
binovc
Honorary Members, 70 posts

Everything posted by binovc

  1. I ran MSERT, when finished it reported no issues. I found msert.log, and it has a bunch of "scan errors." So not sure if it really gave me a clean bill of health or not... Log attached. msert.log
  2. Hello Maurice, thanks for the reply. Today this no longer appears in the notification area of my taskbar. Do you think that we should continue and assume it has "gone into hiding"? Or do you think it removed itself? Unfortunately I didn't take a screenshot while it was present. I downloaded FRST64 but have not installed it, waiting on your suggestion. -Eric
  3. This appeared on my desktop today, it's obviously malware. Can I get help to remove it? Latest scan using Malwarebytes does not detect it. WIN7 Professional. Thanks.
  4. Ok, thanks. I just booted this one up after quite a while of not using it because my "good" computer left me unable to boot ("load needed dlls for kernel"), and I haven't figured THAT one out yet. Maybe if I update the browsers that will fix me up... I really hate computers.
  5. Could this be a virus? I use the "Cleanup!" utility from stevengould.org. However, when I attempt to visit the website, my browser automatically changes "www.stevengould.org" to the following, and never completes loading (well, after several moments I close the page because I'm worried about it). http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0CCAQFjAA&url=http%3A%2F%2Fwww.stevengould.org%2F&ei=ALxwVLv1JIyaNvXygZgO&usg=AFQjCNFj15BnuXXyAV59UeyhZO9rKgHkvw&bvm=bv.80185997,d.eXY Can you tell me what's going on? I ran a Malwarebytes scan which detected nothing. I can easily reach the website from my tablet. The problem occurs on my HP desktop PC running XP SP3, and happens in both IE 8.0 and Firefox 11.0. Thanks.
  6. The pc came with a version of windows installed, called "windows xp ultimate edition by johnny". However MBAM used to run just fine. Possibly something got tangled up during the previous malware removal, in which I was assisted by Mr Charlie. The steps we went through are here (http://forums.malwarebytes.org/index.php?showtopic=72192&st=0&p=371599entry371599). I thought that prior issue was resolved, until I discovered that MBAM would never finish running.
  7. I hope I did what you asked. This pc has something called TugZip pre-installed. I think I zipped the startup folder. Untitled.zip
  8. I downloaded and navigated to C\USERS\ADMINISTRATOR\START MENU\PROGRAMS\STARTUP\ (which is where MBAM seems to be hanging up at). It shows one item in the STARTUP folder, and it is called "desktop.ini".
  9. Did as suggested in posts 27 & 28, no joy. I attempted the quick scan after the suggestions on post 27 and again after 28. When I added C\USERS\ADMINISTRATOR\START MENU\PROGRAMS\STARTUP\Administrator to the MBAM ignore list, I could not browse past "STARTUP". There was no "Administrator" inside the STARTUP folder. So I added C\USERS\ADMINISTRATOR\START MENU\PROGRAMS\STARTUP to the ignore list. I ran DDS after this attempt. Combo and DDS logs below. ComboFix 11-04-09.01 - user 04/10/2011 11:43:33.8.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1566 [GMT -5:00] Running from: c:\users\user\Desktop\ComboFix.exe Command switches used :: c:\users\user\Desktop\CFScript.txt AV: McAfee VirusScan Enterprise *Disabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0} * Created a new restore point . . ((((((((((((((((((((((((( Files Created from 2011-03-10 to 2011-04-10 ))))))))))))))))))))))))))))))) . . 2011-04-04 16:37 . 2011-04-04 16:37 -------- d-----w- c:\users\user\TurboTax 2011-04-04 16:37 . 2011-04-04 16:37 -------- d-----w- c:\users\\user\TurboTax 2011-04-04 16:31 . 2011-04-04 16:31 -------- d-----w- c:\users\user\Local Settings\Application Data\Intuit 2011-04-04 16:28 . 2011-04-04 16:28 -------- d-----w- c:\users\LocalService\Local Settings\Application Data\IsolatedStorage 2011-04-04 16:28 . 2011-04-04 16:28 -------- d-----w- c:\users\user\Application Data\Intuit 2011-04-04 16:24 . 2011-04-04 16:28 -------- d-----w- c:\program files\Common Files\Intuit 2011-04-04 16:24 . 2011-04-04 16:24 -------- d-----w- c:\program files\TurboTax 2011-04-04 16:23 . 2011-04-04 16:25 -------- d-----w- c:\users\All Users\Application Data\Intuit 2011-04-02 15:05 . 2011-04-02 15:05 -------- d-----w- c:\users\All Users\Application Data\McAfee 2011-04-02 15:04 . 2008-01-25 01:50 64232 ----a-w- c:\windows\system32\drivers\mfeapfk.sys 2011-04-02 15:04 . 2008-01-25 01:50 33960 ----a-w- c:\windows\system32\drivers\mfebopk.sys 2011-04-02 15:04 . 
2008-01-25 01:50 72936 ----a-w- c:\windows\system32\drivers\mfeavfk.sys 2011-04-02 15:04 . 2008-01-25 01:50 52104 ----a-w- c:\windows\system32\drivers\mfetdik.sys 2011-04-02 15:04 . 2008-01-25 01:50 171400 ----a-w- c:\windows\system32\drivers\mfehidk.sys 2011-04-02 15:04 . 2011-04-02 15:05 -------- d-----w- c:\program files\McAfee 2011-04-02 15:04 . 2011-04-02 15:04 -------- d-----w- c:\program files\Common Files\McAfee 2011-03-28 23:57 . 2011-03-28 23:57 -------- d-----w- c:\users\user\Application Data\Malwarebytes 2011-03-28 23:55 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2011-03-28 23:55 . 2011-03-28 23:55 -------- d-----w- c:\users\All Users\Application Data\Malwarebytes 2011-03-28 23:55 . 2011-03-28 23:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2011-03-28 23:55 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-02-03 18:03 . 2011-02-03 03:12 507904 ----a-w- c:\windows\system32\winlogon.exe 2011-02-03 18:03 . 2011-02-03 03:09 135680 ----a-w- c:\windows\system32\taskmgr.exe 2011-02-03 18:03 . 2009-10-17 22:53 1033728 ----a-w- c:\windows\explorer.exe 2011-01-21 14:44 . 2009-10-17 22:53 439296 ----a-w- c:\windows\system32\shimgvw.dll . . ((((((((((((((((((((((((((((( SnapShot@2011-03-13_23.27.45 ))))))))))))))))))))))))))))))))))))))))) . + 2011-04-04 16:26 . 2011-04-04 16:26 45416 c:\windows\WinSxS\MSIL_Intuit.Spc.Esd.WinClient.Application.Update_540d4816ead86321_3.1.31.0_x-ww_46ee423f\Intuit.Spc.Esd.WinClient.Application.Update.exe + 2011-04-04 16:26 . 2011-04-04 16:26 40296 c:\windows\WinSxS\MSIL_Intuit.Spc.Esd.WinClient.Application.ConfigUXv2_540d4816ead86321_3.1.31.0_x-ww_8b778a47\Intuit.Spc.Esd.WinClient.Application.ConfigUXv2.exe + 2011-02-08 01:04 . 2011-02-08 01:04 67584 c:\windows\Installer\7e403.msp + 2011-04-04 16:24 . 
