System Security - Cannot Open Any Programs

Hello. Today I've been infected with the System Security virus, however I am not on the computer that actually has the virus. I cannot open any programs, which means no browser to get to this site and download HijackThis. I previously had Malwarebyte's Antimalware. I performed a scam (twice, in regular and safe mode) and it deleted a file from my registry, but did not detect anything else. However, System Security is still on my computer. How would I go about getting Hijackthis on my computer to create a log.

P.S. I'm not too techno-savvy, and in safe mode I can't get on to the internet (assuming this is because it's in safe mode) so unless there's a way to bypass that, at the moment I can't access the internet on the infected computer.

Hello.
There is two options for safe mode on the F8 menu, there is:

Safe mode
Safe mode with networking.

Choose the networking option, that has internet connection.

Please download the current version of HijackThis from HERE

• Double click and run the installer.
  
• It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  
• After installing, you should get the user agreement, press accept and Hijack This will run.
  
• Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.
  

Alright, I'm now on the infected the computer and did a scan. Here it is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:22:51 PM, on 7/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: HpWebHelper - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Verizon_McciTrayApp] "C:\Program Files\Verizon\McciTrayApp.exe"
O4 - HKLM\..\Run: [16553434] C:\Documents and Settings\All Users\Application Data\16553434\16553434.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (file missing)
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommon/download/FIOS/Verizon%20FiOS%20Installer.cab
O16 - DPF: {4E218431-2F07-40BD-A9D3-035324C1F13F} (DyynoX Class) - http://webserver.dyyno.com/tng/dyyno-client/DyynoCAB.CAB
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\MapleStory\npkcmsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10572 bytes

• Open HijackThis.
  
• Choose "Do a system scan only"
  
• Check the boxes in front of these lines:
  
  
  F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
  O1 - Hosts: ::1 localhost
  O4 - HKLM\..\Run: [16553434] C:\Documents and Settings\All Users\Application Data\16553434\16553434.exe
  O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
  
  
  
  
• Press "Fix Checked"
  
• Close Hijack This.
  

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Post the contents of the MBAM Log.


I see you have Viewpoint software installed.

Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". Read this article: here and here

I suggest you remove the program now.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

• Viewpoint Manager (remove only)
  
• Viewpoint Media Player
  
• Viewpoint Toolbar
  

Next, please download ViewpointKiller by Prm753 from here.
Save it to a permanent folder (such as C:\ViewpointKiller) and unzip it there.
Open ViewpointKiller, and press the Start button.
A log will be produced in the same folder where you unzipped it to. Please post the contents of that log in your reply.

Hello Origin. I've followed your steps and am running in regular mode now, and as far as I can see System Security is gone. here is the log from ViewpointKiller:

*(Also, when I logged on, I received a message bubble from an icon on my taskbar. It is a red shield with a white x in the middle that says Windows Security Alerts. It said something to the effect that antivirus software is down and my computer could be compromised. Is this legitimate?)

----------------------------------
ViewpointKiller Version 1.30 (beta)

The removal process was started on Thu Jul 02 13:50:11 2009

Preparing to remove Viewpoint Media Player...



Warning accepted, beginning removal process....



ViewpointKiller determined that "aim.exe" was not running.

ViewpointKiller determined that "aim6.exe" was not running.

ViewpointKiller determined that "aolsoftware.exe" was not running.

ViewpointKiller determined that "aol.exe" was not running.

ViewpointKiller determined that "MtsAxInstaller.exe" was not running.



Preparing to close the Viewpoint Manager Service if it is running...

Closing "Viewpoint Manager Service" failed, or the service is not running.





Searching for all known Viewpoint Media Player registry values and keys...

Found and removed: SOFTWARE\Viewpoint

Finished searching for and removing all known Viewpoint Media Player registry values and keys.



Searching for all known Viewpoint Media Player files and folders...

Found and removed: C:\Documents and Settings\All Users\Application Data\Viewpoint

Finished searching for and removing all known Viewpoint Media Player files and folders.



Finished reporting.

----------------------------------
----------------------------------
ViewpointKiller Version 1.30 (beta)

The removal process was started on Thu Jul 02 13:50:24 2009

Preparing to remove Viewpoint Manager...



ViewpointKiller determined that "viewmgr.exe" was not running.

Searching for all known Viewpoint Manager registry values and keys...

Found and removed: Software\Microsoft\Windows\CurrentVersion\Uninstall\Viewpoint Manager

Finished searching for and removing all known Viewpoint Manager registry values and keys.



Searching for all known Viewpoint Manager files and folders...

Finished searching for and removing all known Viewpoint Manager files and folders.



Finished reporting.

----------------------------------
----------------------------------
ViewpointKiller Version 1.30 (beta)

The removal process was started on Thu Jul 02 13:50:26 2009

Preparing to remove Viewpoint Toolbar...



