Infected witn multiple...stuff!

I'm back!

Thanks again for helping me out with my work computer. It's running beautifully and I haven't had any problems since.

My home computer, however, needs big time help. Ever since it crashed back in October and I had to do a recovery, it's been getting hit with all kinds of nasty malware. I've had google hijacked, Malwarebytes disabled, system restore disabled, safe mode disabled, desktop hijacked, my computer doing weird stuff. You name it, it has happened.

I have a Gateway desktop with Windows XP Home SP3. I switched from IE 8 to Firefox because IE was just too buggy for me. I have McAfee thru Comcast. I've ran that so many times. I finally got Malwarebytes to work. It finds the nasty malware and trojans. I'm able to get my control of my computer for a while but a few minutes later and I'm infected again. Like right now! In the middle of working on a time sensitive project I got infected. Every time I clicked on a link in google I would a stupid redirect or some fake warning that this link is a virus. I ran Malwarebytes and this is my log:

Malwarebytes' Anti-Malware 1.43
Database version: 3461
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/31/2009 12:52:51 AM
mbam-log-2009-12-31 (00-52-51).txt

Scan type: Quick Scan
Objects scanned: 122085
Time elapsed: 14 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 25

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\kbdsock.dll (Spyware.Passwords) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\winsts (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ygua8e7yhuiesfha876yfauy8fe (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Temp\yja93.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\oqnqso.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\waxfhosk.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gh3hcu404.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kbdsock.dll (Spyware.Passwords) -> Delete on reboot.
C:\WINDOWS\system32\mshlps.dll (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vvkxrbfw3f.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\nunlj.sys (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\Temp\3105258424.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\529451608.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\818201608.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\debug.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\drweb.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\setup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\spoolsv.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\notepad.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\win.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\jtmti.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\jyjrjnrtm.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\bh2os.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\sa331195.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.YOUR-20CB7B5077\Local Settings\Temporary Internet Files\Content.IE5\E1H99H4G\SetupIS2010[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\flags.ini (Malware.Trace) -> Delete on reboot.
C:\WINDOWS\system32\uses32.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\dfgdgdfgrgdgfdrdfs.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.


I'll be forever in your debt if you can save me from Malware Hades

Last edited by Hardykat on 31st December 2009, 5:09 pm; edited 1 time in total

Please download the current version of HijackThis from HERE

• Double click and run the installer.
  
• It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  
• After installing, you should get the user agreement, press accept and Hijack This will run.
  
• Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.
  

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 12:11:52 PM, on 12/31/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\zHotkey.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Program Files\NCH Swift Sound\Recordpad\recordpad.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\PROGRA~1\COMMON~1\AOL\125582~1\EE\AOLHOS~1.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\PROGRA~1\COMMON~1\AOL\125582~1\EE\AOLServiceHost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

http://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=D

TP&M=GT4024
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -

C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAfee Anti-Phishing Filter -

{41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program

files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} -

C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Browser Address Error Redirector -

{CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C}

- C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google

Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media

Reader\readericon45G.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common

Files\AOL\1255829409\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOL Spyware Protection]

"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe]

C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program

Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [McAfee Backup] "C:\Program

Files\McAfee\MBK\McAfeeDataBackup.exe"
O4 - HKLM\..\Run: [VirusScan Online] \mcvsshld.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program

Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program

Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common

Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Carbonite Backup] C:\Program Files\Carbonite\Carbonite

Backup\CarboniteUI.exe
O4 - HKLM\..\Run: [Dyawucucaqiqeje] rundll32.exe

"C:\WINDOWS\avinimiqay.dll",Startup
O4 - HKLM\..\Run: [Recordpad] "C:\Program Files\NCH Swift

Sound\Recordpad\recordpad.exe" -logon
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [notepad] rundll32.exe

C:\DOCUME~1\LOCALS~1\ntload.dll,_IWMPEvents@0 (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [asg984jgkfmgasi8ug98jgkfgfb]

C:\WINDOWS\TEMP\win.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common

Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} -

c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee Anti-Phishing Filter -

{39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program

files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -

C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} -

C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -

C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} -

C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 -

{e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network

Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} -

C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs:

C:\WINDOWS\system32\kbdsock.dll,C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O22 - SharedTaskScheduler: Browseui preloader -

{438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon -

{8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common

Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online -

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America

Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. -

C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: CarboniteService - Carbonite, Inc. (www.carbonite.com) -

C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
O23 - Service: Google Software Updater (gusvc) - Unknown owner -

C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

(file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun

Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBackMonitor - McAfee - C:\Program

Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. -

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. -

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. -

C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. -

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. -

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. -

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee,

Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. -

C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program

Files\Comm

Sorry, can barely read that.

