WiredWX Christian Hobby Weather Tools
Re: Blue Netsky screen
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-07-17 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe" [2006-08-04 321040]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-16 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-20 136600]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-20 282624]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-11-07 122940]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-12 642856]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2008-12-14 467240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
hp psc 2000 Series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-4-6 323646]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Trend Micro\\Internet Security 14\\pccmain.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader

R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [9/25/2006 8:26 AM 345696]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [9/25/2006 8:26 AM 923216]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [9/11/2006 5:11 PM 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [9/25/2006 8:26 AM 566872]
R3 LNE100;Linksys LNE100TX(v5) Fast Ethernet Adapter;c:\windows\system32\drivers\lne100v5.sys [5/16/2009 8:28 AM 36224]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [8/29/2006 2:54 PM 280392]
S2 gupdate1c9d05b86bf973;Google Update Service (gupdate1c9d05b86bf973);c:\program files\Google\Update\GoogleUpdate.exe [5/8/2009 10:02 PM 133104]
.
Contents of the 'Scheduled Tasks' folder

2010-02-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-02-20 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 2170 series5E771253C1676EBED677BF361FDFC537825E15B8232728900.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 06:52]

2009-06-06 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 2170 series5E771253C1676EBED677BF361FDFC537825E15B8236365442.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 06:52]

2010-02-20 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 2170 series5E771253C1676EBED677BF361FDFC537825E15B8255979293.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 06:52]

2010-01-24 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 2170 series5E771253C1676EBED677BF361FDFC537825E15B8261677408.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 06:52]

2010-02-21 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-26 04:01]

2010-02-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-09 04:02]

2010-02-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-09 04:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.att.net/
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\9j828ih8.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://att.my.yahoo.com/
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\9j828ih8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Virtools\3D Life Player\npvirtools.dll
FF - HiddenExtension: XULRunner: {0B7C6D1F-4931-4EB3-B104-0A62393D3321} - c:\documents and settings\Owner\Local Settings\Application Data\{0B7C6D1F-4931-4EB3-B104-0A62393D3321}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

BHO-{3fee9ef3-c33e-455e-8672-88d8b456c9cd} - savohofu.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-20 18:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A32081A]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba8ecfc3
\Driver\ACPI -> ACPI.sys @ 0xba77fcb8
\Driver\iaStor -> iaStor.sys @ 0xba674f78
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582544
ParseProcedure -> ntkrnlpa.exe @ 0x80581684
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582544
ParseProcedure -> ntkrnlpa.exe @ 0x80581684
NDIS: Linksys LNE100TX(v5) Fast Ethernet Adapter -> SendCompleteHandler -> NDIS.sys @ 0xba553af9
PacketIndicateHandler -> NDIS.sys @ 0xba55eb21
SendHandler -> NDIS.sys @ 0xba553938
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(812)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(872)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3652)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\progra~1\TRENDM~1\INTERN~1\PcCtlCom.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\stsystra.exe
c:\windows\eHome\ehmsas.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
c:\windows\system32\HPZipm12.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
c:\program files\Java\jre6\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2010-02-20 18:48:41 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-21 00:48
ComboFix2.txt 2009-10-09 15:46

Pre-Run: 82,584,997,888 bytes free
Post-Run: 82,551,975,936 bytes free

- - End Of File - - 7742B6C77542A4FCFDB290886176A140

Re: Blue Netsky screen
Hello.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    Code:

    :filefind
    atapi.sys
    iastor.sys

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2

  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).



Please post both logs.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: Blue Netsky screen
Because I can't turn off the antivirus protection, do I need to do this in safe mode too?

Re: Blue Netsky screen
Whichever. ComboFix is a special one-off tool because many of its components are flagged by many antivirus companies, but they are just a warning.


Re: Blue Netsky screen
SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 19:19 on 20/02/2010 by Owner (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi.sys"
C:\i386\atapi.sys --a--- 95360 bytes [23:03 15/01/2007] [04:59 04/08/2004]

Re: Blue Netsky screen
GooredFix by jpshortstuff (08.01.10.1)
Log created at 19:21 on 20/02/2010 (Owner)
Firefox version 3.0.17 (en-US)

========== GooredScan ==========

Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{0B7C6D1F-4931-4EB3-B104-0A62393D3321} -> Success!
Deleting C:\Documents and Settings\Owner\Local Settings\Application Data\{0B7C6D1F-4931-4EB3-B104-0A62393D3321} -> Success!

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
real-networks@partners.mozilla.com [01:25 22/11/2007]
{3112ca9c-de6d-4884-a869-9855de68056c} [01:25 22/11/2007]
{972ce4c6-7e08-4474-a285-3208198ce6fd} [01:25 22/11/2007]
{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} [01:32 20/01/2009]

C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\9j828ih8.default\extensions\
{3112ca9c-de6d-4884-a869-9855de68056c} [00:44 01/12/2009]
{635abd67-4fe9-1b23-4f01-e679fa7484c1} [01:32 20/01/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [01:31 20/01/2009]

-=E.O.F=-

Re: Blue Netsky screen
Hello.
Good work on Gooredfix, but I don't think that's the full SystemLook log.


Re: Blue Netsky screen
That's all it showed, should I run it again?

Re: Blue Netsky screen
Yes please.


Re: Blue Netsky screen
SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 19:53 on 20/02/2010 by Owner (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi.sys"
C:\i386\atapi.sys --a--- 95360 bytes [23:03 15/01/2007] [04:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 95360 bytes [21:29 20/02/2010] [11:00 10/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\atapi.sys --a--- 96512 bytes [01:04 16/01/2009] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys ------ 95360 bytes [11:00 10/08/2004] [11:00 10/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

Searching for "iastor.sys"
C:\dell\drivers\R158601\iastor.sys --a--- 304920 bytes [21:07 14/01/2009] [18:58 21/03/2007] 997E8F5939F2D12CD9F2E6B395724C16
C:\drivers\storage\R130118\iastor.sys --a--- 246784 bytes [14:51 04/01/2007] [19:03 10/10/2006] 019CF5F31C67030841233C545A0E217A
C:\i386\iaStor.sys --a--- 246784 bytes [23:03 15/01/2007] [12:59 06/07/2006] 019CF5F31C67030841233C545A0E217A
C:\Program Files\Intel\Intel Matrix Storage Manager\Driver64\IaStor.sys --a--- 484864 bytes [15:11 04/01/2007] [13:01 06/07/2006] 6A3C354BFC163B81F6EF2FC421280DB5
C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\iaStor.sys --a--- 246784 bytes [15:11 04/01/2007] [12:59 06/07/2006] 019CF5F31C67030841233C545A0E217A
C:\WINDOWS\dell\iastor\iastor.sys --a--- 247808 bytes [16:30 11/05/2006] [16:30 11/05/2006] 294110966CEDD127629C5BE48367C8CF
C:\WINDOWS\system32\drivers\iaStor.sys ------ 247808 bytes [16:30 11/05/2006] [16:30 11/05/2006] (Unable to calculate MD5)

-=End Of File=-

Re: Blue Netsky screen
Hello.

I see that you are running Limewire.
P2P (peer-to-peer) applications are designed to help you easily share and distribute files between you and a group of people. But they can also be used to distribute malware, and thus are not considered safe.
The removal of these programs is optional, but highly recommended.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    Ask Toolbar
    Java(TM) 6 Update 11
    LimeWire 5.0.11

Next,

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    KILLALL::

    File::
    c:\windows\Gcuro.dat
    c:\windows\Vpapagelewizute.bin

    FCopy::
    C:\drivers\storage\R130118\iastor.sys | C:\WINDOWS\system32\drivers\iaStor.sys

  4. Save this as CFScript.txt, in the same location as ComboFix.exe

    (image: CFScript.txt being dragged onto ComboFix.exe)

  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.

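The reasoning behind the SystemLook request and the FCopy line in the CFScript above can be made mechanical. Every spare copy of atapi.sys or iastor.sys on the disk (the i386 folder, the ERDNT cache, the Dell and Intel driver folders) is a witness for what the loaded driver under system32\drivers should look like; the live copy is suspect when SystemLook cannot hash it at all, or when its hash matches no witness, and the safest donor for FCopy is a copy whose hash several independent witnesses agree on. The script below is an added example written for this page; it is not part of SystemLook, ComboFix or the helper's own procedure, the witness/donor ranking is my heuristic, and the embedded log is a constructed excerpt of the second SystemLook log posted in the thread. On that excerpt it reports atapi.sys as corroborated and iaStor.sys as unreadable, and its suggested donor reproduces the helper's FCopy line. It only reads text and never touches the drivers themselves.

```python
"""Triage a SystemLook ':filefind' log for a patched storage driver.

Added example for this thread, not SystemLook, ComboFix or the helper's code.
Spare copies of the driver on disk are witnesses; the live copy under
system32\\drivers is suspect when its MD5 cannot be read or matches no witness,
and the preferred FCopy donor is a copy whose hash several witnesses share.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed excerpt of the thread's second SystemLook log (both drivers).
SAMPLE_LOG = r"""
Searching for "atapi.sys"
C:\i386\atapi.sys --a--- 95360 bytes [23:03 15/01/2007] [04:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 95360 bytes [21:29 20/02/2010] [11:00 10/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\atapi.sys --a--- 96512 bytes [01:04 16/01/2009] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys ------ 95360 bytes [11:00 10/08/2004] [11:00 10/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

Searching for "iastor.sys"
C:\dell\drivers\R158601\iastor.sys --a--- 304920 bytes [21:07 14/01/2009] [18:58 21/03/2007] 997E8F5939F2D12CD9F2E6B395724C16
C:\drivers\storage\R130118\iastor.sys --a--- 246784 bytes [14:51 04/01/2007] [19:03 10/10/2006] 019CF5F31C67030841233C545A0E217A
C:\i386\iaStor.sys --a--- 246784 bytes [23:03 15/01/2007] [12:59 06/07/2006] 019CF5F31C67030841233C545A0E217A
C:\Program Files\Intel\Intel Matrix Storage Manager\Driver64\IaStor.sys --a--- 484864 bytes [15:11 04/01/2007] [13:01 06/07/2006] 6A3C354BFC163B81F6EF2FC421280DB5
C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\iaStor.sys --a--- 246784 bytes [15:11 04/01/2007] [12:59 06/07/2006] 019CF5F31C67030841233C545A0E217A
C:\WINDOWS\dell\iastor\iastor.sys --a--- 247808 bytes [16:30 11/05/2006] [16:30 11/05/2006] 294110966CEDD127629C5BE48367C8CF
C:\WINDOWS\system32\drivers\iaStor.sys ------ 247808 bytes [16:30 11/05/2006] [16:30 11/05/2006] (Unable to calculate MD5)
"""

# One result line: path, 6-char attribute field, size, two timestamps, then an
# optional MD5 or SystemLook's "(Unable to calculate MD5)" marker.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) (?P<attrs>\S{6}) (?P<size>\d+) bytes "
    r"\[[^\]]*\] \[[^\]]*\](?: (?P<md5>[0-9A-Fa-f]{32}|\(Unable to calculate MD5\)))?\s*$"
)
LIVE_DIR = "\\windows\\system32\\drivers\\"   # where the loaded driver lives


@dataclass
class Copy:
    path: str
    size: int
    md5: Optional[str]   # None when SystemLook could not hash the file

    @property
    def is_live(self) -> bool:
        return LIVE_DIR in self.path.lower()


def parse_filefind(text: str) -> Dict[str, List[Copy]]:
    """Group every result line by lower-cased file name, keeping log order."""
    groups: Dict[str, List[Copy]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        md5 = m.group("md5")
        md5 = md5.upper() if md5 and not md5.startswith("(") else None
        name = m.group("path").rsplit("\\", 1)[-1].lower()
        groups.setdefault(name, []).append(Copy(m.group("path"), int(m.group("size")), md5))
    return groups


def assess(copies: List[Copy]) -> dict:
    """Judge the live copy against its witnesses and pick an FCopy donor."""
    live = next((c for c in copies if c.is_live), None)
    witnesses = [c for c in copies if not c.is_live and c.md5]
    hash_count = Counter(c.md5 for c in copies if c.md5)

    if live is None:
        verdict = "no_live_copy"
    elif live.md5 is None:
        # Hash unreadable on the loaded driver only: the signature of a filter
        # that serves different bytes for the one file it protects.
        verdict = "unreadable"
    elif hash_count[live.md5] >= 2:
        verdict = "corroborated"
    else:
        verdict = "mismatch"

    # Donor ranking: a hash shared by several copies first, then a size equal
    # to the live file, then log order (sorted() is stable).
    donors = sorted(
        witnesses,
        key=lambda c: (-hash_count[c.md5], 0 if live and c.size == live.size else 1),
    )
    needs_fix = live is not None and bool(donors) and verdict != "corroborated"
    fcopy = f"{donors[0].path} | {live.path}" if needs_fix else None
    return {"verdict": verdict, "live": live, "donors": donors, "fcopy": fcopy}


def analyze(text: str) -> Dict[str, dict]:
    """Map each searched file name to its assessment."""
    return {name: assess(copies) for name, copies in parse_filefind(text).items()}


if __name__ == "__main__":
    for name, result in analyze(SAMPLE_LOG).items():
        print(f"{name}: {result['verdict']}")
        if result["fcopy"]:
            print("  FCopy:: " + result["fcopy"])
```

Two things the ranking encodes that a quick glance at the log misses: the copy in C:\WINDOWS\dell\iastor has the same size as the live driver but its hash appears nowhere else, so it is ranked below the three copies that share 019CF5F3..., which is why a corroborated older build is a better donor than a same-size orphan; and atapi.sys needs no FCopy at all because its live hash is repeated in both the i386 and ERDNT copies, while the larger SoftwareDistribution copy is simply a later update still sitting in the download cache.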

Re: Blue Netsky screen
ComboFix 10-02-19.03 - Owner 02/20/2010 20:10:05.4.2 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1803 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFscript.txt
AV: PC-cillin Internet Security - Virus Protection *On-access scanning disabled* (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: PC-cillin Internet Security - Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

FILE ::
"c:\windows\Gcuro.dat"
"c:\windows\Vpapagelewizute.bin"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Gcuro.dat
c:\windows\Vpapagelewizute.bin

.
--------------- FCopy ---------------

.
((((((((((((((((((((((((( Files Created from 2010-01-21 to 2010-02-21 )))))))))))))))))))))))))))))))
.

2010-02-19 01:36 . 2010-02-19 01:36 -------- d-----w- C:\_OTL
2010-02-18 18:03 . 2010-02-18 18:03 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Adobe
2010-01-29 06:45 . 2010-01-29 06:45 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-27 00:02 . 2010-01-27 00:02 -------- d-----w- c:\documents and settings\Brady.OWNER-B0D885443\Local Settings\Application Data\PCHealth

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-21 02:01 . 2007-10-11 00:28 -------- d-----w- c:\program files\LimeWire
2010-02-21 00:46 . 2009-11-25 14:20 79488 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-19 00:46 . 2009-05-09 04:01 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Google Updater
2010-02-10 09:01 . 2009-01-14 21:24 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft Help
2010-02-03 21:38 . 2009-01-27 22:18 -------- d-----w- c:\program files\World of Warcraft
2010-01-24 05:02 . 2009-10-14 01:41 -------- d-----w- c:\program files\World of Warcraft Public Test
2010-01-24 05:02 . 2007-10-09 11:42 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-01-23 15:23 . 2009-11-25 16:39 79488 ----a-w- c:\documents and settings\Brady.OWNER-B0D885443\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-23 12:32 . 2009-11-25 09:45 79488 ----a-w- c:\documents and settings\Troy.OWNER-B0D885443\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-10 04:44 . 2009-02-09 20:09 -------- d-----w- c:\documents and settings\Owner\Application Data\LimeWire
2010-01-10 00:35 . 2009-01-17 20:47 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer
2010-01-05 10:00 . 2006-03-04 03:33 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-10 11:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-10 11:00 17408 ------w- c:\windows\system32\corpol.dll
2009-12-31 16:14 . 2004-08-10 11:00 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-25 18:21 . 2009-01-18 13:01 -------- d-----w- c:\documents and settings\Troy.OWNER-B0D885443\Application Data\Apple Computer
2009-12-25 14:14 . 2009-01-18 00:57 -------- d-----w- c:\documents and settings\Brady.OWNER-B0D885443\Application Data\Apple Computer
2009-12-25 13:52 . 2009-01-17 20:45 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Apple
2009-12-25 02:29 . 2009-12-24 18:07 0 ---ha-w- c:\documents and settings\Owner\hpothb07.dat
2009-12-24 18:59 . 2009-12-24 18:07 5924 ---ha-w- C:\hpothb07.dat
2009-12-24 17:48 . 2009-12-24 17:36 20454 ----a-w- c:\windows\hpoins01.dat
2009-12-20 15:02 . 2009-12-20 15:02 79144 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-12-16 12:58 . 2009-01-14 19:07 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 19:15 . 2009-12-14 19:15 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-12-14 07:35 . 2004-08-10 11:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 18:11 . 2005-03-30 01:21 2142720 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 17:35 . 2005-03-30 01:01 2020864 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 14:41 . 2004-08-10 11:00 453760 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:33 . 2004-08-10 11:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:33 . 2004-08-04 00:56 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:37 . 2004-08-10 11:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:37 . 2004-08-10 11:00 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:37 . 2004-08-10 11:00 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:37 . 2004-08-04 00:56 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:37 . 2001-08-17 22:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-03-21 03:42 . 2009-03-21 03:42 305 ---ha-w- c:\program files\hpothb07.dat
2009-03-21 03:42 . 2009-03-21 03:42 515 ---ha-w- c:\program files\hpothb07.tif
2008-08-09 23:33 . 2008-08-09 23:33 0 ----a-w- c:\program files\temp01
2008-06-16 01:27 . 2008-06-13 17:45 1254593 ----a-w- c:\program files\WotLK-F&F-enUS-downloader.exe
2010-01-18 20:09 . 2010-01-18 20:09 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2010-01-18 20:09 . 2010-01-18 20:09 126360 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2010-01-18 20:10 . 2010-01-18 20:10 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( SnapShot_2010-02-21_00.41.16 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-21 02:00 . 2010-02-21 02:00 262144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe" [2006-08-04 321040]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-16 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-20 282624]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-11-07 122940]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-12 642856]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2008-12-14 467240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
hp psc 2000 Series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-4-6 323646]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Trend Micro\\Internet Security 14\\pccmain.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader

R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [9/25/2006 8:26 AM 345696]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [9/25/2006 8:26 AM 923216]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [9/11/2006 5:11 PM 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [9/25/2006 8:26 AM 566872]
R3 LNE100;Linksys LNE100TX(v5) Fast Ethernet Adapter;c:\windows\system32\drivers\lne100v5.sys [5/16/2009 8:28 AM 36224]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [8/29/2006 2:54 PM 280392]
S2 gupdate1c9d05b86bf973;Google Update Service (gupdate1c9d05b86bf973);c:\program files\Google\Update\GoogleUpdate.exe [5/8/2009 10:02 PM 133104]
.
Contents of the 'Scheduled Tasks' folder

2010-02-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-02-20 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 2170 series5E771253C1676EBED677BF361FDFC537825E15B8232728900.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 06:52]

2009-06-06 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 2170 series5E771253C1676EBED677BF361FDFC537825E15B8236365442.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 06:52]

2010-02-20 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 2170 series5E771253C1676EBED677BF361FDFC537825E15B8255979293.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 06:52]

2010-01-24 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 2170 series5E771253C1676EBED677BF361FDFC537825E15B8261677408.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 06:52]

2010-02-21 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-26 04:01]

2010-02-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-09 04:02]

2010-02-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-09 04:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.att.net/
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\9j828ih8.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://att.my.yahoo.com/
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\9j828ih8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Virtools\3D Life Player\npvirtools.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-20 20:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A31881A]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba8ecfc3
\Driver\ACPI -> ACPI.sys @ 0xba77fcb8
\Driver\iaStor -> iaStor.sys @ 0xba674f78
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582544
ParseProcedure -> ntkrnlpa.exe @ 0x80581684
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582544
ParseProcedure -> ntkrnlpa.exe @ 0x80581684
NDIS: Linksys LNE100TX(v5) Fast Ethernet Adapter -> SendCompleteHandler -> NDIS.sys @ 0xba553af9
PacketIndicateHandler -> NDIS.sys @ 0xba55eb21
SendHandler -> NDIS.sys @ 0xba553938
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(812)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(872)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1668)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\progra~1\TRENDM~1\INTERN~1\PcCtlCom.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\stsystra.exe
c:\windows\eHome\ehmsas.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\HPZipm12.exe
c:\progra~1\TRENDM~1\INTERN~1\PccGuide.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
.
**************************************************************************
.
Completion time: 2010-02-20 20:33:09 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-21 02:33
ComboFix2.txt 2010-02-21 00:48
ComboFix3.txt 2009-10-09 15:46

Pre-Run: 82,645,127,168 bytes free
Post-Run: 82,597,912,576 bytes free

- - End Of File - - D0A813D173DF9A5DA2F4670379C05449

Re: Blue Netsky screen
Hello.
Did you copy my entire script? ComboFix sees the FCopy command, but didn't copy the file I wanted it to.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: Blue Netsky screen
I did it last night so I'm not absolutely positive, but I did copy and paste everything that was in the box above. Should I do it again?

Re: Blue Netsky screen
Yes, make sure you get everything inside my quote box.


Re: Blue Netsky screen
ComboFix 10-02-19.03 - Owner 02/21/2010 12:08:09.5.2 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1787 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: PC-cillin Internet Security - Virus Protection *On-access scanning disabled* (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: PC-cillin Internet Security - Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

FILE ::
"c:\windows\Gcuro.dat"
"c:\windows\Vpapagelewizute.bin"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\drivers\storage\R130118\iastor.sys --> c:\windows\system32\drivers\iaStor.sys
.
((((((((((((((((((((((((( Files Created from 2010-01-21 to 2010-02-21 )))))))))))))))))))))))))))))))
.

2010-02-19 01:36 . 2010-02-19 01:36 -------- d-----w- C:\_OTL
2010-02-18 18:03 . 2010-02-18 18:03 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Adobe
2010-01-29 06:45 . 2010-01-29 06:45 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-27 00:02 . 2010-01-27 00:02 -------- d-----w- c:\documents and settings\Brady.OWNER-B0D885443\Local Settings\Application Data\PCHealth

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-21 02:50 . 2009-05-09 04:01 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Google Updater
2010-02-21 02:01 . 2007-10-11 00:28 -------- d-----w- c:\program files\LimeWire
2010-02-10 09:01 . 2009-01-14 21:24 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft Help
2010-02-03 21:38 . 2009-01-27 22:18 -------- d-----w- c:\program files\World of Warcraft
2010-01-24 05:02 . 2009-10-14 01:41 -------- d-----w- c:\program files\World of Warcraft Public Test
2010-01-24 05:02 . 2007-10-09 11:42 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-01-10 04:44 . 2009-02-09 20:09 -------- d-----w- c:\documents and settings\Owner\Application Data\LimeWire
2010-01-10 00:35 . 2009-01-17 20:47 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer
2010-01-05 10:00 . 2006-03-04 03:33 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-10 11:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-10 11:00 17408 ------w- c:\windows\system32\corpol.dll
2009-12-31 16:14 . 2004-08-10 11:00 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-25 18:21 . 2009-01-18 13:01 -------- d-----w- c:\documents and settings\Troy.OWNER-B0D885443\Application Data\Apple Computer
2009-12-25 14:14 . 2009-01-18 00:57 -------- d-----w- c:\documents and settings\Brady.OWNER-B0D885443\Application Data\Apple Computer
2009-12-25 13:52 . 2009-01-17 20:45 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Apple
2009-12-25 02:29 . 2009-12-24 18:07 0 ---ha-w- c:\documents and settings\Owner\hpothb07.dat
2009-12-24 18:59 . 2009-12-24 18:07 5924 ---ha-w- C:\hpothb07.dat
2009-12-24 17:48 . 2009-12-24 17:36 20454 ----a-w- c:\windows\hpoins01.dat
2009-12-16 12:58 . 2009-01-14 19:07 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 19:15 . 2009-12-14 19:15 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-12-14 07:35 . 2004-08-10 11:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 18:11 . 2005-03-30 01:21 2142720 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 17:35 . 2005-03-30 01:01 2020864 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 14:41 . 2004-08-10 11:00 453760 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:33 . 2004-08-10 11:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:33 . 2004-08-04 00:56 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:37 . 2004-08-10 11:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:37 . 2004-08-10 11:00 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:37 . 2004-08-10 11:00 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:37 . 2004-08-04 00:56 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:37 . 2001-08-17 22:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-03-21 03:42 . 2009-03-21 03:42 305 ---ha-w- c:\program files\hpothb07.dat
2009-03-21 03:42 . 2009-03-21 03:42 515 ---ha-w- c:\program files\hpothb07.tif
2008-08-09 23:33 . 2008-08-09 23:33 0 ----a-w- c:\program files\temp01
2008-06-16 01:27 . 2008-06-13 17:45 1254593 ----a-w- c:\program files\WotLK-F&F-enUS-downloader.exe
2010-01-18 20:09 . 2010-01-18 20:09 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2010-01-18 20:09 . 2010-01-18 20:09 126360 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2010-01-18 20:10 . 2010-01-18 20:10 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( SnapShot_2010-02-21_00.41.16 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-21 02:00 . 2010-02-21 02:00 262144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
+ 2010-02-21 09:00 . 2010-02-21 09:00 19210240 c:\windows\Installer\16d14a1.msp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe" [2006-08-04 321040]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-16 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-20 282624]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-11-07 122940]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-12 642856]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2008-12-14 467240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
hp psc 2000 Series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-4-6 323646]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Trend Micro\\Internet Security 14\\pccmain.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader

R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [9/25/2006 8:26 AM 345696]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [9/25/2006 8:26 AM 923216]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [9/11/2006 5:11 PM 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [9/25/2006 8:26 AM 566872]
R3 LNE100;Linksys LNE100TX(v5) Fast Ethernet Adapter;c:\windows\system32\drivers\lne100v5.sys [5/16/2009 8:28 AM 36224]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [8/29/2006 2:54 PM 280392]
S2 gupdate1c9d05b86bf973;Google Update Service (gupdate1c9d05b86bf973);c:\program files\Google\Update\GoogleUpdate.exe [5/8/2009 10:02 PM 133104]
.
Contents of the 'Scheduled Tasks' folder

2010-02-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-02-21 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 2170 series5E771253C1676EBED677BF361FDFC537825E15B8232728900.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 06:52]

2009-06-06 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 2170 series5E771253C1676EBED677BF361FDFC537825E15B8236365442.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 06:52]

2010-02-20 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 2170 series5E771253C1676EBED677BF361FDFC537825E15B8255979293.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 06:52]

2010-01-24 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 2170 series5E771253C1676EBED677BF361FDFC537825E15B8261677408.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 06:52]

2010-02-21 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-26 04:01]

2010-02-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-09 04:02]

2010-02-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-09 04:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.att.net/
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\9j828ih8.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://att.my.yahoo.com/
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\9j828ih8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Virtools\3D Life Player\npvirtools.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-21 12:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3444)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\progra~1\TRENDM~1\INTERN~1\PcCtlCom.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\stsystra.exe
c:\windows\eHome\ehmsas.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-02-21 12:26:36 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-21 18:26
ComboFix2.txt 2010-02-21 02:33
ComboFix3.txt 2010-02-21 00:48
ComboFix4.txt 2009-10-09 15:46

Pre-Run: 82,517,815,296 bytes free
Post-Run: 82,538,840,064 bytes free

- - End Of File - - 584ED0B12DA6BBCCC24D1B70CE945BC8

Re: Blue Netsky screen
Hello.
It worked that time. Okay, last few things to clean up.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    Java(TM) 6 Update 11
    LimeWire 5.0.11

Run ESET Online Scan
Please do an online scan with ESET Online Scanner. Please use Internet Explorer as it uses ActiveX.

  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX, click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Check (tick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.


Re: Blue Netsky screen
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.16981 (vista_gdr.091215-2244)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=78176bbcb20acf4d93f7993dc888b00f
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=false
# utc_time=2010-02-21 10:01:47
# local_time=2010-02-21 04:01:47 (-0600, Central Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777195 100 0 36977092 36977092 0 0
# compatibility_mode=1026 16777214 0 2 38326878 38326878 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=167068
# found=58
# cleaned=58
# scan_time=3602
C:\Documents and Settings\Angelique\My Documents\My Downloads\snowwhitesnemesis4.exe multiple threats (deleted - quarantined) 2919BE3EC2E45FBD1583C2678A5260FF C
C:\Documents and Settings\Angelique\My Documents\My Music\LimeWire\cool sources human abstract 192kb.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 877A8EFFDC193DC9B8F00D08EFB9F298 C
C:\Documents and Settings\Angelique\My Documents\My Themes\blackexperience.exe multiple threats (deleted - quarantined) F428150A7557582F7B73B52B063033AD C
C:\Documents and Settings\Angelique\My Documents\My Walpaper\wmoonnight.exe Win32/Adware.OneStep application (deleted - quarantined) FFB99C7A54444B574219DDD9D77A48DB C
C:\Documents and Settings\Owner\My Documents\LimeWire\Saved\sargasso sea.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) A0E8FF9CEAAE51F4A499BC3861A6EDE0 C
C:\Documents and Settings\Troy.OWNER-B0D885443\Desktop\SetupGamevance.exe a variant of Win32/Adware.Gamevance.AE application (cleaned by deleting - quarantined) BE22F445A15857E83EE2C68AB58642FF C
C:\Program Files\Trend Micro\Internet Security 14\BRfD_de4.VIR a variant of Win32/Olmarik.SV trojan (cleaned by deleting - quarantined) A1A52BAD4C5467777395DEF74843CEA5 C
C:\Program Files\Trend Micro\Internet Security 14\e002102318801r0409J0b000601R0143fdeeX951a1291Yde4ba96eZ03f017300[1] a variant of Win32/Olmarik.SV trojan (cleaned by deleting - quarantined) A1A52BAD4C5467777395DEF74843CEA5 C
C:\Program Files\Trend Micro\Internet Security 14\e002102318801r0409J0b000601X951a154eYde4ba96eZ03f017300[1] a variant of Win32/Olmarik.SV trojan (cleaned by deleting - quarantined) A1A52BAD4C5467777395DEF74843CEA5 C
C:\Program Files\Trend Micro\Internet Security 14\e002102801r0409J0b000601X951a1571Yde4ba96eZ03f0173030dP000000090[1] a variant of Win32/Olmarik.SV trojan (cleaned by deleting - quarantined) A1A52BAD4C5467777395DEF74843CEA5 C
C:\Program Files\Trend Micro\Internet Security 14\eH8c829754V03f01630002R0143fdee102Tc7bc8747Q000002fd901801F0020000aJ0b000601l04093180[1] a variant of Win32/Olmarik.SV trojan (cleaned by deleting - quarantined) 086E95B797E95140808336B819FDCD49 C
C:\Program Files\Trend Micro\Internet Security 14\H8SRTc499.tmp Win32/Adware.CoreguardAntivirus application (cleaned by deleting - quarantined) B52C2ABA109F76371FB16F873BAD3BAB C
C:\Program Files\Trend Micro\Internet Security 14\HHUE_de4.VIR a variant of Win32/Olmarik.SV trojan (cleaned by deleting - quarantined) A1A52BAD4C5467777395DEF74843CEA5 C
C:\Program Files\Trend Micro\Internet Security 14\jaws theme song.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 1AE778C955B8558233E66CFCE206202A C
C:\Program Files\Trend Micro\Internet Security 14\ksim_e70.VIR a variant of Win32/Olmarik.SV trojan (cleaned by deleting - quarantined) 086E95B797E95140808336B819FDCD49 C
C:\Program Files\Trend Micro\Internet Security 14\mrkgrn.dll_a94.VIR Win32/TrojanDownloader.FakeAlert.UA trojan (cleaned by deleting - quarantined) 06101E5CF00E63E27404AE8123A098B2 C
C:\Program Files\Trend Micro\Internet Security 14\Ooos_28c.VIR a variant of Win32/Olmarik.SV trojan (cleaned by deleting - quarantined) DB4374BBEF7025605CD53CDFBBD4B9D3 C
C:\Program Files\Trend Micro\Internet Security 14\pzpsp23511834.exe_abc.VIR Win32/TrojanDownloader.FakeAlert.UA trojan (cleaned by deleting - quarantined) 7B5007C3B4819E72DF56799C4513343C C
C:\Program Files\Trend Micro\Internet Security 14\T-5188466-kayleigh [very good quality]_ab4.VIR a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) D4B4854EEF571808FA73A1F4D99F07C0 C
C:\Program Files\Trend Micro\Internet Security 14\xbuS_dd8.VIR a variant of Win32/Olmarik.SV trojan (cleaned by deleting - quarantined) A1A52BAD4C5467777395DEF74843CEA5 C
C:\Program Files\Trend Micro\Internet Security 14\z002102318801r0409J0b000601R0143fdeeXd11cd988Y9a4faa64Z03f017300[1] a variant of Win32/Olmarik.SV trojan (cleaned by deleting - quarantined) DB4374BBEF7025605CD53CDFBBD4B9D3 C
C:\Program Files\Trend Micro\Internet Security 14\_VOIDd.sys a variant of Win32/Olmarik.SR trojan (cleaned by deleting - quarantined) 42D1D9D16D4744C485000E499CE8C295 C
C:\Qoobox\Quarantine\C\Program Files\Gamevance\gamevancelib32.dll.vir a variant of Win32/Adware.Gamevance.AA application (cleaned by deleting - quarantined) C9417323BAEEAF0038108416BAE7ECC8 C
C:\Qoobox\Quarantine\C\Program Files\Gamevance\gvtl.dll.vir a variant of Win32/Adware.Gamevance.AB application (cleaned by deleting - quarantined) CB21462ACBADFAE66F4AEE696E6C29E7 C
C:\Qoobox\Quarantine\C\Program Files\Securityessentials2010\SE2010.exe.vir Win32/Adware.AdvancedVirusRemover.B application (cleaned by deleting - quarantined) 9C5D9358A02D8A80B85D54A92EDC10ED C
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\hdaihl.sys.vir Win32/SpamTool.Agent.NDR trojan (cleaned by deleting - quarantined) 4C7A681B8F87924370E98AB01412A968 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\00000044.tmp.vir Win32/Olmarik.TN trojan (cleaned by deleting - quarantined) E4EDC2505D7FF83825358C739B0038FA C
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\0000646e.tmp.vir Win32/Olmarik.TN trojan (cleaned by deleting - quarantined) E4EDC2505D7FF83825358C739B0038FA C
C:\Qoobox\Quarantine\C\WINDOWS\system32\23281.exe.vir a variant of Win32/Kryptik.CIZ trojan (cleaned by deleting - quarantined) 6EF341EAE123C60D094F7B73BE7D6434 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\a78dz.dll.vir probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 3F12906AE4B6A15BF9B118151C95B2CA C
C:\Qoobox\Quarantine\C\WINDOWS\system32\dojapode.dll.vir a variant of Win32/Kryptik.CIQ trojan (cleaned by deleting - quarantined) FF8A48F063ADD740DE4CCC9ED60B5081 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\helpers32.dll.vir Win32/TrojanDownloader.FakeAlert.AUL trojan (cleaned by deleting - quarantined) 340E56E893582E56DC327458619F4C71 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\net.net.vir a variant of Win32/TrojanClicker.Punad.AA trojan (cleaned by deleting - quarantined) FEE204FF50931BE9287EB2EA890F8E2A C
C:\Qoobox\Quarantine\C\WINDOWS\system32\semajosu.dll.vir a variant of Win32/Kryptik.CIQ trojan (cleaned by deleting - quarantined) FF8A48F063ADD740DE4CCC9ED60B5081 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\smss32.exe.vir Win32/TrojanDownloader.FakeAlert.AED trojan (cleaned by deleting - quarantined) DCEB3622D1325817CD55EE92F1B1EEA9 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\sshnas21.dll.vir a variant of Win32/Kryptik.CLW trojan (cleaned by deleting - quarantined) 5898A25738A35CE000C3A822DCD835D4 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\togobanu.dll.vir a variant of Win32/Kryptik.CIQ trojan (cleaned by deleting - quarantined) 3BBD3B7C8C33B5FD0EE6A205F9B95EB9 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\winlogon32.exe.vir Win32/TrojanDownloader.FakeAlert.AED trojan (cleaned by deleting - quarantined) DCEB3622D1325817CD55EE92F1B1EEA9 C
C:\Qoobox\Quarantine\C\WINDOWS\msa.exe.vir a variant of Win32/Kryptik.CLW trojan (cleaned by deleting - quarantined) 15D2D092ACF3A3983B6AC1C5A52CFD9F C
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP715\A0141691.dll Win32/TrojanDownloader.FakeAlert.UA trojan (cleaned by deleting - quarantined) 06101E5CF00E63E27404AE8123A098B2 C
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP715\A0142726.dll Win32/TrojanDownloader.FakeAlert.UA trojan (cleaned by deleting - quarantined) 06101E5CF00E63E27404AE8123A098B2 C
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP724\A0151758.dll Win32/TrojanDownloader.FakeAlert.UA trojan (cleaned by deleting - quarantined) 06101E5CF00E63E27404AE8123A098B2 C
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP724\A0151759.exe Win32/TrojanDownloader.FakeAlert.UA trojan (cleaned by deleting - quarantined) 7B5007C3B4819E72DF56799C4513343C C

Re: Blue Netsky screen
BTW I did remove Limewire, Java, and Ask Toolbar last night. I did it in normal mode and not safe. When I checked both normal and safe mode today it's not showing up in the add/remove programs box.

Re: Blue Netsky screen
Hello.

Looks like this infection came from Limewire, ESET found these:

C:\Documents and Settings\Angelique\My Documents\My Downloads\snowwhitesnemesis4.exe
C:\Documents and Settings\Angelique\My Documents\My Music\LimeWire\cool sources human abstract 192kb.mp3
C:\Documents and Settings\Angelique\My Documents\My Themes\blackexperience.exe
C:\Documents and Settings\Angelique\My Documents\My Walpaper\wmoonnight.exe
C:\Documents and Settings\Owner\My Documents\LimeWire\Saved\sargasso sea.mp3

Guessing they all came through Limewire?

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

How is the machine running now?

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: Blue Netsky screen
Those are old files downloaded a long time ago. He was downloading from just a generic site when the infection happened. It's running fine; after the first scan the fake virus pop-up stopped. It was still trying to open new tabs every time I got on the internet. But I've been in safe mode for the last few scans of stuff so I don't know what it's doing.

Re: Blue Netsky screen
Should I remove goored, systemlook and OTL also?

Re: Blue Netsky screen
Yes. Boot to normal mode please, and let me know what's happening. The logs look good now.


Re: Blue Netsky screen
Everything seems to be running fine, no pop-ups, and when I'm on Firefox it's not trying to open more tabs on its own.

To remove those programs use add/uninstall programs?

Re: Blue Netsky screen
No, just delete them. GooredFix and whatnot don't install; they just run when needed.


Re: Blue Netsky screen
Thanks so much for all your help.

Re: Blue Netsky screen
Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates, or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/
I also recommend the following add-ons for Firefox; they will help keep you safe from malicious scripts or ActiveX exploits.
https://addons.mozilla.org/en-US/firefox/addon/722
https://addons.mozilla.org/en-US/firefox/addon/1865
https://addons.mozilla.org/en-US/firefox/addon/433

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please consider using this free software program that will check for program updates.
Update Checker

5) Finally, consider maintaining a firewall. Some good free firewalls are Kerio or Outpost.
A tutorial on understanding and using firewalls may be found here.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found here.

Hopefully this should take care of your problems! Good luck.

