Solved Svchost spawning iexplore.exe, virus phoning home?

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

1. Please, never rename Combofix unless instructed.
2. Close any open browsers.
3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
   • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
   • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
   NOTE1. If Combofix asks you to install Recovery Console, please allow it.
   NOTE 2. If Combofix asks you to update the program, always do so.
   • Close any open browsers.
   • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
   • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
   • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
4. Double click on combofix.exe & follow the prompts.
5. When finished, it will produce a report for you.
6. Please post the "C:\ComboFix.txt"

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

Whew! That took a while. I've attached my combofix log.

How are the issues?

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

They haven't gone away. There are still multiple instances of iexplore.exe.

That's fine. Go ahead with Security Check.

Also...

Download Bootkit Remover to your Desktop.

• You then need to extract the remover.exe file from the RAR using a program capable of extracing RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
• After extracing remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users,right click on remover.exe and click Run As Administrator.
• It will show a Black screen with some data on it.
• Right click on the screen and click Select All.
• Press CTRL+C
• Open a Notepad and press CTRL+V
• Post the output back here.

Security Check Results
Results of screen317's Security Check version 0.99.4
Windows 7 (UAC is disabled!)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Disabled!
[size=1]WMI entry may not exist for antivirus; attempting automatic update.[/size]
```````````````````````````````
Anti-malware/Other Utilities Check:
Out of date HijackThis installed!
Malwarebytes' Anti-Malware
HijackThis 1.99.1
CCleaner (remove only)
Java(TM) 6 Update 20
Adobe Flash Player 10.1.53.64
Mozilla Firefox (3.5.9) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent
Comodo Firewall cmdagent.exe
Comodo Firewall cfp.exe
````````````````````````````````
DNS Vulnerability Check:
GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````

Bootkit Remover version 1.0.0.1
(c) 2009 eSage Lab
www.esagelab.com

\\.\C: -> \\.\PhysicalDrive0
MD5: 8cedfa5de235f2c6eceb00dafafd92fd
\\.\D: -> \\.\PhysicalDrive0
\\.\E: -> \\.\PhysicalDrive0

Size Device Name MBR Status
--------------------------------------------
93 GB \\.\PhysicalDrive0 Unknown boot code

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>


Press any key to quit...

OK. We found the culprit.

Open Notepad
Copy and paste following text into Notepad:
Go FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
Then in the FILE NAME box type fix.bat.
Save fix.bat to your Desktop.

Run fix.bat by double clicking.
You may see a black box appear; this is normal.

When done, run remover.exe again and post its output.

Restart computer and check for iexplore.exe presence.

Hi, got this message:
0xc000000e
boot selection failed because a required device is inaccessible

Currently repairing using the Windows disk. I'll keep you updated.

OK........

Bootkit Remover version 1.0.0.1
(c) 2009 eSage Lab
www.esagelab.com

\\.\C: -> \\.\PhysicalDrive0
MD5: bb4f1627d8b9beda49ac0d010229f3ff
\\.\D: -> \\.\PhysicalDrive0
\\.\E: -> \\.\PhysicalDrive0

Size Device Name MBR Status
--------------------------------------------
93 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


Press any key to quit...

No more iexplore.exe!!!
Seems to have worked! Anything else I need to do?

Very good

I'm concerned about your security programs.
I can see some elements of IObit Security 360 AND COMODO Internet Security running.
What's the situation here?

I normally just run Comodo only. I downloaded IOS in desperation after I couldn't find anything xD I'm guessing I should remove it now?

Yes, please.

When done....

Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.

====================================================================

Download OTL to your Desktop.

* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Under the Custom Scan box paste this in:



netsvcs
drivers32 /all
%SYSTEMDRIVE%\*.*
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\system32\*.wt
%systemroot%\system32\*.ruy
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\system32\spool\prtprocs\w32x86\*.tmp
%systemroot%\*. /mp /s
/md5start
/md5stop
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\user32.dll /md5
%systemroot%\system32\ws2_32.dll /md5
%systemroot%\system32\ws2help.dll /md5
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs



* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

• When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
• Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.

OTL was too big, so I attached it.