Open the logfile in Notepad, go into the "Format" menu, and untick Word Wrap.


Please re-post the log without Word Wrap on.

oops!

Here ya go!

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 12:11:52 PM, on 12/31/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\zHotkey.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Program Files\NCH Swift Sound\Recordpad\recordpad.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\PROGRA~1\COMMON~1\AOL\125582~1\EE\AOLHOS~1.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\PROGRA~1\COMMON~1\AOL\125582~1\EE\AOLServiceHost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT4024
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAfee Anti-Phishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1255829409\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [McAfee Backup] "C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe"
O4 - HKLM\..\Run: [VirusScan Online] \mcvsshld.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Carbonite Backup] C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
O4 - HKLM\..\Run: [Dyawucucaqiqeje] rundll32.exe "C:\WINDOWS\avinimiqay.dll",Startup
O4 - HKLM\..\Run: [Recordpad] "C:\Program Files\NCH Swift Sound\Recordpad\recordpad.exe" -logon
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [notepad] rundll32.exe C:\DOCUME~1\LOCALS~1\ntload.dll,_IWMPEvents@0 (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\WINDOWS\TEMP\win.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee Anti-Phishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\kbdsock.dll,C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: CarboniteService - Carbonite, Inc. (www.carbonite.com) - C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
O23 - Service: Google Software Updater (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 9720 bytes

Hello.

• Open HijackThis
  
• Choose "Do a system scan only"
  
• Check the boxes in front of these lines:
  
  
  O1 - Hosts: ::1 localhost
  O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
  O4 - HKLM\..\Run: [Dyawucucaqiqeje] rundll32.exe "C:\WINDOWS\avinimiqay.dll",Startup
  O4 - HKUS\S-1-5-18\..\Run: [notepad] rundll32.exe C:\DOCUME~1\LOCALS~1\ntload.dll,_IWMPEvents@0 (User 'SYSTEM')
  O4 - HKUS\S-1-5-18\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\WINDOWS\TEMP\win.exe (User 'SYSTEM')
  
  
  
• Press "Fix Checked"
  
• Close Hijack This.
  

Hello.

• Download combofix from here
  Link 1
  Link 2
  
  1. If you are using Firefox, make sure that your download settings are as follows:
  
  * Tools->Options->Main tab
  * Set to "Always ask me where to Save the files".
  
  2. During the download, rename Combofix to Combo-Fix as follows:
  
  
  
  
  
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  
  
• We need to disable your local AV (Anti-virus) before running Combofix.
  
• See HERE for how to disable your AV.
  
• Double click on ComboFix.exe.
  
• Follow the prompts. NOTE:
  
• ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
  ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
  
  **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  
  
  
• The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  
  
  
  
• Allow ComboFix to download the Recovery Console.
  
• Accept the End-User License Agreement.
  
• The Recovery Console will be installed.
  
• You will then get this next prompt that asks if you want to continue the malware scan, select yes
  
  
  
  
• Allow combofix to run
  
• Post C:\combofix.txt back here.
  
  Note:
  Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  

ComboFix 09-12-31.01 - Owner 12/31/2009 12:46:56.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.468 [GMT -5:00]
Running from: c:\documents and settings\Owner.YOUR-20CB7B5077\Desktop\Combo-Fix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-163167965-408290686-327467740-500
c:\windows\avinimiqay.dll
c:\windows\run.log
D:\Autorun.inf
J:\Autorun.inf

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IAS
-------\Legacy_WINSTS
-------\Service_Ias


((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-31 )))))))))))))))))))))))))))))))
.

2009-12-31 17:11 . 2009-12-31 17:11 -------- d-----w- c:\program files\TrendMicro
2009-12-31 05:29 . 2009-12-31 05:29 -------- d-----w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\Recordpad
2009-12-15 10:41 . 2009-12-30 19:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-15 10:41 . 2009-12-31 05:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-15 10:41 . 2009-12-30 19:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-11 02:14 . 2009-12-11 02:14 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-12-11 02:14 . 2009-12-20 22:28 -------- d-----w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\skypePM
2009-12-11 02:11 . 2009-12-20 23:55 -------- d-----w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\Skype
2009-12-11 02:10 . 2009-12-11 02:10 -------- d-----w- c:\program files\Common Files\Skype
2009-12-11 02:10 . 2009-12-11 02:11 -------- d-----r- c:\program files\Skype
2009-12-11 02:10 . 2009-12-11 02:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-12-05 02:01 . 2009-12-05 02:01 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-12-05 01:32 . 2009-12-05 01:32 237600 ----a-w- c:\windows\system32\drivers\str.sys.vir
2009-12-03 12:39 . 2009-12-03 12:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2009-12-03 12:07 . 2009-12-03 12:23 -------- d-----w- c:\program files\Enigma Software Group

