Persistent/Returning trojans and whatnot. (Malwarebytes Forum, Malware Removal - HijackThis Logs)
MattM22
Greetings all. First time poster, and sorry that it is not under better circumstances.

I was infected a few days ago with a nasty virus that brought my computer to its knees, but with the help of Malwarebytes, I am back to a point where I have been able to back up all of my files.

HOWEVER, I keep running Malwarebytes just to be sure that the system is clean, and almost every time, it finds a new virus or trojan horse. I instruct mwb to remove it, which it does, but a few hours later, something new shows up. My infected machine has been disconnected from the network for days.

Here is the first MWB log from my very first scan:

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 6.0.6001 Service Pack 1 (Safe Mode)

9/27/2009 4:20:30 PM
mbam-log-2009-09-27 (16-20-30).txt

Scan type: Quick Scan
Objects scanned: 85425
Time elapsed: 3 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 14
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{59006ffb-69cc-4263-b2da-d7a545faa510} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\btwsrv (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\btwsrv (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\btwsrv (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sofatnet (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sofatnet (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sofatnet (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hazelemus (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\19181894 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{59006ffb-69cc-4263-b2da-d7a545faa510} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\norafilav (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\BuildW (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\FirstInstallFlag (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\guid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mso (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udso (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Ulrn (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Update (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\UpdateNew (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\meridewa.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\meridewa.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\ProgramData\19181894 (Rogue.Multiple.H) -> Quarantined and deleted successfully.

Files Infected:
c:\Windows\System32\meridewa.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\ProgramData\19181894\19181894 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\ProgramData\19181894\19181894.exe (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\ProgramData\19181894\pc19181894ins (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\Windows\System32\BtwSrv.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\sofatnet.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\System32\wiwow64.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\System32\wmdtc.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\System32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\System32\nabukeyu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

Here is the log from a scan I did tonight:
Malwarebytes' Anti-Malware 1.41
Database version: 2867
Windows 6.0.6002 Service Pack 2

10/1/2009 2:12:46 AM
mbam-log-2009-10-01 (02-12-46).txt

Scan type: Quick Scan
Objects scanned: 90375
Time elapsed: 3 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.

Here is my HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:32:45 AM, on 10/1/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\hp\support\hpsysdrv.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Portrait Displays\Pivot Software\wpCtrl.exe
C:\Program Files\Portrait Displays\HP My Display\dthtml.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Windows\system32\schtasks.exe
C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Roxio\Media Experience\DMXLauncher.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Panasonic\MotionSD STUDIO\SD_Browser\AutoLauncher.exe
C:\Windows\system32\jusched.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Portrait Displays\Pivot Software\floater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\hp\kbd\kbd.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [SunJavaUpdateReg] "C:\Windows\system32\jureg.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe"
O4 - HKLM\..\Run: [DT HPW] C:\Program Files\Portrait Displays\HP My Display\DTHtml.exe -startup_folder
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [NexusServer] "C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe" -SelfLaunch
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\Windows\system32\rundll32.exe C:\Windows\TEMP\492534xxx.dll,DllMain (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\Windows\system32\rundll32.exe C:\Windows\TEMP\492534xxx.dll,DllMain (User 'Default user')
O4 - Startup: ePrompter.lnk = C:\Program Files\ePrompter\ePrompter.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MotionSD STUDIO - SD Browser auto start -.lnk = C:\Program Files\Panasonic\MotionSD STUDIO\SD_Browser\AutoLauncher.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {26B2A5DA-BFD6-422F-A89A-28A54C74B12B} (Photo Upload Plugin Class) - http://www.costcophotocenter.com/upload/ac...veX_Control.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://webvpn.jpmorganchase.com/dana-cache...SetupClient.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O20 - AppInit_DLLs: hojayefe.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\Windows\System32\bgsvcgen.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HauppaugeTVServer - Hauppauge Computer Works - C:\PROGRA~1\WinTV\HCWTVS~1.EXE
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 11744 bytes

Any advice would be greatly appreciated! thanks!
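The two logs above are what a malware-removal helper reads for persistence: the O20 AppInit_DLLs entry (hojayefe.dll, the same mechanism MBAM already cleaned for meridewa.dll), the SYSTEM/Default-user Run entries that have rundll32 load a DLL out of C:\Windows\TEMP, the BHO and toolbar CLSIDs that point at no file, and, in the ComboFix output further down, EnableLUA=0 and the Security Center DisableMonitoring values. As an added example that is not part of this thread and is not a Malwarebytes, HijackThis or ComboFix tool, the script below runs those checks over log text. The sample lines are copied from the posted logs; the rule names, severities and the "generated name" heuristic for Vundo-style file names (meridewa, hojayefe, nabukeyu) are this example's own assumptions. It works on the saved log rather than the live registry, so it runs on any machine.

```python
"""Triage HijackThis / ComboFix text logs for persistence and tampering indicators.

Added example for this thread, not a Malwarebytes, HijackThis or ComboFix tool.
Rule names, severities and the generated-name heuristic are this example's own
assumptions; the sample lines are copied from the logs posted in the thread.
"""
from __future__ import annotations

import re
import sys
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a few lines copied from the HijackThis and ComboFix logs in the thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\Windows\system32\rundll32.exe C:\Windows\TEMP\492534xxx.dll,DllMain (User 'SYSTEM')
O20 - AppInit_DLLs: hojayefe.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "low"
    rule: str
    line: str


# HijackThis O20: AppInit_DLLs are loaded into every process that maps user32.dll.
_O20 = re.compile(r"^O20 - AppInit_DLLs:\s*\S")
# HijackThis O2 (BHO) / O3 (toolbar) entries whose DLL no longer exists on disk.
_NOFILE = re.compile(r"^O[23] - .*\(no file\)\s*$")
# Any autostart command that points into a Temp directory.
_TEMP_DIR = re.compile(r"\\temp\\", re.I)
# ComboFix "Reg Loading Points": UAC switched off, Security Center monitoring off.
_LUA_OFF = re.compile(r'^"EnableLUA"=\s*0\b')
_SC_MON_OFF = re.compile(r'^"DisableMonitoring"=dword:0*1$')
# Module stems (file name without extension) mentioned anywhere on a line.
_MODULE = re.compile(r"([\w~$-]+)\.(?:dll|exe|sys)\b", re.I)

_VOWELS = set("aeiou")


def looks_generated(stem: str) -> bool:
    """Heuristic (an assumption of this example) for Vundo-style generated names
    such as meridewa or hojayefe: letters only, at least 7 long, strictly
    alternating consonant/vowel ('y' counts as a consonant). Low confidence on
    its own; weigh it together with where the file lives and what loads it."""
    s = stem.lower()
    if len(s) < 7 or not s.isalpha():
        return False
    is_vowel = [c in _VOWELS for c in s]
    return all(a != b for a, b in zip(is_vowel, is_vowel[1:]))


def triage(log_text: str) -> list[Finding]:
    """Apply every rule to every non-empty line and return all findings."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if _O20.match(line):
            findings.append(Finding("high", "appinit_dlls", line))
        if line.startswith("O4 - ") and _TEMP_DIR.search(line):
            findings.append(Finding("high", "autorun_from_temp", line))
        if _NOFILE.match(line):
            findings.append(Finding("low", "orphaned_clsid", line))
        if _LUA_OFF.match(line):
            findings.append(Finding("medium", "uac_disabled", line))
        if _SC_MON_OFF.match(line):
            findings.append(Finding("medium", "security_center_monitoring_off", line))
        for stem in _MODULE.findall(line):
            if looks_generated(stem):
                findings.append(Finding("low", f"generated_name:{stem}", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, e.g. {'high': 2, 'medium': 2, 'low': 2}."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    # Usage: python triage.py hijackthis.log   (falls back to the embedded sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    results = triage(text)
    for f in results:
        print(f"[{f.severity:6}] {f.rule:32} {f.line}")
    print(summarize(results))
```

On the sample this reports two high findings (the AppInit_DLLs entry and the SYSTEM Run entry loading a DLL from TEMP), two medium ones (UAC off, Security Center monitoring off) and two low ones (the orphaned BHO CLSID and the generated-looking name hojayefe). The orphaned CLSIDs are cleanup, not infection; the high findings are the places to look when detections keep coming back on an offline machine, because a loader that survives in one of them will recreate whatever MBAM removes.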




miekiemoes
Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.


MattM22
Thanks for your time, and the new instructions. Prior to reading your response, I ran Malwarebytes again, and it found another trojan. So they are still popping up! I can post the log for that if you are interested.

Here is the ComboFix log...

ComboFix 09-10-04.01 - Matt Munson 10/05/2009 17:42.1.4 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3071.1979 [GMT -4:00]
Running from: c:\users\Matt Munson\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1229 [VPS 091004-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: avast! antivirus 4.8.1229 [VPS 091004-0] *disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\$recycle.bin\S-1-5-21-2367982984-1444817323-3124917685-500
c:\$recycle.bin\S-1-5-21-84770381-3685546523-247238146-500
c:\$recycle.bin\S-1-5-21-909821549-444324555-4134441507-1000
c:\users\Matt Munson\AppData\Roaming\inst.exe
c:\windows\run.log
c:\windows\system32\Install.txt
c:\windows\system32\lsprst7.dll
c:\windows\system32\ssprs.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MDTDISK
-------\Service_mdtdisk


((((((((((((((((((((((((( Files Created from 2009-09-05 to 2009-10-05 )))))))))))))))))))))))))))))))
.

2009-10-01 08:55 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-10-01 08:46 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-10-01 08:45 . 2009-10-01 08:46 -------- d-----w- c:\programdata\Lavasoft
2009-10-01 08:45 . 2009-10-01 08:45 -------- d-----w- c:\program files\Lavasoft
2009-10-01 06:30 . 2009-10-01 06:30 -------- d-----w- c:\program files\Trend Micro
2009-10-01 06:25 . 2009-10-01 08:45 -------- dc-h--w- c:\programdata\{EF63305C-BAD7-4144-9208-D65528260864}
2009-09-28 21:37 . 2009-09-28 21:38 -------- d-----w- c:\windows\system32\ca-ES
2009-09-28 21:37 . 2009-09-28 21:38 -------- d-----w- c:\windows\system32\eu-ES
2009-09-28 21:37 . 2009-09-28 21:38 -------- d-----w- c:\windows\system32\vi-VN
2009-09-28 15:36 . 2009-09-28 15:36 -------- d-----w- c:\windows\system32\EventProviders
2009-09-28 03:22 . 2009-09-28 03:22 -------- d-----w- c:\programdata\Office Genuine Advantage
2009-09-28 02:24 . 2009-06-22 10:09 2048 ----a-w- c:\windows\system32\tzres.dll
2009-09-28 01:54 . 2008-07-27 18:03 41984 ----a-w- c:\windows\system32\netfxperf.dll
2009-09-28 01:52 . 2009-09-28 01:52 -------- d-----w- c:\program files\CONEXANT
2009-09-28 01:51 . 2009-08-14 16:27 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-09-28 01:51 . 2009-08-14 13:48 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-09-28 01:51 . 2009-08-14 13:48 105984 ----a-w- c:\windows\system32\netiohlp.dll
2009-09-28 01:51 . 2009-08-14 13:49 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-09-28 01:51 . 2009-08-14 13:49 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-09-28 01:51 . 2009-08-14 13:49 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-09-28 01:51 . 2009-08-14 13:49 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-09-28 01:51 . 2009-08-14 13:49 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-09-28 01:51 . 2009-08-14 13:49 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-09-28 01:51 . 2009-08-14 13:49 10240 ----a-w- c:\windows\system32\finger.exe
2009-09-28 01:51 . 2009-08-14 15:53 17920 ----a-w- c:\windows\system32\netevent.dll
2009-09-28 01:49 . 2009-07-15 12:39 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-09-28 01:49 . 2009-07-15 12:39 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-09-28 01:49 . 2009-07-15 12:40 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-09-28 01:49 . 2009-06-04 12:07 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-09-28 01:49 . 2009-04-11 06:28 53248 ----a-w- c:\windows\system32\tsgqec.dll
2009-09-28 01:49 . 2009-04-11 06:28 136192 ----a-w- c:\windows\system32\aaclient.dll
2009-09-28 01:49 . 2009-07-17 13:54 71680 ----a-w- c:\windows\system32\atl.dll
2009-09-28 01:49 . 2009-06-10 11:38 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-09-28 01:49 . 2009-06-10 11:42 160256 ----a-w- c:\windows\system32\wkssvc.dll
2009-09-28 01:48 . 2009-04-11 06:28 1696768 ----a-w- c:\windows\system32\gameux.dll
2009-09-28 01:48 . 2009-08-29 00:14 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-09-28 01:48 . 2009-08-29 00:27 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-09-27 20:12 . 2009-09-27 20:12 -------- d-----w- c:\users\Matt Munson\AppData\Roaming\Malwarebytes
2009-09-27 20:12 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-27 20:12 . 2009-09-27 20:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-27 20:12 . 2009-09-27 20:12 -------- d-----w- c:\programdata\Malwarebytes
2009-09-27 20:12 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-27 15:39 . 2009-09-27 15:39 -------- d-----w- C:\337b6016532e636ec66197a2
2009-09-27 15:38 . 2009-09-27 15:39 -------- d-----w- C:\9b2c6f260054f90a96323606
2009-09-25 11:55 . 2009-09-25 11:55 -------- d-----w- c:\users\Matt Munson\AppData\Roaming\Logs
2009-09-09 01:09 . 2009-09-09 01:09 -------- d-----w- c:\program files\Comical
2009-09-08 14:06 . 2009-09-08 14:44 -------- d-----w- c:\users\Matt Munson\AppData\Roaming\ICAClient
2009-09-08 14:03 . 2009-09-25 23:40 -------- d-----w- c:\program files\Citrix
2009-09-08 13:52 . 2009-09-08 13:52 -------- d-----w- c:\program files\Juniper Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-30 02:15 . 2008-09-12 10:52 -------- d-----w- c:\users\Matt Munson\AppData\Roaming\uTorrent
2009-09-28 21:38 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-09-28 21:38 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-09-28 21:38 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-09-28 21:38 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-09-28 21:38 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2009-09-28 21:38 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-09-28 21:38 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-09-28 00:58 . 2008-08-21 11:51 -------- d-----w- c:\users\Matt Munson\AppData\Roaming\Vso
2009-09-09 00:59 . 2008-09-23 20:02 -------- d-----w- c:\programdata\WebEx
2009-09-08 23:14 . 2009-03-03 03:10 -------- d-----w- c:\programdata\VMware
2009-09-08 23:08 . 2007-11-27 18:59 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-08 13:52 . 2009-08-13 19:22 -------- d-----w- c:\users\Matt Munson\AppData\Roaming\Juniper Networks
2009-08-17 17:24 . 2009-08-17 17:12 -------- d-----w- c:\program files\ACE Mega CoDecS Pack
2009-08-17 17:13 . 2008-08-02 00:30 -------- d-----w- c:\program files\QuickTime
2009-08-17 17:11 . 2008-10-25 10:41 -------- d-----w- c:\program files\DivX
2009-08-17 00:06 . 2009-08-17 00:06 -------- d-----w- c:\users\Matt Munson\AppData\Roaming\AVS4YOU
2009-08-17 00:06 . 2009-08-17 00:06 -------- d-----w- c:\programdata\AVS4YOU
2009-08-17 00:04 . 2009-08-17 00:04 -------- d-----w- c:\program files\AVS4YOU
2009-08-17 00:04 . 2009-08-17 00:04 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-08-13 19:21 . 2009-08-13 19:21 -------- d-----w- c:\users\Matt Munson\AppData\Roaming\WholeSecurity
2009-08-08 20:36 . 2009-08-08 20:36 -------- d-----w- c:\programdata\Steinberg
2009-08-08 20:36 . 2008-08-01 07:13 -------- d-----w- c:\users\Matt Munson\AppData\Roaming\Steinberg
2009-08-08 20:34 . 2009-08-08 20:27 -------- d-----w- c:\program files\Syncrosoft
2009-08-08 20:24 . 2008-08-01 07:04 -------- d-----w- c:\program files\Steinberg
2009-08-03 19:07 . 2009-08-03 19:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 19:07 . 2009-08-03 19:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 19:07 . 2009-08-03 19:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2009-07-21 21:52 . 2009-09-28 02:20 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-09-28 02:20 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-09-28 02:20 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-09-28 02:20 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-15 12:39 . 2009-09-28 01:50 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-11 19:01 . 2009-09-28 01:50 513536 ----a-w- c:\windows\system32\wlansvc.dll
2009-07-11 19:01 . 2009-09-28 01:50 293376 ----a-w- c:\windows\system32\wlanmsm.dll
2009-07-11 19:01 . 2009-09-28 01:50 302592 ----a-w- c:\windows\system32\wlansec.dll
2009-07-11 19:01 . 2009-09-28 01:50 65024 ----a-w- c:\windows\system32\wlanapi.dll
2009-07-11 17:03 . 2009-09-28 01:50 127488 ----a-w- c:\windows\system32\L2SecHC.dll
2008-07-31 22:49 . 2008-07-31 22:49 22 --sha-w- c:\windows\SMINST\HPCD.sys
2007-11-27 18:30 . 2007-11-27 18:25 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-09-20 455968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-13 178712]
"SunJavaUpdateReg"="c:\windows\system32\jureg.exe" [2007-04-07 54936]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"PivotSoftware"="c:\program files\Portrait Displays\Pivot Software\wpctrl.exe" [2007-02-09 694008]
"DT HPW"="c:\program files\Portrait Displays\HP My Display\DTHtml.exe" [2007-04-25 280064]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-12 623992]
"NexusServer"="c:\program files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe" [2007-03-27 389120]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-08-27 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-08-27 8473120]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-08-27 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-02 289576]
"DMXLauncher"="c:\program files\Roxio\Media Experience\DMXLauncher.exe" [2006-08-14 102400]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-01-15 4874240]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-3 210520]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
MotionSD STUDIO - SD Browser auto start -.lnk - c:\program files\Panasonic\MotionSD STUDIO\SD_Browser\AutoLauncher.exe [2009-2-16 66952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):7d,40,26,b8,84,40,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2367982984-1444817323-3124917685-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{FB1AB64A-2731-4528-BD01-9CDEFC4B540E}"= c:\program files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{CEC64574-D0EA-4F55-AD99-0A333B0A2448}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{D308FC1C-6AC1-4D39-AB2F-31B4D8AD38C0}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{8EB3973D-7F1D-4B3B-A2FC-53719028B29D}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{B03AB320-29E8-4B5B-903F-169D71C869DA}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{AE0E68C1-3842-4908-B185-591EA83F4343}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{31DD8186-E214-435B-B382-CBBD7EB3AC9D}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{E0FBF8EC-409E-413F-849E-275A92D2AFA5}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{7625F928-2BDA-4C6F-99E7-DDB1375A25C7}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{DEBE9411-6532-469D-A4C0-F139A8911083}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{CA63FBC4-9AF8-4758-814A-7CF4D7B24293}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{5ADAB633-6375-4F88-9B69-8F9B8572581C}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{CC865BB5-4384-4D14-A045-0D85F3DE17B9}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{8F8FAA07-B036-4E98-9746-FE6135BACD57}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{107BEAD5-41B6-4EC7-B761-2AECA61294A6}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{D0A9C181-05FF-475D-8911-74BE456FA06E}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{9BC07D3E-F5BA-41F5-85A4-B6215E603FB3}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"TCP Query User{4C0658F9-6605-4539-BC69-4CE3CF249C51}c:\\program files\\adobe\\adobe flash cs3\\flash.exe"= UDP:c:\program files\adobe\adobe flash cs3\flash.exe:Adobe Flash CS3
"UDP Query User{20042665-9111-447E-B1F6-F78A19DD848A}c:\\program files\\adobe\\adobe flash cs3\\flash.exe"= TCP:c:\program files\adobe\adobe flash cs3\flash.exe:Adobe Flash CS3
"TCP Query User{6E40606E-3925-4178-8C77-55EBD672E17D}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:µTorrent
"UDP Query User{329E8F33-245D-4CF7-BA9D-046EE1962CCC}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:µTorrent
"{E6C209A8-50DD-497C-BC60-D9652F492392}"= UDP:c:\windows\explorer.exe:explorer
"{9EF6F52F-BA4B-4936-B414-E858C3AA5DE6}"= TCP:c:\windows\explorer.exe:explorer
"{FE336DCD-A50E-4939-85EE-C95426509586}"= UDP:c:\program files\Alwil Software\Avast4\ashDisp.exe:ashDisp
"{D35AD1B9-189D-491F-AEBE-61F71C9937F6}"= TCP:c:\program files\Alwil Software\Avast4\ashDisp.exe:ashDisp
"{27D8BC5B-4593-4B96-A4FF-0B9EDCF1DBA6}"= UDP:c:\program files\Alwil Software\Avast4\ashDisp.exe:ashDisp
"{CAAE318B-3D6D-4680-8855-D0821E9848BE}"= TCP:c:\program files\Alwil Software\Avast4\ashDisp.exe:ashDisp
"{3A210E33-45EE-4690-86CD-66CA3FE9DFB4}"= UDP:c:\windows\System32\wininit.exe:wininit
"{942F891F-65AD-4B05-9124-303F834756EC}"= TCP:c:\windows\System32\wininit.exe:wininit
"{75BC712E-A22A-4ECF-A4C1-631C94614ADE}"= UDP:c:\windows\System32\wininit.exe:wininit
"{0B5EBA88-31B6-4EB8-9EE5-AF22202FBF32}"= TCP:c:\windows\System32\wininit.exe:wininit
"{FD9A974C-D7A8-416A-9F11-8EE1BA216F64}"= UDP:c:\windows\System32\winlogon.exe:winlogon
"{06AB9CF2-2DF4-4EF9-A346-8B296DDEE738}"= TCP:c:\windows\System32\winlogon.exe:winlogon
"{F3ADBBD2-65AE-49B4-B9B8-0A41F473CF96}"= UDP:c:\windows\System32\winlogon.exe:winlogon
"{515B2C5D-8241-442C-A902-C21B8A14CD9A}"= TCP:c:\windows\System32\winlogon.exe:winlogon
"{A41FB50E-F69B-4C4F-92FD-F85BCD2FFBA5}"= UDP:c:\windows\System32\winlogon.exe:winlogon
"{B17F811A-B470-48D1-B865-EC6C53A7947E}"= TCP:c:\windows\System32\winlogon.exe:winlogon

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [10/1/2009 4:46 AM 64160]
R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [9/12/2008 6:31 AM 78416]
R1 NEOFLTR_630_13971;Juniper Networks TDI Filter Driver (NEOFLTR_630_13971);c:\windows\System32\drivers\NEOFLTR_630_13971.sys [2/18/2009 5:58 AM 64480]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [9/12/2008 6:31 AM 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [9/12/2008 6:31 AM 51280]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 10:49 AM 1028432]
R3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\System32\drivers\HCW85BDA.sys [11/27/2007 3:01 PM 1129344]
S3 HauppaugeTVServer;HauppaugeTVServer;c:\progra~1\WinTV\HCWTVS~1.EXE [8/6/2008 3:51 AM 815104]
S3 SynasUSB;SynasUSB;c:\windows\System32\drivers\synasUSB.sys [8/8/2009 4:27 PM 23288]
S3 VST_DPV;VST_DPV;c:\windows\System32\drivers\VSTDPV3.SYS [9/19/2008 7:33 PM 987648]
S3 VSTHWBS2;VSTHWBS2;c:\windows\System32\drivers\VSTBS23.SYS [9/19/2008 7:33 PM 251904]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\System32\drivers\wdcsam.sys [4/16/2008 12:27 PM 11520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-10-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 08:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://mail.yahoo.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
DPF: {26B2A5DA-BFD6-422F-A89A-28A54C74B12B} - hxxp://www.costcophotocenter.com/upload/activex/v3_0_0_4/PhotoCenter_ActiveX_Control.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://webvpn.jpmorganchase.com/dana-cached/sc/JuniperSetupClient.cab
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-msnmsgr - c:\program files\Windows Live\Messenger\msnmsgr.exe
HKLM-Run-HP Health Check Scheduler - [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
AddRemove-Steinberg Cubase SX v2.01 - c:\progra~1\STEINB~1\CUBASE~1\UNWISE.EXE



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2367982984-1444817323-3124917685-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:50,19,e2,a4,be,ef,3b,d0,e9,4c,ed,5c,9e,7e,77,98,0d,12,34,6d,7a,a0,a0,
94,e3,65,55,63,ad,e1,78,d7,3c,ec,14,c8,a9,cd,48,35,69,39,e7,c6,b8,9e,95,b1,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:e8,c6,93,54,48,fc,f0,1a,94,21,c9,6c,00,43,bf,78,24,3d,b0,97,59,
cf,88,84,dc,cb,1d,1b,2c,df,99,25,09,32,6b,fe,cb,dc,99,59,cd,25,15,40,95,3f,\

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:e8,c6,93,54,48,fc,f0,1a,94,21,c9,6c,00,43,bf,78,24,3d,b0,97,59,
cf,88,84,dc,cb,1d,1b,2c,df,99,25,09,32,6b,fe,cb,dc,99,59,cd,25,15,40,95,3f,\

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\Default_Monitor\5&17752677&0&UID256\Properties\{83da6326-97a6-4088-9453-a1923f573b29}]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\Default_Monitor\5&17752677&0&UID256\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26CF\5&17752677&0&UID273\Device Parameters\MODES]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26CF\5&17752677&0&UID273\Properties\{83da6326-97a6-4088-9453-a1923f573b29}]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26CF\5&17752677&0&UID273\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}]
@DACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(4360)
c:\program files\Portrait Displays\Pivot Software\winphook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\System32\bgsvcgen.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\windows\System32\drivers\XAudio.exe
c:\windows\System32\WUDFHost.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\windows\System32\wbem\unsecapp.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
c:\windows\System32\wbem\WMIADAP.exe
c:\windows\System32\schtasks.exe
c:\windows\System32\jusched.exe
c:\program files\Alwil Software\Avast4\ashDisp.exe
c:\program files\Common Files\Portrait Displays\Shared\HookManager.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\rundll32.exe
c:\program files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXKERNL.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2009-10-05 17:57 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-05 21:57

Pre-Run: 189,437,235,200 bytes free
Post-Run: 191,483,330,560 bytes free

349 --- E O F --- 2009-10-05 21:05




Thanks again for your time and expertise. I really appreciate it.
m
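The ComboFix dump above records several settings that weaken the machine's own defences (EnableLUA=0, EnableFirewall=0, Security Center DisableMonitoring=1) and inbound Windows Firewall allow rules naming wininit.exe, winlogon.exe and explorer.exe, binaries that do not accept inbound connections. The log alone does not say whether the user or the malware set them. The script below is an added example by the editor, not ComboFix output or any tool from the thread: it parses an excerpt constructed from the dump above and flags those items. The list of binaries that should never carry an inbound rule is the editor's assumption.

```python
"""Flag security-weakening settings in a ComboFix-style registry dump.

Added example, not part of the forum thread and not ComboFix's own
logic. SAMPLE_DUMP is a constructed excerpt in the format of the log
above; the heuristics (UAC off, Windows Firewall off, Security Center
monitoring off, inbound firewall rules naming core OS binaries) are the
editor's assumptions about what deserves a second look.
"""
import re

SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{FB1AB64A-2731-4528-BD01-9CDEFC4B540E}"= c:\program files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{D0A9C181-05FF-475D-8911-74BE456FA06E}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{E6C209A8-50DD-497C-BC60-D9652F492392}"= UDP:c:\windows\explorer.exe:explorer
"{3A210E33-45EE-4690-86CD-66CA3FE9DFB4}"= UDP:c:\windows\System32\wininit.exe:wininit
"{FD9A974C-D7A8-416A-9F11-8EE1BA216F64}"= UDP:c:\windows\System32\winlogon.exe:winlogon

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
"""

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
# Rule values look like "UDP:<path>:<label>" or just "<path>:<label>".
RULE_RE = re.compile(r"^(?:(?:tcp|udp):)?(?P<path>[a-z]:\\[^:]+):(?P<label>.*)$", re.I)

# Core Windows binaries that do not accept inbound connections. An inbound
# allow rule naming one of them was not created by Windows setup and should
# be explained (editor's list; not exhaustive and not an official one).
NO_INBOUND_RULE_EXPECTED = {"wininit.exe", "winlogon.exe", "explorer.exe", "csrss.exe", "smss.exe"}


def parse_values(dump):
    """Yield (key, name, value) for every value line under a [key] header."""
    key = None
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        m = VALUE_RE.match(line)
        if key and m:
            yield key, m.group("name"), m.group("value").strip()


def numeric(value):
    """'0 (0x0)' -> 0, 'dword:00000001' -> 1, anything else -> None."""
    m = re.match(r"dword:([0-9a-f]+)", value, re.I)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)", value)
    return int(m.group(1)) if m else None


def analyze(dump):
    """Return human-readable findings, in dump order."""
    findings = []
    for key, name, value in parse_values(dump):
        if key.endswith(r"policies\system") and name == "EnableLUA" and numeric(value) == 0:
            findings.append("UAC disabled: EnableLUA=0")
        elif r"security center\monitoring" in key and name == "DisableMonitoring" and numeric(value) == 1:
            findings.append("Security Center monitoring disabled: " + key.rsplit("\\", 1)[-1])
        elif key.endswith(r"firewallpolicy\standardprofile") and name == "EnableFirewall" and numeric(value) == 0:
            findings.append("Windows Firewall disabled: StandardProfile")
        elif key.endswith(r"firewallpolicy\firewallrules"):
            rule = RULE_RE.match(value)
            if rule:
                exe = rule.group("path").rsplit("\\", 1)[-1].lower()
                if exe in NO_INBOUND_RULE_EXPECTED:
                    findings.append("Inbound firewall rule for core OS binary: " + rule.group("path"))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_DUMP):
        print(finding)
```

Each finding is a prompt for a question, not a verdict: a user may well have switched UAC off themselves, but a rule letting winlogon.exe accept inbound traffic has no benign installer behind it.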
miekiemoes
Hi,

First of all, please update MalwareBytes...

  • Start MalwareBytes and click the Update tab. There click "Check for updates"
  • Once the updates are downloaded, perform a quick scan again.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log, then we'll proceed from there with new steps.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
MattM22
The infected PC is not connected to the internet, so I downloaded the MBAM update from this URL
http://www.malwarebytes.org/mbam/database/mbam-rules.exe
and installed it. Here is the log from the run:

Malwarebytes' Anti-Malware 1.41
Database version: 2896
Windows 6.0.6002 Service Pack 2

10/6/2009 12:35:59 PM
mbam-log-2009-10-06 (12-35-59).txt

Scan type: Quick Scan
Objects scanned: 92338
Time elapsed: 3 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mdtdisk (Spyware.OnlineGames) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mBt (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\mdtdisk.sys (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Windows\System32\lsm32.sys (Backdoor.Bot) -> Quarantined and deleted successfully.





Still bad stuff showing up! That PC has been disconnected from the internet for days now, by the way.

Here is the hijack this log I ran immediately after the MBAM restart:




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:39:10 PM, on 10/6/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\hp\support\hpsysdrv.exe
C:\hp\KBD\KbdStub.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\system32\schtasks.exe
C:\Program Files\Portrait Displays\Pivot Software\wpCtrl.exe
C:\Program Files\Portrait Displays\HP My Display\dthtml.exe
C:\Windows\system32\jusched.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe
C:\Program Files\Portrait Displays\Pivot Software\floater.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Roxio\Media Experience\DMXLauncher.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Panasonic\MotionSD STUDIO\SD_Browser\AutoLauncher.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SunJavaUpdateReg] "C:\Windows\system32\jureg.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe"
O4 - HKLM\..\Run: [DT HPW] C:\Program Files\Portrait Displays\HP My Display\DTHtml.exe -startup_folder
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [NexusServer] "C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe" -SelfLaunch
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - Startup: ePrompter.lnk = C:\Program Files\ePrompter\ePrompter.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MotionSD STUDIO - SD Browser auto start -.lnk = C:\Program Files\Panasonic\MotionSD STUDIO\SD_Browser\AutoLauncher.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {26B2A5DA-BFD6-422F-A89A-28A54C74B12B} (Photo Upload Plugin Class) - http://www.costcophotocenter.com/upload/ac...veX_Control.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://webvpn.jpmorganchase.com/dana-cache...SetupClient.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\Windows\System32\bgsvcgen.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HauppaugeTVServer - Hauppauge Computer Works - C:\PROGRA~1\WinTV\HCWTVS~1.EXE
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 10775 bytes







Thanks again for all of the assistance.
miekiemoes
Hi,

Please reconnect with the internet and download latest updates via mbam itself, then scan and post the latest log in your next reply.
MattM22
Ok, new log with MBAM updates downloaded directly from the tool:

Malwarebytes' Anti-Malware 1.41
Database version: 2916
Windows 6.0.6002 Service Pack 2

10/6/2009 5:40:45 PM
mbam-log-2009-10-06 (17-40-45).txt

Scan type: Quick Scan
Objects scanned: 92967
Time elapsed: 3 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.
miekiemoes
Hi,

This looks Ok again.

How are things now?
MattM22
I am still getting the occasional weird pop up from windows that I never got prior to infection. I don't have the text handy, but it was something about stopping a process. I also get pop ups that have no bodies, just a title bar. Really weird. I will screen capture one the next time it shows up.
MattM22
Ok, JUST got one. It says "Host process for windows services stopped working and was closed. A problem caused the application to stop working correctly. Windows will notify you if a solution is available".

I NEVER got those prior to infection, now I get them all the time. Not sure if this is caused by some damage a virus may have done, or if it's the OS responding to a virus. Or some third thing.
miekiemoes
Hi,

This could indeed be damage by the malware you were dealing with previously. After all, your pc was severely infected, so with a manual cleanup on such a severely infected pc, it's always possible that errors may still appear. Fixing this isn't always easy since it will be searching for a needle in a haystack. After all, malware damages a lot.
Please see here: http://www.online-tech-tips.com/computer-t...topped-working/
Let me know what EXACT errors are displayed there (matching the latest date of course)
miekiemoes
Also, can you redownload Combofix, run it and post the new log?
MattM22
Miekiemoes, working on responding to your last two posts. Will get back to you on those shortly. Prior to reading those, I downloaded today's update for MBAM and re-ran it, finding one more certstore.dat trojan. Here is the log...


Malwarebytes' Anti-Malware 1.41
Database version: 2917
Windows 6.0.6002 Service Pack 2

10/7/2009 9:25:22 AM
mbam-log-2009-10-07 (09-25-22).txt

Scan type: Quick Scan
Objects scanned: 93122
Time elapsed: 2 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.
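The whole thread turns on items that come back between scans, and with four logs posted it is already easy to lose track by eye. The script below is an added example by the editor, not part of MBAM or of the thread: it parses MBAM 1.41 log text into structured detections and reports every item seen in more than one scan. The three SAMPLE_LOGS are constructed excerpts in the format posted above (database versions, timestamps and paths copied from the posts, summary lines trimmed); matching on the lower-cased item path is the editor's choice.

```python
"""Find detections that recur across successive MBAM scan logs.

Added example, not MBAM's own tooling and not from the thread. The
SAMPLE_LOGS are constructed excerpts in the format posted in this thread
(database versions, timestamps and paths copied from the posts above,
summary lines trimmed).
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOGS = [
r"""Malwarebytes' Anti-Malware 1.41
Database version: 2896
Windows 6.0.6002 Service Pack 2

10/6/2009 12:35:59 PM
mbam-log-2009-10-06 (12-35-59).txt

Scan type: Quick Scan
Files Infected: 2

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mdtdisk (Spyware.OnlineGames) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mBt (Backdoor.Bot) -> Quarantined and deleted successfully.

Files Infected:
C:\Windows\System32\mdtdisk.sys (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Windows\System32\lsm32.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
""",
r"""Malwarebytes' Anti-Malware 1.41
Database version: 2916

10/6/2009 5:40:45 PM

Memory Processes Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.
""",
r"""Malwarebytes' Anti-Malware 1.41
Database version: 2917

10/7/2009 9:25:22 AM

Files Infected:
C:\Windows\System32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.
""",
]

DB_RE = re.compile(r"^Database version:\s*(\d+)")
TS_RE = re.compile(r"^\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M$")
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")          # "Files Infected:" (no count)
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_log(text):
    """Return {'database', 'scanned_at', 'detections': [...]} for one MBAM log."""
    info = {"database": None, "scanned_at": None, "detections": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := DB_RE.match(line):
            info["database"] = int(m.group(1))
        elif TS_RE.match(line):
            info["scanned_at"] = datetime.strptime(line, "%m/%d/%Y %I:%M:%S %p")
        elif m := SECTION_RE.match(line):
            section = m.group(1)
        elif section and (m := DETECTION_RE.match(line)):
            info["detections"].append({"section": section, "item": m.group("item"),
                                       "family": m.group("family"), "action": m.group("action")})
    return info


def recurring(logs):
    """Map each item detected in two or more scans to the (scanned_at, database) of those scans."""
    seen = defaultdict(list)
    for log in (parse_log(t) for t in logs):
        for d in log["detections"]:
            hit = (log["scanned_at"], log["database"])
            if hit not in seen[d["item"].lower()]:
                seen[d["item"].lower()].append(hit)
    return {item: hits for item, hits in seen.items() if len(hits) >= 2}


if __name__ == "__main__":
    for item, hits in recurring(SAMPLE_LOGS).items():
        print(item, [(ts.isoformat(), db) for ts, db in hits])
```

On the sample this singles out certstore.dat as the one item that survived (or was re-dropped after) a removal; mdtdisk.sys and lsm32.sys were removed once and stayed gone. The same code runs unchanged over a directory of real mbam-log-*.txt files.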
miekiemoes
That certstore.dat reminds me of Virut infection. I really hope this isn't the case here as it would also explain those errors. The malware you were dealing with comes in 80% of the cases with Virut, so I really hope I am wrong here, because Virut means a format and reinstall unfortunately.

Also, did malwarebytes reboot afterwards? Because your Windows defender may interfere here with the cleanup script.
Can you navigate to the file C:\Windows\System32\certstore.dat and delete it manually? Is it getting recreated again?
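The manual check asked for above (delete the file, see whether it comes back) can be made precise: record size and SHA-256 first, delete, then poll and compare the returning copy, so "recreated with identical bytes" and "recreated with different content" are told apart, and a delete that fails because something holds the file open is itself recorded. The script below is an added example by the editor, not from the thread or from any tool mentioned in it. The real target in the thread is C:\Windows\System32\certstore.dat; demo() substitutes a temporary file and a background thread standing in for the dropper so that it runs anywhere.

```python
"""Delete a suspect file and watch whether something puts it back.

Added example (editor's, not from the thread or any tool mentioned in
it). delete_and_watch() is meant to be pointed at the real path as
Administrator; demo() uses a temporary file and a fake dropper thread
so the block runs stand-alone.
"""
import hashlib
import os
import tempfile
import threading
import time


def fingerprint(path):
    """Size, SHA-256 and mtime: enough to tell 'same dropper' from 'new file'."""
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    st = os.stat(path)
    return {"size": st.st_size, "sha256": digest, "mtime": st.st_mtime}


def delete_and_watch(path, timeout=60.0, interval=1.0):
    """Delete path, then poll until it reappears or timeout expires.

    deleted=False means the OS refused (file held open or ACL-protected),
    which on a suspect file is a finding in its own right.
    """
    before = fingerprint(path)
    try:
        os.remove(path)
    except PermissionError as e:
        return {"deleted": False, "recreated": False, "same_content": False,
                "error": str(e), "before": before, "after": None}
    start = time.monotonic()
    while time.monotonic() - start < timeout:
        if os.path.exists(path):
            try:
                first = fingerprint(path)
                time.sleep(interval)          # let a writer finish
                after = fingerprint(path)
            except OSError:                   # vanished or still locked; retry
                time.sleep(interval)
                continue
            if first["sha256"] != after["sha256"]:
                continue                      # still being written
            return {"deleted": True, "recreated": True,
                    "seconds": round(time.monotonic() - start, 2),
                    "same_content": after["sha256"] == before["sha256"],
                    "before": before, "after": after}
        time.sleep(interval)
    return {"deleted": True, "recreated": False, "seconds": timeout,
            "same_content": False, "before": before, "after": None}


def demo():
    """Two runs on a temp file: nothing recreates it, then a fake dropper does."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "certstore.dat")
    payload = b"constructed stand-in for certstore.dat"     # constructed content
    with open(path, "wb") as f:
        f.write(payload)
    quiet = delete_and_watch(path, timeout=0.3, interval=0.05)

    with open(path, "wb") as f:
        f.write(payload)

    def dropper():                        # stands in for whatever re-drops the file
        time.sleep(0.15)
        with open(path, "wb") as f:
            f.write(payload)

    t = threading.Thread(target=dropper)
    t.start()
    noisy = delete_and_watch(path, timeout=2.0, interval=0.05)
    t.join()
    return quiet, noisy


if __name__ == "__main__":
    quiet, noisy = demo()
    print("quiet:", quiet["recreated"], "noisy:", noisy["recreated"], noisy["same_content"])
```

If the file comes back byte-identical within seconds, the dropper is still resident and the scanner is only clearing its output; if the delete itself fails, note which process holds the file before doing anything else.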
MattM22
Latest ComboFix log from new download:




ComboFix 09-10-06.04 - Matt Munson 10/07/2009 9:39.2.4 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3071.2028 [GMT -4:00]
Running from: c:\users\Matt Munson\Desktop\ComboFixs.exe
AV: avast! antivirus 4.8.1229 [VPS 091006-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: avast! antivirus 4.8.1229 [VPS 091006-0] *disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MDTDISK


((((((((((((((((((((((((( Files Created from 2009-09-07 to 2009-10-07 )))))))))))))))))))))))))))))))
.

2009-10-07 13:52 . 2009-10-07 13:52 41631 ----a-w- c:\windows\system32\certstore.dat
2009-10-07 13:44 . 2009-10-07 13:44 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-10-07 13:44 . 2009-10-07 13:44 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-10-01 08:55 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-10-01 08:46 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-10-01 08:45 . 2009-10-01 08:46 -------- d-----w- c:\programdata\Lavasoft
2009-10-01 08:45 . 2009-10-01 08:45 -------- d-----w- c:\program files\Lavasoft
2009-10-01 06:30 . 2009-10-01 06:30 -------- d-----w- c:\program files\Trend Micro
2009-10-01 06:25 . 2009-10-01 08:45 -------- dc-h--w- c:\programdata\{EF63305C-BAD7-4144-9208-D65528260864}
2009-09-28 21:37 . 2009-09-28 21:38 -------- d-----w- c:\windows\system32\ca-ES
2009-09-28 21:37 . 2009-09-28 21:38 -------- d-----w- c:\windows\system32\eu-ES
2009-09-28 21:37 . 2009-09-28 21:38 -------- d-----w- c:\windows\system32\vi-VN
2009-09-28 15:36 . 2009-09-28 15:36 -------- d-----w- c:\windows\system32\EventProviders
2009-09-28 03:22 . 2009-09-28 03:22 -------- d-----w- c:\programdata\Office Genuine Advantage
2009-09-28 02:24 . 2009-06-22 10:09 2048 ----a-w- c:\windows\system32\tzres.dll
2009-09-28 01:54 . 2008-07-27 18:03 41984 ----a-w- c:\windows\system32\netfxperf.dll
2009-09-28 01:52 . 2009-09-28 01:52 -------- d-----w- c:\program files\CONEXANT
2009-09-28 01:51 . 2009-08-14 16:27 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-09-28 01:51 . 2009-08-14 13:48 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-09-28 01:51 . 2009-08-14 13:48 105984 ----a-w- c:\windows\system32\netiohlp.dll
2009-09-28 01:51 . 2009-08-14 13:49 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-09-28 01:51 . 2009-08-14 13:49 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-09-28 01:51 . 2009-08-14 13:49 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-09-28 01:51 . 2009-08-14 13:49 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-09-28 01:51 . 2009-08-14 13:49 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-09-28 01:51 . 2009-08-14 13:49 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-09-28 01:51 . 2009-08-14 13:49 10240 ----a-w- c:\windows\system32\finger.exe
2009-09-28 01:51 . 2009-08-14 15:53 17920 ----a-w- c:\windows\system32\netevent.dll
2009-09-28 01:49 . 2009-07-15 12:39 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-09-28 01:49 . 2009-07-15 12:39 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-09-28 01:49 . 2009-07-15 12:40 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-09-28 01:49 . 2009-06-04 12:07 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-09-28 01:49 . 2009-04-11 06:28 53248 ----a-w- c:\windows\system32\tsgqec.dll
2009-09-28 01:49 . 2009-04-11 06:28 136192 ----a-w- c:\windows\system32\aaclient.dll
2009-09-28 01:49 . 2009-07-17 13:54 71680 ----a-w- c:\windows\system32\atl.dll
2009-09-28 01:49 . 2009-06-10 11:38 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-09-28 01:49 . 2009-06-10 11:42 160256 ----a-w- c:\windows\system32\wkssvc.dll
2009-09-28 01:48 . 2009-04-11 06:28 1696768 ----a-w- c:\windows\system32\gameux.dll
2009-09-28 01:48 . 2009-08-29 00:14 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-09-28 01:48 . 2009-08-29 00:27 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-09-27 20:12 . 2009-09-27 20:12 -------- d-----w- c:\users\Matt Munson\AppData\Roaming\Malwarebytes
2009-09-27 20:12 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-27 20:12 . 2009-09-27 20:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-27 20:12 . 2009-09-27 20:12 -------- d-----w- c:\programdata\Malwarebytes
2009-09-27 20:12 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-27 15:39 . 2009-09-27 15:39 -------- d-----w- C:\337b6016532e636ec66197a2
2009-09-27 15:38 . 2009-09-27 15:39 -------- d-----w- C:\9b2c6f260054f90a96323606
2009-09-25 11:55 . 2009-09-25 11:55 -------- d-----w- c:\users\Matt Munson\AppData\Roaming\Logs
2009-09-09 01:09 . 2009-09-09 01:09 -------- d-----w- c:\program files\Comical
2009-09-08 14:06 . 2009-09-08 14:44 -------- d-----w- c:\users\Matt Munson\AppData\Roaming\ICAClient
2009-09-08 14:03 . 2009-09-25 23:40 -------- d-----w- c:\program files\Citrix
2009-09-08 13:52 . 2009-09-08 13:52 -------- d-----w- c:\program files\Juniper Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-07 12:47 . 2008-09-12 10:52 -------- d-----w- c:\users\Matt Munson\AppData\Roaming\uTorrent
2009-09-28 21:38 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-09-28 21:38 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-09-28 21:38 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-09-28 21:38 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-09-28 21:38 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2009-09-28 21:38 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-09-28 21:38 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-09-28 00:58 . 2008-08-21 11:51 -------- d-----w- c:\users\Matt Munson\AppData\Roaming\Vso
2009-09-09 00:59 . 2008-09-23 20:02 -------- d-----w- c:\programdata\WebEx
2009-09-08 23:14 . 2009-03-03 03:10 -------- d-----w- c:\programdata\VMware
2009-09-08 23:08 . 2007-11-27 18:59 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-08 13:52 . 2009-08-13 19:22 -------- d-----w- c:\users\Matt Munson\AppData\Roaming\Juniper Networks
2009-08-17 17:24 . 2009-08-17 17:12 -------- d-----w- c:\program files\ACE Mega CoDecS Pack
2009-08-17 17:13 . 2008-08-02 00:30 -------- d-----w- c:\program files\QuickTime
2009-08-17 17:11 . 2008-10-25 10:41 -------- d-----w- c:\program files\DivX
2009-08-17 00:06 . 2009-08-17 00:06 -------- d-----w- c:\users\Matt Munson\AppData\Roaming\AVS4YOU
2009-08-17 00:06 . 2009-08-17 00:06 -------- d-----w- c:\programdata\AVS4YOU
2009-08-17 00:04 . 2009-08-17 00:04 -------- d-----w- c:\program files\AVS4YOU
2009-08-17 00:04 . 2009-08-17 00:04 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-08-13 19:21 . 2009-08-13 19:21 -------- d-----w- c:\users\Matt Munson\AppData\Roaming\WholeSecurity
2009-08-08 20:36 . 2009-08-08 20:36 -------- d-----w- c:\programdata\Steinberg
2009-08-08 20:36 . 2008-08-01 07:13 -------- d-----w- c:\users\Matt Munson\AppData\Roaming\Steinberg
2009-08-08 20:34 . 2009-08-08 20:27 -------- d-----w- c:\program files\Syncrosoft
2009-08-08 20:24 . 2008-08-01 07:04 -------- d-----w- c:\program files\Steinberg
2009-08-03 19:07 . 2009-08-03 19:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 19:07 . 2009-08-03 19:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 19:07 . 2009-08-03 19:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2009-07-21 21:52 . 2009-09-28 02:20 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-09-28 02:20 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-09-28 02:20 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-09-28 02:20 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-15 12:39 . 2009-09-28 01:50 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-11 19:01 . 2009-09-28 01:50 513536 ----a-w- c:\windows\system32\wlansvc.dll
2009-07-11 19:01 . 2009-09-28 01:50 293376 ----a-w- c:\windows\system32\wlanmsm.dll
2009-07-11 19:01 . 2009-09-28 01:50 302592 ----a-w- c:\windows\system32\wlansec.dll
2009-07-11 19:01 . 2009-09-28 01:50 65024 ----a-w- c:\windows\system32\wlanapi.dll
2009-07-11 17:03 . 2009-09-28 01:50 127488 ----a-w- c:\windows\system32\L2SecHC.dll
2008-07-31 22:49 . 2008-07-31 22:49 22 --sha-w- c:\windows\SMINST\HPCD.sys
2007-11-27 18:30 . 2007-11-27 18:25 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((( SnapShot@2009-10-05_21.54.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-27 18:52 . 2009-10-07 13:29 48836 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-10-07 13:29 75508 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-07-31 09:44 . 2009-10-05 21:54 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-07-31 09:44 . 2009-10-07 16:27 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-07-31 09:44 . 2009-10-07 16:27 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-07-31 09:44 . 2009-10-05 21:54 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-08-02 19:19 . 2009-10-05 22:41 4162 c:\windows\System32\WDI\ERCQueuedResolutions.dat
+ 2008-07-31 09:36 . 2009-10-07 13:29 8712 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2367982984-1444817323-3124917685-1000_UserData.bin
- 2009-10-05 21:49 . 2009-10-05 21:49 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-10-07 13:46 . 2009-10-07 13:46 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-10-05 21:49 . 2009-10-05 21:49 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-10-07 13:46 . 2009-10-07 13:46 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2006-11-02 10:33 . 2009-10-05 21:40 633850 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2009-10-07 13:51 633850 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-10-05 21:40 117038 c:\windows\System32\perfc009.dat
+ 2006-11-02 10:33 . 2009-10-07 13:51 117038 c:\windows\System32\perfc009.dat
+ 2009-09-28 02:39 . 2009-10-07 13:27 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2009-09-28 02:39 . 2009-09-28 22:33 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2008-07-31 09:44 . 2009-10-05 21:54 327680 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-07-31 09:44 . 2009-10-07 16:27 327680 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-09-20 455968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-13 178712]
"SunJavaUpdateReg"="c:\windows\system32\jureg.exe" [2007-04-07 54936]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"PivotSoftware"="c:\program files\Portrait Displays\Pivot Software\wpctrl.exe" [2007-02-09 694008]
"DT HPW"="c:\program files\Portrait Displays\HP My Display\DTHtml.exe" [2007-04-25 280064]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-12 623992]
"NexusServer"="c:\program files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe" [2007-03-27 389120]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-08-27 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-08-27 8473120]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-08-27 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-02 289576]
"DMXLauncher"="c:\program files\Roxio\Media Experience\DMXLauncher.exe" [2006-08-14 102400]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-01-15 4874240]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-3 210520]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
MotionSD STUDIO - SD Browser auto start -.lnk - c:\program files\Panasonic\MotionSD STUDIO\SD_Browser\AutoLauncher.exe [2009-2-16 66952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):7d,40,26,b8,84,40,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2367982984-1444817323-3124917685-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{FB1AB64A-2731-4528-BD01-9CDEFC4B540E}"= c:\program files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{CEC64574-D0EA-4F55-AD99-0A333B0A2448}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{D308FC1C-6AC1-4D39-AB2F-31B4D8AD38C0}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{8EB3973D-7F1D-4B3B-A2FC-53719028B29D}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{B03AB320-29E8-4B5B-903F-169D71C869DA}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{AE0E68C1-3842-4908-B185-591EA83F4343}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{31DD8186-E214-435B-B382-CBBD7EB3AC9D}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{E0FBF8EC-409E-413F-849E-275A92D2AFA5}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{7625F928-2BDA-4C6F-99E7-DDB1375A25C7}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{DEBE9411-6532-469D-A4C0-F139A8911083}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{CA63FBC4-9AF8-4758-814A-7CF4D7B24293}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{5ADAB633-6375-4F88-9B69-8F9B8572581C}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{CC865BB5-4384-4D14-A045-0D85F3DE17B9}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{8F8FAA07-B036-4E98-9746-FE6135BACD57}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{107BEAD5-41B6-4EC7-B761-2AECA61294A6}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{D0A9C181-05FF-475D-8911-74BE456FA06E}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{9BC07D3E-F5BA-41F5-85A4-B6215E603FB3}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"TCP Query User{4C0658F9-6605-4539-BC69-4CE3CF249C51}c:\\program files\\adobe\\adobe flash cs3\\flash.exe"= UDP:c:\program files\adobe\adobe flash cs3\flash.exe:Adobe Flash CS3
"UDP Query User{20042665-9111-447E-B1F6-F78A19DD848A}c:\\program files\\adobe\\adobe flash cs3\\flash.exe"= TCP:c:\program files\adobe\adobe flash cs3\flash.exe:Adobe Flash CS3
"TCP Query User{6E40606E-3925-4178-8C77-55EBD672E17D}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:µTorrent
"UDP Query User{329E8F33-245D-4CF7-BA9D-046EE1962CCC}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:µTorrent
"{E6C209A8-50DD-497C-BC60-D9652F492392}"= UDP:c:\windows\explorer.exe:explorer
"{9EF6F52F-BA4B-4936-B414-E858C3AA5DE6}"= TCP:c:\windows\explorer.exe:explorer
"{FE336DCD-A50E-4939-85EE-C95426509586}"= UDP:c:\program files\Alwil Software\Avast4\ashDisp.exe:ashDisp
"{D35AD1B9-189D-491F-AEBE-61F71C9937F6}"= TCP:c:\program files\Alwil Software\Avast4\ashDisp.exe:ashDisp
"{27D8BC5B-4593-4B96-A4FF-0B9EDCF1DBA6}"= UDP:c:\program files\Alwil Software\Avast4\ashDisp.exe:ashDisp
"{CAAE318B-3D6D-4680-8855-D0821E9848BE}"= TCP:c:\program files\Alwil Software\Avast4\ashDisp.exe:ashDisp
"{3A210E33-45EE-4690-86CD-66CA3FE9DFB4}"= UDP:c:\windows\System32\wininit.exe:wininit
"{942F891F-65AD-4B05-9124-303F834756EC}"= TCP:c:\windows\System32\wininit.exe:wininit
"{75BC712E-A22A-4ECF-A4C1-631C94614ADE}"= UDP:c:\windows\System32\wininit.exe:wininit
"{0B5EBA88-31B6-4EB8-9EE5-AF22202FBF32}"= TCP:c:\windows\System32\wininit.exe:wininit
"{FD9A974C-D7A8-416A-9F11-8EE1BA216F64}"= UDP:c:\windows\System32\winlogon.exe:winlogon
"{06AB9CF2-2DF4-4EF9-A346-8B296DDEE738}"= TCP:c:\windows\System32\winlogon.exe:winlogon
"{F3ADBBD2-65AE-49B4-B9B8-0A41F473CF96}"= UDP:c:\windows\System32\winlogon.exe:winlogon
"{515B2C5D-8241-442C-A902-C21B8A14CD9A}"= TCP:c:\windows\System32\winlogon.exe:winlogon
"{A41FB50E-F69B-4C4F-92FD-F85BCD2FFBA5}"= UDP:c:\windows\System32\winlogon.exe:winlogon
"{B17F811A-B470-48D1-B865-EC6C53A7947E}"= TCP:c:\windows\System32\winlogon.exe:winlogon

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [10/1/2009 4:46 AM 64160]
R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [9/12/2008 6:31 AM 78416]
R1 NEOFLTR_630_13971;Juniper Networks TDI Filter Driver (NEOFLTR_630_13971);c:\windows\System32\drivers\NEOFLTR_630_13971.sys [2/18/2009 5:58 AM 64480]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [9/12/2008 6:31 AM 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [9/12/2008 6:31 AM 51280]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 10:49 AM 1028432]
R3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\System32\drivers\HCW85BDA.sys [11/27/2007 3:01 PM 1129344]
S3 HauppaugeTVServer;HauppaugeTVServer;c:\progra~1\WinTV\HCWTVS~1.EXE [8/6/2008 3:51 AM 815104]
S3 SynasUSB;SynasUSB;c:\windows\System32\drivers\synasUSB.sys [8/8/2009 4:27 PM 23288]
S3 VST_DPV;VST_DPV;c:\windows\System32\drivers\VSTDPV3.SYS [9/19/2008 7:33 PM 987648]
S3 VSTHWBS2;VSTHWBS2;c:\windows\System32\drivers\VSTBS23.SYS [9/19/2008 7:33 PM 251904]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\System32\drivers\wdcsam.sys [4/16/2008 12:27 PM 11520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
BtwSrv

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-10-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 08:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://mail.yahoo.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
DPF: {26B2A5DA-BFD6-422F-A89A-28A54C74B12B} - hxxp://www.costcophotocenter.com/upload/activex/v3_0_0_4/PhotoCenter_ActiveX_Control.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://webvpn.jpmorganchase.com/dana-cached/sc/JuniperSetupClient.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-07 12:27
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2367982984-1444817323-3124917685-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:50,19,e2,a4,be,ef,3b,d0,e9,4c,ed,5c,9e,7e,77,98,0d,12,34,6d,7a,a0,a0,
94,e3,65,55,63,ad,e1,78,d7,3c,ec,14,c8,a9,cd,48,35,69,39,e7,c6,b8,9e,95,b1,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:e8,c6,93,54,48,fc,f0,1a,94,21,c9,6c,00,43,bf,78,24,3d,b0,97,59,
cf,88,84,dc,cb,1d,1b,2c,df,99,25,09,32,6b,fe,cb,dc,99,59,cd,25,15,40,95,3f,\

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:e8,c6,93,54,48,fc,f0,1a,94,21,c9,6c,00,43,bf,78,24,3d,b0,97,59,
cf,88,84,dc,cb,1d,1b,2c,df,99,25,09,32,6b,fe,cb,dc,99,59,cd,25,15,40,95,3f,\

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\Default_Monitor\5&17752677&0&UID256\Properties\{83da6326-97a6-4088-9453-a1923f573b29}]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\Default_Monitor\5&17752677&0&UID256\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26CF\5&17752677&0&UID273\Device Parameters\MODES]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26CF\5&17752677&0&UID273\Properties\{83da6326-97a6-4088-9453-a1923f573b29}]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26CF\5&17752677&0&UID273\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}]
@DACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(6004)
c:\program files\Portrait Displays\Pivot Software\winphook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\System32\bgsvcgen.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\windows\System32\drivers\XAudio.exe
c:\windows\System32\WUDFHost.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\windows\System32\wbem\unsecapp.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
c:\windows\System32\schtasks.exe
c:\windows\System32\jusched.exe
c:\program files\Portrait Displays\Pivot Software\Floater.exe
c:\program files\Alwil Software\Avast4\ashDisp.exe
c:\windows\System32\rundll32.exe
c:\program files\Common Files\Portrait Displays\Shared\HookManager.exe
c:\windows\System32\rundll32.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Windows Media Player\wmpnscfg.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\windows\System32\wermgr.exe
.
**************************************************************************
.
Completion time: 2009-10-07 12:32 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-07 16:32
ComboFix2.txt 2009-10-05 21:57

Pre-Run: 182,075,994,112 bytes free
Post-Run: 182,018,392,064 bytes free

367 --- E O F --- 2009-10-05 21:05

I will respond shortly to other questions.
MattM22
QUOTE (miekiemoes @ Oct 7 2009, 01:40 PM)
Also, did malwarebytes reboot afterwards? Because your Windows defender may interfere here with the cleanup script.
Can you navigate to the file C:\Windows\System32\certstore.dat and delete it manually? Is it getting recreated again?


Malwarebytes did reboot after the scan.

The certstore.dat file was created again.

I was able to navigate to it and delete it manually.

I did not see any instructions for disabling Windows Defender prior to running MBAM. If that is something you think I should do, please point me to directions on disabling.

I am almost prepared for a full reinstall if necessary. My system is quasi-stable as is, and I'm backing up personal data. So no matter what happens, I am already extremely grateful for your assistance so far. Ideally, I would be able to recover the system, but if that is off the table, I will survive.
MattM22
QUOTE (miekiemoes @ Oct 7 2009, 12:50 PM)
Hi,

This could indeed be damage by the malware you were dealing with previously. After all, your pc was severely infected, so with a manual cleanup on such a severely infected pc, it's always possible that errors may still appear. Fixing this isn't always easy since it will be searching for a needle in a haystack. After all, malware damages a lot.
Please see here: http://www.online-tech-tips.com/computer-t...topped-working/
Let me know what EXACT errors are displayed there (matching the latest date of course)

I followed the link you provided, and went through the steps described to open my event log. There were a few errors that occurred right around the time the "Host process for windows services stopped working and was closed" dialog was issued. Here are the messages from those errors:

Error 10/7/2009 12:37:48 PM Application Error 1000 (100)
Faulting application svchost.exe, version 6.0.6001.18000, time stamp 0x4a481bab, faulting module svchost.exe, version 6.0.6001.18000, time stamp 0x4a481bab, exception code 0xc0000005, fault offset 0x000019f8, process id 0xe8c, application start time 0x01ca476c8065c47e.

Error 10/7/2009 12:33:06 PM Application Error 1000 (100)
Faulting application svchost.exe, version 6.0.6001.18000, time stamp 0x4a481bab, faulting module svchost.exe, version 6.0.6001.18000, time stamp 0x4a481bab, exception code 0xc0000005, fault offset 0x000019f8, process id 0x14c4, application start time 0x01ca476bd86ab73e.

Error 10/7/2009 12:31:12 PM Application Error 1000 (100)
Faulting application svchost.exe, version 6.0.6001.18000, time stamp 0x4a481bab, faulting module svchost.exe, version 6.0.6001.18000, time stamp 0x4a481bab, exception code 0xc0000005, fault offset 0x000019f8, process id 0x17ec, application start time 0x01ca476b945cc79e.

I also got a weird warning right after login:

Information 10/7/2009 12:31:09 PM Winlogon 1002 None
The shell stopped unexpectedly and Explorer.exe was restarted.

Please let me know what you think.
MattM22
I have reviewed my Windows Defender settings, and it appears that it was indeed disabled for my last few scans of MBAM and ComboFix.
miekiemoes
Hi,

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

QUOTE
Collect::[8]
c:\windows\system32\certstore.dat
NetSvc::
BtwSrv

Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again.
Then, please visit this site:
http://www.bleepingcomputer.com/submit-malware.php?channel=8
Where it says: "Browse to the file you want to submit", use the Browse button to navigate to the following file: C:\Qoobox\Quarantine\[8]-Submit_date_time.zip (date_time will be replaced with the date and time when this file was created)
Then click the "Send File" button below in order to upload it.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


MattM22
I ran the script as instructed.

When I went to upload the file you requested, I did not find it in the directory you specified. There were four items in that directory:

C
Registry_backups
catchme.log
catchme.txt


The first two are folders. If there is somewhere else I should be browsing for that file, please advise. There is a file in the qoobox directory named "CFScript_used_2009-10-07_13.29.04.txt", which is similar to what you were looking for. Is that the one?

Here is the ComboFix log after the script execution:

ComboFix 09-10-06.04 - Matt Munson 10/07/2009 13:29.3.4 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3071.1826 [GMT -4:00]
Running from: c:\users\Matt Munson\Desktop\ComboFixs.exe
Command switches used :: c:\users\Matt Munson\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1229 [VPS 091006-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: avast! antivirus 4.8.1229 [VPS 091006-0] *disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\10b1b.msi

.
((((((((((((((((((((((((( Files Created from 2009-09-07 to 2009-10-07 )))))))))))))))))))))))))))))))
.

2009-10-07 17:33 . 2009-10-07 17:33 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-10-07 17:33 . 2009-10-07 17:33 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-10-01 08:55 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-10-01 08:46 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-10-01 08:45 . 2009-10-01 08:46 -------- d-----w- c:\programdata\Lavasoft
2009-10-01 08:45 . 2009-10-01 08:45 -------- d-----w- c:\program files\Lavasoft
2009-10-01 06:30 . 2009-10-01 06:30 -------- d-----w- c:\program files\Trend Micro
2009-10-01 06:25 . 2009-10-01 08:45 -------- dc-h--w- c:\programdata\{EF63305C-BAD7-4144-9208-D65528260864}
2009-09-28 21:37 . 2009-09-28 21:38 -------- d-----w- c:\windows\system32\ca-ES
2009-09-28 21:37 . 2009-09-28 21:38 -------- d-----w- c:\windows\system32\eu-ES
2009-09-28 21:37 . 2009-09-28 21:38 -------- d-----w- c:\windows\system32\vi-VN
2009-09-28 15:36 . 2009-09-28 15:36 -------- d-----w- c:\windows\system32\EventProviders
2009-09-28 03:22 . 2009-09-28 03:22 -------- d-----w- c:\programdata\Office Genuine Advantage
2009-09-28 02:24 . 2009-06-22 10:09 2048 ----a-w- c:\windows\system32\tzres.dll
2009-09-28 01:54 . 2008-07-27 18:03 41984 ----a-w- c:\windows\system32\netfxperf.dll
2009-09-28 01:51 . 2009-08-14 16:27 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-09-28 01:51 . 2009-08-14 13:48 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-09-28 01:51 . 2009-08-14 13:48 105984 ----a-w- c:\windows\system32\netiohlp.dll
2009-09-28 01:51 . 2009-08-14 13:49 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-09-28 01:51 . 2009-08-14 13:49 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-09-28 01:51 . 2009-08-14 13:49 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-09-28 01:51 . 2009-08-14 13:49 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-09-28 01:51 . 2009-08-14 13:49 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-09-28 01:51 . 2009-08-14 13:49 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-09-28 01:51 . 2009-08-14 13:49 10240 ----a-w- c:\windows\system32\finger.exe
2009-09-28 01:51 . 2009-08-14 15:53 17920 ----a-w- c:\windows\system32\netevent.dll
2009-09-28 01:49 . 2009-07-15 12:39 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-09-28 01:49 . 2009-07-15 12:39 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-09-28 01:49 . 2009-07-15 12:40 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-09-28 01:49 . 2009-06-04 12:07 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-09-28 01:49 . 2009-04-11 06:28 53248 ----a-w- c:\windows\system32\tsgqec.dll
2009-09-28 01:49 . 2009-04-11 06:28 136192 ----a-w- c:\windows\system32\aaclient.dll
2009-09-28 01:49 . 2009-07-17 13:54 71680 ----a-w- c:\windows\system32\atl.dll
2009-09-28 01:49 . 2009-06-10 11:38 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-09-28 01:49 . 2009-06-10 11:42 160256 ----a-w- c:\windows\system32\wkssvc.dll
2009-09-28 01:48 . 2009-04-11 06:28 1696768 ----a-w- c:\windows\system32\gameux.dll
2009-09-28 01:48 . 2009-08-29 00:14 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-09-28 01:48 . 2009-08-29 00:27 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-09-27 20:12 . 2009-09-27 20:12 -------- d-----w- c:\users\Matt Munson\AppData\Roaming\Malwarebytes
2009-09-27 20:12 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-27 20:12 . 2009-09-27 20:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-27 20:12 . 2009-09-27 20:12 -------- d-----w- c:\programdata\Malwarebytes
2009-09-27 20:12 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-27 15:39 . 2009-09-27 15:39 -------- d-----w- C:\337b6016532e636ec66197a2
2009-09-27 15:38 . 2009-09-27 15:39 -------- d-----w- C:\9b2c6f260054f90a96323606
2009-09-25 11:55 . 2009-09-25 11:55 -------- d-----w- c:\users\Matt Munson\AppData\Roaming\Logs
2009-09-09 01:09 . 2009-09-09 01:09 -------- d-----w- c:\program files\Comical
2009-09-08 14:06 . 2009-09-08 14:44 -------- d-----w- c:\users\Matt Munson\AppData\Roaming\ICAClient
2009-09-08 14:03 . 2009-09-25 23:40 -------- d-----w- c:\program files\Citrix
2009-09-08 13:52 . 2009-09-08 13:52 -------- d-----w- c:\program files\Juniper Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-07 17:08 . 2009-08-17 00:04 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-10-07 17:08 . 2009-08-17 00:04 -------- d-----w- c:\program files\AVS4YOU
2009-10-07 17:07 . 2007-11-27 18:59 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-07 17:06 . 2007-11-27 19:05 -------- d-----w- c:\program files\CyberLink
2009-10-07 16:53 . 2007-11-27 19:10 -------- d---a-w- c:\program files\Common Files\LightScribe
2009-10-07 12:47 . 2008-09-12 10:52 -------- d-----w- c:\users\Matt Munson\AppData\Roaming\uTorrent
2009-09-28 21:38 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-09-28 21:38 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-09-28 21:38 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-09-28 21:38 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-09-28 21:38 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2009-09-28 21:38 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-09-28 21:38 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-09-28 00:58 . 2008-08-21 11:51 -------- d-----w- c:\users\Matt Munson\AppData\Roaming\Vso
2009-09-09 00:59 . 2008-09-23 20:02 -------- d-----w- c:\programdata\WebEx
2009-09-08 23:14 . 2009-03-03 03:10 -------- d-----w- c:\programdata\VMware
2009-09-08 13:52 . 2009-08-13 19:22 -------- d-----w- c:\users\Matt Munson\AppData\Roaming\Juniper Networks
2009-08-17 17:24 . 2009-08-17 17:12 -------- d-----w- c:\program files\ACE Mega CoDecS Pack
2009-08-17 17:13 . 2008-08-02 00:30 -------- d-----w- c:\program files\QuickTime
2009-08-17 17:11 . 2008-10-25 10:41 -------- d-----w- c:\program files\DivX
2009-08-17 00:06 . 2009-08-17 00:06 -------- d-----w- c:\users\Matt Munson\AppData\Roaming\AVS4YOU
2009-08-17 00:06 . 2009-08-17 00:06 -------- d-----w- c:\programdata\AVS4YOU
2009-08-13 19:21 . 2009-08-13 19:21 -------- d-----w- c:\users\Matt Munson\AppData\Roaming\WholeSecurity
2009-08-08 20:36 . 2009-08-08 20:36 -------- d-----w- c:\programdata\Steinberg
2009-08-08 20:36 . 2008-08-01 07:13 -------- d-----w- c:\users\Matt Munson\AppData\Roaming\Steinberg
2009-08-08 20:34 . 2009-08-08 20:27 -------- d-----w- c:\program files\Syncrosoft
2009-08-08 20:24 . 2008-08-01 07:04 -------- d-----w- c:\program files\Steinberg
2009-08-03 19:07 . 2009-08-03 19:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 19:07 . 2009-08-03 19:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 19:07 . 2009-08-03 19:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2009-07-21 21:52 . 2009-09-28 02:20 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-09-28 02:20 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-09-28 02:20 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-09-28 02:20 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-15 12:39 . 2009-09-28 01:50 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-11 19:01 . 2009-09-28 01:50 513536 ----a-w- c:\windows\system32\wlansvc.dll
2009-07-11 19:01 . 2009-09-28 01:50 293376 ----a-w- c:\windows\system32\wlanmsm.dll
2009-07-11 19:01 . 2009-09-28 01:50 302592 ----a-w- c:\windows\system32\wlansec.dll
2009-07-11 19:01 . 2009-09-28 01:50 65024 ----a-w- c:\windows\system32\wlanapi.dll
2009-07-11 17:03 . 2009-09-28 01:50 127488 ----a-w- c:\windows\system32\L2SecHC.dll
2008-07-31 22:49 . 2008-07-31 22:49 22 --sha-w- c:\windows\SMINST\HPCD.sys
2007-11-27 18:30 . 2007-11-27 18:25 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((( SnapShot@2009-10-05_21.54.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-27 18:52 . 2009-10-07 13:29 48836 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-10-07 13:29 75508 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-07-31 09:44 . 2009-10-07 17:28 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-07-31 09:44 . 2009-10-05 21:54 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-07-31 09:44 . 2009-10-05 21:54 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-07-31 09:44 . 2009-10-07 17:28 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2006-11-02 10:25 . 2009-09-28 21:42 51200 c:\windows\inf\infpub.dat
+ 2006-11-02 10:25 . 2009-10-07 17:07 51200 c:\windows\inf\infpub.dat
+ 2008-08-02 19:19 . 2009-10-05 22:41 4162 c:\windows\System32\WDI\ERCQueuedResolutions.dat
+ 2008-07-31 09:36 . 2009-10-07 13:29 8712 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2367982984-1444817323-3124917685-1000_UserData.bin
- 2009-10-05 21:49 . 2009-10-05 21:49 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-10-07 13:46 . 2009-10-07 13:46 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-10-05 21:49 . 2009-10-05 21:49 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-10-07 13:46 . 2009-10-07 13:46 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2006-11-02 10:33 . 2009-10-07 13:51 633850 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-10-05 21:40 633850 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2009-10-07 13:51 117038 c:\windows\System32\perfc009.dat
- 2006-11-02 10:33 . 2009-10-05 21:40 117038 c:\windows\System32\perfc009.dat
- 2009-09-28 02:39 . 2009-09-28 22:33 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-09-28 02:39 . 2009-10-07 13:27 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2008-07-31 09:44 . 2009-10-07 17:28 327680 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-07-31 09:44 . 2009-10-05 21:54 327680 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-10-15 01:00 . 2009-10-07 16:55 102400 c:\windows\Installer\{DDDE0BE3-0CBE-4BF6-B75A-E3F69C947843}\iTunesIco.exe
- 2008-10-15 01:00 . 2008-10-15 01:00 102400 c:\windows\Installer\{DDDE0BE3-0CBE-4BF6-B75A-E3F69C947843}\iTunesIco.exe
- 2006-11-02 10:25 . 2009-09-28 21:42 143360 c:\windows\inf\infstrng.dat
+ 2006-11-02 10:25 . 2009-10-07 17:07 143360 c:\windows\inf\infstrng.dat
+ 2006-11-02 10:25 . 2009-10-07 17:07 143360 c:\windows\inf\infstor.dat
- 2006-11-02 10:25 . 2009-09-28 21:42 143360 c:\windows\inf\infstor.dat
+ 2009-10-07 16:55 . 2009-10-07 16:55 3771904 c:\windows\Installer\aa9be1.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-13 178712]
"SunJavaUpdateReg"="c:\windows\system32\jureg.exe" [2007-04-07 54936]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"PivotSoftware"="c:\program files\Portrait Displays\Pivot Software\wpctrl.exe" [2007-02-09 694008]
"DT HPW"="c:\program files\Portrait Displays\HP My Display\DTHtml.exe" [2007-04-25 280064]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-12 623992]
"NexusServer"="c:\program files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe" [2007-03-27 389120]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-08-27 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-08-27 8473120]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-08-27 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-02 289576]
"DMXLauncher"="c:\program files\Roxio\Media Experience\DMXLauncher.exe" [2006-08-14 102400]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-01-15 4874240]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-3 210520]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
MotionSD STUDIO - SD Browser auto start -.lnk - c:\program files\Panasonic\MotionSD STUDIO\SD_Browser\AutoLauncher.exe [2009-2-16 66952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):7d,40,26,b8,84,40,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2367982984-1444817323-3124917685-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{FB1AB64A-2731-4528-BD01-9CDEFC4B540E}"= c:\program files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{CEC64574-D0EA-4F55-AD99-0A333B0A2448}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{D308FC1C-6AC1-4D39-AB2F-31B4D8AD38C0}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{8EB3973D-7F1D-4B3B-A2FC-53719028B29D}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{B03AB320-29E8-4B5B-903F-169D71C869DA}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{AE0E68C1-3842-4908-B185-591EA83F4343}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{31DD8186-E214-435B-B382-CBBD7EB3AC9D}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{E0FBF8EC-409E-413F-849E-275A92D2AFA5}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{7625F928-2BDA-4C6F-99E7-DDB1375A25C7}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{DEBE9411-6532-469D-A4C0-F139A8911083}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{CA63FBC4-9AF8-4758-814A-7CF4D7B24293}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{5ADAB633-6375-4F88-9B69-8F9B8572581C}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{CC865BB5-4384-4D14-A045-0D85F3DE17B9}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{8F8FAA07-B036-4E98-9746-FE6135BACD57}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{107BEAD5-41B6-4EC7-B761-2AECA61294A6}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{D0A9C181-05FF-475D-8911-74BE456FA06E}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{9BC07D3E-F5BA-41F5-85A4-B6215E603FB3}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"TCP Query User{4C0658F9-6605-4539-BC69-4CE3CF249C51}c:\\program files\\adobe\\adobe flash cs3\\flash.exe"= UDP:c:\program files\adobe\adobe flash cs3\flash.exe:Adobe Flash CS3
"UDP Query User{20042665-9111-447E-B1F6-F78A19DD848A}c:\\program files\\adobe\\adobe flash cs3\\flash.exe"= TCP:c:\program files\adobe\adobe flash cs3\flash.exe:Adobe Flash CS3
"TCP Query User{6E40606E-3925-4178-8C77-55EBD672E17D}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:µTorrent
"UDP Query User{329E8F33-245D-4CF7-BA9D-046EE1962CCC}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:µTorrent
"{E6C209A8-50DD-497C-BC60-D9652F492392}"= UDP:c:\windows\explorer.exe:explorer
"{9EF6F52F-BA4B-4936-B414-E858C3AA5DE6}"= TCP:c:\windows\explorer.exe:explorer
"{FE336DCD-A50E-4939-85EE-C95426509586}"= UDP:c:\program files\Alwil Software\Avast4\ashDisp.exe:ashDisp
"{D35AD1B9-189D-491F-AEBE-61F71C9937F6}"= TCP:c:\program files\Alwil Software\Avast4\ashDisp.exe:ashDisp
"{27D8BC5B-4593-4B96-A4FF-0B9EDCF1DBA6}"= UDP:c:\program files\Alwil Software\Avast4\ashDisp.exe:ashDisp
"{CAAE318B-3D6D-4680-8855-D0821E9848BE}"= TCP:c:\program files\Alwil Software\Avast4\ashDisp.exe:ashDisp
"{3A210E33-45EE-4690-86CD-66CA3FE9DFB4}"= UDP:c:\windows\System32\wininit.exe:wininit
"{942F891F-65AD-4B05-9124-303F834756EC}"= TCP:c:\windows\System32\wininit.exe:wininit
"{75BC712E-A22A-4ECF-A4C1-631C94614ADE}"= UDP:c:\windows\System32\wininit.exe:wininit
"{0B5EBA88-31B6-4EB8-9EE5-AF22202FBF32}"= TCP:c:\windows\System32\wininit.exe:wininit
"{FD9A974C-D7A8-416A-9F11-8EE1BA216F64}"= UDP:c:\windows\System32\winlogon.exe:winlogon
"{06AB9CF2-2DF4-4EF9-A346-8B296DDEE738}"= TCP:c:\windows\System32\winlogon.exe:winlogon
"{F3ADBBD2-65AE-49B4-B9B8-0A41F473CF96}"= UDP:c:\windows\System32\winlogon.exe:winlogon
"{515B2C5D-8241-442C-A902-C21B8A14CD9A}"= TCP:c:\windows\System32\winlogon.exe:winlogon
"{A41FB50E-F69B-4C4F-92FD-F85BCD2FFBA5}"= UDP:c:\windows\System32\winlogon.exe:winlogon
"{B17F811A-B470-48D1-B865-EC6C53A7947E}"= TCP:c:\windows\System32\winlogon.exe:winlogon
"{A2B907C7-D647-4EBD-A57D-3C5C15CBDE24}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{D28DF65B-3936-4C88-A1C9-7B77D1023390}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [10/1/2009 4:46 AM 64160]
R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [9/12/2008 6:31 AM 78416]
R1 NEOFLTR_630_13971;Juniper Networks TDI Filter Driver (NEOFLTR_630_13971);c:\windows\System32\drivers\NEOFLTR_630_13971.sys [2/18/2009 5:58 AM 64480]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [9/12/2008 6:31 AM 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [9/12/2008 6:31 AM 51280]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 10:49 AM 1028432]
R3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\System32\drivers\HCW85BDA.sys [11/27/2007 3:01 PM 1129344]
R3 VST_DPV;VST_DPV;c:\windows\System32\drivers\VSTDPV3.SYS [9/19/2008 7:33 PM 987648]
R3 VSTHWBS2;VSTHWBS2;c:\windows\System32\drivers\VSTBS23.SYS [9/19/2008 7:33 PM 251904]
S3 HauppaugeTVServer;HauppaugeTVServer;c:\progra~1\WinTV\HCWTVS~1.EXE [8/6/2008 3:51 AM 815104]
S3 SynasUSB;SynasUSB;c:\windows\System32\drivers\synasUSB.sys [8/8/2009 4:27 PM 23288]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\System32\drivers\wdcsam.sys [4/16/2008 12:27 PM 11520]

--- Other Services/Drivers In Memory ---

*Deregistered* - XAudio

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-10-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 08:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://mail.yahoo.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
DPF: {26B2A5DA-BFD6-422F-A89A-28A54C74B12B} - hxxp://www.costcophotocenter.com/upload/activex/v3_0_0_4/PhotoCenter_ActiveX_Control.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://webvpn.jpmorganchase.com/dana-cached/sc/JuniperSetupClient.cab
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-LightScribe Control Panel - c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-07 13:33
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2367982984-1444817323-3124917685-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:50,19,e2,a4,be,ef,3b,d0,e9,4c,ed,5c,9e,7e,77,98,0d,12,34,6d,7a,a0,a0,
94,e3,65,55,63,ad,e1,78,d7,3c,ec,14,c8,a9,cd,48,35,69,39,e7,c6,b8,9e,95,b1,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:e8,c6,93,54,48,fc,f0,1a,94,21,c9,6c,00,43,bf,78,24,3d,b0,97,59,
cf,88,84,dc,cb,1d,1b,2c,df,99,25,09,32,6b,fe,cb,dc,99,59,cd,25,15,40,95,3f,\

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:e8,c6,93,54,48,fc,f0,1a,94,21,c9,6c,00,43,bf,78,24,3d,b0,97,59,
cf,88,84,dc,cb,1d,1b,2c,df,99,25,09,32,6b,fe,cb,dc,99,59,cd,25,15,40,95,3f,\

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\Default_Monitor\5&17752677&0&UID256\Properties\{83da6326-97a6-4088-9453-a1923f573b29}]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\Default_Monitor\5&17752677&0&UID256\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26CF\5&17752677&0&UID273\Device Parameters\MODES]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26CF\5&17752677&0&UID273\Properties\{83da6326-97a6-4088-9453-a1923f573b29}]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26CF\5&17752677&0&UID273\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}]
@DACL=(02 0000)
.
Completion time: 2009-10-07 13:35
ComboFix-quarantined-files.txt 2009-10-07 17:35
ComboFix2.txt 2009-10-07 16:32
ComboFix3.txt 2009-10-05 21:57

Pre-Run: 179,572,355,072 bytes free
Post-Run: 179,539,976,192 bytes free

339 --- E O F --- 2009-10-05 21:05
miekiemoes
Hi,

QUOTE
When I went to upload the file you requested, I did not find it in the directory you specified. There were four items in that directory:
This is because the file was not present anymore, since you actually already deleted it before. I guess that the previous combofix log was from before you deleted that file.

Also, since you could delete it manually and it didn't return anymore (as I see in this log).

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Then, Please run this online scan to help look for remnants.

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
MattM22
QUOTE (miekiemoes @ Oct 7 2009, 06:17 PM)
* Go to start > run and copy and paste next command in the field:

ComboFix /u



Totally lame question, but I do not see a "run" option off my start menu. I launched a cmd window, but apparently ComboFix is not in the path for it. Am I missing something? Running Windows Vista. Is there a different way I can execute this command?
miekiemoes
In Vista it should work via the search below in your start menu.
Or via a command prompt (cmd): "c:\users\Matt Munson\Desktop\ComboFixs.exe" /u
MattM22
All going well so far. Combofix removed, and Kaspersky scan complete. Here is the log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, October 8, 2009
Operating system: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 2 (build 6002)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, October 07, 2009 23:18:54
Records in database: 2931287
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
H:\
I:\
J:\
K:\

Scan statistics:
Objects scanned: 327251
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 03:01:30

No threats found. Scanned area is clean.

Selected area has been scanned.
miekiemoes
Good. So how are things now?
MattM22
I'm still getting the certstore.dat trojan when I run MBAM. Here's a log from the recent run, which includes most recent updates:


Malwarebytes' Anti-Malware 1.41
Database version: 2925
Windows 6.0.6002 Service Pack 2

10/8/2009 9:08:21 AM
mbam-log-2009-10-08 (09-08-21).txt

Scan type: Quick Scan
Objects scanned: 94016
Time elapsed: 3 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.
miekiemoes
Not that sure if that file is malicious though... However, as I said before, I've seen this file a lot when Virut was present, since it stored data to Virut-related sites in there. I really hope this is not the case, because it doesn't mean that, since online scanners don't detect anything anymore, Virut isn't present. After all, this one is still not very well detected and new variants are created every day.
Also, I see a lot of folders and files modified within a short period of time, so this may also show the presence of a file infector.
Go to this page.
Enter the url of this thread in the first field.
Where it says, browse to the file that you want to submit, click the browse button next to it and browse to next file:

C:\Windows\System32\certstore.dat

Select it and click ok:
Then click the Send File button below.
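As an added example, not part of this thread and not ComboFix's own tooling, the script below applies the "many files modified within a short period" heuristic described above to rows in the format of the ComboFix "Files Created" section. It assumes the first timestamp of a row is the creation time and the second the last-write time; the in-place modification rows are constructed, the rest are copied from the log earlier in the thread.

```python
import re
from datetime import datetime, timedelta

# Row format assumed for the "Files Created" section of a ComboFix log:
#   <created> . <last-write> <size|--------> <attributes> <path>
ROW_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\S+) (\S+) (.+)$"
)
PE_EXTENSIONS = (".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl")


def parse_rows(text):
    """Parse ComboFix file rows into dicts; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        created, modified, size, attrs, path = m.groups()
        rows.append({
            "created": datetime.strptime(created, "%Y-%m-%d %H:%M"),
            "modified": datetime.strptime(modified, "%Y-%m-%d %H:%M"),
            "size": None if size.startswith("-") else int(size),
            "attrs": attrs,
            "path": path,
            "is_dir": attrs.startswith("d"),
        })
    return rows


def find_in_place_bursts(rows, window=timedelta(minutes=10), min_files=3):
    """Return clusters of executables rewritten in place within `window`.

    Heuristic: an installer or Windows Update drops fresh copies whose
    last-write time predates their creation on this disk (the build time
    travels with the file), so modified <= created. A file infector patches
    existing binaries where they sit, so modified > created, and does so to
    many files in a short span. Only that second pattern is reported; each
    cluster is a list of paths ordered by last-write time.
    """
    candidates = sorted(
        (r for r in rows
         if not r["is_dir"]
         and r["path"].lower().endswith(PE_EXTENSIONS)
         and r["modified"] > r["created"]),
        key=lambda r: r["modified"],
    )
    bursts, current = [], []
    for r in candidates:
        if current and r["modified"] - current[0]["modified"] > window:
            if len(current) >= min_files:
                bursts.append([c["path"] for c in current])
            current = []
        current.append(r)
    if len(current) >= min_files:
        bursts.append([c["path"] for c in current])
    return bursts


# Rows copied from the ComboFix log earlier in the thread: a Windows Update
# batch (created 2009-09-28, last-write 2009-08-14), an Ad-Aware driver and
# a temp directory. None of these should be flagged.
LOG_EXCERPT = r"""
2009-09-28 01:51 . 2009-08-14 13:49 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-09-28 01:51 . 2009-08-14 13:49 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-09-28 01:51 . 2009-08-14 13:49 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-09-28 01:51 . 2009-08-14 13:49 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-10-01 08:46 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-10-07 17:33 . 2009-10-07 17:33 -------- d-----w- c:\users\Public\AppData\Local\temp
"""

# CONSTRUCTED rows (not from the log): old binaries whose last-write time
# jumped to the same few minutes, plus a text file that must be ignored.
CONSTRUCTED_ROWS = r"""
2008-03-12 10:05 . 2009-10-09 14:31 52736 ----a-w- c:\program files\example\tool1.exe
2008-03-12 10:05 . 2009-10-09 14:32 71168 ----a-w- c:\program files\example\tool2.exe
2007-11-27 18:30 . 2009-10-09 14:33 40960 ----a-w- c:\program files\example\helper.dll
2008-06-01 09:00 . 2009-10-09 14:32 1024 ----a-w- c:\program files\example\readme.txt
"""


def demo():
    """Run the heuristic over the excerpt plus the constructed rows."""
    return find_in_place_bursts(parse_rows(LOG_EXCERPT + CONSTRUCTED_ROWS))


if __name__ == "__main__":
    for burst in demo():
        print("in-place modification burst:")
        for path in burst:
            print("   ", path)
```

Only the three constructed binaries form a burst; the Windows Update rows are recognised as fresh drops and left alone.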
MattM22
Currently not seeing a certstore.dat file. Will play around for a couple hours and see if it shows up again.

The files and folders activity is probably due to me. I'm organizing a ton of files and off loading them to an external drive in case I need to wipe and reinstall.
miekiemoes
Ok, let me know
MattM22
Ok, back to it! Ran MBAM today and found a new certstore.dat file. I have uploaded it to the link you indicated a couple posts up. Here is the MBAM log from today's run:

Malwarebytes' Anti-Malware 1.41
Database version: 2925
Windows 6.0.6002 Service Pack 2

10/9/2009 2:47:23 PM
mbam-log-2009-10-09 (14-47-23).txt

Scan type: Quick Scan
Objects scanned: 94471
Time elapsed: 4 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.

I'm still getting those Windows pop-up dialogs about services being shut down. I also get a pop-up dialog with no body AT ALL, just the title bar. That's kinda weird.

miekiemoes
Hi,

Thanks for the file.
To be honest, as you said before:

QUOTE
The files and folders activity is probably due to me. I'm organizing a ton of files and off loading them to an external drive in case I need to wipe and reinstall.
Since your system was so severely infected, and probably still is, since it really smells like a file infector is present here (certstore.dat gets recreated all the time, and in most cases comes with Virut, as you can see here), I suggest that the best way is a format and reinstall. As you also state, you're getting many errors and services are shutting down, so damage has been done as well.
You have your backups already anyway, so imho a format and reinstall is the fastest and especially the safest solution.
If I were dealing with the malware you are dealing with, I wouldn't even bother to clean this up manually, but perform a format and reinstall instead, as this is the only guarantee that you can trust your PC afterwards again and that everything will work properly again as well. After all, malware damages a lot, especially the "family" you are dealing with.

Also, keep in mind to change ALL your passwords afterwards since they may be known.

MattM22
Cool deal. I will go ahead with the reformat and reinstall. Thanks again for all of the assistance. Without your help, I would not have gotten my system stable enough to back up all of my personal data, which I have managed to do successfully.

So thanks a million, and I will see you around! Consider this case closed.
miekiemoes
Glad I could help.

Please read my Prevention page, with lots of info and tips on how to prevent this in the future.

Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out which programs need to be updated, please run the Secunia Software Inspector scan.

Happy Surfing again!

oooh, and don't forget to change your passwords afterwards.
miekiemoes
Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.