OTL Extras logfile created on: 7/9/2010 12:02:21 AM - Run 1
OTL by OldTimer - Version 3.2.8.1 Folder = E:\ssallain\Downloads
Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 37.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 44.00% Paging File free
Paging file location(s): c:\pagefile.sys 512 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = E:\Program Files
Drive C: | 25.20 Gb Total Space | 7.83 Gb Free Space | 31.06% Space Free | Partition Type: NTFS
Drive D: | 13.89 Gb Total Space | 1.46 Gb Free Space | 10.49% Space Free | Partition Type: NTFS
Drive E: | 54.07 Gb Total Space | 19.96 Gb Free Space | 36.91% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SSA8JS
Current User Name: ssallain
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = htmlfile] -- E:\Program Files\Internet Explorer\IEXPLORE.EXE File not found

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.bat [@ = batfile] -- Reg Error: Key error. File not found
.cmd [@ = cmdfile] -- Reg Error: Key error. File not found
.com [@ = comfile] -- Reg Error: Key error. File not found
.exe [@ = exefile] -- Reg Error: Key error. File not found
.html [@ = Opera.HTML] -- Reg Error: Key error. File not found
.pif [@ = piffile] -- Reg Error: Key error. File not found
.vbs [@ = VBSFile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "E:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "E:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome File not found
htmlfile [opennew] -- "E:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 File not found
http [open] -- "E:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome File not found
https [open] -- "E:\Program Files\Opera\opera.exe" (Opera Software)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "E:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "E:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Directory [runas] -- cmd.exe /c takeown /f "%1" /r /d y && icacls "%1" /grant administrators:F /t (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}" = PDFCreator
"{015C5B35-B678-451C-9AEE-821E8D69621C}_is1" = PeerBlock 1.0+ (r320)
"{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = CyberLink YouCam
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0840B4D6-7DD1-4187-8523-E6FC0007EFB7}" = Windows Live ID Sign-in Assistant
"{0868BB9D-5EA0-40AF-A1CC-A38ED4E5BC67}" = 32 Bit HP CIO Components Installer
"{0C826C5B-B131-423A-A229-C71B3CACCD6A}" = CDDRV_Installer
"{139B0FFA-187E-4BA1-BCA6-6B56B2B6AB8C}" = ATK Media
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
"{1C4551A6-4743-4093-91E4-1477CD655043}" = NVIDIA PhysX
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{20A36691-B09B-4EF2-A371-64A5BD265E20}" = UltraMon
"{21C41E31-D391-4FA1-AB63-DB4BCBF38F17}" = Copy Path Shell Extension
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2505571C-03B3-4F9F-AC35-33F1CB4B5E9E}_is1" = RescueTime 2.1.0
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java(TM) 6 Update 20
"{2ABC904F-6915-40AC-8CF8-B48743698CEC}" = 3132-W-R
"{3101CB58-3482-4D21-AF1A-7057FC935355}" = KhalInstallWrapper
"{34F93E31-E1A0-421C-8E86-BCF7C4193A91}" = LogMeIn
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3D5044A5-97B8-45C0-B956-BB2376569188}" = Windows Live Movie Maker
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{3FC03AF3-CD20-4A3A-B8A3-47FADD2B4224}" = Fresh Kitchen
"{46B65150-F8AA-42F2-94FB-2729A8AE5F7E}" = SPSS Statistics 17.0
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{6845255F-15CC-4DD1-94D5-D38F370118B3}_is1" = Auslogics Duplicate File Finder
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6D6664A9-3342-4948-9B7E-034EFE366F0F}" = HTC Driver
"{6FC6B625-B3A9-3A0A-E8A0-27059C97FA49}" = Focus Booster
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8D273DE5-ABFA-4BD0-A9D7-EE9C971438C4}_is1" = PDF-Viewer
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ULTIMATER_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ULTIMATER_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ULTIMATER_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ULTIMATER_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ULTIMATER_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90BC5F99-9172-43B1-805F-77BCC800CAB7}" = Opera 10.60