2011-04-04 16:24 25088 c:\windows\Installer\7e3e8.msi + 2011-04-04 16:29 . 2011-04-04 16:29 22016 c:\windows\assembly\NativeImages_v2.0.50727_32\TVM\c537b3608514883621dc0c49611333c2\TVM.ni.dll + 2011-04-04 16:26 . 2011-04-04 16:26 57344 c:\windows\assembly\GAC_MSIL\Intuit.Spc.Oip.Messaging.Client.ExternalApi\2.1.2.4__540d4816ead86321\Intuit.Spc.Oip.Messaging.Client.ExternalApi.dll + 2011-04-04 16:26 . 2011-04-04 16:26 21864 c:\windows\assembly\GAC_MSIL\Intuit.Spc.Map.SharedUIToolkit\5.0.136.0__7ce6deabcb36a8ea\Intuit.Spc.Map.SharedUIToolkit.dll + 2011-04-04 16:26 . 2011-04-04 16:26 49000 c:\windows\assembly\GAC_MSIL\Intuit.Spc.Map.QuickBaseClient\5.0.136.0__7ce6deabcb36a8ea\Intuit.Spc.Map.QuickBaseClient.dll + 2011-04-04 16:26 . 2011-04-04 16:26 58728 c:\windows\assembly\GAC_MSIL\Intuit.Spc.Map.Metrix.XmlSerializers\5.0.136.0__7ce6deabcb36a8ea\Intuit.Spc.Map.Metrix.XmlSerializers.dll + 2011-04-04 16:26 . 2011-04-04 16:26 79208 c:\windows\assembly\GAC_MSIL\Intuit.Spc.Map.Core\5.0.136.0__7ce6deabcb36a8ea\Intuit.Spc.Map.Core.dll + 2011-04-04 16:26 . 2011-04-04 16:26 58728 c:\windows\assembly\GAC_MSIL\Intuit.Spc.Map.3rdParty.MajesticHTMLParser\5.0.136.0__7ce6deabcb36a8ea\Intuit.Spc.Map.3rdParty.MajesticHTMLParser.dll + 2011-04-04 16:26 . 2011-04-04 16:26 45056 c:\windows\assembly\GAC_MSIL\Intuit.Spc.Foundations.Subsystem.RestServices\3.1.2.2__540d4816ead86321\Intuit.Spc.Foundations.Subsystem.RestServices.dll + 2011-04-04 16:26 . 2011-04-04 16:26 53248 c:\windows\assembly\GAC_MSIL\Intuit.Spc.Foundations.Subsystem.Repository\3.1.2.2__540d4816ead86321\Intuit.Spc.Foundations.Subsystem.Repository.dll + 2011-04-04 16:26 . 2011-04-04 16:26 69632 c:\windows\assembly\GAC_MSIL\Intuit.Spc.Foundations.Subsystem.OrchestrationUtil\3.1.2.2__540d4816ead86321\Intuit.Spc.Foundations.Subsystem.OrchestrationUtil.dll + 2011-04-04 16:26 . 
2011-04-04 16:26 94208 c:\windows\assembly\GAC_MSIL\Intuit.Spc.Foundations.Subsystem.Orchestration\3.1.2.2__540d4816ead86321\Intuit.Spc.Foundations.Subsystem.Orchestration.dll + 2011-04-04 16:26 . 2011-04-04 16:26 45056 c:\windows\assembly\GAC_MSIL\Intuit.Spc.Foundations.Subsystem.Installer\3.1.2.2__540d4816ead86321\Intuit.Spc.Foundations.Subsystem.Installer.dll + 2011-04-04 16:26 . 2011-04-04 16:26 94208 c:\windows\assembly\GAC_MSIL\Intuit.Spc.Foundations.Subsystem.DataAccessUtil\3.1.2.2__540d4816ead86321\Intuit.Spc.Foundations.Subsystem.DataAccessUtil.dll + 2011-04-04 16:26 . 2011-04-04 16:26 53248 c:\windows\assembly\GAC_MSIL\Intuit.Spc.Foundations.Subsystem.ClientUtil\3.1.2.2__540d4816ead86321\Intuit.Spc.Foundations.Subsystem.ClientUtil.dll + 2011-04-04 16:26 . 2011-04-04 16:26 20480 c:\windows\assembly\GAC_MSIL\Intuit.Spc.Foundations.Primary\3.1.2.2__540d4816ead86321\Intuit.Spc.Foundations.Primary.dll + 2011-04-04 16:26 . 2011-04-04 16:26 45056 c:\windows\assembly\GAC_MSIL\Intuit.Spc.Foundations.Primary.Xml\3.1.2.2__540d4816ead86321\Intuit.Spc.Foundations.Primary.Xml.dll + 2011-04-04 16:26 . 2011-04-04 16:26 15360 c:\windows\assembly\GAC_MSIL\Intuit.Spc.Foundations.Primary.VersionManager\3.1.2.2__540d4816ead86321\Intuit.Spc.Foundations.Primary.VersionManager.dll + 2011-04-04 16:26 . 2011-04-04 16:26 65536 c:\windows\assembly\GAC_MSIL\Intuit.Spc.Foundations.Primary.Serialization\3.1.2.2__540d4816ead86321\Intuit.Spc.Foundations.Primary.Serialization.dll + 2011-04-04 16:26 . 2011-04-04 16:26 45056 c:\windows\assembly\GAC_MSIL\Intuit.Spc.Foundations.Primary.Logging\3.1.2.2__540d4816ead86321\Intuit.Spc.Foundations.Primary.Logging.dll + 2011-04-04 16:26 . 2011-04-04 16:26 65536 c:\windows\assembly\GAC_MSIL\Intuit.Spc.Foundations.Primary.ExceptionHandling\3.1.2.2__540d4816ead86321\Intuit.Spc.Foundations.Primary.ExceptionHandling.dll + 2011-04-04 16:26 . 
