Solved Help needed to determine if my machine is infected..

[bobbygeorge]

Help needed to determine if my machine is infected...(kind of urgent,playing up alot)

I am using vista, 64 bit.
I believe my machine was deliberately infected with malware, but unsure how bad it is. I will include some logs below:


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5448

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18999

03/01/2011 18:32:31
mbam-log-2011-01-03 (18-32-31).txt

Scan type: Quick scan
Objects scanned: 157630
Time elapsed: 3 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\Shaun\downloads\setupcasino_10fec3.exe (PUP.Casino) -> Quarantined and deleted successfully.

-----------------------------------------------------------------------------------------------------

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-01-03 19:28:51
Windows 6.0.6002 Service Pack 2
Running: bym2ebeo.exe


---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xBA 0xB5 0x60 0x8C ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xBA 0xB5 0x60 0x8C ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4BF5041B-071B-2CB2-14D0-D9F88302CA33}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4BF5041B-071B-2CB2-14D0-D9F88302CA33}@jamgffmgahcacledlfic 0x6F 0x61 0x6D 0x67 ...

---- EOF - GMER 1.0.15 ----

--------------------------------------------------------------------------------------------------------



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-12.02)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 01/10/2009 02:24:41
System Uptime: 03/01/2011 18:33:55 (1 hours ago)

Motherboard: PEGATRON CORPORATION | | NARRA5
Processor: AMD Phenom(tm) 9650 Quad-Core Processor | Socket AM2 | 1200/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 451 GiB total, 79.303 GiB free.
D: is FIXED (NTFS) - 15 GiB total, 2.133 GiB free.
E: is CDROM ()
J: is Removable
K: is Removable
L: is Removable
N: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================


==== Installed Programs ======================

AAA Logo 2008 2.10
ActiveCheck component for HP Active Support Library
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.1
Any Video Converter 3.0.5
ArcSoft VideoImpression 2
µTorrent
AVG 9.0
AVS Audio Converter version 6.2
AVS Update Manager 1.0
AVS4YOU Software Navigator 1.4
Belkin Wireless USB Adapter Setup
Bing Bar
Bing Bar Platform
Blaze Media Pro
Casino.com
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center Graphics Previews Vista
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
ccc-core-static
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
CCleaner
Compatibility Pack for the 2007 Office system
Conduit Engine
Convert WAV To MP3 1.0
CyberLink DVD Suite Deluxe
D3DX10
DirectX for Managed Code Update (Summer 2004)
DVDVideoSoftTB Toolbar
Free Video to MP3 Converter version 4.2.12
Free WMA to MP3 Converter 1.16
FreeRIP v3.42
Google Chrome
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Active Support Library
HP Advisor
HP Customer Experience Enhancements
HP Games
HP MediaSmart Demo
HP MediaSmart DVD
HP MediaSmart Music/Photo/Video
HP Odometer
HP Picasso Media Center Add-In
HP Recovery Manager RSS
HP Support Information
HP Total Care Setup
HP Update
HPAsset component for HP Active Support Library
Huawei modem
Java(TM) 6 Update 16
Junk Mail filter update
K-Lite Codec Pack 5.1.0 (Full)
LabelPrint
LG PC Suite II
LG USB Modem driver
LightScribe System Software
Live 7.0.14
Magic Desktop
Magic DVD Copier Version 5.0.0
Malwarebytes' Anti-Malware
Microsoft Office Live Add-in 1.5
Microsoft Office Outlook Connector
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Professional Edition 2003
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla Firefox (3.6.8)
MSVCRT
MSVCRT_amd64
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nero 7 Ultra Edition
neroxml
PC VGA Camer@ Plus
PokerStars
Power Structure
Power2Go
PowerDirector
PowerISO
Pro Evolution Soccer 2009
Python 2.6 pywin32-212
Python 2.6.1
RealPlayer
Realtek High Definition Audio Driver
RealUpgrade 1.0
Reason 4.0.1
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
Segoe UI
Skins
Skype™ Beta 4.2
Spybot - Search & Destroy
SpyShelter Premium 4.55
Steinberg Cubase 5
Steinberg Drum Loop Expansion 01
Steinberg Groove Agent ONE Content
Steinberg HALionOne
Steinberg HALionOne Additional Content Set 01
Steinberg HALionOne Expression Set
Steinberg HALionOne GM Drum Set
Steinberg HALionOne GM Set
Steinberg HALionOne Pro Set
Steinberg HALionOne Studio Drum Set
Steinberg HALionOne Studio Set
Steinberg LoopMash Content
Steinberg REVerence Content 01
Uninstall 1.0.0.1
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
uTorrentBar Toolbar
Visual C++ 8.0 Runtime Setup Package (x64)
Wav2MP3 Wizard v3.2 (Build 354)
Windows Live Communications Platform
Windows Live Essentials
Windows Live Installer
Windows Live Mail
Windows Live Messenger
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live Sync
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
Windows Media Player Firefox Plugin
Word to PDF Converter

==== End Of File ===========================


--------------------------------------------------------------------------------------------------------



DDS (Ver_10-12-12.02) - NTFS_AMD64
Run by Shaun at 19:33:21.31 on 03/01/2011
Internet Explorer: 8.0.6001.18999 BrowserJavaVersion: 1.6.0_16
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.353.1033.18.4094.2142 [GMT 0:00]

AV: AVG Internet Security 3-pack *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Internet Security 3-pack *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: AVG Firewall *Enabled* {621CC794-9486-F902-D092-0484E8EA828B}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Program Files (x86)\AVG\AVG9\avgchsva.exe
C:\Program Files (x86)\AVG\AVG9\avgrsa.exe
C:\Program Files (x86)\AVG\AVG9\avgcsrva.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\a-squared Free\a2service.exe
C:\Program Files (x86)\AVG\AVG9\avgwdsvc.exe
C:\Program Files (x86)\AVG\AVG9\avgfws9.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Program Files (x86)\Blaze Media Pro\NMSAccess32.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files (x86)\AVG\AVG9\avgam.exe
C:\Program Files (x86)\AVG\AVG9\avgnsa.exe
C:\Program Files (x86)\AVG\AVG9\avgcsrva.exe
C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
C:\Program Files (x86)\AVG\AVG9\avgtray.exe
C:\Program Files (x86)\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
c:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Users\Shaun\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Shaun\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Shaun\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Shaun\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2269050
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uSearch Bar = Preserve
mStart Page = hxxp://www.yahoo.com/
mDefault_Page_URL = hxxp://www.yahoo.com/
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
uURLSearchHooks: DVDVideoSoftTB Toolbar: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - C:\Program Files (x86)\DVDVideoSoftTB\tbDVDV.dll
uURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\tbuTor.dll
mURLSearchHooks: DVDVideoSoftTB Toolbar: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - C:\Program Files (x86)\DVDVideoSoftTB\tbDVDV.dll
mURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\tbuTor.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - C:\Program Files (x86)\AVG\AVG9\Toolbar\IEToolbar.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files (x86)\AVG\AVG9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
BHO: DVDVideoSoftTB Toolbar: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - C:\Program Files (x86)\DVDVideoSoftTB\tbDVDV.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - C:\Program Files (x86)\AVG\AVG9\Toolbar\IEToolbar.dll
BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\tbuTor.dll
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2322.0\npwinext.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - C:\Program Files (x86)\AVG\AVG9\Toolbar\IEToolbar.dll
TB: @C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2322.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2322.0\npwinext.dll
TB: DVDVideoSoftTB Toolbar: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - C:\Program Files (x86)\DVDVideoSoftTB\tbDVDV.dll
TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\tbuTor.dll
TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [Google Update] "C:\Users\Shaun\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [SpyShelter] C:\Program Files (x86)\SpyShelter Premium\SpyShelter.exe
uRun: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
mRun: [AVG9_TRAY] C:\PROGRA~2\AVG\AVG9\avgtray.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: HideFastUserSwitching = 0 (0x0)
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files (x86)\PokerStars\PokerStarsUpdate.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\OFFICE11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files (x86)\AVG\AVG9\Toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SEH: EasyBits ShellExecute Hook: {e54729e8-bb3d-4270-9d49-7389ea579090} - C:\Windows\SysWow64\EZUPBH~1.DLL
BHO-X64: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG9\avgssiea.dll
BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB-X64: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB-X64: {872B5B88-9DB5-4310-BDD0-AC189557E5F5} - No File
mRun-x64: [SmartMenu] %ProgramFiles%\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
AppInit_DLLs-X64: avgrssta.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - C:\Users\Shaun\AppData\Roaming\Mozilla\Firefox\Profiles\omm3n6o8.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Search
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2269050&SearchSource=13
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&q=
FF - component: C:\Program Files (x86)\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: C:\Program Files (x86)\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: C:\Program Files (x86)\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: C:\Program Files (x86)\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: C:\Program Files (x86)\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - component: C:\Users\Shaun\AppData\Roaming\Mozilla\Firefox\Profiles\omm3n6o8.default\extensions\{872b5b88-9db5-4310-bdd0-ac189557e5f5}\components\FFExternalAlert.dll
FF - component: C:\Users\Shaun\AppData\Roaming\Mozilla\Firefox\Profiles\omm3n6o8.default\extensions\{872b5b88-9db5-4310-bdd0-ac189557e5f5}\components\RadioWMPCore.dll
FF - plugin: C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: C:\Users\Shaun\AppData\Local\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - C:\Program Files (x86)\AVG\AVG9\Firefox
FF - Ext: AVG Security Toolbar em:version=6.010.006.004 em:displayname=AVG Security Toolbar em:iconURL=chrome://tavgp/skin/logo.ico em:creator=AVG Technologies em:description=AVG Security Toolbar em:homepageURL=http://www.avg.com >: avg@igeared - C:\Program Files (x86)\AVG\AVG9\Toolbar\Firefox\avg@igeared
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - Ext: DVDVideoSoftTB Toolbar: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - %profile%\extensions\{872b5b88-9db5-4310-bdd0-ac189557e5f5}

============= SERVICES / DRIVERS ===============

R0 AVGIDSErHrvta;AVG9IDSErHr;C:\Windows\System32\drivers\AVGIDSva.sys [2010-6-14 27216]
R0 AvgRkx64;avgrkx64.sys;C:\Windows\System32\drivers\avgrkx64.sys [2010-6-14 56008]
R1 Avgfwfd;AVG network filter service;C:\Windows\System32\drivers\avgfwd6a.sys [2010-6-14 29976]
R1 AvgLdx64;AVG AVI Loader Driver x64;C:\Windows\System32\drivers\avgldx64.sys [2010-6-14 269904]
R1 AvgMfx64;AVG On-access Scanner Minifilter Driver x64;C:\Windows\System32\drivers\avgmfx64.sys [2010-6-14 35536]
R1 AvgTdiA;AVG Network Redirector x64;C:\Windows\System32\drivers\avgtdia.sys [2010-6-14 317520]
R1 SpyShelter;SpyShelter;C:\Program Files (x86)\SpyShelter Premium\SpyShelter.sys [2010-10-6 178624]
R2 {55662437-DA8C-40c0-AADA-2C816A897A49};Power Control [2010/06/17 03:51:03];C:\Program Files (x86)\Hewlett-Packard\Media\DVD\000.fcl [2010-6-17 146928]
R2 a2free;a-squared Free Service;C:\Program Files (x86)\a-squared Free\a2service.exe [2010-6-14 1872320]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2010-3-10 202752]
R2 avg9wd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG9\avgwdsvc.exe [2010-6-23 308136]
R2 avgfws9;AVG Firewall;C:\Program Files (x86)\AVG\AVG9\avgfws9.exe [2010-6-23 2331544]
R2 AVGIDSAgent;AVG9IDSAgent;C:\Program Files (x86)\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe [2010-6-23 5897808]
R2 ezSharedSvc;Easybits Shared Services for Windows;C:\Windows\system32\svchost.exe -k netsvcs [2008-1-21 27648]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2010-1-26 1153368]
R3 amdkmdag;amdkmdag;C:\Windows\System32\drivers\atipmdag.sys [2010-3-10 6403072]
R3 amdkmdap;amdkmdap;C:\Windows\System32\drivers\atikmpag.sys [2010-3-10 188928]
R3 AVGIDSDrivervta;AVG9IDSDriver;C:\Program Files (x86)\AVG\AVG9\Identity Protection\Agent\Driver\Platform_Vista64\AVGIDSDriver.sys [2010-6-14 132688]
R3 AVGIDSFiltervta;AVG9IDSFilter;C:\Program Files (x86)\AVG\AVG9\Identity Protection\Agent\Driver\Platform_Vista64\AVGIDSFilter.sys [2010-6-14 35920]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 RelevantKnowledge;RelevantKnowledge;C:\Program Files (x86)\RelevantKnowledge\rlservice.exe /service --> C:\Program Files (x86)\RelevantKnowledge\rlservice.exe [?]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;C:\Program Files (x86)\AVG\AVG9\Toolbar\ToolbarBroker.exe [2010-10-26 517448]
S3 FontCache;Windows Font Cache Service;C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 27648]
S3 fssfltr;FssFltr;C:\Windows\System32\drivers\fssfltr.sys [2010-11-10 48488]
S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2010-9-23 1493352]
S3 netr28ux;RT2870 USB Wireless LAN Card Driver for Vista;C:\Windows\System32\drivers\netr28ux.sys [2011-1-2 804864]
S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-21 19968]
S3 SWNC8U90;Sierra Wireless MUX NDIS Driver (UMTS90);C:\Windows\System32\drivers\swnc8u90.sys [2008-12-2 206848]
S3 SWUMX90;Sierra Wireless USB MUX Driver (UMTS90);C:\Windows\System32\drivers\swumx90.sys [2008-11-17 194944]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]
S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2010-4-1 89920]

=============== File Associations ===============

JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*

=============== Created Last 30 ================

2011-01-02 21:48:53 804864 ----a-w- C:\Windows\System32\drivers\netr28ux.sys
2011-01-02 21:48:53 305664 ----a-w- C:\Windows\System32\RaCoInstx.dll
2011-01-02 21:48:53 -------- d-----w- C:\Program Files (x86)\Belkin
2010-12-15 13:34:44 -------- d-----w- C:\fb09c73799e3104f11c2afcb
2010-12-15 13:19:53 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2010-12-15 13:19:53 2048 ----a-w- C:\Windows\System32\tzres.dll
2010-12-15 13:19:37 7680 ----a-w- C:\Program Files\Internet Explorer\iecompat.dll
2010-12-15 13:19:37 7680 ----a-w- C:\Program Files (x86)\Internet Explorer\iecompat.dll
2010-12-15 13:19:36 87552 ----a-w- C:\Windows\System32\consent.exe
2010-12-15 13:19:35 68096 ----a-w- C:\Program Files\Windows Mail\wabmig.exe
2010-12-15 13:19:35 66048 ----a-w- C:\Program Files (x86)\Windows Mail\wabmig.exe
2010-12-15 13:19:35 516096 ----a-w- C:\Program Files\Windows Mail\wab.exe
2010-12-15 13:19:35 515584 ----a-w- C:\Program Files (x86)\Windows Mail\wab.exe
2010-12-15 13:19:35 35328 ----a-w- C:\Program Files\Windows Mail\wabfind.dll
2010-12-15 13:19:35 33280 ----a-w- C:\Program Files (x86)\Windows Mail\wabfind.dll
2010-12-09 19:00:11 34304 ----a-w- C:\Windows\System32\drivers\swmsflt.sys
2010-12-09 19:00:07 -------- d-----w- C:\Users\Shaun\AppData\Roaming\Sierra Wireless
2010-12-09 19:00:07 -------- d-----w- C:\Program Files (x86)\Sierra Wireless Inc
2010-12-05 17:27:16 -------- d-----w- C:\Program Files (x86)\ConduitEngine
2010-12-05 17:27:10 -------- d-----w- C:\Program Files (x86)\uTorrentBar
2010-12-05 17:26:36 -------- d-----w- C:\Program Files (x86)\uTorrent
2010-12-05 17:25:46 -------- d-----w- C:\Users\Shaun\AppData\Roaming\uTorrent
2010-12-05 17:24:38 -------- d-----w- C:\Users\Shaun\AppData\Roaming\GetRightToGo
2010-12-04 20:35:56 -------- d-----w- C:\Casino

