Security Tool

I can't get my Malwarebytes to work as well as alot of my other programs that require a .exe on my computer. Please help I know nothing about computers and these types of problems please help. Step by step would be great!

Thanks in advance,
Cattielbullard

Hi
Welcome to the forums.

Please download exeHelper

• Double-click on exeHelper.com to run the fix.
  
• A black window should pop up, press any key to close once the fix is completed.
  
• Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
  

Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

==

If you can get Malwarebytes to work, please post a log to start out.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:24:03 PM, on 10/10/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SpyNoMore\SNM.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0080423
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0080423
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Turbine Download Manager Tray Icon] "C:\Program Files\Turbine\Turbine Download Manager\TurbineDownloadManagerIcon.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [01143716] C:\DOCUME~1\ALLUSE~1\APPLIC~1\01143716\01143716.exe
O4 - HKLM\..\Run: [75083326] C:\Documents and Settings\All Users\Application Data\75083326\75083326.exe
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\usemedaily\mbamgui.exe /install /silent
O4 - HKLM\..\RunOnce: [IndexCleaner] "C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {195B4BBF-E1E4-4020-9773-0A8C6F65EA35} (CPlayFirstCookingDasControl Object) - http://games.bigfishgames.com/en_cooking-dash/online/CookingDashWeb.1.0.0.9.cab
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader2.cab
O16 - DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} (GoBit Games Player) - http://games.bigfishgames.com/en_burger-shop/online/GoBitGamesPlayer_v4.cab
O16 - DPF: {BAC761D3-DFFD-4DB4-A01D-173346E090A7} (CPlayFirstzenerchiControl Object) - http://clubgames.pogo.com/online2/pogo/zenerchi/ZenerchiWeb.1.0.0.10.cab
O16 - DPF: {D40F5876-A494-4124-8161-82625BB28C06} (CPlayFirstChocolatieControl Object) - http://absolutist.com/online/chocolatier2/Chocolatier2Web.1.0.0.10.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.shockwave.com/content/feedingfrenzy/sis/SproutLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/webgames/popcaploader_v10.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {EA6246B4-F380-443F-8727-9AEA3371146C} (CPlayFirstWeddingDashControl Object) - http://pogoclub.oberon-media.com/online2/pogop/wedding_dash/WeddingDash.1.0.0.47.cab
O16 - DPF: {F4EBFE42-D82A-48EB-B70E-7499FFEAFF3F} (CPlayFirstDressShopHControl Object) - http://absolutist.com/online/dress_shop_hop/DressShopHopWeb.1.0.0.7.cab
O16 - DPF: {FCB28D51-A017-46B2-9FB3-F7BFD53B2E42} (CPlayFirstChocolatieControl Object) - http://absolutist.com/online/chocolatier-decadence-by-design/Chocolatier3Web.1.0.0.6.cab
O20 - AppInit_DLLs: kifabibu.dll
O22 - SharedTaskScheduler: mujuzedij - {8d857778-6ec2-4c6a-94c4-99dc52c8a74b} - (no file)
O22 - SharedTaskScheduler: jugezatag - {9149d14b-7624-4393-915e-8d23e7cd7239} - (no file)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Turbine Message Service - Live (LiveTurbineMessageService) - Turbine, Inc. - C:\Program Files\Turbine\Turbine Download Manager\TurbineMessageService.exe
O23 - Service: Turbine Network Service - Live (LiveTurbineNetworkService) - Turbine, Inc. - C:\Program Files\Turbine\Turbine Download Manager\TurbineNetworkService.exe
O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
O23 - Service: Verizon Internet Security Suite (Radialpoint Security Services) - Verizon - C:\Program Files\Verizon\Verizon Internet Security Suite\RpsSecurityAwareR.exe
O23 - Service: Verizon Internet Security Suite SafeConnectAgent (RadialpointSafeConnectAgent) - Sana Security - C:\Program Files\Verizon\Verizon Internet Security Suite\SafeConnect\Bin\SanaAgent.exe
O23 - Service: Verizon Internet Security Suite Firewall (RP_FWS) - Verizon - C:\Program Files\Verizon\Verizon Internet Security Suite\Fws.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe (file missing)

--
End of file - 7476 bytes
this is from hijack this!

exeHelper by Raktor - 09
Build 20090925
Run at 20:27:13 on 10/10/09
Now searching...
Checking for numerical processes...
Removing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\01143716
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

exeHelper by Raktor - 09
Build 20090925
Run at 20:36:35 on 10/10/09
Now searching...
Checking for numerical processes...
Removing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\75083326
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

exeHelper by Raktor - 09
Build 20090925
Run at 20:36:57 on 10/10/09
Now searching...
Checking for numerical processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

I can get Malware to download it just wont run. It stops as soon as i try to scan with it.

Hi

Please download ComboFix from Here or Here

* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective
  programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  
• Double click on ComboFix.exe & follow the prompts.
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Do not mouse-click Combofix's window while it is running. That may cause it to stall.

ComboFix 09-10-10.02 - Cattie Bullard 10/10/2009 21:00.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1982.1491 [GMT -5:00]
Running from: c:\documents and settings\Cattie Bullard\Desktop\ComboFix.exe
AV: Verizon Internet Security Suite Anti-Virus *On-access scanning disabled* (Updated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
FW: Verizon Internet Security Suite Firewall *disabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\govured._sy
c:\documents and settings\All Users\Application Data\hetose.sys
c:\documents and settings\All Users\Application Data\itanudyno.lib
c:\documents and settings\All Users\Application Data\mive.com
c:\documents and settings\All Users\Application Data\wasatar.lib
c:\documents and settings\All Users\Application Data\ykuzuxafih.scr
c:\documents and settings\All Users\Application Data\zotakyry.bin
c:\documents and settings\All Users\Application Data\zubo.scr
c:\documents and settings\All Users\Documents\jobyg.com
c:\documents and settings\All Users\Documents\qawiraw.sys
c:\documents and settings\All Users\Documents\ybal._dl
c:\documents and settings\All Users\Documents\zecuxesily.vbs
c:\documents and settings\Cattie Bullard\Application Data\buguwase.lib
c:\documents and settings\Cattie Bullard\Application Data\esobe.pif
c:\documents and settings\Cattie Bullard\Application Data\keqe.com
c:\documents and settings\Cattie Bullard\Cookies\lavoli.reg
c:\documents and settings\Cattie Bullard\Local Settings\Application Data\azyraqoja.vbs
c:\documents and settings\Cattie Bullard\Local Settings\Application Data\ejas._sy
c:\documents and settings\Cattie Bullard\Local Settings\Application Data\lekas.dll
c:\documents and settings\Cattie Bullard\Local Settings\Application Data\tycymuq.dl
c:\documents and settings\Cattie Bullard\Local Settings\Temporary Internet Files\apunos.lib
c:\documents and settings\Cattie Bullard\Local Settings\Temporary Internet Files\dejotax.sys
c:\documents and settings\Cattie Bullard\Local Settings\Temporary Internet Files\eqelaxa.dat
c:\documents and settings\Cattie Bullard\Local Settings\Temporary Internet Files\himof.ban
c:\documents and settings\Cattie Bullard\Local Settings\Temporary Internet Files\iwemujo.com
c:\documents and settings\Cattie Bullard\Local Settings\Temporary Internet Files\lehar.com
c:\documents and settings\Cattie Bullard\Local Settings\Temporary Internet Files\nuhidape.dl
c:\documents and settings\Cattie Bullard\Local Settings\Temporary Internet Files\nyvahone.ban
c:\documents and settings\Cattie Bullard\Local Settings\Temporary Internet Files\vasegiqi._sy
c:\documents and settings\Cattie Bullard\Local Settings\Temporary Internet Files\ynaronul.db
c:\program files\Common Files\aroge.vbs
c:\program files\Common Files\egacywur.bin
c:\windows\atykyhixas.exe
c:\windows\cudozabys.reg
c:\windows\cyfakan.dll
c:\windows\eseqinuno.dl
c:\windows\jusitax._dl
c:\windows\niperuwe.ban
c:\windows\oqowyce._sy
c:\windows\system32\AutoRun.inf
c:\windows\system32\idyqe.dl
c:\windows\system32\kifabibu.dll
c:\windows\system32\lymomutiz.bin
c:\windows\system32\petatusa.dll
c:\windows\system32\pupakijug.dll
c:\windows\system32\ukiki.pif
c:\windows\system32\wbem\proquota.exe
c:\windows\udagugax.bat
c:\windows\ulyny._sy
c:\windows\usyj.ban
c:\windows\ysyhynalek.vbs

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MYWEBSEARCHSERVICE
-------\Service_MyWebSearchService


((((((((((((((((((((((((( Files Created from 2009-09-11 to 2009-10-11 )))))))))))))))))))))))))))))))
.