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-31 18:04 . 2009-12-28 20:44 773120 ----a-w- c:\windows\system32\drivers\nunlj.sys
2009-12-31 17:11 . 2009-12-31 17:11 388096 ----a-r- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2009-12-31 14:59 . 2009-12-28 21:01 120 ----a-w- c:\windows\Vsakozoloce.dat
2009-12-31 06:23 . 2009-10-18 00:27 -------- d-----w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\FrostWire
2009-12-31 05:36 . 2009-12-31 05:36 5061520 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-31 05:24 . 2009-12-28 21:01 0 ----a-w- c:\windows\Ffazikuji.bin
2009-12-31 03:57 . 2009-12-31 03:52 -------- d-----w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\NCH Swift Sound
2009-12-31 03:53 . 2009-12-31 03:52 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2009-12-31 03:52 . 2009-12-18 01:50 -------- d-----w- c:\program files\NCH Swift Sound
2009-12-31 03:52 . 2009-12-31 03:52 -------- d-----w- c:\program files\NCH Software
2009-12-31 02:31 . 2009-10-25 02:51 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-22 01:31 . 2005-01-10 01:26 186704 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-16 23:46 . 2009-11-12 18:43 926 ----a-w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\wklnhst.dat
2009-12-05 03:22 . 2009-10-18 01:37 -------- d-----w- c:\program files\McAfee
2009-12-05 03:22 . 2009-10-18 01:37 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-11-28 02:02 . 2009-10-24 00:37 -------- d-----w- c:\program files\Yahoo!
2009-11-28 02:01 . 2009-10-18 01:14 -------- d-----w- c:\program files\Google
2009-11-20 00:14 . 2009-11-20 00:14 726008 ----a-w- c:\documents and settings\Owner.YOUR-20CB7B5077\gotomypc_438.exe
2009-11-19 01:09 . 2009-10-18 23:14 -------- d-----w- c:\program files\FrostWire
2009-11-19 00:53 . 2009-11-19 00:53 -------- d-----w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\IsolatedStorage
2009-11-15 16:55 . 2009-11-15 16:48 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-11-15 16:52 . 2009-10-18 01:28 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-15 16:50 . 2009-11-15 16:50 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-11-15 16:49 . 2009-11-15 16:49 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-11-14 20:32 . 2009-11-14 20:32 -------- d-----w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\Elluminate
2009-11-14 20:32 . 2009-11-14 20:32 74240 ----a-w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\Sun\Java\Deployment\cache\6.0\36\2c690564-5eecdd80-n\JINECELP.dll
2009-11-14 20:32 . 2009-11-14 20:32 73216 ----a-w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\Sun\Java\Deployment\cache\6.0\36\2c690564-5eecdd80-n\JIWAudio.dll
2009-11-14 20:32 . 2009-11-14 20:32 66048 ----a-w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\Sun\Java\Deployment\cache\6.0\36\2c690564-5eecdd80-n\JIWMixer.dll
2009-11-14 20:32 . 2009-11-14 20:32 65536 ----a-w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\Sun\Java\Deployment\cache\6.0\47\442eef-364e1f84-n\ICE_JNIRegistry.dll
2009-11-14 20:32 . 2009-11-14 20:32 60928 ----a-w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\Sun\Java\Deployment\cache\6.0\47\442eef-364e1f84-n\WinPlatform.dll
2009-11-13 03:17 . 2009-11-13 03:17 136 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
2009-11-13 03:16 . 2009-11-13 03:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-11-13 01:15 . 2009-11-04 03:18 -------- d-----w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\DivX
2009-11-12 18:43 . 2009-11-12 18:43 -------- d-----w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\Template
2009-11-10 02:54 . 2009-11-10 02:54 -------- d-----w- c:\program files\MSECache
2009-11-04 02:48 . 2009-10-25 02:45 -------- d-----w- c:\program files\Sony Setup
2009-11-04 02:39 . 2009-11-01 09:55 -------- d-----w- c:\program files\DivX
2009-11-04 02:39 . 2009-11-04 02:36 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-10-29 07:45 . 2006-09-30 03:36 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2006-09-30 03:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2006-09-30 03:30 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2006-09-30 03:30 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-18 23:43 . 2009-10-18 23:43 0 ----a-w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\FrostWire\.NetworkShare\Incomplete\T-4506256-LimeWireWin4.16.6.exe