==================== Find3M ====================

2010-12-20 18:08:40 24152 ----a-w- C:\Windows\System32\drivers\mbam.sys
2010-12-06 13:44:16 71279 ----a-w- C:\Windows\Huawei ModemsUninstall.exe
2010-11-22 14:33:08 99384 ----a-w- C:\Users\Shaun\AppData\Roaming\inst.exe
2010-11-22 14:33:08 82816 ----a-w- C:\Windows\System32\drivers\pcouffin.sys
2010-11-22 14:33:08 82816 ----a-w- C:\Users\Shaun\AppData\Roaming\pcouffin.sys
2010-11-10 00:46:45 269904 ----a-w- C:\Windows\System32\drivers\avgldx64.sys
2010-11-06 11:18:48 500224 ----a-w- C:\Windows\System32\wmicmiplugin.dll
2010-11-06 11:18:27 655872 ----a-w- C:\Windows\System32\taskschd.dll
2010-11-06 11:18:27 410112 ----a-w- C:\Windows\System32\taskcomp.dll
2010-11-06 11:18:13 855040 ----a-w- C:\Windows\System32\schedsvc.dll
2010-11-04 23:58:17 267776 ----a-w- C:\Windows\System32\taskeng.exe
2010-11-04 18:55:38 352768 ----a-w- C:\Windows\SysWow64\taskschd.dll
2010-11-04 18:55:38 270336 ----a-w- C:\Windows\SysWow64\taskcomp.dll
2010-11-04 16:34:06 171520 ----a-w- C:\Windows\SysWow64\taskeng.exe
2010-11-02 06:27:41 1147904 ----a-w- C:\Windows\System32\wininet.dll
2010-11-02 06:24:01 56832 ----a-w- C:\Windows\System32\licmgr10.dll
2010-11-02 06:23:47 1538560 ----a-w- C:\Windows\System32\inetcpl.cpl
2010-11-02 06:23:35 77312 ----a-w- C:\Windows\System32\iesetup.dll
2010-11-02 06:23:35 132096 ----a-w- C:\Windows\System32\iesysprep.dll
2010-11-02 06:01:54 916480 ----a-w- C:\Windows\SysWow64\wininet.dll
2010-11-02 05:57:41 43520 ----a-w- C:\Windows\SysWow64\licmgr10.dll
2010-11-02 05:57:27 1469440 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2010-11-02 05:57:11 71680 ----a-w- C:\Windows\SysWow64\iesetup.dll
2010-11-02 05:57:11 109056 ----a-w- C:\Windows\SysWow64\iesysprep.dll
2010-11-02 05:25:33 479232 ----a-w- C:\Windows\System32\html.iec
2010-11-02 05:01:31 385024 ----a-w- C:\Windows\SysWow64\html.iec
2010-11-02 04:45:37 162816 ----a-w- C:\Windows\System32\ieUnatt.exe
2010-11-02 04:44:24 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2010-11-02 04:26:10 133632 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2010-11-02 04:24:44 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2010-10-28 16:29:18 48128 ----a-w- C:\Windows\System32\atmlib.dll
2010-10-28 15:44:56 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
2010-10-28 14:05:21 367104 ----a-w- C:\Windows\System32\atmfd.dll
2010-10-28 13:27:47 292352 ----a-w- C:\Windows\SysWow64\atmfd.dll
2010-10-18 15:25:36 2753536 ----a-w- C:\Windows\System32\win32k.sys

============= FINISH: 19:34:06.36 ===============



Hope these logs are sufficient to help determine any infections.

Thanks,

BobbyGeorge

 

[Bobbye]

Welcome to TechSpot! Can you tell me what problems you are experiencing that lead you to believe the system has a malware infection? It would also be helpful if you know what method someone used to infect the system. I'm checking these logs now and I see several potential problem areas- so while I finish checking these logs, please run the following:

Run Eset NOD32 Online AntiVirus scan HEREhttp://www.eset.eu/online-scanner

1. Tick the box next to YES, I accept the Terms of Use.
2. Click Start
3. When asked, allow the Active X control to install
4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
5. Click Start
6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
7. Click Scan
8. Wait for the scan to finish
9. Re-enable your Antivirus software.
10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

===============================================
Note: you will have to uninstall AVG to run the following program:
Download Combofix to your desktop from one of these locations:
Link 1
Link 2http://www.forospyware.com/sUBs/ComboFix.exe

• Double click combofix.exe & follow the prompts.
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
• Query- Recovery Console image
  
  
  
  

  WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

• Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  
  
• .Click on Yes, to continue scanning for malware
• .If Combofix asks you to update the program, allow
• .Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
• .Close any open browsers.
• .Double click combofix.exe
  
  & follow the prompts to run.
• When the scan completes it will open a text window. Please paste that log in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
===============================================
Please uninstall or disable the following while I am helping you:
µTorrent
uTorrentBar Toolbar
FreeRIP v3.42
If you choose not to uninstall them, do not allow use while we're cleaning.

Important!
Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.

 

[bobbygeorge]

Well to start with, OSD Lockout keeps popping up and seems to be controlled by someone else.
Also, someone mentioned the blue screen of death to me, and said if it happened you have to press ctrl 5 times to get rid of it. The same evening it happened....too much of a coincidence for me.
All this started happening after a guy shared some files with me and installed a game.


Ran as you suggested, logs below:

ComboFix 11-01-04.01 - Shaun 04/01/2011 20:36:36.1.4 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.353.1033.18.4094.2506 [GMT 0:00]
Running from: c:\users\Shaun\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Shaun\AppData\Roaming\.#
c:\users\Shaun\AppData\Roaming\inst.exe
c:\windows\system32\Memman.vxd
c:\windows\system32\skinboxer43.dll
c:\windows\system32\system
c:\windows\SysWow64\Memman.vxd
c:\windows\SysWow64\skinboxer43.dll
c:\windows\SysWow64\system

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_RelevantKnowledge


((((((((((((((((((((((((( Files Created from 2010-12-04 to 2011-01-04 )))))))))))))))))))))))))))))))
.

2011-01-04 18:05 . 2011-01-04 18:05 -------- d-----w- c:\program files (x86)\ESET
2011-01-04 02:30 . 2011-01-04 02:34 -------- d-----r- c:\users\Shaun\Music Production Videos
2011-01-04 01:11 . 2011-01-04 14:42 -------- d-----r- c:\users\Shaun\Documentaries
2011-01-03 20:16 . 2011-01-03 20:16 -------- d-----w- c:\program files (x86)\Common Files\Adobe
2011-01-03 20:08 . 2011-01-03 20:08 -------- d-----w- c:\program files (x86)\Common Files\Java
2011-01-03 20:08 . 2010-11-12 18:53 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2011-01-03 20:08 . 2010-11-12 18:53 472808 ----a-w- c:\program files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
2011-01-02 21:48 . 2011-01-02 21:48 -------- d-----w- c:\program files (x86)\Belkin
2010-12-15 13:34 . 2010-12-15 13:40 -------- d-----w- C:\fb09c73799e3104f11c2afcb
2010-12-15 13:19 . 2010-10-28 13:20 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2010-12-15 13:19 . 2010-10-19 04:56 7680 ----a-w- c:\program files\Internet Explorer\iecompat.dll
2010-12-15 13:19 . 2010-10-19 04:27 7680 ----a-w- c:\program files (x86)\Internet Explorer\iecompat.dll
2010-12-15 13:19 . 2010-10-12 17:43 35328 ----a-w- c:\program files\Windows Mail\wabfind.dll
2010-12-15 13:19 . 2010-10-12 15:53 33280 ----a-w- c:\program files (x86)\Windows Mail\wabfind.dll
2010-12-15 13:19 . 2010-10-12 15:19 516096 ----a-w- c:\program files\Windows Mail\wab.exe
2010-12-15 13:19 . 2010-10-12 15:19 68096 ----a-w- c:\program files\Windows Mail\wabmig.exe
2010-12-15 13:19 . 2010-10-12 13:41 66048 ----a-w- c:\program files (x86)\Windows Mail\wabmig.exe
2010-12-15 13:19 . 2010-10-12 13:41 515584 ----a-w- c:\program files (x86)\Windows Mail\wab.exe
2010-12-09 19:00 . 2010-12-09 19:04 -------- d-----w- c:\users\Shaun\AppData\Roaming\Sierra Wireless
2010-12-09 19:00 . 2010-12-09 19:01 -------- d-----w- c:\program files (x86)\Sierra Wireless Inc

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-20 18:09 . 2010-07-05 02:29 38224 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2010-11-22 14:33 . 2010-11-22 14:33 82816 ----a-w- c:\users\Shaun\AppData\Roaming\pcouffin.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{872b5b88-9db5-4310-bdd0-ac189557e5f5}"= "c:\program files (x86)\DVDVideoSoftTB\tbDVDV.dll" [2010-04-27 2393184]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files (x86)\uTorrentBar\tbuTor.dll" [2010-11-13 3913000]

[HKEY_CLASSES_ROOT\clsid\{872b5b88-9db5-4310-bdd0-ac189557e5f5}]

[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]

[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2010-11-13 21:58 3913000 ----a-w- c:\program files (x86)\ConduitEngine\ConduitEngine.dll

[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{872b5b88-9db5-4310-bdd0-ac189557e5f5}]
2010-04-27 10:08 2393184 ----a-w- c:\program files (x86)\DVDVideoSoftTB\tbDVDV.dll

[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
2010-11-13 21:58 3913000 ----a-w- c:\program files (x86)\uTorrentBar\tbuTor.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{872b5b88-9db5-4310-bdd0-ac189557e5f5}"= "c:\program files (x86)\DVDVideoSoftTB\tbDVDV.dll" [2010-04-27 2393184]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files (x86)\uTorrentBar\tbuTor.dll" [2010-11-13 3913000]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files (x86)\ConduitEngine\ConduitEngine.dll" [2010-11-13 3913000]

[HKEY_CLASSES_ROOT\clsid\{872b5b88-9db5-4310-bdd0-ac189557e5f5}]

[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]

[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\users\Shaun\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-08-24 136176]
"SpyShelter"="c:\program files (x86)\SpyShelter Premium\SpyShelter.exe" [2010-09-20 2233792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"HideFastUserSwitching"= 0 (0x0)

[hkey_local_machine\software\Wow6432Node\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\windows\10127553.exe \??\c:\windows\10127553.dat

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\DRIVERS\ewusbnet.sys [x]
R3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\DRIVERS\ewusbdev.sys [x]
R3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\DRIVERS\ewusbfake.sys [x]
R3 SWNC8U90;Sierra Wireless MUX NDIS Driver (UMTS90);c:\windows\system32\DRIVERS\swnc8u90.sys [2008-12-02 206848]
R3 SWUMX90;Sierra Wireless USB MUX Driver (UMTS90);c:\windows\system32\DRIVERS\swumx90.sys [2008-11-17 194944]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 1020768]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-01-09 834544]
S1 SpyShelter;SpyShelter;c:\program files (x86)\SpyShelter Premium\SpyShelter.sys [2010-09-20 178624]
S2 {55662437-DA8C-40c0-AADA-2C816A897A49};Power Control [2010/06/17 03:51];c:\program files (x86)\Hewlett-Packard\Media\DVD\000.fcl [2009-09-09 13:26 146928]
S2 a2free;a-squared Free Service;c:\program files (x86)\a-squared Free\a2service.exe [2010-06-14 1872320]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-03-10 202752]
S2 ezSharedSvc;Easybits Shared Services for Windows;c:\windows\system32\svchost.exe [2008-01-21 27648]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atipmdag.sys [2010-03-10 6403072]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-03-10 188928]
S3 netr28ux;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28ux.sys [2008-09-26 804864]


HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ezSharedSvc
.
Contents of the 'Scheduled Tasks' folder

2011-01-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2692080489-224753940-1066125639-1000Core.job
- c:\users\Shaun\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-24 20:40]

2011-01-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2692080489-224753940-1066125639-1000UA.job
- c:\users\Shaun\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-24 20:40]

2010-12-12 c:\windows\Tasks\HPCeeScheduleForShaun.job
- c:\program files (x86)\Hewlett-Packard\SDP\Ceement\HPCEE.exe [2009-06-11 17:17]
.

--------- x86-64 -----------


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"combofix"="c:\combofix\CF5231.cfxxe" [X]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x1
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2269050
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://www.yahoo.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
FF - ProfilePath - c:\users\Shaun\AppData\Roaming\Mozilla\Firefox\Profiles\omm3n6o8.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2269050&SearchSource=13
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - Ext: DVDVideoSoftTB Toolbar: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - %profile%\extensions\{872b5b88-9db5-4310-bdd0-ac189557e5f5}
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
Wow6432Node-HKCU-Run-WMPNSCFG - c:\program files (x86)\Windows Media Player\WMPNSCFG.exe
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{872B5B88-9DB5-4310-BDD0-AC189557E5F5} - (no file)
WebBrowser-{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - (no file)
HKLM-Run-SmartMenu - %ProgramFiles%\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
AddRemove-EasyBits Magic Desktop - c:\windows\system32\ezMDUninstall.exe



[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{55662437-DA8C-40c0-AADA-2C816A897A49}]
"ImagePath"="\??\c:\program files (x86)\Hewlett-Packard\Media\DVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2692080489-224753940-1066125639-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4BF5041B-071B-2CB2-14D0-D9F88302CA33}*]
"jamgffmgahcacledlfic"=hex:6f,61,6d,67,63,68,62,67,6c,61,67,6c,65,68,66,66,62,
6e,6b,6f,6b,61,6c,68,64,6c,66,6d,66,64,00,9b

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx, 1"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx, 1"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"

[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
c:\program files (x86)\Blaze Media Pro\NMSAccess32.exe
c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
.
**************************************************************************
.
Completion time: 2011-01-04 20:57:05 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-04 20:57

Pre-Run: 172,647,124,992 bytes free
Post-Run: 191,246,274,560 bytes free

- - End Of File - - E1A11076021B5A9049683D134BBD97A6



C:\Downloads\Nero 7.10.1.0\Nero-7.10.1.0_eng_full.exe Win32/Toolbar.AskSBar application
C:\Windows\System32\ezShellStart.exe probably unknown NewHeur_PE virus
C:\Windows\SysWOW64\ezShellStart.exe probably unknown NewHeur_PE virus



_________________________________________________________________

Thanks!

 

[Bobbye]

You also have an active thread for the same problem here: http://www.gadgetechie.com/computers/active-help-needed-to-determine-if-my-machine-is-infected.html

And you even refer them to our site for 'the original'. I am not familiar with this site- do they offer computer help?

We do not take kindly to posting on multiple forums for the same problem. It is unreasonable to expect multiple helpers to work on your problem while having others wait.

 

[bobbygeorge]

hey

I am not familiar with that site either....I did not post that thread, probably posted by those who have infected my computer.

This is the only site I am using and will be using to sort out the difficulties I am facing.

So your help is much appreciated, you can be sure of that much.

Thanks again.

P.S. How did you even find that site? I tried searching google for my title....and it did not show up....


Also, shall I run eset again and delete those viruses.....they look feckin nasty?

And I have also installed avg 2011 since.....but have not run it yet.

 

[bobbygeorge]

Help needed to determine if my machine is infected...(kind of urgent,playing up alot)

Help please......

 

[Bobbye]

Sorry- got snowed yesterday.
Regarding Computer Monitor OSD Lockout?