2011-04-04 16:26 73728 c:\windows\assembly\GAC_MSIL\Intuit.Spc.Foundations.Primary.Config\3.1.2.2__540d4816ead86321\Intuit.Spc.Foundations.Primary.Config.dll + 2011-04-04 16:26 . 2011-04-04 16:26 10752 c:\windows\assembly\GAC_MSIL\Intuit.Spc.Foundations.PortabilitySpecific30\3.1.2.2__540d4816ead86321\Intuit.Spc.Foundations.PortabilitySpecific30.dll + 2011-04-04 16:26 . 2011-04-04 16:26 18792 c:\windows\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Ipc.Remoting.UpdateServiceWorker\3.1.31.0__540d4816ead86321\Intuit.Spc.Esd.WinClient.Ipc.Remoting.UpdateServiceWorker.dll + 2011-04-04 16:26 . 2011-04-04 16:26 46952 c:\windows\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.UpdateServicePlugin\3.1.31.0__540d4816ead86321\Intuit.Spc.Esd.WinClient.Application.UpdateServicePlugin.dll + 2011-04-04 16:26 . 2011-04-04 16:26 23912 c:\windows\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.UpdateService\1.0.0.0__540d4816ead86321\Intuit.Spc.Esd.WinClient.Application.UpdateService.dll + 2011-04-04 16:26 . 2011-04-04 16:26 12136 c:\windows\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.UpdateService.PluginContract\1.0.0.0__540d4816ead86321\Intuit.Spc.Esd.WinClient.Application.UpdateService.PluginContract.dll + 2011-04-04 16:26 . 2011-04-04 16:26 45416 c:\windows\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.Update\3.1.31.0__540d4816ead86321\Intuit.Spc.Esd.WinClient.Application.Update.exe + 2011-04-04 16:26 . 2011-04-04 16:26 40296 c:\windows\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.ConfigUXv2\3.1.31.0__540d4816ead86321\Intuit.Spc.Esd.WinClient.Application.ConfigUXv2.exe + 2011-04-04 16:26 . 2011-04-04 16:26 54632 c:\windows\assembly\GAC_MSIL\Intuit.Spc.Esd.Client.DataAccess.XmlSerializers\3.1.31.0__540d4816ead86321\Intuit.Spc.Esd.Client.DataAccess.XmlSerializers.dll + 2011-04-04 16:26 . 
2011-04-04 16:26 70504 c:\windows\assembly\GAC_MSIL\Intuit.Spc.Esd.Client.Common\3.1.31.0__540d4816ead86321\Intuit.Spc.Esd.Client.Common.dll + 2011-04-04 16:26 . 2011-04-04 16:26 32768 c:\windows\assembly\GAC_MSIL\Iesi.Collections\1.0.0.3__aa95f207798dfdb4\Iesi.Collections.dll + 2011-04-04 16:26 . 2011-04-04 16:26 77824 c:\windows\assembly\GAC_MSIL\Castle.DynamicProxy\1.1.5.0__407dd0808d44fbdc\Castle.DynamicProxy.dll + 2011-04-04 16:26 . 2011-04-04 16:26 10240 c:\windows\assembly\GAC_MSIL\BackgroundCopyManager\1.0.0.0__9e3a83f3f863854b\BackgroundCopyManager.dll + 2011-04-04 16:26 . 2011-04-04 16:26 28672 c:\windows\assembly\GAC\Common.Logging\1.2.0.0__af08829b84f0328e\Common.Logging.dll + 2009-10-17 22:53 . 2008-04-14 01:12 578560 c:\windows\system32\user32.dll + 2009-11-02 22:55 . 2008-04-14 01:12 295424 c:\windows\system32\termsrv.dll - 2009-11-02 22:55 . 2009-09-11 12:23 295424 c:\windows\system32\termsrv.dll - 2008-04-14 12:00 . 2008-04-14 12:00 135168 c:\windows\system32\shsvcs.dll + 2008-04-14 12:00 . 2009-07-27 23:17 135168 c:\windows\system32\shsvcs.dll + 2009-11-02 16:38 . 2011-04-04 21:46 149992 c:\windows\system32\FNTCACHE.DAT + 2009-10-17 22:53 . 2008-04-14 01:12 578560 c:\windows\system32\dllcache\user32.dll - 2011-02-16 16:36 . 2008-04-14 01:12 578560 c:\windows\system32\dllcache\user32.dll + 2009-11-02 22:55 . 2008-04-14 01:12 295424 c:\windows\system32\dllcache\termsrv.dll - 2011-02-16 16:36 . 2008-04-14 01:12 295424 c:\windows\system32\dllcache\termsrv.dll + 2008-04-14 12:00 . 2009-07-27 23:17 135168 c:\windows\system32\dllcache\shsvcs.dll - 2008-04-14 12:00 . 2008-04-14 12:00 135168 c:\windows\system32\dllcache\shsvcs.dll - 2011-02-16 16:36 . 2008-04-14 01:11 792064 c:\windows\system32\dllcache\comres.dll + 2009-10-17 22:53 . 2008-04-14 01:11 792064 c:\windows\system32\dllcache\comres.dll + 2011-03-27 15:43 . 2011-03-27 15:43 262144 c:\windows\system32\config\systemprofile\NTUSER.DAT + 2009-10-17 22:53 . 