2009-10-18 23:13 . 2009-10-18 23:14 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-18 23:13 . 2009-10-18 23:13 152576 ----a-w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-10-18 19:09 . 2005-01-10 01:10 86811 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-10-18 01:32 . 2009-10-18 02:05 49152 ----a-r- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut3_15377C3E9655400FB441E69F0A6BEAFE.EXE
2009-10-18 01:32 . 2009-10-18 02:05 45056 ----a-r- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut2_15377C3E9655400FB441E69F0A6BEAFE.EXE
2009-10-18 01:32 . 2009-10-18 02:05 45056 ----a-r- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut1_15377C3E9655400FB441E69F0A6BEAFE.exe
2009-10-18 01:32 . 2009-10-18 02:05 10134 ----a-r- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\ARPPRODUCTICON.exe
2009-10-18 01:32 . 2009-10-18 02:04 49152 ----a-r- c:\windows\system32\config\systemprofile\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut3_15377C3E9655400FB441E69F0A6BEAFE.EXE
2009-10-18 01:32 . 2009-10-18 02:04 45056 ----a-r- c:\windows\system32\config\systemprofile\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut2_15377C3E9655400FB441E69F0A6BEAFE.EXE
2009-10-18 01:32 . 2009-10-18 02:04 45056 ----a-r- c:\windows\system32\config\systemprofile\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut1_15377C3E9655400FB441E69F0A6BEAFE.exe
2009-10-18 01:32 . 2009-10-18 02:04 10134 ----a-r- c:\windows\system32\config\systemprofile\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\ARPPRODUCTICON.exe
2009-10-18 01:32 . 2009-10-18 01:32 49152 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut3_15377C3E9655400FB441E69F0A6BEAFE.EXE
2009-10-18 01:32 . 2009-10-18 01:32 45056 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut2_15377C3E9655400FB441E69F0A6BEAFE.EXE
2009-10-18 01:32 . 2009-10-18 01:32 45056 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut1_15377C3E9655400FB441E69F0A6BEAFE.exe
2009-10-18 01:32 . 2009-10-18 01:32 10134 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\ARPPRODUCTICON.exe
2009-10-18 01:31 . 2009-10-18 01:31 8552 ----a-w- c:\windows\system32\drivers\asctrm.sys
2009-10-18 01:30 . 2009-10-18 01:30 335 ----a-w- c:\windows\nsreg.dat
2009-10-18 01:28 . 2009-10-18 01:28 4 ----a-w- c:\windows\Pix11.dat
2009-10-17 23:18 . 2009-10-17 23:18 144 ----a-w- c:\documents and settings\Owner.YOUR-20CB7B5077\Local Settings\Application Data\fusioncache.dat
2009-10-13 10:30 . 2006-09-30 03:34 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2006-09-30 03:35 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2006-09-30 03:35 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-10 07:07 . 2009-11-15 16:50 38208 ----a-w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2009-09-19 01:09 574096 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2009-09-19 01:09 574096 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2009-09-19 01:09 574096 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-10-18 169984]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-10 139264]
"RTHDCPL"="RTHDCPL.EXE" [2006-01-12 15961088]
"CHotkey"="zHotkey.exe" [2004-12-09 550912]
"HostManager"="c:\program files\Common Files\AOL\1255829409\EE\AOLHostManager.exe" [2004-11-03 125528]
"AOL Spyware Protection"="c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-10-19 79448]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"MSKAGENTEXE"="c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-09-26 110592]
"MSKDetectorExe"="c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-08-12 1121792]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"McAfee Backup"="c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2009-07-09 5134864]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-10-18 98304]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2009-09-19 670864]
"Recordpad"="c:\program files\NCH Swift Sound\Recordpad\recordpad.exe" [2009-12-31 913412]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]