OSD= On screen display. It acts as a quick way to access your monitor and make adjustments.Note some OSD's may actually have a feature known as "OSD lockout" to prevent accidental changes to the screen. The OSD allows the user to change monitor setting using this display instead of pushing buttons.

Lockouts occur when the software driving the OSD encounters a problem or conflict--similar to your PC's operating system freezing. Locked out OSD's mean you can't access the monitor's various controls, or it can even render the screen unusable, as in the incompatible resolution. If you accidentally engage a screen's "OSD lockout" feature, long-pressing the menu or power button should clear it up. Check the manual for specifics and Make sure you know your monitor's specifications--resolution, sound support and refresh rates. As the most likely cause of your lockout is incompatibility with the computer connected to the monitor, the best solution would be prevention.
Source: eHow
My guess is that your friend may have changed the resolution for the game and it wasn't compatible on the monitor.
====================================================
Regarding a BSOD and 5 hits on Ctrl:
Since there are many reasons for a BSOD, there is no one fix for it. And I have never heard of using multiple Ctrl keystrokes to resolve it.
===================================================
Please download OTMovit by Old Timer and save to your desktop.

• Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  

  :Processe
  :Files  
  C:\Downloads\Nero 7.10.1.0\Nero-7.10.1.0_eng_full.exe 
  C:\Windows\System32\ezShellStart.exe 
  C:\Windows\SysWOW64\ezShellStart.exe 
  :Commands
  [purity]
  [emptytemp]
  [start explorer]
  [Reboot]

• Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
• Click the red Moveit! button.
• A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
• Close OTMoveIt3

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
====================================
Regarding the unknown NewHeur_PE virus in Eset:
I have some concern about this. There are 2 file infectors that are found under this name by AVG. We may have to look further for this.
======================================
Please run this Custom CFScript:

• 
  [1]. Close any open browsers.
  [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:[Be sure to scroll down to include ALL lines.

File::
c:\windows\system32\DRIVERS\ewusbnet.sys
c:\windows\system32\DRIVERS\ewusbdev.sys
c:\windows\system32\DRIVERS\ewusbfake.sys

Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"=-
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"=-
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ru nOnce]
"AvgUninstallURL"=-
[hkey_local_machine\software\Wow6432Node\microsoft\windows\currentversion\ex plorer\ShellExecuteHooks]

Driver::
ewusbnet
hwusbdev
hwusbfake

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
========================================
Edit: Regarding gadgetechie.com/computers...-infected.html Apparently this is yet another web crawler that happened to pull your thread out for reference. I hadn't come across that one before. We sometimes have to search to identify an entry in a log. If the entry is unusual or not found any other place, we see your thread or others with same entry. I don't remember what I was searching for when I saw this.
(http://en.wikipedia.org/wiki/Web_crawler)

 

[bobbygeorge]

I may have done a silly thing....

Firstly, thanks Bob for your help thus far.

Yesterday, out of curiosity, I wanted some info on the probable viruses. I could not remember the exact name of them so I scanned until the first 1 was found. I entered it into google, and pressed finish on the scan.
But, the scan deleted the files. I forgot to uncheck the appropriate box, and although I did not let the scan finish it still deleted the files it found.
So, sorry if this f**ks things up a bit.

What I found out about the viruses is that they originate from china, and are passed through usb keys.

When I read this, I suddenly remembered, that OSD problem among others actually started when I got a loan of a friends mobile broadband key.
I even got a warning that someone on my network was using my IP address, even though I was not on a network.

So, question, are my usb keys, mp3 player and mobile phone also infected? If so, can they be cleaned?
And what typically are the purpose of these viruses, identity theft?

I will add the logs below:

All processes killed
Error: Unable to interpret <rocesse> in the current context!
========== FILES ==========
File/Folder C:\Downloads\Nero 7.10.1.0\Nero-7.10.1.0_eng_full.exe not found.
File/Folder C:\Windows\System32\ezShellStart.exe not found.
File/Folder C:\Windows\SysWOW64\ezShellStart.exe not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: AppData
->Temp folder emptied: 0 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: Shaun
->Temp folder emptied: 35782 bytes
->Temporary Internet Files folder emptied: 69053 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Google Chrome cache emptied: 82904190 bytes
->Flash cache emptied: 1812 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 2057050 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 0 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 32902 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 81.00 mb


OTM by OldTimer - Version 3.1.17.2 log created on 01062011_160539

Files moved on Reboot...

Registry entries deleted on Reboot...


_______________________________________________________________


ComboFix 11-01-04.01 - Shaun 06/01/2011 16:49:11.2.4 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.353.1033.18.4094.2633 [GMT 0:00]
Running from: c:\users\Shaun\Desktop\ComboFix.exe
Command switches used :: c:\users\Shaun\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

FILE ::
"c:\windows\system32\DRIVERS\ewusbdev.sys"
"c:\windows\system32\DRIVERS\ewusbfake.sys"
"c:\windows\system32\DRIVERS\ewusbnet.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ewusbnet
-------\Service_hwusbdev
-------\Service_hwusbfake


((((((((((((((((((((((((( Files Created from 2010-12-06 to 2011-01-06 )))))))))))))))))))))))))))))))
.

2011-01-06 16:55 . 2011-01-06 16:58 -------- d-----w- c:\users\Shaun\AppData\Local\temp
2011-01-06 16:55 . 2011-01-06 16:55 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2011-01-06 16:55 . 2011-01-06 16:55 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-01-06 16:05 . 2011-01-06 16:05 -------- d-----w- C:\_OTM
2011-01-04 21:28 . 2011-01-04 21:28 -------- d-----w- c:\users\Shaun\AppData\Roaming\AVG10
2011-01-04 21:27 . 2011-01-04 21:27 -------- d--h--w- c:\programdata\Common Files
2011-01-04 21:26 . 2011-01-06 16:26 -------- d-----w- c:\programdata\AVG10
2011-01-04 21:22 . 2011-01-04 21:25 -------- d-----w- c:\programdata\MFAData
2011-01-04 18:05 . 2011-01-04 18:05 -------- d-----w- c:\program files (x86)\ESET
2011-01-04 02:30 . 2011-01-04 02:34 -------- d-----r- c:\users\Shaun\Music Production Videos
2011-01-04 01:11 . 2011-01-04 14:42 -------- d-----r- c:\users\Shaun\Documentaries
2011-01-03 20:16 . 2011-01-03 20:16 -------- d-----w- c:\program files (x86)\Common Files\Adobe
2011-01-03 20:08 . 2011-01-03 20:08 -------- d-----w- c:\program files (x86)\Common Files\Java
2011-01-03 20:08 . 2010-11-12 18:53 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2011-01-03 20:08 . 2010-11-12 18:53 472808 ----a-w- c:\program files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
2011-01-02 21:48 . 2011-01-02 21:48 -------- d-----w- c:\program files (x86)\Belkin
2010-12-15 13:34 . 2010-12-15 13:40 -------- d-----w- C:\fb09c73799e3104f11c2afcb
2010-12-15 13:19 . 2010-10-28 13:20 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2010-12-15 13:19 . 2010-10-19 04:56 7680 ----a-w- c:\program files\Internet Explorer\iecompat.dll
2010-12-15 13:19 . 2010-10-19 04:27 7680 ----a-w- c:\program files (x86)\Internet Explorer\iecompat.dll
2010-12-15 13:19 . 2010-10-12 17:43 35328 ----a-w- c:\program files\Windows Mail\wabfind.dll
2010-12-15 13:19 . 2010-10-12 15:53 33280 ----a-w- c:\program files (x86)\Windows Mail\wabfind.dll
2010-12-15 13:19 . 2010-10-12 15:19 516096 ----a-w- c:\program files\Windows Mail\wab.exe
2010-12-15 13:19 . 2010-10-12 15:19 68096 ----a-w- c:\program files\Windows Mail\wabmig.exe
2010-12-15 13:19 . 2010-10-12 13:41 66048 ----a-w- c:\program files (x86)\Windows Mail\wabmig.exe
2010-12-15 13:19 . 2010-10-12 13:41 515584 ----a-w- c:\program files (x86)\Windows Mail\wab.exe
2010-12-09 19:00 . 2010-12-09 19:04 -------- d-----w- c:\users\Shaun\AppData\Roaming\Sierra Wireless
2010-12-09 19:00 . 2010-12-09 19:01 -------- d-----w- c:\program files (x86)\Sierra Wireless Inc

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-20 18:09 . 2010-07-05 02:29 38224 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2010-11-22 14:33 . 2010-11-22 14:33 82816 ----a-w- c:\users\Shaun\AppData\Roaming\pcouffin.sys
.

((((((((((((((((((((((((((((( SnapShot@2011-01-04_20.45.11 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-21 03:20 . 2011-01-06 15:59 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-01-21 03:20 . 2010-12-31 14:01 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-01-21 03:20 . 2010-12-31 14:01 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-01-21 03:20 . 2011-01-06 15:59 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-01-21 02:23 . 2011-01-06 16:20 77074 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-10-01 01:34 . 2011-01-06 16:47 24914 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2692080489-224753940-1066125639-1000_UserData.bin
+ 2010-07-12 04:34 . 2010-07-12 04:34 57696 c:\windows\system32\DriverStore\FileRepository\avgfwfd6.inf_48f314d4\avgfwd6a.sys
+ 2010-07-12 04:34 . 2010-07-12 04:34 57696 c:\windows\system32\drivers\avgfwd6a.sys
+ 2009-10-01 01:30 . 2011-01-06 15:57 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-10-01 01:30 . 2011-01-04 08:48 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-01-03 19:29 . 2011-01-04 08:48 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-01-03 19:29 . 2011-01-06 15:57 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-10-01 01:30 . 2011-01-06 15:57 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-10-01 01:30 . 2011-01-04 08:48 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-02-23 09:27 . 2011-01-04 20:27 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-02-23 09:27 . 2011-01-06 04:55 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-02-23 09:27 . 2011-01-06 04:55 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-02-23 09:27 . 2011-01-04 20:27 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-02-23 09:27 . 2011-01-04 20:27 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-02-23 09:27 . 2011-01-06 04:55 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-02-23 09:27 . 2011-01-04 20:07 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-02-23 09:27 . 2011-01-06 00:27 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-02-23 09:27 . 2011-01-06 00:27 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-02-23 09:27 . 2011-01-04 20:07 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-01-04 21:24 . 2011-01-04 21:24 80384 c:\windows\Installer\251be1.msi
- 2010-09-15 11:54 . 2010-09-29 14:57 49152 c:\windows\Installer\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}\ConfigIcon.dll
+ 2010-09-15 11:54 . 2011-01-06 16:03 49152 c:\windows\Installer\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}\ConfigIcon.dll
- 2006-11-02 12:40 . 2011-01-04 20:05 51200 c:\windows\inf\infpub.dat
+ 2006-11-02 12:40 . 2011-01-04 21:26 51200 c:\windows\inf\infpub.dat
- 2011-01-04 20:44 . 2011-01-04 20:44 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-01-06 16:57 . 2011-01-06 16:57 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-01-04 20:44 . 2011-01-04 20:44 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-01-06 16:57 . 2011-01-06 16:57 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-10-01 18:31 . 2011-01-06 04:55 641110 c:\windows\system32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2006-11-02 15:45 . 2011-01-06 16:47 129056 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 12:46 . 2011-01-06 16:48 608760 c:\windows\system32\perfh009.dat
+ 2006-11-02 12:46 . 2011-01-06 16:48 108268 c:\windows\system32\perfc009.dat
+ 2011-01-04 21:24 . 2011-01-04 21:24 219648 c:\windows\Installer\251bdd.msi
+ 2006-11-02 12:40 . 2011-01-04 21:26 143360 c:\windows\inf\infstrng.dat
- 2006-11-02 12:40 . 2011-01-04 20:05 143360 c:\windows\inf\infstrng.dat
+ 2006-11-02 12:40 . 2011-01-04 21:26 143360 c:\windows\inf\infstor.dat
- 2006-11-02 12:40 . 2011-01-04 20:05 143360 c:\windows\inf\infstor.dat
+ 2010-04-01 02:17 . 2011-01-06 16:56 2629720 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2010-04-01 02:17 . 2011-01-04 20:43 2629720 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2011-01-04 21:27 . 2011-01-04 21:27 4779008 c:\windows\Installer\251be9.msi
+ 2011-01-04 21:24 . 2011-01-04 21:24 1940480 c:\windows\Installer\251be5.msi
+ 2006-11-02 12:33 . 2011-01-04 21:28 11010048 c:\windows\system32\SMI\Store\Machine\schema.dat
- 2006-11-02 12:33 . 2010-12-16 02:06 11010048 c:\windows\system32\SMI\Store\Machine\schema.dat
+ 2011-01-06 16:02 . 2011-01-06 16:02 20304384 c:\windows\Installer\625ed.msp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{872b5b88-9db5-4310-bdd0-ac189557e5f5}"= "c:\program files (x86)\DVDVideoSoftTB\tbDVDV.dll" [2010-04-27 2393184]

[HKEY_CLASSES_ROOT\clsid\{872b5b88-9db5-4310-bdd0-ac189557e5f5}]

[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2010-11-13 21:58 3913000 ----a-w- c:\program files (x86)\ConduitEngine\ConduitEngine.dll

[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{872b5b88-9db5-4310-bdd0-ac189557e5f5}]
2010-04-27 10:08 2393184 ----a-w- c:\program files (x86)\DVDVideoSoftTB\tbDVDV.dll

[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
2010-11-13 21:58 3913000 ----a-w- c:\program files (x86)\uTorrentBar\tbuTor.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{872b5b88-9db5-4310-bdd0-ac189557e5f5}"= "c:\program files (x86)\DVDVideoSoftTB\tbDVDV.dll" [2010-04-27 2393184]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files (x86)\ConduitEngine\ConduitEngine.dll" [2010-11-13 3913000]

[HKEY_CLASSES_ROOT\clsid\{872b5b88-9db5-4310-bdd0-ac189557e5f5}]

[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\users\Shaun\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-08-24 136176]
"SpyShelter"="c:\program files (x86)\SpyShelter Premium\SpyShelter.exe" [2010-09-20 2233792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"HideFastUserSwitching"= 0 (0x0)

[hkey_local_machine\software\Wow6432Node\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\windows\10127553.exe \??\c:\windows\10127553.dat

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 netr28ux;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28ux.sys [2008-09-26 804864]
R3 SWNC8U90;Sierra Wireless MUX NDIS Driver (UMTS90);c:\windows\system32\DRIVERS\swnc8u90.sys [2008-12-02 206848]
R3 SWUMX90;Sierra Wireless USB MUX Driver (UMTS90);c:\windows\system32\DRIVERS\swumx90.sys [2008-11-17 194944]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 1020768]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-01-09 834544]
S1 SpyShelter;SpyShelter;c:\program files (x86)\SpyShelter Premium\SpyShelter.sys [2010-09-20 178624]
S2 {55662437-DA8C-40c0-AADA-2C816A897A49};Power Control [2010/06/17 03:51];c:\program files (x86)\Hewlett-Packard\Media\DVD\000.fcl [2009-09-09 13:26 146928]
S2 a2free;a-squared Free Service;c:\program files (x86)\a-squared Free\a2service.exe [2010-06-14 1872320]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-03-10 202752]
S2 ezSharedSvc;Easybits Shared Services for Windows;c:\windows\system32\svchost.exe [2008-01-21 27648]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atipmdag.sys [2010-03-10 6403072]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-03-10 188928]


HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ezSharedSvc
.
Contents of the 'Scheduled Tasks' folder

2011-01-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2692080489-224753940-1066125639-1000Core.job
- c:\users\Shaun\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-24 20:40]

2011-01-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2692080489-224753940-1066125639-1000UA.job
- c:\users\Shaun\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-24 20:40]

2010-12-12 c:\windows\Tasks\HPCeeScheduleForShaun.job
- c:\program files (x86)\Hewlett-Packard\SDP\Ceement\HPCEE.exe [2009-06-11 17:17]
.