ViewpointKiller determined that "FotomatDeviceConnect.exe" was not running.

ViewpointKiller determined that "iexplore.exe" was not running.



Searming for all known Viewpoint Toolbar registry values and keys...

Finished searching for and removing all known Viewpoint Toolbar registry values and keys.



Searching for all known Viewpoint Toolbar files and folders...

Finished searching for and removing all known Viewpoint Toolbar files and folders.



Finished reporting.

----------------------------------

Hello can you post the Malwarebytes log as well

Sorry. Here it is. Pretty big so it'll be in several parts.

PART 1

Malwarebytes' Anti-Malware 1.38
Database version: 2363
Windows 5.1.2600 Service Pack 3

7/2/2009 1:44:13 PM
mbam-log-2009-07-02 (13-44-13).txt

Scan type: Quick Scan
Objects scanned: 109751
Time elapsed: 9 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 2
Registry Data Items Infected: 6
Folders Infected: 22
Files Infected: 575

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\Root\LEGACY_NFR (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_NFR (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SystemSecurity2009 (Rogue.SystemSecurity) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\nfr (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: mnetxsr.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.
c:\documents and settings\HP_Owner\Application Data\Zango (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\IESkins (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0 (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\dynamic (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1 (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\2 (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\DownLoad (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOL (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOL\dynamic (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOL\static (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\Zango (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\Zango\dynamic (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\Zango\dynamic\TooltipXML (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\Zango\dynamic\TooltipXML (Adware.Zango) -> Files: 437 -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\Zango\dynamic\ustat (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\Zango\static (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\Zango\static\1 (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\Zango\static\2 (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\Zango\static\DownLoad (Adware.Zango) -> Quarantined and deleted successfully.

PART 2

Files Infected:
C:\WINDOWS\MNetxsr.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\Temp\AB8.tmp (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\BA.tmp (Trojan.Zbot) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\mxivgrctcp.exe (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\rdl7.tmp.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\rdlA.tmp.exe (Trojan.Vundo.V) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.
c:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\030104_emte10_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\030104_emte11_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\030104_emte12_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\030104_emte13_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\030104_emte14_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\030104_emte19_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\030104_emte20_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\030104_emte21_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\030104_emte9_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\030203lib_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\033102angel_1_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\033102bigluf_1_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\033102bigsmile_1_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\033102birthday_1_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\033102cheers_1_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\033102flo_1_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\033102good_1_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\033102jump_1_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\033102king_1_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\033102lough_1_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\033102luf_1_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\033102smiled_1_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\033102smile_1_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\033102sor_1_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\033102thanx_1_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\033102uhu_1_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\040103ahh_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\040103wow_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\040104_emi2_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\042102_1134_112_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.

PART 3

(Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\050103gig_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\050103hm_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\050103nomail_emoti_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\050103norm_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\060104_ema15_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\060104_ema16_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\060104_ema17_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\060104_ema18_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\060104_ema19_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\060104_ema20_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\060104_ema21_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\060104_ema24_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\060104_ema25_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\060104_ema26_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\060104_ema30_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\060104_ema33_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\060104_ema34_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\062802hippi_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\062802jumpie_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\080402argh_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\080402oops_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\080402ouch_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\082502no_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\082502yes_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\110103_boring1_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\110103_confused_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\110103_crying_ugly_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\110103_fantastic_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\110103_feel_better_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\110103_gimme_break_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\110103_heehee_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\110103_hlopaet_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\110103_ign_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\110103_lol_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\110103_no_comment_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\110103_peace_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\110103_smashing_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\110103_talk2thehand_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\avatar.res (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\blocked.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\blocked2.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\block_sm.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\block_sm2.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\block_smli.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\block_smli2.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\btn_add-but.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\btn_back-but.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\Zango\v3.0\HostOI\static\1\btn_left_cut_enabled_1.gif (Adware.Zango) -> Quarantined and deleted successfully.

(The rest is a bunch of Zango files that were deleted)
These are the last 3 lines of the log.

C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\drivers\nfr.dll.assembly (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\win32hlp.cnf (Trojan.Agent) -> Quarantined and deleted successfully.

That's good most of the infections have been delt with, lets just remove the left overs, please do the following:

• Download combofix from here
  Link 1
  Link 2
  
• We need to disable your local AV (Anti-virus) before running Combofix.
  
• See HERE for how to disable your AV.
  
• Double click on ComboFix.exe.
  
• Follow the prompts. NOTE:
  
• ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
  ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
  
  **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  
  
  
• The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  
  
  
  
• Allow ComboFix to download the Recovery Console.
  
• Accept the End-User License Agreement.
  
• The Recovery Console will be installed.
  