2009-10-11 02:06 . 2004-08-04 10:00 50176 ----a-w- c:\windows\system32\proquota.exe
2009-10-11 02:06 . 2004-08-04 10:00 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-10-11 01:38 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-11 01:38 . 2009-10-11 01:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-11 01:38 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-11 01:05 . 2009-10-11 01:05 1152 ----a-w- c:\windows\system32\windrv.sys
2009-10-11 01:05 . 2009-10-11 01:10 -------- d-----w- c:\program files\SpyNoMore
2009-10-11 01:05 . 2009-10-11 01:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\GetRightToGo
2009-10-11 00:51 . 2009-10-11 00:51 -------- d-----w- c:\program files\Trend Micro
2009-10-11 00:37 . 2009-10-11 00:40 -------- d-----w- c:\program files\myapp
2009-10-11 00:30 . 2009-10-11 00:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-10-10 23:12 . 2009-10-10 23:12 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-10-10 21:34 . 2009-10-10 21:34 137 ----a-w- c:\documents and settings\Cattie Bullard\Local Settings\Application Data\fusioncache.dat
2009-10-10 21:34 . 2009-10-10 21:34 -------- d-----w- c:\documents and settings\Cattie Bullard\Local Settings\Application Data\Turbine
2009-10-10 20:20 . 2009-10-10 23:23 -------- d-----w- c:\documents and settings\All Users\Application Data\75083326
2009-10-01 19:15 . 2009-10-06 19:40 -------- d-----w- c:\documents and settings\Cattie Bullard\Local Settings\Application Data\WeatherBug
2009-10-01 19:15 . 2009-10-01 19:15 -------- d-----w- c:\program files\AWS
2009-10-01 19:15 . 2009-10-01 19:15 -------- d-----w- c:\documents and settings\Cattie Bullard\Application Data\WeatherBug
2009-09-28 13:59 . 2009-09-28 13:59 -------- d-----w- c:\program files\Perfect World Entertainment
2009-09-28 12:32 . 2009-09-28 13:47 -------- d-----w- c:\documents and settings\Cattie Bullard\Application Data\GetRightToGo
2009-09-28 10:13 . 2009-09-28 10:13 -------- d-----w- c:\documents and settings\Cattie Bullard\Application Data\Malwarebytes
2009-09-28 10:13 . 2009-09-28 10:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-28 09:14 . 2009-09-28 09:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\Verizon
2009-09-28 09:09 . 2009-09-28 09:09 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-09-28 08:15 . 2009-09-28 08:15 18261 ----a-w- c:\windows\womydiqika.dat
2009-09-28 08:15 . 2009-09-28 08:15 12870 ----a-w- c:\documents and settings\Cattie Bullard\Local Settings\Application Data\yvupo.dat
2009-09-28 08:15 . 2009-09-28 08:15 12762 ----a-w- c:\program files\Common Files\adixe.dat
2009-09-26 23:16 . 2009-09-26 23:16 -------- d-----w- c:\documents and settings\Cattie Bullard\Local Settings\Application Data\Turbine,_Inc
2009-09-26 23:14 . 2009-09-26 23:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Turbine
2009-09-26 23:14 . 2009-10-10 21:23 -------- d-----w- c:\program files\Turbine
2009-09-26 22:42 . 2009-09-28 08:13 -------- d-----w- c:\documents and settings\Cattie Bullard\Local Settings\Application Data\PMB Files
2009-09-26 22:41 . 2009-10-10 22:43 -------- d-----w- c:\program files\Pando Networks
2009-09-15 12:41 . 2009-10-08 03:18 45 ----a-w- c:\documents and settings\Cattie Bullard\jagex_runescape_preferences2.dat
2009-09-15 04:54 . 2009-09-15 04:54 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-09-15 04:42 . 2009-09-15 04:42 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-09-15 04:41 . 2009-09-15 04:48 -------- d-----w- c:\program files\DivX
2009-09-14 19:54 . 2009-09-14 19:55 -------- d-----w- c:\documents and settings\Cattie Bullard\Application Data\Move Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-11 02:08 . 2009-07-11 20:31 500256 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-10-11 02:08 . 2009-07-11 20:31 46700 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-10-11 02:08 . 2009-07-11 20:31 333788 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-10-11 02:08 . 2009-07-11 20:31 27082528 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-10-08 04:01 . 2008-07-28 08:47 38 -c--a-w- c:\documents and settings\Cattie Bullard\jagex_runescape_preferences.dat
2009-10-02 11:35 . 2008-06-19 17:31 -------- d-----w- c:\program files\World of Warcraft
2009-09-28 09:01 . 2009-09-10 12:28 120 ----a-w- c:\windows\Mgogabamomigob.dat
2009-09-28 08:15 . 2009-09-28 08:15 12224 ----a-w- c:\program files\Common Files\cevobefet.db
2009-09-15 04:54 . 2008-04-23 21:29 -------- d-----w- c:\program files\Google
2009-09-15 04:32 . 2009-08-04 02:15 -------- d-----w- c:\program files\Oberon Media
2009-09-15 04:30 . 2009-07-03 06:36 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2009-08-31 02:33 . 2009-08-25 17:50 -------- d-----w- c:\program files\World of Warcraft Public Test
2009-08-28 01:30 . 2008-06-19 17:31 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-08-25 06:10 . 2009-03-28 08:14 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-25 05:53 . 2009-08-25 04:49 -------- d-----w- c:\documents and settings\Cattie Bullard\Application Data\Gamelab
2009-08-22 15:28 . 2008-06-13 18:09 35552 ----a-w- c:\documents and settings\Cattie Bullard\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-20 13:00 . 2009-08-19 16:22 -------- d-----w- c:\program files\Microsoft Games
2009-08-19 23:57 . 2009-08-19 23:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2009-08-18 19:43 . 2009-08-18 19:43 -------- d-----w- c:\program files\Hidden Expedition Titanic
2009-08-18 18:32 . 2009-08-18 18:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Trymedia
2009-08-18 18:32 . 2009-08-18 18:32 -------- d-----w- c:\program files\BFG
2009-08-15 08:07 . 2009-08-15 08:07 -------- d-----w- c:\program files\MSBuild
2009-08-15 08:07 . 2009-08-15 08:07 -------- d-----w- c:\program files\Reference Assemblies
2009-08-09 09:11 . 2009-08-09 09:11 17411 ----a-w- c:\documents and settings\All Users\Application Data\agijudo.dat
2009-08-09 09:11 . 2009-08-09 09:11 17041 ----a-w- c:\windows\uvoh.bin
2009-08-09 09:11 . 2009-08-09 09:11 16232 ----a-w- c:\windows\cazufanu.bin
2009-08-05 09:11 . 2004-08-10 17:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 18:55 . 2004-08-10 17:50 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 07:18 . 2004-08-10 17:51 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-10 08:19 . 2009-07-10 08:19 88576 --sha-w- c:\windows\system32\danipowu.dll
2009-07-10 05:33 . 2009-07-10 05:33 116224 --sha-w- c:\windows\system32\gufavudu.dll
2009-07-10 20:20 . 2009-07-10 20:20 51200 --sha-w- c:\windows\system32\hajifagu.dll
2009-07-10 20:19 . 2009-07-10 20:19 1011609 --sha-w- c:\windows\system32\kufoluru.exe
2009-07-10 05:33 . 2009-07-10 05:33 116224 --sha-w- c:\windows\system32\mivajuyi.dll
2009-07-10 20:19 . 2009-07-10 20:19 51200 --sha-w- c:\windows\system32\pujosove.dll
2009-07-10 20:19 . 2009-07-10 20:19 88576 --sha-w- c:\windows\system32\rigitaza.dll
2009-07-10 08:19 . 2009-07-10 08:19 69120 --sha-w- c:\windows\system32\vufewuta.dll
2009-07-10 08:19 . 2009-07-10 08:19 1011343 --sha-w- c:\windows\system32\zupejaku.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{04d8cda3-e187-4eec-af8f-c14587672208}]
2009-07-10 20:20 51200 --sha-w- c:\windows\system32\hajifagu.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-04-07 8466432]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-04-23 98304]
"Turbine Download Manager Tray Icon"="c:\program files\Turbine\Turbine Download Manager\TurbineDownloadManagerIcon.exe" [2009-10-10 472568]
"SNM"="c:\program files\SpyNoMore\SNM.exe" [2009-10-11 1067472]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
"c:\\Program Files\\Raxco\\PerfectDisk2008\\PD91Agent.exe"=
"c:\\Program Files\\Raxco\\PerfectDisk2008\\PD91Engine.exe"=
"c:\\Program Files\\Turbine\\Turbine Download Manager\\TurbineMessageService.exe"=
"c:\\Program Files\\Turbine\\Turbine Download Manager\\TurbineNetworkService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:blizzard downloader
"3724:TCP"= 3724:TCP:blizzard downloader
"57991:TCP"= 57991:TCP:Pando Media Booster
"57991:UDP"= 57991:UDP:Pando Media Booster