c:\documents and settings\Owner.YOUR-20CB7B5077\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McRegWiz]
2005-06-01 21:05 368714 ----a-w- c:\progra~1\McAfee.com\Agent\mcregwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1255829409\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Toolbars\\Shared\\SkypeNames.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcvsshld.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

S3 ndisdrv;ndisdrv;\??\c:\windows\system32\ndisdrv.sys --> c:\windows\system32\ndisdrv.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - nunlj
.
Contents of the 'Scheduled Tasks' folder

2009-12-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1987120589-1196514716-1893015011-1006Core.job
- c:\documents and settings\Owner.YOUR-20CB7B5077\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-22 05:49]

2009-10-18 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-18 16:22]

2009-10-18 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-18 16:22]

2009-12-31 c:\windows\Tasks\User_Feed_Synchronization-{81066519-6634-4B8E-9960-EDDCCAEC4BB9}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = www.comcast.net/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\Mozilla\Firefox\Profiles\12ryfjfj.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Owner.YOUR-20CB7B5077\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\McAfee\Supportability\MVT\NPMVTPlugin.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - hȋdden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-VirusScan Online - \mcvsshld.exe
HKLM-Run-Dyawucucaqiqeje - c:\windows\avinimiqay.dll
SafeBoot-aawservice
MSConfigStartUp-notepad - c:\windows\system32\notepad.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-31 13:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

scanning hȋdden files ...

scan completed successfully
hȋdden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\nunlj]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,19,13,4e,3c,40,f6,28,40,98,53,a7,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,19,13,4e,3c,40,f6,28,40,98,53,a7,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(620)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3216)
c:\windows\system32\WININET.dll
c:\progra~1\McAfee\SPAMKI~1\mskoeplg.dll
c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
c:\program files\Google\Google Desktop Search\GoogleDesktopHyper.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Common Files\aolshare\aolshcpy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\program files\Carbonite\Carbonite Backup\carboniteservice.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\windows\system32\Ati2evxx.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\progra~1\McAfee\SPAMKI~1\MSKSrvr.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\ehome\mcrdsvc.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\dllhost.exe
c:\windows\RTHDCPL.EXE
c:\windows\zHotkey.exe
c:\windows\eHome\ehmsas.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopIndex.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
c:\progra~1\COMMON~1\AOL\125582~1\EE\AOLHOS~1.EXE
c:\progra~1\COMMON~1\AOL\125582~1\EE\AOLServiceHost.exe
c:\program files\McAfee\MPF\MPFSrv.exe
.
**************************************************************************
.
Completion time: 2009-12-31 13:08:45 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-31 18:08

Pre-Run: 214,563,799,040 bytes free
Post-Run: 214,661,099,520 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 2CE3F5DA9852430610EA2A5B4742EFEA

Working on the next part.

Just to let you know, after Combofix did its thing and the computer restarted, I got a rundll error involving "avinimiqay.dll"

Last edited by Hardykat on 31st December 2009, 6:58 pm; edited 1 time in total

ComboFix 09-12-31.01 - Owner 12/31/2009 13:34:15.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.398 [GMT -5:00]
Running from: c:\documents and settings\Owner.YOUR-20CB7B5077\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Owner.YOUR-20CB7B5077\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\windows\Ffazikuji.bin"
"c:\windows\system32\drivers\nunlj.sys"
"c:\windows\system32\drivers\str.sys.vir"
"c:\windows\Vsakozoloce.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Ffazikuji.bin
c:\windows\system32\drivers\nunlj.sys
c:\windows\system32\drivers\str.sys.vir
c:\windows\Vsakozoloce.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NDISDRV
-------\Legacy_NUNLJ
-------\Service_ndisdrv
-------\Service_nunlj


((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-31 )))))))))))))))))))))))))))))))
.

2009-12-31 18:32 . 2009-12-31 18:32 -------- d-----w- C:\32788R22FWJFW
2009-12-31 17:11 . 2009-12-31 17:11 -------- d-----w- c:\program files\TrendMicro
2009-12-31 05:29 . 2009-12-31 05:29 -------- d-----w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\Recordpad
2009-12-31 03:52 . 2009-12-31 03:52 -------- d-----w- c:\program files\NCH Software
2009-12-31 03:52 . 2009-12-31 03:57 -------- d-----w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\NCH Swift Sound
2009-12-31 03:52 . 2009-12-31 03:53 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2009-12-30 03:04 . 2009-12-30 03:04 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-12-28 21:40 . 2009-12-28 21:40 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-12-28 20:51 . 2009-12-28 20:51 -------- d-----w- C:\found.000
2009-12-18 01:50 . 2009-12-31 03:52 -------- d-----w- c:\program files\NCH Swift Sound
2009-12-15 10:41 . 2009-12-30 19:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-15 10:41 . 2009-12-31 05:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-15 10:41 . 2009-12-30 19:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-11 02:14 . 2009-12-11 02:14 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-12-11 02:14 . 2009-12-20 22:28 -------- d-----w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\skypePM
2009-12-11 02:11 . 2009-12-20 23:55 -------- d-----w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\Skype
2009-12-11 02:10 . 2009-12-11 02:10 -------- d-----w- c:\program files\Common Files\Skype
2009-12-11 02:10 . 2009-12-11 02:11 -------- d-----r- c:\program files\Skype
2009-12-11 02:10 . 2009-12-11 02:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-12-05 02:01 . 2009-12-05 02:01 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-12-03 12:39 . 2009-12-03 12:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2009-12-03 12:07 . 2009-12-03 12:23 -------- d-----w- c:\program files\Enigma Software Group