2008-04-14 01:11 792064 c:\windows\system32\comres.dll + 2011-04-04 16:28 . 2011-04-04 16:28 115712 c:\windows\Installer\7e3f5.msi + 2011-04-04 16:28 . 2011-04-04 16:28 113152 c:\windows\Installer\7e3f0.msi + 2010-12-02 02:56 . 2011-03-27 16:01 102400 c:\windows\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}\ARPPRODUCTICON.exe - 2010-12-02 02:56 . 2010-12-02 02:56 102400 c:\windows\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}\ARPPRODUCTICON.exe + 2011-04-04 16:29 . 2011-04-04 16:29 116736 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Inte#\e27ee1609a02b13aab2614fc47084c3b\System.Windows.Interactivity.ni.dll + 2011-04-04 16:29 . 2011-04-04 16:29 771584 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\a140e8da81b3af34c864ad851fe150fd\System.Runtime.Remoting.ni.dll + 2011-04-04 16:29 . 2011-04-04 16:29 940032 c:\windows\assembly\NativeImages_v2.0.50727_32\Intuit.Ctg.Wte.Serv#\296c0a372097dc6a42cd8cbaf0ef6e57\Intuit.Ctg.Wte.Service.Interface.ni.dll + 2011-04-04 16:26 . 2011-04-04 16:26 174080 c:\windows\assembly\GAC_MSIL\System.Data.SQLite.Linq\2.0.38.0__db937bc2d44ff139\System.Data.SQLite.Linq.dll + 2011-04-04 16:26 . 2011-04-04 16:26 602112 c:\windows\assembly\GAC_MSIL\Spring.Core\1.1.0.2__65e474d141e25e07\Spring.Core.dll + 2011-04-04 16:26 . 2011-04-04 16:26 143360 c:\windows\assembly\GAC_MSIL\Spring.Aop\1.1.0.2__65e474d141e25e07\Spring.Aop.dll + 2011-04-04 16:26 . 2011-04-04 16:26 884736 c:\windows\assembly\GAC_MSIL\Microsoft.Web.Services3\3.0.0.0__31bf3856ad364e35\Microsoft.Web.Services3.dll + 2011-04-04 16:26 . 2011-04-04 16:26 270336 c:\windows\assembly\GAC_MSIL\log4net\1.2.10.0__1b44e1d426115821\log4net.dll + 2011-04-04 16:26 . 2011-04-04 16:26 221184 c:\windows\assembly\GAC_MSIL\Intuit.Spc.Oip.Messaging.Client.Protocol\2.1.2.4__540d4816ead86321\Intuit.Spc.Oip.Messaging.Client.Protocol.dll + 2011-04-04 16:26 . 
2011-04-04 16:26 114688 c:\windows\assembly\GAC_MSIL\Intuit.Spc.Oip.Messaging.Client.Core\2.1.2.4__540d4816ead86321\Intuit.Spc.Oip.Messaging.Client.Core.dll + 2011-04-04 16:26 . 2011-04-04 16:26 409960 c:\windows\assembly\GAC_MSIL\Intuit.Spc.Map.WindowsFirewallUtilities\5.0.136.0__7ce6deabcb36a8ea\Intuit.Spc.Map.WindowsFirewallUtilities.dll + 2011-04-04 16:26 . 2011-04-04 16:26 114024 c:\windows\assembly\GAC_MSIL\Intuit.Spc.Map.Search\5.0.136.0__7ce6deabcb36a8ea\Intuit.Spc.Map.Search.dll + 2011-04-04 16:26 . 2011-04-04 16:26 476520 c:\windows\assembly\GAC_MSIL\Intuit.Spc.Map.Reporter\5.0.136.0__7ce6deabcb36a8ea\Intuit.Spc.Map.Reporter.dll + 2011-04-04 16:26 . 2011-04-04 16:26 226664 c:\windows\assembly\GAC_MSIL\Intuit.Spc.Map.Reporter.XmlSerializers\5.0.136.0__7ce6deabcb36a8ea\Intuit.Spc.Map.Reporter.XmlSerializers.dll + 2011-04-04 16:26 . 2011-04-04 16:26 214376 c:\windows\assembly\GAC_MSIL\Intuit.Spc.Map.QuickBaseClient.XmlSerializers\5.0.136.0__7ce6deabcb36a8ea\Intuit.Spc.Map.QuickBaseClient.XmlSerializers.dll + 2011-04-04 16:26 . 2011-04-04 16:26 122728 c:\windows\assembly\GAC_MSIL\Intuit.Spc.Map.Metrix\5.0.136.0__7ce6deabcb36a8ea\Intuit.Spc.Map.Metrix.dll + 2011-04-04 16:26 . 2011-04-04 16:26 181608 c:\windows\assembly\GAC_MSIL\Intuit.Spc.Map.3rdParty.SharpZipLib\5.0.136.0__7ce6deabcb36a8ea\Intuit.Spc.Map.3rdParty.SharpZipLib.dll + 2011-04-04 16:26 . 2011-04-04 16:26 402792 c:\windows\assembly\GAC_MSIL\Intuit.Spc.Map.3rdParty.Lucene\5.0.136.0__7ce6deabcb36a8ea\Intuit.Spc.Map.3rdParty.Lucene.dll + 2011-04-04 16:26 . 2011-04-04 16:26 106496 c:\windows\assembly\GAC_MSIL\Intuit.Spc.Foundations.Subsystem.Provider.PreferencesSpecific\3.1.2.2__540d4816ead86321\Intuit.Spc.Foundations.Subsystem.Provider.PreferencesSpecific.dll + 2011-04-04 16:26 . 2011-04-04 16:26 217088 c:\windows\assembly\GAC_MSIL\Intuit.Spc.Foundations.Subsystem.DataAccess\3.1.2.2__540d4816ead86321\Intuit.Spc.Foundations.Subsystem.DataAccess.dll + 2011-04-04 16:26 . 