R2 PD91Agent;PD91Agent;c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe [9/22/2008 4:58 PM 693512]
R2 RadialpointSafeConnectAgent;Verizon Internet Security Suite SafeConnectAgent;c:\program files\Verizon\Verizon Internet Security Suite\SafeConnect\bin\SanaAgent.exe [11/14/2008 6:28 PM 4937752]
R3 PD91Engine;PD91Engine;c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe [9/22/2008 4:58 PM 910600]
R3 Radialpoint Security Services;Verizon Internet Security Suite;c:\program files\Verizon\Verizon Internet Security Suite\RpsSecurityAwareR.exe [4/22/2009 10:38 AM 170736]
R3 RadialpointSafeConnectDriver;RadialpointSafeConnectDriver;c:\program files\Verizon\Verizon Internet Security Suite\SafeConnect\Driver\platform_XP\SafeConnectDriver.sys [11/14/2008 6:28 PM 161304]
R3 RadialpointSafeConnectFilter;RadialpointSafeConnectFilter;c:\program files\Verizon\Verizon Internet Security Suite\SafeConnect\Driver\platform_XP\SafeConnectFilter.sys [11/14/2008 6:28 PM 29720]
R3 RadialpointSafeConnectShim;RadialpointSafeConnectShim;c:\program files\Verizon\Verizon Internet Security Suite\SafeConnect\Driver\platform_XP\SafeConnectShim.sys [11/14/2008 6:28 PM 27376]
S2 LiveTurbineMessageService;Turbine Message Service - Live;c:\program files\Turbine\Turbine Download Manager\TurbineMessageService.exe [9/26/2009 6:14 PM 267760]
S3 LiveTurbineNetworkService;Turbine Network Service - Live;c:\program files\Turbine\Turbine Download Manager\TurbineNetworkService.exe [9/26/2009 6:14 PM 218608]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-10-10 c:\windows\Tasks\User_Feed_Synchronization-{34CD53BE-07A6-4108-B6CE-D8E418EA34BA}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://onlinecinema.org/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Search
DPF: {195B4BBF-E1E4-4020-9773-0A8C6F65EA35} - hxxp://games.bigfishgames.com/en_cooking-dash/online/CookingDashWeb.1.0.0.9.cab
DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} - hxxp://games.bigfishgames.com/en_burger-shop/online/GoBitGamesPlayer_v4.cab
DPF: {D40F5876-A494-4124-8161-82625BB28C06} - hxxp://absolutist.com/online/chocolatier2/Chocolatier2Web.1.0.0.10.cab
DPF: {F4EBFE42-D82A-48EB-B70E-7499FFEAFF3F} - hxxp://absolutist.com/online/dress_shop_hop/DressShopHopWeb.1.0.0.7.cab
DPF: {FCB28D51-A017-46B2-9FB3-F7BFD53B2E42} - hxxp://absolutist.com/online/chocolatier-decadence-by-design/Chocolatier3Web.1.0.0.6.cab
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe
HKLM-Run-vavozuzaga - petatusa.dll
SharedTaskScheduler-{8d857778-6ec2-4c6a-94c4-99dc52c8a74b} - (no file)
SharedTaskScheduler-{9149d14b-7624-4393-915e-8d23e7cd7239} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-10 21:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

scanning hȋdden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2096645506-828190138-1039861506-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2368)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Verizon\Verizon Internet Security Suite\Fws.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
c:\program files\Verizon\VSP\VerizonServicepoint.exe
.
**************************************************************************
.
Completion time: 2009-10-11 21:17 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-11 02:16

Pre-Run: 95,330,439,168 bytes free
Post-Run: 95,427,751,936 bytes free

275 --- E O F --- 2009-09-17 08:01

Hi

Re-running ComboFix to remove infections:

1. Close any open browsers.
   
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
   
3. Open notepad and copy/paste the text in the quotebox below into it:
   

   
   KillAll::
   
   Driver::
   MYWEBSEARCHSERVICE
   
   File::
   c:\windows\system32\windrv.sys
   c:\windows\womydiqika.dat
   c:\documents and settings\Cattie Bullard\Local Settings\Application Data\yvupo.dat
   c:\program files\Common Files\adixe.dat
   c:\program files\Common Files\cevobefet.db
   
   Folder::
   c:\program files\SpyNoMore
   c:\documents and settings\Administrator\Application Data\GetRightToGo
   c:\documents and settings\All Users\Application Data\75083326
   
   Registry::
   [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{04d8cda3-e187-4eec-af8f-c14587672208}]
   

4. Save this as CFScript.txt, in the same location as ComboFix.exe
   
   
   
   
5. Referring to the picture above, drag CFScript into ComboFix.exe
   
6. When finished, it shall produce a log for you at C:\ComboFix.txt
   
7. Please post the contents of the log in your next reply.

==

Please download RootRepeal from GooglePages.com.

• Extract the program file to your Desktop.
  
• Run the program RootRepeal.exe and go to the Report tab and click on the Scan button.
  
  
  
• Select ALL of the checkboxes and then click OK and it will start scanning your system.
  
  
• If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  
• When done, click on Save Report
  
• Save it to the Desktop.
  
• Please copy/paste the contents of the report in your next reply.
  

Please remove any e-mail address in the RootRepeal report (if present).


==

Please post the ComboFix and RootRepeal logs in your next reply.

ComboFix 09-10-10.02 - Cattie Bullard 10/10/2009 22:43.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1982.1581 [GMT -5:00]
Running from: c:\documents and settings\Cattie Bullard\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Cattie Bullard\Desktop\CFScript.txt
AV: Verizon Internet Security Suite Anti-Virus *On-access scanning disabled* (Updated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
FW: Verizon Internet Security Suite Firewall *disabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}

FILE ::
"c:\documents and settings\Cattie Bullard\Local Settings\Application Data\yvupo.dat"
"c:\program files\Common Files\adixe.dat"
"c:\program files\Common Files\cevobefet.db"
"c:\windows\system32\windrv.sys"
"c:\windows\womydiqika.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\GetRightToGo
c:\documents and settings\All Users\Application Data\75083326
c:\documents and settings\All Users\Application Data\75083326\REMOVE ME NOW.exe
c:\documents and settings\Cattie Bullard\Local Settings\Application Data\yvupo.dat
c:\program files\Common Files\adixe.dat
c:\program files\Common Files\cevobefet.db
c:\program files\SpyNoMore
c:\program files\SpyNoMore\DetectionLog.dtl
c:\program files\SpyNoMore\license.txt
c:\program files\SpyNoMore\RegAllowedKeys.cfg
c:\program files\SpyNoMore\RegBlockedKeys.cfg
c:\program files\SpyNoMore\Smart.db
c:\program files\SpyNoMore\SNM.chm
c:\program files\SpyNoMore\SNM.exe
c:\program files\SpyNoMore\snm.ico
c:\program files\SpyNoMore\snmExt.d01
c:\program files\SpyNoMore\snmExt.d02
c:\program files\SpyNoMore\snmExt.d03
c:\program files\SpyNoMore\snmExt.d04
c:\program files\SpyNoMore\snmIeGuard.dat
c:\program files\SpyNoMore\snmIeGuard.dll
c:\program files\SpyNoMore\SNMMain.da1
c:\program files\SpyNoMore\SNMMain.da2
c:\program files\SpyNoMore\SNMMain.da3
c:\program files\SpyNoMore\SNMMain.da4
c:\program files\SpyNoMore\SNMMain.da5
c:\program files\SpyNoMore\SNMMain.da6
c:\program files\SpyNoMore\SNMMain.dat
c:\program files\SpyNoMore\snmShield.dat
c:\program files\SpyNoMore\snmVaccinate.dat
c:\program files\SpyNoMore\SpyNoMore.url
c:\program files\SpyNoMore\uninst.exe
c:\windows\system32\windrv.sys
c:\windows\womydiqika.dat

.
((((((((((((((((((((((((( Files Created from 2009-09-11 to 2009-10-11 )))))))))))))))))))))))))))))))
.