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-31 17:11 . 2009-12-31 17:11 388096 ----a-r- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2009-12-31 06:23 . 2009-10-18 00:27 -------- d-----w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\FrostWire
2009-12-31 05:36 . 2009-12-31 05:36 5061520 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-31 02:31 . 2009-10-25 02:51 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-22 01:31 . 2005-01-10 01:26 186704 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-16 23:46 . 2009-11-12 18:43 926 ----a-w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\wklnhst.dat
2009-12-05 03:22 . 2009-10-18 01:37 -------- d-----w- c:\program files\McAfee
2009-12-05 03:22 . 2009-10-18 01:37 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-11-28 02:02 . 2009-10-24 00:37 -------- d-----w- c:\program files\Yahoo!
2009-11-28 02:01 . 2009-10-18 01:14 -------- d-----w- c:\program files\Google
2009-11-20 00:14 . 2009-11-20 00:14 726008 ----a-w- c:\documents and settings\Owner.YOUR-20CB7B5077\gotomypc_438.exe
2009-11-19 01:09 . 2009-10-18 23:14 -------- d-----w- c:\program files\FrostWire
2009-11-19 00:53 . 2009-11-19 00:53 -------- d-----w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\IsolatedStorage
2009-11-15 16:55 . 2009-11-15 16:48 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-11-15 16:52 . 2009-10-18 01:28 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-15 16:50 . 2009-11-15 16:50 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-11-15 16:49 . 2009-11-15 16:49 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-11-14 20:32 . 2009-11-14 20:32 -------- d-----w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\Elluminate
2009-11-14 20:32 . 2009-11-14 20:32 74240 ----a-w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\Sun\Java\Deployment\cache\6.0\36\2c690564-5eecdd80-n\JINECELP.dll
2009-11-14 20:32 . 2009-11-14 20:32 73216 ----a-w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\Sun\Java\Deployment\cache\6.0\36\2c690564-5eecdd80-n\JIWAudio.dll
2009-11-14 20:32 . 2009-11-14 20:32 66048 ----a-w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\Sun\Java\Deployment\cache\6.0\36\2c690564-5eecdd80-n\JIWMixer.dll
2009-11-14 20:32 . 2009-11-14 20:32 65536 ----a-w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\Sun\Java\Deployment\cache\6.0\47\442eef-364e1f84-n\ICE_JNIRegistry.dll
2009-11-14 20:32 . 2009-11-14 20:32 60928 ----a-w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\Sun\Java\Deployment\cache\6.0\47\442eef-364e1f84-n\WinPlatform.dll
2009-11-13 03:17 . 2009-11-13 03:17 136 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
2009-11-13 03:16 . 2009-11-13 03:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-11-13 01:15 . 2009-11-04 03:18 -------- d-----w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\DivX
2009-11-12 18:43 . 2009-11-12 18:43 -------- d-----w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\Template
2009-11-10 02:54 . 2009-11-10 02:54 -------- d-----w- c:\program files\MSECache
2009-11-04 02:48 . 2009-10-25 02:45 -------- d-----w- c:\program files\Sony Setup
2009-11-04 02:39 . 2009-11-01 09:55 -------- d-----w- c:\program files\DivX
2009-11-04 02:39 . 2009-11-04 02:36 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-10-29 07:45 . 2006-09-30 03:36 916480 ------w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2006-09-30 03:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2006-09-30 03:30 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2006-09-30 03:30 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-18 23:43 . 2009-10-18 23:43 0 ----a-w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\FrostWire\.NetworkShare\Incomplete\T-4506256-LimeWireWin4.16.6.exe
2009-10-18 23:13 . 2009-10-18 23:14 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-18 23:13 . 2009-10-18 23:13 152576 ----a-w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-10-18 19:09 . 2005-01-10 01:10 86811 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-10-18 01:32 . 2009-10-18 02:05 49152 ----a-r- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut3_15377C3E9655400FB441E69F0A6BEAFE.EXE
2009-10-18 01:32 . 2009-10-18 02:05 45056 ----a-r- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut2_15377C3E9655400FB441E69F0A6BEAFE.EXE
2009-10-18 01:32 . 2009-10-18 02:05 45056 ----a-r- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut1_15377C3E9655400FB441E69F0A6BEAFE.exe
2009-10-18 01:32 . 2009-10-18 02:05 10134 ----a-r- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\ARPPRODUCTICON.exe
2009-10-18 01:32 . 2009-10-18 02:04 49152 ----a-r- c:\windows\system32\config\systemprofile\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut3_15377C3E9655400FB441E69F0A6BEAFE.EXE
2009-10-18 01:32 . 2009-10-18 02:04 45056 ----a-r- c:\windows\system32\config\systemprofile\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut2_15377C3E9655400FB441E69F0A6BEAFE.EXE
2009-10-18 01:32 . 2009-10-18 02:04 45056 ----a-r- c:\windows\system32\config\systemprofile\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut1_15377C3E9655400FB441E69F0A6BEAFE.exe
2009-10-18 01:32 . 2009-10-18 02:04 10134 ----a-r- c:\windows\system32\config\systemprofile\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\ARPPRODUCTICON.exe
2009-10-18 01:32 . 2009-10-18 01:32 49152 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut3_15377C3E9655400FB441E69F0A6BEAFE.EXE
2009-10-18 01:32 . 2009-10-18 01:32 45056 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut2_15377C3E9655400FB441E69F0A6BEAFE.EXE
2009-10-18 01:32 . 2009-10-18 01:32 45056 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut1_15377C3E9655400FB441E69F0A6BEAFE.exe
2009-10-18 01:32 . 2009-10-18 01:32 10134 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\ARPPRODUCTICON.exe
2009-10-18 01:31 . 2009-10-18 01:31 8552 ----a-w- c:\windows\system32\drivers\asctrm.sys
2009-10-18 01:30 . 2009-10-18 01:30 335 ----a-w- c:\windows\nsreg.dat
2009-10-18 01:28 . 2009-10-18 01:28 4 ----a-w- c:\windows\Pix11.dat
2009-10-17 23:18 . 2009-10-17 23:18 144 ----a-w- c:\documents and settings\Owner.YOUR-20CB7B5077\Local Settings\Application Data\fusioncache.dat
2009-10-13 10:30 . 2006-09-30 03:34 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2006-09-30 03:35 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2006-09-30 03:35 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-10 07:07 . 2009-11-15 16:50 38208 ----a-w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2009-09-19 01:09 574096 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2009-09-19 01:09 574096 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2009-09-19 01:09 574096 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-10-18 169984]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-10 139264]
"RTHDCPL"="RTHDCPL.EXE" [2006-01-12 15961088]
"CHotkey"="zHotkey.exe" [2004-12-09 550912]
"HostManager"="c:\program files\Common Files\AOL\1255829409\EE\AOLHostManager.exe" [2004-11-03 125528]
"AOL Spyware Protection"="c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-10-19 79448]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"MSKAGENTEXE"="c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-09-26 110592]
"MSKDetectorExe"="c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-08-12 1121792]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"McAfee Backup"="c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2009-07-09 5134864]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-10-18 98304]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2009-09-19 670864]
"Recordpad"="c:\program files\NCH Swift Sound\Recordpad\recordpad.exe" [2009-12-31 913412]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]