• You will then get this next prompt that asks if you want to continue the malware scan, select yes
  
  
  
  
• Allow combofix to run
  
• Post C:\combofix.txt back here.
  
  Note:
  Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  

Here's the log for Combofix:

PART 1

ComboFix 09-07-01.04 - HP_Owner 07/02/2009 14:38.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1470.1133 [GMT -4:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\16553434
c:\documents and settings\All Users\Application Data\16553434\16553434
c:\documents and settings\All Users\Application Data\16553434\16553434.exe
c:\documents and settings\HP_Owner\Application Data\WeatherDPA
c:\documents and settings\HP_Owner\Application Data\WeatherDPA\Weather\WeatherStartup.xml
c:\documents and settings\HP_Owner\Local Settings\Application Data\{A6B4328E-BACD-4443-8BA0-21674ED05918}
c:\documents and settings\HP_Owner\Local Settings\Application Data\{A6B4328E-BACD-4443-8BA0-21674ED05918}\chrome.manifest
c:\documents and settings\HP_Owner\Local Settings\Application Data\{A6B4328E-BACD-4443-8BA0-21674ED05918}\chrome\content\_cfg.js
c:\documents and settings\HP_Owner\Local Settings\Application Data\{A6B4328E-BACD-4443-8BA0-21674ED05918}\chrome\content\c.js
c:\documents and settings\HP_Owner\Local Settings\Application Data\{A6B4328E-BACD-4443-8BA0-21674ED05918}\chrome\content\overlay.xul
c:\documents and settings\HP_Owner\Local Settings\Application Data\{A6B4328E-BACD-4443-8BA0-21674ED05918}\install.rdf
c:\documents and settings\LocalService\Application Data\twain_32
c:\documents and settings\LocalService\Application Data\twain_32\user.ds
c:\documents and settings\NetworkService\Application Data\twain_32
c:\documents and settings\NetworkService\Application Data\twain_32\user.ds
c:\program files\Mozilla Firefox\plugins\npclntax_ZangoSA.dll
c:\windows\system32\config\systemprofile\Desktop\System Security 2009.lnk
c:\windows\system32\config\systemprofile\Start Menu\Programs\System Security
c:\windows\system32\config\systemprofile\Start Menu\Programs\System Security\System Security
c:\windows\system32\drivers\hjgruimtabfmwg.sys
c:\windows\system32\hjgruibjoqhxnq.dll
c:\windows\system32\hjgruijobqdcbn.dat
c:\windows\system32\hjgruirctwhatd.dat
c:\windows\system32\hjgruirtiwthqp.dll
c:\windows\system32\uniq.tll
c:\windows\wiaserviv.log
D:\Autorun.inf
D:\Desktop.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_hjgruitconqdxu


((((((((((((((((((((((((( Files Created from 2009-06-02 to 2009-07-02 )))))))))))))))))))))))))))))))
.