--------- x86-64 -----------


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"combofix"="c:\combofix\CF647.cfxxe" [X]
"SmartMenu"="%ProgramFiles%\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" [BU]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2269050
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://www.yahoo.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
FF - ProfilePath - c:\users\Shaun\AppData\Roaming\Mozilla\Firefox\Profiles\omm3n6o8.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2269050&SearchSource=13
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - Ext: DVDVideoSoftTB Toolbar: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - %profile%\extensions\{872b5b88-9db5-4310-bdd0-ac189557e5f5}
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{872B5B88-9DB5-4310-BDD0-AC189557E5F5} - (no file)
WebBrowser-{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)



[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{55662437-DA8C-40c0-AADA-2C816A897A49}]
"ImagePath"="\??\c:\program files (x86)\Hewlett-Packard\Media\DVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2692080489-224753940-1066125639-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4BF5041B-071B-2CB2-14D0-D9F88302CA33}*]
"jamgffmgahcacledlfic"=hex:6f,61,6d,67,63,68,62,67,6c,61,67,6c,65,68,66,66,62,
6e,6b,6f,6b,61,6c,68,64,6c,66,6d,66,64,00,9b

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx, 1"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx, 1"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"

[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
c:\program files (x86)\Blaze Media Pro\NMSAccess32.exe
c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
.
**************************************************************************
.
Completion time: 2011-01-06 17:16:36 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-06 17:16
ComboFix2.txt 2011-01-04 20:57

Pre-Run: 181,726,384,128 bytes free
Post-Run: 181,562,843,136 bytes free

- - End Of File - - AD66A17A6BC3AEC6CACC1C8A3D412C39


___________________________________________________________


About the BSOD.....it may have been to press shift 5 times, either way I pressed whatever it was and it disappeared.

Also, since the first time I ran CombiFix, I get this message upon boot-up:

PEV.cfxxe encountered a problem
Check online for a solution
Close the program

Again thanks, and sorry if I messed things up.

Bobby

 

[bobbygeorge]

other symptoms

also, i believe I've been experiencing pharming problems.

When I would purchase something online, the paypal page appeared to be a clone.

I would also get google pages in german, even though I am in ireland.

I believe there is definitely a keylogger on my machine, but finding it or a good free anti-keylogger has proved difficult.

Thanks again.

 

[Bobbye]

You were specifically asked not to run any scans or cleaning programs other than those I direct you to do while I am helping you. When you do it anyway, you change the contents of logs I'm working with.

Let's talk about what I'm seeing-
Mbam: c:\Users\Shaun\downloads\setupcasino_10fec3.exe (PUP.Casino) removed. A potentially unwanted program (PUP) in the setup for Casino. Nothing else.
GMER: no evidence of rootkit.

Combofix deleted a process named Menman>>>

Troj/Goldax-C is a password-stealing Trojan for the Windows platform
Troj/Goldax-C steals confidential information by spying on internet browsing and displaying fake login interfaces for certain internet banking websites.
Troj/Goldax-C includes functionality to:
- stealth its files, processes, registry entries and services
- prevent itself being terminated
- prevent itself being deleted
- disable other software, including anti-virus, firewall and security related applications

Source: Sophos

Combofix removed skinboxer43.dll

Skinboxer43.dll is a Spyware.CMK.
Skinboxer43.dll tries to terminate antiviral programs installed on a user computer.
Skinboxer43.dll monitors user Internet activity and private information.
It sends stolen data to a hacker site.

Source: Gratis

"I even got a warning that someone on my network was using my IP address, even though I was not on a network."
At this point, you should have shut down and reformatted/reinstalled the OS. Your computer has been compromised.

I would advise you to wipe the drive, reformat and reinstall. The system has been compromised and if most likely no safe to use. Cleaning is not recommended as there is no way to assure what information has been stolen.
================================================
P2P/ File Sharing Warning- this includes sharing flash drives:
Note: Even if you are using a "safe" P2P program, it is only the program that is safe.
Allowing a 'friend' to put their file on your computer is foolish. Sharing a USB drive with anyone is foolish. When you share files, you also share the malware.

• As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verity that a download is legitimate.
• Malware writers use these program to include malicious content.
• File sharing is usually unmonitored and there is a danger that your private files might be accessed.
• The 'sharing' also includes malware that the shared system has on it.
• Files that are illegal can be spread through file sharing.

Please read the information on P2P Warning to help you better understand these dangers.

 

[bobbygeorge]

Thanks mate!

Appreciate your help Bob.

I knew all along I had been compromised, but just had so much work on here that was hesitant to format. Anyway, job is done now.

The mad thing about this is, the guy is a moderator on one of these sites.....can't believe he wasn't to be trusted. Already can't trust very many here, if only ya knew....

But he can't be blamed for all the trouble I have had, anyway it is in the past now.

The only thing that is still weighing on my shoulders, is that is my machine infected again?

You see, I have to use a wireless dongle at the moment.....and I am just thinking, is it possible for it to carry the viruses too?

Without it I could not connect to the internet to write this so you see my perdicament.

Also, about my phone, usb key and mp3 player......are they all compromised also? What shall I do? (Burn them? )

Thanks again for your help and time Bob.

All the Best for now!

 

[bobbygeorge]

Here we go again

Eset has picked up same threats again......will do all scans and post them when finished.

 

[bobbygeorge]

Ok....

...not sure where I stand now but the logs are below anyway:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5474

Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

07/01/2011 04:17:11
mbam-log-2011-01-07 (04-17-11).txt

Scan type: Quick scan
Objects scanned: 150236
Time elapsed: 1 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


_______________________________________________________________



DDS (Ver_10-12-12.02) - NTFS_AMD64
Run by Seano at 4:40:35.23 on 07/01/2011
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.353.1033.18.4094.2528 [GMT 0:00]

AV: Norton Internet Security *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
AV: AVG Internet Security 2011 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Internet Security 2011 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
FW: Norton Internet Security *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
FW: AVG Firewall *Disabled* {621CC794-9486-F902-D092-0484E8EA828B}

============== Running Processes ===============

C:\PROGRA~2\AVG\AVG10\avgchsva.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\AVG\AVG10\avgfws.exe
C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\AVG\AVG10\avgam.exe
C:\Program Files (x86)\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS\A5E82D02\16.0.0.125\InstStub.exe
C:\Program Files (x86)\AVG\AVG10\avgnsa.exe
C:\Program Files (x86)\AVG\AVG10\avgemca.exe
C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe
C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files (x86)\AVG\AVG10\avgtray.exe
C:\Program Files (x86)\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\PROGRA~1\HEWLET~1\HPREMO~1\HPREMO~1.EXE
c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
c:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\conime.exe
C:\Program Files (x86)\Internet Explorer\ieuser.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
c:\program files (x86)\aol\aol toolbar 5.0\AolTbServer.exe
C:\PROGRA~2\AVG\AVG10\avgrsa.exe
C:\Program Files (x86)\AVG\AVG10\avgcsrva.exe
C:\Program Files (x86)\AVG\AVG10\avgcsrva.exe
C:\Program Files (x86)\AVG\AVG10\avgsystx.exe
C:\Program Files (x86)\AVG\AVG10\avgsysta.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Seano\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ie&c=93&bd=Pavilion&pf=cndt
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ie&c=93&bd=Pavilion&pf=cndt
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ie&c=93&bd=Pavilion&pf=cndt
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ie&c=93&bd=Pavilion&pf=cndt
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - C:\Program Files (x86)\AVG\AVG10\Toolbar\IEToolbar.dll
mWinlogon: Userinit=C:\WINDOWS\system32\userinit.exe
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files (x86)\AVG\AVG10\avgssie.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\IPSBHO.DLL
BHO: AOL Toolbar BHO: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - C:\Program Files (x86)\AOL\AOL Toolbar 5.0\aoltb.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - C:\Program Files (x86)\AVG\AVG10\Toolbar\IEToolbar.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - C:\Program Files (x86)\AOL\AOL Toolbar 5.0\aoltb.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\coIEPlg.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - C:\Program Files (x86)\AVG\AVG10\Toolbar\IEToolbar.dll
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe view=DOCKVIEW,SYSTRAY
uRun: [Google Update] "C:\Users\Seano\AppData\Local\Google\Update\GoogleUpdate.exe" /c
mRun: [hpsysdrv] c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe
mRun: [StartCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [HP Health Check Scheduler] c:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
mRun: [UpdateP2GoShortCut] "c:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "c:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
mRun: [UpdateLBPShortCut] "c:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "c:\Program Files (x86)\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"
mRun: [UpdatePDIRShortCut] "c:\Program Files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "c:\Program Files (x86)\CyberLink\PowerDirector" UpdateWithCreateOnce "SOFTWARE\CyberLink\PowerDirector\7.0"
mRun: [UpdatePSTShortCut] "c:\Program Files (x86)\CyberLink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe" "c:\Program Files (x86)\CyberLink\CyberLink DVD Suite Deluxe" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
mRun: [TSMAgent] "c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe"
mRun: [CLMLServer for HP TouchSmart] "c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe"
mRun: [DVDAgent] "c:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe"
mRun: [HP Software Update] c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun: [AVG_TRAY] C:\Program Files (x86)\AVG\AVG10\avgtray.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &AOL Toolbar Search - C:\ProgramData\AOL\ieToolbar\resources\en-IE\local\search.html
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files (x86)\AVG\AVG10\Toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG10\avgpp.dll
SEH: EasyBits ShellExecute Hook: {e54729e8-bb3d-4270-9d49-7389ea579090} - C:\Windows\SysWow64\EZUPBH~1.DLL
BHO-X64: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG10\avgssiea.dll
BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File
TB-X64: AOL Toolbar: {DE9C389F-3316-41A7-809B-AA305ED9D922} -
TB-X64: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
mRun-x64: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun-x64: [HP Remote Software] C:\Program Files\Hewlett-Packard\HP Remote\HP REMOTE V1.0.5.exe
mRun-x64: [SmartMenu] %ProgramFiles%\Hewlett-Packard\HP MediaSmart\SmartMenu.exe

============= SERVICES / DRIVERS ===============

R0 AVGIDSEH;AVGIDSEH;C:\Windows\System32\drivers\AVGIDSEH.sys [2010-9-13 27216]
R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\System32\drivers\avgrkx64.sys [2010-9-7 30288]
R1 Avgfwfd;AVG network filter service;C:\Windows\System32\drivers\avgfwd6a.sys [2010-7-12 57696]
R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\System32\drivers\avgldx64.sys [2010-12-8 308304]
R1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\System32\drivers\avgmfx64.sys [2010-9-7 41040]
R1 Avgtdia;AVG TDI Driver;C:\Windows\System32\drivers\avgtdia.sys [2010-11-12 382032]
R2 {55662437-DA8C-40c0-AADA-2C816A897A49};Power Control [2009/06/11 16:30:21];C:\Program Files (x86)\Hewlett-Packard\Media\DVD\000.fcl [2009-6-11 146928]
R2 avgfws;AVG Firewall;C:\Program Files (x86)\AVG\AVG10\avgfws.exe [2010-11-22 3226632]
R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe [2010-10-22 265400]
R2 ezSharedSvc;Easybits Shared Services for Windows;C:\Windows\system32\svchost.exe -k netsvcs [2008-1-21 27648]
R2 Norton Internet Security;Norton Internet Security;C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe [2009-6-11 115560]
R3 AVGIDSDriver;AVGIDSDriver;C:\Windows\System32\drivers\AVGIDSDriver.sys [2010-8-19 133712]
R3 AVGIDSFilter;AVGIDSFilter;C:\Windows\System32\drivers\AVGIDSFilter.sys [2010-8-19 35920]
R3 netr28ux;RT2870 USB Wireless LAN Card Driver for Vista;C:\Windows\System32\drivers\netr28ux.sys [2011-1-7 804864]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;C:\Program Files (x86)\AVG\AVG10\Toolbar\ToolbarBroker.exe [2011-1-7 517448]
S3 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [2010-11-23 6128208]
S3 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2008-1-21 93696]
S3 PCDSRVC{F36B3A4C-F95654BD-06000000}_0;PCDSRVC{F36B3A4C-F95654BD-06000000}_0 - PCDR Kernel Mode Service Helper Driver;C:\Program Files\PC-Doctor for Windows\pcdsrvc_x64.pkms [2009-2-2 23536]
S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-21 19968]

=============== Created Last 30 ================

2011-01-07 03:59:48 -------- d-----w- C:\Users\Seano\AppData\Roaming\Malwarebytes
2011-01-07 03:59:43 38224 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2011-01-07 03:59:43 -------- d-----w- C:\PROGRA~3\Malwarebytes
2011-01-07 03:59:40 24152 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-01-07 03:59:40 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-01-07 02:52:12 -------- d-----w- C:\Program Files (x86)\ESET
2011-01-07 02:39:27 -------- d-----w- C:\Users\Seano\AppData\Local\Google
2011-01-07 02:39:10 -------- d-----w- C:\Users\Seano\AppData\Local\Deployment
2011-01-07 02:39:10 -------- d-----w- C:\Users\Seano\AppData\Local\Apps
2011-01-07 02:07:03 -------- d-----w- C:\Users\Seano\AppData\Roaming\AVG10
2011-01-07 02:06:41 -------- d--h--w- C:\PROGRA~3\Common Files
2011-01-07 02:06:31 -------- d-----w- C:\PROGRA~3\AVG Security Toolbar
2011-01-07 02:06:16 -------- d-----w- C:\Windows\SysWow64\drivers\AVG
2011-01-07 02:05:03 -------- d-----w- C:\Windows\System32\drivers\AVG
2011-01-07 02:05:02 -------- d-----w- C:\PROGRA~3\AVG10
2011-01-07 02:04:14 -------- d-----w- C:\Program Files (x86)\AVG
2011-01-07 01:39:02 -------- d-----w- C:\PROGRA~3\MFAData
2011-01-07 01:34:55 98304 ----a-w- C:\Windows\SysWow64\cabview.dll
2011-01-07 01:34:55 104960 ----a-w- C:\Windows\System32\cabview.dll
2011-01-07 01:34:53 218112 ----a-w- C:\Windows\System32\wintrust.dll
2011-01-07 01:34:53 171520 ----a-w- C:\Windows\SysWow64\wintrust.dll
2011-01-07 01:21:01 2621440 ----a-w- C:\Windows\System32\wucltux.dll
2011-01-07 01:20:50 98816 ----a-w- C:\Windows\System32\wudriver.dll
2011-01-07 01:20:50 87552 ----a-w- C:\Windows\SysWow64\wudriver.dll
2011-01-07 01:20:45 36864 ----a-w- C:\Windows\System32\wuapp.exe
2011-01-07 01:20:45 33792 ----a-w- C:\Windows\SysWow64\wuapp.exe
2011-01-07 01:20:45 185416 ----a-w- C:\Windows\System32\wuwebv.dll
2011-01-07 01:20:45 171608 ----a-w- C:\Windows\SysWow64\wuwebv.dll
2011-01-07 01:19:51 -------- d-----w- C:\Users\Seano\AppData\Local\AOL
2011-01-07 00:17:20 804864 ----a-w- C:\Windows\System32\drivers\netr28ux.sys
2011-01-07 00:17:20 305664 ----a-w- C:\Windows\System32\RaCoInstx.dll
2011-01-07 00:15:41 -------- d-----w- C:\Users\Seano\AppData\Local\ATI
2011-01-07 00:14:44 -------- d-----w- C:\Users\Seano\AppData\Local\Hewlett-Packard
2011-01-07 00:14:19 -------- d-----w- C:\Users\Seano\AppData\Local\VirtualStore
2011-01-07 00:08:32 -------- d-----w- C:\Users\Seano\AppData\Roaming\HP TCS
2011-01-07 00:02:36 -------- d-sh--we C:\Documents and Settings