2011-04-04 16:26 651264 c:\windows\assembly\GAC_MSIL\Intuit.Spc.Foundations.Subsystem.DataAccess.Entity\3.1.2.2__540d4816ead86321\Intuit.Spc.Foundations.Subsystem.DataAccess.Entity.dll + 2011-04-04 16:26 . 2011-04-04 16:26 458752 c:\windows\assembly\GAC_MSIL\Intuit.Spc.Foundations.Portability\3.1.2.2__540d4816ead86321\Intuit.Spc.Foundations.Portability.dll + 2011-04-04 16:26 . 2011-04-04 16:26 106496 c:\windows\assembly\GAC_MSIL\Intuit.Spc.Foundations.Component\3.1.2.2__540d4816ead86321\Intuit.Spc.Foundations.Component.dll + 2011-04-04 16:26 . 2011-04-04 16:26 357736 c:\windows\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.UX\3.1.31.0__540d4816ead86321\Intuit.Spc.Esd.WinClient.Application.UX.dll + 2011-04-04 16:26 . 2011-04-04 16:26 421224 c:\windows\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Api.Net\3.1.31.0__540d4816ead86321\Intuit.Spc.Esd.WinClient.Api.Net.dll + 2011-04-04 16:26 . 2011-04-04 16:26 269672 c:\windows\assembly\GAC_MSIL\Intuit.Spc.Esd.Core\3.1.26.0__540d4816ead86321\Intuit.Spc.Esd.Core.dll + 2011-04-04 16:26 . 2011-04-04 16:26 206184 c:\windows\assembly\GAC_MSIL\Intuit.Spc.Esd.Core.XmlSerializers\3.1.26.0__540d4816ead86321\Intuit.Spc.Esd.Core.XmlSerializers.dll + 2011-04-04 16:26 . 2011-04-04 16:26 120168 c:\windows\assembly\GAC_MSIL\Intuit.Spc.Esd.Client.DataAccess\3.1.31.0__540d4816ead86321\Intuit.Spc.Esd.Client.DataAccess.dll + 2011-04-04 16:26 . 2011-04-04 16:26 121704 c:\windows\assembly\GAC_MSIL\Intuit.Spc.Esd.Client.BusinessLogic\3.1.31.0__540d4816ead86321\Intuit.Spc.Esd.Client.BusinessLogic.dll + 2011-04-04 16:26 . 2011-04-04 16:26 106496 c:\windows\assembly\GAC_MSIL\antlr.runtime\2.7.6.2__65e474d141e25e07\antlr.runtime.dll + 2011-04-04 16:26 . 2011-04-04 16:26 854016 c:\windows\assembly\GAC_32\System.Data.SQLite\1.0.61.0__db937bc2d44ff139\System.Data.SQLite.DLL + 2010-11-02 19:52 . 2010-11-02 19:52 1716297 c:\windows\system32\InetClnt.dll + 2011-03-27 16:01 . 
2011-03-27 16:01 2230272 c:\windows\Installer\eaa33.msi + 2011-03-22 05:48 . 2011-03-22 05:48 6420480 c:\windows\Installer\7ea76.msp + 2011-03-22 05:46 . 2011-03-22 05:46 8997888 c:\windows\Installer\7e9eb.msp + 2011-03-15 03:58 . 2011-03-15 03:58 1558016 c:\windows\Installer\7e428.msp + 2011-04-04 16:26 . 2011-04-04 16:26 3258368 c:\windows\Installer\7e3ec.msi + 2011-04-02 15:05 . 2011-04-02 15:05 7810048 c:\windows\Installer\370bde.msi + 2011-04-04 16:34 . 2011-04-04 16:34 1981760 c:\windows\Installer\{A525E00B-6609-442E-9DCD-64453C233E8D}\TurboTax.exe + 2011-04-04 16:29 . 2011-04-04 16:29 3353600 c:\windows\assembly\NativeImages_v2.0.50727_32\ttax\71db86c116fd7252c5e4cb29f841c0c4\ttax.ni.dll + 2011-04-04 16:29 . 2011-04-04 16:29 1115136 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.OracleC#\58202ed61096113d08815c0a78313b66\System.Data.OracleClient.ni.dll + 2011-04-04 16:29 . 2011-04-04 16:29 1486336 c:\windows\assembly\NativeImages_v2.0.50727_32\Intuit.Ctg.Map\2e2e7d99a2d14e1c2474167f8e08c8de\Intuit.Ctg.Map.ni.dll + 2011-04-04 16:26 . 2011-04-04 16:26 1085440 c:\windows\assembly\GAC_MSIL\NHibernate\1.2.0.4000__aa95f207798dfdb4\NHibernate.dll . -- Snapshot reset to current date -- . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}] 2011-02-02 00:17 1487240 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-02-02 1487240] . [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}] [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1] [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}] [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd] . 
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser] "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-02-02 1487240] . [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}] [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1] [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}] [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\NBHShellExt] @="{8D2223A2-B3C6-4e32-B096-CDD11F628C60}" [HKEY_CLASSES_ROOT\CLSID\{8D2223A2-B3C6-4e32-B096-CDD11F628C60}] 2008-06-10 18:29 97064 ----a-w- c:\program files\Nero\Nero8\InCD\NBHShx.dll . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-01-25 111952] "McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512] . [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] "NoRecentDocsNetHood"= 1 (0x1) . [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer] "NoRecentDocsNetHood"= 1 (0x1) . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon] "UIHost"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,\ . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys] @="Driver" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfPf] @="" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfRd] @="" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc] @="Service" . 
[HKLM\~\startupfolder\C:^Users^All Users^Start Menu^Programs^Startup^hp instant support.lnk] path=c:\users\All Users\Start Menu\Programs\Startup\hp instant support.lnk backup=c:\windows\pss\hp instant support.lnkCommon Startup . [HKLM\~\startupfolder\C:^Users^All Users^Start Menu^Programs^Startup^HPAiODevice(hp officejet g series) - 1.lnk] path=c:\users\All Users\Start Menu\Programs\Startup\HPAiODevice(hp officejet g series) - 1.lnk backup=c:\windows\pss\HPAiODevice(hp officejet g series) - 1.lnkCommon Startup . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] 2008-04-14 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD] 2008-06-10 18:29 1083176 ----a-w- c:\program files\Nero\Nero8\InCD\InCD.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr] 2009-07-26 22:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PMCRemote] 2008-11-18 18:25 226576 ------w- c:\program files\Pinnacle\Shared Files\Programs\Remote\remoterm.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL] 2005-09-22 19:36 14854144 ----a-w- c:\windows\RTHDCPL.EXE . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC] 2009-02-04 04:21 61440 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher] 2010-11-11 19:55 159472 ----a-w- c:\program files\Zune\ZuneLauncher.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "WMZuneComm"=3 (0x3) . 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "c:\\Program Files\\Cessna NAVIII Trainer v9.03\\CDUSIMv2.exe"= "c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"= "c:\\WINDOWS\\system32\\sessmgr.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"= . R3 OmniTV;Cx2388x AvStream Video Capture;c:\windows\system32\drivers\OmniTV.sys [4/29/2008 5:21 PM 401280] S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?] S3 ZD1211BU(Atheros);ZyDAS ZD1211B IEEE 802.11 b+g Wireless LAN Driver (USB)(Atheros);c:\windows\system32\drivers\ZD1211BU.sys [2/12/2010 7:25 PM 500736] S4 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\Nero\Nero8\InCD\NBHRegInCDSrv.exe [6/10/2008 1:29 PM 53032] S4 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [11/11/2010 2:57 PM 268528] . Contents of the 'Scheduled Tasks' folder . 2011-04-08 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job - c:\program files\Ask.com\UpdateTask.exe [2011-02-02 00:17] . 2011-04-10 c:\windows\Tasks\User_Feed_Synchronization-{6A8336EE-08BC-4C82-B312-F27CDDED60F7}.job - c:\windows\system32\msfeedssync.exe [2009-10-17 10:31] . . ------- Supplementary Scan ------- . 