2009-10-11 02:06 . 2004-08-04 10:00 50176 ----a-w- c:\windows\system32\proquota.exe
2009-10-11 02:06 . 2004-08-04 10:00 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-10-11 01:38 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-11 01:38 . 2009-10-11 01:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-11 01:38 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-11 00:51 . 2009-10-11 00:51 -------- d-----w- c:\program files\Trend Micro
2009-10-11 00:37 . 2009-10-11 00:40 -------- d-----w- c:\program files\myapp
2009-10-11 00:30 . 2009-10-11 00:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-10-10 23:12 . 2009-10-10 23:12 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-10-10 21:34 . 2009-10-10 21:34 137 ----a-w- c:\documents and settings\Cattie Bullard\Local Settings\Application Data\fusioncache.dat
2009-10-10 21:34 . 2009-10-10 21:34 -------- d-----w- c:\documents and settings\Cattie Bullard\Local Settings\Application Data\Turbine
2009-10-01 19:15 . 2009-10-06 19:40 -------- d-----w- c:\documents and settings\Cattie Bullard\Local Settings\Application Data\WeatherBug
2009-10-01 19:15 . 2009-10-01 19:15 -------- d-----w- c:\program files\AWS
2009-10-01 19:15 . 2009-10-01 19:15 -------- d-----w- c:\documents and settings\Cattie Bullard\Application Data\WeatherBug
2009-09-28 13:59 . 2009-09-28 13:59 -------- d-----w- c:\program files\Perfect World Entertainment
2009-09-28 12:32 . 2009-09-28 13:47 -------- d-----w- c:\documents and settings\Cattie Bullard\Application Data\GetRightToGo
2009-09-28 10:13 . 2009-09-28 10:13 -------- d-----w- c:\documents and settings\Cattie Bullard\Application Data\Malwarebytes
2009-09-28 10:13 . 2009-09-28 10:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-28 09:14 . 2009-09-28 09:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\Verizon
2009-09-28 09:09 . 2009-09-28 09:09 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-09-26 23:16 . 2009-09-26 23:16 -------- d-----w- c:\documents and settings\Cattie Bullard\Local Settings\Application Data\Turbine,_Inc
2009-09-26 23:14 . 2009-09-26 23:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Turbine
2009-09-26 23:14 . 2009-10-10 21:23 -------- d-----w- c:\program files\Turbine
2009-09-26 22:42 . 2009-09-28 08:13 -------- d-----w- c:\documents and settings\Cattie Bullard\Local Settings\Application Data\PMB Files
2009-09-26 22:41 . 2009-10-10 22:43 -------- d-----w- c:\program files\Pando Networks
2009-09-15 12:41 . 2009-10-08 03:18 45 ----a-w- c:\documents and settings\Cattie Bullard\jagex_runescape_preferences2.dat
2009-09-15 04:54 . 2009-09-15 04:54 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-09-15 04:42 . 2009-09-15 04:42 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-09-15 04:41 . 2009-09-15 04:48 -------- d-----w- c:\program files\DivX
2009-09-14 19:54 . 2009-09-14 19:55 -------- d-----w- c:\documents and settings\Cattie Bullard\Application Data\Move Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-11 03:49 . 2009-07-11 20:31 500256 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-10-11 03:49 . 2009-07-11 20:31 47156 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-10-11 03:49 . 2009-07-11 20:31 335756 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-10-11 03:49 . 2009-07-11 20:31 27082528 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-10-08 04:01 . 2008-07-28 08:47 38 -c--a-w- c:\documents and settings\Cattie Bullard\jagex_runescape_preferences.dat
2009-10-02 11:35 . 2008-06-19 17:31 -------- d-----w- c:\program files\World of Warcraft
2009-09-28 09:01 . 2009-09-10 12:28 120 ----a-w- c:\windows\Mgogabamomigob.dat
2009-09-15 04:54 . 2008-04-23 21:29 -------- d-----w- c:\program files\Google
2009-09-15 04:32 . 2009-08-04 02:15 -------- d-----w- c:\program files\Oberon Media
2009-09-15 04:30 . 2009-07-03 06:36 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2009-08-31 02:33 . 2009-08-25 17:50 -------- d-----w- c:\program files\World of Warcraft Public Test
2009-08-28 01:30 . 2008-06-19 17:31 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-08-25 06:10 . 2009-03-28 08:14 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-25 05:53 . 2009-08-25 04:49 -------- d-----w- c:\documents and settings\Cattie Bullard\Application Data\Gamelab
2009-08-22 15:28 . 2008-06-13 18:09 35552 ----a-w- c:\documents and settings\Cattie Bullard\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-20 13:00 . 2009-08-19 16:22 -------- d-----w- c:\program files\Microsoft Games
2009-08-19 23:57 . 2009-08-19 23:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2009-08-18 19:43 . 2009-08-18 19:43 -------- d-----w- c:\program files\Hidden Expedition Titanic
2009-08-18 18:32 . 2009-08-18 18:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Trymedia
2009-08-18 18:32 . 2009-08-18 18:32 -------- d-----w- c:\program files\BFG
2009-08-15 08:07 . 2009-08-15 08:07 -------- d-----w- c:\program files\MSBuild
2009-08-15 08:07 . 2009-08-15 08:07 -------- d-----w- c:\program files\Reference Assemblies
2009-08-09 09:11 . 2009-08-09 09:11 17411 ----a-w- c:\documents and settings\All Users\Application Data\agijudo.dat
2009-08-09 09:11 . 2009-08-09 09:11 17041 ----a-w- c:\windows\uvoh.bin
2009-08-09 09:11 . 2009-08-09 09:11 16232 ----a-w- c:\windows\cazufanu.bin
2009-08-05 09:11 . 2004-08-10 17:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 18:55 . 2004-08-10 17:50 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 07:18 . 2004-08-10 17:51 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-10 08:19 . 2009-07-10 08:19 88576 --sha-w- c:\windows\system32\danipowu.dll
2009-07-10 05:33 . 2009-07-10 05:33 116224 --sha-w- c:\windows\system32\gufavudu.dll
2009-07-10 20:20 . 2009-07-10 20:20 51200 --sha-w- c:\windows\system32\hajifagu.dll
2009-07-10 20:19 . 2009-07-10 20:19 1011609 --sha-w- c:\windows\system32\kufoluru.exe
2009-07-10 05:33 . 2009-07-10 05:33 116224 --sha-w- c:\windows\system32\mivajuyi.dll
2009-07-10 20:19 . 2009-07-10 20:19 51200 --sha-w- c:\windows\system32\pujosove.dll
2009-07-10 20:19 . 2009-07-10 20:19 88576 --sha-w- c:\windows\system32\rigitaza.dll
2009-07-10 08:19 . 2009-07-10 08:19 69120 --sha-w- c:\windows\system32\vufewuta.dll
2009-07-10 08:19 . 2009-07-10 08:19 1011343 --sha-w- c:\windows\system32\zupejaku.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-10-11_02.09.49 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-11 03:51 . 2009-10-11 03:51 16384 c:\windows\temp\Perflib_Perfdata_5f0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-04-07 8466432]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-04-23 98304]
"Turbine Download Manager Tray Icon"="c:\program files\Turbine\Turbine Download Manager\TurbineDownloadManagerIcon.exe" [2009-10-10 472568]
"vavozuzaga"="petatusa.dll" [BU]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
"c:\\Program Files\\Raxco\\PerfectDisk2008\\PD91Agent.exe"=
"c:\\Program Files\\Raxco\\PerfectDisk2008\\PD91Engine.exe"=
"c:\\Program Files\\Turbine\\Turbine Download Manager\\TurbineMessageService.exe"=
"c:\\Program Files\\Turbine\\Turbine Download Manager\\TurbineNetworkService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:blizzard downloader
"3724:TCP"= 3724:TCP:blizzard downloader
"57991:TCP"= 57991:TCP:Pando Media Booster
"57991:UDP"= 57991:UDP:Pando Media Booster