"{91120000-002E-0000-0000-0000000FF1CE}" = Microsoft Office Ultimate 2007
"{91120000-002E-0000-0000-0000000FF1CE}_ULTIMATER_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{93099B48-E36A-46C9-A03F-C85201D9B1C1}" = Foxit PDF IFilter
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{99E66BC9-E4B6-485F-ABFC-31EFCE36DFDF}" = Microsoft Keyboard Layout Creator 1.4
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A498D9EB-927B-459B-85D6-DD6EF8C2C564}" = erLT
"{A6F25DC1-8AA8-4BD5-9007-FD82BD001356}" = Russian Dvorak Phonetic Layout
"{A6FDF86A-F541-4E7B-AEA0-8849A2A700D5}" = iTunes
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-1033-F400-7761-000000000004}" = Adobe Acrobat 9 Pro Extended - English, Français, Deutsch
"{AC76BA86-1033-F400-7761-000000000004}{AC76BA86-1033-F400-7761-000000000004}" = Adobe Acrobat 9 Pro Extended - English, Français, Deutsch
"{ADE16A9D-FBDC-4ecc-B6BD-9C31E51D0321}" = USB2.0 0.35M WebCam
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{C1FCDCA1-2759-4E5E-84EE-3A665BB2F513}" = iPhoneBrowser
"{C887C75D-2636-41F6-BB7B-FD4B0314C1E1}" = Paragon Partition Manager 9.0 Professional
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{D5AF36E3-D72D-4E30-AB64-48A98BDDEE73}" = HTC Sync
"{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}" = Windows Live Photo Gallery
"{D86B6C32-49BD-4A02-9C43-14E497018498}" = Windows 7 Manager
"{DF6A13C0-77DF-41FE-BD05-6D5201EB0CE7}_is1" = Auslogics Disk Defrag
"{E6B87DC4-2B3D-4483-ADFF-E483BF718991}" = OpenOffice.org 3.1
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F0E2B312-D7FD-4349-A9B6-E90B36DB1BD0}" = Paint.NET v3.5.5
"{F29B21BD-CAA6-445F-8EF7-A7E2B9D8B14E}" = Logitech SetPoint
"{F40BBEC7-C2A4-4A00-9B24-7A055A2C5262}" = Microsoft Office Live Add-in 1.5
"{FD6034A3-655C-49F0-B496-D4CBFD74D7A7}" = Palm Desktop by ACCESS
"7-Zip" = 7-Zip 4.65
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Alt.Binz" = Alt.Binz 0.25.0
"Anki" = Anki
"AutoHotkey" = AutoHotkey 1.0.48.05
"Brain Workshop_is1" = Brain Workshop 4.7
"CCleaner" = CCleaner (remove only)
"com.focusboosterapp.focusbooster.8E5F79C899747AD22E21DB62AA496926DA6BBC64.1" = Focus Booster
"Combat Arms" = Combat Arms
"Combined Community Codec Pack_is1" = Combined Community Codec Pack 2009-09-09
"COMODO Internet Security" = COMODO Internet Security
"DAEMON Tools Toolbar" = DAEMON Tools Toolbar
"Defraggler" = Defraggler
"Everything" = Everything 1.2.1.371
"Foxit Reader" = Foxit Reader
"Fresh Kitchen" = Fresh Kitchen
"GPL Ghostscript 8.70" = GPL Ghostscript 8.70
"GSview 4.9" = GSview 4.9
"HControl" = ATK0100 ACPI UTILITY
"HijackThis" = HijackThis 1.99.1
"ImgBurn" = ImgBurn
"Input Director" = Input Director v1.2.1
"InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = CyberLink YouCam
"IrfanView" = IrfanView (remove only)
"Lammer Context Menu" = Lammer Context Menu v1.0.1.4
"Launchy_21344213_is1" = Launchy 2.5 Beta 2
"LockHunter_is1" = LockHunter version 1.0 beta 3, 32 bit edition
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Mendeley Desktop" = Mendeley Desktop 0.9.3-r21092
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"MiKTeX 2.8" = MiKTeX 2.8
"Mozilla Firefox (3.5.9)" = Mozilla Firefox (3.5.9)
"MyDefrag v4.2.9_is1" = MyDefrag v4.2.9
"Notebook Hardware Control" = Notebook Hardware Control 2.0 Pre-Release-06 Bugfix
"NVIDIA Drivers" = NVIDIA Drivers
"Opera" = Opera
"RealAlt_is1" = Real Alternative 2.0.0
"Revo Uninstaller" = Revo Uninstaller 1.89
"SMSERIAL" = Motorola SM56 Speakerphone Modem
"Soldat_is1" = Soldat 1.5.0
"Sophos-AntiRootkit" = Sophos Anti-Rootkit 1.5.4
"SpeedFan" = SpeedFan (remove only)
"SpywareBlaster_is1" = SpywareBlaster 4.3
"Starcraft" = Starcraft
"StarCraft II Beta" = StarCraft II Beta
"Startup Delayer" = Startup Delayer v2.5 (build 138)
"TeamViewer 5" = TeamViewer 5
"Temptation Blocker" = Temptation Blocker
"TeraCopy_is1" = TeraCopy 2.12
"TeXnicCenter_is1" = TeXnicCenter Version 1.0 Stable RC1
"ULTIMATER" = Microsoft Office Ultimate 2007
"UN080325" = BUFFALO TurboUSB for FLASH/HDD
"Unlocker" = Unlocker 1.8.9
"uTorrent" = µTorrent
"VLC media player" = VLC media player 1.0.5
"WBFS Manager 3.0" = WBFS Manager 3.0
"WinGimp-2.0_is1" = GIMP 2.6.7
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"Yahoo! Companion" = Yahoo! Toolbar