uStart Page = hxxp://google.com/ IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000 Trusted Zone: intuit.com\ttlc FF - ProfilePath - c:\users\user\Application Data\Mozilla\Firefox\Profiles\altmiiaw.default\ FF - prefs.js: browser.search.selectedEngine - Bing FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=ZUGO&form=ZGAADF&q= FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b} FF - Ext: Ask Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com FF - Ext: Search Toolbar: searchtoolbar@zugo.com - %profile%\extensions\searchtoolbar@zugo.com FF - user.js: yahoo.ytff.general.dontshowhpoffer - true . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2011-04-10 11:47 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'winlogon.exe'(684) c:\windows\system32\SETUPAPI.dll c:\windows\system32\Ati2evxx.dll c:\windows\system32\cscui.dll . - - - - - - - > 'lsass.exe'(740) c:\windows\system32\setupapi.dll . 
- - - - - - - > 'explorer.exe'(1944) c:\windows\system32\WININET.dll c:\program files\Nero\Nero8\InCD\NBHShx.dll c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll c:\program files\Nero\Nero8\InCD\NBHStr.dll c:\program files\Common Files\Nero\Shared\NL3\AdvrCntr3.dll c:\windows\system32\SETUPAPI.dll c:\windows\System32\cscui.dll c:\progra~1\WINDOW~2\wmpband.dll c:\windows\system32\ieframe.dll c:\windows\system32\msi.dll c:\windows\system32\NETSHELL.dll c:\windows\system32\credui.dll c:\windows\system32\webcheck.dll c:\windows\system32\wpdshserviceobj.dll c:\windows\system32\portabledevicetypes.dll c:\windows\system32\portabledeviceapi.dll . Completion time: 2011-04-10 11:49:10 ComboFix-quarantined-files.txt 2011-04-10 16:49 ComboFix2.txt 2011-03-18 13:40 ComboFix3.txt 2011-03-13 23:29 . Pre-Run: 52,571,672,576 bytes free Post-Run: 52,725,157,888 bytes free . - - End Of File - - 43285C068904C8FEEDC7A72D3BB94379 . DDS (Ver_11-03-05.01) - NTFSx86 Run by user at 13:26:06.95 on Sun 04/10/2011 Internet Explorer: 8.0.6001.18702 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1411 [GMT -5:00] . AV: McAfee VirusScan Enterprise *Enabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0} . ============== Running Processes =============== . 
  10. When I entered MSConfig, the start-up entries were already re-enabled. I'm pretty sure I checked prior to running the previous quick scan that the start-up entries were disabled at that time however. The only entry that was present was Zune Windows Mobile Connectivity Service. I unchecked it, re-booted, and quick scan still ran 1+ hour before I aborted.
  11. I "disabled all", rebooted, ran quick scan, aborted after 20+ minutes.
  12. dds log.
  13. I uninstalled Spybot, rebooted, same problem. Then uninstalled Adaware, rebooted, uninstalled MBAM (used mbam-clean), rebooted, re-installed MBAM, updated, rebooted, ran a quick scan, aborted after 9+ hours. Any idea why it's spending so much time scanning a folder (C:\USERS\ADMINISTRATOR\START MENU\) that has nothing in it (see post #15)? Or are the contents of that folder just blocked from me trying to open it? I am also feeling a bit vulnerable running my pc with absolutely no anti virus and anti malware. Might I go ahead and reinstall McAfee?
  14. Done as directed, mbam ran over 30 minutes so I aborted. This machine also has Spybot and Adaware installed - possible conflict there? When I aborted the scan this time, I got an error message, "system settings protector has encountered a problem and needs to close", which was in reference to teatimer.exe, which apparently is Spybot. Side note, my other PC has the same McAfee VirusScan installation. I just downloaded/updated/ran MBAM, and quick scan took 3 minutes (it is a freshly re-formatted machine with very few files however). I also noted on that machine that McAfee was alerted to access protection rules, which it reported as having been blocked - I think as a result of the MBAM download and update. It didn't seem to affect MBAM running its scan however.
  15. I am not using pro version. I performed the steps as outlined, and quick scan ran for 2 hours before I aborted (I really don't know how long I should be able to let it run before assuming it's been too long). But it seemed to be hanging up on C:\USERS\ADMINISTRATOR\START MENU\PROGRAMS\STARTUP\Administrator\Local Service\Local Service, and then seeming to switch up between a third \Local Service\... and a \Network Service\...
  16. I have: C:\USERS\ADMINISTRATOR\START MENU, but the START MENU folder is not depicted with the normal "folder" icon, though under Properties it is called a folder. When I try to open it, I get "Visual Task Tips is already running, do you wish to stop it?" I also have folder C:\USERS\ALL USERS\START MENU\PROGRAMS\STARTUP\ (it does open, and there are two HP printer files in there). Also C:\USERS\DEFAULT USER\START MENU\ (then the same "Visual Task Tips" message when I try to open the folder). Also C:\USERS\USER\START MENU\ (then the "Visual Task Tips" message when I try to open the folder). VirusScan Enterprise 8.5.0i, scan engine version 5400.1158.
  17. Quick scan still runs in excess of 9 hours before I aborted (after completing the previous steps). Here are the logs. Thanks.