2009-07-02 17:22 . 2009-07-02 17:22 -------- d-----w- c:\program files\Trend Micro
2009-07-02 16:27 . 2009-07-02 16:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-07-02 15:55 . 2009-07-02 15:55 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-06-17 17:39 . 2009-05-19 05:36 2884832 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\vwpt.exe
2009-06-17 17:26 . 2006-10-12 16:29 83504 ----a-w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\TEMP\ProgUpd.dll
2009-06-13 13:51 . 2009-03-19 14:42 217088 ----a-w- c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\qf78i5qp.default\extensions\NPDyyno@dyyno.com\Plugins\npDyyno.dll
2009-06-11 22:29 . 2009-06-11 22:29 41808 ----a-w- c:\windows\system32\xfcodec.dll
2009-06-06 16:05 . 2009-06-06 16:05 120088 ----a-w- c:\documents and settings\HP_Owner\Application Data\Mozilla\Plugins\npoctoshape.dll
2009-06-06 16:05 . 2009-06-06 16:05 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Octoshape
2009-06-06 16:05 . 2009-06-04 10:03 396288 ----a-w- c:\documents and settings\HP_Owner\Application Data\Octoshape\Octoshape Streaming Services\sua-0906040-0-libOctoshapeClient.dll
2009-06-06 16:05 . 2009-06-04 10:03 124184 ----a-w- c:\documents and settings\HP_Owner\Application Data\Octoshape\Octoshape Streaming Services\sua-0906040-0-apoctoshape.dll
2009-06-06 16:05 . 2009-06-04 10:03 120088 ----a-w- c:\documents and settings\HP_Owner\Application Data\Octoshape\Octoshape Streaming Services\sua-0906040-0-npoctoshape.dll
2009-06-06 16:05 . 2009-01-08 13:44 70936 ----a-w- c:\documents and settings\HP_Owner\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe
2009-06-05 18:15 . 2009-06-05 18:15 29696 ----a-r- c:\documents and settings\HP_Owner\Application Data\Microsoft\Installer\{312255E7-E2C2-4F3E-BBCB-02C5B8696CCB}\IconF0CEFCC9.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-02 17:45 . 2009-05-27 10:31 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-07-02 17:34 . 2009-02-19 00:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-02 14:56 . 2009-03-03 22:42 -------- d-----w- c:\program files\Xfire
2009-06-30 17:42 . 2009-03-03 22:42 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Xfire
2009-06-29 03:03 . 2007-12-25 01:11 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-06-29 03:01 . 2008-09-15 20:15 -------- d-----w- c:\program files\World of Warcraft Public Test
2009-06-17 18:44 . 2008-08-16 04:09 -------- d-----w- c:\program files\AIM6
2009-06-17 17:39 . 2008-08-16 04:23 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2009-06-17 15:27 . 2009-02-19 00:53 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 15:27 . 2009-02-19 00:53 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-12 10:36 . 2008-01-05 05:36 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\LimeWire
2009-06-11 02:48 . 2008-11-05 01:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-07 01:18 . 2008-07-15 21:35 -------- d-----w- c:\program files\World of Warcraft
2009-06-05 01:48 . 2009-05-29 18:00 29696 ----a-r- c:\documents and settings\HP_Owner\Application Data\Microsoft\Installer\{BBB08B2B-F1F7-43BF-803F-AA3AA807E9FF}\IconF0CEFCC9.exe
2009-06-05 01:48 . 2009-05-29 17:57 -------- d-----w- c:\program files\Verizon
2009-06-03 00:17 . 2008-09-04 23:36 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\U3
2009-05-29 18:10 . 2009-05-29 18:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Motive
2009-05-29 18:05 . 2009-05-29 18:05 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Motive
2009-05-29 18:03 . 2009-05-29 18:00 -------- d-----w- c:\program files\Common Files\Motive
2009-05-27 10:31 . 2009-05-27 10:31 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-05-20 23:53 . 2009-05-20 23:26 -------- d-----w- c:\program files\Flash-Creator 1
2009-05-20 23:52 . 2009-05-20 23:26 75264 ----a-w- c:\windows\cadkasdeinst01e.exe
2009-05-20 23:47 . 2009-05-20 23:46 -------- d-----w- c:\program files\UltraSlideshow
2009-05-20 23:42 . 2009-05-20 23:38 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Download Manager
2009-05-19 05:36 . 2009-06-17 17:39 28 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\unregister.bat
2009-05-19 05:36 . 2009-06-17 17:39 25 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\register.bat
2009-05-19 05:36 . 2009-06-17 17:39 1484856 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\toolbar.exe
2009-05-19 05:36 . 2009-06-17 17:39 97072 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\bsetutil.exe
2009-05-19 05:36 . 2009-06-17 17:39 142040 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\alsetup.exe
2009-05-19 05:36 . 2009-06-17 17:39 30512 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\Uninstaller.exe
2009-05-19 05:36 . 2009-06-17 17:39 111920 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\AOLSearch.dll
2009-05-17 02:47 . 2009-05-17 02:47 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\eMusic
2009-05-17 02:47 . 2009-05-17 02:47 -------- d-----w- c:\program files\eMusic Download Manager
2009-05-13 13:18 . 2009-04-22 17:30 77312 ----a-w- c:\windows\DEVCON.EXE
2009-05-09 14:57 . 2009-04-08 19:38 0 ----a-w- c:\windows\Mdekuqoqepoqu.bin
2009-05-07 15:32 . 2004-08-04 04:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-06 18:27 . 2009-05-06 18:26 -------- d-----w- c:\program files\Coupons
2009-04-29 04:56 . 2004-08-04 04:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 04:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-22 02:50 . 2009-04-22 01:07 117390 ----a-w- c:\windows\hpoins11.dat
2009-04-22 02:45 . 2007-12-25 01:19 57224 ----a-w- c:\documents and settings\HP_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-17 12:26 . 2004-08-04 04:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-16 16:37 . 2009-04-08 19:38 408 ----a-w- c:\windows\Utodomuyixusumo.dat
2009-04-15 14:51 . 2004-08-04 04:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-09 02:03 . 2009-04-09 02:03 81920 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
2009-04-09 02:03 . 2009-04-09 02:03 98304 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\nxgameus.dll
2009-04-09 02:03 . 2009-04-09 02:03 520192 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMDll.dll
2009-04-09 02:03 . 2009-04-09 02:03 335872 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMResource.dll
2009-04-09 02:03 . 2009-04-09 02:03 258352 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\unicows.dll
2009-04-09 02:03 . 2009-04-09 02:03 167936 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGM.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-31 68856]
"Octoshape Streaming Services"="c:\documents and settings\HP_Owner\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe" [2009-01-08 70936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 49152]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-11-09 249856]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-04-05 344064]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-31 185872]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2009-03-10 1553920]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-2-15 27136]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-2-15 27136]

c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\
Xfire.lnk - c:\program files\Xfire\Xfire.exe [2009-6-11 3182928]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
Updates From HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2006-2-16 36903]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\World of Warcraft Public Test2\\Launcher.exe"=
"c:\\Documents and Settings\\HP_Owner\\Local Settings\\Application Data\\Dyyno Receiver\\DPPM.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Documents and Settings\\HP_Owner\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\Tortun\\gui.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=

