (0x0)
"ForceMaxRecentDocs"= 0 (0x0)
"NoSMBalloonTip"= 0 (0x0)
"NoSMBalloonTips"= 0 (0x0)
"NoTaskGrouping"= 0 (0x0)
"NoWebServices"= 0 (0x0)
"NoFileUrl"= 0 (0x0)
"NoExpandedNewMenu"= 0 (0x0)
"SpecifyDefaultButtons"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
"PromptRunasInstallNetPath"= 1 (0x1)
"NoResolveTrack"= 0 (0x0)
"NoDevMgrUpdate"= 0 (0x0)
"NoThumbnailCache"= 0 (0x0)
"ForceCopyAclwithFile"= 0 (0x0)
"StartRunNoHOMEPATH"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoThemesTab"= 0 (0x0)
"NoChangeAnimation"= 0 (0x0)
"RestrictCpl"= 0 (0x0)
"DisallowCpl"= 0 (0x0)
"NoViewOnDrive"= 0 (0x0)
"RestrictRun"= 0 (0x0)
"DisallowRun"= 0 (0x0)
"NoRecycleFiles"= 0 (0x0)
"ForceRecycleBinSize"= 0 (0x0)
"NoCustomizeWebView"= 0 (0x0)
"NoFileAssociate"= 0 (0x0)
"NoDFSTab"= 0 (0x0)
"NoCustomizeThisFolder"= 0 (0x0)
"NoWebView"= 0 (0x0)
"DontShowSuperHidden"= 0 (0x0)
"NoOnlinePrintsWizard"= 0 (0x0)
"NoPublishingWizard"= 0 (0x0)
"NoSMConfigurePrograms"= 0 (0x0)
"NoSMMyPictures"= 0 (0x0)
"NoStartMenuMyMusic"= 0 (0x0)
"NoHelp"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
"NoStartMenuEjectPC"= 0 (0x0)
"NoSimpleStartMenu"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)
"NoDisconnect"= 0 (0x0)
"NoNtSecurity"= 0 (0x0)
"GreyMSIAds"= 0 (0x0)
"ForceMaxRecentDocs"= 0 (0x0)
"NoSMBalloonTip"= 0 (0x0)
"NoSMBalloonTips"= 0 (0x0)
"HideClock"= 0 (0x0)
"NoTaskGrouping"= 0 (0x0)
"NoWebServices"= 0 (0x0)
"NoFileUrl"= 0 (0x0)
"NoExpandedNewMenu"= 0 (0x0)
"SpecifyDefaultButtons"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
"PromptRunasInstallNetPath"= 1 (0x1)
"NoResolveTrack"= 0 (0x0)
"NoDevMgrUpdate"= 0 (0x0)
"NoThumbnailCache"= 0 (0x0)
"ForceCopyAclwithFile"= 0 (0x0)
"StartRunNoHOMEPATH"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
2003-02-21 10:50 40960 ----a-w- c:\program files\Softex\OmniPass\OPXPGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-28 15:42 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^msmsgs.exe]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Sonic CinePlayer Quick Launch.lnk]
backup=c:\windows\pss\Sonic CinePlayer Quick Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
backup=c:\windows\pss\Updates from HP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]
backup=c:\windows\pss\spamsubtract.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Messenger"=3 (0x3)
"BITS"=2 (0x2)
"Fax"=3 (0x3)
"SNDSrvc"=3 (0x3)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"iPodService"=3 (0x3)
"avast! Web Scanner"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)
"avast! Antivirus"=2 (0x2)
"aswUpdSv"=2 (0x2)
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"VSS"=3 (0x3)
"Schedule"=2 (0x2)
"IDriverT"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"TUWinStylerThemeSvc"=3 (0x3)
"CachemanXPService"=3 (0x3)
"iPod Service"=3 (0x3)
"AresChatServer"=3 (0x3)
"usnjsvc"=3 (0x3)
"Client IP-IPX"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"Bonjour Service"=2 (0x2)
"PnkBstrA"=2 (0x2)
"Creative Service for CDROM Access"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"navapsvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"nwiz"=nwiz.exe /install

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Video Player\\GoogleVideoPlayer.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\TrackMania Sunrise\\TmSunrise.exe"=
"c:\\Documents and Settings\\Owner\\My Documents\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaws.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgui.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgtray.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Media Catcher\\MediaCatcher.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4662:TCP"= 4662:TCP:eMule
"4672:UDP"= 4672:UDP:eMule
"4663:TCP"= 4663:TCP:eMule2
"4673:UDP"= 4673:UDP:eMule22
"67:UDP"= 67:UDP:DHCP Discovery Service