R2 LiveTurbineMessageService;Turbine Message Service - Live;c:\program files\Turbine\Turbine Download Manager\TurbineMessageService.exe [9/26/2009 6:14 PM 267760]
R2 PD91Agent;PD91Agent;c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe [9/22/2008 4:58 PM 693512]
R2 RadialpointSafeConnectAgent;Verizon Internet Security Suite SafeConnectAgent;c:\program files\Verizon\Verizon Internet Security Suite\SafeConnect\bin\SanaAgent.exe [11/14/2008 6:28 PM 4937752]
R3 LiveTurbineNetworkService;Turbine Network Service - Live;c:\program files\Turbine\Turbine Download Manager\TurbineNetworkService.exe [9/26/2009 6:14 PM 218608]
R3 PD91Engine;PD91Engine;c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe [9/22/2008 4:58 PM 910600]
R3 Radialpoint Security Services;Verizon Internet Security Suite;c:\program files\Verizon\Verizon Internet Security Suite\RpsSecurityAwareR.exe [4/22/2009 10:38 AM 170736]
R3 RadialpointSafeConnectDriver;RadialpointSafeConnectDriver;c:\program files\Verizon\Verizon Internet Security Suite\SafeConnect\Driver\platform_XP\SafeConnectDriver.sys [11/14/2008 6:28 PM 161304]
R3 RadialpointSafeConnectFilter;RadialpointSafeConnectFilter;c:\program files\Verizon\Verizon Internet Security Suite\SafeConnect\Driver\platform_XP\SafeConnectFilter.sys [11/14/2008 6:28 PM 29720]
R3 RadialpointSafeConnectShim;RadialpointSafeConnectShim;c:\program files\Verizon\Verizon Internet Security Suite\SafeConnect\Driver\platform_XP\SafeConnectShim.sys [11/14/2008 6:28 PM 27376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-10-10 c:\windows\Tasks\User_Feed_Synchronization-{34CD53BE-07A6-4108-B6CE-D8E418EA34BA}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://onlinecinema.org/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Search
DPF: {195B4BBF-E1E4-4020-9773-0A8C6F65EA35} - hxxp://games.bigfishgames.com/en_cooking-dash/online/CookingDashWeb.1.0.0.9.cab
DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} - hxxp://games.bigfishgames.com/en_burger-shop/online/GoBitGamesPlayer_v4.cab
DPF: {D40F5876-A494-4124-8161-82625BB28C06} - hxxp://absolutist.com/online/chocolatier2/Chocolatier2Web.1.0.0.10.cab
DPF: {F4EBFE42-D82A-48EB-B70E-7499FFEAFF3F} - hxxp://absolutist.com/online/dress_shop_hop/DressShopHopWeb.1.0.0.7.cab
DPF: {FCB28D51-A017-46B2-9FB3-F7BFD53B2E42} - hxxp://absolutist.com/online/chocolatier-decadence-by-design/Chocolatier3Web.1.0.0.6.cab
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SNM - c:\program files\SpyNoMore\SNM.exe
AddRemove-SpyNoMore - c:\program files\SpyNoMore\uninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-10 22:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

scanning hȋdden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2096645506-828190138-1039861506-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3328)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Verizon\Verizon Internet Security Suite\Fws.exe
c:\program files\Verizon\Verizon Internet Security Suite\RPS.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
c:\program files\Verizon\VSP\VerizonServicepoint.exe
.
**************************************************************************
.
Completion time: 2009-10-11 22:57 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-11 03:56
ComboFix2.txt 2009-10-11 02:17

Pre-Run: 95,343,153,152 bytes free
Post-Run: 95,367,892,992 bytes free

253 --- E O F --- 2009-09-17 08:01

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/10/10 23:13
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: catchme.sys
Image Path: C:\ComboFix\catchme.sys
Address: 0xBA3C0000 Size: 31744 File Visible: No Signed: -
Status: -

Name: Combo-Fix.sys
Image Path: Combo-Fix.sys
Address: 0xBA108000 Size: 60416 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB536B000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA61E000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB3B93000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\Program Files\Verizon\Verizon Internet Security Suite\SafeConnect\Driver\platform_XP\SafeConnectShim.sys" at address 0xba3e18b0

#: 047 Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xb6118930

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xb6118aa0

#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xb6119540

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xb6119190

#: 053 Function Name: NtCreateThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xb6119e20

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xb6118d60

#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xb61172a0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\Program Files\Verizon\Verizon Internet Security Suite\SafeConnect\Driver\platform_XP\SafeConnectShim.sys" at address 0xba3e18e0

#: 125 Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xb6119370

#: 173 Function Name: NtQuerySystemInformation
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xb6119ad0

#: 206 Function Name: NtResumeThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xb6119dd0

#: 213 Function Name: NtSetContextThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xb611a150

#: 224 Function Name: NtSetInformationFile
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xb611a770

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xb611e160

#: 237 Function Name: NtSetSecurityObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xb6115ec0

#: 254 Function Name: NtSuspendThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xb6119d80

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xb6117600

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\Verizon\Verizon Internet Security Suite\SafeConnect\Driver\platform_XP\SafeConnectShim.sys" at address 0xba3e1990

#: 258 Function Name: NtTerminateThread
Status: Hooked by "C:\Program Files\Verizon\Verizon Internet Security Suite\SafeConnect\Driver\platform_XP\SafeConnectShim.sys" at address 0xba3e1a30

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\Program Files\Verizon\Verizon Internet Security Suite\SafeConnect\Driver\platform_XP\SafeConnectShim.sys" at address 0xba3e1ad0

Shadow SSDT
-------------------
#: 013 Function Name: NtGdiBitBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xb61174d0

#: 378 Function Name: NtUserFindWindowEx
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xb6116e70

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\Program Files\Verizon\Verizon Internet Security Suite\SafeConnect\Driver\platform_XP\SafeConnectShim.sys" at address 0xba3e1450

#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "C:\Program Files\Verizon\Verizon Internet Security Suite\SafeConnect\Driver\platform_XP\SafeConnectShim.sys" at address 0xba3e13c0

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "C:\Program Files\Verizon\Verizon Internet Security Suite\SafeConnect\Driver\platform_XP\SafeConnectShim.sys" at address 0xba3e1400

#: 460 Function Name: NtUserMessageCall
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xb6116d70

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xb611a550

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xb6116e20

#: 502 Function Name: NtUserSendInput
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xb6116300

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\Program Files\Verizon\Verizon Internet Security Suite\SafeConnect\Driver\platform_XP\SafeConnectShim.sys" at address 0xba3e1340

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xb611a5a0

==EOF==

Ok got Malwarebytes to work but other things will not connect or work. Such as Jade Dynasty, Weatherbug. How do I allow them to connect now? This thing over with should I just redownload or is there more that I need to do?

Hi

Re-running ComboFix to remove infections:

1. Close any open browsers.
   
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
   
3. Open notepad and copy/paste the text in the quotebox below into it:
   

   
   File::
   c:\windows\Mgogabamomigob.dat
   
   FileLook::
   petatusa.dll
   

4. Save this as CFScript.txt, in the same location as ComboFix.exe
   
   
   
   
5. Referring to the picture above, drag CFScript into ComboFix.exe
   
6. When finished, it shall produce a log for you at C:\ComboFix.txt
   
7. Please post the contents of the log in your next reply.

==

Please download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

• Click NO
  
• In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  
• Now click the Scan button.
  Once the scan is complete, you may receive another notice about rootkit activity.
  
• Click OK.
  
• GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  
• Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.

==

Please post the ComboFix and GMER logs in your next reply. There are a couple of hȋdden files to get rid of, then your computer should be able to connect to everything.