PART 2

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:WoWDownloader
"6112:TCP"= 6112:TCP:WoWDownloader
"6881:TCP"= 6881:TCP:WoWDownloader
"6882:TCP"= 6882:TCP:WoWDownloader
"6883:TCP"= 6883:TCP:WoWDownloader
"6884:TCP"= 6884:TCP:WoWDownloader
"6885:TCP"= 6885:TCP:WoWDownloader
"6886:TCP"= 6886:TCP:WoWDownloader
"6887:TCP"= 6887:TCP:WoWDownloader
"6888:TCP"= 6888:TCP:WoWDownloader
"6889:TCP"= 6889:TCP:WoWDownloader
"6900:TCP"= 6900:TCP:WoWDownloader
"7070:TCP"= 7070:TCP:nfr
"57000:TCP"= 57000:TCP:Pando Media Booster
"57000:UDP"= 57000:UDP:Pando Media Booster

S2 scoibeyq;scoibeyq;c:\windows\System32\svchost.exe -k netsvcs [8/4/2004 14336]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
faqzgfom
scoibeyq
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://aol.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
Trusted Zone: Adobe.com\www
DPF: {4E218431-2F07-40BD-A9D3-035324C1F13F} - hxxp://webserver.dyyno.com/tng/dyyno-client/DyynoCAB.CAB
FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\qf78i5qp.default\
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/?src=aim
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&query=
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\HP_Owner\Application Data\Mozilla\plugins\npoctoshape.dll
FF - plugin: c:\program files\Dyyno\Dyyno Player\npvlc.dll
FF - plugin: c:\program files\eMusic Download Manager\plugin\npemusic.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-02 14:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(728)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-07-02 14:47
ComboFix-quarantined-files.txt 2009-07-02 18:46

Pre-Run: 69,111,889,920 bytes free
Post-Run: 71,496,540,160 bytes free

259 --- E O F --- 2009-06-11 02:48

Now open a new notepad file.
Input this into the notepad file:

Folder::
c:\documents and settings\HP_Owner\Application Data\LimeWire

File::
c:\windows\Mdekuqoqepoqu.bin
c:\windows\Utodomuyixusumo.dat

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=-
"c:\\Program Files\\uTorrent\\uTorrent.exe"=-

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix again, agree to it's terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.

Here it is:

ComboFix 09-07-01.04 - HP_Owner 07/02/2009 15:06.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1470.883 [GMT -4:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Owner\Desktop\CFScript.txt
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
* Created a new restore point