==================== Find3M ====================

2011-01-07 02:00:26 588472 ----a-w- C:\Windows\SysWow64\ezsvc7x.dll
2010-12-08 04:12:36 308304 ----a-w- C:\Windows\System32\drivers\avgldx64.sys
2010-11-12 13:19:38 382032 ----a-w- C:\Windows\System32\drivers\avgtdia.sys

============= FINISH: 4:41:00.33 ===============



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-12.02)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 06/01/2011 23:55:08
System Uptime: 07/01/2011 04:05:37 (0 hours ago)

Motherboard: PEGATRON CORPORATION | | NARRA5
Processor: AMD Phenom(tm) 9650 Quad-Core Processor | Socket AM2 | 1200/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 451 GiB total, 417.292 GiB free.
D: is FIXED (NTFS) - 15 GiB total, 2.133 GiB free.
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP6: 07/01/2011 00:17:20 - Device Driver Package Install: Ralink Network adapters
RP7: 07/01/2011 01:20:34 - Windows Update
RP8: 07/01/2011 01:34:56 - Windows Update
RP9: 07/01/2011 01:40:35 - Installed
RP10: 07/01/2011 01:40:59 - Installed
RP11: 07/01/2011 01:59:18 - Scripted restore
RP12: 07/01/2011 02:04:00 - Installed AVG 2011
RP13: 07/01/2011 02:04:30 - Installed AVG 2011

==== Installed Programs ======================

ActiveCheck component for HP Active Support Library
Adobe Flash Player 10 ActiveX
AOL Toolbar 5.0
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center Graphics Previews Vista
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
ccc-core-static
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
Compatibility Pack for the 2007 Office system
CyberLink DVD Suite Deluxe
DirectX for Managed Code Update (Summer 2004)
ESET Online Scanner v3
Google Chrome
HP Active Support Library
HP Advisor
HP Customer Experience Enhancements
HP Games
HP MediaSmart Demo
HP MediaSmart DVD
HP MediaSmart Music/Photo/Video
HP Odometer
HP Picasso Media Center Add-In
HP Recovery Manager RSS
HP Support Information
HP Total Care Setup
HP Update
HPAsset component for HP Active Support Library
LabelPrint
LightScribe System Software
Magic Desktop
Malwarebytes' Anti-Malware
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Works
Norton Internet Security
Power2Go
PowerDirector
Python 2.6 pywin32-212
Python 2.6.1
Realtek High Definition Audio Driver
Skins
Visual Studio 2008 x64 Redistributables

==== Event Viewer Messages From Past Week ========

07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-zh-tw-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-zh-hk-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-zh-cn-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-uk-ua-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-tr-tr-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-th-th-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-sv-se-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-sr-latn-cs-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-sl-si-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-sk-sk-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-ru-ru-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-ro-ro-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-pt-pt-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-pt-br-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-ps-ps-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-pl-pl-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-nl-nl-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-Neutral from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Staged(Staged) state
07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-nb-no-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-lv-lv-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-lt-lt-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-ko-kr-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-ja-jp-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-it-it-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-hu-hu-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-hr-hr-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-he-il-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-fr-fr-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-fi-fi-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-et-ee-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-es-es-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-en-us-LP from package WUClient-SelfUpdate-Aux-Package-en-us-MiniLP(Feature Pack) into Staged(Staged) state
07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-en-us-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Staged(Staged) state
07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-el-gr-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-de-de-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-da-dk-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-cs-cz-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-bg-bg-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-ar-sa-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update AuxResourcesLP from package WindowsUpdateClient-SelfUpdate-Aux-Package(Language Pack) into Staged(Staged) state
07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update AuxComp from package WindowsUpdateClient-SelfUpdate-Aux-Package(Update) into Staged(Staged) state
07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update Aux32 from package WindowsUpdateClient-SelfUpdate-Aux-AuxComp-Package_en-US(Language Pack) into Staged(Staged) state
07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update Aux32 from package WindowsUpdateClient-SelfUpdate-Aux-AuxComp-Package(Update) into Staged(Staged) state
07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update Aux from package WindowsUpdateClient-SelfUpdate-Aux-AuxComp-Package_en-US(Language Pack) into Staged(Staged) state
07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update Aux from package WindowsUpdateClient-SelfUpdate-Aux-AuxComp-Package(Update) into Staged(Staged) state
07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package WUClient-SelfUpdate-Aux-Package-en-us-MiniLP (Feature Pack) into Install Requested(Install Requested) state
07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package WindowsUpdateClient-SelfUpdate-Aux-Package (Update) into Install Requested(Install Requested) state
07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package WindowsUpdateClient-SelfUpdate-Aux-Package (Language Pack) into Install Requested(Install Requested) state
07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package WindowsUpdateClient-SelfUpdate-Aux-AuxComp-Package_en-US (Language Pack) into Install Requested(Install Requested) state
07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package WindowsUpdateClient-SelfUpdate-Aux-AuxComp-Package (Update) into Install Requested(Install Requested) state
07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package KBWUClient-SelfUpdate-Aux (Feature Pack) into Install Requested(Install Requested) state
07/01/2011 00:01:49, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: i8042prt

==== End Of File ===========================


GMER came back clean


_____________________________________________________________

C:\Windows\System32\ezShellStart.exe probably unknown NewHeur_PE virus
C:\Windows\SysWOW64\ezShellStart.exe probably unknown NewHeur_PE virus


_______________________________________________________________

ComboFix 11-01-06.03 - Seano 07/01/2011 5:06.1.4 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.353.1033.18.4094.2897 [GMT 0:00]
Running from: c:\users\Seano\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-12-07 to 2011-01-07 )))))))))))))))))))))))))))))))
.

2011-01-07 05:10 . 2011-01-07 05:10 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-01-07 05:05 . 2011-01-07 05:05 -------- d-----w- C:\32788R22FWJFW
2011-01-07 03:59 . 2011-01-07 03:59 -------- d-----w- c:\programdata\Malwarebytes
2011-01-07 03:59 . 2010-12-20 18:09 38224 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-01-07 03:59 . 2011-01-07 03:59 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-01-07 02:52 . 2011-01-07 02:52 -------- d-----w- c:\program files (x86)\ESET
2011-01-07 02:06 . 2011-01-07 02:06 -------- d--h--w- c:\programdata\Common Files

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-07 02:00 . 2009-06-11 15:53 588472 ----a-w- c:\windows\SysWow64\ezsvc7x.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1555968]
"HPADVISOR"="c:\program files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2009-04-04 1644088]
"Google Update"="c:\users\Seano\AppData\Local\Google\Update\GoogleUpdate.exe" [2011-01-07 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-20 62768]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-01-27 61440]
"HP Health Check Scheduler"="c:\program files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-12-04 75016]
"UpdateP2GoShortCut"="c:\program files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-12-03 218408]
"UpdateLBPShortCut"="c:\program files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2008-12-03 218408]
"UpdatePDIRShortCut"="c:\program files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-12-03 218408]
"UpdatePSTShortCut"="c:\program files (x86)\CyberLink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe" [2009-02-02 210216]
"TSMAgent"="c:\program files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe" [2009-04-09 1328424]
"CLMLServer for HP TouchSmart"="c:\program files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe" [2009-04-09 185640]
"DVDAgent"="c:\program files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe" [2009-03-19 1148200]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\Wow6432Node\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

R2 ezSharedSvc;Easybits Shared Services for Windows;c:\windows\system32\svchost.exe [2008-01-21 27648]
R2 Norton Internet Security;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe [x]
R3 PCDSRVC{F36B3A4C-F95654BD-06000000}_0;PCDSRVC{F36B3A4C-F95654BD-06000000}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\pc-doctor for windows\pcdsrvc_x64.pkms [2009-02-02 23536]
S2 {55662437-DA8C-40c0-AADA-2C816A897A49};Power Control [2009/06/11 16:30];c:\program files (x86)\Hewlett-Packard\Media\DVD\000.fcl [2009-03-19 09:54 146928]
S3 netr28ux;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28ux.sys [2008-09-26 804864]


HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ezSharedSvc
.
Contents of the 'Scheduled Tasks' folder

2011-01-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-139329902-3773949464-2642598458-1000Core.job
- c:\users\Seano\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-07 02:39]

2011-01-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-139329902-3773949464-2642598458-1000UA.job
- c:\users\Seano\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-07 02:39]

2011-01-07 c:\windows\Tasks\PCDRScheduledMaintenance.job
- c:\program files\PC-Doctor for Windows\pcdr5cuiw32.exe [2009-02-02 18:59]
.

--------- x86-64 -----------


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="%ProgramFiles%\Windows Defender\MSASCui.exe -hide" [X]
"HP Remote Software"="c:\program files\Hewlett-Packard\HP Remote\HP REMOTE V1.0.5.exe" [2009-02-06 172032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ie&c=93&bd=Pavilion&pf=cndt
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ie&c=93&bd=Pavilion&pf=cndt
mLocal Page = %SystemRoot%\system32\blank.htm
IE: &AOL Toolbar Search - c:\programdata\AOL\ieToolbar\resources\en-IE\local\search.html
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-SmartMenu - %ProgramFiles%\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
AddRemove-EasyBits Magic Desktop - c:\windows\system32\ezMDUninstall.exe



[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCDSRVC{F36B3A4C-F95654BD-06000000}_0]
"ImagePath"="\??\c:\program files\pc-doctor for windows\pcdsrvc_x64.pkms"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{55662437-DA8C-40c0-AADA-2C816A897A49}]
"ImagePath"="\??\c:\program files (x86)\Hewlett-Packard\Media\DVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}]
@Denied: (A 2) (Everyone)
@SACL=
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10a.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\Elevation]
@SACL=
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\LocalServer32]
@SACL=
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10a.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\TypeLib]
@SACL=
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@SACL=
@="Shockwave Flash Object"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Control]
@SACL=

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage]
@SACL=

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories]
@SACL=

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@SACL=
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10a.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@SACL=
@="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@SACL=
@="ShockwaveFlash.ShockwaveFlash.10"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Programmable]
@SACL=

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@SACL=
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10a.ocx, 1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@SACL=
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@SACL=
@="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@SACL=
@="ShockwaveFlash.ShockwaveFlash"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@SACL=
@="Macromedia Flash Factory Object"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Control]
@SACL=

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@SACL=
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10a.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@SACL=
@="FlashFactory.FlashFactory.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Programmable]
@SACL=

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@SACL=
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10a.ocx, 1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@SACL=
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@SACL=
@="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@SACL=
@="FlashFactory.FlashFactory"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}]
@Denied: (A 2) (Everyone)
@SACL=
@="IFlashBroker2"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\ProxyStubClsid32]
@SACL=
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\TypeLib]
@SACL=
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@SACL=

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@SACL=
@="Shockwave Flash"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@SACL=
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@SACL=
@="FlashBroker"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
Completion time: 2011-01-07 05:12:50
ComboFix-quarantined-files.txt 2011-01-07 05:12

Pre-Run: 453,089,615,872 bytes free
Post-Run: 453,012,672,512 bytes free

- - End Of File - - 79FA2EF1F61720046FBA78DE72392042to be continued

to be continued...........

 

[bobbygeorge]

.....continued.

All processes killed
Error: Unable to interpret <rocesse> in the current context!
========== FILES ==========
File/Folder C:\Downloads\Nero 7.10.1.0\Nero-7.10.1.0_eng_full.exe not found.
C:\Windows\System32\ezShellStart.exe moved successfully.
File/Folder C:\Windows\SysWOW64\ezShellStart.exe not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: Seano
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 4728837 bytes
->Google Chrome cache emptied: 856432 bytes
->Flash cache emptied: 405 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 0 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 5.00 mb


OTM by OldTimer - Version 3.1.17.2 log created on 01072011_051843

Files moved on Reboot...
File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YS080EZK\desktop.ini scheduled to be moved on reboot.
File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MDOBNGAZ\desktop.ini scheduled to be moved on reboot.
File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KGIPAM2I\desktop.ini scheduled to be moved on reboot.
File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8GEEZJ12\desktop.ini scheduled to be moved on reboot.
File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini scheduled to be moved on reboot.
File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini scheduled to be moved on reboot.

Registry entries deleted on Reboot...


_______________________________________________________________


ComboFix 11-01-06.03 - Seano 07/01/2011 5:29.2.4 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.353.1033.18.4094.2851 [GMT 0:00]
Running from: c:\users\Seano\Desktop\ComboFix.exe
Command switches used :: c:\users\Seano\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point

FILE ::
"c:\windows\system32\DRIVERS\ewusbdev.sys"
"c:\windows\system32\DRIVERS\ewusbfake.sys"
"c:\windows\system32\DRIVERS\ewusbnet.sys"
.

((((((((((((((((((((((((( Files Created from 2010-12-07 to 2011-01-07 )))))))))))))))))))))))))))))))
.

2011-01-07 05:33 . 2011-01-07 05:33 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-01-07 05:18 . 2011-01-07 05:18 -------- d-----w- C:\_OTM
2011-01-07 03:59 . 2011-01-07 03:59 -------- d-----w- c:\programdata\Malwarebytes
2011-01-07 03:59 . 2010-12-20 18:09 38224 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-01-07 03:59 . 2011-01-07 03:59 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-01-07 02:52 . 2011-01-07 02:52 -------- d-----w- c:\program files (x86)\ESET
2011-01-07 02:06 . 2011-01-07 02:06 -------- d--h--w- c:\programdata\Common Files

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-07 02:00 . 2009-06-11 15:53 588472 ----a-w- c:\windows\SysWow64\ezsvc7x.dll
.

((((((((((((((((((((((((((((( SnapShot@2011-01-07_05.10.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-21 02:23 . 2011-01-07 05:23 29956 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 15:45 . 2011-01-07 05:23 52916 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2011-01-07 00:07 . 2011-01-07 05:23 2932 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-139329902-3773949464-2642598458-1000_UserData.bin
- 2011-01-07 05:02 . 2011-01-07 05:02 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-01-07 05:20 . 2011-01-07 05:20 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-01-07 05:20 . 2011-01-07 05:20 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2011-01-07 05:02 . 2011-01-07 05:02 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2006-11-02 12:46 . 2011-01-07 05:08 599942 c:\windows\system32\perfh009.dat
+ 2006-11-02 12:46 . 2011-01-07 05:26 599942 c:\windows\system32\perfh009.dat
+ 2006-11-02 12:46 . 2011-01-07 05:26 105448 c:\windows\system32\perfc009.dat
- 2006-11-02 12:46 . 2011-01-07 05:08 105448 c:\windows\system32\perfc009.dat
- 2009-06-11 16:02 . 2011-01-07 05:01 393952 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2009-06-11 16:02 . 2011-01-07 05:19 393952 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1555968]
"HPADVISOR"="c:\program files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2009-04-04 1644088]
"Google Update"="c:\users\Seano\AppData\Local\Google\Update\GoogleUpdate.exe" [2011-01-07 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-20 62768]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-01-27 61440]
"HP Health Check Scheduler"="c:\program files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-12-04 75016]
"UpdateP2GoShortCut"="c:\program files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-12-03 218408]
"UpdateLBPShortCut"="c:\program files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2008-12-03 218408]
"UpdatePDIRShortCut"="c:\program files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-12-03 218408]
"UpdatePSTShortCut"="c:\program files (x86)\CyberLink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe" [2009-02-02 210216]
"TSMAgent"="c:\program files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe" [2009-04-09 1328424]
"CLMLServer for HP TouchSmart"="c:\program files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe" [2009-04-09 185640]
"DVDAgent"="c:\program files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe" [2009-03-19 1148200]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\Wow6432Node\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

R2 ezSharedSvc;Easybits Shared Services for Windows;c:\windows\system32\svchost.exe [2008-01-21 27648]
R2 Norton Internet Security;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe [x]
R3 PCDSRVC{F36B3A4C-F95654BD-06000000}_0;PCDSRVC{F36B3A4C-F95654BD-06000000}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\pc-doctor for windows\pcdsrvc_x64.pkms [2009-02-02 23536]
S2 {55662437-DA8C-40c0-AADA-2C816A897A49};Power Control [2009/06/11 16:30];c:\program files (x86)\Hewlett-Packard\Media\DVD\000.fcl [2009-03-19 09:54 146928]
S3 netr28ux;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28ux.sys [2008-09-26 804864]


HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ezSharedSvc
.
Contents of the 'Scheduled Tasks' folder

2011-01-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-139329902-3773949464-2642598458-1000Core.job
- c:\users\Seano\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-07 02:39]

2011-01-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-139329902-3773949464-2642598458-1000UA.job
- c:\users\Seano\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-07 02:39]

2011-01-07 c:\windows\Tasks\PCDRScheduledMaintenance.job
- c:\program files\PC-Doctor for Windows\pcdr5cuiw32.exe [2009-02-02 18:59]
.