Update for Windows XP (KB974392) Security Update for Windows XP (KB975560) Security Update for Windows XP (KB975561) Security Update for Windows XP (KB975562) Security Update for Windows XP (KB975713) Security Update for Windows XP (KB977165) Security Update for Windows XP (KB977816) Security Update for Windows XP (KB977914) Security Update for Windows XP (KB978037) Security Update for Windows XP (KB978251) Security Update for Windows XP (KB978262) Security Update for Windows XP (KB978338) Security Update for Windows XP (KB978542) Security Update for Windows XP (KB978601) Security Update for Windows XP (KB978706) Security Update for Windows XP (KB979309) Security Update for Windows XP (KB979482) Security Update for Windows XP (KB979559) Security Update for Windows XP (KB979683) Security Update for Windows XP (KB979687) Security Update for Windows XP (KB980195) Security Update for Windows XP (KB980218) Security Update for Windows XP (KB980232) Security Update for Windows XP (KB980436) Security Update for Windows XP (KB981322) Security Update for Windows XP (KB981852) Security Update for Windows XP (KB981957) Security Update for Windows XP (KB981997) Security Update for Windows XP (KB982132) Security Update for Windows XP (KB982214) Security Update for Windows XP (KB982665) Security Update for Windows XP (KB982802) Skins Spybot - Search & Destroy Update for Microsoft .NET Framework 3.5 SP1 (KB963707) Update for Microsoft Windows (KB971513) Update for Windows Internet Explorer 8 (KB975364) Update for Windows Internet Explorer 8 (KB976662) Update for Windows Internet Explorer 8 (KB976749) Update for Windows Internet Explorer 8 (KB978506) Update for Windows Internet Explorer 8 (KB980182) Update for Windows XP (KB2141007) Update for Windows XP (KB2345886) Update for Windows XP (KB2467659) Update for Windows XP (KB898461) Update for Windows XP (KB955759) Update for Windows XP (KB971737) Update for Windows XP (KB973687) Update Rollup 2 for Windows XP Media Center Edition 
2005 VCRedistSetup Visual C++ 2008 x86 Runtime - (v9.0.30729) Visual C++ 2008 x86 Runtime - v9.0.30729.01 WebFldrs XP Windows Internet Explorer 8 Windows Live Communications Platform Windows Live Mail Windows Live Messenger Windows Live Photo Gallery Windows Mobile Device Updater Component Windows XP Media Center Edition 2005 KB925766 Windows XP Media Center Edition 2005 KB973768 XML Paper Specification Shared Components Pack 1.0 Zune Zune Language Pack (DEU) Zune Language Pack (ESP) Zune Language Pack (FRA) Zune Language Pack (ITA) Zune Language Pack (NLD) Zune Language Pack (PTB) Zune Language Pack (PTG) . ==== Event Viewer Messages From Past Week ======== . 3/18/2011 8:24:53 AM, error: Service Control Manager [7034] - The InCD Helper service terminated unexpectedly. It has done this 1 time(s). 3/18/2011 8:24:52 AM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s). 3/18/2011 8:24:52 AM, error: Service Control Manager [7034] - The McAfee Task Manager service terminated unexpectedly. It has done this 1 time(s). 3/18/2011 8:24:52 AM, error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 1 time(s). 3/18/2011 8:24:52 AM, error: Service Control Manager [7034] - The McAfee Framework Service service terminated unexpectedly. It has done this 1 time(s). 3/18/2011 8:24:52 AM, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s). 3/18/2011 8:24:52 AM, error: Service Control Manager [7031] - The Zune Bus Enumerator service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service. 3/18/2011 8:24:52 AM, error: Service Control Manager [7031] - The Media Center Receiver Service service terminated unexpectedly. It has done this 1 time(s). 
The following corrective action will be taken in 5000 milliseconds: Restart the service. 3/18/2011 8:24:51 AM, error: Service Control Manager [7034] - The Media Center Scheduler Service service terminated unexpectedly. It has done this 1 time(s). 3/18/2011 8:24:51 AM, error: Service Control Manager [7034] - The Ati HotKey Poller service terminated unexpectedly. It has done this 1 time(s). 3/18/2011 8:24:51 AM, error: Service Control Manager [7031] - The COM+ System Application service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service. . ==== End Of File =========================== . DDS (Ver_11-03-05.01) - NTFSx86 Run by user at 8:51:13.70 on Fri 03/18/2011 Internet Explorer: 8.0.6001.18702 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1245 [GMT -5:00] . AV: McAfee VirusScan Enterprise *Enabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0} . ============== Running Processes =============== . 
C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup svchost.exe svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe C:\WINDOWS\system32\spoolsv.exe svchost.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\Program Files\Nero\Nero8\InCD\InCDsrv.exe C:\Program Files\McAfee\Common Framework\FrameworkService.exe C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe C:\Program Files\Nero\Nero8\InCD\InCD.exe C:\WINDOWS\RTHDCPL.EXE C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe C:\Program Files\McAfee\Common Framework\UdaterUI.exe C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe C:\Program Files\McAfee\Common Framework\McTray.exe C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe svchost.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe c:\Program Files\Zune\ZuneBusEnum.exe C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\System32\svchost.exe -k HTTPFilter C:\WINDOWS\explorer.exe C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\system32\ctfmon.exe C:\Users\user\Desktop\dds.scr . ============== Pseudo HJT Report =============== . 