FILE ::
"c:\windows\Mdekuqoqepoqu.bin"
"c:\windows\Utodomuyixusumo.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\HP_Owner\Application Data\LimeWire
c:\documents and settings\HP_Owner\Application Data\LimeWire\414splashfree.png
c:\documents and settings\HP_Owner\Application Data\LimeWire\certificate\limewire.keystore
c:\documents and settings\HP_Owner\Application Data\LimeWire\createtimes.cache
c:\documents and settings\HP_Owner\Application Data\LimeWire\downloads.dat
c:\documents and settings\HP_Owner\Application Data\LimeWire\fileurns.bak
c:\documents and settings\HP_Owner\Application Data\LimeWire\fileurns.cache
c:\documents and settings\HP_Owner\Application Data\LimeWire\filters.props
c:\documents and settings\HP_Owner\Application Data\LimeWire\installation.props
c:\documents and settings\HP_Owner\Application Data\LimeWire\library.dat
c:\documents and settings\HP_Owner\Application Data\LimeWire\limewire.props
c:\documents and settings\HP_Owner\Application Data\LimeWire\mojito.props
c:\documents and settings\HP_Owner\Application Data\LimeWire\promotion\promodb.backup
c:\documents and settings\HP_Owner\Application Data\LimeWire\promotion\promodb.data
c:\documents and settings\HP_Owner\Application Data\LimeWire\promotion\promodb.lck
c:\documents and settings\HP_Owner\Application Data\LimeWire\promotion\promodb.log
c:\documents and settings\HP_Owner\Application Data\LimeWire\promotion\promodb.properties
c:\documents and settings\HP_Owner\Application Data\LimeWire\promotion\promodb.script
c:\documents and settings\HP_Owner\Application Data\LimeWire\questions.props
c:\documents and settings\HP_Owner\Application Data\LimeWire\responses.cache
c:\documents and settings\HP_Owner\Application Data\LimeWire\simpp.xml
c:\documents and settings\HP_Owner\Application Data\LimeWire\spam.dat
c:\documents and settings\HP_Owner\Application Data\LimeWire\tables.props
c:\documents and settings\HP_Owner\Application Data\LimeWire\themes\windows_theme.lwtp
c:\documents and settings\HP_Owner\Application Data\LimeWire\themes\windows_theme\01_star.gif
c:\documents and settings\HP_Owner\Application Data\LimeWire\themes\windows_theme\02_star.gif
c:\documents and settings\HP_Owner\Application Data\LimeWire\themes\windows_theme\03_star.gif
c:\documents and settings\HP_Owner\Application Data\LimeWire\themes\windows_theme\04_star.gif
c:\documents and settings\HP_Owner\Application Data\LimeWire\themes\windows_theme\05_star.gif
c:\documents and settings\HP_Owner\Application Data\LimeWire\themes\windows_theme\chat.gif
c:\documents and settings\HP_Owner\Application Data\LimeWire\themes\windows_theme\forward_dn.gif
c:\documents and settings\HP_Owner\Application Data\LimeWire\themes\windows_theme\forward_up.gif
c:\documents and settings\HP_Owner\Application Data\LimeWire\themes\windows_theme\kill.gif
c:\documents and settings\HP_Owner\Application Data\LimeWire\themes\windows_theme\kill_on.gif
c:\documents and settings\HP_Owner\Application Data\LimeWire\themes\windows_theme\logo.png
c:\documents and settings\HP_Owner\Application Data\LimeWire\themes\windows_theme\notsearching.png
c:\documents and settings\HP_Owner\Application Data\LimeWire\themes\windows_theme\pause_dn.gif
c:\documents and settings\HP_Owner\Application Data\LimeWire\themes\windows_theme\pause_up.gif
c:\documents and settings\HP_Owner\Application Data\LimeWire\themes\windows_theme\play_dn.gif
c:\documents and settings\HP_Owner\Application Data\LimeWire\themes\windows_theme\play_up.gif
c:\documents and settings\HP_Owner\Application Data\LimeWire\themes\windows_theme\question.gif
c:\documents and settings\HP_Owner\Application Data\LimeWire\themes\windows_theme\rewind_dn.gif
c:\documents and settings\HP_Owner\Application Data\LimeWire\themes\windows_theme\rewind_up.gif
c:\documents and settings\HP_Owner\Application Data\LimeWire\themes\windows_theme\searching.gif
c:\documents and settings\HP_Owner\Application Data\LimeWire\themes\windows_theme\splash.png
c:\documents and settings\HP_Owner\Application Data\LimeWire\themes\windows_theme\splashpro.png
c:\documents and settings\HP_Owner\Application Data\LimeWire\themes\windows_theme\stop_dn.gif
c:\documents and settings\HP_Owner\Application Data\LimeWire\themes\windows_theme\stop_up.gif
c:\documents and settings\HP_Owner\Application Data\LimeWire\themes\windows_theme\theme.txt
c:\documents and settings\HP_Owner\Application Data\LimeWire\themes\windows_theme\version.txt
c:\documents and settings\HP_Owner\Application Data\LimeWire\themes\windows_theme\warning.gif
c:\documents and settings\HP_Owner\Application Data\LimeWire\version.xml
c:\documents and settings\HP_Owner\Application Data\LimeWire\versions.props
c:\documents and settings\HP_Owner\Application Data\LimeWire\xml\data\audio.sxml2
c:\documents and settings\HP_Owner\Application Data\LimeWire\xml\data\delete_me
c:\documents and settings\HP_Owner\Application Data\LimeWire\xml\misc\application.gif
c:\documents and settings\HP_Owner\Application Data\LimeWire\xml\misc\audio.gif
c:\documents and settings\HP_Owner\Application Data\LimeWire\xml\misc\document.gif
c:\documents and settings\HP_Owner\Application Data\LimeWire\xml\misc\image.gif
c:\documents and settings\HP_Owner\Application Data\LimeWire\xml\misc\video.gif
c:\documents and settings\HP_Owner\Application Data\LimeWire\xml\schemas\application.xsd
c:\documents and settings\HP_Owner\Application Data\LimeWire\xml\schemas\audio.xsd
c:\documents and settings\HP_Owner\Application Data\LimeWire\xml\schemas\document.xsd
c:\documents and settings\HP_Owner\Application Data\LimeWire\xml\schemas\image.xsd
c:\documents and settings\HP_Owner\Application Data\LimeWire\xml\schemas\video.xsd
c:\windows\Mdekuqoqepoqu.bin
c:\windows\Utodomuyixusumo.dat

.
((((((((((((((((((((((((( Files Created from 2009-06-02 to 2009-07-02 )))))))))))))))))))))))))))))))
.