--------- x86-64 -----------


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Remote Software"="c:\program files\Hewlett-Packard\HP Remote\HP REMOTE V1.0.5.exe" [2009-02-06 172032]
"SmartMenu"="%ProgramFiles%\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" [BU]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ie&c=93&bd=Pavilion&pf=cndt
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ie&c=93&bd=Pavilion&pf=cndt
mLocal Page = %SystemRoot%\system32\blank.htm
IE: &AOL Toolbar Search - c:\programdata\AOL\ieToolbar\resources\en-IE\local\search.html
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)



[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCDSRVC{F36B3A4C-F95654BD-06000000}_0]
"ImagePath"="\??\c:\program files\pc-doctor for windows\pcdsrvc_x64.pkms"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{55662437-DA8C-40c0-AADA-2C816A897A49}]
"ImagePath"="\??\c:\program files (x86)\Hewlett-Packard\Media\DVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}]
@Denied: (A 2) (Everyone)
@SACL=
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10a.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\Elevation]
@SACL=
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\LocalServer32]
@SACL=
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10a.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\TypeLib]
@SACL=
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@SACL=
@="Shockwave Flash Object"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Control]
@SACL=

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage]
@SACL=

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories]
@SACL=

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@SACL=
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10a.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@SACL=
@="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@SACL=
@="ShockwaveFlash.ShockwaveFlash.10"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Programmable]
@SACL=

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@SACL=
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10a.ocx, 1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@SACL=
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@SACL=
@="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@SACL=
@="ShockwaveFlash.ShockwaveFlash"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@SACL=
@="Macromedia Flash Factory Object"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Control]
@SACL=

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@SACL=
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10a.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@SACL=
@="FlashFactory.FlashFactory.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Programmable]
@SACL=

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@SACL=
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10a.ocx, 1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@SACL=
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@SACL=
@="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@SACL=
@="FlashFactory.FlashFactory"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}]
@Denied: (A 2) (Everyone)
@SACL=
@="IFlashBroker2"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\ProxyStubClsid32]
@SACL=
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\TypeLib]
@SACL=
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@SACL=

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@SACL=
@="Shockwave Flash"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@SACL=
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@SACL=
@="FlashBroker"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
Completion time: 2011-01-07 05:35:47
ComboFix-quarantined-files.txt 2011-01-07 05:35
ComboFix2.txt 2011-01-07 05:12

Pre-Run: 449,897,967,616 bytes free
Post-Run: 449,868,423,168 bytes free

- - End Of File - - 0ADD97B0F4136628B4BF77E35BFA7495


Thats them all done there now........chat later Bob, Thanks!

 

[bobbygeorge]

eset results 2

C:\_OTM\MovedFiles\01072011_051843\C_Windows\System32\ezShellStart.exe probably unknown NewHeur_PE virus


Only the one now.....getting there.

Chat later, I'm done for now.

 

[bobbygeorge]

Almost done here I think.......

......but can I be guaranteed that my computer will be ok to use IF & When I get rid of the last New_Heur Virus? Or will it be a risk forever?

Next move?

Thanks!

 

[Bobbye]

Eset has picked up same threats again.

Please note the location of this file:
C:\_OTM\MovedFiles\01072011_051843\C_Windows\System32\ezShellStart.exe probably unknown NewHeur_PE virus

This file was handled in OTM and is not a threat to your system.
===============================================
If you reformatted and reinstalled, your system should be clean. If you backed up and reintroduced any infected files back into the system, they would reinfect the system. If you were using a flash drive when the computer was infected, then it will have gotten infected also. If you used it back on the clean system, you will have reinfected it.
=================================================
FlashDrive Disinfection:

• 
  [1]. Download Flash_Disinfector and save it to your Desktop.
  [2]. After downloading, double-click on Flash_Disinfector to run it.
  [3]. Just follow the prompts and continue until it begin scanning.
  
  
  
  [4]. If asked to insert your flash drive or any removable device including USB Pen Drive and Memory Stick, please do so.
  [5]. It will scan removable drives, wait for the scan to finish. Done.

What will Flash Disinfector Do
- Clean up junks created by flash malwares
- Deletes autorun.inf from every root folder
- Fix back damages done to your system
- Creates an autorun.inf folder in the root of your system drives

1. The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone.
2. Please do so and allow the utility to clean up those drives as well.
3. Wait until it has finished scanning and then exit the program.
4. Reboot your computer when done.

Note: Flash_Disinfector will create a hidden file named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
============================================
You have made the system more vulnerable by using multiple AV programs and firewalls. You should have only 1 of each:
AV: Norton Internet Security *Enabled/Updated*
AV: AVG Internet Security 2011 *Disabled/Updated*
FW: Norton Internet Security *Disabled*
FW: AVG Firewall *Disabled*
Tools to help: download only the tool for the AV you are not going to keep:
Norton Removal Tool
AVG Removal Tool
Decide which you want to keep and remove the other. Reboot the computer when finished.
==========================================
Handle the above. Then rescan with Eset and Combofix.
Post the logs back to this thread. You don't need to send a PM.

 

[bobbygeorge]

If you reformatted and reinstalled, your system should be clean. If you backed up and reintroduced any infected files back into the system, they would reinfect the system. If you were using a flash drive when the computer was infected, then it will have gotten infected also. If you used it back on the clean system, you will have reinfected it.

The only usb device I used was a wireless dongle.
I did not back up anything.
But the OS did not come on disk with this computer. It is already on the computer stored in the recovery partition. Of course, this partition does not only contain the OS, it also contains all the software that came with the computer also. e.g. Media player to play Blu-Ray.

So is it possible that the recovery partition is infected?

I will run these scans now.

 

[bobbygeorge]

Scans done + results

About the 2 AV's, 1 was installed for recovery, it was a 60 day trail. And I have already deleted it.
Also it said AVG was running, but i uninstalled it and rebooted so dont know what was wrong there.

Logs below:

Sorry: looks like AVG messed it up. will try again

 

[bobbygeorge]

Sorry: looks like AVG messed it up. will try again

 

[bobbygeorge]

Sorry: looks like AVG messed it up. will try again

 

[bobbygeorge]

ComboFix 11-01-06.03 - Seano 09/01/2011 5:44.4.4 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.353.1033.18.4094.2505 [GMT 0:00]
Running from: c:\users\Seano\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-12-09 to 2011-01-09 )))))))))))))))))))))))))))))))
.

2011-01-09 05:48 . 2011-01-09 05:48 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-01-08 01:04 . 2009-11-08 10:55 99176 ----a-w- c:\windows\SysWow64\PresentationHostProxy.dll
2011-01-08 01:04 . 2009-11-08 10:55 49472 ----a-w- c:\windows\SysWow64\netfxperf.dll
2011-01-08 01:04 . 2009-11-08 10:55 297808 ----a-w- c:\windows\SysWow64\mscoree.dll
2011-01-08 01:04 . 2009-11-08 10:55 295264 ----a-w- c:\windows\SysWow64\PresentationHost.exe
2011-01-08 01:04 . 2009-11-08 10:55 1130824 ----a-w- c:\windows\SysWow64\dfshim.dll
2011-01-07 21:29 . 2009-08-24 12:16 378368 ----a-w- c:\windows\SysWow64\winhttp.dll
2011-01-07 21:29 . 2010-03-05 14:01 420352 ----a-w- c:\windows\SysWow64\vbscript.dll
2011-01-07 21:27 . 2010-10-19 04:56 7680 ----a-w- c:\program files\Internet Explorer\iecompat.dll
2011-01-07 21:27 . 2010-10-19 04:27 7680 ----a-w- c:\program files (x86)\Internet Explorer\iecompat.dll
2011-01-07 21:26 . 2010-09-06 16:24 9728 ----a-w- c:\windows\SysWow64\sscore.dll
2011-01-07 21:26 . 2010-09-06 16:23 17920 ----a-w- c:\windows\SysWow64\netevent.dll
2011-01-07 21:26 . 2010-05-27 19:16 738816 ----a-w- c:\windows\SysWow64\inetcomm.dll
2011-01-07 17:19 . 2011-01-07 17:19 -------- d-----w- c:\programdata\{B3C2C1CD-6B77-4A96-B670-F734AC2A1CBC}
2011-01-07 17:19 . 2011-01-07 17:19 -------- d-----w- c:\program files (x86)\Activation Assistant for the 2007 Microsoft Office suites
2011-01-07 17:17 . 2011-01-07 17:17 -------- d-----w- c:\windows\PCHEALTH
2011-01-07 17:17 . 2011-01-07 17:17 -------- d-----w- c:\program files (x86)\Microsoft.NET
2011-01-07 17:16 . 2011-01-07 17:19 -------- d-----w- c:\programdata\Microsoft Help
2011-01-07 17:15 . 2011-01-07 17:15 -------- d-----r- C:\MSOCache
2011-01-07 16:59 . 2010-09-20 09:25 231936 ----a-w- c:\windows\SysWow64\msshsq.dll
2011-01-07 16:22 . 2011-01-07 16:22 -------- d-----w- c:\program files (x86)\MSXML 4.0
2011-01-07 16:10 . 2008-06-20 01:14 37384 ----a-w- c:\windows\SysWow64\infocardcpl.cpl
2011-01-07 16:10 . 2008-06-20 01:14 11264 ----a-w- c:\windows\SysWow64\icardres.dll
2011-01-07 16:10 . 2008-06-20 01:14 781344 ----a-w- c:\windows\SysWow64\PresentationNative_v0300.dll
2011-01-07 16:10 . 2008-06-20 01:14 97800 ----a-w- c:\windows\SysWow64\infocardapi.dll
2011-01-07 16:10 . 2008-06-20 01:14 622080 ----a-w- c:\windows\SysWow64\icardagt.exe
2011-01-07 16:10 . 2008-06-20 01:14 105016 ----a-w- c:\windows\SysWow64\PresentationCFFRasterizerNative_v0300.dll
2011-01-07 16:01 . 2008-07-27 18:03 158720 ----a-w- c:\windows\SysWow64\mscorier.dll
2011-01-07 16:01 . 2008-07-27 18:03 83968 ----a-w- c:\windows\SysWow64\mscories.dll
2011-01-07 15:58 . 2010-02-20 23:39 24064 ----a-w- c:\windows\SysWow64\nshhttp.dll
2011-01-07 15:58 . 2010-02-20 23:37 31232 ----a-w- c:\windows\SysWow64\httpapi.dll
2011-01-07 15:54 . 2010-04-14 17:46 80896 ----a-w- c:\windows\SysWow64\MSNP.ax
2011-01-07 15:54 . 2010-04-14 17:45 177664 ----a-w- c:\windows\SysWow64\mpg2splt.ax
2011-01-07 15:54 . 2010-04-14 17:47 293376 ----a-w- c:\windows\SysWow64\psisdecd.dll
2011-01-07 15:54 . 2010-04-14 17:47 217088 ----a-w- c:\windows\SysWow64\psisrndr.ax
2011-01-07 15:54 . 2010-04-14 17:46 428544 ----a-w- c:\windows\SysWow64\EncDec.dll
2011-01-07 05:18 . 2011-01-07 05:18 -------- d-----w- C:\_OTM
2011-01-07 03:59 . 2011-01-07 03:59 -------- d-----w- c:\programdata\Malwarebytes
2011-01-07 03:59 . 2010-12-20 18:09 38224 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-01-07 03:59 . 2011-01-07 03:59 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-01-07 03:28 . 2010-08-31 15:41 954752 ----a-w- c:\windows\SysWow64\mfc40.dll
2011-01-07 03:28 . 2010-08-31 15:41 954288 ----a-w- c:\windows\SysWow64\mfc40u.dll
2011-01-07 03:28 . 2009-09-10 15:48 1486848 ----a-w- c:\program files\Windows Media Player\setup_wm.exe
2011-01-07 03:28 . 2009-09-10 15:21 1418752 ----a-w- c:\program files (x86)\Windows Media Player\setup_wm.exe
2011-01-07 03:28 . 2009-09-10 15:21 310784 ----a-w- c:\windows\SysWow64\unregmp2.exe
2011-01-07 03:25 . 2009-08-10 11:01 1399296 ----a-w- c:\windows\SysWow64\msxml6.dll
2011-01-07 03:25 . 2009-06-04 12:34 2066432 ----a-w- c:\windows\SysWow64\mstscax.dll
2011-01-07 03:25 . 2009-10-23 17:42 714240 ----a-w- c:\windows\SysWow64\timedate.cpl
2011-01-07 03:25 . 2010-09-10 15:51 171008 ----a-w- c:\program files\Windows Media Player\wmplayer.exe
2011-01-07 03:25 . 2010-09-10 16:35 168960 ----a-w- c:\program files (x86)\Windows Media Player\wmplayer.exe
2011-01-07 03:25 . 2010-09-10 16:37 8147456 ----a-w- c:\windows\SysWow64\wmploc.DLL
2011-01-07 03:24 . 2010-01-25 08:35 523776 ----a-w- c:\windows\SysWow64\RMActivate_isv.exe
2011-01-07 03:24 . 2010-01-25 08:34 511488 ----a-w- c:\windows\SysWow64\RMActivate.exe
2011-01-07 03:24 . 2010-01-25 12:48 472576 ----a-w- c:\windows\SysWow64\secproc_isv.dll
2011-01-07 03:24 . 2010-01-25 12:48 472064 ----a-w- c:\windows\SysWow64\secproc.dll
2011-01-07 03:24 . 2010-01-25 08:35 346624 ----a-w- c:\windows\SysWow64\RMActivate_ssp_isv.exe
2011-01-07 03:24 . 2010-01-25 08:34 347136 ----a-w- c:\windows\SysWow64\RMActivate_ssp.exe
2011-01-07 03:24 . 2010-01-25 12:48 151040 ----a-w- c:\windows\SysWow64\secproc_ssp_isv.dll
2011-01-07 03:24 . 2010-01-25 12:48 151040 ----a-w- c:\windows\SysWow64\secproc_ssp.dll
2011-01-07 03:24 . 2010-01-25 12:45 329216 ----a-w- c:\windows\SysWow64\msdrm.dll
2011-01-07 03:24 . 2010-01-29 16:41 2080768 ----a-w- c:\program files\Windows Mail\msoe.dll
2011-01-07 03:24 . 2010-01-29 16:22 1616384 ----a-w- c:\program files (x86)\Windows Mail\msoe.dll
2011-01-07 03:22 . 2010-06-11 15:30 1257472 ----a-w- c:\windows\SysWow64\msxml3.dll
2011-01-07 03:21 . 2009-07-14 13:00 313344 ----a-w- c:\windows\SysWow64\wmpdxm.dll
2011-01-07 02:52 . 2011-01-07 02:52 -------- d-----w- c:\program files (x86)\ESET
2011-01-07 02:06 . 2011-01-07 02:06 -------- d--h--w- c:\programdata\Common Files
2011-01-07 02:05 . 2011-01-09 04:09 -------- d-----w- c:\programdata\AVG10
2011-01-07 02:04 . 2011-01-07 02:04 -------- d-----w- c:\program files (x86)\AVG
2011-01-07 01:39 . 2011-01-07 02:04 -------- d-----w- c:\programdata\MFAData
2011-01-07 01:34 . 2010-01-15 00:04 98304 ----a-w- c:\windows\SysWow64\cabview.dll
2011-01-07 01:34 . 2009-12-23 12:43 171520 ----a-w- c:\windows\SysWow64\wintrust.dll
2011-01-07 01:20 . 2009-08-07 02:24 35552 ----a-w- c:\windows\SysWow64\wups.dll
2011-01-07 01:20 . 2009-08-07 02:23 575704 ----a-w- c:\windows\SysWow64\wuapi.dll
2011-01-07 01:20 . 2009-08-07 01:44 87552 ----a-w- c:\windows\SysWow64\wudriver.dll
2011-01-07 01:20 . 2009-08-06 19:23 171608 ----a-w- c:\windows\SysWow64\wuwebv.dll
2011-01-07 01:20 . 2009-08-06 18:44 33792 ----a-w- c:\windows\SysWow64\wuapp.exe
2011-01-07 00:07 . 2011-01-07 00:08 -------- d-----w- c:\program files (x86)\Microsoft Works
2011-01-07 00:06 . 2011-01-07 05:58 -------- d-----w- c:\users\Seano

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-07 02:00 . 2009-06-11 15:53 588472 ----a-w- c:\windows\SysWow64\ezsvc7x.dll
.