ComboFix 09-10-11.01 - Cattie Bullard 10/11/2009 22:48.3.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1982.1565 [GMT -5:00]
Running from: c:\documents and settings\Cattie Bullard\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Cattie Bullard\Desktop\CFScript.txt
AV: Verizon Internet Security Suite Anti-Virus *On-access scanning disabled* (Updated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
FW: Verizon Internet Security Suite Firewall *disabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}

FILE ::
"c:\windows\Mgogabamomigob.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Mgogabamomigob.dat

.
((((((((((((((((((((((((( Files Created from 2009-09-12 to 2009-10-12 )))))))))))))))))))))))))))))))
.

2009-10-11 05:24 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-11 05:24 . 2009-10-11 05:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-11 05:24 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-11 02:06 . 2004-08-04 10:00 50176 ----a-w- c:\windows\system32\proquota.exe
2009-10-11 02:06 . 2004-08-04 10:00 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-10-11 00:51 . 2009-10-11 00:51 -------- d-----w- c:\program files\Trend Micro
2009-10-11 00:37 . 2009-10-11 00:40 -------- d-----w- c:\program files\myapp
2009-10-11 00:30 . 2009-10-11 00:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-10-10 23:12 . 2009-10-10 23:12 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-10-10 21:34 . 2009-10-10 21:34 137 ----a-w- c:\documents and settings\Cattie Bullard\Local Settings\Application Data\fusioncache.dat
2009-10-10 21:34 . 2009-10-10 21:34 -------- d-----w- c:\documents and settings\Cattie Bullard\Local Settings\Application Data\Turbine
2009-10-01 19:15 . 2009-10-06 19:40 -------- d-----w- c:\documents and settings\Cattie Bullard\Local Settings\Application Data\WeatherBug
2009-10-01 19:15 . 2009-10-01 19:15 -------- d-----w- c:\program files\AWS
2009-10-01 19:15 . 2009-10-01 19:15 -------- d-----w- c:\documents and settings\Cattie Bullard\Application Data\WeatherBug
2009-09-28 13:59 . 2009-10-11 06:23 -------- d-----w- c:\program files\Perfect World Entertainment
2009-09-28 12:32 . 2009-10-11 06:19 -------- d-----w- c:\documents and settings\Cattie Bullard\Application Data\GetRightToGo
2009-09-28 10:13 . 2009-09-28 10:13 -------- d-----w- c:\documents and settings\Cattie Bullard\Application Data\Malwarebytes
2009-09-28 10:13 . 2009-09-28 10:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-28 09:14 . 2009-09-28 09:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\Verizon
2009-09-28 09:09 . 2009-09-28 09:09 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-09-26 23:16 . 2009-09-26 23:16 -------- d-----w- c:\documents and settings\Cattie Bullard\Local Settings\Application Data\Turbine,_Inc
2009-09-26 23:14 . 2009-09-26 23:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Turbine
2009-09-26 23:14 . 2009-10-10 21:23 -------- d-----w- c:\program files\Turbine
2009-09-26 22:42 . 2009-09-28 08:13 -------- d-----w- c:\documents and settings\Cattie Bullard\Local Settings\Application Data\PMB Files
2009-09-26 22:41 . 2009-10-10 22:43 -------- d-----w- c:\program files\Pando Networks
2009-09-15 12:41 . 2009-10-08 03:18 45 ----a-w- c:\documents and settings\Cattie Bullard\jagex_runescape_preferences2.dat
2009-09-15 04:54 . 2009-09-15 04:54 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-09-15 04:42 . 2009-09-15 04:42 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-09-15 04:41 . 2009-09-15 04:48 -------- d-----w- c:\program files\DivX
2009-09-14 19:54 . 2009-09-14 19:55 -------- d-----w- c:\documents and settings\Cattie Bullard\Application Data\Move Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-12 03:54 . 2009-07-11 20:31 504352 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-10-11 05:28 . 2009-07-11 20:31 47468 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-10-11 05:28 . 2009-07-11 20:31 337364 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-10-11 05:28 . 2009-07-11 20:31 27082528 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-10-08 04:01 . 2008-07-28 08:47 38 -c--a-w- c:\documents and settings\Cattie Bullard\jagex_runescape_preferences.dat
2009-10-02 11:35 . 2008-06-19 17:31 -------- d-----w- c:\program files\World of Warcraft
2009-09-15 04:54 . 2008-04-23 21:29 -------- d-----w- c:\program files\Google
2009-09-15 04:32 . 2009-08-04 02:15 -------- d-----w- c:\program files\Oberon Media
2009-09-15 04:30 . 2009-07-03 06:36 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2009-08-31 02:33 . 2009-08-25 17:50 -------- d-----w- c:\program files\World of Warcraft Public Test
2009-08-28 01:30 . 2008-06-19 17:31 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-08-25 06:10 . 2009-03-28 08:14 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-25 05:53 . 2009-08-25 04:49 -------- d-----w- c:\documents and settings\Cattie Bullard\Application Data\Gamelab
2009-08-22 15:28 . 2008-06-13 18:09 35552 ----a-w- c:\documents and settings\Cattie Bullard\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-20 13:00 . 2009-08-19 16:22 -------- d-----w- c:\program files\Microsoft Games
2009-08-19 23:57 . 2009-08-19 23:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2009-08-18 19:43 . 2009-08-18 19:43 -------- d-----w- c:\program files\Hidden Expedition Titanic
2009-08-18 18:32 . 2009-08-18 18:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Trymedia
2009-08-18 18:32 . 2009-08-18 18:32 -------- d-----w- c:\program files\BFG
2009-08-15 08:07 . 2009-08-15 08:07 -------- d-----w- c:\program files\MSBuild
2009-08-15 08:07 . 2009-08-15 08:07 -------- d-----w- c:\program files\Reference Assemblies
2009-08-09 09:11 . 2009-08-09 09:11 17411 ----a-w- c:\documents and settings\All Users\Application Data\agijudo.dat
2009-08-09 09:11 . 2009-08-09 09:11 17041 ----a-w- c:\windows\uvoh.bin
2009-08-09 09:11 . 2009-08-09 09:11 16232 ----a-w- c:\windows\cazufanu.bin
2009-08-05 09:11 . 2004-08-10 17:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 18:55 . 2004-08-10 17:50 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-10 05:33 . 2009-07-10 05:33 116224 --sha-w- c:\windows\system32\gufavudu.dll
2009-07-10 20:20 . 2009-07-10 20:20 51200 --sha-w- c:\windows\system32\hajifagu.dll
2009-07-10 05:33 . 2009-07-10 05:33 116224 --sha-w- c:\windows\system32\mivajuyi.dll
2009-07-10 20:19 . 2009-07-10 20:19 88576 --sha-w- c:\windows\system32\rigitaza.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-04-07 8466432]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-04-23 98304]
"Turbine Download Manager Tray Icon"="c:\program files\Turbine\Turbine Download Manager\TurbineDownloadManagerIcon.exe" [2009-10-10 472568]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
"c:\\Program Files\\Raxco\\PerfectDisk2008\\PD91Agent.exe"=
"c:\\Program Files\\Raxco\\PerfectDisk2008\\PD91Engine.exe"=
"c:\\Program Files\\Turbine\\Turbine Download Manager\\TurbineMessageService.exe"=
"c:\\Program Files\\Turbine\\Turbine Download Manager\\TurbineNetworkService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:blizzard downloader
"3724:TCP"= 3724:TCP:blizzard downloader
"57991:TCP"= 57991:TCP:Pando Media Booster
"57991:UDP"= 57991:UDP:Pando Media Booster