2009-07-02 17:22 . 2009-07-02 17:22 -------- d-----w- c:\program files\Trend Micro
2009-07-02 16:27 . 2009-07-02 16:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-07-02 15:55 . 2009-07-02 15:55 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-06-17 17:39 . 2009-05-19 05:36 2884832 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\vwpt.exe
2009-06-17 17:26 . 2006-10-12 16:29 83504 ----a-w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\TEMP\ProgUpd.dll
2009-06-13 13:51 . 2009-03-19 14:42 217088 ----a-w- c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\qf78i5qp.default\extensions\NPDyyno@dyyno.com\Plugins\npDyyno.dll
2009-06-11 22:29 . 2009-06-11 22:29 41808 ----a-w- c:\windows\system32\xfcodec.dll
2009-06-06 16:05 . 2009-06-06 16:05 120088 ----a-w- c:\documents and settings\HP_Owner\Application Data\Mozilla\Plugins\npoctoshape.dll
2009-06-06 16:05 . 2009-06-06 16:05 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Octoshape
2009-06-06 16:05 . 2009-06-04 10:03 396288 ----a-w- c:\documents and settings\HP_Owner\Application Data\Octoshape\Octoshape Streaming Services\sua-0906040-0-libOctoshapeClient.dll
2009-06-06 16:05 . 2009-06-04 10:03 124184 ----a-w- c:\documents and settings\HP_Owner\Application Data\Octoshape\Octoshape Streaming Services\sua-0906040-0-apoctoshape.dll
2009-06-06 16:05 . 2009-06-04 10:03 120088 ----a-w- c:\documents and settings\HP_Owner\Application Data\Octoshape\Octoshape Streaming Services\sua-0906040-0-npoctoshape.dll
2009-06-06 16:05 . 2009-01-08 13:44 70936 ----a-w- c:\documents and settings\HP_Owner\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe
2009-06-05 18:15 . 2009-06-05 18:15 29696 ----a-r- c:\documents and settings\HP_Owner\Application Data\Microsoft\Installer\{312255E7-E2C2-4F3E-BBCB-02C5B8696CCB}\IconF0CEFCC9.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-02 19:05 . 2008-07-15 21:35 -------- d-----w- c:\program files\World of Warcraft
2009-07-02 17:45 . 2009-05-27 10:31 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-07-02 17:34 . 2009-02-19 00:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-02 14:56 . 2009-03-03 22:42 -------- d-----w- c:\program files\Xfire
2009-06-30 17:42 . 2009-03-03 22:42 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Xfire
2009-06-29 03:03 . 2007-12-25 01:11 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-06-29 03:01 . 2008-09-15 20:15 -------- d-----w- c:\program files\World of Warcraft Public Test
2009-06-17 18:44 . 2008-08-16 04:09 -------- d-----w- c:\program files\AIM6
2009-06-17 17:39 . 2008-08-16 04:23 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2009-06-17 15:27 . 2009-02-19 00:53 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 15:27 . 2009-02-19 00:53 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-11 02:48 . 2008-11-05 01:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-05 01:48 . 2009-05-29 18:00 29696 ----a-r- c:\documents and settings\HP_Owner\Application Data\Microsoft\Installer\{BBB08B2B-F1F7-43BF-803F-AA3AA807E9FF}\IconF0CEFCC9.exe
2009-06-05 01:48 . 2009-05-29 17:57 -------- d-----w- c:\program files\Verizon
2009-06-03 00:17 . 2008-09-04 23:36 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\U3
2009-05-29 18:10 . 2009-05-29 18:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Motive
2009-05-29 18:05 . 2009-05-29 18:05 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Motive
2009-05-29 18:03 . 2009-05-29 18:00 -------- d-----w- c:\program files\Common Files\Motive
2009-05-27 10:31 . 2009-05-27 10:31 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-05-20 23:53 . 2009-05-20 23:26 -------- d-----w- c:\program files\Flash-Creator 1
2009-05-20 23:52 . 2009-05-20 23:26 75264 ----a-w- c:\windows\cadkasdeinst01e.exe
2009-05-20 23:47 . 2009-05-20 23:46 -------- d-----w- c:\program files\UltraSlideshow
2009-05-20 23:42 . 2009-05-20 23:38 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Download Manager
2009-05-19 05:36 . 2009-06-17 17:39 28 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\unregister.bat
2009-05-19 05:36 . 2009-06-17 17:39 25 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\register.bat
2009-05-19 05:36 . 2009-06-17 17:39 1484856 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\toolbar.exe
2009-05-19 05:36 . 2009-06-17 17:39 97072 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\bsetutil.exe
2009-05-19 05:36 . 2009-06-17 17:39 142040 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\alsetup.exe
2009-05-19 05:36 . 2009-06-17 17:39 30512 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\Uninstaller.exe
2009-05-19 05:36 . 2009-06-17 17:39 111920 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\AOLSearch.dll
2009-05-17 02:47 . 2009-05-17 02:47 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\eMusic
2009-05-17 02:47 . 2009-05-17 02:47 -------- d-----w- c:\program files\eMusic Download Manager
2009-05-13 13:18 . 2009-04-22 17:30 77312 ----a-w- c:\windows\DEVCON.EXE
2009-05-07 15:32 . 2004-08-04 04:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-06 18:27 . 2009-05-06 18:26 -------- d-----w- c:\program files\Coupons
2009-04-29 04:56 . 2004-08-04 04:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 04:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-22 02:50 . 2009-04-22 01:07 117390 ----a-w- c:\windows\hpoins11.dat
2009-04-22 02:45 . 2007-12-25 01:19 57224 ----a-w- c:\documents and settings\HP_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-17 12:26 . 2004-08-04 04:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-04 04:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-09 02:03 . 2009-04-09 02:03 81920 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
2009-04-09 02:03 . 2009-04-09 02:03 98304 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\nxgameus.dll
2009-04-09 02:03 . 2009-04-09 02:03 520192 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMDll.dll
2009-04-09 02:03 . 2009-04-09 02:03 335872 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMResource.dll
2009-04-09 02:03 . 2009-04-09 02:03 258352 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\unicows.dll
2009-04-09 02:03 . 2009-04-09 02:03 167936 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGM.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