c:\documents and settings\Owner.YOUR-20CB7B5077\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McRegWiz]
2005-06-01 21:05 368714 ----a-w- c:\progra~1\McAfee.com\Agent\mcregwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1255829409\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Toolbars\\Shared\\SkypeNames.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcvsshld.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

.
Contents of the 'Scheduled Tasks' folder

2009-12-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1987120589-1196514716-1893015011-1006Core.job
- c:\documents and settings\Owner.YOUR-20CB7B5077\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-22 05:49]

2009-10-18 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-18 16:22]

2009-10-18 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-18 16:22]

2009-12-31 c:\windows\Tasks\User_Feed_Synchronization-{81066519-6634-4B8E-9960-EDDCCAEC4BB9}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = www.comcast.net/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\Mozilla\Firefox\Profiles\12ryfjfj.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Owner.YOUR-20CB7B5077\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\McAfee\Supportability\MVT\NPMVTPlugin.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - hȋdden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-31 13:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

scanning hȋdden files ...

scan completed successfully
hȋdden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,19,13,4e,3c,40,f6,28,40,98,53,a7,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,19,13,4e,3c,40,f6,28,40,98,53,a7,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(608)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3732)
c:\windows\system32\WININET.dll
c:\progra~1\McAfee\SPAMKI~1\mskoeplg.dll
c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
c:\program files\Google\Google Desktop Search\GoogleDesktopHyper.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Common Files\aolshare\aolshcpy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\program files\Carbonite\Carbonite Backup\carboniteservice.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\progra~1\McAfee\SPAMKI~1\MSKSrvr.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\RTHDCPL.EXE
c:\windows\zHotkey.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopIndex.exe
c:\windows\eHome\ehmsas.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
c:\progra~1\COMMON~1\AOL\125582~1\EE\AOLHOS~1.EXE
c:\progra~1\COMMON~1\AOL\125582~1\EE\AOLServiceHost.exe
c:\program files\McAfee\MPF\MPFSrv.exe
.
**************************************************************************
.
Completion time: 2009-12-31 13:50:57 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-31 18:50
ComboFix2.txt 2009-12-31 18:08