uStart Page = hxxp://google.com/ mWinlogon: UIHost=%SystemRoot%\System32\ultlogonui.exe BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File TB: QT TabBar: {d2bf470e-ed1c-487f-a333-2bd8835eb6ce} - mscoree.dll TB: QT Tab Standard Buttons: {d2bf470e-ed1c-487f-a666-2bd8835eb6ce} - mscoree.dll TB: QT Breadcrumbs Address Bar: {af83e43c-dd2b-4787-826b-31b17dee52ed} - mscoree.dll TB: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background uRun: [PMCRemote] c:\program files\pinnacle\shared files\programs\remote\Remoterm.exe uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe mRun: [inCD] c:\program files\nero\nero8\incd\InCD.exe mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun mRun: [RTHDCPL] RTHDCPL.EXE mRun: [shStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe" dRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background StartupFolder: c:\users\alluse~1\startm~1\programs\startup\hpinst~1.lnk - c:\program files\hewlett-packard\aio\hpis\bin\matcli.exe StartupFolder: c:\users\alluse~1\startm~1\programs\startup\hpaiod~1.lnk - c:\program files\hewlett-packard\aio\hp officejet g series\bin\hpoavn07.exe mPolicies-explorer: NoRecentDocsNetHood = 1 (0x1) dPolicies-explorer: NoRecentDocsNetHood = 1 (0x1) IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000 IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL IE: 
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab Notify: AtiExtEvent - Ati2evxx.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll . ================= FIREFOX =================== . FF - ProfilePath - c:\users\user\applic~1\mozilla\firefox\profiles\altmiiaw.default\ FF - prefs.js: browser.search.selectedEngine - Bing FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=ZUGO&form=ZGAADF&q= FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b} FF - Ext: Ask Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com FF - Ext: Search Toolbar: searchtoolbar@zugo.com - %profile%\extensions\searchtoolbar@zugo.com . ---- FIREFOX POLICIES ---- FF - user.js: yahoo.ytff.general.dontshowhpoffer - true . ============= SERVICES / DRIVERS =============== . 
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-3-29 64288] R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944] R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1352832] R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2010-2-7 104000] R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2007-2-22 144960] R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2007-2-22 54872] R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2010-2-7 72264] R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2010-2-7 34152] R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2010-2-7 170408] R3 OmniTV;Cx2388x AvStream Video Capture;c:\windows\system32\drivers\OmniTV.sys [2008-4-29 401280] S3 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328] S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\zune\WMZuneComm.exe [2010-11-11 268528] S3 ZD1211BU(Atheros);ZyDAS ZD1211B IEEE 802.11 b+g Wireless LAN Driver (USB)(Atheros);c:\windows\system32\drivers\ZD1211BU.sys [2010-2-12 500736] S4 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\nero\nero8\incd\NBHRegInCDSrv.exe [2008-6-10 53032] . =============== Created Last 30 ================ . 
2011-03-13 23:22:54 98816 ----a-w- c:\windows\sed.exe 2011-03-13 23:22:54 89088 ----a-w- c:\windows\MBR.exe 2011-03-13 23:22:54 256512 ----a-w- c:\windows\PEV.exe 2011-03-13 23:22:54 161792 ----a-w- c:\windows\SWREG.exe 2011-03-05 15:21:06 -------- d-----w- c:\users\user\applic~1\Malwarebytes 2011-03-05 15:21:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2011-03-05 15:21:01 -------- d-----w- c:\users\alluse~1\applic~1\Malwarebytes 2011-03-05 15:20:58 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-03-05 15:20:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware . ==================== Find3M ==================== . 2011-02-03 18:03:46 507904 ----a-w- c:\windows\system32\winlogon.exe 2011-02-03 18:03:36 135680 ----a-w- c:\windows\system32\taskmgr.exe 2011-02-03 18:03:18 1033728 ----a-w- c:\windows\explorer.exe 2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll 2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll 2010-12-31 13:14:45 1864064 ----a-w- c:\windows\system32\win32k.sys 2010-12-22 12:32:24 301568 ----a-w- c:\windows\system32\kerberos.dll 2010-12-20 23:59:20 916480 ----a-w- c:\windows\system32\wininet.dll 2010-12-20 23:59:19 43520 ----a-w- c:\windows\system32\licmgr10.dll 2010-12-20 23:59:19 1469440 ------w- c:\windows\system32\inetcpl.cpl 2010-12-20 17:24:18 730112 ----a-w- c:\windows\system32\lsasrv.dll 2010-12-20 12:55:26 385024 ----a-w- c:\windows\system32\html.iec . ============= FINISH: 8:51:39.78 ===============
  18. Logs attached. combofix log 13mar11_1854.txt DDS 13mar11_1830.txt Attach 13mar11_1830.txt
  19. I went to the McAfee Enterprise console, and noticed that the Access Protection module was not enabled (so I did not use MBAM Clean, then reinstall). I also did not register or enable MBAM Protection Module, as apparently this is only for a paid version. I went into the Enterprise Access Protection and added the recommended exclusions, and then enabled it. I let the quick scan run all night, and it was still chugging along this morning. Before I aborted, it was scanning C\USERS\\ADMINISTRATOR\START MENU\PROGRAMS\STARTUP\LocalService\LocalService\NetworkService, then flipping by too fast to really tell what was going on below this - but it seemed to be going to \AllUsers\AllUsers, and other places. To me it seemed like I was seeing it come back to the same locations (like \AllUsers\AllUsers) multiple times. Hard to tell for sure though. Entered safe mode to run a quick scan, and it ran approx. 8 minutes. It found 7 threats, and selected 3 for removal. Rebooted to normal mode. Running quick scan for 1 hr 18 min and counting. Seems to be spending a lot of time at: C\USERS\\ADMINISTRATOR\START MENU\PROGRAMS\STARTUP\Administrator|DefaultUser\DefaultUser\User...(too fast to read).
  20. I downloaded and ran mbam-clean.exe, and rebooted. I disabled McAfee, Spybot and Ad-Aware, downloaded MBAM again, updated it, and rebooted. I don't know of any file exclusions, but I went to the provided link and did not recognize any issues (it looks like freezing would be the only issue, since I'm running McAfee Enterprise, and I'm not experiencing that). The only issue I am seeing is that MBAM is apparently taking forever to run the quick scan. It's been going now for 3 1/2 hours, and I don't expect it to ever finish based on previous scan attempts.
  21. Just some additional info; I realize someone will attend to my issue when you get to it. I did run a defrag, I do run MBAM on a dedicated PC, and I have about 2 GB of music and 3 GB of pictures (no other large-ish file folders). I also attempted to uninstall/reinstall MBAM, and saw this error message: "MBAM_ERROR_EXPANDING_VARIABLES (0,453)". However, it seemed to install and update and run, but I still had to abort after 5 hours of scanning.
  22. I'm trying to keep my system clean, but when I run MBAM, it never gets done scanning. A previous run went 25 hours before I aborted. The most recent scan went past 17 hours (11.5 million objects scanned) before I aborted. A scan I performed the other day went about 4 hours before I aborted, and it found 3 infected registry keys (2 removed successfully, 1 not selected for removal). These are all "quick scans", by the way. I'd like to figure out why the scan never stops. Thanks.