((((((((((((((((((((((((((((( SnapShot_2011-01-09_04.19.50 )))))))))))))))))))))))))))))))))))))))))
.
- 2011-01-07 19:54 . 2011-01-08 17:37 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-01-07 19:54 . 2011-01-09 04:11 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-01-07 19:54 . 2011-01-09 04:11 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-01-07 19:54 . 2011-01-08 17:37 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-01-07 06:44 . 2011-01-09 05:36 158542 c:\windows\system32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1555968]
"HPADVISOR"="c:\program files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2009-04-04 1644088]
"Google Update"="c:\users\Seano\AppData\Local\Google\Update\GoogleUpdate.exe" [2011-01-07 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-20 62768]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-01-27 61440]
"HP Health Check Scheduler"="c:\program files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-12-04 75016]
"UpdateP2GoShortCut"="c:\program files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-12-03 218408]
"UpdateLBPShortCut"="c:\program files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2008-12-03 218408]
"UpdatePDIRShortCut"="c:\program files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-12-03 218408]
"UpdatePSTShortCut"="c:\program files (x86)\CyberLink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe" [2009-02-02 210216]
"TSMAgent"="c:\program files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe" [2009-04-09 1328424]
"CLMLServer for HP TouchSmart"="c:\program files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe" [2009-04-09 185640]
"DVDAgent"="c:\program files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe" [2009-03-19 1148200]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\Wow6432Node\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

R2 ezSharedSvc;Easybits Shared Services for Windows;c:\windows\system32\svchost.exe [2008-01-21 27648]
R2 Norton Internet Security;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe [x]
R3 PCDSRVC{F36B3A4C-F95654BD-06000000}_0;PCDSRVC{F36B3A4C-F95654BD-06000000}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\pc-doctor for windows\pcdsrvc_x64.pkms [2009-02-02 23536]
S2 {55662437-DA8C-40c0-AADA-2C816A897A49};Power Control [2009/06/11 16:30];c:\program files (x86)\Hewlett-Packard\Media\DVD\000.fcl [2009-03-19 09:54 146928]
S3 netr28ux;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28ux.sys [2008-09-26 804864]


HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ezSharedSvc
.
Contents of the 'Scheduled Tasks' folder

2011-01-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-139329902-3773949464-2642598458-1000Core.job
- c:\users\Seano\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-07 02:39]

2011-01-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-139329902-3773949464-2642598458-1000UA.job
- c:\users\Seano\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-07 02:39]

2011-01-07 c:\windows\Tasks\PCDRScheduledMaintenance.job
- c:\program files\PC-Doctor for Windows\pcdr5cuiw32.exe [2009-02-02 18:59]
.

--------- x86-64 -----------


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Remote Software"="c:\program files\Hewlett-Packard\HP Remote\HP REMOTE V1.0.5.exe" [2009-02-06 172032]
"SmartMenu"="%ProgramFiles%\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" [BU]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ie&c=93&bd=Pavilion&pf=cndt
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ie&c=93&bd=Pavilion&pf=cndt
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: &AOL Toolbar Search - c:\programdata\AOL\ieToolbar\resources\en-IE\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)



[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCDSRVC{F36B3A4C-F95654BD-06000000}_0]
"ImagePath"="\??\c:\program files\pc-doctor for windows\pcdsrvc_x64.pkms"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{55662437-DA8C-40c0-AADA-2C816A897A49}]
"ImagePath"="\??\c:\program files (x86)\Hewlett-Packard\Media\DVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}]
@Denied: (A 2) (Everyone)
@SACL=
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10a.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\Elevation]
@SACL=
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\LocalServer32]
@SACL=
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10a.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\TypeLib]
@SACL=
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@SACL=
@="Shockwave Flash Object"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Control]
@SACL=

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage]
@SACL=

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories]
@SACL=

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@SACL=
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10a.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@SACL=
@="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@SACL=
@="ShockwaveFlash.ShockwaveFlash.10"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Programmable]
@SACL=

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@SACL=
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10a.ocx, 1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@SACL=
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@SACL=
@="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@SACL=
@="ShockwaveFlash.ShockwaveFlash"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@SACL=
@="Macromedia Flash Factory Object"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Control]
@SACL=

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@SACL=
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10a.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@SACL=
@="FlashFactory.FlashFactory.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Programmable]
@SACL=

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@SACL=
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10a.ocx, 1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@SACL=
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@SACL=
@="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@SACL=
@="FlashFactory.FlashFactory"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}]
@Denied: (A 2) (Everyone)
@SACL=
@="IFlashBroker2"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\ProxyStubClsid32]
@SACL=
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\TypeLib]
@SACL=
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@SACL=

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@SACL=
@="Shockwave Flash"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@SACL=
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@SACL=
@="FlashBroker"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
Completion time: 2011-01-09 05:50:39
ComboFix-quarantined-files.txt 2011-01-09 05:50
ComboFix2.txt 2011-01-09 04:22
ComboFix3.txt 2011-01-07 05:35
ComboFix4.txt 2011-01-07 05:12

Pre-Run: 427,441,881,088 bytes free
Post-Run: 427,418,591,232 bytes free

- - End Of File - - ECBDF7A20348A3ABC51FAC214F9AFACD


C:\_OTM\MovedFiles\01072011_051843\C_Windows\System32\ezShellStart.exe probably unknown NewHeur_PE virus

 

[bobbygeorge]

A more recent log due to suspicious activity.....

....i.e. Suspect people trying to infect my machine again through sharing links with me on facebook.


ComboFix 11-01-11.01 - Seano 12/01/2011 5:32.5.4 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.353.1033.18.4094.2623 [GMT 0:00]
Running from: c:\users\Seano\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-12-12 to 2011-01-12 )))))))))))))))))))))))))))))))
.

2011-01-12 05:36 . 2011-01-12 05:36 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-01-12 05:31 . 2011-01-12 05:31 -------- d-----w- C:\32788R22FWJFW
2011-01-09 21:18 . 2010-11-16 12:01 8199504 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{74009AD9-72DC-4739-8FA7-1BFA6AB08183}\mpengine.dll
2011-01-09 21:18 . 2010-10-19 10:41 270720 ------w- c:\windows\system32\MpSigStub.exe
2011-01-08 01:04 . 2009-11-08 10:55 99176 ----a-w- c:\windows\SysWow64\PresentationHostProxy.dll
2011-01-08 01:04 . 2009-11-08 10:55 49472 ----a-w- c:\windows\SysWow64\netfxperf.dll
2011-01-08 01:04 . 2009-11-08 10:55 48960 ----a-w- c:\windows\system32\netfxperf.dll
2011-01-08 01:04 . 2009-11-08 10:55 444752 ----a-w- c:\windows\system32\mscoree.dll
2011-01-08 01:04 . 2009-11-08 10:55 320352 ----a-w- c:\windows\system32\PresentationHost.exe
2011-01-08 01:04 . 2009-11-08 10:55 297808 ----a-w- c:\windows\SysWow64\mscoree.dll
2011-01-08 01:04 . 2009-11-08 10:55 295264 ----a-w- c:\windows\SysWow64\PresentationHost.exe
2011-01-08 01:04 . 2009-11-08 10:55 1942856 ----a-w- c:\windows\system32\dfshim.dll
2011-01-08 01:04 . 2009-11-08 10:55 1130824 ----a-w- c:\windows\SysWow64\dfshim.dll
2011-01-08 01:04 . 2009-11-08 10:55 109912 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2011-01-07 21:29 . 2009-08-24 12:24 442368 ----a-w- c:\windows\system32\winhttp.dll
2011-01-07 21:29 . 2009-08-24 12:16 378368 ----a-w- c:\windows\SysWow64\winhttp.dll
2011-01-07 21:29 . 2010-03-05 14:32 612864 ----a-w- c:\windows\system32\vbscript.dll
2011-01-07 21:29 . 2010-03-05 14:01 420352 ----a-w- c:\windows\SysWow64\vbscript.dll
2011-01-07 21:28 . 2009-11-03 22:42 28160 ----a-w- c:\windows\system32\drivers\en-US\http.sys.mui
2011-01-07 21:27 . 2010-10-19 04:56 7680 ----a-w- c:\program files\Internet Explorer\iecompat.dll
2011-01-07 21:27 . 2010-10-19 04:27 7680 ----a-w- c:\program files (x86)\Internet Explorer\iecompat.dll
2011-01-07 21:26 . 2010-09-06 13:44 461824 ----a-w- c:\windows\system32\drivers\srv.sys
2011-01-07 21:26 . 2010-09-06 16:24 9728 ----a-w- c:\windows\SysWow64\sscore.dll
2011-01-07 21:26 . 2010-09-06 16:23 17920 ----a-w- c:\windows\SysWow64\netevent.dll
2011-01-07 21:26 . 2010-09-06 15:59 179712 ----a-w- c:\windows\system32\srvsvc.dll
2011-01-07 21:26 . 2010-09-06 15:59 12288 ----a-w- c:\windows\system32\sscore.dll
2011-01-07 21:26 . 2010-09-06 15:57 17920 ----a-w- c:\windows\system32\netevent.dll
2011-01-07 21:26 . 2010-09-06 13:44 144896 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-01-07 21:26 . 2010-09-06 13:44 175104 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-01-07 21:26 . 2010-05-27 20:01 975360 ----a-w- c:\windows\system32\inetcomm.dll
2011-01-07 21:26 . 2010-05-27 19:16 738816 ----a-w- c:\windows\SysWow64\inetcomm.dll
2011-01-07 17:19 . 2011-01-07 17:19 -------- d-----w- c:\programdata\{B3C2C1CD-6B77-4A96-B670-F734AC2A1CBC}
2011-01-07 17:19 . 2011-01-07 17:19 -------- d-----w- c:\program files (x86)\Activation Assistant for the 2007 Microsoft Office suites
2011-01-07 17:17 . 2011-01-07 17:17 -------- d-----w- c:\windows\PCHEALTH
2011-01-07 17:17 . 2011-01-07 17:17 -------- d-----w- c:\program files (x86)\Microsoft.NET
2011-01-07 17:16 . 2011-01-07 17:19 -------- d-----w- c:\programdata\Microsoft Help
2011-01-07 17:15 . 2011-01-07 17:15 -------- d-----r- C:\MSOCache
2011-01-07 16:59 . 2010-09-20 12:14 316416 ----a-w- c:\windows\system32\msshsq.dll
2011-01-07 16:59 . 2010-09-20 09:25 231936 ----a-w- c:\windows\SysWow64\msshsq.dll
2011-01-07 16:22 . 2011-01-07 16:22 -------- d-----w- c:\program files (x86)\MSXML 4.0
2011-01-07 16:10 . 2008-06-20 01:16 49160 ----a-w- c:\windows\system32\infocardcpl.cpl
2011-01-07 16:10 . 2008-06-20 01:14 37384 ----a-w- c:\windows\SysWow64\infocardcpl.cpl
2011-01-07 16:10 . 2008-06-20 01:16 11264 ----a-w- c:\windows\system32\icardres.dll
2011-01-07 16:10 . 2008-06-20 01:14 11264 ----a-w- c:\windows\SysWow64\icardres.dll
2011-01-07 16:10 . 2008-06-20 01:17 1168928 ----a-w- c:\windows\system32\PresentationNative_v0300.dll
2011-01-07 16:10 . 2008-06-20 01:14 781344 ----a-w- c:\windows\SysWow64\PresentationNative_v0300.dll
2011-01-07 16:10 . 2008-06-20 01:16 167432 ----a-w- c:\windows\system32\infocardapi.dll
2011-01-07 16:10 . 2008-06-20 01:16 1383936 ----a-w- c:\windows\system32\icardagt.exe
2011-01-07 16:10 . 2008-06-20 01:14 97800 ----a-w- c:\windows\SysWow64\infocardapi.dll
2011-01-07 16:10 . 2008-06-20 01:14 622080 ----a-w- c:\windows\SysWow64\icardagt.exe
2011-01-07 16:10 . 2008-06-20 01:17 126520 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2011-01-07 16:10 . 2008-06-20 01:14 105016 ----a-w- c:\windows\SysWow64\PresentationCFFRasterizerNative_v0300.dll
2011-01-07 16:01 . 2008-07-27 18:03 158720 ----a-w- c:\windows\SysWow64\mscorier.dll
2011-01-07 16:01 . 2008-07-27 18:01 158208 ----a-w- c:\windows\system32\mscorier.dll
2011-01-07 16:01 . 2008-07-27 18:03 83968 ----a-w- c:\windows\SysWow64\mscories.dll
2011-01-07 16:01 . 2008-07-27 18:01 76288 ----a-w- c:\windows\system32\mscories.dll
2011-01-07 15:59 . 2010-02-24 09:28 294912 ----a-w- c:\windows\system32\browserchoice.exe
2011-01-07 15:58 . 2010-02-20 23:44 32768 ----a-w- c:\windows\system32\nshhttp.dll
2011-01-07 15:58 . 2010-02-20 23:39 24064 ----a-w- c:\windows\SysWow64\nshhttp.dll
2011-01-07 15:58 . 2010-02-20 23:42 33792 ----a-w- c:\windows\system32\httpapi.dll
2011-01-07 15:58 . 2010-02-20 23:37 31232 ----a-w- c:\windows\SysWow64\httpapi.dll
2011-01-07 15:58 . 2010-02-20 21:40 610304 ----a-w- c:\windows\system32\drivers\http.sys
2011-01-07 15:54 . 2010-04-14 18:33 101376 ----a-w- c:\windows\system32\MSNP.ax
2011-01-07 15:54 . 2010-04-14 18:33 227328 ----a-w- c:\windows\system32\mpg2splt.ax
2011-01-07 15:54 . 2010-04-14 17:46 80896 ----a-w- c:\windows\SysWow64\MSNP.ax
2011-01-07 15:54 . 2010-04-14 17:45 177664 ----a-w- c:\windows\SysWow64\mpg2splt.ax
2011-01-07 15:54 . 2010-04-14 18:35 375808 ----a-w- c:\windows\system32\psisdecd.dll
2011-01-07 15:54 . 2010-04-14 17:47 293376 ----a-w- c:\windows\SysWow64\psisdecd.dll
2011-01-07 15:54 . 2010-04-14 17:47 217088 ----a-w- c:\windows\SysWow64\psisrndr.ax
2011-01-07 15:54 . 2010-04-14 18:35 289792 ----a-w- c:\windows\system32\psisrndr.ax
2011-01-07 15:54 . 2010-04-14 18:35 558592 ----a-w- c:\windows\system32\EncDec.dll
2011-01-07 15:54 . 2010-04-14 17:46 428544 ----a-w- c:\windows\SysWow64\EncDec.dll
2011-01-07 05:18 . 2011-01-07 05:18 -------- d-----w- C:\_OTM
2011-01-07 03:59 . 2011-01-07 03:59 -------- d-----w- c:\programdata\Malwarebytes
2011-01-07 03:59 . 2010-12-20 18:09 38224 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-01-07 03:59 . 2011-01-07 03:59 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-01-07 03:59 . 2010-12-20 18:08 24152 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-07 03:28 . 2010-08-31 15:41 954752 ----a-w- c:\windows\SysWow64\mfc40.dll
2011-01-07 03:28 . 2010-08-31 15:41 954288 ----a-w- c:\windows\SysWow64\mfc40u.dll
2011-01-07 03:28 . 2009-09-10 15:48 1486848 ----a-w- c:\program files\Windows Media Player\setup_wm.exe
2011-01-07 03:28 . 2009-09-10 15:48 372736 ----a-w- c:\windows\system32\unregmp2.exe
2011-01-07 03:28 . 2009-09-10 15:21 1418752 ----a-w- c:\program files (x86)\Windows Media Player\setup_wm.exe
2011-01-07 03:28 . 2009-09-10 15:21 310784 ----a-w- c:\windows\SysWow64\unregmp2.exe
2011-01-07 03:25 . 2009-08-10 14:09 1794560 ----a-w- c:\windows\system32\msxml6.dll
2011-01-07 03:25 . 2009-08-10 11:01 1399296 ----a-w- c:\windows\SysWow64\msxml6.dll
2011-01-07 03:25 . 2009-06-04 12:59 2423296 ----a-w- c:\windows\system32\mstscax.dll
2011-01-07 03:25 . 2009-06-04 12:34 2066432 ----a-w- c:\windows\SysWow64\mstscax.dll
2011-01-07 03:25 . 2009-10-23 18:10 880640 ----a-w- c:\windows\system32\timedate.cpl
2011-01-07 03:25 . 2009-10-23 17:42 714240 ----a-w- c:\windows\SysWow64\timedate.cpl
2011-01-07 03:25 . 2010-09-10 15:51 171008 ----a-w- c:\program files\Windows Media Player\wmplayer.exe
2011-01-07 03:25 . 2010-09-10 16:35 168960 ----a-w- c:\program files (x86)\Windows Media Player\wmplayer.exe
2011-01-07 03:25 . 2010-09-10 16:37 8147456 ----a-w- c:\windows\SysWow64\wmploc.DLL
2011-01-07 03:25 . 2010-09-10 15:52 8147968 ----a-w- c:\windows\system32\wmploc.DLL
2011-01-07 03:22 . 2010-06-11 16:08 1875456 ----a-w- c:\windows\system32\msxml3.dll
2011-01-07 03:21 . 2009-07-14 13:21 368128 ----a-w- c:\windows\system32\wmpdxm.dll
2011-01-07 02:52 . 2011-01-07 02:52 -------- d-----w- c:\program files (x86)\ESET
2011-01-07 02:06 . 2011-01-07 02:06 -------- d--h--w- c:\programdata\Common Files
2011-01-07 02:05 . 2011-01-12 00:22 -------- d-----w- c:\programdata\AVG10
2011-01-07 02:04 . 2011-01-07 02:04 -------- d-----w- c:\program files (x86)\AVG
2011-01-07 01:39 . 2011-01-07 02:04 -------- d-----w- c:\programdata\MFAData
2011-01-07 01:34 . 2010-01-15 00:04 98304 ----a-w- c:\windows\SysWow64\cabview.dll
2011-01-07 01:34 . 2010-01-13 18:34 104960 ----a-w- c:\windows\system32\cabview.dll
2011-01-07 01:34 . 2009-12-23 12:43 171520 ----a-w- c:\windows\SysWow64\wintrust.dll
2011-01-07 01:34 . 2009-12-23 12:39 218112 ----a-w- c:\windows\system32\wintrust.dll
2011-01-07 01:21 . 2009-08-07 02:24 43744 ----a-w- c:\windows\system32\wups2.dll
2011-01-07 01:21 . 2009-08-07 02:24 57560 ----a-w- c:\windows\system32\wuauclt.exe
2011-01-07 01:21 . 2009-08-07 02:24 2424024 ----a-w- c:\windows\system32\wuaueng.dll
2011-01-07 01:21 . 2009-08-07 01:59 2621440 ----a-w- c:\windows\system32\wucltux.dll
2011-01-07 01:20 . 2009-08-07 02:24 38112 ----a-w- c:\windows\system32\wups.dll
2011-01-07 01:20 . 2009-08-07 02:24 35552 ----a-w- c:\windows\SysWow64\wups.dll
2011-01-07 01:20 . 2009-08-07 02:23 700640 ----a-w- c:\windows\system32\wuapi.dll
2011-01-07 01:20 . 2009-08-07 02:23 575704 ----a-w- c:\windows\SysWow64\wuapi.dll
2011-01-07 01:20 . 2009-08-07 01:59 98816 ----a-w- c:\windows\system32\wudriver.dll
2011-01-07 01:20 . 2009-08-07 01:44 87552 ----a-w- c:\windows\SysWow64\wudriver.dll
2011-01-07 01:20 . 2009-08-06 19:23 185416 ----a-w- c:\windows\system32\wuwebv.dll
2011-01-07 01:20 . 2009-08-06 19:23 171608 ----a-w- c:\windows\SysWow64\wuwebv.dll
2011-01-07 01:20 . 2009-08-06 18:59 36864 ----a-w- c:\windows\system32\wuapp.exe
2011-01-07 01:20 . 2009-08-06 18:44 33792 ----a-w- c:\windows\SysWow64\wuapp.exe
2011-01-07 00:17 . 2008-09-26 04:31 804864 ----a-w- c:\windows\system32\drivers\netr28ux.sys
2011-01-07 00:17 . 2008-09-26 04:26 305664 ----a-w- c:\windows\system32\RaCoInstx.dll
2011-01-07 00:07 . 2011-01-07 00:08 -------- d-----w- c:\program files (x86)\Microsoft Works
2011-01-07 00:06 . 2011-01-10 00:17 -------- d-----w- c:\users\Seano