PART 2

*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-31 68856]
"Octoshape Streaming Services"="c:\documents and settings\HP_Owner\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe" [2009-01-08 70936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 49152]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-11-09 249856]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-04-05 344064]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-31 185872]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2009-03-10 1553920]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-2-15 27136]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-2-15 27136]

c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\
Xfire.lnk - c:\program files\Xfire\Xfire.exe [2009-6-11 3182928]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
Updates From HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2006-2-16 36903]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\World of Warcraft Public Test2\\Launcher.exe"=
"c:\\Documents and Settings\\HP_Owner\\Local Settings\\Application Data\\Dyyno Receiver\\DPPM.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Documents and Settings\\HP_Owner\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\Tortun\\gui.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:WoWDownloader
"6112:TCP"= 6112:TCP:WoWDownloader
"6881:TCP"= 6881:TCP:WoWDownloader
"6882:TCP"= 6882:TCP:WoWDownloader
"6883:TCP"= 6883:TCP:WoWDownloader
"6884:TCP"= 6884:TCP:WoWDownloader
"6885:TCP"= 6885:TCP:WoWDownloader
"6886:TCP"= 6886:TCP:WoWDownloader
"6887:TCP"= 6887:TCP:WoWDownloader
"6888:TCP"= 6888:TCP:WoWDownloader
"6889:TCP"= 6889:TCP:WoWDownloader
"6900:TCP"= 6900:TCP:WoWDownloader
"7070:TCP"= 7070:TCP:nfr
"57000:TCP"= 57000:TCP:Pando Media Booster
"57000:UDP"= 57000:UDP:Pando Media Booster

S2 scoibeyq;scoibeyq;c:\windows\System32\svchost.exe -k netsvcs [8/4/2004 14336]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
faqzgfom
scoibeyq
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://aol.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
Trusted Zone: Adobe.com\www
DPF: {4E218431-2F07-40BD-A9D3-035324C1F13F} - hxxp://webserver.dyyno.com/tng/dyyno-client/DyynoCAB.CAB
FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\qf78i5qp.default\
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/?src=aim
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&query=
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\HP_Owner\Application Data\Mozilla\plugins\npoctoshape.dll
FF - plugin: c:\program files\Dyyno\Dyyno Player\npvlc.dll
FF - plugin: c:\program files\eMusic Download Manager\plugin\npemusic.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-02 15:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(728)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-07-02 15:11
ComboFix-quarantined-files.txt 2009-07-02 19:10
ComboFix2.txt 2009-07-02 18:47

Pre-Run: 71,488,032,768 bytes free
Post-Run: 71,464,550,400 bytes free

290 --- E O F --- 2009-06-11 02:48

Please run another Malwarebytes quick scan for me and paste all the contents back here.

Here's the Malwarebytes log:

Time elapsed: 4 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Hello.
There's still an infection here.

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7070:TCP"=-

Driver::
scoibeyq

NetSvc::
faqzgfom
scoibeyq

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix again, agree to it's terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.