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Dropbox" = Dropbox
"Flux" = F.lux
"Google Chrome" = Google Chrome
"WinDirStat" = WinDirStat 1.1.2

========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  
  Code:

  :OTL
  SRV - File not found [On_Demand | Stopped] -- E:\Program Files\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc)
  SRV - File not found [Auto | Stopped] -- E:\Program Files\Windows Defender\mpsvc.dll -- (WinDefend)
  DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\2DE4.tmp -- (MEMSWEEP2)
  DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\SSALLA~1\AppData\Local\Temp\catchme.sys -- (catchme)
  O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
  O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
  [2010/07/08 00:35:52 | 000,000,000 | ---D | C] -- C:\ProgramData\IObit
  [2010/07/08 00:35:43 | 000,000,000 | ---D | C] -- E:\Program Files\IObit
  
  
  :Services
  
  :Reg
  
  :Files
  
  :Commands
  [purity]
  [emptytemp]
  [emptyflash]
  [resethosts]
  [Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• You will get a log that shows the results of the fix. Please post it.

All processes killed
========== OTL ==========
Service WMPNetworkSvc stopped successfully!
Service WMPNetworkSvc deleted successfully!
File E:\Program Files\Windows Media Player\wmpnetwk.exe not found.
Service WinDefend stopped successfully!
Service WinDefend deleted successfully!
File E:\Program Files\Windows Defender\mpsvc.dll not found.
Service MEMSWEEP2 stopped successfully!
Service MEMSWEEP2 deleted successfully!
File C:\Windows\System32\2DE4.tmp not found.
Service catchme stopped successfully!
Service catchme deleted successfully!
File C:\Users\SSALLA~1\AppData\Local\Temp\catchme.sys not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet:/pagefile deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\ not found.
C:\ProgramData\IObit\IObit Security 360 folder moved successfully.
C:\ProgramData\IObit folder moved successfully.
E:\Program Files\IObit folder moved successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: ssallain
->Temp folder emptied: 3631728 bytes
->Temporary Internet Files folder emptied: 2978468 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Google Chrome cache emptied: 44065373 bytes
->Flash cache emptied: 700 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 50184 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 10177832 bytes

Total Files Cleaned = 58.00 mb


[EMPTYFLASH]

User: All Users

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: ssallain
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb

C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.8.1 log created on 07092010_003647

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

Thanks for the help! I'll be going to sleep. I'll check back tomorrow.

Good

1. Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.


2. Go to Kaspersky website and perform an online antivirus scan.

1. Disable your active antivirus program.
2. Read through the requirements and privacy statement and click on Accept button.
3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
4. When the downloads have finished, click on Settings.
5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

• Spyware, Adware, Dialers, and other potentially dangerous programs
  [*] Archives
  [*] Mail databases

6. Click on My Computer under Scan.
7. Once the scan is complete, it will display the results. Click on View Scan Report.
8. You will see a list of infected items there. Click on Save Report As....
9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

Here's my log!

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Saturday, July 10, 2010
Operating system: Microsoft Professional (build 7600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, July 09, 2010 20:04:57
Records in database: 4242959
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Objects scanned: 482242
Threats found: 12
Infected objects found: 20
Suspicious objects found: 0
Scan duration: 08:44:06


