GeekPolice
Trojan: Win32/Alureon.CO
Windows Defender has removed this virus; however, it will reappear, and WinDefender will open a warning window when I open IE8.
  • Internet searches will redirect to unrelated sites
  • Windows Update will produce "Internet Explorer cannot display the webpage"
  • Malwarebytes update, from within the program, produces Error Code: 732(12007.0)
  • Malwarebytes.org produces the "Internet Explorer cannot display the webpage"

I've downloaded ComboFix and will post the log in the next post.

Re: Trojan: Win32/Alureon.CO
ComboFix 10-02-12.01 - Michael Sherman 02/14/2010 14:46:19.5.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.778 [GMT -5:00]
Running from: c:\documents and settings\Michael Sherman\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2010-01-14 to 2010-02-14 )))))))))))))))))))))))))))))))
.

2010-02-14 01:34 . 2010-02-14 01:34 -------- d-----w- c:\program files\IObit
2010-02-14 01:34 . 2010-02-14 01:34 -------- d-----w- c:\documents and settings\Michael Sherman\Application Data\IObit
2010-02-14 01:14 . 2010-02-14 01:33 -------- d-----w- c:\documents and settings\Michael Sherman\Application Data\Error Fix
2010-02-14 01:13 . 2010-02-14 01:33 -------- d-----w- c:\program files\Error Fix
2010-02-13 22:27 . 2010-02-13 22:27 -------- d-----w- c:\documents and settings\Michael Sherman\Application Data\Malwarebytes
2010-02-13 22:27 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-13 22:27 . 2010-02-13 22:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-13 22:27 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-13 22:27 . 2010-02-13 22:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-13 17:48 . 2010-02-13 17:48 388096 ----a-r- c:\documents and settings\Michael Sherman\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-02-13 17:48 . 2010-02-13 17:48 -------- d-----w- c:\program files\TrendMicro
2010-02-13 16:38 . 2010-02-13 16:40 -------- d-----w- c:\program files\Windows Live Safety Center
2010-01-27 11:36 . 2010-01-27 11:36 503808 ----a-w- c:\documents and settings\Michael Sherman\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-551d42c3-n\msvcp71.dll
2010-01-27 11:36 . 2010-01-27 11:36 499712 ----a-w- c:\documents and settings\Michael Sherman\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-551d42c3-n\jmc.dll
2010-01-27 11:36 . 2010-01-27 11:36 348160 ----a-w- c:\documents and settings\Michael Sherman\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-551d42c3-n\msvcr71.dll
2010-01-27 11:36 . 2010-01-27 11:36 61440 ----a-w- c:\documents and settings\Michael Sherman\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-5ed44dd9-n\decora-sse.dll
2010-01-27 11:36 . 2010-01-27 11:36 12800 ----a-w- c:\documents and settings\Michael Sherman\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-5ed44dd9-n\decora-d3d.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-14 14:16 . 2007-11-26 23:16 -------- d-----w- c:\program files\LogMeIn
2010-02-14 02:19 . 2004-03-12 10:45 -------- d-----w- c:\program files\Google
2010-02-13 21:04 . 2003-12-02 21:10 130512 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-13 18:09 . 2007-06-12 12:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-02-13 17:26 . 2008-04-11 09:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-01-27 11:36 . 2003-12-02 20:48 -------- d-----w- c:\program files\Common Files\Java
2010-01-27 11:36 . 2003-12-02 20:48 -------- d-----w- c:\program files\Java
2010-01-21 02:38 . 2009-06-14 13:22 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-14 16:12 . 2009-10-03 12:11 181120 ------w- c:\windows\system32\MpSigStub.exe
2009-12-25 19:22 . 2009-12-25 19:22 -------- d-----w- c:\program files\Microsoft LifeCam
2009-12-21 19:14 . 2004-02-06 22:05 916480 ------w- c:\windows\system32\wininet.dll
2009-12-17 22:14 . 2008-12-19 11:08 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-14 19:15 . 2009-12-14 19:15 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-11-26 00:35 . 2003-03-19 03:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-11-21 15:51 . 2002-08-29 11:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-18 12:07 . 2009-11-18 12:07 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
2009-11-18 11:59 . 2009-11-18 11:59 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2002-08-29 11:00 . 2002-08-29 11:00 94784 --sh--w- c:\windows\TWAIN.DLL
2008-04-14 00:12 . 2002-08-29 11:00 50688 --sha-w- c:\windows\twain_32.dll
2006-07-16 02:35 . 2006-02-11 15:38 848 --sha-w- c:\windows\SYSTEM32\KGyGaAvL.sys
2008-04-14 00:12 . 2002-08-29 11:00 57344 --sha-w- c:\windows\SYSTEM32\msvcirt.dll
2008-04-14 00:12 . 2002-08-29 11:00 11776 --sh--w- c:\windows\SYSTEM32\regsvr32.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-02-14_15.38.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-14 18:13 . 2010-02-14 18:13 16384 c:\windows\temp\Perflib_Perfdata_874.dat
+ 2010-02-14 18:12 . 2010-02-14 18:12 16384 c:\windows\temp\Perflib_Perfdata_5f8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-14 20:07 1004800 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Michael Sherman\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-14 133104]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2010-02-08 2343632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 63048]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2008-07-21 169312]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-10-03 39792]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2008-06-10 1442888]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"nwiz"="nwiz.exe" [2008-05-16 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2009-07-24 118640]
"VX3000"="c:\windows\vVX3000.exe" [2009-07-24 762208]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-08-11 249856]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-12 2043160]

c:\documents and settings\Michael Sherman\Start Menu\Programs\Startup\
HotSync Manager.LNK - c:\program files\Palm\HOTSYNC.EXE [2003-2-28 299008]
Launch Microsoft Office Outlook.lnk - c:\program files\Microsoft Office\OFFICE11\OUTLOOK.EXE [2009-6-22 196424]
Winter Fun Wallpaper Changer.lnk - c:\documents and settings\Michael Sherman\Application Data\Microsoft\Installer\{347D1603-FA83-4B2C-B504-8BC1FF59DB50}\Icon347D1603.exe [2006-12-29 7168]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2006-7-16 221295]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-11 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-24 12:03 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-06-15 22:15 16680 ----a-w- c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-10-02 10:39 87352 ----a-w- c:\windows\SYSTEM32\LMIinit.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Yahoo! Autosync.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Yahoo! Autosync.lnk
backup=c:\windows\pss\Yahoo! Autosync.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Michael Sherman^Start Menu^Programs^Startup^MEMonitor.lnk]
path=c:\documents and settings\Michael Sherman\Start Menu\Programs\Startup\MEMonitor.lnk
backup=c:\windows\pss\MEMonitor.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CXMon]
2001-08-09 22:06 45056 ----a-w- c:\program files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagent]
2002-04-03 07:01 135264 ----a-w- c:\program files\Creative\SBLive\Diagnostics\diagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 21:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-08-11 21:30 249856 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-08-11 21:30 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-10-29 01:21 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2008-05-16 18:01 1630208 ----a-w- c:\windows\SYSTEM32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2003-08-27 01:47 204800 ------w- c:\program files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickFinder Scheduler]
2003-07-09 17:07 77887 ----a-w- c:\program files\WordPerfect Office 11\Programs\QFSCHD110.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 05:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
2003-08-19 06:01 110592 ----a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon_McciTrayApp]
2009-03-10 18:57 1553920 ----a-w- c:\program files\Verizon\McciTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MDM"=2 (0x2)
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Brother XP spl Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell Computer\\Dell Picture Studio v2.0\\launch.exe"=
"c:\\Program Files\\ScanSoft\\OmniPageSE\\EregEng\\NAVBrowser.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\SYSTEM32\\spoolsv.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqiscfg.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [11/23/2008 9:10 AM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [4/21/2009 5:52 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2/1/2009 10:04 AM 297752]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/3/2007 3:09 PM 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\SYSTEM32\DRIVERS\LMIRfsDriver.sys [11/26/2007 6:16 PM 47640]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/18/2009 5:59 PM 135664]
S3 CamdDriverV32;CamdDriverV32;c:\windows\SYSTEM32\DRIVERS\CamdDriverV32.sys [9/6/2008 5:10 PM 23096]
S3 CamdVideo32;CamdVideo32;c:\windows\SYSTEM32\DRIVERS\CamdVideo32.sys [9/6/2008 5:10 PM 3768]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
Contents of the 'Scheduled Tasks' folder

2010-02-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]

2010-02-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-18 22:59]

2010-02-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-18 22:59]

2010-02-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-135888775-303427709-2599636237-1009Core.job
- c:\documents and settings\Michael Sherman\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-14 10:56]

2010-02-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-135888775-303427709-2599636237-1009UA.job
- c:\documents and settings\Michael Sherman\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-14 10:56]

2003-12-09 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2002-08-29 00:12]

2010-02-14 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]

2010-02-14 c:\windows\Tasks\User_Feed_Synchronization-{76548F64-C2BB-4246-BD00-619A8410E91C}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: MasterCook: Select Image - c:\program files\MasterCook 9\Web\MCIEContext.hta
Trusted Zone: sarasotaorchestra.org\tickets
TCP: {255F4A49-1AFF-452A-BC3D-600E3EAF53A8} = 93.188.163.32,93.188.166.77
TCP: {5381BB17-BF4D-455D-A4C4-783FD999BA85} = 93.188.163.32,93.188.166.77
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.8.3/GarminAxControl.CAB
DPF: {02466323-75ED-11CF-A267-0020AF2546EA} - hxxp://www.iicm.edu/hw_mm/data/vivo/vvweb.cab
DPF: {036F8A56-0BC8-4607-8F98-D3231E6FF5ED} - hxxp://bbtraining.blackbaud.com/SiteRoots/main/Install/win32/CentraUpdaterAx.cab
DPF: {0F026C11-5A66-4C2B-87B5-88DDEBAE72A1} - hxxps://tickets.fwcs.org/admin/OCX/VSFLEX8L.OCX
FF - ProfilePath - c:\documents and settings\Michael Sherman\Application Data\Mozilla\Firefox\Profiles\08jcqc98.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avgb&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\Michael Sherman\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-14 14:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys atapi.sys >>UNKNOWN [0x8A60D8C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf763bf28
\Driver\ACPI -> ACPI.sys @ 0xf75aecb8
\Driver\atapi -> atapi.sys @ 0xf74a3b3a
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
NDIS: Intel(R) PRO/100 VE Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf787fbb0
PacketIndicateHandler -> NDIS.sys @ 0xf786ea0d
SendHandler -> NDIS.sys @ 0xf7882b40
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{28E9A2DF-E65E-D85A-85759F1A85229B2E}\{8098DB1F-177D-3A31-208A24FCBB357FA9}\{15CEB269-F259-C879-5DE6F8EB9C542703}*]
"G2ODBCSUISDKL2GJMZO1MJ5AUG1"=hex:01,00,01,00,00,00,00,00,9d,07,c2,9d,25,58,3c,
a7,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{2F2ED127-9180-E0E9-DD82A3EA97D23C2D}\{BC7AD397-E62C-4E1A-5A858785C5B4F8B7}\{1CB4FE78-537A-1AF0-DBD366375A0DFAF2}*]
"2EQJ2Z3RJDTDB2HBN4IWIN4ITC1"=hex:01,00,01,00,00,00,00,00,50,18,12,ae,1d,3d,93,
38,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{40886FA5-87BC-FDA7-0C1FAC01C243999B}\{19E564B2-522B-7AA8-1ACCCD0705265332}\{1F2DE655-6E2E-2DD5-8638E8D01A513D14}*]
"QR1ILJL5ACMYH2P3FXOAHPVAQE1"=hex:01,00,01,00,00,00,00,00,e3,c2,76,29,f1,92,b8,
65,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{48FFDBC0-65F5-8101-E6A5E6DD5D6987D3}\{27CA9EF6-7C20-BA5C-F1E964FD391A5DCD}\{EF53C495-2C8A-F63D-BE87F6505A64DD38}*]
"AXBBEZDR5GG1RHH1SV4GCUI36H1"=hex:01,00,01,00,00,00,00,00,ea,70,b2,10,82,71,5d,
44,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5B0B6C35-3AEA-9EAE-179EBB09B20EA2F1}\{75565C86-DCE5-4077-B0F3502E93E7104E}\{6B409343-0D15-4A1C-46DBD99A1375331F}*]
"TU4WOU1J6ARI5KX1FANSH3C1OF1"=hex:01,00,01,00,00,00,00,00,3d,cd,b7,46,4e,75,8f,
24,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5C082286-DD56-6B96-110FABAC317C22E3}\{17077DA0-F2D9-EF48-DBC13F521337D931}\{A783887F-564D-BBBA-662193019693FEBC}*]
"LQP5ZPUUKXNMDKQUSVXO5P66YE1"=hex:01,00,01,00,00,00,00,00,14,69,e6,a8,43,8f,2a,
a0,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{9F5A92A2-B329-46CC-1B7090FE4262F142}\{3D41E9B5-DA3D-E370-0314048CD4A11D7E}\{F612533D-2F2D-C745-8F22D9CBAAB0FDB6}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,c2,ae,a4,
08,47,09,f7,67,a9,4c,9b,bf,8e,5c,2f,c9,53,6b,1c,a0,11,92,2f,5e,81,48,a4,aa,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(860)
c:\program files\Citrix\GoToAssist\570\G2AWinLogon.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'explorer.exe'(2660)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2010-02-14 14:58:56
ComboFix-quarantined-files.txt 2010-02-14 19:58
ComboFix2.txt 2010-02-14 18:26
ComboFix3.txt 2010-02-14 17:27
ComboFix4.txt 2010-02-14 16:16
ComboFix5.txt 2010-02-14 19:45

Pre-Run: 71,940,546,560 bytes free
Post-Run: 71,920,685,056 bytes free

- - End Of File - - 3C4480FA082C0B20B692E0EB189FB124

Re: Trojan: Win32/Alureon.CO
Hello.

  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    DDS::
    uStart Page = about:blank

    RegNull::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{28E9A2DF-E65E-D85A-85759F1A85229B2E}\{8098DB1F-177D-3A31-208A24FCBB357FA9}\{15CEB269-F259-C879-5DE6F8EB9C542703}*]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{2F2ED127-9180-E0E9-DD82A3EA97D23C2D}\{BC7AD397-E62C-4E1A-5A858785C5B4F8B7}\{1CB4FE78-537A-1AF0-DBD366375A0DFAF2}*]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{40886FA5-87BC-FDA7-0C1FAC01C243999B}\{19E564B2-522B-7AA8-1ACCCD0705265332}\{1F2DE655-6E2E-2DD5-8638E8D01A513D14}*]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{48FFDBC0-65F5-8101-E6A5E6DD5D6987D3}\{27CA9EF6-7C20-BA5C-F1E964FD391A5DCD}\{EF53C495-2C8A-F63D-BE87F6505A64DD38}*]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5B0B6C35-3AEA-9EAE-179EBB09B20EA2F1}\{75565C86-DCE5-4077-B0F3502E93E7104E}\{6B409343-0D15-4A1C-46DBD99A1375331F}*]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5C082286-DD56-6B96-110FABAC317C22E3}\{17077DA0-F2D9-EF48-DBC13F521337D931}\{A783887F-564D-BBBA-662193019693FEBC}*]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{9F5A92A2-B329-46CC-1B7090FE4262F142}\{3D41E9B5-DA3D-E370-0314048CD4A11D7E}\{F612533D-2F2D-C745-8F22D9CBAAB0FDB6}*]


  4. Save this as CFScript.txt, in the same location as ComboFix.exe

    (screenshot: Cfscriptb4i)

  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.

Re: Trojan: Win32/Alureon.CO
ComboFix 10-02-12.01 - Michael Sherman 02/14/2010 16:16:17.6.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.821 [GMT -5:00]
Running from: c:\documents and settings\Michael Sherman\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Michael Sherman\Desktop\CFscript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2010-01-14 to 2010-02-14 )))))))))))))))))))))))))))))))
.

2010-02-14 01:34 . 2010-02-14 01:34 -------- d-----w- c:\program files\IObit
2010-02-14 01:34 . 2010-02-14 01:34 -------- d-----w- c:\documents and settings\Michael Sherman\Application Data\IObit
2010-02-14 01:14 . 2010-02-14 01:33 -------- d-----w- c:\documents and settings\Michael Sherman\Application Data\Error Fix
2010-02-14 01:13 . 2010-02-14 01:33 -------- d-----w- c:\program files\Error Fix
2010-02-13 22:27 . 2010-02-13 22:27 -------- d-----w- c:\documents and settings\Michael Sherman\Application Data\Malwarebytes
2010-02-13 22:27 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-13 22:27 . 2010-02-13 22:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-13 22:27 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-13 22:27 . 2010-02-13 22:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-13 17:48 . 2010-02-13 17:48 388096 ----a-r- c:\documents and settings\Michael Sherman\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-02-13 17:48 . 2010-02-13 17:48 -------- d-----w- c:\program files\TrendMicro
2010-02-13 16:38 . 2010-02-13 16:40 -------- d-----w- c:\program files\Windows Live Safety Center
2010-01-27 11:36 . 2010-01-27 11:36 503808 ----a-w- c:\documents and settings\Michael Sherman\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-551d42c3-n\msvcp71.dll
2010-01-27 11:36 . 2010-01-27 11:36 499712 ----a-w- c:\documents and settings\Michael Sherman\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-551d42c3-n\jmc.dll
2010-01-27 11:36 . 2010-01-27 11:36 348160 ----a-w- c:\documents and settings\Michael Sherman\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-551d42c3-n\msvcr71.dll
2010-01-27 11:36 . 2010-01-27 11:36 61440 ----a-w- c:\documents and settings\Michael Sherman\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-5ed44dd9-n\decora-sse.dll
2010-01-27 11:36 . 2010-01-27 11:36 12800 ----a-w- c:\documents and settings\Michael Sherman\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-5ed44dd9-n\decora-d3d.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-14 14:16 . 2007-11-26 23:16 -------- d-----w- c:\program files\LogMeIn
2010-02-14 02:19 . 2004-03-12 10:45 -------- d-----w- c:\program files\Google
2010-02-13 21:04 . 2003-12-02 21:10 130512 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-13 18:09 . 2007-06-12 12:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-02-13 17:26 . 2008-04-11 09:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-01-27 11:36 . 2003-12-02 20:48 -------- d-----w- c:\program files\Common Files\Java
2010-01-27 11:36 . 2003-12-02 20:48 -------- d-----w- c:\program files\Java
2010-01-21 02:38 . 2009-06-14 13:22 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-14 16:12 . 2009-10-03 12:11 181120 ------w- c:\windows\system32\MpSigStub.exe
2009-12-25 19:22 . 2009-12-25 19:22 -------- d-----w- c:\program files\Microsoft LifeCam
2009-12-21 19:14 . 2004-02-06 22:05 916480 ------w- c:\windows\system32\wininet.dll
2009-12-17 22:14 . 2008-12-19 11:08 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-14 19:15 . 2009-12-14 19:15 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-11-26 00:35 . 2003-03-19 03:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-11-21 15:51 . 2002-08-29 11:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-18 12:07 . 2009-11-18 12:07 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
2009-11-18 11:59 . 2009-11-18 11:59 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2002-08-29 11:00 . 2002-08-29 11:00 94784 --sh--w- c:\windows\TWAIN.DLL
2008-04-14 00:12 . 2002-08-29 11:00 50688 --sha-w- c:\windows\twain_32.dll
2006-07-16 02:35 . 2006-02-11 15:38 848 --sha-w- c:\windows\SYSTEM32\KGyGaAvL.sys
2008-04-14 00:12 . 2002-08-29 11:00 57344 --sha-w- c:\windows\SYSTEM32\msvcirt.dll
2008-04-14 00:12 . 2002-08-29 11:00 11776 --sh--w- c:\windows\SYSTEM32\regsvr32.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-02-14_15.38.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-14 18:13 . 2010-02-14 18:13 16384 c:\windows\temp\Perflib_Perfdata_874.dat
+ 2010-02-14 18:12 . 2010-02-14 18:12 16384 c:\windows\temp\Perflib_Perfdata_5f8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-14 20:07 1004800 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Michael Sherman\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-14 133104]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2010-02-08 2343632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 63048]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2008-07-21 169312]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-10-03 39792]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2008-06-10 1442888]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"nwiz"="nwiz.exe" [2008-05-16 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2009-07-24 118640]
"VX3000"="c:\windows\vVX3000.exe" [2009-07-24 762208]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-08-11 249856]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-12 2043160]

c:\documents and settings\Michael Sherman\Start Menu\Programs\Startup\
HotSync Manager.LNK - c:\program files\Palm\HOTSYNC.EXE [2003-2-28 299008]
Launch Microsoft Office Outlook.lnk - c:\program files\Microsoft Office\OFFICE11\OUTLOOK.EXE [2009-6-22 196424]
Winter Fun Wallpaper Changer.lnk - c:\documents and settings\Michael Sherman\Application Data\Microsoft\Installer\{347D1603-FA83-4B2C-B504-8BC1FF59DB50}\Icon347D1603.exe [2006-12-29 7168]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2006-7-16 221295]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-11 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-24 12:03 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-06-15 22:15 16680 ----a-w- c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-10-02 10:39 87352 ----a-w- c:\windows\SYSTEM32\LMIinit.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Yahoo! Autosync.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Yahoo! Autosync.lnk
backup=c:\windows\pss\Yahoo! Autosync.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Michael Sherman^Start Menu^Programs^Startup^MEMonitor.lnk]
path=c:\documents and settings\Michael Sherman\Start Menu\Programs\Startup\MEMonitor.lnk
backup=c:\windows\pss\MEMonitor.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CXMon]
2001-08-09 22:06 45056 ----a-w- c:\program files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagent]
2002-04-03 07:01 135264 ----a-w- c:\program files\Creative\SBLive\Diagnostics\diagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 21:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-08-11 21:30 249856 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-08-11 21:30 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-10-29 01:21 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2008-05-16 18:01 1630208 ----a-w- c:\windows\SYSTEM32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2003-08-27 01:47 204800 ------w- c:\program files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickFinder Scheduler]
2003-07-09 17:07 77887 ----a-w- c:\program files\WordPerfect Office 11\Programs\QFSCHD110.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 05:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
2003-08-19 06:01 110592 ----a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon_McciTrayApp]
2009-03-10 18:57 1553920 ----a-w- c:\program files\Verizon\McciTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MDM"=2 (0x2)
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Brother XP spl Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell Computer\\Dell Picture Studio v2.0\\launch.exe"=
"c:\\Program Files\\ScanSoft\\OmniPageSE\\EregEng\\NAVBrowser.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\SYSTEM32\\spoolsv.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqiscfg.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [11/23/2008 9:10 AM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [4/21/2009 5:52 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2/1/2009 10:04 AM 297752]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/3/2007 3:09 PM 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\SYSTEM32\DRIVERS\LMIRfsDriver.sys [11/26/2007 6:16 PM 47640]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/18/2009 5:59 PM 135664]
S3 CamdDriverV32;CamdDriverV32;c:\windows\SYSTEM32\DRIVERS\CamdDriverV32.sys [9/6/2008 5:10 PM 23096]
S3 CamdVideo32;CamdVideo32;c:\windows\SYSTEM32\DRIVERS\CamdVideo32.sys [9/6/2008 5:10 PM 3768]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
Contents of the 'Scheduled Tasks' folder

2010-02-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]

2010-02-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-18 22:59]

2010-02-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-18 22:59]

2010-02-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-135888775-303427709-2599636237-1009Core.job
- c:\documents and settings\Michael Sherman\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-14 10:56]

2010-02-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-135888775-303427709-2599636237-1009UA.job
- c:\documents and settings\Michael Sherman\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-14 10:56]

2003-12-09 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2002-08-29 00:12]

2010-02-14 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]

2010-02-14 c:\windows\Tasks\User_Feed_Synchronization-{76548F64-C2BB-4246-BD00-619A8410E91C}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: MasterCook: Select Image - c:\program files\MasterCook 9\Web\MCIEContext.hta
Trusted Zone: sarasotaorchestra.org\tickets
TCP: {255F4A49-1AFF-452A-BC3D-600E3EAF53A8} = 93.188.163.32,93.188.166.77
TCP: {5381BB17-BF4D-455D-A4C4-783FD999BA85} = 93.188.163.32,93.188.166.77
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.8.3/GarminAxControl.CAB
DPF: {02466323-75ED-11CF-A267-0020AF2546EA} - hxxp://www.iicm.edu/hw_mm/data/vivo/vvweb.cab
DPF: {036F8A56-0BC8-4607-8F98-D3231E6FF5ED} - hxxp://bbtraining.blackbaud.com/SiteRoots/main/Install/win32/CentraUpdaterAx.cab
DPF: {0F026C11-5A66-4C2B-87B5-88DDEBAE72A1} - hxxps://tickets.fwcs.org/admin/OCX/VSFLEX8L.OCX
FF - ProfilePath - c:\documents and settings\Michael Sherman\Application Data\Mozilla\Firefox\Profiles\08jcqc98.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avgb&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\Michael Sherman\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-14 16:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys atapi.sys >>UNKNOWN [0x8A60D8C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf763bf28
\Driver\ACPI -> ACPI.sys @ 0xf75aecb8
\Driver\atapi -> atapi.sys @ 0xf74a3b3a
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
NDIS: Intel(R) PRO/100 VE Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf787fbb0
PacketIndicateHandler -> NDIS.sys @ 0xf786ea0d
SendHandler -> NDIS.sys @ 0xf7882b40
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(860)
c:\program files\Citrix\GoToAssist\570\G2AWinLogon.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'explorer.exe'(3784)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2010-02-14 16:28:16
ComboFix-quarantined-files.txt 2010-02-14 21:28
ComboFix2.txt 2010-02-14 19:58
ComboFix3.txt 2010-02-14 18:26
ComboFix4.txt 2010-02-14 17:27
ComboFix5.txt 2010-02-14 21:13

Pre-Run: 71,935,754,240 bytes free
Post-Run: 71,915,503,616 bytes free

- - End Of File - - 0DE6AA6E89F6FD9335B6C3AED79709EF

Re: Trojan: Win32/Alureon.CO
Still having problems?

Re: Trojan: Win32/Alureon.CO
Sorry, I just realized I didn't write anything. Yes, still having the same issues.
Thanks

Re: Trojan: Win32/Alureon.CO
Okay, one more time around; I think this should kill it.


  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    DDS::
    TCP: {255F4A49-1AFF-452A-BC3D-600E3EAF53A8} = 93.188.163.32,93.188.166.77
    TCP: {5381BB17-BF4D-455D-A4C4-783FD999BA85} = 93.188.163.32,93.188.166.77

    Domains::

  4. Save this as CFScript.txt, in the same location as ComboFix.exe.

    [image: Cfscriptb4i (dragging CFScript.txt onto ComboFix.exe)]

  5. Referring to the picture above, drag CFScript.txt onto ComboFix.exe.
  6. When finished, it shall produce a log for you at C:\ComboFix.txt.
  7. Please post the contents of the log in your next reply.

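As an added triage example (written for this page in Python; it is not code from the thread, from ComboFix or from the helper): it parses the two kinds of ComboFix lines the thread acts on, the per-interface "TCP: {GUID} = resolvers" entries and the rootkit detector's "called modules" line, checks each resolver against the rogue DNS ranges published for the DNSChanger takedown (that list, and the registry path used by the live read on Windows, are assumptions of the example; the 93.188.160.0/21 block is the one that covers both resolvers in the log above), reports any unnamed module sitting on the disk I/O path, and emits the same "DDS::" script shape the helper posted. The sample log lines are constructed from the log above, with one clean interface added so the filter has something to ignore.

```python
import ipaddress
import re
import sys

# Rogue resolver ranges published for the DNSChanger (Rove Digital) takedown.
# This list is an assumption of the example, not something the thread states;
# the 93.188.160.0/21 block is the one that covers both resolvers in the log.
ROGUE_DNS_RANGES = [ipaddress.ip_network(n) for n in (
    "85.255.112.0/20", "67.210.0.0/20", "93.188.160.0/21",
    "77.67.83.0/24", "213.109.64.0/20", "64.28.176.0/20",
)]

# Constructed sample: the lines of interest in the shape ComboFix prints them,
# plus one clean interface so the filter has something to ignore.
SAMPLE_LOG = """\
TCP: {255F4A49-1AFF-452A-BC3D-600E3EAF53A8} = 93.188.163.32,93.188.166.77
TCP: {5381BB17-BF4D-455D-A4C4-783FD999BA85} = 93.188.163.32,93.188.166.77
TCP: {0BADC0DE-0000-4000-8000-000000000001} = 8.8.8.8,8.8.4.4
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys atapi.sys >>UNKNOWN [0x8A60D8C8]<<
"""

TCP_LINE = re.compile(r"^TCP:\s*(\{[0-9A-Fa-f-]+\})\s*=\s*([\d.,\s]+)$")
UNKNOWN_MODULE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")


def rogue_range_for(ip_str):
    """Return the rogue CIDR containing ip_str, or None if it is clean."""
    ip = ipaddress.ip_address(ip_str)
    for net in ROGUE_DNS_RANGES:
        if ip in net:
            return str(net)
    return None


def find_rogue_dns(log_text):
    """Every (interface GUID, resolver, matching range) whose resolver is rogue."""
    hits = []
    for line in log_text.splitlines():
        m = TCP_LINE.match(line.strip())
        if not m:
            continue
        guid, servers = m.groups()
        # Registry NameServer values may be comma- or space-separated.
        for ip in re.split(r"[,\s]+", servers.strip()):
            rng = rogue_range_for(ip)
            if rng:
                hits.append((guid, ip, rng))
    return hits


def find_unknown_disk_modules(log_text):
    """Addresses of unnamed code on the disk I/O path (the >>UNKNOWN<< marker)."""
    return UNKNOWN_MODULE.findall(log_text)


def build_cfscript(log_text):
    """Reproduce the DDS:: section the helper posted: flagged TCP lines verbatim."""
    flagged = {guid for guid, _, _ in find_rogue_dns(log_text)}
    lines = ["DDS::"]
    for line in log_text.splitlines():
        m = TCP_LINE.match(line.strip())
        if m and m.group(1) in flagged:
            lines.append(line.strip())
    lines += ["", "Domains::"]
    return "\n".join(lines) + "\n"


def live_nameservers():
    """On Windows, read the same data straight from the registry (path assumed
    for this example: the per-interface Tcpip keys). Returns [] elsewhere."""
    try:
        import winreg
    except ImportError:
        return []
    base = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"
    out = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base) as root:
        i = 0
        while True:
            try:
                guid = winreg.EnumKey(root, i)
            except OSError:
                break
            i += 1
            with winreg.OpenKey(root, guid) as key:
                for name in ("NameServer", "DhcpNameServer"):
                    try:
                        val, _ = winreg.QueryValueEx(key, name)
                    except OSError:
                        continue
                    if val:
                        out.append(f"TCP: {guid} = {val}")
    return out


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = "\n".join(live_nameservers()) or SAMPLE_LOG
    for guid, ip, rng in find_rogue_dns(text):
        print(f"rogue resolver {ip} ({rng}) on interface {guid}")
    for addr in find_unknown_disk_modules(text):
        print(f"unnamed module on the disk stack at {addr}")
    print(build_cfscript(text), end="")
```

Run it with a saved ComboFix.txt as the argument to triage a log, or with no argument on a Windows box to read the interface keys directly. Two points worth keeping in mind: a rogue resolver explains every symptom in the first post (redirected searches, unreachable Windows Update and malwarebytes.org, the Malwarebytes update error), and an UNKNOWN module between disk.sys and atapi.sys means code that no driver on disk accounts for is on the I/O path, which is why the CFScript only removes the DNS entries and the thread still has to deal with the rootkit afterwards.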
Re: Trojan: Win32/Alureon.CO
After I ran ComboFix with the new script, I was able to update Malwarebytes and run the scan, which came back clean. I then ran Windows Update and my PC froze. I did a hard boot and got the Blue Screen of Death:

A problem has been detected and Windows has been shut down to prevent damage to your computer.

If this is the first time you've seen this Stop error screen, restart your computer. If this screen appears again, follow these steps:

Check to be sure you have adequate disk space. If a driver is identified in the Stop message, disable the driver or check with the manufacturer for driver updates. Try changing video adapters.

Check with your hardware vendor for any BIOS updates. Disable BIOS memory options such as caching or shadowing. If you need to use Safe Mode to remove or disable components, restart your computer, press F8 to select Advanced Startup options, and then select Safe Mode.

Technical information:
Stop: 0x0000007E (0xC0000005, 0x8050D532, 0xF78A63B8, 0xF78A60B4)

I had to switch to a USB keyboard to attempt to boot in Safe Mode, but it results in the same blue screen.

I have Microsoft Windows Recovery Console installed but don't know how to use it.

Thanks for your continued help.

Re: Trojan: Win32/Alureon.CO
Damn, MS can't get anything right; this is MS's fault, see here:
http://www.theinquirer.net/inquirer/news/1591682/windows-update-causes-blue-screen-death

The article was posted only 5 days ago; a recent Windows Update is causing some users BSODs.

Do you have your XP disk?

Re: Trojan: Win32/Alureon.CO
Yes, I have it.

Re: Trojan: Win32/Alureon.CO
I await your instructions.

Re: Trojan: Win32/Alureon.CO
Okay, let's try a repair install.

Put the CD in and boot from it; there should be an option saying "press R for repair install".

Press the R key to start the repair.
Guide here if needed:
http://www.michaelstevenstech.com/XPrepairinstall.htm

Re: Trojan: Win32/Alureon.CO
I turned my PC over to our tech at work.

Thank you for all your help! I would kiss you, but your avatar is a little scary, so I'm going to make a donation instead.
