Browser Redirect

RichmondGuy

New Member
Help, my browser is randomly being redirected. I read in another post that I should only have 1 entry under C:\WINDOWS\system32\drivers\etc\hosts and that it should be 127.0.0.1 localhost. Can anyone help me?
Because there are too many characters I can only post a sample of what is contained in the above-mentioned folder.

127.0.0.1 localhost
::1 localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.100888290cs.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100sexlinks.com
127.0.0.1 100sexlinks.com
127.0.0.1 www.10sek.com
127.0.0.1 10sek.com
127.0.0.1 www.123topsearch.com
127.0.0.1 123topsearch.com
127.0.0.1 www.132.com
127.0.0.1 132.com
127.0.0.1 www.136136.net
127.0.0.1 136136.net
127.0.0.1 www.163ns.com
127.0.0.1 163ns.com
127.0.0.1 171203.com
127.0.0.1 17-plus.com
127.0.0.1 www.1800searchonline.com
127.0.0.1 1800searchonline.com
127.0.0.1 www.180searchassistant.com
127.0.0.1 180searchassistant.com
127.0.0.1 www.180solutions.com
127.0.0.1 180solutions.com
127.0.0.1 www.181.365soft.info
127.0.0.1 181.365soft.info
127.0.0.1 www.1987324.com
127.0.0.1 1987324.com
127.0.0.1 www.1-domains-registrations.com
127.0.0.1 1-domains-registrations.com
127.0.0.1 www.1sexparty.com
127.0.0.1 1sexparty.com
127.0.0.1 www.1stantivirus.com
127.0.0.1 1stantivirus.com

# End of entries inserted by Spybot - Search & Destroy
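
As an added example (not part of the thread), here is a small Python audit of a hosts file that sorts its lines the way a helper would read the sample above: the loopback lines Windows ships with (127.0.0.1 and ::1 for localhost), block-style lines that park a hostname on 127.0.0.1 or 0.0.0.0 (what Spybot's immunization inserts; such a line can only stop the named site from loading, it cannot send the browser anywhere else), and lines that point a hostname at any other address, which is the pattern that actually redirects traffic and is the part worth checking. The embedded sample is constructed from the thread's own lines plus three labelled made-up lines; `ads.example.test`, `www.example-bank.test` and the address 203.0.113.7 are placeholders.

```python
"""Audit a Windows hosts file for entries that could redirect a browser.

Added example, not code from the thread. It splits a hosts file into:
  - the loopback lines Windows ships with (127.0.0.1 / ::1 -> localhost),
  - block-style lines that point a hostname at loopback or 0.0.0.0 (what
    Spybot's immunization inserts; they can only stop the named site loading),
  - lines that point a hostname at any other address, which is the pattern
    that actually sends traffic for that name somewhere else and is the
    part worth reviewing.
Usage:  python hosts_audit.py [path-to-hosts-file]
"""
from __future__ import annotations

import ipaddress
import sys
from typing import NamedTuple


class HostsEntry(NamedTuple):
    address: str
    hostname: str
    line_no: int


# Constructed sample: the thread's own lines plus three labelled test lines
# (ads.example.test, www.example-bank.test and 203.0.113.7 are placeholders).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
# End of entries inserted by Spybot - Search & Destroy
0.0.0.0\tads.example.test             # constructed: another block-style line
203.0.113.7 www.example-bank.test     # constructed: hijack-style line
garbage line without an address
"""


def parse_hosts(text: str) -> list[HostsEntry]:
    """Turn hosts-file text into (address, hostname, line_no) records.

    One address may be followed by several hostnames, and '#' starts a
    comment anywhere on the line. Lines that do not start with a valid IP
    address are skipped rather than raising, so a tampered file with junk
    in it still gets audited.
    """
    entries: list[HostsEntry] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        address, *hostnames = line.split()
        try:
            ipaddress.ip_address(address)
        except ValueError:
            continue
        for name in hostnames:
            entries.append(HostsEntry(address, name.lower(), line_no))
    return entries


def classify(entry: HostsEntry) -> str:
    """'localhost' for the stock loopback lines, 'blocklist' for a hostname
    parked on loopback/0.0.0.0, 'redirect' for anything else (including a
    'localhost' line that no longer points at loopback)."""
    addr = ipaddress.ip_address(entry.address)
    if entry.hostname == "localhost" and addr.is_loopback:
        return "localhost"
    if addr.is_loopback or addr.is_unspecified:
        return "blocklist"
    return "redirect"


def audit(text: str) -> dict[str, list[HostsEntry]]:
    """Group every entry by classification; 'redirect' is the list to read."""
    report: dict[str, list[HostsEntry]] = {"localhost": [], "blocklist": [], "redirect": []}
    for entry in parse_hosts(text):
        report[classify(entry)].append(entry)
    return report


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    report = audit(text)
    print(f"localhost lines: {len(report['localhost'])}, "
          f"block-style lines: {len(report['blocklist'])}")
    for e in report["redirect"]:
        print(f"REVIEW line {e.line_no}: {e.hostname} -> {e.address}")
```

Run it with no argument to see the constructed sample classified, or pass the path of a real hosts file (on Vista, C:\Windows\System32\drivers\etc\hosts) to audit that instead; only the lines printed as REVIEW can actually send traffic elsewhere.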
 
Please download Malwarebytes' Anti-Malware from here or here and save it to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version. Please keep updating until it says you have the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • A log will be saved automatically which you can access by clicking on the Logs tab within Malwarebytes' Anti-Malware

If you continue to experience problems after doing this, please post a HijackThis log by doing the following:

Download the HijackThis installer from here.
Run the installer and choose Install, indicating that you accept the licence agreement. The installer will place a shortcut on your desktop and launch HijackThis.

Click Do a system scan and save a logfile

Most of what HijackThis lists will be harmless or even essential; don't fix anything yet.

Post the logfile that HijackThis produces along with the Malwarebytes Anti-Malware log.
 
Thanks. It looks like Malwarebytes took care of the problem. I am posting the scan log just in case you see something else I need to do.
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4078

Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.18904

5/8/2010 11:54:53 AM
mbam-log-2010-05-08 (11-54-53).txt

Scan type: Quick scan
Objects scanned: 156512
Time elapsed: 9 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{0d1dbfee-0c43-4223-8b3e-a56fb3c5c87d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{0d1dbfee-0c43-4223-8b3e-a56fb3c5c87d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{cd30b357-f8f7-4ad1-bf68-04a219d21a69} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8d187dff-423f-41d3-a331-a60de5886675} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AV1 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\System\CurrentControlSet\Services\iTunesMusic (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\typelib (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
I spoke too soon. Below is the HijackThis log.
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:12:22 PM, on 5/8/2010
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18904)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\ScanSoft\OmniForm 5.1\OFPA.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Windows\WindowsMobile\wmdSync.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Nova Development\Greeting Card Factory Photo Card Maker\ReminderApp.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\eFax Messenger 4.3\J2GTray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Users\Jay\AppData\Local\Google\Update\1.2.183.23\GoogleCrashHandler.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\Hewlett-Packard\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [OmniForm OFPA] C:\Program Files\ScanSoft\OmniForm 5.1\OFPA.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [ReminderApp] C:\Program Files\Nova Development\Greeting Card Factory Photo Card Maker\ReminderApp.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\Jay\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKLM\..\Policies\Explorer\Run: [GZZQndCz0R] C:\ProgramData\tsledodc\fwpuxyli.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil9f.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil9f.exe (User 'Default user')
O4 - Startup: OneNote Table Of Contents.onetoc2
O4 - Global Startup: eFax 4.3.lnk = C:\Program Files\eFax Messenger 4.3\J2GTray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\Hewlett-Packard\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {38AB6A6C-CC4C-4F9E-A3DD-3C5681EF18A1} (SonyOnlineInstallerX) - http://www-cdn.freerealms.com/gamedata/FreeRealmsInstaller.cab?v=1029
O16 - DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} (PCPitstop AntiVirus) - http://utilities.pcpitstop.com/Exterminate2/pcpitstopAntiVirus.dll
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O18 - Protocol: x-cnote - {8D32BA61-D15B-11D4-894B-000000000000} - C:\Windows\System32\hsppp.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 10966 bytes
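
Added example (not part of the thread, and not HijackThis output): a Python triage pass over HijackThis-style log lines that flags the three things in the log above a reviewer would look at first: an R1 ProxyServer entry pointing at a loopback listener (here http=127.0.0.1:5555, which hands every browser request to a local process and is a common redirect mechanism), an O4 autorun under Policies\Explorer\Run whose value name looks machine-generated and whose executable sits under ProgramData, and BHOs whose DLL is missing. The embedded sample is a handful of lines copied from the log above, benign ones included; the severity labels and the name-randomness heuristic are this example's own.

```python
"""Triage HijackThis-style log lines for the usual browser-redirect suspects.

Added example, not thread code and not HijackThis output. It flags:
  R1  ProxyServer pointing at a loopback listener (every browser request is
      then handed to a local process, a common redirect mechanism),
  O4  autoruns under Policies\\Explorer\\Run (a Group Policy logon key that
      home PCs rarely populate), with machine-generated-looking value names,
      or whose executable sits under ProgramData or a Temp directory,
  O2  BHOs whose DLL is missing ("(no file)"), listed for information only.
Severities and the name-randomness heuristic are this example's own.
"""
from __future__ import annotations

import ipaddress
import re
from typing import NamedTuple


class Finding(NamedTuple):
    severity: str   # "high", "review" or "info"
    section: str    # HijackThis section code, e.g. "O4"
    reason: str
    line: str


# Sample lines copied from the thread's HijackThis log (benign ones included).
SAMPLE_HJT = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\Jay\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKLM\..\Policies\Explorer\Run: [GZZQndCz0R] C:\ProgramData\tsledodc\fwpuxyli.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
"""

PROXY_RE = re.compile(r"^R1 - .*Internet Settings,ProxyServer = (?P<value>.+)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
SUSPECT_DIR_RE = re.compile(r"\\(programdata|temp)\\", re.IGNORECASE)


def proxy_hosts(value: str) -> list[str]:
    """Pull the host part out of a ProxyServer value such as
    'http=127.0.0.1:5555' or 'proxy.corp.test:8080;https=[::1]:3128'."""
    hosts = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:                      # per-protocol form: scheme=host:port
            part = part.split("=", 1)[1]
        host = part.rsplit(":", 1)[0] if ":" in part else part
        hosts.append(host.strip("[]"))
    return hosts


def is_loopback_host(host: str) -> bool:
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def looks_random(name: str) -> bool:
    """Heuristic for machine-generated value names: at least 8 characters,
    contains a digit, and flips between upper case, lower case and digits at
    least four times. CamelCase product names have no digit and so pass."""
    if len(name) < 8 or not any(c.isdigit() for c in name):
        return False
    classes = ["d" if c.isdigit() else "u" if c.isupper() else "l"
               for c in name if c.isalnum()]
    flips = sum(1 for a, b in zip(classes, classes[1:]) if a != b)
    return flips >= 4


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROXY_RE.match(line)
        if m:
            if any(is_loopback_host(h) for h in proxy_hosts(m.group("value"))):
                findings.append(Finding("high", "R1",
                    f"browser proxy points at a local listener ({m.group('value')})", line))
            continue
        if line.startswith("O2 - BHO:") and line.endswith("(no file)"):
            findings.append(Finding("info", "O2", "BHO registered but its DLL is missing", line))
            continue
        m = RUN_RE.match(line)
        if not m:
            continue
        reasons, severity = [], "review"
        if "policies" in m.group("key").lower():
            reasons.append("autorun under Policies\\Explorer\\Run")
            severity = "high"
        if looks_random(m.group("name")):
            reasons.append(f"value name {m.group('name')!r} looks machine-generated")
        if SUSPECT_DIR_RE.search(m.group("cmd")):
            reasons.append("executable lives under ProgramData or a Temp directory")
        if reasons:
            findings.append(Finding(severity, "O4", "; ".join(reasons), line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n          {f.line}")
```

On the sample this prints three findings: the loopback proxy, the orphaned BHO, and the Policies\Explorer\Run entry, which collects all three O4 reasons in one line. The heuristics are deliberately narrow so that the vendor autoruns from the same log (HP, AVG, Google Update, Sidebar) come through clean; anything flagged "review" still needs a human to look at the file.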
 
You're definitely still infected.

* Remember in Vista to run these programs as administrator.
* Put all downloads on your desktop or in another location you can access quickly and easily.
* Print these instructions for use while operating in safe mode


--- DOWNLOAD STEP ---

-- RKill
Download all these RKill types. Don't run any of them yet, we'll get to that in a moment.
Download Rkill:
- RKill.exe from Bleeping Computer
- RKill.com from Bleeping Computer
- RKill.scr from Bleeping Computer



-- SuperAntiSpyware
Now download SuperAntiSpyware, install it and update it, but don't run any scans with it just yet.

Download here: SuperAntiSpyware Free Version
(SAS's homepage: SuperAntiSpyware.com/)


-- Malwarebytes
Since you already have Malwarebytes, just go into it and update the program and make sure that you have deleted all found infections.

Just don't run any scans with Malwarebytes yet.


-- Flash Disinfector
If you have flash drives they may be infected as well, so here is the tool to clean them as well. Download it, but don't do anything more with it. If you have any flash drives plugged in, take the chance now to unplug them so that they can't reinfect you.
Download: sUBs Flash Disinfector.exe


--- Running ---
* Remember in Vista to run these programs as ADMINISTRATOR.

Reboot into "Safe Mode" (without networking) and wait until your computer is running stably. Once it is running as smoothly as possible, follow the instructions below very closely.

1. Begin by running RKill.exe as administrator. If the .exe save will not activate, then use the .com save, and if the .com does not activate then run the .scr save.

NOTE: Do not reboot until we are completely finished with the malware removal as rebooting will de-activate RKill.


2. Run Malwarebytes and then delete all infections found. Close program once finished with it.


3. Run SuperAntiSpyware and then delete all infections found. Close program once finished with it.


4.
A) Before you run Flash Disinfector turn off your anti-virus software and close all malware removal programs.
B) Click the downloaded Flash_Disinfector file and follow any steps it gives you.
C) When it asks you to insert flash drives, do so while holding down the SHIFT key so that the Windows auto-play feature is disabled. Hold the shift key while inserting the flash drive until the flash drive is found by Vista and the "Options" menu appears.
D) Flash Disinfector will scan and complete.


5. Restart Windows Vista Normally.


6. Once Vista is stable in normal mode, re-run HiJackThis and post the log; also post the logs from Malwarebytes and SuperAntiSpyware. Then tell us how the computer is running.
 
Problem still exists. Below are the logs you asked me to post.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:25:48 PM, on 5/8/2010
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18904)
Boot mode: Normal

Running processes:
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\ScanSoft\OmniForm 5.1\OFPA.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Windows\WindowsMobile\wmdSync.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Nova Development\Greeting Card Factory Photo Card Maker\ReminderApp.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\eFax Messenger 4.3\J2GTray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Windows\ehome\ehmsas.exe
C:\Users\Jay\AppData\Local\Google\Update\1.2.183.23\GoogleCrashHandler.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: ZoneAlarm Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\Hewlett-Packard\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: ZoneAlarm Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [OmniForm OFPA] C:\Program Files\ScanSoft\OmniForm 5.1\OFPA.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [ReminderApp] C:\Program Files\Nova Development\Greeting Card Factory Photo Card Maker\ReminderApp.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ISW] "C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\Jay\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKLM\..\Policies\Explorer\Run: [GZZQndCz0R] C:\ProgramData\tsledodc\fwpuxyli.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil9f.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil9f.exe (User 'Default user')
O4 - Startup: OneNote Table Of Contents.onetoc2
O4 - Global Startup: eFax 4.3.lnk = C:\Program Files\eFax Messenger 4.3\J2GTray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\Hewlett-Packard\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {38AB6A6C-CC4C-4F9E-A3DD-3C5681EF18A1} (SonyOnlineInstallerX) - http://www-cdn.freerealms.com/gamedata/FreeRealmsInstaller.cab?v=1029
O16 - DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} (PCPitstop AntiVirus) - http://utilities.pcpitstop.com/Exterminate2/pcpitstopAntiVirus.dll
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O18 - Protocol: x-cnote - {8D32BA61-D15B-11D4-894B-000000000000} - C:\Windows\System32\hsppp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: ZoneAlarm Toolbar IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 11954 bytes
 
I had to post separately due to the number of characters.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/08/2010 at 08:12 PM

Application Version : 4.37.1000

Core Rules Database Version : 4908
Trace Rules Database Version: 2720

Scan type : Quick Scan
Total Scan Time : 00:36:34

Memory items scanned : 303
Memory threats detected : 0
Registry items scanned : 802
Registry threats detected : 1
File items scanned : 37095
File threats detected : 470

Adware.Tracking Cookie

Trojan.DNSChanger-Codec
HKU\S-1-5-21-98606152-2322820237-3812329491-1000\Software\uninstall
 
You're still infected, please run the following.

Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press ctrl, alt and del at the same time), and end any processes of findstr, find, sed or swreg; then combofix should continue.
If that happened we want to know, and also what process you had to end.

In your next reply please post:
  • The ComboFix log
  • A fresh HiJackThis log
  • An update on how your computer is running
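The SUPERAntiSpyware log posted above is almost entirely tracking-cookie noise; the single detection that needs follow-up is the Trojan.DNSChanger-Codec registry key. As an added example (not code from this thread or from SUPERAntiSpyware), the Python script below parses that log format and separates cookie noise from detections that still need attention; the log excerpt, the regexes and the check for cookies under the SYSTEM profile are my own assumptions about the format, not anything the tool documents.

```python
"""Triage a SUPERAntiSpyware scan log: separate tracking-cookie noise from
detections that point at a live infection (registry, file or memory items)."""
import re

COOKIE_CATEGORY = "Adware.Tracking Cookie"
# Cookies written under the SYSTEM profile mean something running as
# LocalSystem used the WinINet stack; not proof of infection, but worth a look.
SYSTEM_PROFILE = r"c:\windows\system32\config\systemprofile"

# Constructed excerpt modelled on the log format posted in the thread
# (cookie list shortened to three entries).
SAMPLE_LOG = r"""SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/08/2010 at 08:12 PM

Scan type : Quick Scan
Total Scan Time : 00:36:34

Memory items scanned : 303
Memory threats detected : 0
Registry items scanned : 802
Registry threats detected : 1
File items scanned : 37095
File threats detected : 470

Adware.Tracking Cookie
C:\Users\Jay\AppData\Roaming\Microsoft\Windows\Cookies\jay@tribalfusion[3].txt
C:\Users\Jay\AppData\Roaming\Microsoft\Windows\Cookies\jay@atdmt[4].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@advertise[1].txt

Trojan.DNSChanger-Codec
HKU\S-1-5-21-98606152-2322820237-3812329491-1000\Software\uninstall
"""

# "Label : 123" summary lines (assumed format, matches the posted log)
_COUNTER = re.compile(r"^(?P<key>[A-Za-z ]+?)\s*:\s*(?P<val>\d+)\s*$")
_REG_KEY = re.compile(r"^HK(EY_[A-Z_]+|LM|CU|U|CR|CC)\\", re.IGNORECASE)
_FILE_PATH = re.compile(r"^[A-Za-z]:\\")


def parse_scan_log(text):
    """Return {'counters': {label: int}, 'detections': {category: [items]}}.

    A detection block is a category name followed by one item per line and is
    terminated by a blank line.
    """
    counters, detections, category = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            category = None          # blank line ends the current block
            continue
        m = _COUNTER.match(line)
        if m:
            counters[m.group("key").strip()] = int(m.group("val"))
            continue
        if _REG_KEY.match(line) or _FILE_PATH.match(line):
            if category is not None:
                detections.setdefault(category, []).append(line)
            continue
        # Anything else without a colon is taken as a category header;
        # banner lines (title, URL, timestamp) are skipped.
        if ":" not in line and not line.lower().startswith("http"):
            category = line
    return {"counters": counters, "detections": detections}


def triage(parsed):
    """Split detections into cookie noise and items that need follow-up."""
    cookie_noise, system_cookies, attention = 0, [], []
    for category, items in parsed["detections"].items():
        for item in items:
            if category.startswith(COOKIE_CATEGORY):
                cookie_noise += 1
                if item.lower().startswith(SYSTEM_PROFILE):
                    system_cookies.append(item)
            else:
                kind = "registry" if _REG_KEY.match(item) else "file"
                attention.append((category, kind, item))
    return {
        "cookie_noise": cookie_noise,
        "system_profile_cookies": system_cookies,
        "needs_attention": attention,
        "still_infected": bool(attention),
    }


if __name__ == "__main__":
    result = triage(parse_scan_log(SAMPLE_LOG))
    print(f"cookie noise: {result['cookie_noise']} entries")
    for category, kind, item in result["needs_attention"]:
        print(f"FOLLOW UP [{kind}] {category}: {item}")
```

Point the parser at a full saved log to see how many of the reported "threats" are cookies versus real loading points.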
 
Here are the results
ComboFix 10-05-08.02 - Jay 05/09/2010 0:52.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1918.842 [GMT -5:00]
Running from: c:\users\Jay\ComboFix.exe
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Jay\AppData\Roaming\inst.exe
c:\users\Jay\ComboFix.exe
c:\users\Jay\rkill.com
c:\users\Jay\rkill.exe
c:\users\Jay\rkill.scr
c:\windows\system32\AbaleZip.dll

.
((((((((((((((((((((((((( Files Created from 2010-04-09 to 2010-05-09 )))))))))))))))))))))))))))))))
.

2010-05-09 06:03 . 2010-05-09 06:03 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-09 06:03 . 2010-05-09 06:03 -------- d-----w- c:\users\Adriana\AppData\Local\temp
2010-05-09 06:03 . 2010-05-09 06:03 -------- d-----w- c:\users\Sophia\AppData\Local\temp
2010-05-09 06:03 . 2010-05-09 06:03 -------- d-----w- c:\users\Sarah\AppData\Local\temp
2010-05-09 00:14 . 2010-05-09 00:14 63488 ----a-w- c:\users\Jay\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-09 00:14 . 2010-05-09 00:14 52224 ----a-w- c:\users\Jay\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-05-09 00:14 . 2010-05-09 00:14 117760 ----a-w- c:\users\Jay\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-09 00:14 . 2010-05-09 00:14 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-05-09 00:13 . 2010-05-09 00:14 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-09 00:13 . 2010-05-09 00:13 -------- d-----w- c:\users\Jay\AppData\Roaming\SUPERAntiSpyware.com
2010-05-09 00:09 . 2010-05-09 00:09 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-05-08 23:44 . 2010-05-08 23:45 8206880 ----a-w- c:\users\Jay\SUPERAntiSpyware.exe
2010-05-08 22:13 . 2010-05-08 22:13 -------- d-----w- c:\users\Sophia\AppData\Local\Mozilla
2010-05-08 22:13 . 2010-05-08 22:13 -------- d-----w- c:\users\Sophia\AppData\Roaming\CheckPoint
2010-05-08 21:16 . 2010-05-08 21:16 -------- d-----w- c:\users\Adriana\AppData\Roaming\CheckPoint
2010-05-08 20:46 . 2010-05-08 20:46 -------- d-----w- c:\users\Jay\AppData\Roaming\CheckPoint
2010-05-08 20:45 . 2010-05-08 20:45 -------- d-----w- c:\program files\CheckPoint
2010-05-08 20:45 . 2009-11-22 20:42 103816 ----a-w- c:\windows\system32\zlcommdb.dll
2010-05-08 20:45 . 2009-11-22 20:42 69000 ----a-w- c:\windows\system32\zlcomm.dll
2010-05-08 20:45 . 2009-11-22 20:42 1238408 ----a-w- c:\windows\system32\zpeng25.dll
2010-05-08 20:44 . 2009-11-22 20:44 446664 ----a-w- c:\windows\system32\drivers\vsdatant.sys
2010-05-08 16:44 . 2010-05-08 16:44 -------- d-----w- c:\users\Jay\AppData\Roaming\Malwarebytes
2010-05-08 16:43 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-08 16:43 . 2010-05-08 16:43 -------- d-----w- c:\programdata\Malwarebytes
2010-05-08 16:43 . 2010-05-08 16:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-08 16:43 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-08 04:48 . 2010-05-08 04:48 388096 ----a-r- c:\users\Jay\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-05-08 04:48 . 2010-05-08 04:48 -------- d-----w- c:\program files\Trend Micro
2010-05-08 03:20 . 2010-05-08 03:20 -------- dc-h--w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-05-08 03:20 . 2010-02-04 15:53 2954656 -c--a-w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-05-08 02:20 . 2010-05-08 02:20 -------- d-----w- c:\programdata\PCPitstop
2010-05-08 02:19 . 2010-05-08 02:19 -------- d-----w- c:\program files\PCPitstop
2010-05-08 02:19 . 2010-05-08 02:19 2103688 ----a-w- c:\users\Jay\extermhome-setup-0004.exe
2010-05-05 02:58 . 2010-05-07 03:36 -------- d-----w- c:\users\Jay\AppData\Local\kifrpgaah
2010-04-28 03:13 . 2009-12-23 12:43 171520 ----a-w- c:\windows\system32\wintrust.dll
2010-04-28 03:13 . 2010-02-23 11:32 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-28 03:13 . 2010-02-23 11:32 78848 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-28 03:13 . 2010-02-23 11:32 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-28 03:12 . 2010-01-15 00:04 98304 ----a-w- c:\windows\system32\cabview.dll
2010-04-25 16:19 . 2010-05-04 20:17 439816 ----a-w- c:\users\Adriana\AppData\Roaming\Real\Update\setup3.10\setup.exe
2010-04-23 11:30 . 2010-04-23 11:30 690952 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-04-20 20:49 . 2010-04-20 20:49 242696 ----a-w- c:\programdata\avg9\update\backup\avgtdix.sys
2010-04-20 20:48 . 2010-04-20 20:48 1689952 ----a-w- c:\programdata\avg9\update\backup\avgupd.dll
2010-04-16 23:30 . 2010-04-16 23:30 -------- d-----w- c:\users\Sarah\AppData\Local\Apple
2010-04-16 23:26 . 2010-04-16 23:26 -------- d-----w- c:\users\Sarah\AppData\Local\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-09 05:35 . 2010-05-09 05:35 36059 ----a-w- c:\windows\Internet Logs\zlclient_2nd_2010_05_08_20_17_24_small.dmp.zip
2010-05-09 01:16 . 2010-05-09 01:16 26257 ----a-w- c:\windows\Internet Logs\zlclient_2nd_2010_05_08_19_12_29_small.dmp.zip
2010-05-09 00:12 . 2010-05-09 00:12 47101 ----a-w- c:\windows\Internet Logs\zlclient_2nd_2010_05_08_18_02_46_small.dmp.zip
2010-05-08 23:51 . 2009-06-01 00:22 680 ----a-w- c:\users\Jay\AppData\Local\d3d9caps.dat
2010-05-08 20:45 . 2010-05-08 20:44 422375 ---ha-w- c:\windows\system32\drivers\vsconfig.xml
2010-05-08 04:32 . 2007-02-09 14:31 -------- d-----w- c:\program files\Yahoo!
2010-05-08 03:20 . 2007-05-29 04:37 -------- d-----w- c:\program files\Lavasoft
2010-05-08 03:19 . 2008-03-15 02:10 -------- d-----w- c:\programdata\Lavasoft
2010-05-05 04:18 . 2007-02-09 14:13 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-20 20:49 . 2009-03-20 14:49 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-27 18:42 . 2010-03-27 18:42 -------- d-----w- c:\users\Sophia\AppData\Roaming\HP
2010-03-21 23:11 . 2010-03-21 23:11 -------- d-----w- c:\users\Sophia\AppData\Roaming\Corel
2010-03-21 23:09 . 2010-03-21 23:09 161784 ----a-w- c:\users\Sophia\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-20 17:15 . 2010-03-20 17:15 -------- d-----w- c:\users\Sarah\AppData\Roaming\Hewlett-Packard
2010-03-20 17:15 . 2010-03-20 17:15 161784 ----a-w- c:\users\Sarah\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-20 16:43 . 2010-03-20 16:43 -------- d-----w- c:\users\Sophia\AppData\Roaming\Hewlett-Packard
2010-03-16 17:24 . 2010-03-16 17:24 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-16 17:24 . 2007-12-17 04:46 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-16 17:23 . 2009-03-20 14:49 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-14 17:56 . 2007-10-07 04:17 -------- d-----w- c:\programdata\NVIDIA
2010-03-14 17:45 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2010-03-14 17:45 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-03-14 17:45 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-03-14 17:45 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2010-03-14 17:45 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2010-03-14 17:45 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2010-03-14 17:44 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2010-03-14 17:28 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-03-05 14:01 . 2010-04-28 03:14 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-26 04:23 . 2009-12-10 23:24 439816 ----a-w- c:\users\Adriana\AppData\Roaming\Real\Update\setup3.09\setup.exe
2010-02-26 04:23 . 2009-11-19 22:20 439816 ----a-w- c:\users\Adriana\AppData\Roaming\Real\Update\recsetup\setup.exe
2010-02-26 04:23 . 2009-11-19 22:20 118784 ----a-w- c:\users\Adriana\AppData\Roaming\Real\Update\recsetup\install.dll
2010-02-23 06:39 . 2010-04-28 03:14 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33 . 2010-04-28 03:14 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33 . 2010-04-28 03:14 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55 . 2010-04-28 03:14 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-21 17:14 . 2010-02-21 17:14 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-02-20 23:39 . 2010-03-14 17:01 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:37 . 2010-03-14 17:01 31232 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 21:18 . 2010-03-14 17:01 411136 ----a-w- c:\windows\system32\drivers\http.sys
2010-02-18 17:36 . 2010-04-28 03:14 902024 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-02-18 17:36 . 2010-04-28 03:14 220040 ----a-w- c:\windows\system32\drivers\netio.sys
2010-02-18 17:36 . 2010-04-28 03:14 98192 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2010-02-18 14:49 . 2010-04-28 03:14 3598216 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-18 14:49 . 2010-04-28 03:14 3545992 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-18 14:11 . 2010-04-28 03:14 190464 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-02-18 13:59 . 2010-04-28 03:14 438272 ----a-w- c:\windows\system32\IKEEXT.DLL
2010-02-18 13:59 . 2010-04-28 03:14 595456 ----a-w- c:\windows\system32\FWPUCLNT.DLL
2010-02-18 13:57 . 2010-04-28 03:14 328704 ----a-w- c:\windows\system32\BFE.DLL
2010-02-18 11:52 . 2010-04-28 03:14 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-02-14 20:23 . 2010-02-14 20:23 15602656 ----a-w- c:\programdata\WildTangent\My HP Game Console\Downloads\en-us\Installers\SetupGamesClient.exe
2007-09-14 15:52 . 2007-05-26 03:13 168 --sha-r- c:\windows\System32\463E71A001.sys
2007-09-26 22:28 . 2007-09-26 22:28 8 --sha-r- c:\windows\System32\62EDB37D45.sys
2007-11-10 03:20 . 2007-05-26 03:13 5586 --sha-w- c:\windows\System32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-08 39408]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Google Update"="c:\users\Jay\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-01-18 135664]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-05-06 2017280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2006-11-20 155648]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"OmniForm OFPA"="c:\program files\ScanSoft\OmniForm 5.1\OFPA.exe" [2004-10-22 40960]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"eFax 4.3"="c:\program files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 116224]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-02-09 185896]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-23 13539872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-23 92704]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2008-05-23 526880]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2006-11-02 215552]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-09-12 160160]
"hpqSRMon"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"ReminderApp"="c:\program files\Nova Development\Greeting Card Factory Photo Card Maker\ReminderApp.exe" [2006-11-02 156160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-11-22 1037192]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2009-10-14 730480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-25 44136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-12-07 8720384]

c:\users\Jay\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote Table Of Contents.onetoc2 [2007-4-23 3656]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
eFax 4.3.lnk - c:\program files\eFax Messenger 4.3\J2GTray.exe [2007-12-30 629248]
HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^File Equalization.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\File Equalization.lnk
backup=c:\windows\pss\File Equalization.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Connections.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Connections.lnk
backup=c:\windows\pss\HP Connections.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Jay^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\users\Jay\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
2006-10-05 21:00 976472 ----a-w- c:\program files\Common Files\Adobe\Updater\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPADVISOR]
2009-08-05 17:27 1644088 ----a-w- c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
2006-12-08 15:16 65536 ----a-w- c:\hp\KBD\KbdStub.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
2007-12-07 07:33 8720384 ----a-w- c:\program files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-06-29 11:24 286720 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2008-01-15 16:26 4874240 ----a-w- c:\windows\RtHDVCpl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2007-08-30 22:43 4670704 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
2008-09-12 23:46 160160 ----a-w- c:\program files\Zune\ZuneLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiSpywareOverride"=dword:00000001
"VistaSp2"=hex(b):df,97,e9,2b,9f,ad,ca,01

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 135664]
R3 vsdatant7;vsdatant7;c:\windows\system32\drivers\vsdatant.win7.sys [x]
R4 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\PCPitstop\PCPitstopScheduleService.exe [2008-10-21 77312]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-02-04 64288]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-03-16 216200]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2010-04-20 242896]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-06 68168]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-03-16 308064]
S2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [2009-10-14 25208]
S2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\IswSvc.exe [2009-10-14 476528]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-05-08 1285864]
S3 hcw18bda;Hauppauge WinTV 418 Driver;c:\windows\system32\drivers\hcw18bda.sys [2009-03-20 391168]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-05-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 02:30]

2010-05-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 02:30]

2010-05-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-98606152-2322820237-3812329491-1000Core.job
- c:\users\Jay\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-18 00:24]

2010-05-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-98606152-2322820237-3812329491-1000UA.job
- c:\users\Jay\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-18 00:24]

2010-05-09 c:\windows\Tasks\User_Feed_Synchronization-{A33FFD7E-FEBA-4F4C-B531-771E4DA0075F}.job
- c:\windows\system32\msfeedssync.exe [2010-04-28 04:54]

2010-05-09 c:\windows\Tasks\User_Feed_Synchronization-{BF3CA32A-137A-48CC-BECC-909820732A8B}.job
- c:\windows\system32\msfeedssync.exe [2010-04-28 04:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig?hl=en
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=desktop
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
Trusted Zone: microsoft.com\office
FF - ProfilePath - c:\users\Jay\AppData\Roaming\Mozilla\Firefox\Profiles\7ls655jk.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&amp;source=iglk
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Sony Online Entertainment\npsoe.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\Jay\AppData\Local\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-RunOnce-FlashPlayerUpdate - c:\windows\system32\Macromed\Flash\FlashUtil9f.exe
HKLM-Explorer_Run-GZZQndCz0R - c:\programdata\tsledodc\fwpuxyli.exe
MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-gyhcdnsr - c:\users\Jay\AppData\Local\kifrpgaah\wphaftwtssd.exe
MSConfigStartUp-osCheck - c:\program files\Norton Internet Security\osCheck.exe
MSConfigStartUp-Symantec PIF AlertEng - c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
AddRemove-_{7C5123A9-30A8-4C44-89CA-A8C87A1FCC91} - c:\program files\Corel\CorelDRAW Graphics Suite 13\Programs\MSILauncher {7C5123A9-30A8-4C44-89CA-A8C87A1FCC91}



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-09 01:07
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x84FDBEE4]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x87d9d322
\Driver\ACPI -> acpi.sys @ 0x82c0ad4c
\Driver\atapi -> ataport.SYS @ 0x82d199a8
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{02e6cba4-8781-47f5-a589-bf56c1769b39}]
@DACL=(02 0000)
"Dhcpv6Iaid"=dword:0c001a92
"Dhcpv6State"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{9c642153-bfe0-4511-a0b6-e778ddd5ea9e}]
@DACL=(02 0000)
"Dhcpv6Iaid"=dword:07001422
"Dhcpv6State"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{9ced5a61-193c-44b3-aab6-903d2dcb8256}]
@DACL=(02 0000)
"Dhcpv6Iaid"=dword:09020054
"Dhcpv6State"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{f50c0996-5b4a-4c6a-a322-6e991d4caa0e}]
@DACL=(02 0000)
"Dhcpv6Iaid"=dword:06001422
"Dhcpv6State"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(608)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
Completion time: 2010-05-09 01:11:31
ComboFix-quarantined-files.txt 2010-05-09 06:11

Pre-Run: 395,874,205,696 bytes free
Post-Run: 397,026,394,112 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 2C5CB63957791F26B323BAE9BA7FA3AA
 
I almost forgot. Here's the new HijackThis log.
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:51:51 AM, on 5/9/2010
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18904)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\ScanSoft\OmniForm 5.1\OFPA.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Windows\WindowsMobile\wmdSync.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Nova Development\Greeting Card Factory Photo Card Maker\ReminderApp.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\eFax Messenger 4.3\J2GTray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Users\Jay\AppData\Local\Google\Update\1.2.183.23\GoogleCrashHandler.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\Hewlett-Packard\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [OmniForm OFPA] C:\Program Files\ScanSoft\OmniForm 5.1\OFPA.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [ReminderApp] C:\Program Files\Nova Development\Greeting Card Factory Photo Card Maker\ReminderApp.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\Jay\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [fsejfqln] C:\Windows\system32\config\systemprofile\AppData\Local\fgahubprm\mfqjhrvtssd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: OneNote Table Of Contents.onetoc2
O4 - Global Startup: eFax 4.3.lnk = C:\Program Files\eFax Messenger 4.3\J2GTray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\Hewlett-Packard\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {38AB6A6C-CC4C-4F9E-A3DD-3C5681EF18A1} (SonyOnlineInstallerX) - http://www-cdn.freerealms.com/gamedata/FreeRealmsInstaller.cab?v=1029
O16 - DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} (PCPitstop AntiVirus) - http://utilities.pcpitstop.com/Exterminate2/pcpitstopAntiVirus.dll
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O18 - Protocol: x-cnote - {8D32BA61-D15B-11D4-894B-000000000000} - C:\Windows\System32\hsppp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 10213 bytes
 
Please rerun HijackThis and place a check next to the following entries.

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [fsejfqln] C:\Windows\system32\config\systemprofile\AppData\Local\fgahubprm\mfqjhrvtssd.exe (User 'SYSTEM') Nasty here
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O18 - Protocol: x-cnote - {8D32BA61-D15B-11D4-894B-000000000000} - C:\Windows\System32\hsppp.dll

Then click on fix checked at the bottom.

Please move the combofix file to your desktop so we may perform the next step.

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box

Dirlook::
C:\Windows\system32\config\systemprofile\AppData\Local\fgahubprm


3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!


(screenshot: CFScript-1.gif)


ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.


A few things I see in your log, that concern me.

1. You have no active virus program loading at bootup. You have remnants of having AVG installed. You really need to uninstall what's left by seeing if it's still showing up in Add/Remove Programs. Then go here to download the latest version and do a full scan on your system.

http://download.cnet.com/AVG-Anti-Virus-Free-Edition/3000-2239_4-10320142.html

2. You have Ad-Aware, Spybot and Windows Defender running. Ad-Aware and Spybot used to be good in their day, but not any longer. Malwarebytes and SUPERAntiSpyware are much better than those two. I would suggest uninstalling Ad-Aware and Spybot.

When you come back to reply I need to know what AVG found when you did a full scan, along with the new ComboFix log and a fresh HijackThis log.
 
Hey Johnb, this message is for you. I noticed some Symantec entries that had been disabled (registry), and other Symantec ComboFix removals (regloadpts). It would seem to me that the computer had Symantec but the user didn't know to, or how to, remove it fully. Could this system still have traces of that program left now? I'm sure you saw them, so I am not listing them here.

I also noticed "R4 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\PCPitstop\PCPitstopScheduleService.exe [2008-10-21 77312]". I don't like the service because I fix things myself, but I'm curious what you think of it.
 
Below are the results after running ComboFix. I will add the HijackThis log in another post so I do not exceed the allowed characters.
ComboFix 10-05-09.04 - Jay 05/09/2010 23:27:27.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1918.1156 [GMT -5:00]
Running from: c:\users\Jay\Desktop\ComboFix.exe
Command switches used :: c:\users\Jay\Desktop\CFScript.txt
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-04-10 to 2010-05-10 )))))))))))))))))))))))))))))))
.

2010-05-10 04:36 . 2010-05-10 04:36 -------- d-----w- c:\users\Jay\AppData\Local\temp
2010-05-10 04:36 . 2010-05-10 04:36 -------- d-----w- c:\users\Sophia\AppData\Local\temp
2010-05-10 04:36 . 2010-05-10 04:36 -------- d-----w- c:\users\Sarah\AppData\Local\temp
2010-05-10 04:36 . 2010-05-10 04:36 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-05-10 04:36 . 2010-05-10 04:36 -------- d-----w- c:\users\Profiles\AppData\Local\temp
2010-05-10 04:36 . 2010-05-10 04:36 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-10 04:36 . 2010-05-10 04:36 -------- d-----w- c:\users\Adriana\AppData\Local\temp
2010-05-09 15:42 . 2010-05-09 15:42 -------- d-----w- c:\windows\Internet Logs
2010-05-09 00:14 . 2010-05-09 00:14 63488 ----a-w- c:\users\Jay\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-09 00:14 . 2010-05-09 00:14 52224 ----a-w- c:\users\Jay\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-05-09 00:14 . 2010-05-09 00:14 117760 ----a-w- c:\users\Jay\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-09 00:14 . 2010-05-09 00:14 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-05-09 00:13 . 2010-05-09 00:14 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-09 00:13 . 2010-05-09 00:13 -------- d-----w- c:\users\Jay\AppData\Roaming\SUPERAntiSpyware.com
2010-05-09 00:09 . 2010-05-09 00:09 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-05-08 23:44 . 2010-05-08 23:45 8206880 ----a-w- c:\users\Jay\SUPERAntiSpyware.exe
2010-05-08 22:13 . 2010-05-08 22:13 -------- d-----w- c:\users\Sophia\AppData\Local\Mozilla
2010-05-08 22:13 . 2010-05-08 22:13 -------- d-----w- c:\users\Sophia\AppData\Roaming\CheckPoint
2010-05-08 21:16 . 2010-05-08 21:16 -------- d-----w- c:\users\Adriana\AppData\Roaming\CheckPoint
2010-05-08 20:46 . 2010-05-08 20:46 -------- d-----w- c:\users\Jay\AppData\Roaming\CheckPoint
2010-05-08 16:44 . 2010-05-08 16:44 -------- d-----w- c:\users\Jay\AppData\Roaming\Malwarebytes
2010-05-08 16:43 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-08 16:43 . 2010-05-08 16:43 -------- d-----w- c:\programdata\Malwarebytes
2010-05-08 16:43 . 2010-05-08 16:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-08 16:43 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-08 16:43 . 2010-05-08 16:43 6153352 ----a-w- c:\users\Jay\mbam-setup-1.46.exe
2010-05-08 04:48 . 2010-05-08 04:48 388096 ----a-r- c:\users\Jay\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-05-08 04:48 . 2010-05-08 04:48 -------- d-----w- c:\program files\Trend Micro
2010-05-08 03:20 . 2010-05-08 03:20 -------- dc-h--w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-05-08 03:20 . 2010-02-04 15:53 2954656 -c--a-w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-05-08 02:20 . 2010-05-08 02:20 -------- d-----w- c:\programdata\PCPitstop
2010-05-08 02:19 . 2010-05-08 02:19 -------- d-----w- c:\program files\PCPitstop
2010-05-08 02:19 . 2010-05-08 02:19 2103688 ----a-w- c:\users\Jay\extermhome-setup-0004.exe
2010-05-05 02:58 . 2010-05-07 03:36 -------- d-----w- c:\users\Jay\AppData\Local\kifrpgaah
2010-04-28 03:13 . 2009-12-23 12:43 171520 ----a-w- c:\windows\system32\wintrust.dll
2010-04-28 03:13 . 2010-02-23 11:32 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-28 03:13 . 2010-02-23 11:32 78848 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-28 03:13 . 2010-02-23 11:32 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-28 03:12 . 2010-01-15 00:04 98304 ----a-w- c:\windows\system32\cabview.dll
2010-04-25 16:19 . 2010-05-04 20:17 439816 ----a-w- c:\users\Adriana\AppData\Roaming\Real\Update\setup3.10\setup.exe
2010-04-23 11:30 . 2010-04-23 11:30 690952 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-04-20 20:49 . 2010-04-20 20:49 242696 ----a-w- c:\programdata\avg9\update\backup\avgtdix.sys
2010-04-20 20:48 . 2010-04-20 20:48 1689952 ----a-w- c:\programdata\avg9\update\backup\avgupd.dll
2010-04-16 23:30 . 2010-04-16 23:30 -------- d-----w- c:\users\Sarah\AppData\Local\Apple
2010-04-16 23:26 . 2010-04-16 23:26 -------- d-----w- c:\users\Sarah\AppData\Local\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-08 23:51 . 2009-06-01 00:22 680 ----a-w- c:\users\Jay\AppData\Local\d3d9caps.dat
2010-05-08 04:32 . 2007-02-09 14:31 -------- d-----w- c:\program files\Yahoo!
2010-05-08 03:20 . 2007-05-29 04:37 -------- d-----w- c:\program files\Lavasoft
2010-05-08 03:19 . 2008-03-15 02:10 -------- d-----w- c:\programdata\Lavasoft
2010-05-05 04:18 . 2007-02-09 14:13 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-20 20:49 . 2009-03-20 14:49 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-27 18:42 . 2010-03-27 18:42 -------- d-----w- c:\users\Sophia\AppData\Roaming\HP
2010-03-21 23:11 . 2010-03-21 23:11 -------- d-----w- c:\users\Sophia\AppData\Roaming\Corel
2010-03-21 23:09 . 2010-03-21 23:09 161784 ----a-w- c:\users\Sophia\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-20 17:15 . 2010-03-20 17:15 -------- d-----w- c:\users\Sarah\AppData\Roaming\Hewlett-Packard
2010-03-20 17:15 . 2010-03-20 17:15 161784 ----a-w- c:\users\Sarah\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-20 16:43 . 2010-03-20 16:43 -------- d-----w- c:\users\Sophia\AppData\Roaming\Hewlett-Packard
2010-03-16 17:24 . 2010-03-16 17:24 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-16 17:24 . 2007-12-17 04:46 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-16 17:23 . 2009-03-20 14:49 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-14 17:56 . 2007-10-07 04:17 -------- d-----w- c:\programdata\NVIDIA
2010-03-14 17:45 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2010-03-14 17:45 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-03-14 17:45 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-03-14 17:45 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2010-03-14 17:45 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2010-03-14 17:45 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2010-03-14 17:44 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2010-03-14 17:28 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-03-05 14:01 . 2010-04-28 03:14 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-26 04:23 . 2009-12-10 23:24 439816 ----a-w- c:\users\Adriana\AppData\Roaming\Real\Update\setup3.09\setup.exe
2010-02-26 04:23 . 2009-11-19 22:20 439816 ----a-w- c:\users\Adriana\AppData\Roaming\Real\Update\recsetup\setup.exe
2010-02-26 04:23 . 2009-11-19 22:20 118784 ----a-w- c:\users\Adriana\AppData\Roaming\Real\Update\recsetup\install.dll
2010-02-23 06:39 . 2010-04-28 03:14 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33 . 2010-04-28 03:14 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33 . 2010-04-28 03:14 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55 . 2010-04-28 03:14 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-21 17:14 . 2010-02-21 17:14 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-02-20 23:39 . 2010-03-14 17:01 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:37 . 2010-03-14 17:01 31232 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 21:18 . 2010-03-14 17:01 411136 ----a-w- c:\windows\system32\drivers\http.sys
2010-02-18 17:36 . 2010-04-28 03:14 902024 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-02-18 17:36 . 2010-04-28 03:14 220040 ----a-w- c:\windows\system32\drivers\netio.sys
2010-02-18 17:36 . 2010-04-28 03:14 98192 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2010-02-18 14:49 . 2010-04-28 03:14 3598216 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-18 14:49 . 2010-04-28 03:14 3545992 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-18 14:11 . 2010-04-28 03:14 190464 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-02-18 13:59 . 2010-04-28 03:14 438272 ----a-w- c:\windows\system32\IKEEXT.DLL
2010-02-18 13:59 . 2010-04-28 03:14 595456 ----a-w- c:\windows\system32\FWPUCLNT.DLL
2010-02-18 13:57 . 2010-04-28 03:14 328704 ----a-w- c:\windows\system32\BFE.DLL
2010-02-18 11:52 . 2010-04-28 03:14 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-02-14 20:23 . 2010-02-14 20:23 15602656 ----a-w- c:\programdata\WildTangent\My HP Game Console\Downloads\en-us\Installers\SetupGamesClient.exe
2007-09-14 15:52 . 2007-05-26 03:13 168 --sha-r- c:\windows\System32\463E71A001.sys
2007-09-26 22:28 . 2007-09-26 22:28 8 --sha-r- c:\windows\System32\62EDB37D45.sys
2007-11-10 03:20 . 2007-05-26 03:13 5586 --sha-w- c:\windows\System32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-05-09_06.07.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-02-09 14:44 . 2010-05-10 04:26 70430 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2010-05-10 04:26 76366 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2007-04-16 00:23 . 2010-05-10 04:26 16194 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-98606152-2322820237-3812329491-1000_UserData.bin
+ 2010-05-09 06:14 . 2010-05-09 06:14 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.dat
- 2007-04-16 00:30 . 2010-05-09 05:34 65536 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2007-04-16 00:30 . 2010-05-10 03:58 65536 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-05-09 06:14 . 2010-05-09 06:14 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat
+ 2010-05-09 06:14 . 2010-05-09 06:14 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat
+ 2010-05-09 06:14 . 2010-05-09 06:12 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012010050920100510\index.dat
+ 2007-04-16 00:30 . 2010-05-10 03:58 65536 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2007-04-16 00:30 . 2010-05-09 05:34 65536 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2007-06-13 21:31 . 2010-05-09 05:34 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2007-06-13 21:31 . 2010-05-10 03:58 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2007-06-13 21:31 . 2010-05-09 05:34 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2007-06-13 21:31 . 2010-05-10 03:58 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2007-06-13 21:31 . 2010-05-09 05:34 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2007-06-13 21:31 . 2010-05-10 03:58 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2006-11-02 10:25 . 2010-05-09 15:27 51200 c:\windows\inf\infpub.dat
- 2006-11-02 10:25 . 2010-05-08 20:45 51200 c:\windows\inf\infpub.dat
+ 2005-03-21 16:00 . 2005-03-21 16:00 4096 c:\windows\System32\sabprocenum.sys
- 2010-05-09 05:34 . 2010-05-09 05:34 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2010-05-10 04:22 . 2010-05-10 04:22 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2010-05-09 05:34 . 2010-05-09 05:34 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-05-10 04:22 . 2010-05-10 04:22 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2006-11-02 10:33 . 2010-05-09 05:41 600026 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2010-05-10 04:31 600026 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2010-05-09 05:41 102704 c:\windows\System32\perfc009.dat
+ 2006-11-02 10:33 . 2010-05-10 04:31 102704 c:\windows\System32\perfc009.dat
- 2009-05-02 22:04 . 2010-05-09 05:34 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-05-02 22:04 . 2010-05-10 03:58 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2006-11-02 10:25 . 2010-05-08 20:45 143360 c:\windows\inf\infstrng.dat
+ 2006-11-02 10:25 . 2010-05-09 15:27 143360 c:\windows\inf\infstrng.dat
+ 2006-11-02 10:25 . 2010-05-09 15:27 143360 c:\windows\inf\infstor.dat
- 2006-11-02 10:25 . 2010-05-08 20:45 143360 c:\windows\inf\infstor.dat
+ 2009-05-14 20:41 . 2009-05-14 20:41 380144 c:\windows\Downloaded Program Files\sabspx.dll
+ 2007-04-16 00:30 . 2010-05-10 03:58 2375680 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2007-04-16 00:30 . 2010-05-09 05:34 2375680 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-08 39408]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Google Update"="c:\users\Jay\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-01-18 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2006-11-20 155648]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"OmniForm OFPA"="c:\program files\ScanSoft\OmniForm 5.1\OFPA.exe" [2004-10-22 40960]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"eFax 4.3"="c:\program files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 116224]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-23 13539872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-23 92704]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2008-05-23 526880]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2006-11-02 215552]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-09-12 160160]
"hpqSRMon"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"ReminderApp"="c:\program files\Nova Development\Greeting Card Factory Photo Card Maker\ReminderApp.exe" [2006-11-02 156160]

c:\users\Jay\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote Table Of Contents.onetoc2 [2007-4-23 3656]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
eFax 4.3.lnk - c:\program files\eFax Messenger 4.3\J2GTray.exe [2007-12-30 629248]
HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^File Equalization.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\File Equalization.lnk
backup=c:\windows\pss\File Equalization.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Connections.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Connections.lnk
backup=c:\windows\pss\HP Connections.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Jay^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\users\Jay\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
2006-10-05 21:00 976472 ----a-w- c:\program files\Common Files\Adobe\Updater\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPADVISOR]
2009-08-05 17:27 1644088 ----a-w- c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
2006-12-08 15:16 65536 ----a-w- c:\hp\KBD\KbdStub.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
2007-12-07 07:33 8720384 ----a-w- c:\program files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-06-29 11:24 286720 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2008-01-15 16:26 4874240 ----a-w- c:\windows\RtHDVCpl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2007-08-30 22:43 4670704 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
2008-09-12 23:46 160160 ----a-w- c:\program files\Zune\ZuneLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiSpywareOverride"=dword:00000001
"VistaSp2"=hex(b):df,97,e9,2b,9f,ad,ca,01

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 135664]
R4 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\PCPitstop\PCPitstopScheduleService.exe [2008-10-21 77312]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-02-04 64288]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-03-16 216200]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2010-04-20 242896]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-06 68168]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-03-16 308064]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-05-08 1285864]
S3 hcw18bda;Hauppauge WinTV 418 Driver;c:\windows\system32\drivers\hcw18bda.sys [2009-03-20 391168]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-05-10 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 03:22]

2010-05-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 02:30]

2010-05-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 02:30]

2010-05-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-98606152-2322820237-3812329491-1000Core.job
- c:\users\Jay\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-18 00:24]

2010-05-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-98606152-2322820237-3812329491-1000UA.job
- c:\users\Jay\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-18 00:24]

2010-05-10 c:\windows\Tasks\User_Feed_Synchronization-{A33FFD7E-FEBA-4F4C-B531-771E4DA0075F}.job
- c:\windows\system32\msfeedssync.exe [2010-04-28 04:54]

2010-05-10 c:\windows\Tasks\User_Feed_Synchronization-{BF3CA32A-137A-48CC-BECC-909820732A8B}.job
- c:\windows\system32\msfeedssync.exe [2010-04-28 04:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig?hl=en
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=desktop
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
Trusted Zone: microsoft.com\office
FF - ProfilePath - c:\users\Jay\AppData\Roaming\Mozilla\Firefox\Profiles\7ls655jk.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&amp;source=iglk
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Sony Online Entertainment\npsoe.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\Jay\AppData\Local\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-09 23:36
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2010-05-09 23:39:16
ComboFix-quarantined-files.txt 2010-05-10 04:39
ComboFix2.txt 2010-05-09 06:11

Pre-Run: 396,095,438,848 bytes free
Post-Run: 396,027,858,944 bytes free

- - End Of File - - 2C8604022A3A639A51762D6BD5F93BA2
 
Below is the Hijackthis log. I will run AVG after I post this.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:46:49 PM, on 5/9/2010
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18904)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\explorer.exe
C:\Program Files\eFax Messenger 4.3\J2GTray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\Hewlett-Packard\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [OmniForm OFPA] C:\Program Files\ScanSoft\OmniForm 5.1\OFPA.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [ReminderApp] C:\Program Files\Nova Development\Greeting Card Factory Photo Card Maker\ReminderApp.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\Jay\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: OneNote Table Of Contents.onetoc2
O4 - Global Startup: eFax 4.3.lnk = C:\Program Files\eFax Messenger 4.3\J2GTray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\Hewlett-Packard\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {38AB6A6C-CC4C-4F9E-A3DD-3C5681EF18A1} (SonyOnlineInstallerX) - http://www-cdn.freerealms.com/gamedata/FreeRealmsInstaller.cab?v=1029
O16 - DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} (PCPitstop AntiVirus) - http://utilities.pcpitstop.com/Exterminate2/pcpitstopAntiVirus.dll
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 8347 bytes
 
From the AVG Virus scan.
"C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\N3UIRG2W\n008106201304r0409J11000601Rbd7db872Wb5175ccdXb6cce796Yfd290850Z0100f0800[1]";"Trojan horse Cryptic.ND";"Moved to Virus Vault"
 
Ok, let's try this again, but this time let's run ccleaner first. Download it from here.

http://www.filehippo.com/download_ccleaner/

Install it and then set it with the options that are in the attached image and then click on run cleaner.

Then let's try that cfscript again; it didn't work for some reason.

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box

Code:
Dirlook::
c:\users\Jay\AppData\Local\kifrpgaah
C:\Windows\system32\config\systemprofile\AppData\Local\fgahubprm

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!


CFScript-1.gif


ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.
 

Attachment: ccleaner.JPG
Thanks for being so patient. Here's the new Combo log.

ComboFix 10-05-10.02 - Jay 05/10/2010 23:02:02.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1918.840 [GMT -5:00]
Running from: c:\users\Jay\Desktop\ComboFix.exe
Command switches used :: c:\users\Jay\Desktop\CFScript.txt
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2010-04-11 to 2010-05-11 )))))))))))))))))))))))))))))))
.

2010-05-11 04:10 . 2010-05-11 04:10 -------- d-----w- c:\users\Jay\AppData\Local\temp
2010-05-11 04:10 . 2010-05-11 04:10 -------- d-----w- c:\users\Sophia\AppData\Local\temp
2010-05-11 04:10 . 2010-05-11 04:10 -------- d-----w- c:\users\Sarah\AppData\Local\temp
2010-05-11 04:10 . 2010-05-11 04:10 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-05-11 04:10 . 2010-05-11 04:10 -------- d-----w- c:\users\Profiles\AppData\Local\temp
2010-05-11 04:10 . 2010-05-11 04:10 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-11 04:10 . 2010-05-11 04:10 -------- d-----w- c:\users\Adriana\AppData\Local\temp
2010-05-09 15:42 . 2010-05-09 15:42 -------- d-----w- c:\windows\Internet Logs
2010-05-09 00:14 . 2010-05-09 00:14 63488 ----a-w- c:\users\Jay\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-09 00:14 . 2010-05-09 00:14 52224 ----a-w- c:\users\Jay\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-05-09 00:14 . 2010-05-09 00:14 117760 ----a-w- c:\users\Jay\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-09 00:14 . 2010-05-09 00:14 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-05-09 00:13 . 2010-05-09 00:14 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-09 00:13 . 2010-05-09 00:13 -------- d-----w- c:\users\Jay\AppData\Roaming\SUPERAntiSpyware.com
2010-05-09 00:09 . 2010-05-09 00:09 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-05-08 23:44 . 2010-05-08 23:45 8206880 ----a-w- c:\users\Jay\SUPERAntiSpyware.exe
2010-05-08 22:13 . 2010-05-08 22:13 -------- d-----w- c:\users\Sophia\AppData\Local\Mozilla
2010-05-08 22:13 . 2010-05-08 22:13 -------- d-----w- c:\users\Sophia\AppData\Roaming\CheckPoint
2010-05-08 21:16 . 2010-05-08 21:16 -------- d-----w- c:\users\Adriana\AppData\Roaming\CheckPoint
2010-05-08 20:46 . 2010-05-08 20:46 -------- d-----w- c:\users\Jay\AppData\Roaming\CheckPoint
2010-05-08 16:44 . 2010-05-08 16:44 -------- d-----w- c:\users\Jay\AppData\Roaming\Malwarebytes
2010-05-08 16:43 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-08 16:43 . 2010-05-08 16:43 -------- d-----w- c:\programdata\Malwarebytes
2010-05-08 16:43 . 2010-05-08 16:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-08 16:43 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-08 16:43 . 2010-05-08 16:43 6153352 ----a-w- c:\users\Jay\mbam-setup-1.46.exe
2010-05-08 04:48 . 2010-05-08 04:48 388096 ----a-r- c:\users\Jay\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-05-08 04:48 . 2010-05-08 04:48 -------- d-----w- c:\program files\Trend Micro
2010-05-08 03:22 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-05-08 03:20 . 2010-05-08 03:20 -------- dc-h--w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-05-08 03:20 . 2010-02-04 15:53 2954656 -c--a-w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-05-08 02:20 . 2010-05-08 02:20 -------- d-----w- c:\programdata\PCPitstop
2010-05-08 02:19 . 2010-05-08 02:19 -------- d-----w- c:\program files\PCPitstop
2010-05-08 02:19 . 2010-05-08 02:19 2103688 ----a-w- c:\users\Jay\extermhome-setup-0004.exe
2010-05-05 02:58 . 2010-05-07 03:36 -------- d-----w- c:\users\Jay\AppData\Local\kifrpgaah
2010-04-28 03:13 . 2009-12-23 12:43 171520 ----a-w- c:\windows\system32\wintrust.dll
2010-04-28 03:13 . 2010-02-23 11:32 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-28 03:13 . 2010-02-23 11:32 78848 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-28 03:13 . 2010-02-23 11:32 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-28 03:12 . 2010-01-15 00:04 98304 ----a-w- c:\windows\system32\cabview.dll
2010-04-25 16:19 . 2010-05-04 20:17 439816 ----a-w- c:\users\Adriana\AppData\Roaming\Real\Update\setup3.10\setup.exe
2010-04-23 11:30 . 2010-04-23 11:30 690952 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-04-20 20:49 . 2010-04-20 20:49 242696 ----a-w- c:\programdata\avg9\update\backup\avgtdix.sys
2010-04-20 20:48 . 2010-04-20 20:48 1689952 ----a-w- c:\programdata\avg9\update\backup\avgupd.dll
2010-04-16 23:30 . 2010-04-16 23:30 -------- d-----w- c:\users\Sarah\AppData\Local\Apple
2010-04-16 23:26 . 2010-04-16 23:26 -------- d-----w- c:\users\Sarah\AppData\Local\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-11 03:45 . 2009-09-09 02:19 -------- d-----w- c:\program files\CCleaner
2010-05-08 23:51 . 2009-06-01 00:22 680 ----a-w- c:\users\Jay\AppData\Local\d3d9caps.dat
2010-05-08 04:32 . 2007-02-09 14:31 -------- d-----w- c:\program files\Yahoo!
2010-05-08 03:20 . 2007-05-29 04:37 -------- d-----w- c:\program files\Lavasoft
2010-05-08 03:19 . 2008-03-15 02:10 -------- d-----w- c:\programdata\Lavasoft
2010-05-05 04:18 . 2007-02-09 14:13 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-20 20:49 . 2009-03-20 14:49 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-27 18:42 . 2010-03-27 18:42 -------- d-----w- c:\users\Sophia\AppData\Roaming\HP
2010-03-21 23:11 . 2010-03-21 23:11 -------- d-----w- c:\users\Sophia\AppData\Roaming\Corel
2010-03-21 23:09 . 2010-03-21 23:09 161784 ----a-w- c:\users\Sophia\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-20 17:15 . 2010-03-20 17:15 -------- d-----w- c:\users\Sarah\AppData\Roaming\Hewlett-Packard
2010-03-20 17:15 . 2010-03-20 17:15 161784 ----a-w- c:\users\Sarah\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-20 16:43 . 2010-03-20 16:43 -------- d-----w- c:\users\Sophia\AppData\Roaming\Hewlett-Packard
2010-03-16 17:24 . 2010-03-16 17:24 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-16 17:24 . 2007-12-17 04:46 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-16 17:23 . 2009-03-20 14:49 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-14 17:56 . 2007-10-07 04:17 -------- d-----w- c:\programdata\NVIDIA
2010-03-14 17:45 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2010-03-14 17:45 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-03-14 17:45 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-03-14 17:45 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2010-03-14 17:45 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2010-03-14 17:45 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2010-03-14 17:44 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2010-03-14 17:28 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-03-05 14:01 . 2010-04-28 03:14 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-26 04:23 . 2009-12-10 23:24 439816 ----a-w- c:\users\Adriana\AppData\Roaming\Real\Update\setup3.09\setup.exe
2010-02-26 04:23 . 2009-11-19 22:20 439816 ----a-w- c:\users\Adriana\AppData\Roaming\Real\Update\recsetup\setup.exe
2010-02-26 04:23 . 2009-11-19 22:20 118784 ----a-w- c:\users\Adriana\AppData\Roaming\Real\Update\recsetup\install.dll
2010-02-23 06:39 . 2010-04-28 03:14 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33 . 2010-04-28 03:14 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33 . 2010-04-28 03:14 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55 . 2010-04-28 03:14 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-21 17:14 . 2010-02-21 17:14 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-02-20 23:39 . 2010-03-14 17:01 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:37 . 2010-03-14 17:01 31232 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 21:18 . 2010-03-14 17:01 411136 ----a-w- c:\windows\system32\drivers\http.sys
2010-02-18 17:36 . 2010-04-28 03:14 902024 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-02-18 17:36 . 2010-04-28 03:14 220040 ----a-w- c:\windows\system32\drivers\netio.sys
2010-02-18 17:36 . 2010-04-28 03:14 98192 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2010-02-18 14:49 . 2010-04-28 03:14 3598216 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-18 14:49 . 2010-04-28 03:14 3545992 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-18 14:11 . 2010-04-28 03:14 190464 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-02-18 13:59 . 2010-04-28 03:14 438272 ----a-w- c:\windows\system32\IKEEXT.DLL
2010-02-18 13:59 . 2010-04-28 03:14 595456 ----a-w- c:\windows\system32\FWPUCLNT.DLL
2010-02-18 13:57 . 2010-04-28 03:14 328704 ----a-w- c:\windows\system32\BFE.DLL
2010-02-18 11:52 . 2010-04-28 03:14 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-02-14 20:23 . 2010-02-14 20:23 15602656 ----a-w- c:\programdata\WildTangent\My HP Game Console\Downloads\en-us\Installers\SetupGamesClient.exe
2007-09-14 15:52 . 2007-05-26 03:13 168 --sha-r- c:\windows\System32\463E71A001.sys
2007-09-26 22:28 . 2007-09-26 22:28 8 --sha-r- c:\windows\System32\62EDB37D45.sys
2007-11-10 03:20 . 2007-05-26 03:13 5586 --sha-w- c:\windows\System32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\users\Jay\AppData\Local\kifrpgaah ----


---- Directory of c:\windows\system32\config\systemprofile\AppData\Local\fgahubprm ----



((((((((((((((((((((((((((((( SnapShot@2010-05-09_06.07.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-02-09 14:44 . 2010-05-10 23:26 70446 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2010-05-10 23:26 76446 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2007-04-17 16:12 . 2010-05-10 23:26 20094 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-98606152-2322820237-3812329491-1001_UserData.bin
+ 2007-04-16 00:23 . 2010-05-10 04:26 16194 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-98606152-2322820237-3812329491-1000_UserData.bin
+ 2010-05-09 06:14 . 2010-05-09 06:14 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.dat
- 2007-04-16 00:30 . 2010-05-09 05:34 65536 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2007-04-16 00:30 . 2010-05-11 03:45 65536 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-05-09 06:14 . 2010-05-09 06:14 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat
+ 2010-05-09 06:14 . 2010-05-09 06:14 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat
+ 2010-05-09 06:14 . 2010-05-09 06:12 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012010050920100510\index.dat
- 2007-04-16 00:30 . 2010-05-09 05:34 65536 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2007-04-16 00:30 . 2010-05-11 03:45 65536 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-05-06 21:54 . 2010-05-10 23:28 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-05-06 21:54 . 2010-05-08 20:40 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-05-06 21:54 . 2010-05-10 23:28 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-05-06 21:54 . 2010-05-08 20:40 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-05-06 21:54 . 2010-05-10 23:28 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-05-06 21:54 . 2010-05-08 20:40 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2007-06-13 21:31 . 2010-05-09 05:34 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2007-06-13 21:31 . 2010-05-10 23:23 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2007-06-13 21:31 . 2010-05-09 05:34 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2007-06-13 21:31 . 2010-05-10 23:23 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2007-06-13 21:31 . 2010-05-09 05:34 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2007-06-13 21:31 . 2010-05-10 23:23 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2006-11-02 10:25 . 2010-05-08 20:45 51200 c:\windows\inf\infpub.dat
+ 2006-11-02 10:25 . 2010-05-09 15:27 51200 c:\windows\inf\infpub.dat
+ 2005-03-21 16:00 . 2005-03-21 16:00 4096 c:\windows\System32\sabprocenum.sys
- 2010-05-09 05:34 . 2010-05-09 05:34 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2010-05-10 23:23 . 2010-05-10 23:23 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2010-05-10 23:23 . 2010-05-10 23:23 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2010-05-09 05:34 . 2010-05-09 05:34 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-10-22 21:57 . 2010-05-10 12:17 224770 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
- 2006-11-02 10:33 . 2010-05-09 05:41 600026 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2010-05-10 23:29 600026 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2010-05-09 05:41 102704 c:\windows\System32\perfc009.dat
+ 2006-11-02 10:33 . 2010-05-10 23:29 102704 c:\windows\System32\perfc009.dat
+ 2009-05-02 22:04 . 2010-05-11 03:22 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2009-05-02 22:04 . 2010-05-09 05:34 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2006-11-02 10:25 . 2010-05-09 15:27 143360 c:\windows\inf\infstrng.dat
- 2006-11-02 10:25 . 2010-05-08 20:45 143360 c:\windows\inf\infstrng.dat
+ 2006-11-02 10:25 . 2010-05-09 15:27 143360 c:\windows\inf\infstor.dat
- 2006-11-02 10:25 . 2010-05-08 20:45 143360 c:\windows\inf\infstor.dat
+ 2009-05-14 20:41 . 2009-05-14 20:41 380144 c:\windows\Downloaded Program Files\sabspx.dll
- 2007-04-16 00:30 . 2010-05-09 05:34 2375680 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2007-04-16 00:30 . 2010-05-11 03:45 2375680 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2007-04-16 00:30 . 2010-05-08 02:03 3516560 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2007-04-16 00:30 . 2010-05-10 15:31 3516560 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-08 39408]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Google Update"="c:\users\Jay\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-01-18 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2006-11-20 155648]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"OmniForm OFPA"="c:\program files\ScanSoft\OmniForm 5.1\OFPA.exe" [2004-10-22 40960]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"eFax 4.3"="c:\program files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 116224]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-23 13539872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-23 92704]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2008-05-23 526880]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2006-11-02 215552]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-09-12 160160]
"hpqSRMon"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"ReminderApp"="c:\program files\Nova Development\Greeting Card Factory Photo Card Maker\ReminderApp.exe" [2006-11-02 156160]

c:\users\Jay\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote Table Of Contents.onetoc2 [2007-4-23 3656]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
eFax 4.3.lnk - c:\program files\eFax Messenger 4.3\J2GTray.exe [2007-12-30 629248]
HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^File Equalization.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\File Equalization.lnk
backup=c:\windows\pss\File Equalization.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Connections.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Connections.lnk
backup=c:\windows\pss\HP Connections.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Jay^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\users\Jay\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
2006-10-05 21:00 976472 ----a-w- c:\program files\Common Files\Adobe\Updater\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPADVISOR]
2009-08-05 17:27 1644088 ----a-w- c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
2006-12-08 15:16 65536 ----a-w- c:\hp\KBD\KbdStub.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
2007-12-07 07:33 8720384 ----a-w- c:\program files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-06-29 11:24 286720 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2008-01-15 16:26 4874240 ----a-w- c:\windows\RtHDVCpl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2007-08-30 22:43 4670704 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
2008-09-12 23:46 160160 ----a-w- c:\program files\Zune\ZuneLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiSpywareOverride"=dword:00000001
"VistaSp2"=hex(b):df,97,e9,2b,9f,ad,ca,01

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 135664]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-05-08 1285864]
R4 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\PCPitstop\PCPitstopScheduleService.exe [2008-10-21 77312]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-02-04 64288]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-03-16 216200]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2010-04-20 242896]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-06 68168]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-03-16 308064]
S3 hcw18bda;Hauppauge WinTV 418 Driver;c:\windows\system32\drivers\hcw18bda.sys [2009-03-20 391168]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-05-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 02:30]

2010-05-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 02:30]

2010-05-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-98606152-2322820237-3812329491-1000Core.job
- c:\users\Jay\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-18 00:24]

2010-05-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-98606152-2322820237-3812329491-1000UA.job
- c:\users\Jay\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-18 00:24]

2010-05-10 c:\windows\Tasks\User_Feed_Synchronization-{A33FFD7E-FEBA-4F4C-B531-771E4DA0075F}.job
- c:\windows\system32\msfeedssync.exe [2010-04-28 04:54]

2010-05-11 c:\windows\Tasks\User_Feed_Synchronization-{BF3CA32A-137A-48CC-BECC-909820732A8B}.job
- c:\windows\system32\msfeedssync.exe [2010-04-28 04:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig?hl=en
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=desktop
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
Trusted Zone: microsoft.com\office
FF - ProfilePath - c:\users\Jay\AppData\Roaming\Mozilla\Firefox\Profiles\7ls655jk.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&amp;source=iglk
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Sony Online Entertainment\npsoe.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\Jay\AppData\Local\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-10 23:10
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2010-05-10 23:13:06
ComboFix-quarantined-files.txt 2010-05-11 04:13
ComboFix2.txt 2010-05-10 04:39
ComboFix3.txt 2010-05-09 06:11

Pre-Run: 396,162,977,792 bytes free
Post-Run: 396,114,362,368 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 0801F8E4797ADA3F0AA09939D1501A23
 
OK, there is nothing in those folders so you can delete them. Navigate to each folder and delete it.

c:\users\Jay\AppData\Local\kifrpgaah - Delete the folder kifrpgaah

c:\windows\system32\config\systemprofile\AppData\Local\fgahubprm - Delete the folder fgahubprm

Then rerun HijackThis and place a check next to the following entries.

O4 - HKCU\..\Run: [Google Update] "C:\Users\Jay\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: OneNote Table Of Contents.onetoc2

Then click on fix checked.

OK, how is your system running now? Any more redirects?
 