WiredWX Christian Hobby Weather Tools
Removed AV, still have issue - Page 1

Re: Removed AV, still have issue
Gooredfix from the laptop:

GooredFix by jpshortstuff (03.07.10.1)
Log created at 21:39 on 06/07/2010 (Mr.Clark)
Firefox version 2.0.0.20 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
divx@partners.mozilla.com [00:32 01/10/2007]
talkback@mozilla.org [00:32 01/10/2007]
{972ce4c6-7e08-4474-a285-3208198ce6fd} [00:32 01/10/2007]

C:\Users\Mr.Clark\Application Data\Mozilla\Firefox\Profiles\aee0t5jc.default\extensions\
{20a82645-c095-46ed-80e3-08825760534b} [18:15 04/09/2009]
{3112ca9c-de6d-4884-a869-9855de68056c} [02:36 07/07/2010]
{c2f863cd-0429-48c7-bb54-db756a951760} [15:32 08/08/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{3112ca9c-de6d-4884-a869-9855de68056c}"="C:\ProgramData\Mozilla\Firefox Extensions\{3112ca9c-de6d-4884-a869-9855de68056c}" [00:32 01/10/2007]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension" [08:23 09/08/2009]

-=E.O.F=-

Re: Removed AV, still have issue
Ok. OTL for desktop using the file paths you gave:

========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7E853D72-626A-48EC-A868-BA8D5E23E045}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{0BF43445-2F28-4351-9252-17FE6E806AA0} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0BF43445-2F28-4351-9252-17FE6E806AA0}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\ not found.
Folder C:\Users\Mr.Clark\AppData\Local\niukiwndp\ not found.
Folder C:\Users\Mr.Clark\AppData\Local\yuskimasy\ not found.

OTL by OldTimer - Version 3.2.7.1 log created on 07062010_214816

Re: Removed AV, still have issue
And OTL for laptop using file paths you gave:

========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7E853D72-626A-48EC-A868-BA8D5E23E045}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{0BF43445-2F28-4351-9252-17FE6E806AA0} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0BF43445-2F28-4351-9252-17FE6E806AA0}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
C:\Users\Mr.Clark\AppData\Local\niukiwndp folder moved successfully.
C:\Users\Mr.Clark\AppData\Local\yuskimasy folder moved successfully.

OTL by OldTimer - Version 3.2.7.1 log created on 07062010_214949

Re: Removed AV, still have issue
Hello.

  1. Close any open browsers.
  2. Open notepad and copy/paste the text in the quotebox below into it:

    Code:


    C:\ProgramData\Mozilla\Firefox Extensions\{3112ca9c-de6d-4884-a869-9855de68056c}

  3. Save this as Script.txt, in the same location as Gooredfix.exe
  4. Drag Script onto Gooredfix.exe
  5. When finished, it shall produce a log for you.
  6. Please post the contents of the log in your next reply.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
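The GooredFix logs in this thread list three registration points for Firefox extensions: the application extensions directory, the profile's extensions directory, and the HKLM\Software\Mozilla\Firefox\Extensions sideload key. The script below is an added example (PowerShell, not GooredFix's own code) that inventories the same three places so the operator can confirm what is registered before and after a deletion. Paths and key names are assumed from the layout shown in the logs above; the Wow6432Node and HKCU keys are added for 64-bit and per-user sideloads and are not mentioned on the page.

```powershell
# Added example, not GooredFix's own code. Inventories the places a Firefox
# extension can be registered on Windows and reports id, path and whether the
# path still exists. Paths assume the layout seen in the thread's logs.

function Get-FirefoxExtensionInventory {
    param(
        [string[]]$AppDirs = @(
            "$env:ProgramFiles\Mozilla Firefox\extensions",
            "${env:ProgramFiles(x86)}\Mozilla Firefox\extensions"
        ),
        [string]$ProfilesRoot = "$env:APPDATA\Mozilla\Firefox\Profiles",
        [string[]]$RegKeys = @(
            'HKLM:\Software\Mozilla\Firefox\Extensions',
            'HKLM:\Software\Wow6432Node\Mozilla\Firefox\Extensions',   # assumed: 64-bit hosts
            'HKCU:\Software\Mozilla\Firefox\Extensions'                # assumed: per-user sideloads
        )
    )

    $results = @()
    $psNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    # 1. Directory-based extensions: application dir plus every profile's extensions dir.
    $dirs = @($AppDirs)
    if (Test-Path -LiteralPath $ProfilesRoot) {
        $dirs += Get-ChildItem -LiteralPath $ProfilesRoot |
            Where-Object { $_.PSIsContainer } |
            ForEach-Object { Join-Path $_.FullName 'extensions' }
    }
    foreach ($d in $dirs) {
        if (-not $d -or -not (Test-Path -LiteralPath $d)) { continue }
        foreach ($e in Get-ChildItem -LiteralPath $d) {
            $results += New-Object PSObject -Property @{
                Source   = 'Directory'
                Location = $d
                Id       = $e.Name
                Path     = $e.FullName
                Exists   = $true
                Modified = $e.LastWriteTime
            }
        }
    }

    # 2. Registry sideloads: value name is the extension id, value data is the install path.
    foreach ($k in $RegKeys) {
        if (-not (Test-Path -LiteralPath $k)) { continue }
        $props = Get-ItemProperty -LiteralPath $k
        foreach ($p in $props.PSObject.Properties) {
            if ($psNoise -contains $p.Name) { continue }   # skip PowerShell's provider properties
            $target = [string]$p.Value
            $exists = $false
            $modified = $null
            if ($target -and (Test-Path -LiteralPath $target)) {
                $exists = $true
                $modified = (Get-Item -LiteralPath $target).LastWriteTime
            }
            $results += New-Object PSObject -Property @{
                Source   = 'Registry'
                Location = $k
                Id       = $p.Name
                Path     = $target
                Exists   = $exists
                Modified = $modified
            }
        }
    }
    $results
}

# Usage: show everything, then flag registry sideloads whose target is gone
# (stale registration) and anything written in the last 30 days.
$inv = Get-FirefoxExtensionInventory
$inv | Format-Table Source, Id, Path, Exists, Modified -AutoSize
$inv | Where-Object {
    ($_.Source -eq 'Registry' -and -not $_.Exists) -or
    ($_.Modified -and $_.Modified -gt (Get-Date).AddDays(-30))
} | Format-Table Source, Id, Path, Exists, Modified -AutoSize
```

A registry sideload whose path no longer exists is harmless to Firefox but is the kind of leftover the laptop log shows after the folder was removed; a directory entry with a very recent timestamp, like the {3112ca9c-...} entry dated the same day as the cleanup, is what deserves a look at its install.rdf and components directory before anything is deleted.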

Re: Removed AV, still have issue
Gooredfix from Desktop (if I did it right.... It asked me to reboot)

GooredFix by jpshortstuff (03.07.10.1)
Log created at 13:47 on 07/07/2010 (Clark)
Firefox version [Unable to determine]

========== Script ==========

Deleting "
" -> Failed [87] -> Delete on reboot
Deleting "C:\ProgramData\Mozilla\Firefox Extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
" -> Failed [124] -> Delete on reboot

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files (x86)\Mozilla Firefox\extensions\
(none)

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{7BA52691-1876-45ce-9EE6-54BCB3B04BBC}"="C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn" [22:42 25/04/2010]
"{cb84136f-9c44-433a-9048-c5cd9df1dc16}"="C:\Program Files (x86)\Spyware Doctor\BDT\FireFox" [00:38 05/07/2010]

---------- Old Logs ----------
GooredFix[18.42.20_07-07-2010].txt

========== Reboot ==========


-=E.O.F=-

Re: Removed AV, still have issue
Gooredfix for Laptop:
GooredFix by jpshortstuff (03.07.10.1)
Log created at 13:55 on 07/07/2010 (Mr.Clark)
Firefox version 2.0.0.20 (en-US)

========== Script ==========

Deleting "C:\ProgramData\Mozilla\Firefox Extensions\{3112ca9c-de6d-4884-a869-9855de68056c}" -> Failed [2]

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
divx@partners.mozilla.com [00:32 01/10/2007]
talkback@mozilla.org [00:32 01/10/2007]
{972ce4c6-7e08-4474-a285-3208198ce6fd} [00:32 01/10/2007]

C:\Users\Mr.Clark\Application Data\Mozilla\Firefox\Profiles\aee0t5jc.default\extensions\
{20a82645-c095-46ed-80e3-08825760534b} [18:15 04/09/2009]
{3112ca9c-de6d-4884-a869-9855de68056c} [02:36 07/07/2010]
{c2f863cd-0429-48c7-bb54-db756a951760} [15:32 08/08/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension" [08:23 09/08/2009]

---------- Old Logs ----------
GooredFix[18.54.10_07-07-2010].txt

-=E.O.F=-

Re: Removed AV, still have issue
Also, after it rebooted my desktop, two new notepads were on the desktop, both called desktop.ini. Do you need to see these or can I delete them?

Re: Removed AV, still have issue
Hello.
Are the logs from two different machines? The first log was from an x64 bit Vista machine, then the second log was from an x32 bit Vista machine.


Re: Removed AV, still have issue
Yes. My laptop and my desktop BOTH had AV security suite. I ran malwarebytes on both of them and have been doing your suggestions and posting on both of them as well. I've been stating what log is from what computer. So before I posted each log, I told you which computer it came from. Hope it didn't confuse you.

Re: Removed AV, still have issue
Ah, okay then, run this next program from the x32 bit Vista machine only; this program doesn't work in x64 bit.


  • Download combofix from here
    Link 1
    Link 2

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    (screenshots: CF_download_FF, CF_download_rename)

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See HERE for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

    (screenshot: Cf410)

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes

    (screenshot: Cf510)

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


Re: Removed AV, still have issue
Ok, just so we're clear, the Vista Desktop is the one I need to do this for. The desktop is the one that the folders couldn't be moved on. All the stuff we did worked fine on the laptop. So is it safe to say the laptop is fine now?

Re: Removed AV, still have issue
Also, my desktop is new and didn't come with back up discs, so I am going to make those first, before I do the combofix.

Re: Removed AV, still have issue
Nevermind, it's not letting me make backup discs. I keep getting error messages. ???

Re: Removed AV, still have issue
Hello.

Wrong speech. Vista doesn't have the MS RC, so just run Combofix and it will run without the RC.


Re: Removed AV, still have issue
I ran Combofix and I get an error message that says:

Incompatible OS. Combofix works only for workstations with Windows 2000 and XP.

Then a Program Compatibility Assistant pops up and says that the program may not have installed correctly. I have two options:

Reinstall Using Recommended settings OR
This program installed correctly

Re: Removed AV, still have issue
Hello.
Was that from the x64 bit machine? Combofix will only run on the x32 bit machine, not x64.


Re: Removed AV, still have issue
Maybe this will help:
Desktop: 64bit
Laptop:32 bit

Makes more sense. That's why I tried to clarify. The 32 bit laptop moved folders when we did the gooredfix. The 64bit desktop did not. So, for the 64bit desktop, what would you like me to do? For the 32bit laptop? Ok, now I think we're on the same page.

Re: Removed AV, still have issue
Run Combofix on the laptop for now, leave the Desktop as it is. x64 uses a different file system to x32 bit, so malware-wise there is very little malware that can fully function on x64 bit, so there's less to worry about with that.


Re: Removed AV, still have issue
Ok, tried running combofix. It says I have Norton Security Online active. I have read your directions on how to turn it off. I don't have it in the system tray or in programs. I can't find it. Is there another way to turn it off?

Re: Removed AV, still have issue
In that case....

Please then reboot your computer in Safe Mode by doing the following:

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.

Run Combofix in Safe Mode, and select continue if you still get the "Norton is active" warning. That's why I suggest Safe Mode: the AV won't be running in Safe Mode.


Re: Removed AV, still have issue
It wouldn't let me stop, so it just ran through. I posted the log, but for some reason it didn't show. Here is the combofix log for the laptop:

ComboFix 10-07-07.02 - Mr.Clark 07/08/2010 11:38:45.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.894.269 [GMT -5:00]
Running from: c:\users\Mr.Clark\Desktop\Combo-Fix.exe
AV: Norton Security Online *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Online *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
SP: Norton Security Online *enabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\Windows
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\system32\logs
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-06-08 to 2010-07-08 )))))))))))))))))))))))))))))))
.

2010-07-08 16:58 . 2010-07-08 16:58 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-07-08 16:58 . 2010-07-08 16:58 -------- d-----w- c:\users\Patrick\AppData\Local\temp
2010-07-08 15:59 . 2010-07-08 16:33 -------- d-----w- C:\32788R22FWJFW
2010-07-07 02:49 . 2010-07-07 02:49 -------- d-----w- C:\_OTL
2010-07-05 03:32 . 2010-07-05 03:32 -------- d-----w- c:\users\Mr.Clark\AppData\Roaming\Malwarebytes
2010-07-05 03:32 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-05 03:32 . 2010-07-05 03:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-05 03:32 . 2010-07-05 03:32 -------- d-----w- c:\programdata\Malwarebytes
2010-07-05 03:32 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-08 15:54 . 2008-04-04 03:54 -------- d-----w- c:\programdata\Google Updater
2010-07-08 11:16 . 2007-04-12 01:41 -------- d-----w- c:\program files\Gateway Games
2010-07-06 13:13 . 2007-04-12 01:41 -------- d-----w- c:\programdata\WildTangent
2010-07-05 05:00 . 2008-04-30 16:00 -------- d-----w- c:\program files\Lx_cats
2010-07-05 04:56 . 2008-05-29 17:55 -------- d-----w- c:\program files\GamesBar
2010-07-05 03:26 . 2008-12-07 03:21 -------- d-----w- c:\program files\Microsoft Silverlight
2010-07-02 16:03 . 2007-11-27 21:01 3304 ----a-w- c:\users\Mr.Clark\AppData\Roaming\wklnhst.dat
2010-06-13 08:18 . 2007-04-12 01:48 -------- d-----w- c:\programdata\Microsoft Help
2010-06-02 18:37 . 2010-06-02 18:23 -------- d-----w- c:\users\Mr.Clark\AppData\Roaming\DreamDale
2010-06-02 18:27 . 2010-06-02 18:23 -------- d-----w- c:\users\Mr.Clark\AppData\Roaming\MB3
2010-06-02 18:23 . 2010-06-02 18:23 -------- d-----w- c:\users\Mr.Clark\AppData\Roaming\SmashFrenzy3
2010-05-30 12:38 . 2010-05-30 12:38 -------- d-----w- c:\programdata\PopCap Games
2010-05-29 12:56 . 2010-05-29 12:56 -------- d-----w- c:\programdata\MumboJumbo
2010-05-27 11:56 . 2010-05-27 11:56 -------- d-----w- c:\program files\AGEIA Technologies
2010-05-27 11:55 . 2010-05-27 11:55 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-05-13 12:20 . 2007-04-12 01:52 -------- d-----w- c:\program files\Google
2010-02-10 15:32 . 2010-02-10 15:32 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2009-03-23 18:02 . 2007-10-01 00:32 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2009-03-23 18:02 . 2007-10-01 00:32 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2009-03-23 18:02 . 2007-10-01 00:32 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2009-03-23 18:02 . 2007-10-01 00:32 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2009-03-23 18:02 . 2007-10-01 00:32 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-04 68856]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2007-09-17 1006264]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-17 815104]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-01-17 634880]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-02-10 30192]
"NapsterShell"="c:\program files\Napster\napster.exe" [2006-09-06 323216]
"BigFix"="c:\program files\Bigfix\bigfix.exe" [2006-11-16 2348584]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 56080]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-16 185896]
"LXCGCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2007-02-22 73728]
"lxcgmon.exe"="c:\program files\Lexmark 2300 Series\lxcgmon.exe" [2007-04-30 205744]
"EzPrint"="c:\program files\Lexmark 2300 Series\ezprint.exe" [2007-04-30 103344]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-06-02 267048]
"YOP"="c:\progra~1\Yahoo!\YOP\yop.exe" [2007-10-26 509224]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]

c:\users\Patrick\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\users\Mr.Clark\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2008-3-18 4742184]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-7-7 282624]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-9-23 67128]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-9-23 692224]
ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2007-8-17 54512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4004181874-1218646721-3285697250-1000]
"EnableNotificationsRef"=dword:00000002

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4004181874-1218646721-3285697250-500]
"EnableNotificationsRef"=dword:00000002

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-04 135664]
R3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-02-10 30192]
S1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\idsdefs\20090604.001\IDSvix86.sys [2009-02-09 272432]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 MRVW147;Marvell TOPDOG (TM) 802.11n Driver for Vista Native WIFI (CB8x/EC8x);c:\windows\system32\DRIVERS\MRVW147.sys [2007-01-27 321536]
S3 SYMNDISV;SYMNDISV;c:\windows\System32\Drivers\SYMNDISV.SYS [2008-10-03 37936]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-07-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-04 05:20]

2010-07-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-04 05:20]

2010-05-04 c:\windows\Tasks\Norton Security Online - Run Full System Scan - Mr.Clark.job
- c:\progra~1\Symantec\Norton AntiVirus\Navw32.exe [2007-01-14 09:09]

2010-07-08 c:\windows\Tasks\User_Feed_Synchronization-{9E180437-3F6A-40F3-A2C5-DFE896E3C40D}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.mail.yahoo.com/
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MT6458
uInternet Settings,ProxyOverride =
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\users\Mr.Clark\AppData\Roaming\Mozilla\Firefox\Profiles\aee0t5jc.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://search.myheritage.com/?orig=ds&q=
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - component: c:\users\Mr.Clark\AppData\Roaming\Mozilla\Firefox\Profiles\aee0t5jc.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.allow_platform_file_picker", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.remoteLookups", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.updateURL", "http://sb.google.com/safebrowsing/update?client={moz:client}&appver={moz:version}&");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.lookupURL", "http://sb.google.com/safebrowsing/lookup?sourceid=firefox-antiphish&features=TrustRank&client={moz:client}&appver={moz:version}&");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.reportURL", "http://sb.google.com/safebrowsing/report?");
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - (no file)
HKCU-Run-AdobeUpdater - c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe
HKLM-Run-PRISMSVR.EXE - c:\windows\system32\PRISMSVR.EXE
ActiveSetup-ccc-core-static - msiexec



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-08 11:59
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCGCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-4004181874-1218646721-3285697250-1001\Software\SecuROM\License information*]
"datasecu"=hex:a7,cc,63,cb,11,18,b2,ce,50,dc,9d,83,1d,9a,78,db,c2,4b,60,6e,67,
27,e0,9d,7b,02,d5,63,fb,f4,d8,a8,97,60,51,70,c3,69,82,19,59,98,fd,47,37,a1,\
"rkeysecu"=hex:53,23,ec,92,8c,0b,b6,ed,90,02,0c,7a,7e,b5,b9,67

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2010-07-08 12:11:40
ComboFix-quarantined-files.txt 2010-07-08 17:11

Pre-Run: 81,418,584,064 bytes free
Post-Run: 88,968,744,960 bytes free

- - End Of File - - 577B51864380D070AC6E6D098CDF694A

Re: Removed AV, still have issue
Hello.

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    Code:


    DDS::
    uInternet Settings,ProxyOverride =
    uInternet Settings,ProxyServer = http=127.0.0.1:5577

    RegLock::
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

  4. Save this as CFScript.txt, in the same location as ComboFix.exe

    (screenshot: Cfscriptb4i)

  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.

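The CFScript above does two things: it clears a per-user proxy that points at the loopback interface (uInternet Settings,ProxyServer = http=127.0.0.1:5577 in the log, which routes every HTTP request of that user through whatever process listens on that local port) and it resets the permissions on a registry key that ComboFix reported as locked. The script below is an added example (PowerShell, not ComboFix's code) that performs the same two checks by hand so they can be verified before and after the fix. The registry key path is the one from the log; the function and parameter names are this example's own.

```powershell
# Added example, not ComboFix's code. Two checks matching the CFScript's
# DDS:: and RegLock:: sections, written so each can be verified by hand.

# 1. Report the current user's WinINet proxy settings and flag a proxy that
#    points at the loopback interface (e.g. "http=127.0.0.1:5577").
function Get-UserProxyHijack {
    param([string]$Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings')
    $p = Get-ItemProperty -Path $Key
    $server = [string]$p.ProxyServer
    $loopback = $false
    # matches "127.0.0.1:5577", "http=127.0.0.1:5577", "localhost:8080", ...
    if ($server -and $server -match '(^|=)(127\.0\.0\.1|localhost)(:\d+)?') { $loopback = $true }
    New-Object PSObject -Property @{
        ProxyEnable   = $p.ProxyEnable
        ProxyServer   = $server
        ProxyOverride = $p.ProxyOverride
        AutoConfigURL = $p.AutoConfigURL
        LoopbackProxy = $loopback
    }
}

# Remove the per-user proxy (what the DDS:: lines in the CFScript do).
function Remove-UserProxy {
    param([string]$Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings')
    foreach ($name in 'ProxyServer', 'ProxyOverride', 'AutoConfigURL') {
        Remove-ItemProperty -Path $Key -Name $name -ErrorAction SilentlyContinue
    }
    Set-ItemProperty -Path $Key -Name ProxyEnable -Value 0 -Type DWord
}

# 2. List the explicit Deny ACEs on a registry key. A key that denies Users or
#    Everyone is what ComboFix's RegLock:: directive unlocks; reading its ACL
#    needs an elevated prompt. Pass the key in the HKEY_LOCAL_MACHINE\... form.
function Get-RegistryDenyAces {
    param([Parameter(Mandatory = $true)][string]$Key)
    $acl = Get-Acl -Path "Registry::$Key"
    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Deny' } |
        Select-Object IdentityReference, RegistryRights, IsInherited
}

# Usage
$proxy = Get-UserProxyHijack
$proxy | Format-List ProxyEnable, ProxyServer, ProxyOverride, AutoConfigURL, LoopbackProxy
if ($proxy.LoopbackProxy) {
    Write-Warning "Loopback proxy '$($proxy.ProxyServer)' is set for this user; run Remove-UserProxy to clear it."
}
Get-RegistryDenyAces -Key 'HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings' |
    Format-Table -AutoSize
```

Before clearing a loopback proxy, find out what is listening on the port: `netstat -ano | findstr :5577` gives the owning PID, and `tasklist /fi "pid eq <PID>"` names the process. Debugging proxies and some security products legitimately register a local proxy, so the process behind the port, not the setting alone, decides whether it is a hijack. Running Get-UserProxyHijack again after the ComboFix run confirms the DDS:: lines took effect.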

Re: Removed AV, still have issue
Ok, so I did that. It finished. I tried to get on IE, it said "illegal operation attempted on a registry key that has been marked for deletion." Then it has a box that says: "The item you selected is unavailable. It might have been moved, renamed, or removed. Do you want to remove it from the list?" and gives me a yes or no option. What does it mean and what do I choose? Also, this is the same for MANY other programs..... Firefox, Yahoo Messenger, Google Earth, Kodak EasyShare, MSN Messenger, etc. The folders on my desktop are the only thing that will open.

Re: Removed AV, still have issue
Bump

Re: Removed AV, still have issue
Hmm.
Are you able to use MBAM?


Re: Removed AV, still have issue

No. All programs I try and open give me the same "illegal operation attempted on a registry key that has been marked for deletion" message. The only things I can open are folders on the desktop, i.e. pictures, etc.

Re: Removed AV, still have issue

Can you log on under another user account and try MBAM, please?


Re: Removed AV, still have issue

Ok. I had to reboot because the laptop froze, and this time it decided it didn't care it hasn't worked in three days. All the programs work again. I'm sending the CFScript.txt log.


ComboFix 10-07-08.02 - Mr.Clark 07/09/2010 16:00:22.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.894.252 [GMT -5:00]
Running from: c:\users\Mr.Clark\Desktop\Combo-Fix.exe
Command switches used :: c:\users\Mr.Clark\Desktop\CFScript.txt
AV: Norton Security Online *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Online *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
SP: Norton Security Online *enabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-06-09 to 2010-07-09 )))))))))))))))))))))))))))))))
.

2010-07-09 21:15 . 2010-07-09 21:15 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-07-09 21:15 . 2010-07-09 21:15 -------- d-----w- c:\users\Patrick\AppData\Local\temp
2010-07-09 21:15 . 2010-07-09 21:15 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-07-09 20:53 . 2010-07-09 20:54 -------- d-----w- C:\32788R22FWJFW
2010-07-09 11:26 . 2010-07-09 11:26 19 ----a-w- c:\windows\popcinfo.dat
2010-07-08 16:33 . 2010-07-08 17:11 -------- d-----w- C:\Combo-Fix
2010-07-07 02:49 . 2010-07-07 02:49 -------- d-----w- C:\_OTL
2010-07-05 03:32 . 2010-07-05 03:32 -------- d-----w- c:\users\Mr.Clark\AppData\Roaming\Malwarebytes
2010-07-05 03:32 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-05 03:32 . 2010-07-05 03:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-05 03:32 . 2010-07-05 03:32 -------- d-----w- c:\programdata\Malwarebytes
2010-07-05 03:32 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-09 20:48 . 2008-04-30 16:00 -------- d-----w- c:\program files\Lx_cats
2010-07-09 18:55 . 2008-04-04 03:54 -------- d-----w- c:\programdata\Google Updater
2010-07-09 13:45 . 2007-04-12 01:41 -------- d-----w- c:\program files\Gateway Games
2010-07-09 11:13 . 2009-10-01 22:06 2319072 ----a-w- c:\programdata\WildTangent\Gateway Game Console\Downloads\en-us\Installers\SetupGamesClient.exe
2010-07-06 13:13 . 2007-04-12 01:41 -------- d-----w- c:\programdata\WildTangent
2010-07-05 04:56 . 2008-05-29 17:55 -------- d-----w- c:\program files\GamesBar
2010-07-05 03:26 . 2008-12-07 03:21 -------- d-----w- c:\program files\Microsoft Silverlight
2010-07-02 16:03 . 2007-11-27 21:01 3304 ----a-w- c:\users\Mr.Clark\AppData\Roaming\wklnhst.dat
2010-07-02 14:25 . 2010-03-06 01:08 439816 ----a-w- c:\users\Mr.Clark\AppData\Roaming\Real\Update\setup3.10\setup.exe
2010-07-01 18:52 . 2010-07-07 02:36 1496064 ----a-w- c:\users\Mr.Clark\AppData\Roaming\Mozilla\Firefox\Profiles\aee0t5jc.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-07-01 18:51 . 2010-07-07 02:36 43008 ----a-w- c:\users\Mr.Clark\AppData\Roaming\Mozilla\Firefox\Profiles\aee0t5jc.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-07-01 18:51 . 2010-07-07 02:36 338944 ----a-w- c:\users\Mr.Clark\AppData\Roaming\Mozilla\Firefox\Profiles\aee0t5jc.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-07-01 18:51 . 2010-07-07 02:36 346112 ----a-w- c:\users\Mr.Clark\AppData\Roaming\Mozilla\Firefox\Profiles\aee0t5jc.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-06-13 08:18 . 2007-04-12 01:48 -------- d-----w- c:\programdata\Microsoft Help
2010-06-02 18:37 . 2010-06-02 18:23 -------- d-----w- c:\users\Mr.Clark\AppData\Roaming\DreamDale
2010-06-02 18:27 . 2010-06-02 18:23 -------- d-----w- c:\users\Mr.Clark\AppData\Roaming\MB3
2010-06-02 18:23 . 2010-06-02 18:23 -------- d-----w- c:\users\Mr.Clark\AppData\Roaming\SmashFrenzy3
2010-05-30 12:38 . 2010-05-30 12:38 -------- d-----w- c:\programdata\PopCap Games
2010-05-29 12:56 . 2010-05-29 12:56 -------- d-----w- c:\programdata\MumboJumbo
2010-05-27 11:56 . 2010-05-27 11:56 -------- d-----w- c:\program files\AGEIA Technologies
2010-05-27 11:55 . 2010-05-27 11:55 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-05-13 12:20 . 2007-04-12 01:52 -------- d-----w- c:\program files\Google
2010-02-10 15:32 . 2010-02-10 15:32 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2009-03-23 18:02 . 2007-10-01 00:32 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2009-03-23 18:02 . 2007-10-01 00:32 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2009-03-23 18:02 . 2007-10-01 00:32 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2009-03-23 18:02 . 2007-10-01 00:32 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2009-03-23 18:02 . 2007-10-01 00:32 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-04 68856]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2007-09-17 1006264]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-17 815104]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-01-17 634880]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-02-10 30192]
"NapsterShell"="c:\program files\Napster\napster.exe" [2006-09-06 323216]
"BigFix"="c:\program files\Bigfix\bigfix.exe" [2006-11-16 2348584]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 56080]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-16 185896]
"LXCGCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2007-02-22 73728]
"lxcgmon.exe"="c:\program files\Lexmark 2300 Series\lxcgmon.exe" [2007-04-30 205744]
"EzPrint"="c:\program files\Lexmark 2300 Series\ezprint.exe" [2007-04-30 103344]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-06-02 267048]
"YOP"="c:\progra~1\Yahoo!\YOP\yop.exe" [2007-10-26 509224]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]

c:\users\Patrick\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\users\Mr.Clark\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2008-3-18 4742184]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-7-7 282624]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-9-23 67128]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-9-23 692224]
ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2007-8-17 54512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4004181874-1218646721-3285697250-1000]
"EnableNotificationsRef"=dword:00000002

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4004181874-1218646721-3285697250-500]
"EnableNotificationsRef"=dword:00000002

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-04 135664]
R3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-02-10 30192]
S1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\idsdefs\20090604.001\IDSvix86.sys [2009-02-09 272432]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 MRVW147;Marvell TOPDOG (TM) 802.11n Driver for Vista Native WIFI (CB8x/EC8x);c:\windows\system32\DRIVERS\MRVW147.sys [2007-01-27 321536]
S3 SYMNDISV;SYMNDISV;c:\windows\System32\Drivers\SYMNDISV.SYS [2008-10-03 37936]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-07-09 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-09-24 05:17]

2010-07-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-04 05:20]

2010-07-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-04 05:20]

2010-05-04 c:\windows\Tasks\Norton Security Online - Run Full System Scan - Mr.Clark.job
- c:\progra~1\Symantec\Norton AntiVirus\Navw32.exe [2007-01-14 09:09]

2010-07-09 c:\windows\Tasks\User_Feed_Synchronization-{9E180437-3F6A-40F3-A2C5-DFE896E3C40D}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.mail.yahoo.com/
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MT6458
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\users\Mr.Clark\AppData\Roaming\Mozilla\Firefox\Profiles\aee0t5jc.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://search.myheritage.com/?orig=ds&q=
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - component: c:\users\Mr.Clark\AppData\Roaming\Mozilla\Firefox\Profiles\aee0t5jc.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.allow_platform_file_picker", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.remoteLookups", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.updateURL", "http://sb.google.com/safebrowsing/update?client={moz:client}&appver={moz:version}&");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.lookupURL", "http://sb.google.com/safebrowsing/lookup?sourceid=firefox-antiphish&features=TrustRank&client={moz:client}&appver={moz:version}&");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.reportURL", "http://sb.google.com/safebrowsing/report?");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-09 16:15
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCGCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-4004181874-1218646721-3285697250-1001\Software\SecuROM\License information*]
"datasecu"=hex:a7,cc,63,cb,11,18,b2,ce,50,dc,9d,83,1d,9a,78,db,c2,4b,60,6e,67,
27,e0,9d,7b,02,d5,63,fb,f4,d8,a8,97,60,51,70,c3,69,82,19,59,98,fd,47,37,a1,\
"rkeysecu"=hex:53,23,ec,92,8c,0b,b6,ed,90,02,0c,7a,7e,b5,b9,67
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3400)
c:\program files\Logitech\SetPoint\lgscroll.dll
.
Completion time: 2010-07-09 16:26:52
ComboFix-quarantined-files.txt 2010-07-09 21:26
ComboFix2.txt 2010-07-08 17:11

Pre-Run: 88,742,576,128 bytes free
Post-Run: 88,391,405,568 bytes free

- - End Of File - - 22416CFEB2958CA8FCA8C7A8CEF66882
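The CFScript earlier in this thread clears a per-user ProxyServer value pointing at 127.0.0.1:5577, and the ComboFix log above lists several Security Center "DisableMonitoring" entries and an AppInit_DLLs value. The following Python script is an added example, not part of this thread, of ComboFix or of any tool named here: it audits ComboFix-style report lines for exactly those three conditions. The `SAMPLE_REPORT` text is constructed for the illustration (modelled on the lines posted above, not a captured log), and `Finding`, `audit_report` and the helper functions are names chosen here.

```python
"""Audit ComboFix-style report lines for a loopback proxy, silenced
Security Center monitoring and AppInit_DLLs entries (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample, modelled on the CFScript and the "Reg Loading Points"
# section posted in this thread; it is not a captured log.
SAMPLE_REPORT = r"""
uInternet Settings,ProxyOverride =
uInternet Settings,ProxyServer = http=127.0.0.1:5577
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2007-09-17 1006264]
"""

# DDS-style line: leading u = per-user (HKCU), m = machine-wide (HKLM)
PROXY_RE = re.compile(r"^[um]Internet Settings,(ProxyServer|ProxyOverride)\s*=\s*(.*)$")
SECTION_RE = re.compile(r"^\[(.+)\]$")            # [HKEY_...] section header
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')  # "name"=data


@dataclass
class Finding:
    severity: str   # "high" or "medium"
    location: str   # registry key or DDS setting name
    detail: str


def parse_proxy_server(value: str) -> Dict[str, str]:
    """'http=127.0.0.1:5577;https=x:y' -> {'http': '127.0.0.1:5577', ...}.
    A bare 'host:port' applies to every protocol and is keyed '*'."""
    proxies: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.partition("=")
        if not hostport:                 # no '=': one proxy for all schemes
            scheme, hostport = "*", scheme
        proxies[scheme.strip().lower()] = hostport.strip()
    return proxies


def is_loopback_host(hostport: str) -> bool:
    """True when the proxy host is this machine (127/8, ::1 or localhost)."""
    if hostport.startswith("["):                 # [::1]:port
        host = hostport[1:hostport.find("]")]
    elif hostport.count(":") == 1:               # host:port
        host = hostport.split(":")[0]
    else:                                        # bare host or bare IPv6
        host = hostport
    host = host.lower()
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def strip_reg_value(raw: str) -> str:
    """ComboFix prints string data as "data" [date size]; keep only the data."""
    raw = raw.strip()
    if raw.startswith('"'):
        end = raw.find('"', 1)
        return raw[1:end] if end > 0 else raw[1:]
    return raw


def audit_report(text: str) -> List[Finding]:
    findings: List[Finding] = []
    section = ""
    for line in text.splitlines():
        line = line.strip()
        m = PROXY_RE.match(line)
        if m:
            name, value = m.group(1), m.group(2).strip()
            if name == "ProxyServer" and value:
                for scheme, hostport in parse_proxy_server(value).items():
                    if is_loopback_host(hostport):
                        findings.append(Finding(
                            "high", f"Internet Settings\\{name}",
                            f"{scheme} traffic is routed through a proxy on this machine "
                            f"({hostport}); identify the listening process before clearing it"))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not (m and section):
            continue
        name, value = m.group(1).lower(), strip_reg_value(m.group(2))
        if (name == "disablemonitoring" and value.lower() == "dword:00000001"
                and "security center\\monitoring" in section.lower()):
            findings.append(Finding(
                "medium", section,
                "Security Center alerts for this product are silenced; expected when the "
                "product reports its own state, otherwise a tampering indicator"))
        elif name == "appinit_dlls" and value:
            findings.append(Finding(
                "medium", section,
                f"AppInit_DLLs loads {value} into every process that links user32.dll; "
                "verify the file is signed and expected"))
    return findings


if __name__ == "__main__":
    for f in audit_report(SAMPLE_REPORT):
        print(f"[{f.severity}] {f.location}: {f.detail}")
```

A proxy on the loopback address is not malicious by itself: some security suites filter web traffic through a local proxy, so check which process owns the listening port (for example with `netstat -ano` on the affected machine) before clearing the value, and treat an unexplained listener as the thing to investigate. The script only reads report text, so it can be run on a clean machine against a log copied from the infected one.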

Re: Removed AV, still have issue

BUMP

Re: Removed AV, still have issue

Hello.
Do this from the machine Combofix was run on.

  • Click Start >> Control Panel.
  • Under Programs, click Uninstall a Program.
  • Highlight the following:

    Adobe Reader 9.1
    Java(TM) SE Runtime Environment 6
    Viewpoint Media Player

  • Click on the Uninstall/Change button at the top.

Updating Java:

  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 20.
  • Click the "Download JRE" button to the right.
  • In the Window that opens, select your platform, check the "agree" box, and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Then from your desktop double-click on jre-6u20-windows-i586.exe that you downloaded to install the newest version.

Then download and install Adobe Reader 9.3.3


Run ESET Online Scan
Please do an online scan with ESET Online Scanner. Please use Internet Explorer as it uses ActiveX.

  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX, click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Check (tick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.


Re: Removed AV, still have issue

Alright. Completed the scan. The log doesn't look complete, but whatever. It didn't find any infected files, so maybe that's all it had to say.

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK

Re: Removed AV, still have issue

How is the machine running now?


Re: Removed AV, still have issue

It's running better. Super slow. But it's performing everything as it should.

Re: Removed AV, still have issue

BUMP

Just wondering what I should do next. I'll uninstall the programs we've used, since, hopefully, I won't be needing them for a while. I'm thinking that will help make the system faster. Thanks for your help.

Re: Removed AV, still have issue

Hi,

Your computer is now clean. Now, time to remove the tools used, and update your computer to prevent vulnerabilities.

==========

Please download ATF Cleaner by Atribune.

  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

If you use Firefox browser:
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, click No at the prompt.

If you use Opera browser:
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, click No at the prompt.

Click Exit on the Main menu to close the program.

==========

Updating System Restore
Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:
  • Select Start > All Programs > Accessories > System tools > System Restore.
  • On the dialogue box that appears, select Create a Restore Point.
  • Click NEXT
  • Enter a name e.g. Clean
  • Click CREATE.


You now have a clean restore point.

To get rid of the bad ones:
  • Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  • In the drop-down box that appears, select your main drive, e.g. C.
  • Click OK
  • The System will do a calculation of temporary/old files, and then display a dialogue box.
  • Select the More Options Tab.
  • At the bottom will be a System Restore box with a CLEANUP button; click this.
  • Accept the warning and select OK again; the program will close and you are done.


========

Removing the tools
Now, to remove all of the tools we used and the files and folders they created, please do the following:

Download OTC.exe by OldTimer:
  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.


============

Service Pack upgrade
Please consider upgrading to Windows XP SP3, because it includes all previously released updates. It also includes a small number of new functionalities. Some of the updates that Service Pack 3 provides, you may not have. It is now available via Windows Update.

More info about SP3: Here

=========

Here are some prevention tips I have provided:

1. Don't download files from untrusted websites or websites that seem suspicious.

2. Don't use torrents; they are a good way to get lots of malware.

3. Don't download and use cracks/warez/keygens; they are illegal and are another good way to contract malware.

4. Disable autorun (XP or Vista/7).

5. Always make sure you have the latest Windows updates. windowsupdate.microsoft.com

6. Don't ever click on the links inside of a popup.

7. Make sure you know what you install; you can make sure it is not known for being a virus by simply searching about it on Google.

8. Use a Site Advisor so you don't go to sites that will infect you. McAfee SiteAdvisor

9. Also, there are many holes and flaws in Internet Explorer; I recommend using Firefox 3 to keep you safer.

10. Always keep your Java and Adobe updated.

11. Don't fall for Scareware. What is Scareware? It is a website made to download a rogue Antivirus on your system that will scare you into buying their fake software due to false detections.

12. Always have a Firewall and an Antivirus.

Thanks for choosing GeekPolice; see this page if you would like to leave feedback or contribute to our site. Do you have any more questions?

For more information please visit Here

............................................................................................

I'm livin' life in the fast lane.

Re: Removed AV, still have issue

Alright. I did all of those steps. Thank you for all of your help!

Re: Removed AV, still have issue

You're welcome, glad to help.