R2 PD91Agent;PD91Agent;c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe [9/22/2008 4:58 PM 693512]
R2 RadialpointSafeConnectAgent;Verizon Internet Security Suite SafeConnectAgent;c:\program files\Verizon\Verizon Internet Security Suite\SafeConnect\bin\SanaAgent.exe [11/14/2008 6:28 PM 4937752]
R3 RadialpointSafeConnectDriver;RadialpointSafeConnectDriver;c:\program files\Verizon\Verizon Internet Security Suite\SafeConnect\Driver\platform_XP\SafeConnectDriver.sys [11/14/2008 6:28 PM 161304]
R3 RadialpointSafeConnectFilter;RadialpointSafeConnectFilter;c:\program files\Verizon\Verizon Internet Security Suite\SafeConnect\Driver\platform_XP\SafeConnectFilter.sys [11/14/2008 6:28 PM 29720]
R3 RadialpointSafeConnectShim;RadialpointSafeConnectShim;c:\program files\Verizon\Verizon Internet Security Suite\SafeConnect\Driver\platform_XP\SafeConnectShim.sys [11/14/2008 6:28 PM 27376]
S2 LiveTurbineMessageService;Turbine Message Service - Live;c:\program files\Turbine\Turbine Download Manager\TurbineMessageService.exe [9/26/2009 6:14 PM 267760]
S3 LiveTurbineNetworkService;Turbine Network Service - Live;c:\program files\Turbine\Turbine Download Manager\TurbineNetworkService.exe [9/26/2009 6:14 PM 218608]
S3 PD91Engine;PD91Engine;c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe [9/22/2008 4:58 PM 910600]
S3 Radialpoint Security Services;Verizon Internet Security Suite;c:\program files\Verizon\Verizon Internet Security Suite\RpsSecurityAwareR.exe [4/22/2009 10:38 AM 170736]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-10-11 c:\windows\Tasks\User_Feed_Synchronization-{34CD53BE-07A6-4108-B6CE-D8E418EA34BA}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://onlinecinema.org/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Search
DPF: {195B4BBF-E1E4-4020-9773-0A8C6F65EA35} - hxxp://games.bigfishgames.com/en_cooking-dash/online/CookingDashWeb.1.0.0.9.cab
DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} - hxxp://games.bigfishgames.com/en_burger-shop/online/GoBitGamesPlayer_v4.cab
DPF: {D40F5876-A494-4124-8161-82625BB28C06} - hxxp://absolutist.com/online/chocolatier2/Chocolatier2Web.1.0.0.10.cab
DPF: {F4EBFE42-D82A-48EB-B70E-7499FFEAFF3F} - hxxp://absolutist.com/online/dress_shop_hop/DressShopHopWeb.1.0.0.7.cab
DPF: {FCB28D51-A017-46B2-9FB3-F7BFD53B2E42} - hxxp://absolutist.com/online/chocolatier-decadence-by-design/Chocolatier3Web.1.0.0.6.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-11 22:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

scanning hȋdden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2096645506-828190138-1039861506-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2009-10-12 22:58
ComboFix-quarantined-files.txt 2009-10-12 03:57
ComboFix2.txt 2009-10-11 03:57
ComboFix3.txt 2009-10-11 02:17

Pre-Run: 95,320,395,776 bytes free
Post-Run: 95,282,163,712 bytes free

184 --- E O F --- 2009-09-17 08:01

Hi

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

• Double-click SystemLook.exe to run it.
  
• Copy the content of the following codebox into the main textfield:
  

  Code:

  
:filefind
scecli.dll
netlogon.dll
eventlog.dll
winlogon.exe
comres.dll
crypt32.dll
gpedit.dll
rundll32.exe
sfc.dll
svchost.exe
cngaudit.dll
beep.sys
wscntfy.exe
atapi.sys
petatusa.dll

  
  
  
• Click the Look button to start the scan.
  
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
  

Note: The log can also be found on your Desktop entitled SystemLook.txt

GMER 1.0.15.15125 - http://www.gmer.net
Rootkit scan 2009-10-12 00:57:43
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\CATTIE~1\LOCALS~1\Temp\pxtdqpoc.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\Verizon\Verizon Internet Security Suite\SafeConnect\Driver\platform_XP\SafeConnectShim.sys (SafeConnect Application Activity Monitor Loader Driver./Sana Security, Inc. ) ZwClose [0xBA3E98B0]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwCreateProcess [0xB64E9930]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwCreateProcessEx [0xB64E9AA0]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwCreateSection [0xB64EA540]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwCreateSymbolicLinkObject [0xB64EA190]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwCreateThread [0xB64EAE20]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwDuplicateObject [0xB64E9D60]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwLoadDriver [0xB64E82A0]
SSDT \??\C:\Program Files\Verizon\Verizon Internet Security Suite\SafeConnect\Driver\platform_XP\SafeConnectShim.sys (SafeConnect Application Activity Monitor Loader Driver./Sana Security, Inc. ) ZwOpenProcess [0xBA3E98E0]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwOpenSection [0xB64EA370]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwQuerySystemInformation [0xB64EAAD0]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwResumeThread [0xB64EADD0]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwSetContextThread [0xB64EB150]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwSetInformationFile [0xB64EB770]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwSetInformationProcess [0xB64EF160]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwSetSecurityObject [0xB64E6EC0]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwSuspendThread [0xB64EAD80]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwSystemDebugControl [0xB64E8600]
SSDT \??\C:\Program Files\Verizon\Verizon Internet Security Suite\SafeConnect\Driver\platform_XP\SafeConnectShim.sys (SafeConnect Application Activity Monitor Loader Driver./Sana Security, Inc. ) ZwTerminateProcess [0xBA3E9990]
SSDT \??\C:\Program Files\Verizon\Verizon Internet Security Suite\SafeConnect\Driver\platform_XP\SafeConnectShim.sys (SafeConnect Application Activity Monitor Loader Driver./Sana Security, Inc. ) ZwTerminateThread [0xBA3E9A30]
SSDT \??\C:\Program Files\Verizon\Verizon Internet Security Suite\SafeConnect\Driver\platform_XP\SafeConnectShim.sys (SafeConnect Application Activity Monitor Loader Driver./Sana Security, Inc. ) ZwWriteVirtualMemory [0xBA3E9AD0]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[284] [0xB64E5D40]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[285] [0xB64E5D50]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[286] [0xB64E5D60]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[287] [0xB64E5D80]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[288] [0xB64E5DA0]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[289] [0xB64E5DD0]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[290] [0xB64E5DE0]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[291] [0xB64E5E00]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[292] [0xB64E5E10]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[293] [0xB64E5ED0]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[294] [0xB64E5FA0]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[295] [0xB64E5FE0]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[296] [0xB64E6020]

Code \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) FsRtlCheckLockForReadAccess
Code \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) IoIsOperationSynchronous
Code \??\C:\DOCUME~1\CATTIE~1\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!FsRtlCheckLockForReadAccess 804E9FA0 5 Bytes JMP B64EBB90 \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab)
.text ntkrnlpa.exe!IoIsOperationSynchronous 804EE874 5 Bytes JMP B64EC150 \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab)
.text ntkrnlpa.exe!KiDispatchInterrupt + BA 805416DA 7 Bytes JMP B64EF280 \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab)
? C:\DOCUME~1\CATTIE~1\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs klif.sys (spuper-ptor/Kaspersky Lab)
AttachedDevice \FileSystem\Ntfs \Ntfs SafeConnectFilter.sys (SafeConnect Application Activity Monitor Filter Driver./Sana Security, Inc. )
AttachedDevice \Driver\Tcpip \Device\Ip rp_skt32.sys (Radialpoint Filter/Radialpoint Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp rp_skt32.sys (Radialpoint Filter/Radialpoint Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp rp_skt32.sys (Radialpoint Filter/Radialpoint Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp rp_skt32.sys (Radialpoint Filter/Radialpoint Inc.)