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/13/2009 9:12 PM 335752]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/13/2009 9:12 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [5/13/2009 9:12 PM 907032]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/13/2009 9:12 PM 298776]
S2 mrtRate;mrtRate; [x]
S3 pohci13F;pohci13F;\??\c:\docume~1\Owner\LOCALS~1\Temp\pohci13F.sys --> c:\docume~1\Owner\LOCALS~1\Temp\pohci13F.sys [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-BHR - c:\program files\Browser Hijack Retaliator 4.5\BHR.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.netscape.com/
uDefault_Search_URL = hxxp://srch-ca9.hpwis.com/
mStart Page = hxxp://ca9.hpwis.com/
mSearch Bar = hxxp://srch-ca9.hpwis.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost;*.local
LSP: SpSubLSP.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\docume~1\Owner\APPLIC~1\Mozilla\Firefox\Profiles\oxkf16ee.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - www.netscape.com
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - .

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-29 16:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(784)
c:\program files\Softex\OmniPass\opxpgina.dll

- - - - - - - > 'lsass.exe'(844)
c:\windows\system32\SpSubLSP.dll

- - - - - - - > 'explorer.exe'(2200)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Softex\OmniPass\omniServ.exe
c:\windows\system32\TUProgSt.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\Softex\OmniPass\OPXPApp.exe
c:\windows\system32\wscntfy.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqimzone.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2009-07-29 16:43 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-29 23:43

Pre-Run: 3,607,453,696 bytes free
Post-Run: 3,441,811,456 bytes free

468 --- E O F --- 2009-07-28 20:41
Kenny94
QUOTE
Here is the combofix log. It also asked me to write down several file names during the initial scan that had to do with rootkit activity so I have those if you need them.

WOW! I wish all users would take their time and write down stuff.... I see them, thanks!

  • Launch Malwarebytes' Anti-Malware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Also, please let me know how things are running now?
takethembowling
I ran the Malwarebytes quick scan and nothing was found. I don't see iexplorer running in the background anymore, my computer hasn't frozen or crashed since using ComboFix (I would know by now, it was like every 10min) and everything seems to be running smoothly. Thanks for all the help and guiding me through this process.

Malwarebytes' Anti-Malware 1.39
Database version: 2524
Windows 5.1.2600 Service Pack 3

7/29/2009 6:51:41 PM
mbam-log-2009-07-29 (18-51-41).txt

Scan type: Quick Scan
Objects scanned: 108164
Time elapsed: 9 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
Kenny94
Some final items:


Follow these steps to uninstall Combofix and all of its files and components.
  • Click START then RUN
  • Now type ComboFix /u in the runbox and click OK. Note the space between the X and the U; it needs to be there.



Now that your system is clean you should SET A NEW RESTORE POINT to prevent future reinfection from the old restore point AFTER cleaning your system of any malware infection. Any trojans or spyware you picked up could have been saved in System Restore and are waiting to re-infect you. Since System Restore is a protected directory, your tools can not access it to delete files, trapping viruses inside. Setting a new restore point should be done to prevent any future reinfection from the old restore point and enable your computer to "roll-back" in case there is a future problem.

To SET A NEW RESTORE POINT:
1. Go to Start > Programs > Accessories > System Tools and click "System Restore".
2. Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
3. Then go to Start > Run and type: Cleanmgr
4. Click "OK".
5. Click the "More Options" Tab.
6. Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

Graphics for doing this are in the following links if you need them.
How to Create a Restore Point.
How to use Cleanmgr.



Here is some useful information on keeping your computer clean:
  1. Most important thing is to make sure Windows is kept up to date with the latest patches and updates from Windows Update.
  2. Here are two great Preventive programs:
  1. SpywareBlaster protects you from malicious ActiveX controls and cookies. Make sure and check for updates twice a month.
  2. Surf Safe with McAfee's SiteAdvisor. SiteAdvisor will work with Internet Explorer and Mozilla Firefox. SiteAdvisor is a browser plugin that assigns a safety rating to domains listed in your search engine. SiteAdvisor uses the following color codes to indicate the safety level of each site.
  1. Red for Warning
  2. Yellow for Use Caution
  3. Green for Safe
  4. Grey for Unknown


Here are the links to install SiteAdvisor in Internet Explorer and Firefox.



Now you should Clean up your PC


Here are some additional links for you to check out to help you with your computer security.

How did I get infected in the first place.

Secunia software inspector & update checker

It was nice working with you takethembowling....

Kenny
Invision Power Board © 2001-2010 Invision Power Services, Inc.