File name / Threat / Threats count
C:\Windows\System32\4SI4g9S.mph Infected: Trojan-Clicker.Win32.AdClicer.d 1
C:\Windows\System32\6wkvmaDFAH.mph Infected: Trojan-Clicker.Win32.AdClicer.d 1
C:\Windows\System32\Fues7XHg1.mph Infected: Trojan-Clicker.Win32.AdClicer.d 1
C:\Windows\System32\gcosLToHtK1.mph Infected: Trojan-Clicker.Win32.AdClicer.d 1
C:\Windows\System32\IdOOmt7faH.mph Infected: Trojan-Clicker.Win32.AdClicer.d 1
C:\Windows\System32\KwTFKiJS4JeRE.mph Infected: Trojan-Clicker.Win32.AdClicer.d 1
C:\Windows\System32\N8xCWxCJSxc.mph Infected: Trojan-Clicker.Win32.AdClicer.d 1
C:\Windows\System32\R5u6ed8yDyT8g.mph Infected: Trojan-Clicker.Win32.AdClicer.d 1
C:\Windows\System32\UkXWViCR.mph Infected: Trojan-Clicker.Win32.AdClicer.d 1
C:\Windows\System32\VjNrEMF.mph Infected: Trojan-Clicker.Win32.AdClicer.d 1
C:\Windows\System32\WpWAlePy3eqbD.mph Infected: Trojan-Clicker.Win32.AdClicer.d 1
C:\Windows\System32\Wuu3O22Iw.mph Infected: Trojan-Clicker.Win32.AdClicer.d 1
C:\Windows\System32\ZRLlEfk.mph Infected: Trojan-Clicker.Win32.AdClicer.d 1
E:\ssallain\Desktop\UltraVNC_1.0.8.2_Setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.gc 1
E:\ssallain\Documents\My Dropbox\Portable Apps\Utilities\nirsoft_package_beta_100\astlog.exe Infected: not-a-virusSWTool.Win32.Asterisk.c 1
E:\ssallain\Documents\My Dropbox\Portable Apps\Utilities\nirsoft_package_beta_100\mzcv.exe Infected: not-a-virusSWTool.Win32.NetPass.lm 1
E:\ssallain\Documents\My Dropbox\Portable Apps\Utilities\nirsoft_package_beta_100\produkey.exe Infected: not-a-virusSWTool.Win32.ProductKey.ar 1
E:\ssallain\Documents\My Dropbox\Portable Apps\Utilities\nirsoft_package_beta_100\recentfilesview.exe Infected: not-a-virusSWTool.Win32.WinPassViewer.k 1
E:\ssallain\Documents\My Dropbox\Portable Apps\Utilities\nirsoft_package_beta_100\sniffpass.exe Infected: not-a-virusSWTool.Win32.SniffPass.a 1
E:\Program Files\Input Director\IDHookLibrary.dll Infected: not-a-virus:Monitor.Win32.Hooker.am 1

Selected area has been scanned.

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  
  Code:

  :OTL
  
  :Services
  
  :Reg
  
  :Files
  C:\Windows\System32\4SI4g9S.mph 
  C:\Windows\System32\6wkvmaDFAH.mph 
  C:\Windows\System32\Fues7XHg1.mph 
  C:\Windows\System32\gcosLToHtK1.mph 
  C:\Windows\System32\IdOOmt7faH.mph 
  C:\Windows\System32\KwTFKiJS4JeRE.mph 
  C:\Windows\System32\N8xCWxCJSxc.mph 
  C:\Windows\System32\R5u6ed8yDyT8g.mph
  C:\Windows\System32\UkXWViCR.mph 
  C:\Windows\System32\VjNrEMF.mph
  C:\Windows\System32\WpWAlePy3eqbD.mph 
  C:\Windows\System32\Wuu3O22Iw.mph 
  C:\Windows\System32\ZRLlEfk.mph 
  
  
  
  :Commands
  [purity]
  [emptytemp]
  [emptyflash]
  [resethosts]
  [Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• You will get a log that shows the results of the fix. Please post it.
  

All processes killed
========== OTL ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\Windows\System32\4SI4g9S.mph moved successfully.
C:\Windows\System32\6wkvmaDFAH.mph moved successfully.
C:\Windows\System32\Fues7XHg1.mph moved successfully.
C:\Windows\System32\gcosLToHtK1.mph moved successfully.
C:\Windows\System32\IdOOmt7faH.mph moved successfully.
C:\Windows\System32\KwTFKiJS4JeRE.mph moved successfully.
C:\Windows\System32\N8xCWxCJSxc.mph moved successfully.
C:\Windows\System32\R5u6ed8yDyT8g.mph moved successfully.
C:\Windows\System32\UkXWViCR.mph moved successfully.
C:\Windows\System32\VjNrEMF.mph moved successfully.
C:\Windows\System32\WpWAlePy3eqbD.mph moved successfully.
C:\Windows\System32\Wuu3O22Iw.mph moved successfully.
C:\Windows\System32\ZRLlEfk.mph moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: ssallain
->Temp folder emptied: 108334072 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 128094 bytes
->FireFox cache emptied: 52644991 bytes
->Google Chrome cache emptied: 11651729 bytes
->Flash cache emptied: 9589 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 882 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 165.00 mb


[EMPTYFLASH]

User: All Users

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: ssallain
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb

C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.9.0 log created on 07102010_173006

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...