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-07 02:00 . 2009-06-11 15:53 588472 ----a-w- c:\windows\SysWow64\ezsvc7x.dll
.

((((((((((((((((((((((((((((( SnapShot_2011-01-09_04.19.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-21 03:20 . 2011-01-11 14:23 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-01-21 03:20 . 2011-01-08 03:51 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-01-11 14:24 . 2011-01-11 14:23 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-21 03:20 . 2011-01-11 14:23 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-01-21 03:20 . 2011-01-08 03:51 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-01-21 02:23 . 2011-01-12 05:27 34914 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 15:45 . 2011-01-12 05:27 58292 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2011-01-07 00:02 . 2011-01-11 14:23 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-01-07 00:02 . 2011-01-09 03:11 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-01-07 00:02 . 2011-01-09 03:11 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-01-07 00:02 . 2011-01-11 14:23 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2011-01-07 00:02 . 2011-01-09 03:11 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-01-07 00:02 . 2011-01-11 14:23 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-01-07 19:54 . 2011-01-08 17:37 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-01-07 19:54 . 2011-01-10 10:50 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-01-07 19:54 . 2011-01-08 17:37 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-01-07 19:54 . 2011-01-10 10:50 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2006-11-02 12:40 . 2011-01-08 04:11 86016 c:\windows\inf\infstor.dat
+ 2006-11-02 12:40 . 2011-01-10 00:17 86016 c:\windows\inf\infstor.dat
+ 2006-11-02 12:40 . 2011-01-10 00:17 51200 c:\windows\inf\infpub.dat
- 2006-11-02 12:40 . 2011-01-08 04:11 51200 c:\windows\inf\infpub.dat
+ 2011-01-07 00:07 . 2011-01-12 05:27 5518 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-139329902-3773949464-2642598458-1000_UserData.bin
- 2011-01-09 04:11 . 2011-01-09 04:11 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-01-12 05:24 . 2011-01-12 05:24 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-01-09 04:11 . 2011-01-09 04:11 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-01-12 05:24 . 2011-01-12 05:24 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-01-07 06:44 . 2011-01-10 20:31 192876 c:\windows\system32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
- 2006-11-02 12:46 . 2011-01-09 04:17 599942 c:\windows\system32\perfh009.dat
+ 2006-11-02 12:46 . 2011-01-12 05:29 599942 c:\windows\system32\perfh009.dat
+ 2006-11-02 12:46 . 2011-01-12 05:29 105448 c:\windows\system32\perfc009.dat
- 2006-11-02 12:46 . 2011-01-09 04:17 105448 c:\windows\system32\perfc009.dat
- 2009-06-11 16:02 . 2011-01-09 04:10 564704 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2009-06-11 16:02 . 2011-01-12 00:31 564704 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2006-11-02 12:40 . 2011-01-10 00:17 143360 c:\windows\inf\infstrng.dat
- 2006-11-02 12:40 . 2011-01-08 04:11 143360 c:\windows\inf\infstrng.dat
+ 2011-01-10 00:17 . 2011-01-10 00:17 4779008 c:\windows\Installer\a5c329.msi
+ 2011-01-10 00:15 . 2011-01-10 00:15 1940480 c:\windows\Installer\a5c325.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1555968]
"HPADVISOR"="c:\program files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2009-04-04 1644088]
"Google Update"="c:\users\Seano\AppData\Local\Google\Update\GoogleUpdate.exe" [2011-01-07 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-20 62768]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-01-27 61440]
"HP Health Check Scheduler"="c:\program files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-12-04 75016]
"UpdateP2GoShortCut"="c:\program files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-12-03 218408]
"UpdateLBPShortCut"="c:\program files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2008-12-03 218408]
"UpdatePDIRShortCut"="c:\program files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-12-03 218408]
"UpdatePSTShortCut"="c:\program files (x86)\CyberLink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe" [2009-02-02 210216]
"TSMAgent"="c:\program files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe" [2009-04-09 1328424]
"CLMLServer for HP TouchSmart"="c:\program files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe" [2009-04-09 185640]
"DVDAgent"="c:\program files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe" [2009-03-19 1148200]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\Wow6432Node\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

R2 ezSharedSvc;Easybits Shared Services for Windows;c:\windows\system32\svchost.exe [2008-01-21 27648]
R2 Norton Internet Security;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe [x]
R3 PCDSRVC{F36B3A4C-F95654BD-06000000}_0;PCDSRVC{F36B3A4C-F95654BD-06000000}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\pc-doctor for windows\pcdsrvc_x64.pkms [2009-02-02 23536]
S2 {55662437-DA8C-40c0-AADA-2C816A897A49};Power Control [2009/06/11 16:30];c:\program files (x86)\Hewlett-Packard\Media\DVD\000.fcl [2009-03-19 09:54 146928]
S3 netr28ux;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28ux.sys [2008-09-26 804864]


HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ezSharedSvc
.
Contents of the 'Scheduled Tasks' folder

2011-01-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-139329902-3773949464-2642598458-1000Core.job
- c:\users\Seano\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-07 02:39]

2011-01-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-139329902-3773949464-2642598458-1000UA.job
- c:\users\Seano\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-07 02:39]

2011-01-07 c:\windows\Tasks\PCDRScheduledMaintenance.job
- c:\program files\PC-Doctor for Windows\pcdr5cuiw32.exe [2009-02-02 18:59]
.

--------- x86-64 -----------


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Remote Software"="c:\program files\Hewlett-Packard\HP Remote\HP REMOTE V1.0.5.exe" [2009-02-06 172032]
"SmartMenu"="%ProgramFiles%\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" [BU]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ie&c=93&bd=Pavilion&pf=cndt
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ie&c=93&bd=Pavilion&pf=cndt
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: &AOL Toolbar Search - c:\programdata\AOL\ieToolbar\resources\en-IE\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)



[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCDSRVC{F36B3A4C-F95654BD-06000000}_0]
"ImagePath"="\??\c:\program files\pc-doctor for windows\pcdsrvc_x64.pkms"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{55662437-DA8C-40c0-AADA-2C816A897A49}]
"ImagePath"="\??\c:\program files (x86)\Hewlett-Packard\Media\DVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}]
@Denied: (A 2) (Everyone)
@SACL=
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10a.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\Elevation]
@SACL=
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\LocalServer32]
@SACL=
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10a.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\TypeLib]
@SACL=
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@SACL=
@="Shockwave Flash Object"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Control]
@SACL=

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage]
@SACL=

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories]
@SACL=

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@SACL=
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10a.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@SACL=
@="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@SACL=
@="ShockwaveFlash.ShockwaveFlash.10"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Programmable]
@SACL=

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@SACL=
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10a.ocx, 1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@SACL=
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@SACL=
@="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@SACL=
@="ShockwaveFlash.ShockwaveFlash"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@SACL=
@="Macromedia Flash Factory Object"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Control]
@SACL=

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@SACL=
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10a.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@SACL=
@="FlashFactory.FlashFactory.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Programmable]
@SACL=

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@SACL=
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10a.ocx, 1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@SACL=
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@SACL=
@="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@SACL=
@="FlashFactory.FlashFactory"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}]
@Denied: (A 2) (Everyone)
@SACL=
@="IFlashBroker2"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\ProxyStubClsid32]
@SACL=
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\TypeLib]
@SACL=
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@SACL=

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@SACL=
@="Shockwave Flash"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@SACL=
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@SACL=
@="FlashBroker"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
Completion time: 2011-01-12 05:38:21
ComboFix-quarantined-files.txt 2011-01-12 05:38
ComboFix2.txt 2011-01-09 05:50
ComboFix3.txt 2011-01-09 04:22
ComboFix4.txt 2011-01-07 05:35
ComboFix5.txt 2011-01-12 05:31

Pre-Run: 443,192,426,496 bytes free
Post-Run: 443,164,323,840 bytes free

- - End Of File - - A2A01C60A05B5ED4AD503945B37D6448

 

[Bobbye]

Please take a look at the Registry keys in the Combofix log and tell me why they are all using SACL
Example:
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Control]
@SACL=

Access Control: http://msdn.microsoft.com/en-us/library/aa374860(v=VS.85).aspx

What SACL is: http://msdn.microsoft.com/en-us/library/aa379321(v=vs.85).aspx
===========================================
About File Sharing: no one needs to try and infect you system. When you share files, you share whatever comes with them:
P2P or 'file sharing' Warning:
Note: Even if you are using a "safe" P2P program, it is only the program that is safe.

• As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verity that a download is legitimate.
• Malware writers use these program to include malicious content.
• File sharing is usually unmonitored and there is a danger that your private files might be accessed.
• The 'sharing' also includes malware that the shared system has on it.
• Files that are illegal can be spread through file sharing.

Please read the information on P2P Warning to help you better understand these dangers.

 

[bobbygeorge]

thanks for your reply.

I am not using, or have not downloaded a P2P program. I heeded your warning about this from earlier.

The answer to your question is, is simply do not know. I am kind of tired right now as I have been awake for quite awhile so, sorry, but what i have read in the links is like double dutch to me right now.

Files, as in links to photos and music(on youtube) have been shared with me on facebook. They are the only files I have opened.

So, have I got a serious problem again?

And do you think those links on facebook could be the source?

I'm getting kind of sick of the intrusion into my personal space, so want to get to the bottom of this once and for all.

The above line is me just blowing off steam.

Thanks Bobbye again for your time and awesome support