Device \FileSystem\Fastfat \Fat 8AE01C8A
Device \FileSystem\Fastfat \Fat 8ADFE7C8

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat klif.sys (spuper-ptor/Kaspersky Lab)
AttachedDevice \FileSystem\Fastfat \Fat SafeConnectFilter.sys (SafeConnect Application Activity Monitor Filter Driver./Sana Security, Inc. )

---- EOF - GMER 1.0.15 ----


This is from the other thing he said to download. I will try the next one. Thanks

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 01:08 on 12/10/2009 by Cattie Bullard (Administrator - Elevation successful)

========== filefind ==========

Searching for "scecli.dll"
C:\i386\scecli.dll --a--c 180224 bytes [18:34 17/06/2008] [10:00 04/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A
C:\WINDOWS\ERDNT\cache\scecli.dll --a--- 180224 bytes [02:14 11/10/2009] [10:00 04/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A
C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\scecli.dll --a--- 181248 bytes [00:44 27/08/2008] [00:12 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084
C:\WINDOWS\system32\scecli.dll ------ 180224 bytes [17:51 10/08/2004] [10:00 04/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A

Searching for "netlogon.dll"
C:\i386\netlogon.dll --a--c 407040 bytes [18:32 17/06/2008] [10:00 04/08/2004] 96353FCECBA774BB8DA74A1C6507015A
C:\WINDOWS\$NtUninstallKB968389$\netlogon.dll -----c 407040 bytes [08:01 17/09/2009] [10:00 04/08/2004] 96353FCECBA774BB8DA74A1C6507015A
C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\netlogon.dll --a--- 407040 bytes [00:43 27/08/2008] [00:12 14/04/2008] 1B7F071C51B77C272875C3A23E1E4550
C:\WINDOWS\system32\dllcache\netlogon.dll ------ 408064 bytes [18:46 06/02/2009] [18:46 06/02/2009] 6C476D33D82F1054849790181E8F7772
C:\WINDOWS\system32\netlogon.dll ------ 408064 bytes [17:51 10/08/2004] [18:46 06/02/2009] 6C476D33D82F1054849790181E8F7772

Searching for "eventlog.dll"
C:\i386\eventlog.dll --a--c 55808 bytes [18:30 17/06/2008] [10:00 04/08/2004] 82B24CB70E5944E6E34662205A2A5B78
C:\WINDOWS\ERDNT\cache\eventlog.dll --a--- 55808 bytes [02:14 11/10/2009] [10:00 04/08/2004] 82B24CB70E5944E6E34662205A2A5B78
C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\eventlog.dll --a--- 56320 bytes [00:42 27/08/2008] [00:11 14/04/2008] 6D4FEB43EE538FC5428CC7F0565AA656
C:\WINDOWS\system32\eventlog.dll ------ 55808 bytes [17:51 10/08/2004] [10:00 04/08/2004] 82B24CB70E5944E6E34662205A2A5B78

Searching for "winlogon.exe"
C:\i386\winlogon.exe --a--c 502272 bytes [18:35 17/06/2008] [10:00 04/08/2004] 01C3346C241652F43AED8E2149881BFE
C:\WINDOWS\ERDNT\cache\winlogon.exe --a--- 502272 bytes [02:14 11/10/2009] [10:00 04/08/2004] 01C3346C241652F43AED8E2149881BFE
C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\winlogon.exe --a--- 507904 bytes [00:45 27/08/2008] [00:12 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
C:\WINDOWS\system32\winlogon.exe ------ 502272 bytes [17:51 10/08/2004] [10:00 04/08/2004] 01C3346C241652F43AED8E2149881BFE

Searching for "comres.dll"
C:\i386\comres.dll --a--c 792064 bytes [18:28 17/06/2008] [10:00 04/08/2004] 6728270CB7DBB776ED086F5AC4C82310
C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\comres.dll --a--- 792064 bytes [00:42 27/08/2008] [00:11 14/04/2008] 1280A158C722FA95A80FB7AEBE78FA7D
C:\WINDOWS\system32\comres.dll --a--- 792064 bytes [17:50 10/08/2004] [10:00 04/08/2004] 6728270CB7DBB776ED086F5AC4C82310

Searching for "crypt32.dll"
C:\i386\crypt32.dll --a--c 597504 bytes [18:28 17/06/2008] [10:00 04/08/2004] EFC958396A7A7EF7E6D4A52B97512E18
C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\crypt32.dll --a--- 599040 bytes [00:42 27/08/2008] [00:11 14/04/2008] BDAAF79DD63F194434D31A74B9BB8B77
C:\WINDOWS\system32\crypt32.dll --a--- 597504 bytes [17:50 10/08/2004] [10:00 04/08/2004] EFC958396A7A7EF7E6D4A52B97512E18

Searching for "gpedit.dll"
No files found.

Searching for "rundll32.exe"
C:\i386\rundll32.exe --a--c 33280 bytes [18:34 17/06/2008] [10:00 04/08/2004] DA285490BBD8A1D0CE6623577D5BA1FF
C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\rundll32.exe --a--- 33280 bytes [00:44 27/08/2008] [00:12 14/04/2008] 037B1E7798960E0420003D05BB577EE6
C:\WINDOWS\system32\rundll32.exe --a--- 33280 bytes [17:51 10/08/2004] [10:00 04/08/2004] DA285490BBD8A1D0CE6623577D5BA1FF

Searching for "sfc.dll"
C:\i386\sfc.dll --a--c 5120 bytes [18:34 17/06/2008] [10:00 04/08/2004] E8A12A12EA9088B4327D49EDCA3ADD3E
C:\WINDOWS\ERDNT\cache\sfc.dll --a--- 5120 bytes [02:14 11/10/2009] [10:00 04/08/2004] E8A12A12EA9088B4327D49EDCA3ADD3E
C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\sfc.dll --a--- 5120 bytes [00:44 27/08/2008] [00:12 14/04/2008] 96E1C926F22EE1BFBAE82901A35F6BF3
C:\WINDOWS\system32\sfc.dll ------ 5120 bytes [17:51 10/08/2004] [10:00 04/08/2004] E8A12A12EA9088B4327D49EDCA3ADD3E

Searching for "svchost.exe"
C:\i386\svchost.exe --a--c 14336 bytes [18:34 17/06/2008] [10:00 04/08/2004] 8F078AE4ED187AAABC0A305146DE6716
C:\WINDOWS\ERDNT\cache\svchost.exe --a--- 14336 bytes [02:14 11/10/2009] [10:00 04/08/2004] 8F078AE4ED187AAABC0A305146DE6716
C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\svchost.exe --a--- 14336 bytes [00:44 27/08/2008] [00:12 14/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18
C:\WINDOWS\system32\svchost.exe ------ 14336 bytes [17:51 10/08/2004] [10:00 04/08/2004] 8F078AE4ED187AAABC0A305146DE6716

Searching for "cngaudit.dll"
No files found.

Searching for "beep.sys"
C:\i386\beep.sys --a--c 4224 bytes [18:29 17/06/2008] [10:00 04/08/2004] DA1F27D85E0D1525F6621372E7B685E9
C:\WINDOWS\ERDNT\cache\beep.sys --a--- 4224 bytes [02:14 11/10/2009] [10:00 04/08/2004] DA1F27D85E0D1525F6621372E7B685E9
C:\WINDOWS\system32\dllcache\beep.sys --a--- 4224 bytes [17:50 10/08/2004] [10:00 04/08/2004] DA1F27D85E0D1525F6621372E7B685E9
C:\WINDOWS\system32\drivers\beep.sys ------ 4224 bytes [17:50 10/08/2004] [10:00 04/08/2004] DA1F27D85E0D1525F6621372E7B685E9

Searching for "wscntfy.exe"
C:\i386\wscntfy.exe --a--c 13824 bytes [18:35 17/06/2008] [10:00 04/08/2004] 49911DD39E023BB6C45E4E436CFBD297
C:\WINDOWS\ERDNT\cache\wscntfy.exe --a--- 13824 bytes [02:14 11/10/2009] [10:00 04/08/2004] 49911DD39E023BB6C45E4E436CFBD297
C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\wscntfy.exe --a--- 13824 bytes [00:45 27/08/2008] [00:12 14/04/2008] F92E1076C42FCD6DB3D72D8CFE9816D5
C:\WINDOWS\system32\wscntfy.exe ------ 13824 bytes [17:51 10/08/2004] [10:00 04/08/2004] 49911DD39E023BB6C45E4E436CFBD297

Searching for "atapi.sys"
C:\i386\atapi.sys --a--c 95360 bytes [18:29 17/06/2008] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\atapi.sys --a--- 96512 bytes [00:42 27/08/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys --a--- 95360 bytes [03:59 04/08/2004] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

Searching for "petatusa.dll"
No files found.

-=End Of File=-


Thanks Please tell me we are almost done Dont think I can take to much more of this lol pulling my hair out now.

Hi

Please do not be disappointed. It appears the rootkit is gone. That is good news. A couple of more things to check, then your computer will probably be clean. I will assure that after the next one or two posts, this issue will probably be resolved.

==

Please download Malwarebytes Anti-Malware from here.

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Full Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  
• Please save the log to a location you will remember.
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  
• Copy and paste the entire report in your next reply.
  

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

==

Download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.

• Save it to your Desktop.
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

==

Please post the Malwarebytes and Security Check logs in your next reply.