WiredWX Christian Hobby Weather Tools
Re: Suspicious files in my document folder

I have also followed your instructions on running the "fix.bat" program.

Re: Suspicious files in my document folder

yekkers wrote:
I have also followed your instructions on running the "fix.bat" program.


Any change?

Re: Suspicious files in my document folder

Still can't turn on Updates.

Re: Suspicious files in my document folder

Still can't turn on Updates.

Please take a look at this to see if it helps.

Re: Suspicious files in my document folder

Please take a look at this to see if it helps.


No, doesn't work, Dave, Updates won't turn on no matter what. This is starting to get to me :sad:

Re: Suspicious files in my document folder

I'm going to check with my colleagues about this problem.

Re: Suspicious files in my document folder

Can you go to MS and get your updates?

Do you have your OS CD/DVD?

If so,

1/ Click the Start button.

2/ From the Start Menu, Click All programs followed by Accessories.

3/ In the Accessories menu, Right Click on the Command Prompt option.

4/ From the drop down menu that appears, Click on the Run as administrator option.

5/ If you have the User Account Control (UAC) enabled you will be asked for authorisation prior to the command prompt opening. You may simply need to press the Continue button if you are the administrator or insert the administrator password etc.

6/ In the Command Prompt window, type: sfc /scannow and then press Enter.

7/ A message will appear stating that the system scan will begin.

8/ Be patient because the scan may take some time.

9/ If any files require replacing SFC will replace them. You may be asked to insert your Vista DVD for this process to continue.

10/ If everything is okay you should, after the scan, see the following message: "Windows resource protection did not find any integrity violations."

11/ After the scan has completed, Close the command prompt window.

Re: Suspicious files in my document folder

Superdave wrote:
Can you go to MS and get your updates?


You mean go to their websites and get it? If so, then when I try to do it, I will keep getting redirected to this page, which just tells me to turn on updates.

Superdave wrote:
Do you have your OS CD/DVD?

If so,

1/ Click the Start button......

I don't have the Vista disk. I ran your instructions anyway but it never asked for the disk, and it showed the message "Windows resource protection did not find any integrity violations." Still can't turn on updates.

Re: Suspicious files in my document folder

Basically, what that is telling you is that your IE browser is not up-to-date. The Security check shows that you have IE8 so that shouldn't be a problem. Why not try to update to IE9 and see what happens? You can find it on that site. Also, could you please check this? Right-click My Computer, select Manage. Select Services and Applications and double-click on Services. Check and see what the status of Automatic Updates and Background Intelligent Transfer Service is. They should be set to Automatic.

Re: Suspicious files in my document folder

Superdave wrote:
Basically, what that is telling you is that your IE browser is not up-to-date. The Security check shows that you have IE8 so that shouldn't be a problem. Why not try to update to IE9 and see what happens? You can find it on that site.

Just updated to IE9, but nothing's changed. Still can't turn on Updates.

Superdave wrote:
Select Services and Applications and double-click on Services. Check and see what the status of Automatic Updates and Background Intelligent Transfer Service is. They should be set to Automatic.

That's interesting. I see Automatic LiveUpdate (which I'm sure is Symantec, not MS) and Base Filtering Engine, but I don't see either of the services Automatic Updates and Background Intelligent Transfer Service. They seem to be missing.

Re: Suspicious files in my document folder

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3

To prevent your anti-virus application interfering with ComboFix we need to disable it. See here for a tutorial regarding how to do so if you are unsure: http://www.pchelpforum.com/anti-virus/110194-how-disable-your-security-applications.html

  • Close any open windows and double click ComboFix.exe to run it.

    You will see the following image:

[Image: NSIS_disclaimer_ENG]

Click I Agree to start the program.

ComboFix will then extract the necessary files and you will see this:

[Image: NSIS_extraction]

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7.

It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

If you did not have it installed, you will see the prompt below. Choose YES.

[Image: RcAuto1]

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[Image: Whatnext]

Click on Yes, to continue scanning for malware.

When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

Re: Suspicious files in my document folder

ComboFix 12-03-13.01 - Lou 14/03/2012 2:48.4.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2037.1249 [GMT 8:00]
Running from: c:\users\Lou\Desktop\ComboFix.exe
AV: COMODO Antivirus *Disabled/Updated* {7554F4C5-5EC0-2FC6-8192-8DF831DBED51}
SP: COMODO Defense+ *Disabled/Updated* {CE351521-78FA-2048-BB22-B68A4A5CA7EC}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\~GLH0014.TMP
c:\windows\system32\drivers\39f53c95945612ae.sys . . . . Failed to delete
c:\windows\system32\drivers\e100b325.sys . . . . Failed to delete
.
Infected copy of c:\windows\system32\drivers\ntfs.sys was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\ntfs.sys
Infected copy of c:\windows\system32\drivers\asyncmac.sys was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\asyncmac.sys
Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected
Restored copy from - c:\windows\System32\DriverStore\FileRepository\cdrom.inf_c949a5b6\cdrom.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_39f53c95945612ae
-------\Service_39f53c95945612ae
-------\Service_E100B
.
.
((((((((((((((((((((((((( Files Created from 2012-02-13 to 2012-03-13 )))))))))))))))))))))))))))))))
.
.
2012-03-13 18:59 . 2012-03-13 19:02 -------- d-----w- c:\users\Lou\AppData\Local\temp
2012-03-13 18:59 . 2012-03-13 18:59 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-03-13 18:59 . 2012-03-13 18:59 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-13 18:43 . 2012-03-13 18:43 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-03-13 17:58 . 2012-03-13 17:58 -------- d-----w- c:\users\Lou\AppData\Local\Comodo
2012-03-13 09:06 . 2012-03-13 09:06 -------- d--h--w- c:\windows\msdownld.tmp
2012-03-11 21:54 . 2012-03-11 21:54 -------- d-----w- c:\users\Lou\AppData\Local\Microsoft Corporation
2012-03-11 21:53 . 2012-03-11 21:53 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2012-03-07 21:36 . 2012-03-07 21:40 -------- d-----w- C:\MGADiagToolOutput
2012-03-05 19:13 . 2012-03-05 19:13 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2012-03-05 19:13 . 2012-03-05 19:13 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-05 18:58 . 2012-03-05 19:45 -------- d-----w- c:\programdata\CPA_VA
2012-03-05 18:51 . 2012-03-05 18:58 -------- d-----w- c:\programdata\Comodo
2012-03-05 18:48 . 2012-03-05 18:48 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2012-03-05 18:48 . 2012-03-05 18:49 -------- d-----w- c:\program files\COMODO
2012-03-04 19:13 . 2012-03-04 19:13 -------- d-----w- c:\users\Lou\AppData\Roaming\SUPERAntiSpyware.com
2012-03-04 19:13 . 2012-03-04 19:14 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-03-04 19:13 . 2012-03-04 19:13 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-03-02 13:24 . 2012-03-02 13:24 43352 ----a-w- c:\windows\system32\drivers\58eb7.sys
2012-02-29 10:27 . 2012-03-02 13:53 -------- d-----w- c:\users\Lou\AppData\Roaming\Onxe
2012-02-29 10:27 . 2012-03-02 13:20 -------- d-----w- c:\users\Lou\AppData\Roaming\Veuhen
2012-02-21 13:06 . 1998-11-22 06:23 84992 ----a-w- c:\windows\system32\Ledit32.dll
2012-02-21 13:06 . 1998-11-18 03:40 89600 ----a-w- c:\windows\system32\Leocx32.ocx
2012-02-21 13:06 . 1998-06-25 16:00 644400 ----a-w- c:\windows\system32\Mscomct2.ocx
2012-02-21 13:06 . 1998-06-23 16:00 369696 ----a-w- c:\windows\system32\Comct332.ocx
2012-02-21 13:06 . 2012-02-21 13:07 -------- d-----w- c:\program files\PageBreeze
2012-02-21 13:06 . 2008-09-12 06:55 1245184 ----a-w- c:\windows\system32\ChilkatCert.dll
2012-02-21 13:06 . 2008-09-12 06:50 1105920 ----a-w- c:\windows\system32\ChilkatFtp2.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-08 06:03 . 2012-03-02 08:50 6552120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{81B92148-B0DB-4FD1-9999-A6DD375EC2AD}\mpengine.dll
2012-01-28 21:10 . 2010-05-02 21:28 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-01-17 13:00 . 2012-01-17 13:00 491816 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2012-01-12 19:52 . 2012-02-16 09:00 2044416 ----a-w- c:\windows\system32\win32k.sys
2011-12-19 10:59 . 2011-12-19 10:59 82400 ----a-w- c:\windows\system32\drivers\inspect.sys
2011-12-19 10:59 . 2011-12-19 10:59 38616 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-12-19 10:59 . 2011-12-19 10:59 19600 ----a-w- c:\windows\system32\drivers\cmderd.sys
2011-12-19 10:58 . 2011-12-19 10:58 33984 ----a-w- c:\windows\system32\cmdcsr.dll
2011-12-19 10:58 . 2011-12-19 10:58 301224 ----a-w- c:\windows\system32\guard32.dll
2011-12-15 06:22 . 2012-02-16 09:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-02-17 13:14 . 2011-05-08 10:16 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2006-05-03 10:06 163328 --sh--r- c:\windows\System32\flvDX.dll
2007-02-21 11:47 31232 --sh--r- c:\windows\System32\msfDX.dll
2007-12-17 13:43 27648 --sh--w- c:\windows\System32\Smab0.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-11-09 4240760]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\guard32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
@="Service"
.
[HKLM\~\startupfolder\C:^Users^Lou^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\Lou\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 01:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2007-10-25 04:44 212992 ----a-w- c:\program files\Apoint2K\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-08-13 15:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO]
2011-11-23 10:27 208184 ----a-w- c:\program files\COMODO\COMODO GeekBuddy\CLPSLA.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO Internet Security]
2011-12-20 16:41 6676808 ----a-w- c:\program files\COMODO\COMODO Internet Security\cfp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CPA]
2011-11-23 10:27 182584 ----a-w- c:\program files\COMODO\COMODO GeekBuddy\VALA.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-02-15 01:32 1230704 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FileOpenBroker]
2011-10-21 07:08 724352 ----a-w- c:\program files\FileOpen\Services\FileOpenBroker32.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-02-11 20:13 166424 ----a-w- c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 15:24 54840 ----a-w- c:\program files\Hp\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
2007-10-03 23:15 480560 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2007-10-03 23:44 178712 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-02-11 20:13 141848 ----a-w- c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2012-01-13 06:53 981680 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-02-11 20:13 133656 ----a-w- c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
2007-09-28 00:05 202032 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
2007-10-01 03:34 181544 ----a-w- c:\program files\Hp\QuickPlay\QPService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-10 23:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-04-11 06:28 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-18 06:02 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-03-29 21:59 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UCam_Menu]
2007-09-14 00:32 222504 ------w- c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R1 58eb7;1rxzhicpme.exe;c:\windows\system32\drivers\58eb7.sys [2012-03-02 43352]
R4 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-08-11 116608]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 39F53C95945612AE
*NewlyCreated* - WS2IFSL
*Deregistered* - 39f53c95945612ae
*Deregistered* - FileOpenWebPublisherScreenHookDriver
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-12 22:44]
.
2012-03-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-12 22:44]
.
2011-02-28 c:\windows\Tasks\Norton Security Scan for Lou.job
- c:\progra~1\NORTON~2\Engine\310~1.21\Nss.exe [2011-02-28 14:02]
.
2012-03-13 c:\windows\Tasks\User_Feed_Synchronization-{A7F3F3D5-62F7-427C-B5D4-201B298E7C61}.job
- c:\windows\system32\msfeedssync.exe [2012-02-16 04:44]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=81&bd=Presario&pf=laptop
uInternet Settings,ProxyOverride = *.local
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-GB\local\search.html
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: o2.co.uk\*.broadband
TCP: DhcpNameServer = 203.185.0.35 203.185.0.36
TCP: Interfaces\{1B476100-CBD2-4DB2-B7ED-0C4B02C3BD76}: NameServer = 8.26.56.26,156.154.70.22
TCP: Interfaces\{B9B091AA-3F61-4407-8F4F-838AD2721C82}: NameServer = 8.26.56.26,156.154.70.22
FF - ProfilePath - c:\users\Lou\AppData\Roaming\Mozilla\Firefox\Profiles\i1isjn8p.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.startup.homepage - hxxp://google.com/
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-1117921776.www.telechart.com - c:\program files\Microsoft Silverlight\4.0.60129.0\Silverlight.Configuration.exe
.
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\39f53c95945612ae]
"ImagePath"="\SystemRoot\System32\Drivers\39f53c95945612ae.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files\FileOpen\Services\FileOpenManagerSvc32.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\conime.exe
.
**************************************************************************
.
Completion time: 2012-03-14 03:09:21 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-13 19:09
ComboFix2.txt 2010-08-07 16:16
.
Pre-Run: 89,004,785,664 bytes free
Post-Run: 88,956,080,128 bytes free
.
- - End Of File - - D0D6261F0ED0C2433130E648BE9F9EAD

Re: Suspicious files in my document folder

I can't open the ComboFix.txt file, or any program, right now. It gives me the error message "Illegal operation attempted on a registry key that has been marked for deletion."

Re: Suspicious files in my document folder

Just noticed that there is some weird file called catchme.txt that has appeared on the Desktop. From the sounds of it, this just can't be a good file.

Re: Suspicious files in my document folder

Illegal operation attempted on a registry key that has been marked for deletion.

A reboot will fix that.
Just noticed that there is some weird file called catchme.txt that has appeared on the Desktop. From the sounds of it, this just can't be a good file.

That's part of ComboFix. Just leave it.

Re-running ComboFix to remove infections:


  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open Notepad and copy/paste the text in the quote box below into it:

    KillAll::

    File::
    c:\windows\system32\drivers\39f53c95945612ae.sys
    c:\windows\system32\drivers\e100b325.sys
    Firefox::
    Trusted Zone: o2.co.uk\*.broadband

    DDS::
    Trusted Zone: o2.co.uk\*.broadband


  • Save this as CFScript.txt, in the same location as ComboFix.exe

    [Image: Cfscriptb4]

  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.
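Editorial example, not part of the thread or of ComboFix: a small triage helper for the ComboFix log format posted above. It splits the log into its banner sections, pulls out the entries that failed to delete (the paths the helper placed in the CFScript File:: block), pairs each disinfected system driver with the clean copy it was restored from, lists the service registry keys that were removed, and flags driver entries using an assumed heuristic (purely hexadecimal service names such as 58eb7 or 39f53c95945612ae, or an .exe display name on a boot/system-start kernel driver). The sample log is a constructed excerpt in the layout of the logs in this thread.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt in the layout of the ComboFix logs posted in this thread.
SAMPLE_LOG = r"""ComboFix 12-03-13.01 - Lou 14/03/2012 2:48.4.2 - x86
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\drivers\~GLH0014.TMP
c:\windows\system32\drivers\39f53c95945612ae.sys . . . . Failed to delete
c:\windows\system32\drivers\e100b325.sys . . . . Failed to delete
.
Infected copy of c:\windows\system32\drivers\ntfs.sys was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\ntfs.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_39f53c95945612ae
-------\Service_39f53c95945612ae
-------\Service_E100B
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
R1 58eb7;1rxzhicpme.exe;c:\windows\system32\drivers\58eb7.sys [2012-03-02 43352]
R4 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-08-11 116608]
"""

SECTION_RE = re.compile(r"^\({3,}\s*(.+?)\s*\){3,}$")
FAILED_RE = re.compile(r"^(?P<path>.+?)\s+(?:\.\s+)+Failed to delete$")
INFECTED_RE = re.compile(r"^Infected copy of (?P<path>.+?) was found and disinfected$")
RESTORED_RE = re.compile(r"^Restored copy from - (?P<path>.+)$")
# "R<start> name;display name;image path [date size]" entries for drivers and services.
SERVICE_RE = re.compile(r"^R(?P<start>[0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+?)\s+\[")


def split_sections(text: str) -> Dict[str, List[str]]:
    """Group lines under their '(((( Title ))))' banner; '.' spacer lines are dropped."""
    sections: Dict[str, List[str]] = {"Header": []}
    current = "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
            sections.setdefault(current, [])
        else:
            sections[current].append(line)
    return sections


def failed_deletions(sections: Dict[str, List[str]]) -> List[str]:
    """Paths ComboFix could not remove; these went into the CFScript File:: block."""
    out = []
    for line in sections.get("Other Deletions", []):
        m = FAILED_RE.match(line)
        if m:
            out.append(m.group("path"))
    return out


def disinfected_files(sections: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """(infected system file, clean copy it was restored from) pairs."""
    pairs, pending = [], None
    for line in sections.get("Other Deletions", []):
        m = INFECTED_RE.match(line)
        if m:
            pending = m.group("path")
            continue
        m = RESTORED_RE.match(line)
        if m and pending:
            pairs.append((pending, m.group("path")))
            pending = None
    return pairs


def removed_services(sections: Dict[str, List[str]]) -> List[str]:
    """Service/Legacy registry keys ComboFix deleted (lines starting with seven dashes and a backslash)."""
    return [line[len("-------\\"):] for line in sections.get("Drivers/Services", [])
            if line.startswith("-------\\")]


def suspicious_drivers(sections: Dict[str, List[str]]) -> List[Dict[str, str]]:
    """Assumed heuristic, not a ComboFix rule: flag R-entries whose service name is pure hex
    (like 58eb7 / 39f53c95945612ae) or whose display name is an .exe on a kernel driver."""
    flagged = []
    for lines in sections.values():
        for line in lines:
            m = SERVICE_RE.match(line)
            if not m:
                continue
            name, display, start = m.group("name"), m.group("display"), m.group("start")
            hex_name = re.fullmatch(r"[0-9a-f]{5,}", name.lower()) is not None
            exe_display = start in "01" and display.lower().endswith(".exe")
            if hex_name or exe_display:
                flagged.append({"name": name, "display": display, "image": m.group("image")})
    return flagged


def cfscript_file_section(paths: List[str]) -> str:
    """Render the File:: block of a CFScript the way the helper in the thread wrote it."""
    return "File::\n" + "\n".join(paths) + "\n"
```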

Re: Suspicious files in my document folder

ComboFix 12-03-13.01 - Lou 14/03/2012 17:54:00.6.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2037.1275 [GMT 8:00]
Running from: c:\users\Lou\Desktop\ComboFix.exe
Command switches used :: c:\users\Lou\Desktop\CFScript.txt
AV: COMODO Antivirus *Disabled/Outdated* {7554F4C5-5EC0-2FC6-8192-8DF831DBED51}
SP: COMODO Defense+ *Disabled/Updated* {CE351521-78FA-2048-BB22-B68A4A5CA7EC}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\windows\system32\drivers\39f53c95945612ae.sys"
"c:\windows\system32\drivers\e100b325.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\39f53c95945612ae.sys . . . . Failed to delete
c:\windows\system32\drivers\e100b325.sys . . . . Failed to delete
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_39f53c95945612ae
-------\Service_39f53c95945612ae
.
.
((((((((((((((((((((((((( Files Created from 2012-02-14 to 2012-03-14 )))))))))))))))))))))))))))))))
.
.
2012-03-14 10:01 . 2012-03-14 10:03 -------- d-----w- c:\users\Lou\AppData\Local\temp
2012-03-14 10:01 . 2012-03-14 10:01 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-03-14 10:01 . 2012-03-14 10:01 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-13 18:43 . 2012-03-13 18:43 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-03-13 17:58 . 2012-03-13 17:58 -------- d-----w- c:\users\Lou\AppData\Local\Comodo
2012-03-13 09:06 . 2012-03-13 09:06 -------- d--h--w- c:\windows\msdownld.tmp
2012-03-11 21:54 . 2012-03-11 21:54 -------- d-----w- c:\users\Lou\AppData\Local\Microsoft Corporation
2012-03-11 21:53 . 2012-03-11 21:53 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2012-03-07 21:36 . 2012-03-07 21:40 -------- d-----w- C:\MGADiagToolOutput
2012-03-05 19:13 . 2012-03-05 19:13 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2012-03-05 19:13 . 2012-03-05 19:13 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-05 18:58 . 2012-03-05 19:45 -------- d-----w- c:\programdata\CPA_VA
2012-03-05 18:51 . 2012-03-05 18:58 -------- d-----w- c:\programdata\Comodo
2012-03-05 18:48 . 2012-03-05 18:48 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2012-03-05 18:48 . 2012-03-05 18:49 -------- d-----w- c:\program files\COMODO
2012-03-04 19:13 . 2012-03-04 19:13 -------- d-----w- c:\users\Lou\AppData\Roaming\SUPERAntiSpyware.com
2012-03-04 19:13 . 2012-03-04 19:14 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-03-04 19:13 . 2012-03-04 19:13 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-03-02 13:24 . 2012-03-02 13:24 43352 ----a-w- c:\windows\system32\drivers\58eb7.sys
2012-02-29 10:27 . 2012-03-02 13:53 -------- d-----w- c:\users\Lou\AppData\Roaming\Onxe
2012-02-29 10:27 . 2012-03-02 13:20 -------- d-----w- c:\users\Lou\AppData\Roaming\Veuhen
2012-02-16 09:00 . 2012-01-12 19:52 2044416 ----a-w- c:\windows\system32\win32k.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-08 06:03 . 2012-03-02 08:50 6552120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{81B92148-B0DB-4FD1-9999-A6DD375EC2AD}\mpengine.dll
2012-01-28 21:10 . 2010-05-02 21:28 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-01-17 13:00 . 2012-01-17 13:00 491816 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2011-12-19 10:59 . 2011-12-19 10:59 82400 ----a-w- c:\windows\system32\drivers\inspect.sys
2011-12-19 10:59 . 2011-12-19 10:59 38616 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-12-19 10:59 . 2011-12-19 10:59 19600 ----a-w- c:\windows\system32\drivers\cmderd.sys
2011-12-19 10:58 . 2011-12-19 10:58 33984 ----a-w- c:\windows\system32\cmdcsr.dll
2011-12-19 10:58 . 2011-12-19 10:58 301224 ----a-w- c:\windows\system32\guard32.dll
2012-02-17 13:14 . 2011-05-08 10:16 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2006-05-03 10:06 163328 --sh--r- c:\windows\System32\flvDX.dll
2007-02-21 11:47 31232 --sh--r- c:\windows\System32\msfDX.dll
2007-12-17 13:43 27648 --sh--w- c:\windows\System32\Smab0.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-11-09 4240760]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\guard32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
@="Service"
.
[HKLM\~\startupfolder\C:^Users^Lou^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\Lou\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 01:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2007-10-25 04:44 212992 ----a-w- c:\program files\Apoint2K\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-08-13 15:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO]
2011-11-23 10:27 208184 ----a-w- c:\program files\COMODO\COMODO GeekBuddy\CLPSLA.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO Internet Security]
2011-12-20 16:41 6676808 ----a-w- c:\program files\COMODO\COMODO Internet Security\cfp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CPA]
2011-11-23 10:27 182584 ----a-w- c:\program files\COMODO\COMODO GeekBuddy\VALA.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-02-15 01:32 1230704 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FileOpenBroker]
2011-10-21 07:08 724352 ----a-w- c:\program files\FileOpen\Services\FileOpenBroker32.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-02-11 20:13 166424 ----a-w- c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 15:24 54840 ----a-w- c:\program files\Hp\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
2007-10-03 23:15 480560 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2007-10-03 23:44 178712 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-02-11 20:13 141848 ----a-w- c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2012-01-13 06:53 981680 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-02-11 20:13 133656 ----a-w- c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
2007-09-28 00:05 202032 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
2007-10-01 03:34 181544 ----a-w- c:\program files\Hp\QuickPlay\QPService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-10 23:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-04-11 06:28 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-18 06:02 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-03-29 21:59 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UCam_Menu]
2007-09-14 00:32 222504 ------w- c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R1 58eb7;1rxzhicpme.exe;c:\windows\system32\drivers\58eb7.sys [2012-03-02 43352]
R4 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-08-11 116608]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 39F53C95945612AE
*Deregistered* - 39f53c95945612ae
*Deregistered* - FileOpenWebPublisherScreenHookDriver
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-12 22:44]
.
2012-03-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-12 22:44]
.
2011-02-28 c:\windows\Tasks\Norton Security Scan for Lou.job
- c:\progra~1\NORTON~2\Engine\310~1.21\Nss.exe [2011-02-28 14:02]
.
2012-03-13 c:\windows\Tasks\User_Feed_Synchronization-{A7F3F3D5-62F7-427C-B5D4-201B298E7C61}.job
- c:\windows\system32\msfeedssync.exe [2012-02-16 04:44]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=81&bd=Presario&pf=laptop
uInternet Settings,ProxyOverride = *.local
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-GB\local\search.html
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 203.185.0.35 203.185.0.36
TCP: Interfaces\{1B476100-CBD2-4DB2-B7ED-0C4B02C3BD76}: NameServer = 8.26.56.26,156.154.70.22
TCP: Interfaces\{B9B091AA-3F61-4407-8F4F-838AD2721C82}: NameServer = 8.26.56.26,156.154.70.22
FF - ProfilePath - c:\users\Lou\AppData\Roaming\Mozilla\Firefox\Profiles\i1isjn8p.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.startup.homepage - hxxp://google.com/
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\39f53c95945612ae]
"ImagePath"="\SystemRoot\System32\Drivers\39f53c95945612ae.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files\FileOpen\Services\FileOpenManagerSvc32.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\conime.exe
.
**************************************************************************
.
Completion time: 2012-03-14 18:10:13 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-14 10:10
ComboFix2.txt 2012-03-14 09:41
ComboFix3.txt 2012-03-13 19:09
ComboFix4.txt 2010-08-07 16:16
.
Pre-Run: 88,764,956,672 bytes free
Post-Run: 88,735,502,336 bytes free
.
- - End Of File - - 4037C3026CC765154B0470AFA9B1BE06

Re: Suspicious files in my document folder

Copy and paste the text in the code box below into Notepad.

Code:

@echo off
rem Delete the two driver files named in the ComboFix log
del c:\windows\system32\drivers\39f53c95945612ae.sys
del c:\windows\system32\drivers\e100b325.sys
exit


Then click File > Save as
Save to the Desktop as blackpudding.bat
And Save as type: All Files.

Double-click on blackpudding.bat to run it.
After running this bat file please run ComboFix again and post the log.
*********************************************
SysProt Antirootkit

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.

  • Double click Sysprot.exe to start the program.
  • Click on the Log tab.
  • In the Write to log box select the following items.

    • Process << Selected
    • Kernel Modules << Selected
    • SSDT << Selected
    • Kernel Hooks << Selected
    • IRP Hooks << NOT Selected
    • Ports << NOT Selected
    • Hidden Files << Selected

  • At the bottom of the page

    • Hidden Objects Only << Selected

  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.

Re: Suspicious files in my document folder

In the Write to log box select the following items.

Process << Selected
Kernel Modules << Selected
SSDT << Selected
Kernel Hooks << Selected
IRP Hooks << NOT Selected
Ports << NOT Selected
Hidden Files << Selected

I don't think I understand. Are the items IRP Hooks and Ports originally supposed to be NOT selected, and I have to check those boxes? Or am I supposed to leave the boxes for IRP Hooks and Ports unchecked?

Edit: Nvm I got it.

Re: Suspicious files in my document folder

ComboFix 12-03-13.01 - Lou 15/03/2012 3:39.7.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2037.1300 [GMT 8:00]
Running from: c:\users\Lou\Desktop\ComboFix.exe
AV: COMODO Antivirus *Disabled/Outdated* {7554F4C5-5EC0-2FC6-8192-8DF831DBED51}
SP: COMODO Defense+ *Disabled/Updated* {CE351521-78FA-2048-BB22-B68A4A5CA7EC}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\e100b325.sys
c:\windows\system32\drivers\39f53c95945612ae.sys . . . . Failed to delete
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_39f53c95945612ae
-------\Service_39f53c95945612ae
.
.
((((((((((((((((((((((((( Files Created from 2012-02-14 to 2012-03-14 )))))))))))))))))))))))))))))))
.
.
2012-03-14 19:53 . 2012-03-14 19:53 272 ----a-w- c:\windows\system32\drivers\sfi.dat
2012-03-14 19:48 . 2012-03-14 19:57 -------- d-----w- c:\users\Lou\AppData\Local\temp
2012-03-14 19:48 . 2012-03-14 19:48 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-03-14 19:48 . 2012-03-14 19:48 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-13 18:43 . 2012-03-13 18:43 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-03-13 17:58 . 2012-03-13 17:58 -------- d-----w- c:\users\Lou\AppData\Local\Comodo
2012-03-13 09:06 . 2012-03-13 09:06 -------- d--h--w- c:\windows\msdownld.tmp
2012-03-11 21:54 . 2012-03-11 21:54 -------- d-----w- c:\users\Lou\AppData\Local\Microsoft Corporation
2012-03-11 21:53 . 2012-03-11 21:53 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2012-03-07 21:36 . 2012-03-07 21:40 -------- d-----w- C:\MGADiagToolOutput
2012-03-05 19:13 . 2012-03-05 19:13 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2012-03-05 19:13 . 2012-03-05 19:13 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-05 18:58 . 2012-03-05 19:45 -------- d-----w- c:\programdata\CPA_VA
2012-03-05 18:51 . 2012-03-05 18:58 -------- d-----w- c:\programdata\Comodo
2012-03-05 18:48 . 2012-03-05 18:48 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2012-03-05 18:48 . 2012-03-05 18:49 -------- d-----w- c:\program files\COMODO
2012-03-04 19:13 . 2012-03-04 19:13 -------- d-----w- c:\users\Lou\AppData\Roaming\SUPERAntiSpyware.com
2012-03-04 19:13 . 2012-03-04 19:14 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-03-04 19:13 . 2012-03-04 19:13 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-03-02 13:25 . 2012-03-02 13:25 43352 ----a-w- c:\windows\system32\drivers\39f53c95945612ae.sys
2012-02-29 10:27 . 2012-03-02 13:53 -------- d-----w- c:\users\Lou\AppData\Roaming\Onxe
2012-02-29 10:27 . 2012-03-02 13:20 -------- d-----w- c:\users\Lou\AppData\Roaming\Veuhen
2012-02-16 09:00 . 2012-01-12 19:52 2044416 ----a-w- c:\windows\system32\win32k.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-08 06:03 . 2012-03-02 08:50 6552120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{81B92148-B0DB-4FD1-9999-A6DD375EC2AD}\mpengine.dll
2012-01-28 21:10 . 2010-05-02 21:28 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-01-17 13:00 . 2012-01-17 13:00 491816 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2011-12-19 10:59 . 2011-12-19 10:59 82400 ----a-w- c:\windows\system32\drivers\inspect.sys
2011-12-19 10:59 . 2011-12-19 10:59 38616 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-12-19 10:59 . 2011-12-19 10:59 19600 ----a-w- c:\windows\system32\drivers\cmderd.sys
2011-12-19 10:58 . 2011-12-19 10:58 33984 ----a-w- c:\windows\system32\cmdcsr.dll
2011-12-19 10:58 . 2011-12-19 10:58 301224 ----a-w- c:\windows\system32\guard32.dll
2012-02-17 13:14 . 2011-05-08 10:16 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2006-05-03 10:06 163328 --sh--r- c:\windows\System32\flvDX.dll
2007-02-21 11:47 31232 --sh--r- c:\windows\System32\msfDX.dll
2007-12-17 13:43 27648 --sh--w- c:\windows\System32\Smab0.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-11-09 4240760]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\guard32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
@="Service"
.
[HKLM\~\startupfolder\C:^Users^Lou^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\Lou\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 01:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2007-10-25 04:44 212992 ----a-w- c:\program files\Apoint2K\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-08-13 15:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO]
2011-11-23 10:27 208184 ----a-w- c:\program files\COMODO\COMODO GeekBuddy\CLPSLA.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO Internet Security]
2011-12-20 16:41 6676808 ----a-w- c:\program files\COMODO\COMODO Internet Security\cfp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CPA]
2011-11-23 10:27 182584 ----a-w- c:\program files\COMODO\COMODO GeekBuddy\VALA.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-02-15 01:32 1230704 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FileOpenBroker]
2011-10-21 07:08 724352 ----a-w- c:\program files\FileOpen\Services\FileOpenBroker32.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-02-11 20:13 166424 ----a-w- c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 15:24 54840 ----a-w- c:\program files\Hp\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
2007-10-03 23:15 480560 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2007-10-03 23:44 178712 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-02-11 20:13 141848 ----a-w- c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2012-01-13 06:53 981680 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-02-11 20:13 133656 ----a-w- c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
2007-09-28 00:05 202032 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
2007-10-01 03:34 181544 ----a-w- c:\program files\Hp\QuickPlay\QPService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-10 23:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-04-11 06:28 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-18 06:02 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-03-29 21:59 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UCam_Menu]
2007-09-14 00:32 222504 ------w- c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R4 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-08-11 116608]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 25B7BF45801895D6
*NewlyCreated* - 58EB7
*NewlyCreated* - CMDERD
*NewlyCreated* - CMDGUARD
*Deregistered* - 25b7bf45801895d6
*Deregistered* - 58eb7
*Deregistered* - FileOpenWebPublisherScreenHookDriver
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-12 22:44]
.
2012-03-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-12 22:44]
.
2011-02-28 c:\windows\Tasks\Norton Security Scan for Lou.job
- c:\progra~1\NORTON~2\Engine\310~1.21\Nss.exe [2011-02-28 14:02]
.
2012-03-14 c:\windows\Tasks\User_Feed_Synchronization-{A7F3F3D5-62F7-427C-B5D4-201B298E7C61}.job
- c:\windows\system32\msfeedssync.exe [2012-02-16 04:44]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=81&bd=Presario&pf=laptop
uInternet Settings,ProxyOverride = *.local
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-GB\local\search.html
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 203.185.0.35 203.185.0.36
TCP: Interfaces\{1B476100-CBD2-4DB2-B7ED-0C4B02C3BD76}: NameServer = 8.26.56.26,156.154.70.22
TCP: Interfaces\{B9B091AA-3F61-4407-8F4F-838AD2721C82}: NameServer = 8.26.56.26,156.154.70.22
FF - ProfilePath - c:\users\Lou\AppData\Roaming\Mozilla\Firefox\Profiles\i1isjn8p.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.startup.homepage - hxxp://google.com/
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-15 03:57
Windows 6.0.6002 Service Pack 2 NTFS
.
detected NTDLL code modification:
ZwClose
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\25b7bf45801895d6]
"ImagePath"="\SystemRoot\System32\Drivers\25b7bf45801895d6.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(660)
c:\windows\system32\guard32.dll
.
- - - - - - - > 'Explorer.exe'(2268)
c:\windows\system32\guard32.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\FileOpen\Services\FileOpenManagerSvc32.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\conime.exe
.
**************************************************************************
.
Completion time: 2012-03-15 04:03:28 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-14 20:03
ComboFix2.txt 2012-03-14 10:10
ComboFix3.txt 2012-03-14 09:41
ComboFix4.txt 2012-03-13 19:09
ComboFix5.txt 2012-03-14 19:38
.
Pre-Run: 88,681,222,144 bytes free
Post-Run: 88,134,369,280 bytes free
.
- - End Of File - - B82A610563DC10B2F0CDD571E9825BBE
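As an added example (not part of this thread and not ComboFix's own code), here is a small Python triage script that pulls the indicators the helper is hunting out of a pasted ComboFix log: driver images with bare hex names such as 39f53c95945612ae.sys and 58eb7.sys, the "Failed to delete" entries, the Services\<hex> key with its ImagePath, the Security Center DisableMonitoring flags, the disinfected system drivers, and the NTDLL hook that catchme reported. The `triage` function name, the regexes and the SAMPLE_LOG excerpt (assembled from lines of the logs posted in this thread) are all this example's own; the patterns are written against the line shapes seen here and may need adjusting for other ComboFix versions. A hex-looking name is only a triage hit, not a verdict: some legitimate drivers have such names, so compare against a known-good driver inventory before deleting anything.

```python
"""Triage helper for ComboFix-style logs (added example, not ComboFix code).

Pulls out the indicators this thread is chasing: driver images with bare
hex names, files ComboFix could not delete, service keys still pointing at
such a driver, Security Center reporting switched off, patched system
drivers, and NTDLL hooks.  The regexes follow the line shapes visible in
this thread's logs; other ComboFix versions may format lines differently.
"""
import re

HEX = r"[0-9a-f]{5,16}"
# Driver image whose base name is only hex digits (39f53c95945612ae.sys,
# 25b7bf45801895d6.sys, 58eb7.sys in this thread).  Some legitimate drivers
# also have hex-looking names, so this is a list to cross-check against a
# known-good driver inventory, not a verdict.
HEX_SYS = re.compile(r"\\drivers\\(" + HEX + r")\.sys\b", re.IGNORECASE)
# "c:\...\x.sys . . . . Failed to delete" in the Other Deletions section
FAILED = re.compile(r"^(?P<path>\S.*?\.sys)\s+(?:\.\s+)+Failed to delete\s*$",
                    re.IGNORECASE)
# Service key that survives the file deletion, followed by its ImagePath
SERVICE_KEY = re.compile(r"^\[HKEY_LOCAL_MACHINE\\system\\ControlSet\d+\\Services\\("
                         + HEX + r")\]$", re.IGNORECASE)
IMAGE_PATH = re.compile(r'^"ImagePath"="(.+)"$')
# Loaded driver line: "R1 58eb7;1rxzhicpme.exe;c:\...\58eb7.sys [date size]"
RUNNING_DRV = re.compile(r"^[RS]\d\s+([^;]+);([^;]*);(.+?\.sys)\b", re.IGNORECASE)
# Security Center reporting switched off (some AV suites set this as well)
DISABLE_MON = re.compile(r'^"DisableMonitoring"=dword:0*1$', re.IGNORECASE)
DISINFECTED = re.compile(r"^Infected copy of (\S+) was found and disinfected",
                         re.IGNORECASE)
NTDLL_HDR = "detected NTDLL code modification:"


def triage(log_text):
    """Return a dict of indicator lists extracted from one ComboFix log."""
    found = {k: [] for k in ("hex_drivers", "failed_deletes", "service_keys",
                             "hex_named_services", "monitoring_disabled",
                             "disinfected", "ntdll_hooks")}
    pending_service = None   # service name waiting for its ImagePath line
    in_ntdll = False         # inside the list under the NTDLL header
    for raw in log_text.splitlines():
        ln = raw.strip()
        if in_ntdll:
            if ln in ("", "."):
                in_ntdll = False
            else:
                found["ntdll_hooks"].append(ln)
            continue
        if ln == NTDLL_HDR:
            in_ntdll = True
            continue
        m = SERVICE_KEY.match(ln)
        if m:
            pending_service = m.group(1).lower()
        elif ln.startswith("["):          # any other key ends the pairing
            pending_service = None
        m = IMAGE_PATH.match(ln)
        if m and pending_service:
            found["service_keys"].append((pending_service, m.group(1)))
            pending_service = None
        m = HEX_SYS.search(ln)
        if m and m.group(1).lower() not in found["hex_drivers"]:
            found["hex_drivers"].append(m.group(1).lower())
        m = FAILED.match(ln)
        if m:
            found["failed_deletes"].append(m.group("path"))
        m = RUNNING_DRV.match(ln)
        if m and re.fullmatch(HEX, m.group(1), re.IGNORECASE):
            found["hex_named_services"].append(
                (m.group(1).lower(), m.group(2), m.group(3)))
        if DISABLE_MON.match(ln):
            found["monitoring_disabled"].append(ln)
        m = DISINFECTED.match(ln)
        if m:
            found["disinfected"].append(m.group(1))
    return found


# Constructed excerpt: lines copied from the logs posted earlier in this thread.
SAMPLE_LOG = r"""
c:\windows\system32\drivers\e100b325.sys
c:\windows\system32\drivers\39f53c95945612ae.sys . . . . Failed to delete
c:\windows\system32\drivers\25b7bf45801895d6.sys . . . . Failed to delete
Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected
2012-03-02 13:25 . 2012-03-02 13:25 43352 ----a-w- c:\windows\system32\drivers\39f53c95945612ae.sys
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
R1 58eb7;1rxzhicpme.exe;c:\windows\system32\drivers\58eb7.sys [2012-03-02 43352]
R4 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-08-11 116608]
detected NTDLL code modification:
ZwClose
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\25b7bf45801895d6]
"ImagePath"="\SystemRoot\System32\Drivers\25b7bf45801895d6.sys"
"""

if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(f"{key}: {items}")
```

Run it as-is to see the indicators from the sample excerpt, or call `triage()` on the full text of a ComboFix.txt. Note that e100b325.sys is also reported under hex_drivers, which is exactly why the hex-name list is a cross-check list rather than a deletion list.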

Re: Suspicious files in my document folder

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No Hidden Processes found

******************************************************************************************
******************************************************************************************
No Hidden Kernel Modules found

******************************************************************************************
******************************************************************************************
No SSDT Hooks found

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
No hidden files/folders found

Re: Suspicious files in my document folder

Re-running ComboFix to remove infections:


  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:

    KillAll::

    File::
    c:\windows\system32\drivers\58eb7.sys
    1rxzhicpme.exe

    Driver::
    R1 58eb7

  • Save this as CFScript.txt, in the same location as ComboFix.exe

    [picture: Cfscriptb4, showing CFScript.txt being dragged onto ComboFix.exe]

  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.

***********************************************
Any change in the Windows Update problem?

Re: Suspicious files in my document folder

ComboFix 12-03-13.01 - Lou 17/03/2012 3:40.8.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2037.1242 [GMT 8:00]
Running from: c:\users\Lou\Desktop\ComboFix.exe
Command switches used :: c:\users\Lou\Desktop\CFScript.txt
AV: COMODO Antivirus *Disabled/Outdated* {7554F4C5-5EC0-2FC6-8192-8DF831DBED51}
SP: COMODO Defense+ *Disabled/Updated* {CE351521-78FA-2048-BB22-B68A4A5CA7EC}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
FILE ::
"c:\windows\system32\drivers\58eb7.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\25b7bf45801895d6.sys . . . . Failed to delete
c:\windows\system32\drivers\39f53c95945612ae.sys . . . . Failed to delete
.
Infected copy of c:\windows\system32\drivers\asyncmac.sys was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\asyncmac.sys
Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected
Restored copy from - c:\windows\System32\DriverStore\FileRepository\cdrom.inf_c949a5b6\cdrom.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_25b7bf45801895d6
-------\Service_25b7bf45801895d6
.
.
((((((((((((((((((((((((( Files Created from 2012-02-16 to 2012-03-16 )))))))))))))))))))))))))))))))
.
.
2012-03-16 19:48 . 2012-03-16 19:51 -------- d-----w- c:\users\Lou\AppData\Local\temp
2012-03-16 19:48 . 2012-03-16 19:48 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-03-16 19:48 . 2012-03-16 19:48 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-14 19:53 . 2012-03-14 19:53 272 ----a-w- c:\windows\system32\drivers\sfi.dat
2012-03-13 18:43 . 2012-03-13 18:43 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-03-13 17:58 . 2012-03-13 17:58 -------- d-----w- c:\users\Lou\AppData\Local\Comodo
2012-03-13 09:06 . 2012-03-13 09:06 -------- d--h--w- c:\windows\msdownld.tmp
2012-03-11 21:54 . 2012-03-11 21:54 -------- d-----w- c:\users\Lou\AppData\Local\Microsoft Corporation
2012-03-11 21:53 . 2012-03-11 21:53 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2012-03-07 21:36 . 2012-03-07 21:40 -------- d-----w- C:\MGADiagToolOutput
2012-03-05 19:13 . 2012-03-05 19:13 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2012-03-05 19:13 . 2012-03-05 19:13 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-05 18:58 . 2012-03-05 19:45 -------- d-----w- c:\programdata\CPA_VA
2012-03-05 18:51 . 2012-03-05 18:58 -------- d-----w- c:\programdata\Comodo
2012-03-05 18:48 . 2012-03-05 18:48 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2012-03-05 18:48 . 2012-03-05 18:49 -------- d-----w- c:\program files\COMODO
2012-03-04 19:13 . 2012-03-04 19:13 -------- d-----w- c:\users\Lou\AppData\Roaming\SUPERAntiSpyware.com
2012-03-04 19:13 . 2012-03-04 19:14 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-03-04 19:13 . 2012-03-04 19:13 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-03-02 13:25 . 2012-03-02 13:25 43352 ----a-w- c:\windows\system32\drivers\39f53c95945612ae.sys
2012-02-29 10:27 . 2012-03-02 13:53 -------- d-----w- c:\users\Lou\AppData\Roaming\Onxe
2012-02-29 10:27 . 2012-03-02 13:20 -------- d-----w- c:\users\Lou\AppData\Roaming\Veuhen
2012-02-16 09:00 . 2012-01-12 19:52 2044416 ----a-w- c:\windows\system32\win32k.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-08 06:03 . 2012-03-02 08:50 6552120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{81B92148-B0DB-4FD1-9999-A6DD375EC2AD}\mpengine.dll
2012-01-28 21:10 . 2010-05-02 21:28 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-01-17 13:00 . 2012-01-17 13:00 491816 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2011-12-19 10:59 . 2011-12-19 10:59 82400 ----a-w- c:\windows\system32\drivers\inspect.sys
2011-12-19 10:59 . 2011-12-19 10:59 38616 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-12-19 10:59 . 2011-12-19 10:59 19600 ----a-w- c:\windows\system32\drivers\cmderd.sys
2011-12-19 10:58 . 2011-12-19 10:58 33984 ----a-w- c:\windows\system32\cmdcsr.dll
2011-12-19 10:58 . 2011-12-19 10:58 301224 ----a-w- c:\windows\system32\guard32.dll
2012-02-17 13:14 . 2011-05-08 10:16 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2006-05-03 10:06 163328 --sh--r- c:\windows\System32\flvDX.dll
2007-02-21 11:47 31232 --sh--r- c:\windows\System32\msfDX.dll
2007-12-17 13:43 27648 --sh--w- c:\windows\System32\Smab0.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-11-09 4240760]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\guard32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
@="Service"
.
[HKLM\~\startupfolder\C:^Users^Lou^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\Lou\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 01:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2007-10-25 04:44 212992 ----a-w- c:\program files\Apoint2K\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-08-13 15:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO]
2011-11-23 10:27 208184 ----a-w- c:\program files\COMODO\COMODO GeekBuddy\CLPSLA.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO Internet Security]
2011-12-20 16:41 6676808 ----a-w- c:\program files\COMODO\COMODO Internet Security\cfp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CPA]
2011-11-23 10:27 182584 ----a-w- c:\program files\COMODO\COMODO GeekBuddy\VALA.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-02-15 01:32 1230704 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FileOpenBroker]
2011-10-21 07:08 724352 ----a-w- c:\program files\FileOpen\Services\FileOpenBroker32.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-02-11 20:13 166424 ----a-w- c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 15:24 54840 ----a-w- c:\program files\Hp\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
2007-10-03 23:15 480560 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2007-10-03 23:44 178712 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-02-11 20:13 141848 ----a-w- c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2012-01-13 06:53 981680 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-02-11 20:13 133656 ----a-w- c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
2007-09-28 00:05 202032 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
2007-10-01 03:34 181544 ----a-w- c:\program files\Hp\QuickPlay\QPService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-10 23:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-04-11 06:28 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-18 06:02 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-03-29 21:59 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UCam_Menu]
2007-09-14 00:32 222504 ------w- c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R4 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-08-11 116608]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 25B7BF45801895D6
*Deregistered* - 25b7bf45801895d6
*Deregistered* - FileOpenWebPublisherScreenHookDriver
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-12 22:44]
.
2012-03-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-12 22:44]
.
2011-02-28 c:\windows\Tasks\Norton Security Scan for Lou.job
- c:\progra~1\NORTON~2\Engine\310~1.21\Nss.exe [2011-02-28 14:02]
.
2012-03-16 c:\windows\Tasks\User_Feed_Synchronization-{A7F3F3D5-62F7-427C-B5D4-201B298E7C61}.job
- c:\windows\system32\msfeedssync.exe [2012-02-16 04:44]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=81&bd=Presario&pf=laptop
uInternet Settings,ProxyOverride = *.local
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-GB\local\search.html
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 203.185.0.35 203.185.0.36
TCP: Interfaces\{1B476100-CBD2-4DB2-B7ED-0C4B02C3BD76}: NameServer = 8.26.56.26,156.154.70.22
TCP: Interfaces\{B9B091AA-3F61-4407-8F4F-838AD2721C82}: NameServer = 8.26.56.26,156.154.70.22
FF - ProfilePath - c:\users\Lou\AppData\Roaming\Mozilla\Firefox\Profiles\i1isjn8p.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.startup.homepage - hxxp://google.com/
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-17 03:50
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\25b7bf45801895d6]
"ImagePath"="\SystemRoot\System32\Drivers\25b7bf45801895d6.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files\FileOpen\Services\FileOpenManagerSvc32.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\conime.exe
.
**************************************************************************
.
Completion time: 2012-03-17 03:57:07 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-16 19:57
ComboFix2.txt 2012-03-14 20:03
ComboFix3.txt 2012-03-14 10:10
ComboFix4.txt 2012-03-14 09:41
ComboFix5.txt 2012-03-16 19:38
.
Pre-Run: 88,017,149,952 bytes free
Post-Run: 87,463,014,400 bytes free
.
- - End Of File - - 9591F523E232E8CA93DC9EF4EBF78114
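
The log above carries the indicators that the rest of this thread ends up acting on: a service whose key name and driver file are the same 16-character hex string (25b7bf45801895d6), listed as both *NewlyCreated* and *Deregistered* within one session, plus "DisableMonitoring"=dword:00000001 under the Security Center Monitoring keys and Firefox user.js settings that switch off the mixed-content and insecure-submit warnings. The script below is an added example and is not part of this thread, of ComboFix or of any of the tools named here; it walks a ComboFix-style log once and lists those patterns for review. The sample lines it runs on are constructed to mirror the layout of the log, and the 16-hex-digit name test is a heuristic assumed by the example, not a rule ComboFix applies.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample lines, modelled on the layout of a ComboFix log (not copied from the thread).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
*NewlyCreated* - 25B7BF45801895D6
*Deregistered* - 25b7bf45801895d6
*Deregistered* - FileOpenWebPublisherScreenHookDriver
.
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_submit_insecure - false
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\25b7bf45801895d6]
"ImagePath"="\SystemRoot\System32\Drivers\25b7bf45801895d6.sys"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Tcpip]
"ImagePath"="\SystemRoot\System32\Drivers\tcpip.sys"
"""

# Heuristic assumed by this example: a service or driver whose only name is a
# bare 16-hex-digit string deserves a look, since legitimate drivers are named.
HEX_NAME = re.compile(r"^[0-9a-f]{16}$", re.IGNORECASE)
KEY_LINE = re.compile(r"^\[(.+)\]$")
SERVICE_KEY = re.compile(r"\\services\\([^\\\]]+)$", re.IGNORECASE)
IMAGE_PATH = re.compile(r'^"ImagePath"="(.+)"$', re.IGNORECASE)
DRIVER_EVENT = re.compile(r"^\*(NewlyCreated|Deregistered)\* - (\S+)$")
FF_WARN_OFF = re.compile(r"^FF - user\.js: (security\.warn_\S+) - false$")
MONITORING_OFF = '"disablemonitoring"=dword:00000001'

Finding = Tuple[str, str]  # (rule name, evidence taken from the log)


def triage(log_text: str) -> List[Finding]:
    """Walk a ComboFix-style log once and return the entries that merit review."""
    findings: List[Finding] = []
    current_key = ""                    # registry key the following values belong to
    events: Dict[str, Set[str]] = {}    # driver name (lower-cased) -> event kinds seen

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":     # ComboFix prints "." as a blank separator
            continue

        m = KEY_LINE.match(line)
        if m:
            current_key = m.group(1)
            svc = SERVICE_KEY.search(current_key)
            if svc and HEX_NAME.match(svc.group(1)):
                findings.append(("random_hex_service_name", current_key))
            continue

        m = IMAGE_PATH.match(line)
        if m:
            image = m.group(1)
            stem = image.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if HEX_NAME.match(stem):
                findings.append(("random_hex_driver_image", image))
            continue

        m = DRIVER_EVENT.match(line)
        if m:
            kind, name = m.groups()
            events.setdefault(name.lower(), set()).add(kind)
            if HEX_NAME.match(name):
                findings.append(("random_hex_driver_event", line))
            continue

        if "security center\\monitoring" in current_key.lower() and line.lower() == MONITORING_OFF:
            findings.append(("security_center_monitoring_disabled", current_key))
            continue

        m = FF_WARN_OFF.match(line)
        if m:
            findings.append(("firefox_security_warning_disabled", m.group(1)))

    # A driver registered and deregistered within one session leaves no lasting
    # Services entry, so only the in-memory listing shows it; report the pair.
    for name, kinds in events.items():
        if {"NewlyCreated", "Deregistered"} <= kinds:
            findings.append(("driver_created_and_deregistered_same_session", name))
    return findings


if __name__ == "__main__":
    for rule, evidence in triage(SAMPLE_LOG):
        print(f"{rule:45} {evidence}")
```

Each finding is a lead for a person to check, not a verdict: the Symantec Monitoring keys, for instance, can be left behind by an uninstalled Norton product, and the Firefox settings may have been set deliberately, so the script reports and the analyst decides.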

Re: Suspicious files in my document folder

Any change in the Windows Update problem?

Still no change, can't turn it on.

Re: Suspicious files in my document folder

Save these instructions so you can have access to them while in Safe Mode.

Please click here to download AVP Tool by Kaspersky.

  • Save it to your desktop.
  • Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
  • Double click the setup file to run it.
  • Click Next to continue.
  • Accept the License agreement and click on next.
  • It will, by default, install it to your desktop folder. Click Next.
  • It will then open a box. There will be a tab that says Automatic scan.
  • Under Automatic scan make sure these are checked.

  • Hidden Startup Objects
  • System Memory
  • Disk Boot Sectors.
  • My Computer.
  • Also any other drives (Removable that you may have)

Leave the rest of the settings as they appear as default.
  • Then click on Scan at the top right-hand corner.
  • It will automatically neutralize any objects found.
  • If some objects are left un-neutralized, then click the button that says Neutralize all.
  • If it says it cannot be neutralized, then choose the delete option when prompted.
  • After that is done, click on the Reports button at the bottom and save it to file; name it Kas.
  • Save it somewhere convenient like your desktop, and post only the detected virus/malware from the report (it will be at the very top under Detected) in your next reply.

Note: This tool will self uninstall when you close it so please save the log before closing it.

Re: Suspicious files in my document folder

My PC shut down on me while AVPTool was scanning. When I booted it back up and ran AVPTool again, when the scan completed, it just said it didn't detect anything. As such, I don't have any logs. Please advise on what to do next.

Re: Suspicious files in my document folder

Start Malwarebytes and go to the More Tools tab. There you'll find a button named Run Tool to run FileASSASSIN.

Then browse to these files:
c:\windows\system32\drivers\25b7bf45801895d6.sys
c:\windows\system32\drivers\39f53c95945612ae.sys

Select that file and click OK, then Yes to remove it.
*******************************************************
I'd like to scan your machine with ESET OnlineScan

• Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
• Click the [EsetOnline] button.
• For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

  • Click on [EsetSmartInstall] to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the [EsetSmartInstallDesktopIcon-1] icon on your desktop.

• Check [EsetAcceptTerms]
• Click the [EsetStart] button.
• Accept any security warnings from your browser.
• Check [EsetScanArchives]
• Push the Start button.
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
• When the scan completes, push [EsetListThreats]
• Push [EsetExport], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
• Push the [EsetBack] button.
• Push [EsetFinish]
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

Re: Suspicious files in my document folder

The module "wuaueng.dll" was loaded but the call to DllRegisterServer failed with error code 0x80070005.

I believe this is what is causing your problem with the Windows Updates.
This site explains why you receive this message although they only mention XP. Could it be something to do with you not using Adm privileges? Here's another site that may help. Please notice that Adm. is also mentioned. If none of these help, I think you should request help from Windows Vista about this problem.

Re: Suspicious files in my document folder

Start Malwarebytes and go to the More Tools tab. There you'll find a button named Run Tool to run FileASSASSIN.

Then browse to these files:
c:\windows\system32\drivers\25b7bf45801895d6.sys
c:\windows\system32\drivers\39f53c95945612ae.sys

Select that file and click OK, then Yes to remove it.


FileAssassin was able to remove 39f53c95945612ae.sys, but when I tried to remove 25b7bf45801895d6.sys, I just get the message "You don't have permission to open this file."

Re: Suspicious files in my document folder

C:\Qoobox\Quarantine\C\Windows\System32\drivers\_25b7bf45801895d6_.sys.zip a variant of Win32/Rootkit.Kryptik.HT trojan deleted - quarantined
C:\Qoobox\Quarantine\C\Windows\System32\drivers\_39f53c95945612ae_.sys.zip a variant of Win32/Rootkit.Kryptik.HT trojan deleted - quarantined
C:\Users\Lou\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\4\4b83f3c4-302a17e0 multiple threats deleted - quarantined
C:\Users\Lou\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50\77c3a532-53cc42a2 Java/TrojanDownloader.Agent.NAI trojan deleted - quarantined
C:\Users\Lou\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\799c6e88-7e033fcb multiple threats deleted - quarantined
C:\Users\Lou\Videos\Veoh\16_VeohWebPlayerSetup_eng.exe a variant of Win32/Toolbar.Zugo application deleted - quarantined

Re: Suspicious files in my document folder

ESETSmartInstaller@High as downloader log:
all ok
ESETSmartInstaller@High as downloader log:
Can not open internetESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=bb4d046c04010c43b47b1ddaaebd0b23
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-03-19 08:38:56
# local_time=2012-03-20 04:38:56 (+0800, China Standard Time)
# country="United Kingdom"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=1797 16774142 0 6 67394331 103706268 0 0
# compatibility_mode=3073 16777214 80 71 1417 7887021 0 0
# compatibility_mode=5892 16776574 100 100 1209976 169708531 0 0
# compatibility_mode=8192 67108863 100 0 1479 1479 0 0
# compatibility_mode=9217 16777214 0 4 102320204 102320204 0 0
# scanned=278860
# found=6
# cleaned=6
# scan_time=10132
C:\Qoobox\Quarantine\C\Windows\System32\drivers\_25b7bf45801895d6_.sys.zip a variant of Win32/Rootkit.Kryptik.HT trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Windows\System32\drivers\_39f53c95945612ae_.sys.zip a variant of Win32/Rootkit.Kryptik.HT trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\Lou\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\4\4b83f3c4-302a17e0 multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\Lou\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50\77c3a532-53cc42a2 Java/TrojanDownloader.Agent.NAI trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\Lou\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\799c6e88-7e033fcb multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\Lou\Videos\Veoh\16_VeohWebPlayerSetup_eng.exe a variant of Win32/Toolbar.Zugo application (deleted - quarantined) 00000000000000000000000000000000 C

Re: Suspicious files in my document folder

You can use Unlocker to delete that other file. Once you have Unlocker installed, search for that file, right-click on it and select Unlocker; then you should be able to delete it.

You can download and install Unlocker.

Please try this tool to fix the Update problem and let me know how it goes.

Please download Windows Update fix utility from here and run it.
