GeekPolice

trojan and virus overload

Post by adamjac on Fri 30 Oct 2009, 9:22 pm

About a week ago, I downloaded a torrent that when opened infected my computer. It disabled my McAfee, and Windows scan capabilities. Also, I can now only browse by means of Internet Explorer. My computer is constantly redirecting me to different sites.

One of the first successful scans gave me Trj/zlob.KH. Subsequent scans also included Downloader-BWS Trojan and DNSchanger.t

Since I have McAfee running again it has shown numerous Artemis trojans and an Exploit-ByteVerify. I'm desperate to reclaim my computer!!!

adamjac

Newbie Surfer

Posts: 13
Joined: 2009-10-22
Operating System: xp pro


Re: trojan and virus overload

Post by DragonMaster Jay on Fri 30 Oct 2009, 10:45 pm

Please download ComboFix from [You must be registered and logged in to see this link.]

Rename ComboFix.exe to commy.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found [You must be registered and logged in to see this link.]
  • Click Start>Run then copy paste the following command into the Run box & click OK "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console


Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

DragonMaster Jay

Moderator | Tech Staff

Posts: 2132
Joined: 2009-09-06
Operating System: Windows 7 Ultimate 32-Bit


ran ComboFix

Post by adamjac on Sat 31 Oct 2009, 10:47 am

Finished the ComboFix program, here are the results. Thank you for your time.

ComboFix 09-10-30.01 - Adam 10/31/2009 11:05.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.3001 [GMT -5:00]
Running from: c:\documents and settings\Adam\Desktop\Commy.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\2ACA5CC3-0F83-453D-A079-1076FE1A8B65
c:\documents and settings\All Users\Application Data\ZangoSA
c:\documents and settings\All Users\Application Data\ZangoSA\ZangoSA.dat
c:\documents and settings\All Users\Application Data\ZangoSA\ZangoSA_kyf_update.dat
c:\documents and settings\All Users\Application Data\ZangoSA\ZangoSAAbout.mht
c:\documents and settings\All Users\Application Data\ZangoSA\ZangoSAau.dat
c:\documents and settings\All Users\Application Data\ZangoSA\ZangoSAEula.mht
c:\documents and settings\Tiffany\Application Data\Zango
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\BtnTrans.idx
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\BtnTrans.xip
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\BtnTrans1.dat
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\BtnTrans1.xip
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\buttondir.txt
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\buttondir.xip
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\cursors.res
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\cursors.xip
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_1000.res
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_1000.xip
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_2000.res
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_2000.xip
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_3000.res
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_3000.xip
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_bar.res
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_bar.xip
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_bbar1.res
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_bbar1.xip
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_logos.res
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_logos.xip
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_other.res
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_other.xip
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_weather.res
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_weather.xip
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\default.cdf
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\default.xip
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\Default_511745-514279.mnu
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\Default_bidzC_ZT_IE-ca.mnu
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\Default_bidzC_ZT_IE-us.mnu
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\Default_categorize.mnu
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\Default_comparison.mnu
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\Default_explorer-Mails.mnu
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\Default_explorer-people.mnu
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\Default_favorites.mnu
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\Default_Games.mnu
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\Default_Hide.mnu
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\Default_hotbarcom.mnu
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\Default_Hotmail.mnu
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\Default_hsskin.mnu
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\Default_jemster.mnu
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\Default_jemsterie.mnu
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\Default_jemsteruk.mnu
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\Default_jobsearch.mnu
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\Default_Mails.mnu
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\Default_new.mnu
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\Default_premium.mnu
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\Default_reun.mnu
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\Default_ringtones.mnu
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\Default_SearchBoxTrapper.mnu
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\Default_searchfor.mnu
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\Default_searchgo.mnu
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\Default_weather.mnu
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\Default_yellowpages.mnu
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\email-def-511724-548964.mnu
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\email-def-511724-9595.mnu
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\email-t1-bg.res
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\email-t1-bg.xip
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\icons2.res
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\icons2.xip
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\ie_games_icon.res
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\ie_games_icon.xip
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\ie_video.res
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\ie_video.xip
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\keywords.idx
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\keywords.xip
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\keywords1.dat
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\keywords1.xip
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\layout.cdf
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\layout.xip
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\linkpathlegal.txt
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\linkpathlegal.xip
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\progress.res
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\progress.xip
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\s_icons_buttons.res
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\s_icons_buttons.xip
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\sales_buttons.res
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\sales_buttons.xip
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\samplegroups2.txt
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\samplegroups2.xip
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\t2_bg.res
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\t2_bg.xip
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\tsd_bg.res
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\tsd_bg.xip
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\zango_btn.res
c:\documents and settings\Tiffany\Application Data\Zango\v3.0\Zango\static\DownLoad\zango_btn.xip
c:\program files\Freeze.com Toolbar
c:\program files\Freeze.com Toolbar\basis.xml
c:\program files\Freeze.com Toolbar\freeze.bmp
c:\program files\Freeze.com Toolbar\frzToolbar_logo.bmp
c:\program files\Freeze.com Toolbar\icons.bmp
c:\program files\Freeze.com Toolbar\options.html
c:\program files\Freeze.com Toolbar\powered_yahoo_search.bmp
c:\program files\Freeze.com Toolbar\version.txt
c:\windows\kb913800.exe
c:\windows\system32\bszip.dll
c:\windows\system32\drivers\1028_DELL_XPS_Dell DXP051 .MRK
c:\windows\system32\drivers\DELL_XPS_Dell DXP051 .MRK
F:\Autorun.inf

Infected copy of c:\windows\system32\drivers\iastor.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-31 )))))))))))))))))))))))))))))))
.

2009-10-31 16:01 . 2008-04-13 18:40 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-10-31 16:01 . 2008-04-13 18:40 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys
2009-10-29 15:23 . 2009-10-29 15:23 22016 ----a-w- c:\windows\system32\tdlwsp.dll
2009-10-25 06:11 . 2009-10-01 15:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-22 16:33 . 2009-09-16 15:22 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-10-22 16:33 . 2009-09-16 15:22 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-10-22 16:33 . 2009-09-16 15:22 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-10-22 16:33 . 2009-07-16 17:32 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-10-22 16:32 . 2009-10-22 16:33 -------- d-----w- c:\program files\Common Files\McAfee
2009-10-22 16:32 . 2009-10-22 16:32 -------- d-----w- c:\program files\McAfee.com
2009-10-22 16:30 . 2009-09-16 15:22 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-10-22 13:19 . 2009-10-22 13:19 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-10-22 13:19 . 2009-10-31 16:11 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-22 13:19 . 2009-10-22 13:19 -------- d-----w- c:\documents and settings\Adam\Application Data\SUPERAntiSpyware.com
2009-10-22 13:09 . 2009-10-22 13:09 -------- d-----w- c:\documents and settings\Adam\Application Data\Malwarebytes
2009-10-22 13:09 . 2009-10-22 13:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-22 01:11 . 2009-10-22 01:11 -------- d-----w- c:\program files\Common Files\eSellerate
2009-10-21 19:41 . 2009-06-30 15:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-10-21 19:41 . 2009-10-21 19:41 -------- d-----w- c:\program files\Panda Security
2009-10-21 15:14 . 2009-10-21 15:14 -------- d-----w- c:\windows\system32\wbem\Repository
2009-10-21 13:48 . 2009-10-21 13:49 -------- d-----w- c:\program files\ATT-SST
2009-10-21 13:23 . 2009-10-21 13:29 -------- d-----w- c:\program files\ATT-PRT22-WISE
2009-10-21 12:59 . 2009-07-20 17:25 301656 ----a-w- c:\windows\system32\BtCoreIf.dll
2009-10-21 06:16 . 2009-10-25 19:26 -------- d-----w- c:\program files\Windows Live Safety Center
2009-10-21 04:30 . 2009-10-21 15:15 0 ----a-w- c:\windows\win32k.sys
2009-10-21 04:30 . 2009-10-21 04:30 271 ----a-w- c:\documents and settings\Adam\Local Settings\Application Data\pelf.vbs
2009-10-21 04:27 . 2009-10-21 04:27 271 ----a-w- c:\documents and settings\Adam\Local Settings\Application Data\hlgp.vbs
2009-10-16 15:00 . 2009-10-20 18:49 -------- d-----w- c:\windows\system32\Adobe
2009-10-04 16:46 . 2009-10-21 18:20 -------- d-----w- c:\documents and settings\Adam\Application Data\Move Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-31 16:21 . 2009-02-03 22:56 -------- d-----w- c:\documents and settings\Adam\Application Data\DNA
2009-10-31 16:21 . 2006-03-13 00:04 -------- d-----w- c:\program files\DNA
2009-10-31 16:02 . 2009-02-03 22:56 -------- d-----w- c:\documents and settings\Adam\Application Data\BitTorrent
2009-10-31 00:06 . 2007-11-08 17:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-10-30 19:55 . 2005-12-24 05:00 -------- d-----w- c:\program files\Dl_cats
2009-10-30 03:32 . 2008-12-08 03:48 -------- d-----w- c:\program files\WinTV
2009-10-30 00:19 . 2005-12-16 08:29 -------- d-----w- c:\program files\McAfee
2009-10-22 16:35 . 2005-12-16 08:29 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-10-22 16:19 . 2005-12-16 08:28 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee.com
2009-10-22 14:56 . 2005-12-16 08:25 -------- d-----w- c:\program files\WildTangent
2009-10-22 14:54 . 2008-11-23 19:35 -------- d-----w- c:\documents and settings\All Users\Application Data\WildTangent
2009-10-22 14:51 . 2005-12-27 04:53 -------- d-----w- c:\program files\EarthLink
2009-10-22 14:48 . 2008-01-29 00:52 -------- d-----w- c:\program files\Cap'n Crunch
2009-10-22 14:48 . 2005-12-16 08:16 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-22 14:04 . 2005-12-16 08:22 -------- d-----w- c:\program files\Viewpoint
2009-10-22 11:10 . 2005-12-16 08:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-10-21 15:30 . 2008-01-03 02:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-21 14:58 . 2009-01-12 14:03 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-21 14:39 . 2007-06-24 22:11 -------- d-----w- c:\program files\Common Files\Motive
2009-10-21 14:37 . 2007-06-24 22:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Motive
2009-10-21 14:32 . 2007-07-01 04:53 -------- d-----w- c:\documents and settings\Adam\Application Data\Motive
2009-10-21 13:00 . 2009-03-06 04:16 -------- d-----w- c:\documents and settings\All Users\Application Data\LogiShrd
2009-10-21 12:59 . 2009-01-02 21:34 -------- d-----w- c:\program files\Common Files\Logitech
2009-10-21 06:52 . 2006-03-29 23:29 120816 -c--a-w- c:\documents and settings\Tiffany\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-16 15:25 . 2009-08-27 18:12 -------- d-----w- c:\documents and settings\Adam\Application Data\dvdcss
2009-10-14 19:06 . 2008-10-12 06:16 101188 ---ha-w- c:\windows\system32\mlfcache.dat
2009-10-13 12:25 . 2005-12-27 03:01 120816 -c--a-w- c:\documents and settings\Adam\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-13 08:05 . 2008-01-03 02:18 -------- d-----w- c:\program files\Microsoft Works
2009-09-17 19:43 . 2009-09-17 19:43 -------- d-----w- c:\documents and settings\Adam\Application Data\McAfee
2009-09-17 19:22 . 2007-12-12 03:32 -------- d-----w- c:\program files\The Weather Channel FW
2009-09-16 15:40 . 2009-01-02 21:40 -------- d-----w- c:\program files\Common Files\LogiShrd
2009-09-16 15:40 . 2009-09-16 15:40 0 -c-ha-w- c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2009-09-16 15:22 . 2009-09-16 15:22 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-11 14:18 . 2005-08-16 10:18 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-07 15:57 . 2005-12-16 08:12 -------- d-----w- c:\program files\Java
2009-09-04 21:03 . 2005-08-16 10:18 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-26 08:00 . 2005-08-16 10:19 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-18 04:33 . 2009-08-18 04:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-07 00:24 . 2005-08-16 10:40 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 00:24 . 2005-08-16 10:40 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 00:24 . 2005-08-16 10:40 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 00:24 . 2005-05-26 10:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 00:24 . 2005-08-16 10:40 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-07 00:24 . 2005-08-16 10:18 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 00:23 . 2005-08-16 10:40 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 00:23 . 2008-01-03 03:25 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-07 00:23 . 2008-01-03 03:25 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-07 00:23 . 2005-08-16 10:40 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2005-08-16 10:18 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 2005-08-16 10:18 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-04 04:59 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-02-16 19:18 . 2009-02-16 19:18 4823040 -c----w- c:\program files\ehthumbs.db
2006-11-05 22:36 . 2006-11-05 22:36 774144 -c--a-w- c:\program files\RngInterstitial.dll
2008-05-03 21:01 . 2005-12-27 03:00 104 -csh--r- c:\windows\system32\7D6C9378DC.sys
2008-05-03 21:01 . 2005-12-27 03:00 3350 -csha-w- c:\windows\system32\KGyGaAvL.sys
.

------- Sigcheck -------

[7] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\eventlog.dll
[-] 2004-08-10 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\eventlog.dll

c:\windows\system32\eventlog.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2009-02-11 801904]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2004-11-30 1945600]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-02-03 342848]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-28 68856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-10-13 2000112]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-10 344064]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"CTDVDDET"="c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-07-11 122880]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-17 49152]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-03-20 213936]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-03-20 86960]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-09 8192]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-06-07 69632]
"dlccmon.exe"="c:\program files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-07-22 425984]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-09-13 180269]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"Motive SmartBridge"="c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2005-08-24 442455]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-03-20 213936]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-01-12 488984]
"LVCOMSX"="c:\program files\Common Files\LogiShrd\LComMgr\LVComSX.exe" [2007-01-12 244512]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2005-11-09 16384]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\CTXFIHLP.EXE [2006-03-02 18944]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-22 339968]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2009-06-17 55824]

c:\documents and settings\Tiffany\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\documents and settings\Adam\Start Menu\Programs\Startup\
Memeo AutoBackup Launcher.lnk - c:\documents and settings\Adam\Application Data\Microsoft\Installer\{6BCEB97B-F315-455D-BC2D-565A1A6781E8}\NewShortcut4_51A847D327C24F7797772AF2A4E486ED.exe [2009-10-21 73728]
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2008-12-22 385024]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2005-12-16 156784]
AT&T Self Support Tool.lnk - c:\program files\SBC Self Support Tool\bin\matcli.exe [2007-6-24 217088]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-12-16 24576]
Event Reminder.lnk - c:\program files\PrintMaster 16\pmremind.exe [2004-1-20 339968]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-3-5 813584]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]
ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2008-2-5 54512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-02-18 18:01 10536 ----a-w- c:\program files\Citrix\GoToAssist\508\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [10/21/2009 2:41 PM 28552]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [10/22/2009 11:35 AM 203280]
R3 hcw72ADFilter;WinTV HVR-950 USB Audio Filter Driver;c:\windows\system32\drivers\hcw72ADFilter.sys [7/8/2008 7:35 PM 27904]
R3 hcw72ATV;WinTV HVR-950 NTSC;c:\windows\system32\drivers\hcw72ATV.sys [7/8/2008 7:37 PM 1198720]
R3 hcw72DTV;WinTV HVR-950 ATSC/QAM;c:\windows\system32\drivers\hcw72DTV.sys [7/8/2008 7:41 PM 1191552]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 Medcin;Medcin;c:\program files\Medicomp Systems, Inc\Server\medcinserv --> c:\program files\Medicomp Systems, Inc\Server\medcinserv [?]
S3 ADSFilter;ADSFilter - (Aluria Filter Driver);c:\windows\system32\DRIVERS\ADSFilter.sys --> c:\windows\system32\DRIVERS\ADSFilter.sys [?]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys --> c:\windows\system32\Drivers\BW2NDIS5.sys [?]
S3 krdpdre;krdpdre;\??\c:\docume~1\Adam\LOCALS~1\Temp\krdpdre.sys --> c:\docume~1\Adam\LOCALS~1\Temp\krdpdre.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - CLASSPNP_2
*NewlyCreated* - MBR
*Deregistered* - CLASSPNP_2
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-10-31 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-03-05 03:39]

2009-10-22 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-22 17:22]

2009-10-22 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-22 17:22]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]{searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=localhost:8080
uInternet Settings,ProxyOverride = 127.0.0.1;
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
Trusted Zone: microsoft.com\oas.support
Trusted Zone: microsoft.com\support
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
AddRemove-OneStep - c:\program files\OneStep\uninstall.exe
AddRemove-SBC Self Support Tool - c:\docume~1\Adam\LOCALS~1\Temp\SST\CustomUninstall.exe
AddRemove-SBC.MCCInstall - c:\windows\Motive\SBC\MCCUninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-10-31 11:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys sfsync02.sys hal.dll iastor.sys
kernel: MBR read successfully
user & kernel MBR OK
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

iastor.sys @ 0xB9E36000 0xD4E80 bytes

\Driver\iastor [ IRP_MJ_INTERNAL_DEVICE_CONTROL ] 0xB9E48B10 != 0xBA0C98B4 sfsync02.sys
\Driver\iastor IRP hooks detected !

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Medcin]
"ImagePath"="c:\program files\Medicomp Systems, Inc\Server\medcinserv"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(704)
c:\program files\Citrix\GoToAssist\508\G2AWinLogon.dll

- - - - - - - > 'explorer.exe'(4868)
c:\windows\system32\WININET.dll
c:\progra~1\SBCSEL~1\SMARTB~1\SBHook.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\CTsvcCDA.EXE
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\progra~1\MUSICM~1\MUSICM~3\MMDiag.exe
c:\windows\eHome\ehmsas.exe
c:\progra~1\Yahoo!\browser\ycommon.exe
c:\windows\system32\dlcccoms.exe
c:\program files\MUSICMATCH\Musicmatch Jukebox\mim.exe
c:\windows\system32\dllhost.exe
c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
c:\program files\SBC Self Support Tool\bin\mpbtn.exe
c:\program files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
c:\program files\Memeo\AutoBackup\MemeoBackup.exe
.
**************************************************************************
.
Completion time: 2009-10-31 11:27 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-31 16:27

Pre-Run: 90,154,369,024 bytes free
Post-Run: 90,055,925,760 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - CB139586E6036DB46EAD6BFB98D68A41

adamjac

Newbie Surfer

Posts: 13
Joined: 2009-10-22
Operating System: xp pro


Re: trojan and virus overload

Post by DragonMaster Jay on Sat 31 Oct 2009, 2:40 pm

There are dangerous backdoor trojans on your system (2). This is a sign of total system compromise.
[You must be registered and logged in to see this link.] are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data, which is sent back to the hacker. To learn more about these types of infections, you can refer to:
I would counsel you to immediately disconnect this PC from the Internet and from your network if it is on a network. Disconnect the infected computer until the computer can be cleaned.
Then, access this information from a non-compromised computer to follow the steps needed.
If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable. Do NOT change passwords or do any transactions while using the infected computer because the attacker may get the new passwords and transaction information. (If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again.) Banking and credit card institutions should be notified to apprise them of your situation (possible security breach). To protect your information that may have been compromised, I recommend reading these references:

Though the backdoor has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired, so you can never be sure that you have completely removed a backdoor trojan. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove backdoor trojans cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with such a piece of malware, the best course of action would be a reformat and clean reinstall of the OS. This is something I don't like to recommend normally, but in most cases it is the best solution for your safety. Making this decision is based on what the computer is used for, and what information can be accessed from it. For more information, please read these references very carefully:
Guides for format and reinstall: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]
However, if you do not have the resources to reinstall your computer's OS and would like me to attempt to clean it, I will be happy to do so. But please consider carefully before deciding against a reformat.
If you do make that decision, I will do my best to help you clean the computer of any infections, but you must understand that once a machine has been taken over by this type of malware, I cannot guarantee that it will be 100% secure even after disinfection or that the removal will be successful.

Please let me know what you have decided to do in your next post. Should you have any questions, please feel free to ask.

If you do not have the resources to reformat and reinstall, or would rather clean the computer - Please do the following:



  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    FCopy::
    c:\windows\ServicePackFiles\i386\eventlog.dll | c:\windows\system32\eventlog.dll

    NetSvc::
    krdpdre

    File::
    c:\docume~1\Adam\LOCALS~1\Temp\krdpdre.sys

    FileLook::
    sfsync02.sys

    Driver::
    iastor

  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


DragonMaster Jay

Moderator | Tech Staff

Posts: 2132
Joined: 2009-09-06
Operating System: Windows 7 Ultimate 32-Bit

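The CFScript above targets a handful of indicators that can be read straight out of the ComboFix and catchme output: a driver registered from the user's Temp directory (krdpdre.sys), an IRP hook reported on \Driver\iastor, Internet Explorer proxied through localhost:8080, Security Center monitoring switched off and the Windows firewall disabled. The following script is an added example, not code from this thread, from ComboFix or from GMER: it parses log lines in that format and flags those indicators so a helper can triage a posted log quickly. The rule names and the `triage()` function are my own; the sample lines are copied from the logs in this thread plus one benign driver line for contrast.

```python
import re
from typing import List, Tuple

# Constructed sample: lines copied from the ComboFix/catchme/MBR-detector output
# posted in this thread, plus a benign R0 driver line (pavboot) for contrast.
SAMPLE_LOG = r"""
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [10/21/2009 2:41 PM 28552]
S3 krdpdre;krdpdre;\??\c:\docume~1\Adam\LOCALS~1\Temp\krdpdre.sys --> c:\docume~1\Adam\LOCALS~1\Temp\krdpdre.sys [?]
uInternet Settings,ProxyServer = http=localhost:8080
uInternet Settings,ProxyOverride = 127.0.0.1;
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
\Driver\iastor [ IRP_MJ_INTERNAL_DEVICE_CONTROL ] 0xB9E48B10 != 0xBA0C98B4 sfsync02.sys
\Driver\iastor IRP hooks detected !
"""

# Patterns for the ComboFix log dialect (hypothetical rule set, written for this example).
SERVICE_LINE = re.compile(r"^([RS]\d)\s+([^;]+);")            # "S3 krdpdre;krdpdre;<path> ..."
TEMP_PATH    = re.compile(r"\\temp\\", re.I)                  # ...\LOCALS~1\Temp\... or ...\Temp\...
PROXY_LINE   = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(.+)$", re.I)
LOCAL_PROXY  = re.compile(r"\b(localhost|127\.0\.0\.1):(\d+)", re.I)
REG_KEY      = re.compile(r"^\[(.+)\]$")                      # "[HKEY_LOCAL_MACHINE\...]" section header
DISABLE_MON  = re.compile(r'^"DisableMonitoring"\s*=\s*dword:0*1$', re.I)
FIREWALL_OFF = re.compile(r'^"EnableFirewall"\s*=\s*0\b', re.I)
IRP_HOOK     = re.compile(
    r"^\\Driver\\(\S+)\s+\[\s*(IRP_MJ_\w+)\s*\]\s+(0x[0-9A-F]+)\s*!=\s*(0x[0-9A-F]+)\s+(\S+)", re.I)


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (rule, detail) findings for the indicators this thread's fix script acted on.

    Registry section headers are tracked so that a value line such as
    "DisableMonitoring"=dword:1 is only flagged under a Security Center key.
    """
    findings: List[Tuple[str, str]] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = REG_KEY.match(line)
        if m:
            current_key = m.group(1)
            continue

        # Driver/service whose image lives in a Temp directory (krdpdre.sys in this thread).
        m = SERVICE_LINE.match(line)
        if m and TEMP_PATH.search(line):
            findings.append(("driver-in-temp",
                             f"{m.group(2)} ({m.group(1)}) loads from a temp directory"))
            continue

        # Browser traffic forced through a local listener (localhost:8080 in this thread).
        m = PROXY_LINE.match(line)
        if m:
            p = LOCAL_PROXY.search(m.group(1))
            if p:
                findings.append(("local-proxy", f"IE proxies through {p.group(1)}:{p.group(2)}"))
            continue

        # Security Center told to stop reporting the AV/firewall state.
        if DISABLE_MON.match(line) and "security center\\monitoring" in current_key.lower():
            findings.append(("security-center-muted", f"DisableMonitoring=1 under {current_key}"))
            continue

        # Windows firewall profile switched off.
        if FIREWALL_OFF.match(line) and "firewallpolicy" in current_key.lower():
            findings.append(("firewall-off", f"EnableFirewall=0 under {current_key}"))
            continue

        # GMER-style IRP dispatch mismatch on a storage driver.
        m = IRP_HOOK.match(line)
        if m:
            drv, irp, first, second, owner = m.groups()
            findings.append(("irp-hook",
                             f"\\Driver\\{drv} {irp} handler {first} != {second} ({owner})"))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"[{rule}] {detail}")
```

The rules deliberately key on the section header for the registry values: the same `DisableMonitoring` and `EnableFirewall` names could appear under unrelated keys, and flagging them without the key context produces noise. Run over the sample it reports five findings, one per indicator the CFScript addresses, and nothing for the benign pavboot line.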

Re: trojan and virus overload

Post by adamjac on Sat 31 Oct 2009, 8:37 pm

Well, I was hoping for a little more positive information, but I guess it doesn't always end well. At the moment I am unemployed and in an unemployment dispute for my compensation, so having the resources to reformat is out of the question. This computer is a family trove of treasures which now I am desperately trying to copy all important information from onto discs: pictures, music, and movies, etc. There is no chance of having infected media, is there? Should I be worried about my backup hard drive? If you can't clean this computer then I will have to wait to reformat until I can offload all important info, which at the moment is subject to financing. Here is the new log; when Windows restarted it failed and I had to restart with last known workable configurations. Again, I truly appreciate your help, even if it doesn't turn out the way I hope.


ComboFix 09-10-30.01 - Adam 10/31/2009 20:53.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2658 [GMT -5:00]
Running from: c:\documents and settings\Adam\Desktop\commy.exe
Command switches used :: c:\documents and settings\Adam\Desktop\CFscript.txt
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\docume~1\Adam\LOCALS~1\Temp\krdpdre.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\eventlog.dll --> c:\windows\system32\eventlog.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_iastor


((((((((((((((((((((((((( Files Created from 2009-10-01 to 2009-11-01 )))))))))))))))))))))))))))))))
.

2009-11-01 01:53 . 2008-04-14 00:11 56320 ----a-w- c:\windows\system32\eventlog.dll
2009-11-01 01:53 . 2008-04-14 00:11 56320 ----a-w- c:\windows\system32\dllcache\eventlog.dll
2009-11-01 01:36 . 2009-11-01 01:36 -------- d-----w- c:\windows\LastGood
2009-10-31 16:01 . 2008-04-13 18:40 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-10-31 16:01 . 2008-04-13 18:40 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys
2009-10-29 15:23 . 2009-10-29 15:23 22016 ----a-w- c:\windows\system32\tdlwsp.dll
2009-10-25 06:11 . 2009-10-01 15:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-22 16:33 . 2009-09-16 15:22 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-10-22 16:33 . 2009-09-16 15:22 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-10-22 16:33 . 2009-09-16 15:22 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-10-22 16:33 . 2009-07-16 17:32 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-10-22 16:32 . 2009-10-22 16:33 -------- d-----w- c:\program files\Common Files\McAfee
2009-10-22 16:32 . 2009-10-22 16:32 -------- d-----w- c:\program files\McAfee.com
2009-10-22 16:30 . 2009-09-16 15:22 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-10-22 13:19 . 2009-10-22 13:19 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-10-22 13:19 . 2009-11-01 02:00 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-22 13:19 . 2009-10-22 13:19 -------- d-----w- c:\documents and settings\Adam\Application Data\SUPERAntiSpyware.com
2009-10-22 13:09 . 2009-10-22 13:09 -------- d-----w- c:\documents and settings\Adam\Application Data\Malwarebytes
2009-10-22 13:09 . 2009-10-22 13:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-22 01:11 . 2009-10-22 01:11 -------- d-----w- c:\program files\Common Files\eSellerate
2009-10-21 19:41 . 2009-06-30 15:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-10-21 19:41 . 2009-10-21 19:41 -------- d-----w- c:\program files\Panda Security
2009-10-21 15:14 . 2009-10-21 15:14 -------- d-----w- c:\windows\system32\wbem\Repository
2009-10-21 13:48 . 2009-10-21 13:49 -------- d-----w- c:\program files\ATT-SST
2009-10-21 13:23 . 2009-10-21 13:29 -------- d-----w- c:\program files\ATT-PRT22-WISE
2009-10-21 12:59 . 2009-07-20 17:25 301656 ----a-w- c:\windows\system32\BtCoreIf.dll
2009-10-21 06:16 . 2009-10-25 19:26 -------- d-----w- c:\program files\Windows Live Safety Center
2009-10-21 04:30 . 2009-10-21 15:15 0 ----a-w- c:\windows\win32k.sys
2009-10-21 04:30 . 2009-10-21 04:30 271 ----a-w- c:\documents and settings\Adam\Local Settings\Application Data\pelf.vbs
2009-10-21 04:27 . 2009-10-21 04:27 271 ----a-w- c:\documents and settings\Adam\Local Settings\Application Data\hlgp.vbs
2009-10-16 15:00 . 2009-10-20 18:49 -------- d-----w- c:\windows\system32\Adobe
2009-10-08 19:57 . 2009-10-08 19:57 220160 ------w- c:\windows\system32\dllcache\oleacc.dll
2009-10-04 16:46 . 2009-10-21 18:20 -------- d-----w- c:\documents and settings\Adam\Application Data\Move Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-01 02:10 . 2009-02-03 22:56 -------- d-----w- c:\documents and settings\Adam\Application Data\DNA
2009-11-01 02:10 . 2006-03-13 00:04 -------- d-----w- c:\program files\DNA
2009-11-01 02:03 . 2009-02-03 22:56 -------- d-----w- c:\documents and settings\Adam\Application Data\BitTorrent
2009-10-31 00:06 . 2007-11-08 17:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-10-30 19:55 . 2005-12-24 05:00 -------- d-----w- c:\program files\Dl_cats
2009-10-30 03:32 . 2008-12-08 03:48 -------- d-----w- c:\program files\WinTV
2009-10-30 00:19 . 2005-12-16 08:29 -------- d-----w- c:\program files\McAfee
2009-10-22 16:35 . 2005-12-16 08:29 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-10-22 16:19 . 2005-12-16 08:28 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee.com
2009-10-22 14:56 . 2005-12-16 08:25 -------- d-----w- c:\program files\WildTangent
2009-10-22 14:54 . 2008-11-23 19:35 -------- d-----w- c:\documents and settings\All Users\Application Data\WildTangent
2009-10-22 14:51 . 2005-12-27 04:53 -------- d-----w- c:\program files\EarthLink
2009-10-22 14:48 . 2008-01-29 00:52 -------- d-----w- c:\program files\Cap'n Crunch
2009-10-22 14:48 . 2005-12-16 08:16 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-22 14:04 . 2005-12-16 08:22 -------- d-----w- c:\program files\Viewpoint
2009-10-22 11:10 . 2005-12-16 08:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-10-21 15:30 . 2008-01-03 02:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-21 14:58 . 2009-01-12 14:03 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-21 14:39 . 2007-06-24 22:11 -------- d-----w- c:\program files\Common Files\Motive
2009-10-21 14:37 . 2007-06-24 22:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Motive
2009-10-21 14:32 . 2007-07-01 04:53 -------- d-----w- c:\documents and settings\Adam\Application Data\Motive
2009-10-21 13:00 . 2009-03-06 04:16 -------- d-----w- c:\documents and settings\All Users\Application Data\LogiShrd
2009-10-21 12:59 . 2009-01-02 21:34 -------- d-----w- c:\program files\Common Files\Logitech
2009-10-21 06:52 . 2006-03-29 23:29 120816 -c--a-w- c:\documents and settings\Tiffany\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-16 15:25 . 2009-08-27 18:12 -------- d-----w- c:\documents and settings\Adam\Application Data\dvdcss
2009-10-14 19:06 . 2008-10-12 06:16 101188 ---ha-w- c:\windows\system32\mlfcache.dat
2009-10-13 12:25 . 2005-12-27 03:01 120816 -c--a-w- c:\documents and settings\Adam\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-13 08:05 . 2008-01-03 02:18 -------- d-----w- c:\program files\Microsoft Works
2009-10-08 19:57 . 2009-10-08 19:57 611328 ----a-w- c:\windows\system32\SETD2.tmp
2009-10-08 19:57 . 2009-10-08 19:57 220160 ----a-w- c:\windows\system32\SETD0.tmp
2009-10-08 19:56 . 2009-10-08 19:56 20480 ----a-w- c:\windows\system32\SETD1.tmp
2009-09-17 19:43 . 2009-09-17 19:43 -------- d-----w- c:\documents and settings\Adam\Application Data\McAfee
2009-09-17 19:22 . 2007-12-12 03:32 -------- d-----w- c:\program files\The Weather Channel FW
2009-09-16 15:40 . 2009-01-02 21:40 -------- d-----w- c:\program files\Common Files\LogiShrd
2009-09-16 15:40 . 2009-09-16 15:40 0 -c-ha-w- c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2009-09-16 15:22 . 2009-09-16 15:22 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-11 14:18 . 2005-08-16 10:18 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-07 15:57 . 2005-12-16 08:12 -------- d-----w- c:\program files\Java
2009-09-04 21:03 . 2005-08-16 10:18 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-26 08:00 . 2005-08-16 10:19 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-18 04:33 . 2009-08-18 04:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-07 00:24 . 2005-08-16 10:40 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 00:24 . 2005-08-16 10:40 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 00:24 . 2005-08-16 10:40 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 00:24 . 2005-05-26 10:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 00:24 . 2005-08-16 10:40 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-07 00:24 . 2005-08-16 10:18 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 00:23 . 2005-08-16 10:40 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 00:23 . 2008-01-03 03:25 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-07 00:23 . 2008-01-03 03:25 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-07 00:23 . 2005-08-16 10:40 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2005-08-16 10:18 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 2005-08-16 10:18 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-04 04:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-02-16 19:18 . 2009-02-16 19:18 4823040 -c----w- c:\program files\ehthumbs.db
2006-11-05 22:36 . 2006-11-05 22:36 774144 -c--a-w- c:\program files\RngInterstitial.dll
2008-05-03 21:01 . 2005-12-27 03:00 104 -csh--r- c:\windows\system32\7D6C9378DC.sys
2008-05-03 21:01 . 2005-12-27 03:00 3350 -csha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-01 02:08 . 2009-11-01 02:08 16384 c:\windows\Temp\Perflib_Perfdata_460.dat
+ 2005-08-17 03:06 . 2009-03-23 15:50 26488 c:\windows\system32\spupdsvc.exe
- 2005-08-17 03:06 . 2008-05-06 21:16 26488 c:\windows\system32\spupdsvc.exe
+ 2009-08-01 16:49 . 2009-03-23 15:50 17272 c:\windows\system32\spmsg.dll
- 2009-08-01 16:49 . 2009-05-26 11:40 17272 c:\windows\system32\spmsg.dll
+ 2005-12-24 04:38 . 2009-10-31 22:05 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-12-24 04:38 . 2009-10-31 13:02 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-10-31 17:20 . 2009-10-31 22:05 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2009-02-11 801904]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2004-11-30 1945600]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-02-03 342848]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-28 68856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-10-13 2000112]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-10 344064]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"CTDVDDET"="c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-07-11 122880]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-17 49152]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-03-20 213936]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-03-20 86960]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-09 8192]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-06-07 69632]
"dlccmon.exe"="c:\program files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-07-22 425984]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-09-13 180269]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"Motive SmartBridge"="c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2005-08-24 442455]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-03-20 213936]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-01-12 488984]
"LVCOMSX"="c:\program files\Common Files\LogiShrd\LComMgr\LVComSX.exe" [2007-01-12 244512]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2005-11-09 16384]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\CTXFIHLP.EXE [2006-03-02 18944]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-22 339968]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2009-06-17 55824]

c:\documents and settings\Tiffany\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\documents and settings\Adam\Start Menu\Programs\Startup\
Memeo AutoBackup Launcher.lnk - c:\documents and settings\Adam\Application Data\Microsoft\Installer\{6BCEB97B-F315-455D-BC2D-565A1A6781E8}\NewShortcut4_51A847D327C24F7797772AF2A4E486ED.exe [2009-10-21 73728]
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2008-12-22 385024]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2005-12-16 156784]
AT&T Self Support Tool.lnk - c:\program files\SBC Self Support Tool\bin\matcli.exe [2007-6-24 217088]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-12-16 24576]
Event Reminder.lnk - c:\program files\PrintMaster 16\pmremind.exe [2004-1-20 339968]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-3-5 813584]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]
ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2008-2-5 54512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-02-18 18:01 10536 ----a-w- c:\program files\Citrix\GoToAssist\508\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [10/21/2009 2:41 PM 28552]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [10/22/2009 11:35 AM 203280]
R3 hcw72ADFilter;WinTV HVR-950 USB Audio Filter Driver;c:\windows\system32\drivers\hcw72ADFilter.sys [7/8/2008 7:35 PM 27904]
R3 hcw72ATV;WinTV HVR-950 NTSC;c:\windows\system32\drivers\hcw72ATV.sys [7/8/2008 7:37 PM 1198720]
R3 hcw72DTV;WinTV HVR-950 ATSC/QAM;c:\windows\system32\drivers\hcw72DTV.sys [7/8/2008 7:41 PM 1191552]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 Medcin;Medcin;c:\program files\Medicomp Systems, Inc\Server\medcinserv --> c:\program files\Medicomp Systems, Inc\Server\medcinserv [?]
S3 ADSFilter;ADSFilter - (Aluria Filter Driver);c:\windows\system32\DRIVERS\ADSFilter.sys --> c:\windows\system32\DRIVERS\ADSFilter.sys [?]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys --> c:\windows\system32\Drivers\BW2NDIS5.sys [?]
S3 krdpdre;krdpdre;\??\c:\docume~1\Adam\LOCALS~1\Temp\krdpdre.sys --> c:\docume~1\Adam\LOCALS~1\Temp\krdpdre.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - CLASSPNP_2
*NewlyCreated* - MBR
*Deregistered* - CLASSPNP_2
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-11-01 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-03-05 03:39]

2009-11-01 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-22 17:22]

2009-11-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-22 17:22]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]{searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=localhost:8080
uInternet Settings,ProxyOverride = 127.0.0.1;
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
Trusted Zone: microsoft.com\oas.support
Trusted Zone: microsoft.com\support
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-10-31 21:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys sfsync02.sys hal.dll iastor.sys
kernel: MBR read successfully
user & kernel MBR OK
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

iastor.sys @ 0xB9E36000 0xD4E80 bytes

\Driver\iastor [ IRP_MJ_INTERNAL_DEVICE_CONTROL ] 0xB9E48B10 != 0xBA0C98B4 sfsync02.sys
\Driver\iastor IRP hooks detected !

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Medcin]
"ImagePath"="c:\program files\Medicomp Systems, Inc\Server\medcinserv"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(704)
c:\program files\Citrix\GoToAssist\508\G2AWinLogon.dll

- - - - - - - > 'explorer.exe'(3284)
c:\windows\system32\WININET.dll
c:\progra~1\SBCSEL~1\SMARTB~1\SBHook.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\CTsvcCDA.EXE
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\progra~1\Yahoo!\browser\ycommon.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\program files\MUSICMATCH\Musicmatch Jukebox\mim.exe
c:\program files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\eHome\ehmsas.exe
c:\windows\system32\dlcccoms.exe
c:\program files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
c:\program files\Memeo\AutoBackup\MemeoBackup.exe
c:\progra~1\mcafee\msc\mcupdmgr.exe
.
**************************************************************************
.
Completion time: 2009-11-01 21:16 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-01 02:16
ComboFix2.txt 2009-10-31 16:27

Pre-Run: 80,900,530,176 bytes free
Post-Run: 80,834,650,112 bytes free

- - End Of File - - BBAAC81D4249C7859AEEF6D25742CBDB

adamjac
Newbie Surfer
Posts: 13
Joined: 2009-10-22
Operating System: xp pro
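The ComboFix log in the post above is the kind of output a helper reads by eye; as an added example from the editor (not code from the thread, from ComboFix or from GeekPolice), here is a small triage script over the line formats that log uses. The sample lines are constructed in the same format with illustrative names and dates, and the rules (IE proxy pointed at a loopback address, a freshly written file under system32, a script under Application Data, IRP hooks reported, non-zero hidden counts) are the editor's own heuristics, so every hit still needs manual confirmation; a copy-protection driver such as the sfsync02.sys (StarForce) shown hooking iastor is one legitimate source of an IRP-hook hit.

```python
"""Triage helper for ComboFix / catchme log lines (editor's added example)."""
import re
from typing import List, Tuple

Finding = Tuple[str, str, str]  # (severity, rule, evidence)

# Constructed sample in the line formats ComboFix and catchme print. The file
# names, sizes and dates are illustrative, not copied from the poster's log.
SAMPLE_LOG = r"""
uInternet Settings,ProxyServer = http=localhost:8080
uInternet Settings,ProxyOverride = 127.0.0.1;
2009-10-29 15:23 . 2009-10-29 15:23 22016 ----a-w- c:\windows\system32\tdlwsp.dll
2009-10-31 16:01 . 2008-04-13 18:40 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-10-21 04:30 . 2009-10-21 04:30 271 ----a-w- c:\documents and settings\Adam\Local Settings\Application Data\pelf.vbs
2009-11-01 22:41 . 2009-11-01 22:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
\Driver\iastor [ IRP_MJ_INTERNAL_DEVICE_CONTROL ] 0xB9E48B10 != 0xBA0C98B4 sfsync02.sys
\Driver\iastor IRP hooks detected !
hidden processes: 0
hidden files: 2
"""

# "created . modified size attrs path" as printed in ComboFix's Files Created section.
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) +"
    r"(?P<size>\d+|-+) +(?P<attrs>[-\w]{8}) +(?P<path>.+)$"
)
PROXY_LINE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(?P<value>.+)$")
HIDDEN_LINE = re.compile(r"^hidden (?P<kind>\w+): (?P<count>\d+)$")

LOOPBACK_HOSTS = ("localhost", "127.0.0.1", "[::1]")
SYSTEM_DIR = "c:\\windows\\system32\\"
SCRIPT_EXTS = (".vbs", ".js", ".bat", ".cmd", ".wsf")


def _classify_file(m: "re.Match[str]") -> List[Finding]:
    """Heuristics (editor's own) for one Files Created line."""
    if m.group("attrs").startswith("d"):  # directory entries carry no payload here
        return []
    path = m.group("path")
    lowered = path.lower()
    out: List[Finding] = []
    # A file written fresh has created == modified. Files copied in by Windows
    # Update or restored from dllcache keep an older modified (build) time.
    if lowered.startswith(SYSTEM_DIR) and m.group("created") == m.group("modified"):
        out.append(("medium", "new-file-in-system32", path))
    # Script files under a user's Application Data are common dropper residue.
    if lowered.endswith(SCRIPT_EXTS) and "\\application data\\" in lowered:
        out.append(("medium", "script-in-profile-data", path))
    return out


def triage(log_text: str) -> List[Finding]:
    """Return (severity, rule, evidence) for each line that trips a heuristic."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROXY_LINE.match(line)
        if m:
            # IE proxy pointed at the local machine: something on the host is
            # intercepting browser traffic (fits the redirect symptom reported).
            if any(h in m.group("value").lower() for h in LOOPBACK_HOSTS):
                findings.append(("high", "local-proxy-hijack", line))
            continue
        if "IRP hooks detected" in line:
            # Disk-stack IRP hooks: rootkit or copy-protection driver; check the
            # module named on the preceding "!=" line before acting on this.
            findings.append(("medium", "irp-hook", line))
            continue
        m = HIDDEN_LINE.match(line)
        if m:
            if int(m.group("count")) > 0:
                findings.append(("high", "hidden-" + m.group("kind"), line))
            continue
        m = FILE_LINE.match(line)
        if m:
            findings.extend(_classify_file(m))
    return findings


if __name__ == "__main__":
    for severity, rule, evidence in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {rule:24} {evidence}")
```

Run against a real log, the output is a shortlist to verify, not a verdict: check the owning module of any IRP hook, look up the signer and origin of any freshly written system32 file, and treat a loopback proxy as the explanation for "constantly redirecting" only after the proxying process has been identified.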

Re: trojan and virus overload

Post by DragonMaster Jay on Sat 31 Oct 2009, 8:47 pm

Let's try to smash it...ok

Please download [You must be registered and logged in to see this link.] and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).

  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds, then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

DragonMaster Jay
Moderator | Tech Staff
Posts: 2132
Joined: 2009-09-06
Operating System: Windows 7 Ultimate 32-Bit

Re: trojan and virus overload

Post by adamjac on Sat 31 Oct 2009, 10:17 pm

Unsure what a HijackThis log is, but here are the results of the report. Again, thank you.



SDFix: Version 1.240
Run by Administrator on Sat 10/31/2009 at 10:45 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-10-31 22:54:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"="C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe:*:Enabled:AT&T Yahoo! Music Jukebox"
"C:\\Program Files\\Yahoo! Games\\Hamsterball\\Hamsterball.exe"="C:\\Program Files\\Yahoo! Games\\Hamsterball\\Hamsterball.exe:*:Disabled:Hamsterball"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe:*:Enabled:MySpaceIM"
"C:\\Program Files\\DNA\\btdna.exe"="C:\\Program Files\\DNA\\btdna.exe:*:Enabled:DNA"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :



Files with hidden Attributes :

Mon 26 Dec 2005 56 A.SHR --- "C:\i386\7D6C9378DC.sys"
Mon 26 Dec 2005 2,516 A.SH. --- "C:\i386\KGyGaAvL.sys"
Wed 1 Sep 2004 54,384 A..H. --- "C:\Program Files\America Online 9.0\aolphx.exe"
Wed 1 Sep 2004 156,784 A..H. --- "C:\Program Files\America Online 9.0\aoltray.exe"
Wed 1 Sep 2004 31,344 A..H. --- "C:\Program Files\America Online 9.0\RBM.exe"
Sun 13 Apr 2008 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Sat 3 May 2008 104 ..SHR --- "C:\WINDOWS\system32\7D6C9378DC.sys"
Sat 3 May 2008 3,350 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Tue 14 Feb 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 24 May 2009 10,053,112 A..H. --- "C:\Program Files\Google\Picasa3\setup.exe"
Thu 22 Oct 2009 20,688 A.SHR --- "C:\Program Files\McAfee\MQC\MRU.bak"
Thu 22 Oct 2009 265 A.SHR --- "C:\Program Files\McAfee\MQC\qcconf.bak"
Thu 13 Jul 2006 1,675,264 ...H. --- "C:\Program Files\PopCap Games\Bejeweled 2 Deluxe\game.exe"
Wed 19 Jul 2006 1,675,264 ...H. --- "C:\Program Files\PopCap Games\Bejeweled 2 Deluxe\game2.exe"
Sat 1 Aug 2009 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Sat 31 Oct 2009 6,004 A.SH. --- "C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBE7.tmp"
Sat 31 Oct 2009 5,946 A.SH. --- "C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBE8.tmp"

Finished!

adamjac
Newbie Surfer
Posts: 13
Joined: 2009-10-22
Operating System: xp pro

Re: trojan and virus overload

Post by DragonMaster Jay on Sun 01 Nov 2009, 12:22 pm

Please download Malwarebytes Anti-Malware from [You must be registered and logged in to see this link.].

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

DragonMaster Jay
Moderator | Tech Staff
Posts: 2132
Joined: 2009-09-06
Operating System: Windows 7 Ultimate 32-Bit

Re: trojan and virus overload

Post by adamjac on Sun 01 Nov 2009, 8:19 pm

Well, it seems everything was quarantined and removed without a glitch. First, here is the infection log.
Malwarebytes' Anti-Malware 1.41
Database version: 3081
Windows 5.1.2600 Service Pack 3

11/1/2009 8:01:12 PM
mbam-log-2009-11-01 (20-01-01).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 285486
Time elapsed: 2 hour(s), 24 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b7d3e479-cc68-42b5-a338-938ece35f419} (Adware.Softomate) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Weather Services (Adware.Hotbar) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{b7d3e479-cc68-42b5-a338-938ece35f419} (Adware.Softomate) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\wxfw.dll (Adware.Hotbar) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions\Zango@Zango.com (Adware.Zango) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\MyWaySA (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MyWaySA\SrchAsDe (Adware.MyWebSearch) -> No action taken.

Files Infected:
C:\WINDOWS\win32k.sys (Trojan.Dropper) -> No action taken.

------------------------------------------------------------------------------------------------
and the finished log

Malwarebytes' Anti-Malware 1.41
Database version: 3081
Windows 5.1.2600 Service Pack 3

11/1/2009 8:01:24 PM
mbam-log-2009-11-01 (20-01-24).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 285486
Time elapsed: 2 hour(s), 24 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b7d3e479-cc68-42b5-a338-938ece35f419} (Adware.Softomate) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Weather Services (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{b7d3e479-cc68-42b5-a338-938ece35f419} (Adware.Softomate) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\wxfw.dll (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions\Zango@Zango.com (Adware.Zango) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\MyWaySA (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWaySA\SrchAsDe (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\win32k.sys (Trojan.Dropper) -> Quarantined and deleted successfully.

As always thank you for your patience and help.

adamjac
Newbie Surfer
Posts: 13
Joined: 2009-10-22
Operating System: xp pro

Re: trojan and virus overload

Post by DragonMaster Jay on Sun 01 Nov 2009, 8:54 pm

Please re-run ComboFix as noted above, and post a new log in your next reply.

DragonMaster Jay
Moderator | Tech Staff
Posts: 2132
Joined: 2009-09-06
Operating System: Windows 7 Ultimate 32-Bit

Re: trojan and virus overload

Post by adamjac on Sun 01 Nov 2009, 9:42 pm

Here is the new ComboFix report.


ComboFix 09-10-30.01 - Adam 11/01/2009 21:24.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2847 [GMT -6:00]
Running from: c:\documents and settings\Adam\desktop\commy.exe
Command switches used :: /stepdel
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((( Files Created from 2009-10-02 to 2009-11-02 )))))))))))))))))))))))))))))))
.

2009-11-02 03:22 . 2009-11-02 03:22 -------- d-----w- C:\32788R22FWJFW
2009-11-01 22:41 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-01 22:41 . 2009-11-01 22:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-01 22:41 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-01 03:44 . 2009-11-01 03:44 578560 ----a-w- c:\windows\system32\dllcache\user32.dll
2009-11-01 03:41 . 2009-11-01 03:42 -------- d-----w- c:\windows\ERUNT
2009-11-01 03:25 . 2009-11-01 03:58 -------- d-----w- C:\SDFix
2009-11-01 01:53 . 2008-04-14 00:11 56320 ----a-w- c:\windows\system32\dllcache\eventlog.dll
2009-11-01 01:53 . 2008-04-14 00:11 56320 ------w- c:\windows\system32\eventlog.dll
2009-10-31 16:01 . 2008-04-13 18:40 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-10-31 16:01 . 2008-04-13 18:40 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys
2009-10-29 15:23 . 2009-10-29 15:23 22016 ----a-w- c:\windows\system32\tdlwsp.dll
2009-10-25 06:11 . 2009-10-01 15:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-22 16:33 . 2009-09-16 15:22 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-10-22 16:33 . 2009-09-16 15:22 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-10-22 16:33 . 2009-09-16 15:22 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-10-22 16:33 . 2009-07-16 17:32 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-10-22 16:32 . 2009-10-22 16:33 -------- d-----w- c:\program files\Common Files\McAfee
2009-10-22 16:32 . 2009-10-22 16:32 -------- d-----w- c:\program files\McAfee.com
2009-10-22 16:30 . 2009-09-16 15:22 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-10-22 13:19 . 2009-10-22 13:19 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-10-22 13:19 . 2009-11-02 03:30 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-22 13:19 . 2009-10-22 13:19 -------- d-----w- c:\documents and settings\Adam\Application Data\SUPERAntiSpyware.com
2009-10-22 13:09 . 2009-10-22 13:09 -------- d-----w- c:\documents and settings\Adam\Application Data\Malwarebytes
2009-10-22 13:09 . 2009-10-22 13:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-22 01:11 . 2009-10-22 01:11 -------- d-----w- c:\program files\Common Files\eSellerate
2009-10-21 19:41 . 2009-06-30 15:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-10-21 19:41 . 2009-10-21 19:41 -------- d-----w- c:\program files\Panda Security
2009-10-21 15:14 . 2009-10-21 15:14 -------- d-----w- c:\windows\system32\wbem\Repository
2009-10-21 13:48 . 2009-10-21 13:49 -------- d-----w- c:\program files\ATT-SST
2009-10-21 13:23 . 2009-10-21 13:29 -------- d-----w- c:\program files\ATT-PRT22-WISE
2009-10-21 12:59 . 2009-07-20 17:25 301656 ----a-w- c:\windows\system32\BtCoreIf.dll
2009-10-21 06:16 . 2009-10-25 19:26 -------- d-----w- c:\program files\Windows Live Safety Center
2009-10-21 04:30 . 2009-10-21 04:30 271 ----a-w- c:\documents and settings\Adam\Local Settings\Application Data\pelf.vbs
2009-10-21 04:27 . 2009-10-21 04:27 271 ----a-w- c:\documents and settings\Adam\Local Settings\Application Data\hlgp.vbs
2009-10-16 15:00 . 2009-10-20 18:49 -------- d-----w- c:\windows\system32\Adobe
2009-10-08 19:57 . 2009-10-08 19:57 220160 ------w- c:\windows\system32\dllcache\oleacc.dll
2009-10-04 16:46 . 2009-10-21 18:20 -------- d-----w- c:\documents and settings\Adam\Application Data\Move Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-02 03:24 . 2009-02-03 22:56 -------- d-----w- c:\documents and settings\Adam\Application Data\DNA
2009-11-02 03:10 . 2007-11-08 17:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-11-02 02:04 . 2006-03-13 00:04 -------- d-----w- c:\program files\DNA
2009-11-02 02:01 . 2009-02-03 22:56 -------- d-----w- c:\documents and settings\Adam\Application Data\BitTorrent
2009-11-02 02:00 . 2008-12-08 03:48 -------- d-----w- c:\program files\WinTV
2009-10-30 19:55 . 2005-12-24 05:00 -------- d-----w- c:\program files\Dl_cats
2009-10-30 00:19 . 2005-12-16 08:29 -------- d-----w- c:\program files\McAfee
2009-10-22 16:35 . 2005-12-16 08:29 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-10-22 16:19 . 2005-12-16 08:28 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee.com
2009-10-22 14:56 . 2005-12-16 08:25 -------- d-----w- c:\program files\WildTangent
2009-10-22 14:54 . 2008-11-23 19:35 -------- d-----w- c:\documents and settings\All Users\Application Data\WildTangent
2009-10-22 14:51 . 2005-12-27 04:53 -------- d-----w- c:\program files\EarthLink
2009-10-22 14:48 . 2008-01-29 00:52 -------- d-----w- c:\program files\Cap'n Crunch
2009-10-22 14:48 . 2005-12-16 08:16 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-22 14:04 . 2005-12-16 08:22 -------- d-----w- c:\program files\Viewpoint
2009-10-22 11:10 . 2005-12-16 08:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-10-21 15:30 . 2008-01-03 02:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-21 14:58 . 2009-01-12 14:03 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-21 14:39 . 2007-06-24 22:11 -------- d-----w- c:\program files\Common Files\Motive
2009-10-21 14:37 . 2007-06-24 22:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Motive
2009-10-21 14:32 . 2007-07-01 04:53 -------- d-----w- c:\documents and settings\Adam\Application Data\Motive
2009-10-21 13:00 . 2009-03-06 04:16 -------- d-----w- c:\documents and settings\All Users\Application Data\LogiShrd
2009-10-21 12:59 . 2009-01-02 21:34 -------- d-----w- c:\program files\Common Files\Logitech
2009-10-21 06:52 . 2006-03-29 23:29 120816 -c--a-w- c:\documents and settings\Tiffany\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-16 15:25 . 2009-08-27 18:12 -------- d-----w- c:\documents and settings\Adam\Application Data\dvdcss
2009-10-14 19:06 . 2008-10-12 06:16 101188 ---ha-w- c:\windows\system32\mlfcache.dat
2009-10-13 12:25 . 2005-12-27 03:01 120816 -c--a-w- c:\documents and settings\Adam\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-13 08:05 . 2008-01-03 02:18 -------- d-----w- c:\program files\Microsoft Works
2009-10-08 19:57 . 2009-10-08 19:57 611328 ----a-w- c:\windows\system32\SETD2.tmp
2009-10-08 19:57 . 2009-10-08 19:57 220160 ----a-w- c:\windows\system32\SETD0.tmp
2009-10-08 19:56 . 2009-10-08 19:56 20480 ----a-w- c:\windows\system32\SETD1.tmp
2009-09-17 19:43 . 2009-09-17 19:43 -------- d-----w- c:\documents and settings\Adam\Application Data\McAfee
2009-09-17 19:22 . 2007-12-12 03:32 -------- d-----w- c:\program files\The Weather Channel FW
2009-09-16 15:40 . 2009-01-02 21:40 -------- d-----w- c:\program files\Common Files\LogiShrd
2009-09-16 15:40 . 2009-09-16 15:40 0 -c-ha-w- c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2009-09-16 15:22 . 2009-09-16 15:22 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-11 14:18 . 2005-08-16 10:18 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-07 15:57 . 2005-12-16 08:12 -------- d-----w- c:\program files\Java
2009-09-04 21:03 . 2005-08-16 10:18 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-26 08:00 . 2005-08-16 10:19 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-18 04:33 . 2009-08-18 04:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-07 00:24 . 2005-08-16 10:40 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 00:24 . 2005-08-16 10:40 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 00:24 . 2005-08-16 10:40 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 00:24 . 2005-05-26 10:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 00:24 . 2005-08-16 10:40 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-07 00:24 . 2005-08-16 10:18 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 00:23 . 2005-08-16 10:40 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 00:23 . 2008-01-03 03:25 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-07 00:23 . 2008-01-03 03:25 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-07 00:23 . 2005-08-16 10:40 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2005-08-16 10:18 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 2005-08-16 10:18 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-04 04:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-02-16 19:18 . 2009-02-16 19:18 4823040 -c----w- c:\program files\ehthumbs.db
2006-11-05 22:36 . 2006-11-05 22:36 774144 -c--a-w- c:\program files\RngInterstitial.dll
2008-05-03 21:01 . 2005-12-27 03:00 104 -csh--r- c:\windows\system32\7D6C9378DC.sys
2008-05-03 21:01 . 2005-12-27 03:00 3350 -csha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
- 2005-08-17 03:06 . 2008-05-06 21:16 26488 c:\windows\system32\spupdsvc.exe
+ 2005-08-17 03:06 . 2009-03-23 15:50 26488 c:\windows\system32\spupdsvc.exe
+ 2009-08-01 16:49 . 2009-03-23 15:50 17272 c:\windows\system32\spmsg.dll
- 2009-08-01 16:49 . 2009-05-26 11:40 17272 c:\windows\system32\spmsg.dll
+ 2005-08-16 10:18 . 2009-11-02 02:08 84444 c:\windows\system32\perfc009.dat
- 2005-08-16 10:18 . 2009-10-21 15:32 84444 c:\windows\system32\perfc009.dat
+ 2005-12-24 04:38 . 2009-11-02 02:09 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-12-24 04:38 . 2009-10-31 13:02 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-12-24 04:38 . 2009-10-31 13:02 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-10-31 17:20 . 2009-11-02 02:09 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-11-01 03:42 . 2009-11-01 03:42 8192 c:\windows\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2009-11-01 03:42 . 2009-11-01 03:42 8192 c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
- 2005-08-16 10:18 . 2009-10-21 15:32 475006 c:\windows\system32\perfh009.dat
+ 2005-08-16 10:18 . 2009-11-02 02:08 475006 c:\windows\system32\perfh009.dat
+ 2009-11-01 03:42 . 2009-11-01 03:42 598016 c:\windows\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
+ 2009-11-01 03:42 . 2008-08-07 20:27 163328 c:\windows\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2009-11-01 03:42 . 2009-11-01 03:42 598016 c:\windows\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2009-11-01 03:42 . 2008-08-07 20:27 163328 c:\windows\ERUNT\SDFIX\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-01 4670968]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2009-02-11 801904]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2004-11-30 1945600]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-02-03 342848]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-28 68856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-10-13 2000112]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-10 344064]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"CTDVDDET"="c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-07-11 122880]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-17 49152]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-03-20 213936]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-03-20 86960]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-09 8192]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-06-07 69632]
"dlccmon.exe"="c:\program files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-07-22 425984]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-09-13 180269]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"Motive SmartBridge"="c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2005-08-24 442455]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-03-20 213936]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-01-12 488984]
"LVCOMSX"="c:\program files\Common Files\LogiShrd\LComMgr\LVComSX.exe" [2007-01-12 244512]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2005-11-09 16384]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\CTXFIHLP.EXE [2006-03-02 18944]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-22 339968]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2009-06-17 55824]

c:\documents and settings\Tiffany\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\documents and settings\Adam\Start Menu\Programs\Startup\
Memeo AutoBackup Launcher.lnk - c:\documents and settings\Adam\Application Data\Microsoft\Installer\{6BCEB97B-F315-455D-BC2D-565A1A6781E8}\NewShortcut4_51A847D327C24F7797772AF2A4E486ED.exe [2009-10-21 73728]
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2008-12-22 385024]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2005-12-16 156784]
AT&T Self Support Tool.lnk - c:\program files\SBC Self Support Tool\bin\matcli.exe [2007-6-24 217088]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-12-16 24576]
Event Reminder.lnk - c:\program files\PrintMaster 16\pmremind.exe [2004-1-20 339968]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-3-5 813584]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]
ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2008-2-5 54512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-02-18 18:01 10536 ----a-w- c:\program files\Citrix\GoToAssist\508\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [10/21/2009 1:41 PM 28552]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [10/22/2009 10:35 AM 203280]
R3 hcw72ADFilter;WinTV HVR-950 USB Audio Filter Driver;c:\windows\system32\drivers\hcw72ADFilter.sys [7/8/2008 6:35 PM 27904]
R3 hcw72ATV;WinTV HVR-950 NTSC;c:\windows\system32\drivers\hcw72ATV.sys [7/8/2008 6:37 PM 1198720]
R3 hcw72DTV;WinTV HVR-950 ATSC/QAM;c:\windows\system32\drivers\hcw72DTV.sys [7/8/2008 6:41 PM 1191552]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 Medcin;Medcin;c:\program files\Medicomp Systems, Inc\Server\medcinserv --> c:\program files\Medicomp Systems, Inc\Server\medcinserv [?]
S3 ADSFilter;ADSFilter - (Aluria Filter Driver);c:\windows\system32\DRIVERS\ADSFilter.sys --> c:\windows\system32\DRIVERS\ADSFilter.sys [?]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys --> c:\windows\system32\Drivers\BW2NDIS5.sys [?]
S3 krdpdre;krdpdre;\??\c:\docume~1\Adam\LOCALS~1\Temp\krdpdre.sys --> c:\docume~1\Adam\LOCALS~1\Temp\krdpdre.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - CLASSPNP_2
*NewlyCreated* - MBR
*Deregistered* - CLASSPNP_2
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-11-02 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-03-05 03:39]

2009-11-01 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-22 17:22]

2009-11-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-22 17:22]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]{searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=localhost:8080
uInternet Settings,ProxyOverride = 127.0.0.1;
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
Trusted Zone: microsoft.com\oas.support
Trusted Zone: microsoft.com\support
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-11-01 21:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys sfsync02.sys hal.dll iastor.sys
kernel: MBR read successfully
user & kernel MBR OK
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

iastor.sys @ 0xB9E36000 0xD4E80 bytes

\Driver\iastor [ IRP_MJ_INTERNAL_DEVICE_CONTROL ] 0xB9E48B10 != 0xBA0C98B4 sfsync02.sys
\Driver\iastor IRP hooks detected !

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Medcin]
"ImagePath"="c:\program files\Medicomp Systems, Inc\Server\medcinserv"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(696)
c:\program files\Citrix\GoToAssist\508\G2AWinLogon.dll

- - - - - - - > 'explorer.exe'(876)
c:\windows\system32\WININET.dll
c:\progra~1\SBCSEL~1\SMARTB~1\SBHook.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-11-02 21:36
ComboFix-quarantined-files.txt 2009-11-02 03:36
ComboFix2.txt 2009-11-01 02:16
ComboFix3.txt 2009-10-31 16:27

Pre-Run: 80,104,730,624 bytes free
Post-Run: 80,085,897,216 bytes free

- - End Of File - - 5BD81022B8B4D9ECBDD6994CB61A301A

adamjac

Newbie Surfer

Posts: 13
Joined: 2009-10-22
Operating System: xp pro

Re: trojan and virus overload

Post by DragonMaster Jay on Sun 01 Nov 2009, 10:14 pm

Jotti File Submission:
  • Please go to [You must be registered and logged in to see this link.]

  • Copy and paste the following file path into the "File to upload & scan" box at the top of the page:

    • c:\windows\system32\dllcache\oleacc.dll


  • Click on the submit button

  • Please post the results (URL) in your next reply.


==

Re-running ComboFix to remove infections:

  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    File::
    c:\windows\system32\SETD2.tmp
    c:\windows\system32\SETD0.tmp
    c:\windows\system32\SETD1.tmp
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.

Also, please tell me how your computer is running.

______________________________



DragonMaster Jay

Moderator | Tech Staff

Posts: 2132
Joined: 2009-09-06
Operating System: Windows 7 Ultimate 32-Bit

Re: trojan and virus overload

Post by adamjac on Sun 01 Nov 2009, 10:57 pm

My computer seems to be running faster and without all the redirecting. Even the activity light on my modem seems to have stabilized, and I have been able to update some of my Windows. I don't know how I stumbled onto this site, but I sure am glad there are people in this world who still have kindness; thanks to all the people who make this site possible.

The Jotti report

Filename: oleacc.dll
Status: Scan finished. 0 out of 21 scanners reported malware.
Scan taken on: Mon 2 Nov 2009 05:19:46 (CET)



--------------------------------------------------------------------------------
Additional info
File size: 220160 bytes
Filetype: PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
MD5: dfc132d3ec7900bcb21e9375a10130c8
SHA1: bd575cfd062fbb03d5c25268835be84a0d7d03e4



And the combofix report



ComboFix 09-10-30.01 - Adam 11/01/2009 22:29.4.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2886 [GMT -6:00]
Running from: c:\documents and settings\Adam\Desktop\commy.exe
Command switches used :: c:\documents and settings\Adam\Desktop\CFscript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\windows\system32\SETD0.tmp"
"c:\windows\system32\SETD1.tmp"
"c:\windows\system32\SETD2.tmp"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\SETD0.tmp
c:\windows\system32\SETD1.tmp
c:\windows\system32\SETD2.tmp

.
((((((((((((((((((((((((( Files Created from 2009-10-02 to 2009-11-02 )))))))))))))))))))))))))))))))
.

2009-11-02 04:27 . 2009-11-02 04:27 -------- d-----w- C:\32788R22FWJFW
2009-11-01 22:41 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-01 22:41 . 2009-11-01 22:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-01 22:41 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-01 03:44 . 2009-11-01 03:44 578560 ----a-w- c:\windows\system32\dllcache\user32.dll
2009-11-01 03:41 . 2009-11-01 03:42 -------- d-----w- c:\windows\ERUNT
2009-11-01 03:25 . 2009-11-01 03:58 -------- d-----w- C:\SDFix
2009-11-01 01:53 . 2008-04-14 00:11 56320 ----a-w- c:\windows\system32\dllcache\eventlog.dll
2009-11-01 01:53 . 2008-04-14 00:11 56320 ------w- c:\windows\system32\eventlog.dll
2009-10-31 16:01 . 2008-04-13 18:40 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-10-31 16:01 . 2008-04-13 18:40 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys
2009-10-29 15:23 . 2009-10-29 15:23 22016 ----a-w- c:\windows\system32\tdlwsp.dll
2009-10-25 06:11 . 2009-10-01 15:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-22 16:33 . 2009-09-16 15:22 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-10-22 16:33 . 2009-09-16 15:22 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-10-22 16:33 . 2009-09-16 15:22 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-10-22 16:33 . 2009-07-16 17:32 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-10-22 16:32 . 2009-10-22 16:33 -------- d-----w- c:\program files\Common Files\McAfee
2009-10-22 16:32 . 2009-10-22 16:32 -------- d-----w- c:\program files\McAfee.com
2009-10-22 16:30 . 2009-09-16 15:22 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-10-22 13:19 . 2009-10-22 13:19 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-10-22 13:19 . 2009-11-02 04:35 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-22 13:19 . 2009-10-22 13:19 -------- d-----w- c:\documents and settings\Adam\Application Data\SUPERAntiSpyware.com
2009-10-22 13:09 . 2009-10-22 13:09 -------- d-----w- c:\documents and settings\Adam\Application Data\Malwarebytes
2009-10-22 13:09 . 2009-10-22 13:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-22 01:11 . 2009-10-22 01:11 -------- d-----w- c:\program files\Common Files\eSellerate
2009-10-21 19:41 . 2009-06-30 15:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-10-21 19:41 . 2009-10-21 19:41 -------- d-----w- c:\program files\Panda Security
2009-10-21 15:14 . 2009-10-21 15:14 -------- d-----w- c:\windows\system32\wbem\Repository
2009-10-21 13:48 . 2009-10-21 13:49 -------- d-----w- c:\program files\ATT-SST
2009-10-21 13:23 . 2009-10-21 13:29 -------- d-----w- c:\program files\ATT-PRT22-WISE
2009-10-21 12:59 . 2009-07-20 17:25 301656 ----a-w- c:\windows\system32\BtCoreIf.dll
2009-10-21 06:16 . 2009-10-25 19:26 -------- d-----w- c:\program files\Windows Live Safety Center
2009-10-21 04:30 . 2009-10-21 04:30 271 ----a-w- c:\documents and settings\Adam\Local Settings\Application Data\pelf.vbs
2009-10-21 04:27 . 2009-10-21 04:27 271 ----a-w- c:\documents and settings\Adam\Local Settings\Application Data\hlgp.vbs
2009-10-16 15:00 . 2009-10-20 18:49 -------- d-----w- c:\windows\system32\Adobe
2009-10-08 19:57 . 2009-10-08 19:57 220160 ------w- c:\windows\system32\dllcache\oleacc.dll
2009-10-04 16:46 . 2009-10-21 18:20 -------- d-----w- c:\documents and settings\Adam\Application Data\Move Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-02 04:34 . 2009-02-03 22:56 -------- d-----w- c:\documents and settings\Adam\Application Data\DNA
2009-11-02 03:10 . 2007-11-08 17:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-11-02 02:04 . 2006-03-13 00:04 -------- d-----w- c:\program files\DNA
2009-11-02 02:01 . 2009-02-03 22:56 -------- d-----w- c:\documents and settings\Adam\Application Data\BitTorrent
2009-11-02 02:00 . 2008-12-08 03:48 -------- d-----w- c:\program files\WinTV
2009-10-30 19:55 . 2005-12-24 05:00 -------- d-----w- c:\program files\Dl_cats
2009-10-30 00:19 . 2005-12-16 08:29 -------- d-----w- c:\program files\McAfee
2009-10-22 16:35 . 2005-12-16 08:29 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-10-22 16:19 . 2005-12-16 08:28 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee.com
2009-10-22 14:56 . 2005-12-16 08:25 -------- d-----w- c:\program files\WildTangent
2009-10-22 14:54 . 2008-11-23 19:35 -------- d-----w- c:\documents and settings\All Users\Application Data\WildTangent
2009-10-22 14:51 . 2005-12-27 04:53 -------- d-----w- c:\program files\EarthLink
2009-10-22 14:48 . 2008-01-29 00:52 -------- d-----w- c:\program files\Cap'n Crunch
2009-10-22 14:48 . 2005-12-16 08:16 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-22 14:04 . 2005-12-16 08:22 -------- d-----w- c:\program files\Viewpoint
2009-10-22 11:10 . 2005-12-16 08:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-10-21 15:30 . 2008-01-03 02:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-21 14:58 . 2009-01-12 14:03 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-21 14:39 . 2007-06-24 22:11 -------- d-----w- c:\program files\Common Files\Motive
2009-10-21 14:37 . 2007-06-24 22:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Motive
2009-10-21 14:32 . 2007-07-01 04:53 -------- d-----w- c:\documents and settings\Adam\Application Data\Motive
2009-10-21 13:00 . 2009-03-06 04:16 -------- d-----w- c:\documents and settings\All Users\Application Data\LogiShrd
2009-10-21 12:59 . 2009-01-02 21:34 -------- d-----w- c:\program files\Common Files\Logitech
2009-10-21 06:52 . 2006-03-29 23:29 120816 -c--a-w- c:\documents and settings\Tiffany\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-16 15:25 . 2009-08-27 18:12 -------- d-----w- c:\documents and settings\Adam\Application Data\dvdcss
2009-10-14 19:06 . 2008-10-12 06:16 101188 ---ha-w- c:\windows\system32\mlfcache.dat
2009-10-13 12:25 . 2005-12-27 03:01 120816 -c--a-w- c:\documents and settings\Adam\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-13 08:05 . 2008-01-03 02:18 -------- d-----w- c:\program files\Microsoft Works
2009-09-17 19:43 . 2009-09-17 19:43 -------- d-----w- c:\documents and settings\Adam\Application Data\McAfee
2009-09-17 19:22 . 2007-12-12 03:32 -------- d-----w- c:\program files\The Weather Channel FW
2009-09-16 15:40 . 2009-01-02 21:40 -------- d-----w- c:\program files\Common Files\LogiShrd
2009-09-16 15:40 . 2009-09-16 15:40 0 -c-ha-w- c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2009-09-16 15:22 . 2009-09-16 15:22 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-11 14:18 . 2005-08-16 10:18 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-07 15:57 . 2005-12-16 08:12 -------- d-----w- c:\program files\Java
2009-09-04 21:03 . 2005-08-16 10:18 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-26 08:00 . 2005-08-16 10:19 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-18 04:33 . 2009-08-18 04:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-07 00:24 . 2005-08-16 10:40 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 00:24 . 2005-08-16 10:40 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 00:24 . 2005-08-16 10:40 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 00:24 . 2005-05-26 10:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 00:24 . 2005-08-16 10:40 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-07 00:24 . 2005-08-16 10:18 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 00:23 . 2005-08-16 10:40 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 00:23 . 2008-01-03 03:25 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-07 00:23 . 2008-01-03 03:25 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-07 00:23 . 2005-08-16 10:40 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2005-08-16 10:18 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 2005-08-16 10:18 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-04 04:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-02-16 19:18 . 2009-02-16 19:18 4823040 -c----w- c:\program files\ehthumbs.db
2006-11-05 22:36 . 2006-11-05 22:36 774144 -c--a-w- c:\program files\RngInterstitial.dll
2008-05-03 21:01 . 2005-12-27 03:00 104 -csh--r- c:\windows\system32\7D6C9378DC.sys
2008-05-03 21:01 . 2005-12-27 03:00 3350 -csha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
- 2005-08-17 03:06 . 2008-05-06 21:16 26488 c:\windows\system32\spupdsvc.exe
+ 2005-08-17 03:06 . 2009-03-23 15:50 26488 c:\windows\system32\spupdsvc.exe
+ 2009-08-01 16:49 . 2009-03-23 15:50 17272 c:\windows\system32\spmsg.dll
- 2009-08-01 16:49 . 2009-05-26 11:40 17272 c:\windows\system32\spmsg.dll
+ 2005-08-16 10:18 . 2009-11-02 02:08 84444 c:\windows\system32\perfc009.dat
- 2005-08-16 10:18 . 2009-10-21 15:32 84444 c:\windows\system32\perfc009.dat
+ 2005-12-24 04:38 . 2009-11-02 02:09 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-12-24 04:38 . 2009-10-31 13:02 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-11-01 03:42 . 2009-11-01 03:42 8192 c:\windows\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2009-11-01 03:42 . 2009-11-01 03:42 8192 c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
- 2005-08-16 10:18 . 2009-10-21 15:32 475006 c:\windows\system32\perfh009.dat
+ 2005-08-16 10:18 . 2009-11-02 02:08 475006 c:\windows\system32\perfh009.dat
+ 2009-11-01 03:42 . 2009-11-01 03:42 598016 c:\windows\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
+ 2009-11-01 03:42 . 2008-08-07 20:27 163328 c:\windows\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2009-11-01 03:42 . 2009-11-01 03:42 598016 c:\windows\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2009-11-01 03:42 . 2008-08-07 20:27 163328 c:\windows\ERUNT\SDFIX\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-01 4670968]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2009-02-11 801904]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2004-11-30 1945600]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-02-03 342848]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-28 68856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-10-13 2000112]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-10 344064]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"CTDVDDET"="c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-07-11 122880]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-17 49152]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-03-20 213936]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-03-20 86960]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-09 8192]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-06-07 69632]
"dlccmon.exe"="c:\program files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-07-22 425984]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-09-13 180269]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"Motive SmartBridge"="c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2005-08-24 442455]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-03-20 213936]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-01-12 488984]
"LVCOMSX"="c:\program files\Common Files\LogiShrd\LComMgr\LVComSX.exe" [2007-01-12 244512]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2005-11-09 16384]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\CTXFIHLP.EXE [2006-03-02 18944]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-22 339968]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2009-06-17 55824]

c:\documents and settings\Tiffany\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\documents and settings\Adam\Start Menu\Programs\Startup\
Memeo AutoBackup Launcher.lnk - c:\documents and settings\Adam\Application Data\Microsoft\Installer\{6BCEB97B-F315-455D-BC2D-565A1A6781E8}\NewShortcut4_51A847D327C24F7797772AF2A4E486ED.exe [2009-10-21 73728]
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2008-12-22 385024]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2005-12-16 156784]
AT&T Self Support Tool.lnk - c:\program files\SBC Self Support Tool\bin\matcli.exe [2007-6-24 217088]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-12-16 24576]
Event Reminder.lnk - c:\program files\PrintMaster 16\pmremind.exe [2004-1-20 339968]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-3-5 813584]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]
ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2008-2-5 54512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-02-18 18:01 10536 ----a-w- c:\program files\Citrix\GoToAssist\508\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [10/21/2009 1:41 PM 28552]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [10/22/2009 10:35 AM 203280]
R3 hcw72ADFilter;WinTV HVR-950 USB Audio Filter Driver;c:\windows\system32\drivers\hcw72ADFilter.sys [7/8/2008 6:35 PM 27904]
R3 hcw72ATV;WinTV HVR-950 NTSC;c:\windows\system32\drivers\hcw72ATV.sys [7/8/2008 6:37 PM 1198720]
R3 hcw72DTV;WinTV HVR-950 ATSC/QAM;c:\windows\system32\drivers\hcw72DTV.sys [7/8/2008 6:41 PM 1191552]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 Medcin;Medcin;c:\program files\Medicomp Systems, Inc\Server\medcinserv --> c:\program files\Medicomp Systems, Inc\Server\medcinserv [?]
S3 ADSFilter;ADSFilter - (Aluria Filter Driver);c:\windows\system32\DRIVERS\ADSFilter.sys --> c:\windows\system32\DRIVERS\ADSFilter.sys [?]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys --> c:\windows\system32\Drivers\BW2NDIS5.sys [?]
S3 krdpdre;krdpdre;\??\c:\docume~1\Adam\LOCALS~1\Temp\krdpdre.sys --> c:\docume~1\Adam\LOCALS~1\Temp\krdpdre.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - CLASSPNP_2
*NewlyCreated* - MBR
*Deregistered* - CLASSPNP_2
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-11-02 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-03-05 03:39]

2009-11-01 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-22 17:22]

2009-11-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-22 17:22]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]{searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=localhost:8080
uInternet Settings,ProxyOverride = 127.0.0.1;
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
Trusted Zone: microsoft.com\oas.support
Trusted Zone: microsoft.com\support
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-11-01 22:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys sfsync02.sys hal.dll iastor.sys
kernel: MBR read successfully
user & kernel MBR OK
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

iastor.sys @ 0xB9E36000 0xD4E80 bytes

\Driver\iastor [ IRP_MJ_INTERNAL_DEVICE_CONTROL ] 0xB9E48B10 != 0xBA0C98B4 sfsync02.sys
\Driver\iastor IRP hooks detected !

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Medcin]
"ImagePath"="c:\program files\Medicomp Systems, Inc\Server\medcinserv"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(696)
c:\program files\Citrix\GoToAssist\508\G2AWinLogon.dll
.
Completion time: 2009-11-02 22:40
ComboFix-quarantined-files.txt 2009-11-02 04:40
ComboFix2.txt 2009-11-02 03:36
ComboFix3.txt 2009-11-01 02:16
ComboFix4.txt 2009-10-31 16:27

Pre-Run: 80,052,609,024 bytes free
Post-Run: 80,031,080,448 bytes free

- - End Of File - - 2EF78595FC65B0CA62F47854298802AF

After ComboFix finished running, it had me upload some file.

adamjac

Newbie Surfer

Posts: 13
Joined: 2009-10-22
Operating System: xp pro
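As an added triage example (not part of this thread and not ComboFix's own code): a small Python script that walks lines in the ComboFix service/driver and Supplementary Scan format shown in the log above and flags the entries a responder would look at first: a driver registered from a user's Temp folder, a service entry whose binary is missing, and an Internet Explorer proxy pointing back at the local machine. The sample lines are constructed after the log above; the flagging rules are the script's own heuristics.

```python
import re

# Constructed sample lines in ComboFix's format, modelled on the thread's log
# (not a real log; the krdpdre and proxy entries mirror what the log shows).
SAMPLE_LOG = """\
R3 hcw72ATV;WinTV HVR-950 NTSC;c:\\windows\\system32\\drivers\\hcw72ATV.sys [7/8/2008 6:37 PM 1198720]
S3 ADSFilter;ADSFilter - (Aluria Filter Driver);c:\\windows\\system32\\DRIVERS\\ADSFilter.sys --> c:\\windows\\system32\\DRIVERS\\ADSFilter.sys [?]
S3 krdpdre;krdpdre;\\??\\c:\\docume~1\\Adam\\LOCALS~1\\Temp\\krdpdre.sys --> c:\\docume~1\\Adam\\LOCALS~1\\Temp\\krdpdre.sys [?]
uInternet Settings,ProxyServer = http=localhost:8080
uInternet Settings,ProxyOverride = 127.0.0.1;
"""

# Service/driver line: start type (R2, S3, ...), then ';'-separated
# service name, display name and image path with optional details.
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+)$")
# Any path component named Temp or Tmp (long or 8.3 form), e.g. \LOCALS~1\Temp\
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(.+)$")
LOOPBACK = ("localhost", "127.0.0.1")


def triage(log_text):
    """Return (line, reason) pairs for entries worth a responder's attention."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = SERVICE_RE.match(line)
        if m:
            start, _name, _display, rest = m.groups()
            # Left side of ' --> ' is the registered path; strip the \??\ prefix.
            path = rest.split(" --> ")[0].replace("\\??\\", "")
            if TEMP_DIR_RE.search(path):
                findings.append((line, "driver/service image lives in a temp directory"))
            elif rest.endswith("[?]") and start.startswith("S"):
                findings.append((line, "service entry whose binary was not found (orphan; verify)"))
            continue
        m = PROXY_RE.match(line)
        if m and any(host in m.group(1).lower() for host in LOOPBACK):
            findings.append((line, "IE proxy points at a local port (local traffic interception)"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {entry}")
```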

Re: trojan and virus overload

Post by DragonMaster Jay on Mon 02 Nov 2009, 4:01 am

Please download the [You must be registered and logged in to see this link.].

  • Save it to your Desktop.
  • Please double-click OTM.exe to run it.
  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    c:\windows\system32\dllcache\oleacc.dll

  • Return to OTM.exe, right-click in the "Paste Instructions for Items to be Moved" window (under the light yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
  • Close OTM.exe.

If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.


DragonMaster Jay

Moderator | Tech Staff

Posts: 2132
Joined: 2009-09-06
Operating System: Windows 7 Ultimate 32-Bit

Re: trojan and virus overload

Post by adamjac on Tue 03 Nov 2009, 9:29 am

Sorry it took so long to reply, but here are the results.


Error: Unable to interpret in the current context!

OTM by OldTimer - Version 3.0.0.6 log created on 11032009_092744

adamjac

Newbie Surfer

Posts: 13
Joined: 2009-10-22
Operating System: xp pro