Pre-Run: 214,677,671,936 bytes free
Post-Run: 214,623,887,360 bytes free

- - End Of File - - 28BC2E73573A2147AFB4D5961FF6499F

Okay, nearly done.

• Open HijackThis.
  
• When Hijack This opens, click "Open the Misc Tools section"
  
• Then select "Open Uninstall Manager"
  
• Click on "Save List..." (generates uninstall_list.txt)
  
• Click Save, copy and paste the results in your next post.
  

Acrobat.com
Acrobat.com
Adobe AIR
Adobe AIR
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 9.2
Adobe Stock Photos 1.0
Agere Systems PCI-SV92PP Soft Modem
America Online (Choose which version to remove)
AOL Coach Version 2.0(Build:20041026.5 en)
AOL Connectivity Services
AOL Instant Messenger
AOL Spyware Protection
AOL You've Got Pictures Screensaver
ATI - Software Uninstall Utility
ATI Display Driver
ATI Parental Control & Encoder
Browser Address Error Redirector
Carbonite
Compatibility Pack for the 2007 Office system
Digital Media Reader
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Web Player
DVD Solution
FrostWire 4.18.4
Google Desktop
gtw_logo
High Definition Audio Driver Package - KB888111
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 10 (KB910393)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
J2SE Runtime Environment 5.0 Update 2
Java(TM) 6 Update 15
ljArchive
Macromedia Dreamweaver 8
Macromedia Extension Manager
Malwarebytes' Anti-Malware
McAfee SecurityCenter
McAfee Uninstall Wizard
McAfee Virtual Technician
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Digital Image Starter Edition 2006
Microsoft Money 2006
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
middle_man
MixPad Audio Mixer
Mozilla Firefox (3.5.6)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Multimedia Keyboard Driver
Napster
Napster Burn Engine
Photo Story 3 for Windows
Power2Go 4.0
PowerDVD
Pure Networks Port Magic
QuickTime
RealPlayer Basic
Realtek High Definition Audio Driver
RecordPad Sound Recorder
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Skype web features
Skype 4.1
Sonic Encoders
Sony Vegas Pro 8.0
Switch Sound File Converter
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB973874)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows XP (KB951978)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
VC80CRTRedist - 8.0.50727.4053
Viewpoint Media Player
WavePad Sound Editor
Windows Backup Utility
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Media Center Edition 2005 KB925766
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
WinRAR archiver
Yahoo! Messenger
Yahoo! Software Update
YouTube Downloader 2.5.3

Hello.

I see that you are running Frostwire.
P2P(Peer to peer) applications are designed to help you easily share and distribute files between you and a group of people. But they can also be used to distribute malware, and thus are not considered safe.
The removal of these programs is optional, but highly recommended.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

FrostWire 4.18.4
J2SE Runtime Environment 5.0 Update 2
Java(TM) 6 Update 15
Viewpoint Media Player

Updating Java:

• Download the latest version of Java SE Runtime Environment (JRE) 6 Update 17.
  
• Select the second option where it says "This special release provides a few key fixes.".
  
• Click the "Download" button to the right.
  
• In the Window that opens, select your platform, check the "agree" box, and click Continue.
  
• Click on the link to download Windows Offline Installation and save to your desktop.
  
• Close any programs you may have running - especially your web browser.
  
• Then from your desktop double-click on jre-6u17-windows-i586.exe that you downloaded to install the newest version.
  

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

How is the machine running now?

It's running great now!

This should be fine now.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/
I also recommand the following add-ons for Firefox, they will help keep you safe from malicious scripts or activeX exploits.
https://addons.mozilla.org/en-US/firefox/addon/722
https://addons.mozilla.org/en-US/firefox/addon/1865
https://addons.mozilla.org/en-US/firefox/addon/433

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please considering using this free software program that will check for program updates.
Update Checker

5) Finally, consider maintaining a firewall. Some good free firewalls are Kerio, or
Outpost
A tutorial on understanding and using firewalls may be found here.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found here.

Hopefully this should take care of your problems! Good luck.