Inactive Search redirect malware hit PC, need help

jbmeyer

My PC has been afflicted with some form of search redirect malware that redirects Google and other search results to load erroneous pages after clicking on a result; this occurs under IE and Chrome. I am also experiencing fairly routine blue screen events on the PC now, every few hours or so of activity. Realizing that this problem will not simply go away, I found this forum to see if I could find some assistance. I have followed the 5-step malware removal instructions up through step 3, and have posted my results below. For whatever reason, I cannot download the DDS script as suggested in step 4; the bleepingcomputer.com site just does not seem to have it available, or I am being blocked from getting it somehow -- are others having such problems?

My results up through step 3 are shown below; any and all help in this matter is very much appreciated:

Step 1 - Utilizing Microsoft Security Essentials (definitions fully updated) - found no problems.

Step 2 - ran Malwarebytes Anti-Malware, results below:


Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8021

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

10/25/2011 6:41:55 PM
mbam-log-2011-10-25 (18-41-55).txt

Scan type: Full scan (C:\|)
Objects scanned: 450762
Time elapsed: 1 hour(s), 29 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Step 3 - ran GMER, results below:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-10-31 11:43:01
Windows 6.1.7601 Service Pack 1
Running: 5glfh97s.exe; Driver: C:\Users\John\AppData\Local\Temp\pxloypod.sys


---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2370536414-983749384-3936569394-1001@RefCount 4

---- EOF - GMER 1.0.15 ----
 
Welcome to TechSpot! The redirect and the BSOD may or may not be related. But let's see if we can get DDS running:

Please download this file: xp_scr_fix

Unpack (unzip) the file onto your desktop and double-click it. You will be asked if you wish to merge the file with your registry; say Yes.

You should then be able to run DDS.scr. It's the .scr file extension causing the problem.

Please leave the 2 DDS logs if the scan proceeds. If it does not, let me know specifically what happens.
==============================================
You can also run Combofix. That isn't an either/or with DDS; both are possible:
Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------
Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save it to the desktop
  • Double click combofix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once installed, you should see a blue screen prompt that says:
    The Recovery Console was successfully installed.
  • Click on Yes, to continue scanning for malware.
  • If Combofix asks you to update the program, allow it.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe & follow the prompts to run.
  • When the scan completes, a report will be generated; it will open in a text window. Please paste C:\ComboFix.txt in your next reply.
Re-enable your Antivirus software.

Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
====================================
My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me.
  • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
  • Follow the order of the tasks I give you. Order is crucial in cleaning process.
  • File sharing programs should be uninstalled or disabled during the cleaning process.
  • Observe these:
    [o] Don't use any other cleaning programs or scans while I'm helping you.
    [o] Don't use a Registry cleaner or make any changes in the Registry.
    [o] Don't download and install new programs- except those I give you.
  • Please let me know if there is any change in the system.

If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
=====================================
 
Solved DDS problem, posted log, still need help

Used IE instead of Chrome to download the DDS script; I still don't understand why this happens, but that's a small issue compared to the larger problems here.

See DDS.log below:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by John at 13:50:41 on 2011-10-31
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.2047.1031 [GMT -5:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50ST7.EXE
C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50RP7.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
C:\Program Files\Flip Video\FlipShareServer\FlipShareServer.exe
C:\Program Files\Windows Live\Family Safety\fsssvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Microsoft\BingBar\SeaPort.EXE
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Bandoo\Bandoo.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\DllHost.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Windows Live\Family Safety\fsui.exe
C:\Program Files\Logitech\Gaming Software\LWEMon.exe
C:\Program Files\Epson Software\Event Manager\EEventManager.exe
C:\Windows\vsnpstd3.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Windows\PixArt\PAC7302\Monitor.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows iLivid Toolbar\Datamngr\datamngrUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\TiVo\Desktop\TiVoTransfer.exe
C:\Program Files\TiVo\Desktop\TiVoNotify.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\REGSVR32.exe
C:\Windows\system32\conhost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: PageRage Toolbar: {9565115d-c7d6-46d3-bd63-b67b481a4368} - c:\program files\pagerage\prxtbPage.dll
mURLSearchHooks: PageRage Toolbar: {9565115d-c7d6-46d3-bd63-b67b481a4368} - c:\program files\pagerage\prxtbPage.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: PageRage Toolbar: {9565115d-c7d6-46d3-bd63-b67b481a4368} - c:\program files\pagerage\prxtbPage.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo layers\YontooIEClient.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"
TB: PageRage Toolbar: {9565115d-c7d6-46d3-bd63-b67b481a4368} - c:\program files\pagerage\prxtbPage.dll
TB: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [TivoServer] c:\program files\tivo\desktop\TiVoServer.exe /service /registry
uRun: [TivoTransfer] c:\program files\tivo\desktop\TiVoTransfer.exe
uRun: [TivoNotify] c:\program files\tivo\desktop\TiVoNotify.exe /service /registry /auto:TivoNotify
uRun: [TranscodingService] c:\program files\tivo\desktop\plus\\TranscodingService.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [fssui] "c:\program files\windows live\family safety\fsui.exe" -autorun
mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [Start WingMan Profiler] c:\program files\logitech\gaming software\LWEMon.exe /noui
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [EEventManager] "c:\program files\epson software\event manager\EEventManager.exe"
mRun: [snpstd3] c:\windows\vsnpstd3.exe
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [PAC7302_Monitor] c:\windows\pixart\pac7302\Monitor.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [DATAMNGR] c:\progra~1\wi3c8a~1\datamngr\DATAMN~1.EXE
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVWSzItQUxZTUYtU0xLTFUtQVoyVUItNkdPS0ItSkhGTkg"&"inst=NzctNTkzNjMyMzQ5LUZQOSs2LVRCOSsyLUZMKzktRjEwTSs1LVFJWDErNC1YMjAxMCsyLUYxME0xMEQrMS1MSUMrNzctU1AxKzEtU1AxVEIrMS1TVUQrMS1TMUkrMS1TVTMrMS1GTDEwKzEtRERUKzA"&"prod=90"&"ver=10.0.1391
StartupFolder: c:\users\john\appdata\roaming\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} - hxxp://zone.msn.com/bingame/zpagames/zpa_txhe.cab79352.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{3EA3B73C-52E7-4632-9399-71C3A80B61CC} : NameServer = 192.168.2.1,8.8.4.4,8.8.4.4
TCP: Interfaces\{3EA3B73C-52E7-4632-9399-71C3A80B61CC} : DhcpNameServer = 192.168.2.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
AppInit_DLLs: c:\progra~1\wi3c8a~1\datamngr\datamngr.dll c:\progra~1\wi3c8a~1\datamngr\iebho.dll c:\progra~1\bandoo\bndhook.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R1 MpKslab02c74c;MpKslab02c74c;c:\programdata\microsoft\microsoft antimalware\definition updates\{ad553876-bd1e-41ac-8560-cfdefb5d5db5}\MpKslab02c74c.sys [2011-10-31 28752]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-7-28 176128]
R2 EPSON_EB_RPCV4_04;EPSON V5 Service4(04);c:\program files\common files\epson\epw!3 ssrp\E_S50ST7.EXE [2011-2-21 153600]
R2 EPSON_PM_RPCV4_04;EPSON V3 Service4(04);c:\program files\common files\epson\epw!3 ssrp\E_S50RP7.EXE [2011-2-21 121856]
R2 FlipShareServer;FlipShare Server;c:\program files\flip video\flipshareserver\FlipShareServer.exe [2010-12-15 1085440]
R2 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2010-11-27 39272]
R2 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2011-5-13 1492840]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2011-10-23 1153368]
R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atikmdag.sys [2011-7-28 8396800]
R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2011-7-28 247296]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [2011-3-30 100880]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2011-4-18 43392]
R3 pxloypod;pxloypod;c:\users\john\appdata\local\temp\pxloypod.sys [2011-10-31 100864]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-4 135664]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-3-15 183560]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-4 135664]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2011-4-27 65024]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2011-4-27 208944]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2011-5-20 15872]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-5-20 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-4-30 1343400]
S4 TivoBeacon2;TiVo Beacon Service;c:\program files\tivo\desktop\TiVoBeacon.exe [2010-8-24 1104656]
.
=============== Created Last 30 ================
.
2011-10-31 16:52:41 28752 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{ad553876-bd1e-41ac-8560-cfdefb5d5db5}\MpKslab02c74c.sys
2011-10-31 16:52:40 56200 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{ad553876-bd1e-41ac-8560-cfdefb5d5db5}\offreg.dll
2011-10-31 16:52:37 6668624 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{ad553876-bd1e-41ac-8560-cfdefb5d5db5}\mpengine.dll
2011-10-31 16:02:33 -------- d-----w- c:\users\john\appdata\local\{E6FF941F-06D0-4A50-9513-333D263A386C}
2011-10-31 16:02:18 -------- d-----w- c:\users\john\appdata\local\{5958497D-ADAD-4D25-8D02-A4FC886DF598}
2011-10-30 15:12:06 -------- d-----w- c:\users\john\appdata\local\{C45AB9A6-0240-4BF4-8254-F1A2A183B485}
2011-10-30 15:11:54 -------- d-----w- c:\users\john\appdata\local\{755C0C83-ADF5-4792-B7D2-3FEC0C0F6689}
2011-10-30 02:21:15 -------- d-----w- c:\users\john\appdata\local\{D6C8C450-F1EC-4BB3-B068-DA85DB9A26D3}
2011-10-30 02:21:04 -------- d-----w- c:\users\john\appdata\local\{07FF8BE1-A8FE-4F4D-94E9-0F288C7C9E21}
2011-10-29 12:58:11 -------- d-----w- c:\users\john\appdata\local\{57E21ACE-9E96-4E51-BFF3-F959F76C665D}
2011-10-29 12:58:00 -------- d-----w- c:\users\john\appdata\local\{8F33B3F3-1E51-47F6-9F9D-71621120354A}
2011-10-29 00:57:22 -------- d-----w- c:\users\john\appdata\local\{6CC01C18-2E1F-4933-9861-57E6B3726B48}
2011-10-29 00:57:11 -------- d-----w- c:\users\john\appdata\local\{3D680668-D658-4FE4-8200-0BDE762B3A51}
2011-10-28 12:56:35 -------- d-----w- c:\users\john\appdata\local\{103BD07D-31D4-4E43-9BEF-A49367B3B927}
2011-10-28 12:56:24 -------- d-----w- c:\users\john\appdata\local\{61F2241C-0343-47E3-85AB-650287A91D25}
2011-10-28 00:11:29 -------- d-----w- c:\users\john\appdata\local\{C38FC954-78B5-4C57-A131-441CD9CA31D8}
2011-10-28 00:11:18 -------- d-----w- c:\users\john\appdata\local\{06A6D127-FA0B-4C62-893C-E510026DDE3A}
2011-10-27 12:10:42 -------- d-----w- c:\users\john\appdata\local\{C86794CF-1FC3-4561-9570-96C1A1671C0F}
2011-10-27 12:10:31 -------- d-----w- c:\users\john\appdata\local\{78A531AB-2C75-416B-B8F2-84C63ABF7C3D}
2011-10-27 00:09:54 -------- d-----w- c:\users\john\appdata\local\{3B78D9E0-49BD-45DA-A1B8-0F1C5119541C}
2011-10-27 00:09:43 -------- d-----w- c:\users\john\appdata\local\{AA3DB2EC-9475-4ABD-B33A-21E50C28098D}
2011-10-26 12:09:08 -------- d-----w- c:\users\john\appdata\local\{2542908E-D4D7-4338-94C0-F46EBAF73356}
2011-10-26 12:08:57 -------- d-----w- c:\users\john\appdata\local\{8627EA74-9A73-42DB-AAEC-7BED9C9D2000}
2011-10-26 12:08:46 -------- d-----w- c:\users\john\appdata\local\{FFBE2B2D-1700-4D47-967D-1F2F70ACB502}
2011-10-26 12:08:35 -------- d-----w- c:\users\john\appdata\local\{AF8B243C-F9D4-46CA-8451-8998AFE4C0C8}
2011-10-26 00:08:10 -------- d-----w- c:\users\john\appdata\local\{20B27EC2-5BC4-4666-B674-9927ADDC6AEB}
2011-10-26 00:07:58 -------- d-----w- c:\users\john\appdata\local\{FCA695B5-F96B-478D-9A70-9988B488C324}
2011-10-25 21:42:40 -------- d-----w- c:\users\john\appdata\roaming\Malwarebytes
2011-10-25 21:42:25 -------- d-----w- c:\programdata\Malwarebytes
2011-10-25 21:42:20 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-25 21:42:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-25 12:07:30 -------- d-----w- c:\users\john\appdata\local\{BA546490-C10A-4409-A69C-EA6C7C3D900D}
2011-10-25 12:07:17 -------- d-----w- c:\users\john\appdata\local\{BBDC40BE-020B-4815-8A6E-53C8F7C9B28F}
2011-10-25 12:06:59 -------- d-----w- c:\users\john\appdata\local\{70B645DC-775C-4B06-9C3B-D7335BCB44FD}
2011-10-25 12:06:45 -------- d-----w- c:\users\john\appdata\local\{44E59FCD-0732-4D4C-B492-C5ACE393BEB2}
2011-10-24 14:02:31 -------- d-----w- c:\users\john\appdata\local\{6EDE0F1F-F493-422D-9FEF-98EC9E41FB5A}
2011-10-24 14:02:20 -------- d-----w- c:\users\john\appdata\local\{0D0E38E2-9688-4E90-9325-195E357111F3}
2011-10-23 23:42:53 -------- d-----w- c:\users\john\appdata\local\{B352F5C9-6F13-432C-BFFA-76DD02C145CC}
2011-10-23 23:42:43 -------- d-----w- c:\users\john\appdata\local\{A32D6A7F-0176-46FB-857F-9429B8204F8E}
2011-10-23 23:42:32 -------- d-----w- c:\users\john\appdata\local\{BA9C61BB-B71A-4A01-8D67-351CE7BBEA60}
2011-10-23 23:42:21 -------- d-----w- c:\users\john\appdata\local\{10308935-7290-48B5-B1F4-92F202C7C8FF}
2011-10-23 19:00:46 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-10-23 19:00:46 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-10-23 18:52:26 -------- d-sh--w- C:\$RECYCLE.BIN
2011-10-23 17:28:37 -------- d-----w- c:\users\john\appdata\local\temp
2011-10-23 15:12:37 -------- d-----w- C:\Combo-Fix.exe29559C
2011-10-23 11:41:55 -------- d-----w- c:\users\john\appdata\local\{AD624341-0269-4C12-AFB5-28E7D311577B}
2011-10-23 11:41:44 -------- d-----w- c:\users\john\appdata\local\{74C4707D-F0E6-481A-B909-38DDC4B60961}
2011-10-22 16:16:53 -------- d-----w- c:\users\john\appdata\local\{9C157157-4D7D-4FD4-B207-C7E1081894BB}
2011-10-22 16:16:19 -------- d-----w- c:\users\john\appdata\local\{B29ACD72-9A68-4DEA-988B-1684CF1897D0}
2011-10-22 16:15:54 -------- d-----w- c:\users\john\appdata\local\{FF911891-B2D8-4D4E-A9B9-71EBA2C46F88}
2011-10-22 02:18:15 -------- d-----w- c:\program files\iTunes
2011-10-22 02:18:15 -------- d-----w- c:\program files\iPod
2011-10-22 02:15:22 -------- d-----w- c:\program files\Bonjour
2011-10-22 02:14:19 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2011-10-22 02:14:18 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
2011-10-22 02:14:18 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2011-10-22 02:14:18 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
2011-10-22 02:14:18 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
2011-10-22 02:14:18 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
2011-10-22 02:14:18 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
2011-10-22 01:49:06 -------- d-----w- c:\users\john\appdata\local\{94EB172A-8EE6-4910-84D3-8785C49F0FB9}
2011-10-22 01:48:53 -------- d-----w- c:\users\john\appdata\local\{EA227192-9E0C-4418-A10C-A6A4E9783FDB}
2011-10-21 04:57:37 98816 ----a-w- c:\windows\sed.exe
2011-10-21 04:57:37 518144 ----a-w- c:\windows\SWREG.exe
2011-10-21 04:57:37 256000 ----a-w- c:\windows\PEV.exe
2011-10-21 04:57:37 208896 ----a-w- c:\windows\MBR.exe
2011-10-21 04:19:02 -------- d-----w- c:\users\john\appdata\local\{FF3DEC86-FB1F-4686-BA8C-AADB55197A86}
2011-10-21 04:18:50 -------- d-----w- c:\users\john\appdata\local\{CE3132B7-1BB1-4B4F-BF48-B3405C78C256}
2011-10-21 04:18:34 -------- d-----w- c:\users\john\appdata\local\{00BC2FB7-0621-4BC0-9F53-839A853BD34F}
2011-10-20 15:10:21 -------- d-----w- c:\users\john\appdata\local\{95BEE55A-BA96-4EA9-BA58-525DAB1DF664}
2011-10-20 15:10:05 -------- d-----w- c:\users\john\appdata\local\{7EE83231-AE47-4AD5-BF24-DAEBF6148A3E}
2011-10-20 12:00:00 184 ----a-w- c:\programdata\microsoft\microsoft antimalware\localcopy\{DDCA8712-1E21-66EB-F588-330BE1C2C51E}-tmp41f69acf.bat
2011-10-13 11:32:00 75776 ----a-w- c:\windows\system32\psisrndr.ax
2011-10-13 11:32:00 465408 ----a-w- c:\windows\system32\psisdecd.dll
2011-10-13 11:31:58 571904 ----a-w- c:\windows\system32\oleaut32.dll
2011-10-13 11:31:58 233472 ----a-w- c:\windows\system32\oleacc.dll
2011-10-13 11:31:51 2334720 ----a-w- c:\windows\system32\win32k.sys
2011-10-11 11:46:54 703824 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{e509b4f9-c7bb-48ec-bc0b-0ddb365714dd}\gapaengine.dll
2011-10-09 04:55:56 -------- d-----w- c:\users\john\appdata\local\{F1D3B49B-42D5-4DC1-A612-6989114C39CC}
2011-10-09 04:55:46 -------- d-----w- c:\users\john\appdata\local\{21BEA239-7C88-4040-8C3D-88E9919B4EAA}
2011-10-08 15:52:14 -------- d-----w- c:\users\john\appdata\local\{94BA274A-5ED3-4D4D-82FE-A89E7E3CBA20}
2011-10-08 15:52:03 -------- d-----w- c:\users\john\appdata\local\{E3F36717-0EB3-4FAD-A2E3-467C210E11F0}
2011-10-08 03:51:25 -------- d-----w- c:\users\john\appdata\local\{BB3764E3-032C-4DF1-B8DE-B174146F9D6F}
2011-10-08 03:51:11 -------- d-----w- c:\users\john\appdata\local\{CCBDC31F-A86F-4E56-8D85-3D767DE4B808}
2011-10-08 03:50:57 -------- d-----w- c:\users\john\appdata\local\{A0219028-3D3C-4D43-B64F-03D043EF1AC9}
2011-10-06 21:19:16 -------- d-----w- c:\users\john\appdata\local\{FE1A3194-C9B8-4127-B8A5-808DC7839558}
2011-10-06 09:18:47 -------- d-----w- c:\users\john\appdata\local\{872A40D8-9EF8-4BB8-B5F8-8BDC879386A1}
2011-10-05 21:18:19 -------- d-----w- c:\users\john\appdata\local\{F3AD100F-2D19-4266-93BF-04CAE530EAE8}
2011-10-05 09:17:50 -------- d-----w- c:\users\john\appdata\local\{405364C1-8145-491E-BBE3-6133B3DA987F}
2011-10-04 21:17:20 -------- d-----w- c:\users\john\appdata\local\{59526DE9-3ECA-4FE8-AF49-084A1A32E468}
2011-10-04 09:16:49 -------- d-----w- c:\users\john\appdata\local\{3FDBA441-EAAD-4F7D-B561-4143ED9B7746}
2011-10-03 21:16:21 -------- d-----w- c:\users\john\appdata\local\{CD8DA331-FF77-4DED-8C95-41BD88959835}
2011-10-03 09:15:51 -------- d-----w- c:\users\john\appdata\local\{ADCF4020-5A82-46F6-9EDF-5772AE841CDE}
2011-10-02 21:15:19 -------- d-----w- c:\users\john\appdata\local\{B38C5243-E798-4DCC-B007-018B8D77BCB8}
2011-10-02 09:14:46 -------- d-----w- c:\users\john\appdata\local\{F8896B95-DFF1-4E6B-B657-EEBF0761A3FE}
2011-10-01 21:10:28 -------- d-----w- c:\users\john\appdata\local\{237AB358-2678-482F-8702-86EC2EB550E5}
2011-10-01 21:10:16 -------- d-----w- c:\users\john\appdata\local\{4D806884-0562-47F2-9CC5-3FBB86C6D707}
.
==================== Find3M ====================
.
2011-10-24 02:33:04 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-03 10:06:03 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-14 16:47:40 53760 ----a-w- c:\windows\system32\OVDecode.dll
2011-09-14 16:46:58 13625856 ----a-w- c:\windows\system32\amdocl.dll
2011-09-14 16:38:28 37376 ----a-w- c:\windows\system32\amdoclcl.dll
2011-09-01 02:35:59 1798144 ----a-w- c:\windows\system32\jscript9.dll
2011-09-01 02:28:15 1126912 ----a-w- c:\windows\system32\wininet.dll
2011-09-01 02:22:54 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-08-31 04:05:04 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-08-31 04:05:04 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-08-31 04:05:04 178536 ----a-w- c:\windows\system32\dnssdX.dll
.
============= FINISH: 13:57:36.34 ===============
 
And here is Attach.txt:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Ultimate
Boot Device: \Device\HarddiskVolume1
Install Date: 1/9/2010 4:44:51 PM
System Uptime: 10/31/2011 10:42:18 AM (3 hours ago)
.
Motherboard: ASUSTeK Computer INC. | | M2N68-AM SE2
Processor: AMD Athlon(tm) II X2 250 Processor | AM2 | 3000/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 149 GiB total, 4.445 GiB free.
D: is CDROM ()
E: is FIXED (NTFS) - 373 GiB total, 110.085 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: MpKsl8590d562
Device ID: ROOT\LEGACY_MPKSL8590D562\0000
Manufacturer:
Name: MpKsl8590d562
PNP Device ID: ROOT\LEGACY_MPKSL8590D562\0000
Service: MpKsl8590d562
.
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: MpKsl912937b0
Device ID: ROOT\LEGACY_MPKSL912937B0\0000
Manufacturer:
Name: MpKsl912937b0
PNP Device ID: ROOT\LEGACY_MPKSL912937B0\0000
Service: MpKsl912937b0
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: NVIDIA nForce Networking Controller
Device ID: PCI\VEN_10DE&DEV_03EF&SUBSYS_83A41043&REV_A2\3&267A616A&0&38
Manufacturer: NVIDIA
Name: NVIDIA nForce 10/100 Mbps Ethernet
PNP Device ID: PCI\VEN_10DE&DEV_03EF&SUBSYS_83A41043&REV_A2\3&267A616A&0&38
Service: NVNET
.
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: MpKsl0f087856
Device ID: ROOT\LEGACY_MPKSL0F087856\0000
Manufacturer:
Name: MpKsl0f087856
PNP Device ID: ROOT\LEGACY_MPKSL0F087856\0000
Service: MpKsl0f087856
.
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: MpKsl49eafb6b
Device ID: ROOT\LEGACY_MPKSL49EAFB6B\0000
Manufacturer:
Name: MpKsl49eafb6b
PNP Device ID: ROOT\LEGACY_MPKSL49EAFB6B\0000
Service: MpKsl49eafb6b
.
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: AODDriver4.01
Device ID: ROOT\LEGACY_AODDRIVER4.01\0000
Manufacturer:
Name: AODDriver4.01
PNP Device ID: ROOT\LEGACY_AODDRIVER4.01\0000
Service: AODDriver4.01
.
==== System Restore Points ===================
.
RP305: 10/31/2011 12:21:52 PM - Scheduled Checkpoint
.
==== Installed Programs ======================
.
Update for Microsoft Office 2007 (KB2508958)
3ivx MPEG-4 5.0.3 (remove only)
Acrobat.com
Adobe AIR
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 10 Plugin
Adobe Flash Player 11 ActiveX
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 9.4.6
Adobe Shockwave Player 11.5
Adobe Stock Photos 1.0
Amazon MP3 Downloader 1.0.10
AMD Catalyst Install Manager
Any Video Converter 3.2.1
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Application Profiles
Audacity 1.2.6
AVG PC Tuneup 2011
Bandoo
Batman: Arkham Asylum
Bing Bar
BioShock
Bonjour
Catalyst Control Center InstallProxy
CDex - Open Source Digital Audio CD Extractor
Conduit Engine
D3DX10
Definition update for Microsoft Office 2010 (KB982726) 32-Bit Edition
Dual-Core Optimizer
Epson Event Manager
EPSON NX620 Series Printer Uninstall
EPSON Scan
ExtractNow
EZNEC Demo v. 5.0
Facebook Plug-In
FlipShare
GameSpy Arcade
Google Chrome
Google Earth
Google Toolbar for Internet Explorer
Google Update Helper
iLivid
iTunes
Java Auto Updater
Java(TM) 6 Update 29
Junk Mail filter update
Logitech Gaming Software 5.02
Malwarebytes' Anti-Malware version 1.51.2.1300
Microsoft .NET Framework 4 Client Profile
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Expression Web
Microsoft Expression Web MUI (English)
Microsoft Expression Web Service Pack 1 (SP1)
Microsoft Games for Windows - LIVE Redistributable
Microsoft Games for Windows Marketplace
Microsoft IntelliType Pro 8.1
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2010 Language Pack Service Pack 1 (SP1)
Microsoft Office 2010 Service Pack 1 (SP1)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Live Add-in 1.5
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook Connector
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2007
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing (English) 2010
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office SharePoint Designer 2007
Microsoft Office SharePoint Designer 2007 Service Pack 2 (SP2)
Microsoft Office SharePoint Designer MUI (English) 2007
Microsoft Office Visio 2010
Microsoft Office Visio MUI (English) 2010
Microsoft Office Word MUI (English) 2007
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visio 2010 Service Pack 1 (SP1)
Microsoft Visio Professional 2010
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
Microsoft WorldWide Telescope
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
NVIDIA Drivers
NVIDIA PhysX
OGA Notifier 2.0.0048.0
PageRage Toolbar
PC Camera
Photo Resizer
PVSonyDll
QuickPar 0.9
QuickTime
REA's TESTware for the AP World History
Red Faction: Guerrilla
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2553074)
Security Update for 2007 Microsoft Office System (KB2553089)
Security Update for 2007 Microsoft Office System (KB2553090)
Security Update for 2007 Microsoft Office System (KB2584063)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft Office 2010 (KB2553091)
Security Update for Microsoft Office 2010 (KB2584066)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB2553073)
Security Update for Microsoft Office Groove 2007 (KB2552997)
Security Update for Microsoft Office InfoPath 2007 (KB2510061)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
Security Update for Microsoft Office Publisher 2007 (KB2284697)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Security Update for Microsoft Visio 2010 (KB2553008)
Skype Toolbars
Skype™ 5.3
Spybot - Search & Destroy
Steam
Team Fortress 2
TileGem
TiVo Desktop 2.8.2
Update for 2007 Microsoft Office System (KB2284654)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 System (KB2539530)
Update for Microsoft Office 2010 (KB2494150)
Update for Microsoft Office 2010 (KB2566458)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 (KB2583910)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Sharepoint Designer 2007 Help (KB963675)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (KB2596560)
Windows iLivid Toolbar
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Mail
Windows Live Messenger
Windows Live MIME IFilter
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live Sync
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
.
==== Event Viewer Messages From Past Week ========
.
10/31/2011 12:15:43 PM, Error: volsnap [36] - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.
10/31/2011 10:42:56 AM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x00000076 (0x00000000, 0x855d0030, 0x000007d1, 0x00000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 103111-23899-01.
10/31/2011 10:42:44 AM, Error: Service Control Manager [7000] - The AODDriver4.01 service failed to start due to the following error: The system cannot find the path specified.
10/30/2011 8:01:12 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x00000076 (0x00000000, 0x856b3440, 0x000007d1, 0x00000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 103011-19780-01.
10/30/2011 1:51:02 PM, Error: Service Control Manager [7016] - The NVIDIA Display Driver Service service has reported an invalid current state 32.
10/30/2011 1:44:33 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the RemoteAccess service.
10/27/2011 6:32:37 AM, Error: RemoteAccess [20013] - The communication device attached to port VPN3-1 is not functioning.
10/27/2011 6:32:37 AM, Error: RemoteAccess [20013] - The communication device attached to port VPN3-0 is not functioning.
10/27/2011 6:32:37 AM, Error: RemoteAccess [20013] - The communication device attached to port VPN0-1 is not functioning.
10/27/2011 6:32:37 AM, Error: RemoteAccess [20013] - The communication device attached to port VPN0-0 is not functioning.
10/25/2011 7:05:44 AM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x00000076 (0x00000000, 0x85d50030, 0x000007d1, 0x00000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 102511-16832-01.
10/25/2011 10:44:29 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the FlipShare Service service.
10/24/2011 2:09:00 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x00000076 (0x00000000, 0x88459c30, 0x000007d1, 0x00000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 102411-36847-01.
.
==== End Of File ===========================
 
ComboFix log

ComboFix 11-10-30.04 - John 10/31/2011 16:58:38.3.2 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.2047.1062 [GMT -5:00]
Running from: c:\users\John\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Rina\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Restore
c:\users\Rina\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Restore\System Restore.lnk
c:\users\Rina\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Restore\Uninstall System Restore.lnk
.
---- Previous Run -------
.
C:\Combo-Fix.exe
c:\combo-fix.exe\CF18500.3XE
c:\combo-fix.exe\en-US\CF18500.3XE.mui
.
.
((((((((((((((((((((((((( Files Created from 2011-09-28 to 2011-10-31 )))))))))))))))))))))))))))))))
.
.
2011-10-31 22:42 . 2011-10-31 22:45 -------- d-----w- c:\users\John\AppData\Local\temp
2011-10-31 22:42 . 2011-10-31 22:42 -------- d-----w- c:\users\Rina\AppData\Local\temp
2011-10-31 22:42 . 2011-10-31 22:42 -------- d-----w- c:\users\Jack\AppData\Local\temp
2011-10-31 22:42 . 2011-10-31 22:42 -------- d-----w- c:\users\Elisa\AppData\Local\temp
2011-10-31 22:42 . 2011-10-31 22:42 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-10-31 22:42 . 2011-10-31 22:42 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2011-10-31 19:07 . 2011-10-31 19:07 28752 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4B54A1D9-7ED4-431B-BE6C-040306A877B5}\MpKslea8eee3c.sys
2011-10-31 19:07 . 2011-10-31 19:07 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4B54A1D9-7ED4-431B-BE6C-040306A877B5}\offreg.dll
2011-10-31 19:07 . 2011-10-07 03:48 6668624 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4B54A1D9-7ED4-431B-BE6C-040306A877B5}\mpengine.dll
2011-10-25 21:42 . 2011-10-25 21:42 -------- d-----w- c:\users\John\AppData\Roaming\Malwarebytes
2011-10-25 21:42 . 2011-10-25 21:42 -------- d-----w- c:\programdata\Malwarebytes
2011-10-25 21:42 . 2011-10-25 21:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-25 21:42 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-23 19:00 . 2011-10-23 20:20 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-10-23 19:00 . 2011-10-23 19:17 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-10-22 02:18 . 2011-10-22 02:18 -------- d-----w- c:\program files\iTunes
2011-10-22 02:18 . 2011-10-22 02:18 -------- d-----w- c:\program files\iPod
2011-10-22 02:15 . 2011-10-22 02:15 -------- d-----w- c:\program files\Bonjour
2011-10-22 02:14 . 2011-10-22 02:14 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin7.dll
2011-10-22 02:14 . 2011-10-22 02:14 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin6.dll
2011-10-22 02:14 . 2011-10-22 02:14 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
2011-10-22 02:14 . 2011-10-22 02:14 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
2011-10-22 02:14 . 2011-10-22 02:14 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
2011-10-22 02:14 . 2011-10-22 02:14 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
2011-10-22 02:14 . 2011-10-22 02:14 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin.dll
2011-10-20 12:00 . 2011-10-20 12:00 184 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{DDCA8712-1E21-66EB-F588-330BE1C2C51E}-tmp41f69acf.bat
2011-10-20 11:56 . 2011-10-20 12:16 -------- d--h--w- c:\users\Rina\AppData\Roaming\Hage
2011-10-20 11:56 . 2011-10-20 19:54 -------- d--h--w- c:\users\Rina\AppData\Roaming\Ozrai
2011-10-17 02:28 . 2011-10-17 03:28 -------- d-----w- c:\users\Jack\AppData\Roaming\Skype
2011-10-13 11:32 . 2011-08-17 04:24 465408 ----a-w- c:\windows\system32\psisdecd.dll
2011-10-13 11:32 . 2011-08-17 04:19 75776 ----a-w- c:\windows\system32\psisrndr.ax
2011-10-13 11:31 . 2011-08-27 04:26 571904 ----a-w- c:\windows\system32\oleaut32.dll
2011-10-13 11:31 . 2011-08-27 04:26 233472 ----a-w- c:\windows\system32\oleacc.dll
2011-10-13 11:31 . 2011-09-06 02:28 2334720 ----a-w- c:\windows\system32\win32k.sys
2011-10-11 11:46 . 2011-10-11 11:46 703824 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E509B4F9-C7BB-48EC-BC0B-0DDB365714DD}\gapaengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-24 02:33 . 2011-05-17 01:48 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-07 03:48 . 2011-08-06 12:19 6668624 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-10-03 10:06 . 2011-05-08 01:17 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-14 16:47 . 2011-09-14 16:47 53760 ----a-w- c:\windows\system32\OVDecode.dll
2011-09-14 16:46 . 2011-09-14 16:46 13625856 ----a-w- c:\windows\system32\amdocl.dll
2011-09-14 16:38 . 2011-09-14 16:38 37376 ----a-w- c:\windows\system32\amdoclcl.dll
2011-08-31 04:05 . 2011-08-31 04:05 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-08-31 04:05 . 2011-08-31 04:05 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-08-31 04:05 . 2011-08-31 04:05 178536 ----a-w- c:\windows\system32\dnssdX.dll
2011-08-05 23:33 . 2010-11-28 04:57 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-08-05 03:10 . 2011-08-11 08:38 439632 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-10-21_05.54.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-01-10 02:48 . 2011-10-24 02:31 36162 c:\windows\System32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 04:55 . 2011-10-31 15:44 41022 c:\windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin
- 2009-07-14 04:50 . 2011-10-06 03:22 86016 c:\windows\System32\DriverStore\infpub.dat
+ 2009-07-14 04:50 . 2011-10-24 02:24 86016 c:\windows\System32\DriverStore\infpub.dat
+ 2011-05-10 13:06 . 2011-05-10 13:06 42496 c:\windows\System32\DriverStore\FileRepository\usbaapl.inf_x86_neutral_f4beb178c072c664\usbaapl.sys
+ 2011-05-10 13:06 . 2011-05-10 13:06 18432 c:\windows\System32\DriverStore\FileRepository\netaapl.inf_x86_neutral_9a884b80d653b7cf\netaapl.sys
+ 2010-01-10 00:28 . 2011-10-31 15:42 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-01-10 00:28 . 2011-10-21 04:44 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-01-10 00:28 . 2011-10-31 15:42 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-01-10 00:28 . 2011-10-21 04:44 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:41 . 2011-10-21 04:44 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:41 . 2011-10-31 15:42 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-05-25 02:26 . 2011-07-28 20:54 13312 c:\windows\System32\atiglpxx.dll
+ 2011-07-28 20:54 . 2011-07-28 20:54 13312 c:\windows\System32\atiglpxx.dll
+ 2011-07-28 20:54 . 2011-07-28 20:54 32768 c:\windows\System32\atigktxx.dll
- 2011-05-25 02:25 . 2011-07-28 20:54 32768 c:\windows\System32\atigktxx.dll
- 2009-07-14 04:34 . 2011-10-20 12:28 88720 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
+ 2009-07-14 04:34 . 2011-10-27 16:55 88720 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
- 2010-01-10 00:15 . 2011-10-13 15:34 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-01-10 00:15 . 2011-10-25 00:46 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-10-22 01:48 . 2011-10-22 01:48 25088 c:\windows\Installer\305fd87.msi
+ 2011-10-24 01:58 . 2011-10-24 01:58 88102 c:\windows\Installer\{F940D29F-DDAB-390B-1307-B132C693DD39}\ARPPRODUCTICON.exe
+ 2011-10-24 01:58 . 2011-10-24 02:22 88102 c:\windows\Installer\{9CE4B7FA-8626-316B-B483-FCEF49E27430}\NewShortcut5_4DEA5338A7B840A3B51CDC742625BF49.exe
+ 2011-10-24 01:58 . 2011-10-24 02:22 88102 c:\windows\Installer\{9CE4B7FA-8626-316B-B483-FCEF49E27430}\NewShortcut4_4DEA5338A7B840A3B51CDC742625BF49.exe
+ 2011-10-24 01:58 . 2011-10-24 02:22 88102 c:\windows\Installer\{9CE4B7FA-8626-316B-B483-FCEF49E27430}\NewShortcut3_4DEA5338A7B840A3B51CDC742625BF49.exe
+ 2011-10-24 01:58 . 2011-10-24 02:22 88102 c:\windows\Installer\{9CE4B7FA-8626-316B-B483-FCEF49E27430}\NewShortcut2_4DEA5338A7B840A3B51CDC742625BF49.exe
+ 2011-10-24 01:58 . 2011-10-24 02:22 88102 c:\windows\Installer\{9CE4B7FA-8626-316B-B483-FCEF49E27430}\ARPPRODUCTICON.exe
+ 2010-02-07 20:49 . 2011-10-24 19:20 4464 c:\windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2370536414-983749384-3936569394-1004_UserData.bin
+ 2010-01-10 02:48 . 2011-10-30 18:54 7788 c:\windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2370536414-983749384-3936569394-1001_UserData.bin
- 2011-10-21 04:51 . 2011-10-21 04:51 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-10-30 18:52 . 2011-10-31 15:42 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-10-30 18:52 . 2011-10-31 15:42 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2011-10-21 04:51 . 2011-10-21 04:51 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-01-10 11:04 . 2011-10-31 14:19 289224 c:\windows\System32\wdi\SuspendPerformanceDiagnostics_SystemData_FastS4.bin
+ 2009-07-14 02:05 . 2011-10-30 15:17 626354 c:\windows\System32\perfh009.dat
- 2009-07-14 02:05 . 2011-10-18 21:14 626354 c:\windows\System32\perfh009.dat
- 2009-07-14 02:05 . 2011-10-18 21:14 107816 c:\windows\System32\perfc009.dat
+ 2009-07-14 02:05 . 2011-10-30 15:17 107816 c:\windows\System32\perfc009.dat
+ 2011-10-24 02:33 . 2011-10-24 02:33 247968 c:\windows\System32\Macromed\Flash\FlashUtil11c_ActiveX.exe
+ 2011-10-24 02:33 . 2011-10-24 02:33 335520 c:\windows\System32\Macromed\Flash\FlashUtil11c_ActiveX.dll
- 2011-08-29 22:59 . 2011-07-19 10:05 157472 c:\windows\System32\javaws.exe
+ 2011-10-30 15:53 . 2011-10-03 10:06 157472 c:\windows\System32\javaws.exe
- 2011-08-29 22:59 . 2011-05-08 01:16 145184 c:\windows\System32\javaw.exe
+ 2011-10-30 15:53 . 2011-10-03 10:06 145184 c:\windows\System32\javaw.exe
- 2011-08-29 22:59 . 2011-07-19 10:05 145184 c:\windows\System32\java.exe
+ 2011-10-30 15:53 . 2011-10-03 10:06 145184 c:\windows\System32\java.exe
- 2009-07-14 04:50 . 2011-10-06 03:22 143360 c:\windows\System32\DriverStore\infstrng.dat
+ 2009-07-14 04:50 . 2011-10-24 02:24 143360 c:\windows\System32\DriverStore\infstrng.dat
+ 2009-07-14 04:50 . 2011-10-24 02:24 143360 c:\windows\System32\DriverStore\infstor.dat
- 2009-07-14 04:50 . 2011-10-06 03:15 143360 c:\windows\System32\DriverStore\infstor.dat
+ 2011-03-30 18:46 . 2011-03-30 18:46 100880 c:\windows\System32\drivers\AtihdW73.sys
- 2010-09-29 01:49 . 2011-07-28 21:33 356352 c:\windows\System32\atipdlxx.dll
+ 2011-07-28 21:33 . 2011-07-28 21:33 356352 c:\windows\System32\atipdlxx.dll
- 2009-07-14 04:47 . 2011-10-21 04:50 391728 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 04:47 . 2011-10-30 18:51 391728 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-10-20 19:53 . 2011-10-24 02:28 513996 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2370536414-983749384-3936569394-1001-12288.dat
+ 2011-09-23 16:16 . 2011-09-23 16:16 628736 c:\windows\Installer\1e8ab1.msi
+ 2011-10-22 02:18 . 2011-10-22 02:18 380928 c:\windows\Installer\{29ED20C9-5E15-4969-9279-25BF3727A3DA}\iTunesIco.exe
+ 2011-09-14 09:54 . 2011-09-14 09:54 227176 c:\windows\Installer\$PatchCache$\Managed\05A9B00A0903FFC4C9AD28ADB0DEAA12\4.0.0\OutlookChangeNotifierAddIn.dll
+ 2011-05-10 13:06 . 2011-05-10 13:06 4517664 c:\windows\System32\DriverStore\FileRepository\usbaapl.inf_x86_neutral_f4beb178c072c664\usbaaplrc.dll
+ 2010-04-20 01:29 . 2010-04-20 01:29 1461992 c:\windows\System32\DriverStore\FileRepository\netaapl.inf_x86_neutral_9a884b80d653b7cf\wdfcoinstaller01009.dll
- 2011-10-06 22:38 . 2011-10-21 04:50 1569376 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2011-10-06 22:38 . 2011-10-24 02:28 1569376 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2010-12-14 13:41 . 2011-10-23 14:42 2840944 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2370536414-983749384-3936569394-1006-8192.dat
- 2011-02-07 23:08 . 2011-10-14 08:30 2993392 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2370536414-983749384-3936569394-1004-8192.dat
+ 2011-02-07 23:08 . 2011-10-24 02:28 2993392 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2370536414-983749384-3936569394-1004-8192.dat
+ 2010-12-05 17:26 . 2011-10-25 19:18 3448580 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2370536414-983749384-3936569394-1001-8192.dat
+ 2011-09-23 16:14 . 2011-09-23 16:14 5621760 c:\windows\Installer\a3e34.msi
+ 2011-10-22 02:14 . 2011-10-22 02:14 9538048 c:\windows\Installer\319eb15.msi
+ 2011-10-22 02:14 . 2011-10-22 02:14 2358784 c:\windows\Installer\319eaba.msi
+ 2010-01-10 00:08 . 2011-10-05 15:09 48324552 c:\windows\System32\MRT.exe
- 2010-01-10 00:08 . 2011-10-14 08:06 48324552 c:\windows\System32\MRT.exe
+ 2011-07-28 21:44 . 2011-07-28 21:44 18388480 c:\windows\System32\atioglxx.dll
- 2011-05-25 03:31 . 2011-07-28 21:44 18388480 c:\windows\System32\atioglxx.dll
+ 2011-10-22 02:15 . 2011-10-22 02:15 44664320 c:\windows\Installer\319f54a.msi
+ 2011-10-22 02:12 . 2011-10-22 02:12 26755072 c:\windows\Installer\319ea97.msi
+ 2011-10-22 02:10 . 2011-10-22 02:10 20311040 c:\windows\Installer\319e79f.msi
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{9565115d-c7d6-46d3-bd63-b67b481a4368}"= "c:\program files\PageRage\prxtbPage.dll" [2011-03-28 176936]
.
[HKEY_CLASSES_ROOT\clsid\{9565115d-c7d6-46d3-bd63-b67b481a4368}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2011-03-28 16:22 176936 ----a-w- c:\program files\ConduitEngine\prxConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9565115d-c7d6-46d3-bd63-b67b481a4368}]
2011-03-28 16:22 176936 ----a-w- c:\program files\PageRage\prxtbPage.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
2011-05-16 19:51 194912 ------w- c:\program files\Yontoo Layers\YontooIEClient.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{9565115d-c7d6-46d3-bd63-b67b481a4368}"= "c:\program files\PageRage\prxtbPage.dll" [2011-03-28 176936]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\prxConduitEngine.dll" [2011-03-28 176936]
.
[HKEY_CLASSES_ROOT\clsid\{9565115d-c7d6-46d3-bd63-b67b481a4368}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2011-05-13 4283256]
"TivoServer"="c:\program files\TiVo\Desktop\TiVoServer.exe" [2010-08-24 2264336]
"TivoTransfer"="c:\program files\TiVo\Desktop\TiVoTransfer.exe" [2010-08-24 608528]
"TivoNotify"="c:\program files\TiVo\Desktop\TiVoNotify.exe" [2010-08-24 437520]
"TranscodingService"="c:\program files\TiVo\Desktop\Plus\\TranscodingService.exe" [2010-08-24 856336]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"fssui"="c:\program files\Windows Live\Family Safety\fsui.exe" [2011-05-13 884584]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"Start WingMan Profiler"="c:\program files\Logitech\Gaming Software\LWEMon.exe" [2008-04-04 88584]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"EEventManager"="c:\program files\Epson Software\Event Manager\EEventManager.exe" [2009-12-03 976320]
"snpstd3"="c:\windows\vsnpstd3.exe" [2006-09-19 827392]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2011-04-13 1298320]
"PAC7302_Monitor"="c:\windows\PixArt\PAC7302\Monitor.exe" [2006-11-03 319488]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-10-09 421736]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVWSzItQUxZTUYtU0xLTFUtQVoyVUItNkdPS0ItSkhGTkg&inst=NzctNTkzNjMyMzQ5LUZQOSs2LVRCOSsyLUZMKzktRjEwTSs1LVFJWDErNC1YMjAxMCsyLUYxME0xMEQrMS1MSUMrNzctU1AxKzEtU1AxVEIrMS1TVUQrMS1TMUkrMS1TVTMrMS1GTDEwKzEtRERUKzA&prod=90&ver=10.0.1391" [?]
.
c:\users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\WI3C8A~1\Datamngr\datamngr.dll c:\progra~1\WI3C8A~1\Datamngr\IEBHO.dll c:\progra~1\Bandoo\BndHook.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R1 MpKsl0f087856;MpKsl0f087856;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0209AC4E-D9C4-4289-BBC5-3CF5A16CA916}\MpKsl0f087856.sys [x]
R1 MpKsl49eafb6b;MpKsl49eafb6b;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A1C08BE0-1CDF-4B13-8F5D-0CBFC2D5122F}\MpKsl49eafb6b.sys [x]
R1 MpKsl8590d562;MpKsl8590d562;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{2D748FEB-2C0D-465B-BDDA-2F108C3D294F}\MpKsl8590d562.sys [x]
R1 MpKsl912937b0;MpKsl912937b0;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C1D324BE-2AAC-4ACB-966F-4B91FBAE9330}\MpKsl912937b0.sys [x]
R2 AODDriver4.01;AODDriver4.01;c:\program files\ATI Technologies\ATI.ACE\Fuel\i386\AODDriver2.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 135664]
R3 amdiox86;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox86.sys [x]
R3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2011-03-16 183560]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 135664]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2011-04-27 65024]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 208944]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-30 1343400]
R4 TivoBeacon2;TiVo Beacon Service;c:\program files\TiVo\Desktop\TiVoBeacon.exe [2010-08-24 1104656]
S1 MpKslea8eee3c;MpKslea8eee3c;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4B54A1D9-7ED4-431B-BE6C-040306A877B5}\MpKslea8eee3c.sys [2011-10-31 28752]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-07-28 176128]
S2 EPSON_EB_RPCV4_04;EPSON V5 Service4(04);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50ST7.EXE [2009-09-14 153600]
S2 EPSON_PM_RPCV4_04;EPSON V3 Service4(04);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50RP7.EXE [2009-09-14 121856]
S2 FlipShareServer;FlipShare Server;c:\program files\Flip Video\FlipShareServer\FlipShareServer.exe [2010-12-15 1085440]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2011-07-28 8396800]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2011-07-28 247296]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [2011-03-30 100880]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2011-04-18 43392]
S3 pxloypod;pxloypod;c:\users\John\AppData\Local\Temp\pxloypod.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSLAB02C74C
*NewlyCreated* - MPKSLEA8EEE3C
*NewlyCreated* - PXLOYPOD
*Deregistered* - MpKslab02c74c
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 01:36]
.
2011-10-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 01:36]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{3EA3B73C-52E7-4632-9399-71C3A80B61CC}: NameServer = 192.168.2.1,8.8.4.4,8.8.4.4
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2370536414-983749384-3936569394-1001\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
"??"=hex:1e,2a,f6,56,c4,d2,2f,17,e5,09,82,30,67,3b,56,d5,9f,51,61,4b,86,67,17,
39,71,6e,1b,41,5d,02,5a,50,72,f9,a9,7d,6a,42,2e,a0,39,75,d8,06,f7,8d,9c,19,\
"??"=hex:cc,7c,b8,4e,21,96,58,df,52,95,ed,b3,65,f0,5c,24
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-10-31 18:06:06
ComboFix-quarantined-files.txt 2011-10-31 23:05
ComboFix2.txt 2011-10-21 06:15
.
Pre-Run: 4,659,372,032 bytes free
Post-Run: 5,283,889,152 bytes free
.
- - End Of File - - C9FA1DC35979612558EC9E59D617AC8A
 
Sorry, got behind.

Please run this Custom CFScript:

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open Notepad > click on Format > uncheck 'Word Wrap' > and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
Code:
File::
c:\users\John\AppData\Local\Temp\pxloypod.sys
Folder::
c:\users\John\AppData\Local\temp
c:\users\Rina\AppData\Local\temp
c:\users\Jack\AppData\Local\temp
c:\users\Elisa\AppData\Local\temp
c:\users\Default\AppData\Local\temp
c:\users\Administrator\AppData\Local\temp
c:\users\Rina\AppData\Roaming\Hage
c:\users\Rina\AppData\Roaming\Ozrai
DDS::
uURLSearchHooks: PageRage Toolbar: {9565115d-c7d6-46d3-bd63-b67b481a4368} - c:\program files\pagerage\prxtbPage.dll
mURLSearchHooks: PageRage Toolbar: {9565115d-c7d6-46d3-bd63-b67b481a4368} - c:\program files\pagerage\prxtbPage.dll
BHO: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
BHO: PageRage Toolbar: {9565115d-c7d6-46d3-bd63-b67b481a4368} - c:\program files\pagerage\prxtbPage.dll
BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo layers\YontooIEClient.dll
TB: PageRage Toolbar: {9565115d-c7d6-46d3-bd63-b67b481a4368} - c:\program files\pagerage\prxtbPage.dll
TB: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
AppInit_DLLs: c:\progra~1\wi3c8a~1\datamngr\datamngr.dll c:\progra~1\wi3c8a~1\datamngr\iebho.dll c:\progra~1\bandoo\bndhook.dll
mRun: [DATAMNGR] c:\progra~1\wi3c8a~1\datamngr\DATAMN~1.EXE
Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{9565115d-c7d6-46d3-bd63-b67b481a4368}"=-
[HKEY_CLASSES_ROOT\clsid\{9565115d-c7d6-46d3-bd63-b67b481a4368}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9565115d-c7d6-46d3-bd63-b67b481a4368}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{9565115d-c7d6-46d3-bd63-b67b481a4368}"=-
"{30F9B915-B755-4826-820B-08FBA6BD249D}"=-
[HKEY_CLASSES_ROOT\clsid\{9565115d-c7d6-46d3-bd63-b67b481a4368}]
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-
Driver::
pxloypod
FCopy::
Save this as CFScript.txt, in the same location as ComboFix.exe
[image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================
Then please go ahead and run this online virus scan:
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESETOnlineScan
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    ◦ Click on the image link to download the ESET Smart Installer. Save it to your desktop.
    ◦ Double click on the ESET Smart Installer icon on your desktop.
  • Check 'Yes I accept terms of use.'
  • Click Start button
  • Accept any security warnings from your browser.
    [image: esetonlinescannersettings_thumb.jpg]
  • Uncheck 'Remove found threats'
  • Check 'Scan archives'
  • Leave remaining settings as is.
  • Press the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  • When the scan completes, press 'List of found threats'
  • Push 'Export of text file' and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  • Push the Back button
  • Push Finish

NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
Leave both logs in next reply please.
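An added verification step, not part of the original reply and not something ComboFix itself provides: once the CFScript above has run, the persistence points it targets can be re-checked directly in the live registry instead of trusting the ComboFix log alone. The CLSIDs, the DATAMNGR Run value, the driver name and the driver path are taken from the logs in this thread; the function names, the output layout and the general "any service loading from a user Temp folder" sweep (which goes beyond the single pxloypod driver) are this example's own. Run it from an elevated PowerShell on the affected machine.

```powershell
# Added example, not from the thread or from ComboFix: after the CFScript runs, confirm on the
# live registry that the persistence points it targeted are really gone. Run from an elevated
# PowerShell on the affected machine. The CLSIDs, the DATAMNGR Run value, the driver name and
# the driver path come from the logs above; function names and output layout are this example's.

$clsids = @(
    '{9565115d-c7d6-46d3-bd63-b67b481a4368}',  # PageRage Toolbar: BHO, toolbar and URLSearchHook
    '{30f9b915-b755-4826-820b-08fba6bd249d}',  # Conduit Engine: BHO and toolbar
    '{fd72061e-9fde-484d-a58a-0bab4151cad8}'   # Yontoo Layers: BHO
)

function Get-AppInitDlls {
    # AppInit_DLLs is injected into every process that loads user32.dll, which is why the
    # script blanks it. Returns '' when clear, otherwise the DLL list still configured.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    $v = (Get-ItemProperty -Path $key -Name AppInit_DLLs -ErrorAction SilentlyContinue).AppInit_DLLs
    if ([string]::IsNullOrWhiteSpace($v)) { '' } else { $v }
}

function Get-LingeringClsidRegistrations {
    param([string[]] $Clsid)
    # BHO and HKCR\CLSID entries are subkeys named after the CLSID; the IE Toolbar and
    # URLSearchHooks entries are values named after it. Both forms are checked.
    $places = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar',
        'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks',
        'Registry::HKEY_CLASSES_ROOT\CLSID'
    )
    foreach ($id in $Clsid) {
        foreach ($p in $places) {
            if (Test-Path "$p\$id") {
                [pscustomobject]@{ Clsid = $id; Location = $p; Form = 'subkey' }
            }
            $props = Get-ItemProperty -Path $p -ErrorAction SilentlyContinue
            if ($props -and ($props.PSObject.Properties.Name -contains $id)) {
                [pscustomobject]@{ Clsid = $id; Location = $p; Form = 'value' }
            }
        }
    }
}

function Get-RunValue {
    param([string] $Name)
    # The script's DDS:: section removes the DATAMNGR autorun; this reports it if it survived.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    (Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-ServicesLoadedFromUserTemp {
    # Generalises the pxloypod case: list every service or driver whose ImagePath points under
    # a user profile's Temp folder. A kernel driver loaded from %TEMP% has no legitimate reason
    # to exist. The \??\ prefix and surrounding quotes are stripped before matching.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $img = (Get-ItemProperty -Path $_.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        if ($img) {
            $clean = $img -replace '^\\\?\?\\', '' -replace '"', ''
            if ($clean -match '\\Users\\[^\\]+\\AppData\\Local\\Temp\\') {
                [pscustomobject]@{ Service = $_.PSChildName; ImagePath = $clean }
            }
        }
    }
}

# Report
$appInit = Get-AppInitDlls
if ($appInit) { "AppInit_DLLs still set: $appInit" } else { 'AppInit_DLLs is clear' }

$left = @(Get-LingeringClsidRegistrations -Clsid $clsids)
if ($left.Count -gt 0) { $left | Format-Table -AutoSize } else { 'No PageRage, Conduit or Yontoo registrations remain' }

$dm = Get-RunValue -Name 'DATAMNGR'
if ($dm) { "DATAMNGR autorun still present: $dm" } else { 'DATAMNGR autorun removed' }

$tempSvcs = @(Get-ServicesLoadedFromUserTemp)
if ($tempSvcs.Count -gt 0) { $tempSvcs | Format-Table -AutoSize } else { 'No services load from a user Temp folder' }

'pxloypod service key present: ' + (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Services\pxloypod')
'pxloypod.sys still on disk:   ' + (Test-Path 'C:\Users\John\AppData\Local\Temp\pxloypod.sys')
```

If any of the CLSIDs still shows up as a subkey under Browser Helper Objects or HKCR\CLSID, the corresponding DLL is still registered and will load again at the next IE start, whatever the ComboFix log says; the service sweep is the quickest way to spot a second driver like pxloypod that was installed under a different random name.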
 
ran combofix with script

Here's the log:

ComboFix 11-11-05.02 - John 11/05/2011 16:38:33.5.2 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.2047.1295 [GMT -5:00]
Running from: C:\Users\John\Desktop\ComboFix.exe
Command switches used :: C:\Users\John\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point

FILE ::
"c:\users\John\AppData\Local\Temp\pxloypod.sys"


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


c:\users\Administrator\AppData\Local\temp
c:\users\Default\AppData\Local\temp
c:\users\Elisa\AppData\Local\temp
c:\users\Jack\AppData\Local\temp
c:\users\John\AppData\Local\temp
c:\users\John\AppData\Local\temp\~DF05BA499096FD3D13.TMP
c:\users\John\AppData\Local\temp\~DF712EE64B0C965938.TMP
c:\users\John\AppData\Local\temp\~DF7EFC63C7A410524D.TMP
c:\users\John\AppData\Local\temp\~DFAF1481E7E7903D4A.TMP
c:\users\John\AppData\Local\temp\~DFCF1EF117C6BF7EDE.TMP
c:\users\John\AppData\Local\temp\~DFF1DA2D01458724AC.TMP
c:\users\John\AppData\Local\temp\catchme.dll
c:\users\John\AppData\Local\temp\fla28FD.tmp
c:\users\John\AppData\Local\temp\FXSAPIDebugLogFile.txt
c:\users\Rina\AppData\Local\temp
c:\users\Rina\AppData\Local\temp\AdobeARM.log
c:\users\Rina\AppData\Local\temp\FXSAPIDebugLogFile.txt
c:\users\Rina\AppData\Local\temp\jusched.log
c:\users\Rina\AppData\Local\temp\TWAIN.LOG
c:\users\Rina\AppData\Local\temp\Twain001.Mtx
c:\users\Rina\AppData\Local\temp\Twunk001.MTX
c:\users\Rina\AppData\Local\temp\Twunk002.MTX


((((((((((((((((((((((((( Files Created from 2011-10-05 to 2011-11-05 )))))))))))))))))))))))))))))))


2011-11-05 19:50:35 . 2011-11-05 19:50:35 -------- d-----w- C:\Program Files\ESET
2011-11-05 19:47:11 . 2011-11-05 21:17:26 56200 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{79873F72-825F-4B4C-B4C3-FF8FCE6EC9A8}\offreg.dll
2011-11-04 22:44:30 . 2011-10-07 03:48:07 6668624 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{79873F72-825F-4B4C-B4C3-FF8FCE6EC9A8}\mpengine.dll
2011-11-03 00:47:31 . 2011-11-03 00:47:31 -------- d-----w- C:\Program Files\ADLSoft UnCompressor
2011-11-03 00:47:15 . 2011-11-03 00:47:26 -------- d-----w- C:\Program Files\Incredibar.com
2011-11-03 00:39:13 . 2011-11-03 00:39:13 -------- d-----w- C:\Program Files\Yontoo Layers Runtime
2011-11-03 00:38:33 . 2011-11-03 00:39:10 -------- d-----w- C:\Users\Jack\PDFReader
2011-10-25 21:42:40 . 2011-10-25 21:42:40 -------- d-----w- C:\Users\John\AppData\Roaming\Malwarebytes
2011-10-25 21:42:25 . 2011-10-25 21:42:25 -------- d-----w- C:\ProgramData\Malwarebytes
2011-10-25 21:42:20 . 2011-10-25 21:42:31 -------- d-----w- C:\Program Files\Malwarebytes' Anti-Malware
2011-10-25 21:42:20 . 2011-08-31 22:00:50 22216 ----a-w- C:\Windows\system32\drivers\mbam.sys
2011-10-23 19:00:46 . 2011-10-23 20:20:14 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy
2011-10-23 19:00:46 . 2011-10-23 19:17:19 -------- d-----w- C:\Program Files\Spybot - Search & Destroy
2011-10-22 02:18:15 . 2011-10-22 02:18:57 -------- d-----w- C:\Program Files\iTunes
2011-10-22 02:18:15 . 2011-10-22 02:18:15 -------- d-----w- C:\Program Files\iPod
2011-10-22 02:15:22 . 2011-10-22 02:15:24 -------- d-----w- C:\Program Files\Bonjour
2011-10-22 02:14:19 . 2011-10-22 02:14:18 159744 ----a-w- C:\Program Files\Internet Explorer\Plugins\npqtplugin7.dll
2011-10-22 02:14:18 . 2011-10-22 02:14:18 159744 ----a-w- C:\Program Files\Internet Explorer\Plugins\npqtplugin6.dll
2011-10-22 02:14:18 . 2011-10-22 02:14:18 159744 ----a-w- C:\Program Files\Internet Explorer\Plugins\npqtplugin5.dll
2011-10-22 02:14:18 . 2011-10-22 02:14:18 159744 ----a-w- C:\Program Files\Internet Explorer\Plugins\npqtplugin4.dll
2011-10-22 02:14:18 . 2011-10-22 02:14:18 159744 ----a-w- C:\Program Files\Internet Explorer\Plugins\npqtplugin3.dll
2011-10-22 02:14:18 . 2011-10-22 02:14:18 159744 ----a-w- C:\Program Files\Internet Explorer\Plugins\npqtplugin2.dll
2011-10-22 02:14:18 . 2011-10-22 02:14:18 159744 ----a-w- C:\Program Files\Internet Explorer\Plugins\npqtplugin.dll
2011-10-20 12:00:00 . 2011-10-20 12:00:00 184 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{DDCA8712-1E21-66EB-F588-330BE1C2C51E}-tmp41f69acf.bat
2011-10-17 02:28:00 . 2011-10-17 03:28:00 -------- d-----w- C:\Users\Jack\AppData\Roaming\Skype
2011-10-13 11:32:00 . 2011-08-17 04:24:12 465408 ----a-w- C:\Windows\system32\psisdecd.dll
2011-10-13 11:32:00 . 2011-08-17 04:19:27 75776 ----a-w- C:\Windows\system32\psisrndr.ax
2011-10-13 11:31:58 . 2011-08-27 04:26:27 571904 ----a-w- C:\Windows\system32\oleaut32.dll
2011-10-13 11:31:58 . 2011-08-27 04:26:27 233472 ----a-w- C:\Windows\system32\oleacc.dll
2011-10-13 11:31:51 . 2011-09-06 02:28:37 2334720 ----a-w- C:\Windows\system32\win32k.sys
2011-10-11 11:46:54 . 2011-10-11 11:46:38 703824 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{E509B4F9-C7BB-48EC-BC0B-0DDB365714DD}\gapaengine.dll
.


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2011-10-24 02:33:04 . 2011-05-17 01:48:27 414368 ----a-w- C:\Windows\system32\FlashPlayerCPLApp.cpl
2011-10-07 03:48:07 . 2011-08-06 12:19:24 6668624 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-10-03 10:06:03 . 2011-05-08 01:17:01 472808 ----a-w- C:\Windows\system32\deployJava1.dll
2011-09-14 16:47:40 . 2011-09-14 16:47:40 53760 ----a-w- C:\Windows\system32\OVDecode.dll
2011-09-14 16:46:58 . 2011-09-14 16:46:58 13625856 ----a-w- C:\Windows\system32\amdocl.dll
2011-09-14 16:38:28 . 2011-09-14 16:38:28 37376 ----a-w- C:\Windows\system32\amdoclcl.dll
2011-08-31 04:05:04 . 2011-08-31 04:05:04 83816 ----a-w- C:\Windows\system32\dns-sd.exe
2011-08-31 04:05:04 . 2011-08-31 04:05:04 73064 ----a-w- C:\Windows\system32\dnssd.dll
2011-08-31 04:05:04 . 2011-08-31 04:05:04 178536 ----a-w- C:\Windows\system32\dnssdX.dll


((((((((((((((((((((((((((((( SnapShot_2011-10-31_22.46.09 )))))))))))))))))))))))))))))))))))))))))

+ 2009-07-14 04:55:35 . 2011-11-05 21:19:18 41560 C:\Windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin
- 2010-01-10 00:28:40 . 2011-10-31 15:42:44 32768 C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-01-10 00:28:40 . 2011-11-05 21:17:30 32768 C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-01-10 00:28:40 . 2011-11-05 21:17:30 49152 C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:41:53 . 2011-10-31 15:42:44 16384 C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:41:53 . 2011-11-05 21:17:30 16384 C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-02-07 20:49:40 . 2011-11-01 16:20:38 4524 C:\Windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2370536414-983749384-3936569394-1004_UserData.bin
+ 2011-11-05 19:47:10 . 2011-11-05 21:17:26 2048 C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-10-30 18:52:37 . 2011-10-31 15:42:42 2048 C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-11-05 19:47:10 . 2011-11-05 21:17:26 2048 C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2011-10-30 18:52:37 . 2011-10-31 15:42:42 2048 C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-01-10 11:04:22 . 2011-11-05 22:28:57 290632 C:\Windows\System32\wdi\SuspendPerformanceDiagnostics_SystemData_FastS4.bin
+ 2009-07-14 04:47:10 . 2011-11-05 19:46:17 391728 C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 04:47:10 . 2011-10-30 18:51:12 391728 C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-10-20 19:53:55 . 2011-11-03 00:50:43 572652 C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2370536414-983749384-3936569394-1001-12288.dat
+ 2010-12-14 13:41:35 . 2011-11-03 00:50:41 2884652 C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2370536414-983749384-3936569394-1006-8192.dat
+ 2010-12-14 13:41:33 . 2011-11-02 22:18:13 2327636 C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2370536414-983749384-3936569394-1005-8192.dat
+ 2011-02-07 23:08:03 . 2011-11-05 19:46:22 4057207 C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2370536414-983749384-3936569394-1004-8192.dat
+ 2010-12-05 17:26:05 . 2011-11-05 19:46:19 3448580 C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2370536414-983749384-3936569394-1001-8192.dat
- 2010-12-05 17:26:05 . 2011-10-25 19:18:38 3448580 C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2370536414-983749384-3936569394-1001-8192.dat

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6E13DDE1-2B6E-46CE-8B66-DC8BF36F6B99}]
2011-10-02 15:45:44 294096 ----a-w- C:\Program Files\Incredibar.com\Incredibar\1.5.0.2\bh\Incredibar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F9639E4A-801B-4843-AEE3-03D9DA199E77}"= "C:\Program Files\Incredibar.com\Incredibar\1.5.0.2\IncredibarTlbr.dll" [2011-10-02 15:45:46 260816]

[HKEY_CLASSES_ROOT\clsid\{f9639e4a-801b-4843-aee3-03d9da199e77}]
[HKEY_CLASSES_ROOT\Incredibar.dskBnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}]
[HKEY_CLASSES_ROOT\Incredibar.dskBnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2011-05-13 21:03:34 4283256]
"TivoServer"="C:\Program Files\TiVo\Desktop\TiVoServer.exe" [2010-08-24 22:02:18 2264336]
"TivoTransfer"="C:\Program Files\TiVo\Desktop\TiVoTransfer.exe" [2010-08-24 22:02:20 608528]
"TivoNotify"="C:\Program Files\TiVo\Desktop\TiVoNotify.exe" [2010-08-24 22:02:14 437520]
"TranscodingService"="C:\Program Files\TiVo\Desktop\Plus\\TranscodingService.exe" [2010-08-24 22:02:28 856336]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 21:07:20 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 17:44:34 31072]
"fssui"="C:\Program Files\Windows Live\Family Safety\fsui.exe" [2011-05-13 20:27:02 884584]
"amd_dc_opt"="C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 18:53:10 77824]
"Start WingMan Profiler"="C:\Program Files\Logitech\Gaming Software\LWEMon.exe" [2008-04-04 18:37:59 88584]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 22:58:10 37296]
"Adobe ARM"="C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 04:59:06 937920]
"EEventManager"="C:\Program Files\Epson Software\Event Manager\EEventManager.exe" [2009-12-03 16:12:12 976320]
"snpstd3"="C:\Windows\vsnpstd3.exe" [2006-09-19 14:07:28 827392]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2011-04-13 20:03:38 1298320]
"PAC7302_Monitor"="C:\Windows\PixArt\PAC7302\Monitor.exe" [2006-11-03 16:01:16 319488]
"MSC"="C:\Program Files\Microsoft Security Client\msseces.exe" [2011-06-15 20:16:48 997920]
"SunJavaUpdateSched"="C:\Program Files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 18:06:06 254696]
"APSDaemon"="C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 12:22:28 59240]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2011-07-05 23:36:48 421888]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2011-10-09 23:06:40 421736]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVWSzItQUxZTUYtU0xLTFUtQVoyVUItNkdPS0ItSkhGTkg&inst=NzctNTkzNjMyMzQ5LUZQOSs2LVRCOSsyLUZMKzktRjEwTSs1LVFJWDErNC1YMjAxMCsyLUYxME0xMEQrMS1MSUMrNzctU1AxKzEtU1AxVEIrMS1TVUQrMS1TMUkrMS1TVTMrMS1GTDEwKzEtRERUKzA&prod=90&ver=10.0.1391" [?]

C:\Users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

R1 MpKsl0f087856;MpKsl0f087856;C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{0209AC4E-D9C4-4289-BBC5-3CF5A16CA916}\MpKsl0f087856.sys [x]
R1 MpKsl49eafb6b;MpKsl49eafb6b;C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{A1C08BE0-1CDF-4B13-8F5D-0CBFC2D5122F}\MpKsl49eafb6b.sys [x]
R1 MpKsl8590d562;MpKsl8590d562;C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{2D748FEB-2C0D-465B-BDDA-2F108C3D294F}\MpKsl8590d562.sys [x]
R1 MpKsl912937b0;MpKsl912937b0;C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{C1D324BE-2AAC-4ACB-966F-4B91FBAE9330}\MpKsl912937b0.sys [x]
R2 AODDriver4.01;AODDriver4.01;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\i386\AODDriver2.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 18:16:28 130384]
R2 gupdate;Google Update Service (gupdate);C:\Program Files\Google\Update\GoogleUpdate.exe [2010-02-05 01:36:53 135664]
R3 amdiox86;AMD IO Driver;C:\Windows\system32\DRIVERS\amdiox86.sys [x]
R3 BBSvc;Bing Bar Update Service;C:\Program Files\Microsoft\BingBar\BBSvc.EXE [2011-03-16 03:27:14 183560]
R3 gupdatem;Google Update Service (gupdatem);C:\Program Files\Google\Update\GoogleUpdate.exe [2010-02-05 01:36:53 135664]
R3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys [2011-04-18 18:18:50 43392]
R3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys [2011-04-27 20:25:24 65024]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 20:39:26 208944]
R3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 02:37:50 4640000]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys [2010-11-20 10:21:14 15872]
R3 Synth3dVsc;Synth3dVsc;C:\Windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys [2010-11-20 10:24:41 52224]
R3 tsusbhub;tsusbhub;C:\Windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;C:\Windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe [2010-04-30 08:20:29 1343400]
R4 TivoBeacon2;TiVo Beacon Service;C:\Program Files\TiVo\Desktop\TiVoBeacon.exe [2010-08-24 22:02:08 1104656]
S2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe [2011-07-28 21:35:24 176128]
S2 EPSON_EB_RPCV4_04;EPSON V5 Service4(04);C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50ST7.EXE [2009-09-14 11:00:00 153600]
S2 EPSON_PM_RPCV4_04;EPSON V3 Service4(04);C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50RP7.EXE [2009-09-14 11:00:00 121856]
S2 FlipShareServer;FlipShare Server;C:\Program Files\Flip Video\FlipShareServer\FlipShareServer.exe [2010-12-15 19:22:42 1085440]
S2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 20:31:10 1153368]
S3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [2011-07-28 22:22:04 8396800]
S3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys [2011-07-28 20:53:46 247296]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW73.sys [2011-03-30 18:46:36 100880]


Contents of the 'Scheduled Tasks' folder

2011-11-05 C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
- C:\Program Files\Google\Update\GoogleUpdate.exe [2010-02-05 01:36:59 . 2010-02-05 01:36:53]

2011-11-05 C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
- C:\Program Files\Google\Update\GoogleUpdate.exe [2010-02-05 01:36:59 . 2010-02-05 01:36:53]


------- Supplementary Scan -------

uStart Page = hxxp://mystart.incredibar.com/mb110?a=6OyixyOf9t&i=26
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{3EA3B73C-52E7-4632-9399-71C3A80B61CC}: NameServer = 192.168.2.1,8.8.4.4,8.8.4.4


--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2370536414-983749384-3936569394-1001\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
"??"=hex:1e,2a,f6,56,c4,d2,2f,17,e5,09,82,30,67,3b,56,d5,9f,51,61,4b,86,67,17,
39,71,6e,1b,41,5d,02,5a,50,72,f9,a9,7d,6a,42,2e,a0,39,75,d8,06,f7,8d,9c,19,\
"??"=hex:cc,7c,b8,4e,21,96,58,df,52,95,ed,b3,65,f0,5c,24

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)

Completion time: 2011-11-05 17:49:02
ComboFix-quarantined-files.txt 2011-11-05 22:48:53
ComboFix2.txt 2011-11-05 17:13:00
ComboFix3.txt 2011-10-31 23:06:20
ComboFix4.txt 2011-10-21 06:15:03

Pre-Run: 3,955,662,848 bytes free
Post-Run: 4,441,296,896 bytes free

- - End Of File - - AE1C58B77C591856DE6029274AC6BB05
 
tried to run eset scan, machine shuts down

Tried next step to run eset scan, but after about an hour of scanning (99%), finding 9 infected files, the PC does a full shutdown...not sure why. Have tried several times, same result every time. Is there any way to recover a log from this?

The infected files indicated Zugo, Yontoo A&B, OpenStream NC, and InstallCore.C infections. Let me know if this helps and thanks for your follow-up!
 
Zugo, Yontoo A&B, OpenStream NC, and InstallCore.C

I can't do anything with this because I don't know where they are located. The virus scan will show entries in the Qoobox, which is the folder Combofix sends quarantined files and System Volume which is where the restore points are kept. If the entries are in either of these only, they are no longer active in the system. Unfortunately the virus scan doesn't read that.

I removed some of these and Combofix removed others.(Yontoo, System Restore) InstallCore.C comes with all CNet downloads. I'm seeing Zugo bundled with Bing bars. I suspect the Bing/Zugo is pre-checked on some download screens and not downloaded by itself from the MS home site.

There is a Trojan Downloader OpenStream,found with Java applets, especially if there is an outdated version of Java. The cache needs to be emptied as follows:
  1. . Click Start > Control Panel.
  2. . Double-click the Java icon
    java.png
    in the Control Panel.
  3. . Click Settings under Temporary Internet Files.
    http://www.java.com/en/img/download/5000020303.jpg[/b]
    There are three options on this window to clear the cache.(Version dependent)
    [o]. Delete Files
    [o]. View Applications
    [o]. View Applets
    [*]. Click OK on Delete Temporary Files window.
    Note: This deletes all the Downloaded Applications and Applets from the cache.
    [*]. Click OK on Temporary Files Settings window. [/list]
    ---------------------------
    Did you check and see if there is a log for Eset? Perhaps you can search for an entry> Use Windows Explorer to go to the Directories on the Local Drive (C): Look for any Eset entry. Also check the desktop.
    [*] Push [b]Export of text file[/b] and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    ----------------------------------------------------------------
    [b]Let's talk about why your system is malware waiting to happen![/b]
    1)User 'John' ran 65 appdata from 10/1- 10/31
    2) 7 QuickTime plugins> Files size of each: 159744, all on 10/22
    3) Running program like [b]Bandoo:[/b]
    Description: [QUOTE]Bandoo boosts your instant messages and the whole communication with friends to a new fun and crazy level with tons of cool Emoticons, Nudges, Winks, Images and more in a huge variety. Go crazy with our INTERACTIVE WINKS - the Winks are now coming to live and you are the one controlling them - Messaging was never more fun. (This is from Bandoo site)[/QUOTE]

    [B]Comments from CNet download site:[/B]
    [QUOTE]1. Most annoying f***'ing app ever and how the heck did this install on my machine. All I know is that I can't even type a "thanks" in a hotmail email without having some annoying f***ing emotion appearing instead.
    2. There are no pros. THIS IS A VIRUS!
    3. DO NOT DOWNLOAD!!!!![/QUOTE]
    Plus you got malware from CNet: [b]InstallCore.C[/b]
    ---------------------------------------------------
    4) This Homepage, which now appears in the log, is not one I would recommend
    uStart Page = hxxp://mystart.incredibar.com/mb110?a=6OyixyOf9t&i=26
    ---------------------------------------------------
    Putting it bluntly, you can't have a 'cutsie' system and a secure system. [b]ALL[/b] of these type sites have to make their money- most do it in ads. Malware writers are learning to drop their code in places where the 'unsafe' will frequeny visit.Spyware, Trojan.Droppers and Backdoor.bots are also frequent visitors.
    =====================================
    I' like to run the following to see if we can sort out who is going where and at least reset the Cookies. On SAS, be sure to check the line for removal of the entries it finds. I will still see them, but they will be handled:
    [IMG]http://www.superantispyware.com/images/SASLogo48x48.gif
    SuperAntiSpyware Home Edition Free Version
    • Please download SuperAntiSpyware from HERE
    • Launch SuperAntiSpyware and click on 'Check for updates'.
    • Wait for the updates to be installed
    • On the main screen click on 'Scan your computer'.
    • Check: 'Perform Complete Scan then Click 'Next' to start the scan.
    • Superantispyware will now scan your computer,when it's finished it will list all/any infections found.
    • Make sure everything found has a checkmark next to it,then press 'Next'.
    • Click on 'Finish' when you've done.
    It's possible that the program will ask you to reboot in order to delete some files.

    Obtain the SuperAntiSpyware log as follows:
    • Click on 'Preferences'.
    • Click on the 'Statistics/Logs' tab.
    • Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
    It will then open in your default text editor,such as Notepad. Paste the notepad file here on your reply
    =========================================
    Then run HJT to see if there are remaining bad entries:
    Download HijackThis http://download.bleepingcomputer.com/hijackthis/HijackThis.zipand save to your desktop.
    • Extract it to a directory on your hard drive called c:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
    • The log file will then open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
    ======================================
    There are 3 users on the system: John and Rina each have different malware on their accounts. Elisa must have dropped by, as I don't see infected files there.
 
Ran SuperAntiSpyware, see log below, pt 1

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/06/2011 at 06:59 PM

Application Version : 5.0.1134

Core Rules Database Version : 7904
Trace Rules Database Version: 5716

Scan type : Complete Scan
Total Scan Time : 00:56:43

Operating System Information
Windows 7 Ultimate 32-bit, Service Pack 1 (Build 6.01.7601)
UAC Off - Administrator

Memory items scanned : 352
Memory threats detected : 0
Registry items scanned : 39587
Registry threats detected : 0
File items scanned : 86347
File threats detected : 1686

Adware.Tracking Cookie

Edit: Excess Tracking Cookies reviewed and deleted by Bobbye.
 
log from HijackThis

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:12:08 PM, on 11/6/2011
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Windows Live\Family Safety\fsui.exe
C:\Program Files\Logitech\Gaming Software\LWEMon.exe
C:\Program Files\Epson Software\Event Manager\EEventManager.exe
C:\Windows\vsnpstd3.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Windows\PixArt\PAC7302\Monitor.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\TiVo\Desktop\TiVoTransfer.exe
C:\Program Files\TiVo\Desktop\TiVoNotify.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Users\John\Downloads\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mystart.incredibar.com/mb110?a=6OyixyOf9t&i=26
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Incredibar.com Helper Object - {6E13DDE1-2B6E-46CE-8B66-DC8BF36F6B99} - C:\Program Files\Incredibar.com\Incredibar\1.5.0.2\bh\Incredibar.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL
O2 - BHO: Bing Bar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files\Microsoft\BingBar\BingExt.dll" (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files\Microsoft\BingBar\BingExt.dll" (file missing)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: Incredibar Toolbar - {F9639E4A-801B-4843-AEE3-03D9DA199E77} - C:\Program Files\Incredibar.com\Incredibar\1.5.0.2\IncredibarTlbr.dll
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [fssui] "C:\Program Files\Windows Live\Family Safety\fsui.exe" -autorun
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [Start WingMan Profiler] C:\Program Files\Logitech\Gaming Software\LWEMon.exe /noui
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [EEventManager] "C:\Program Files\Epson Software\Event Manager\EEventManager.exe"
O4 - HKLM\..\Run: [snpstd3] C:\Windows\vsnpstd3.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [PAC7302_Monitor] C:\Windows\PixArt\PAC7302\Monitor.exe
O4 - HKLM\..\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVWSzItQUxZTUYtU0xLTFUtQVoyVUItNkdPS0ItSkhGTkg"&"inst=NzctNTkzNjMyMzQ5LUZQOSs2LVRCOSsyLUZMKzktRjEwTSs1LVFJWDErNC1YMjAxMCsyLUYxME0xMEQrMS1MSUMrNzctU1AxKzEtU1AxVEIrMS1TVUQrMS1TMUkrMS1TVTMrMS1GTDEwKzEtRERUKzA"&"prod=90"&"ver=10.0.1391
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [TivoServer] C:\Program Files\TiVo\Desktop\TiVoServer.exe /service /registry
O4 - HKCU\..\Run: [TivoTransfer] C:\Program Files\TiVo\Desktop\TiVoTransfer.exe
O4 - HKCU\..\Run: [TivoNotify] C:\Program Files\TiVo\Desktop\TiVoNotify.exe /service /registry /auto:TivoNotify
O4 - HKCU\..\Run: [TranscodingService] C:\Program Files\TiVo\Desktop\Plus\\TranscodingService.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
O9 - Extra button: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab79352.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3EA3B73C-52E7-4632-9399-71C3A80B61CC}: NameServer = 192.168.2.1,8.8.4.4,8.8.4.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{3EA3B73C-52E7-4632-9399-71C3A80B61CC}: NameServer = 192.168.2.1,8.8.4.4,8.8.4.4
O17 - HKLM\System\CS2\Services\Tcpip\..\{3EA3B73C-52E7-4632-9399-71C3A80B61CC}: NameServer = 192.168.2.1,8.8.4.4,8.8.4.4
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O20 - AppInit_DLLs: c:\progra~1\bandoo\bndhook.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bandoo Coordinator - Bandoo Media Inc. - C:\Program Files\Bandoo\Bandoo.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EPSON V5 Service4(04) (EPSON_EB_RPCV4_04) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50ST7.EXE
O23 - Service: EPSON V3 Service4(04) (EPSON_PM_RPCV4_04) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50RP7.EXE
O23 - Service: FlipShare Service - Unknown owner - C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
O23 - Service: FlipShare Server (FlipShareServer) - Unknown owner - C:\Program Files\Flip Video\FlipShareServer\FlipShareServer.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

--
End of file - 11855 bytes
 
Oh my goodness! Total tracking Cookies found on accounts of John, Eliza, Jack and Rina are File threats detected : 1686!

Most of the Tracking Cookies are usually from internet ads, banners, etc. But if you don't prevent them or ever clean them out, the computer will get so heavy, it will go through the table, the floor and whatever is under it!

All of you- or better said, each of you needs to reset the Cookies on your accounts as follows:

Reset Cookies

For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.

For Firefox: Tools> Options> Privacy> Cookies> CHECK ‘accept Cookies from Sites’> UNCHECK 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')

I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
AdBlock Plus
Easy List

For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
(First-party and third-party cookies can be set by the website you're visiting and websites that have items embedded in the website you're visiting. But when you next visit the website, only first-party cookie information is sent to the website. Third-party cookie information isn't sent back to the websites that originally set the third-party cookies.)
-------------------------------------------
This number of Tracking Cookies would seem to indicate that none of you are doing any type of Maintenance> deleting temporary internet files, deleting Cookies, disk cleanup, error checking, defrag. Set up a schedule, do it regularly.
========================================
If you did not check this line when you ran SAS, run it again and do so.
• Make sure everything found has a checkmark next to it, then press 'Next'.
I do not need the log.

Shutting down for night. Will check HJT in AM.
 
Update

I have reset cookies for IE and Chrome, (Firefox not used) as you have suggested, and have rerun SAS, all items checked. I have also changed the IE home page (set by malware, not by me). I also deleted the Java temporary files as previously suggested.

Additionally, I have with some consistency, once a month, maybe more, run Windows Disk Cleanup, but obviously things are not under control.

Not sure what next steps should be? TIA...
 
Small comment: If you had used Firefox and put the 2 addons on it, you would not have gotten any of those Tracking Cookies!
--------------------------------
Since Eset found Zugo, I have picked up the BingBar entries for removal. There is a Bing/Zugo combination that I'm seeing frequently. I don't know the source, but you do not want Zugo on the system. Also found Yontoo, Bandoo and removed remaining Incredibar entries.
====================================
Please run this Custom CFScript:

1. Close any open browsers.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
3. Open Notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
Code:
File::
c:\program files\Microsoft\BingBar\BBSvc.EXE
Folder::
C:\Program Files\Incredibar.com
C:\Program Files\Yontoo Layers Runtime
DDS::
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"
Registry::
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6E13DDE1-2B6E-46CE-8B66-DC8BF36F6B99}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F9639E4A-801B-4843-AEE3-03D9DA199E77}"=-
[HKEY_CLASSES_ROOT\clsid\{f9639e4a-801b-4843-aee3-03d9da199e77}]
[HKEY_CLASSES_ROOT\Incredibar.dskBnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}]
[HKEY_CLASSES_ROOT\Incredibar.dskBnd]
Driver::
BBSvc

Reboot::
Save this as CFScript.txt, in the same location as ComboFix.exe
(image: CFScriptB-4.gif)


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste it in your next reply.
======================================
Reopen Hijackthis to 'do system scan only.' Check each of the following, if present

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mystart.incredibar.com/mb110?a=6OyixyOf9t&i=26
O2 - BHO: Incredibar.com Helper Object - {6E13DDE1-2B6E-46CE-8B66-DC8BF36F6B99} - C:\Program Files\Incredibar.com\Incredibar\1.5.0.2\bh\Incredibar.dll
O2 - BHO: Bing Bar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files\Microsoft\BingBar\BingExt.dll" (file missing)
O3 - Toolbar: Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files\Microsoft\BingBar\BingExt.dll" (file missing)
O3 - Toolbar: Incredibar Toolbar - {F9639E4A-801B-4843-AEE3-03D9DA199E77} - C:\Program Files\Incredibar.com\Incredibar\1.5.0.2\IncredibarTlbr.dll
O4 - HKLM\..\RunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVWSzItQUxZTUYtU0xLTFUtQVoyVUItNkdPS0ItSkhGTkg"&"inst=NzctNTkzNjMyMzQ5LUZQOSs2LVRCOSsyLUZMKzktRjEwTSs1LVFJWDErNC1YMjAxMCsyLUYxME0xMEQrMS1MSUMrNzctU1AxKzEtU1AxVEIrMS1TVUQrMS1TMUkrMS1TVTMrMS1GTDEwKzEtRERUKzA"&"prod=90"&"ver=10.0.1391
O20 - AppInit_DLLs: c:\progra~1\bandoo\bndhook.dll
O23 - Service: Bandoo Coordinator - Bandoo Media Inc. - C:\Program Files\Bandoo\Bandoo.exe


Close all Windows except HijackThis and click on "Fix Checked."
===================================
Click on Start> in Search, type in services.msc> enter> Find each of the following and double click to open> Change Startup type to Disabled> Stop the Service.
BandooCoordinator
BingBar Update Service

Exit Services when through
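Added example (not part of the thread, and not a HijackThis feature): a small Python triage script that reads log lines in the HijackThis format shown above and flags the kinds of entries Bobbye picks out for fixing: start-page hijacks, registrations for known unwanted add-ons, orphaned "(file missing)" BHO/toolbar entries, and the AppInit_DLLs hook. The sample log lines are copied from the thread's own HJT log; the marker list and the default-host list are assumptions chosen from the names the thread calls out, not a complete signature set.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis log format, using entries the thread itself lists.
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mystart.incredibar.com/mb110?a=6OyixyOf9t&i=26
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Incredibar.com Helper Object - {6E13DDE1-2B6E-46CE-8B66-DC8BF36F6B99} - C:\Program Files\Incredibar.com\Incredibar\1.5.0.2\bh\Incredibar.dll
O2 - BHO: Bing Bar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files\Microsoft\BingBar\BingExt.dll" (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: Incredibar Toolbar - {F9639E4A-801B-4843-AEE3-03D9DA199E77} - C:\Program Files\Incredibar.com\Incredibar\1.5.0.2\IncredibarTlbr.dll
O4 - HKLM\..\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O20 - AppInit_DLLs: c:\progra~1\bandoo\bndhook.dll
O23 - Service: Bandoo Coordinator - Bandoo Media Inc. - C:\Program Files\Bandoo\Bandoo.exe
"""

# Names the thread identified as unwanted (assumption: a starter list, extend as needed).
UNWANTED_MARKERS = ("incredibar", "bandoo", "yontoo", "zugo")

# Vendor default IE start/search host (assumption); any other host in an R0/R1 line gets reviewed.
KNOWN_DEFAULT_HOSTS = ("go.microsoft.com",)

HJT_LINE = re.compile(r"^(?P<code>[RFOQ]\d+) - (?P<body>.+)$")
URL_HOST = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)


@dataclass
class Finding:
    code: str      # HijackThis section code, e.g. O2, O20
    reason: str    # why the entry was flagged
    line: str      # the original log line


def _host_of(text):
    """Return the lower-cased host of the first URL in text, or '' if there is none."""
    m = URL_HOST.search(text)
    return m.group(1).lower() if m else ""


def triage_hjt(log_text):
    """Flag HijackThis entries a reviewer should examine before using 'Fix Checked'."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue                       # process list, headers, blank lines
        code, body = m.group("code"), m.group("body")
        lower = body.lower()

        # O20 AppInit_DLLs is loaded into every process that maps user32.dll,
        # so it is a persistence point worth reviewing whatever the DLL is called.
        if code == "O20" and "appinit_dlls" in lower:
            findings.append(Finding(code, "AppInit_DLLs entry injects into every user32 process", line))
            continue

        marker = next((mk for mk in UNWANTED_MARKERS if mk in lower), None)
        if marker:
            findings.append(Finding(code, f"references unwanted component '{marker}'", line))
            continue

        # R0/R1: a start/search page pointing anywhere but the vendor default is a hijack candidate.
        if code in ("R0", "R1") and "=" in body:
            host = _host_of(body.split("=", 1)[1])
            if host and host not in KNOWN_DEFAULT_HOSTS:
                findings.append(Finding(code, f"browser start/search page set to {host}", line))
            continue

        # O2/O3 registrations whose DLL is gone are leftovers of a half-removed add-on.
        if code in ("O2", "O3") and "(file missing)" in lower:
            findings.append(Finding(code, "orphaned BHO/toolbar registration (file missing)", line))

    return findings


def summarize(findings):
    """Count findings per HijackThis section code."""
    counts = {}
    for f in findings:
        counts[f.code] = counts.get(f.code, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT_LOG):
        print(f"[{f.code}] {f.reason}\n    {f.line}")
    print(summarize(triage_hjt(SAMPLE_HJT_LOG)))
```

The script only flags entries for review; as the NOTE earlier in the thread says, most of what HijackThis lists is harmless or required, so the decision to fix an entry stays with the person reading the log. The ordering of the checks matters: the AppInit_DLLs rule runs before the name match so that an O20 line is reported as a hook, which is the more useful reason, and the "(file missing)" rule is last so a named component is reported under its name rather than as a generic orphan.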
 
Ran CF Script, here is log...

Also ran HijackThis, but had previously removed Bandoo, IncrediBar and BingBar programs, so only had the AvgUninstallURL entry to fix, which I did. Neither BandooCoordinator nor BingBar Update services displayed in the services.msc window, so nothing to change there.

ComboFix log follows, let me know next steps, TIA!

ComboFix 11-11-05.02 - John 11/08/2011 6:48.6.2 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.2047.1361 [GMT -6:00]
Running from: c:\users\John\Desktop\ComboFix.exe
Command switches used :: c:\users\John\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\program files\Microsoft\BingBar\BBSvc.EXE"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Microsoft\BingBar\BBSvc.EXE
c:\program files\Yontoo Layers Runtime
c:\program files\Yontoo Layers Runtime\YontooIEClient.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_BBSvc
.
.
((((((((((((((((((((((((( Files Created from 2011-10-08 to 2011-11-08 )))))))))))))))))))))))))))))))
.
.
2011-11-08 13:32 . 2011-11-08 14:08 -------- d-----w- c:\users\John\AppData\Local\temp
2011-11-08 13:32 . 2011-11-08 13:32 -------- d-----w- c:\users\Rina\AppData\Local\temp
2011-11-08 13:32 . 2011-11-08 13:32 -------- d-----w- c:\users\Jack\AppData\Local\temp
2011-11-08 13:32 . 2011-11-08 13:32 -------- d-----w- c:\users\Elisa\AppData\Local\temp
2011-11-08 13:32 . 2011-11-08 13:32 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-11-08 13:32 . 2011-11-08 13:32 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2011-11-08 03:01 . 2011-11-08 03:01 28752 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B8374E5C-91EB-48AE-8D26-7503B16344E3}\MpKsle1a83760.sys
2011-11-08 03:01 . 2011-11-08 13:35 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B8374E5C-91EB-48AE-8D26-7503B16344E3}\offreg.dll
2011-11-08 03:01 . 2011-10-07 03:48 6668624 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B8374E5C-91EB-48AE-8D26-7503B16344E3}\mpengine.dll
2011-11-06 23:25 . 2011-11-06 23:25 -------- d-----w- c:\users\John\AppData\Roaming\SUPERAntiSpyware.com
2011-11-06 23:24 . 2011-11-06 23:27 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-11-06 23:24 . 2011-11-06 23:24 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-11-05 19:50 . 2011-11-05 19:50 -------- d-----w- c:\program files\ESET
2011-11-03 00:47 . 2011-11-03 00:47 -------- d-----w- c:\program files\ADLSoft UnCompressor
2011-11-03 00:38 . 2011-11-03 00:39 -------- d-----w- c:\users\Jack\PDFReader
2011-10-25 21:42 . 2011-10-25 21:42 -------- d-----w- c:\users\John\AppData\Roaming\Malwarebytes
2011-10-25 21:42 . 2011-10-25 21:42 -------- d-----w- c:\programdata\Malwarebytes
2011-10-25 21:42 . 2011-10-25 21:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-23 19:00 . 2011-10-23 20:20 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-10-23 19:00 . 2011-10-23 19:17 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-10-22 02:18 . 2011-10-22 02:18 -------- d-----w- c:\program files\iTunes
2011-10-22 02:18 . 2011-10-22 02:18 -------- d-----w- c:\program files\iPod
2011-10-22 02:15 . 2011-10-22 02:15 -------- d-----w- c:\program files\Bonjour
2011-10-22 02:14 . 2011-10-22 02:14 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin7.dll
2011-10-22 02:14 . 2011-10-22 02:14 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin6.dll
2011-10-22 02:14 . 2011-10-22 02:14 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
2011-10-22 02:14 . 2011-10-22 02:14 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
2011-10-22 02:14 . 2011-10-22 02:14 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
2011-10-22 02:14 . 2011-10-22 02:14 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
2011-10-22 02:14 . 2011-10-22 02:14 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin.dll
2011-10-20 12:00 . 2011-10-20 12:00 184 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{DDCA8712-1E21-66EB-F588-330BE1C2C51E}-tmp41f69acf.bat
2011-10-17 02:28 . 2011-10-17 03:28 -------- d-----w- c:\users\Jack\AppData\Roaming\Skype
2011-10-13 11:32 . 2011-08-17 04:24 465408 ----a-w- c:\windows\system32\psisdecd.dll
2011-10-13 11:32 . 2011-08-17 04:19 75776 ----a-w- c:\windows\system32\psisrndr.ax
2011-10-13 11:31 . 2011-08-27 04:26 571904 ----a-w- c:\windows\system32\oleaut32.dll
2011-10-13 11:31 . 2011-08-27 04:26 233472 ----a-w- c:\windows\system32\oleacc.dll
2011-10-13 11:31 . 2011-09-06 02:28 2334720 ----a-w- c:\windows\system32\win32k.sys
2011-10-11 11:46 . 2011-10-11 11:46 703824 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E509B4F9-C7BB-48EC-BC0B-0DDB365714DD}\gapaengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-24 02:33 . 2011-05-17 01:48 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-07 03:48 . 2011-08-06 12:19 6668624 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-10-03 10:06 . 2011-05-08 01:17 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-14 16:47 . 2011-09-14 16:47 53760 ----a-w- c:\windows\system32\OVDecode.dll
2011-09-14 16:46 . 2011-09-14 16:46 13625856 ----a-w- c:\windows\system32\amdocl.dll
2011-09-14 16:38 . 2011-09-14 16:38 37376 ----a-w- c:\windows\system32\amdoclcl.dll
2011-08-31 04:05 . 2011-08-31 04:05 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-08-31 04:05 . 2011-08-31 04:05 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-08-31 04:05 . 2011-08-31 04:05 178536 ----a-w- c:\windows\system32\dnssdX.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2011-10-31_22.46.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-01-10 02:48 . 2011-11-07 01:08 36690 c:\windows\System32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 04:55 . 2011-11-08 14:08 42028 c:\windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin
- 2010-01-10 00:28 . 2011-10-31 15:42 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-01-10 00:28 . 2011-11-08 13:35 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-01-10 00:28 . 2011-11-08 13:35 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:41 . 2011-10-31 15:42 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:41 . 2011-11-08 13:35 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-01-21 02:19 . 2011-11-07 03:58 7214 c:\windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2370536414-983749384-3936569394-1006_UserData.bin
+ 2010-02-07 20:49 . 2011-11-01 16:20 4524 c:\windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2370536414-983749384-3936569394-1004_UserData.bin
+ 2010-01-10 02:48 . 2011-11-08 14:08 8072 c:\windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2370536414-983749384-3936569394-1001_UserData.bin
+ 2011-11-07 12:40 . 2011-11-08 13:35 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-10-30 18:52 . 2011-10-31 15:42 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-10-30 18:52 . 2011-10-31 15:42 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-11-07 12:40 . 2011-11-08 13:35 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-01-10 11:04 . 2011-11-08 12:20 292200 c:\windows\System32\wdi\SuspendPerformanceDiagnostics_SystemData_FastS4.bin
+ 2009-07-14 02:05 . 2011-11-08 13:40 626354 c:\windows\System32\perfh009.dat
- 2009-07-14 02:05 . 2011-10-30 15:17 626354 c:\windows\System32\perfh009.dat
- 2009-07-14 02:05 . 2011-10-30 15:17 107816 c:\windows\System32\perfc009.dat
+ 2009-07-14 02:05 . 2011-11-08 13:40 107816 c:\windows\System32\perfc009.dat
- 2009-07-14 04:47 . 2011-10-30 18:51 391728 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 04:47 . 2011-11-07 12:39 391728 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-10-20 19:53 . 2011-11-03 00:50 572652 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2370536414-983749384-3936569394-1001-12288.dat
+ 2010-12-14 13:41 . 2011-11-07 12:39 2896084 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2370536414-983749384-3936569394-1006-8192.dat
+ 2010-12-14 13:41 . 2011-11-02 22:18 2327636 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2370536414-983749384-3936569394-1005-8192.dat
+ 2011-02-07 23:08 . 2011-11-05 19:46 4057207 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2370536414-983749384-3936569394-1004-8192.dat
+ 2010-12-05 17:26 . 2011-11-07 12:39 3708352 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2370536414-983749384-3936569394-1001-8192.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2011-05-13 4283256]
"TivoServer"="c:\program files\TiVo\Desktop\TiVoServer.exe" [2010-08-24 2264336]
"TivoTransfer"="c:\program files\TiVo\Desktop\TiVoTransfer.exe" [2010-08-24 608528]
"TivoNotify"="c:\program files\TiVo\Desktop\TiVoNotify.exe" [2010-08-24 437520]
"TranscodingService"="c:\program files\TiVo\Desktop\Plus\\TranscodingService.exe" [2010-08-24 856336]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-11-06 4615552]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"fssui"="c:\program files\Windows Live\Family Safety\fsui.exe" [2011-05-13 884584]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"Start WingMan Profiler"="c:\program files\Logitech\Gaming Software\LWEMon.exe" [2008-04-04 88584]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"EEventManager"="c:\program files\Epson Software\Event Manager\EEventManager.exe" [2009-12-03 976320]
"snpstd3"="c:\windows\vsnpstd3.exe" [2006-09-19 827392]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2011-04-13 1298320]
"PAC7302_Monitor"="c:\windows\PixArt\PAC7302\Monitor.exe" [2006-11-03 319488]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-10-09 421736]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVWSzItQUxZTUYtU0xLTFUtQVoyVUItNkdPS0ItSkhGTkg&inst=NzctNTkzNjMyMzQ5LUZQOSs2LVRCOSsyLUZMKzktRjEwTSs1LVFJWDErNC1YMjAxMCsyLUYxME0xMEQrMS1MSUMrNzctU1AxKzEtU1AxVEIrMS1TVUQrMS1TMUkrMS1TVTMrMS1GTDEwKzEtRERUKzA&prod=90&ver=10.0.1391" [?]
.
c:\users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R1 MpKsl0f087856;MpKsl0f087856;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0209AC4E-D9C4-4289-BBC5-3CF5A16CA916}\MpKsl0f087856.sys [x]
R1 MpKsl49eafb6b;MpKsl49eafb6b;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A1C08BE0-1CDF-4B13-8F5D-0CBFC2D5122F}\MpKsl49eafb6b.sys [x]
R1 MpKsl8590d562;MpKsl8590d562;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{2D748FEB-2C0D-465B-BDDA-2F108C3D294F}\MpKsl8590d562.sys [x]
R1 MpKsl912937b0;MpKsl912937b0;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C1D324BE-2AAC-4ACB-966F-4B91FBAE9330}\MpKsl912937b0.sys [x]
R2 AODDriver4.01;AODDriver4.01;c:\program files\ATI Technologies\ATI.ACE\Fuel\i386\AODDriver2.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 135664]
R3 amdiox86;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox86.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 135664]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2011-04-18 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2011-04-27 65024]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 208944]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-30 1343400]
R4 TivoBeacon2;TiVo Beacon Service;c:\program files\TiVo\Desktop\TiVoBeacon.exe [2010-08-24 1104656]
S1 MpKsle1a83760;MpKsle1a83760;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B8374E5C-91EB-48AE-8D26-7503B16344E3}\MpKsle1a83760.sys [2011-11-08 28752]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2011-07-22 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2011-07-12 67664]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-08-11 116608]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-07-28 176128]
S2 EPSON_EB_RPCV4_04;EPSON V5 Service4(04);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50ST7.EXE [2009-09-14 153600]
S2 EPSON_PM_RPCV4_04;EPSON V3 Service4(04);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50RP7.EXE [2009-09-14 121856]
S2 FlipShareServer;FlipShare Server;c:\program files\Flip Video\FlipShareServer\FlipShareServer.exe [2010-12-15 1085440]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2011-07-28 8396800]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2011-07-28 247296]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [2011-03-30 100880]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 01:36]
.
2011-11-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 01:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{3EA3B73C-52E7-4632-9399-71C3A80B61CC}: NameServer = 192.168.2.1,8.8.4.4,8.8.4.4
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2370536414-983749384-3936569394-1001\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
"??"=hex:1e,2a,f6,56,c4,d2,2f,17,e5,09,82,30,67,3b,56,d5,9f,51,61,4b,86,67,17,
39,71,6e,1b,41,5d,02,5a,50,72,f9,a9,7d,6a,42,2e,a0,39,75,d8,06,f7,8d,9c,19,\
"??"=hex:cc,7c,b8,4e,21,96,58,df,52,95,ed,b3,65,f0,5c,24
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\windows\system32\atieclxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Flip Video\FlipShare\FlipShareService.exe
c:\program files\Windows Live\Family Safety\fsssvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Microsoft\BingBar\SeaPort.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\DllHost.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\AVG\AVG PC Tuneup 2011\BoostSpeed.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Google\Google Toolbar\GoogleToolbarUser_32.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\DllHost.exe
.
**************************************************************************
.
Completion time: 2011-11-08 08:29:43 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-08 14:29
ComboFix2.txt 2011-11-05 22:49
ComboFix3.txt 2011-11-05 17:13
ComboFix4.txt 2011-10-31 23:06
ComboFix5.txt 2011-11-08 12:39
.
Pre-Run: 4,197,842,944 bytes free
Post-Run: 4,580,904,960 bytes free
.
- - End Of File - - CE68A674B362BC23DE06F139047A5C03
 
Okay, looks good. The BingBar Update Service was zapped in Combofix! I do see the program currently running though- note SeaPort:
c:\program files\Microsoft\BingBar\SeaPort.EXE
I found the following which in one way answers my question and in another ought to put Microsoft to shame:

What does this mean going forward?
SeaPort.exe typically comes bundled as part of the Microsoft Live Search Enhancement application pack. In addition, there’s a plethora of “helpful” web downloads from Microsoft including the Bing and MSN toolbars included (edit)
To date, most security analysts operate under the presumption that Spyware is defined as anything that “reports private information or activity to a remote host that the user may not be aware of”. In most cases, SeaPort.exe is installed without the front-end user knowingly doing so. When installing Microsoft Live, there’s no option to skip the Seaport.exe portion of the application set, it’s included no matter what selections are made.

SeaPort.exe should be considered armed and dangerous and network administrators need to understand that this process is gaining access and information about workstations that is better kept private. In short, we’re not ready to call Seaport.exe “Spyware” but it’s teetering on the edge of the definition, which is uncharted territory for a major OS vendor.
Attributes for bold and color text are mine.
Full article can be found > http://www.riskanalytics.com/blog/?p=270

If you choose, instructions for removing/deleting/stopping this process can be found HERE.

Some interesting sites in cyberspace about partner attempts to get their search engine on our computer and things they do to accomplish it!

So the progress goes like this:
Have SeaPort> BingBar bundled with it> some app says you need an addon to run it> Now have Zugo> which changes the homepage and search engine and becomes the Bing/Zugo bar.
=====================================
I'd like you to attempt the Eset scan again.

Please let me know how the system is doing now.
 
reran Eset scan, PC shutdown...

I reran the Eset scan, PC continues to shut down at some point after reaching 99% (runs for over an hour). Here is a little more detail about what showed in the status window, not sure if this is helpful or not...

-a variant of the Win32/Toolbar.zugo application was found
-a variant of the Win32/InstallCore.C application was found
-a variant of the Win32/Adware.Yontoo.B application was found
-a variant of the Win32/Adware.Yontoo.A application was found
-Java/TrojanDownloader.OpenStream.NC trojan was found

One option is that I could try to stop the scan before it shuts down, at least capturing a log for some of these infections. Though the shutdown leads me to think there is something else that plagues this PC at the 99.9% point of the scan. Let me know recommended next steps...as always TIA.

As for Seaport, I will address this after we reach a better point of stability, unless you indicate otherwise.
 
-a variant of the Win32/Toolbar.zugo application was found
-a variant of the Win32/InstallCore.C application was found
-a variant of the Win32/Adware.Yontoo.B application was found
-a variant of the Win32/Adware.Yontoo.A application was found
-Java/TrojanDownloader.OpenStream.NC trojan was found

Unfortunately, this is the wrong part of the scan! While it tells me what was found, it does not tell me what it's on, so I can remove it. OTM works by removing the file or folder name given, not the name of the infection.

Please search in the system and see if you can find the log. If you're getting this much info from the scan it should have a log somewhere.
--------------------------------------------
If you did not empty the Java cache, do it now:
To clear the Java Plug-in cache:

  • [1]. Click Start > Control Panel.
    [2]. Double-click the Java icon in the control panel. The Java Control Panel appears.
    [3]. Click Settings under Temporary Internet Files. The Temporary Files Settings dialog box appears.
    [4]. Click Delete Files. The Delete Temporary Files dialog box appears.
    [5]. Click OK on Delete Temporary Files window.
    Note: This deletes all the Downloaded Applications and Applets from the cache.
    [6]. Click Apply> OK on Temporary Files Settings window.
Images courtesy java.com

I'm really tired and shutting down for the night.
 
OK, I understand that the virus info that I supplied is not helpful. I have found the Eset log, but it only shows info about the install, nothing regarding any virus scan because the PC shuts down before this information can be added to the log. Do you still want this log? I have tried to run Eset several different times, both in normal and safe modes, same results.

Also, I have cleared the Java plug-in cache, multiple times now.

Am I out of options? The PC seemed to be improving with the SAS work, etc...but when I run the Eset scan, all the same infections still seem to identify during the scan, and then poof, the system shuts down and I can proceed no further. I am still thinking that I should stop the scan at a certain point post 99% and save the log, at least this provides some information. Let me know what you think, TIA!
 
took my own advice...

Stopped Eset scan after discovering nine threats...here they are:

C:\Qoobox\Quarantine\C\Program Files\StartNow Toolbar\ToOLbar32.dll.vir a variant of Win32/Toolbar.Zugo application
C:\Qoobox\Quarantine\C\Program Files\StartNow Toolbar\ToolbarUpdaterService.exe.vir a variant of Win32/Toolbar.Zugo application
C:\Qoobox\Quarantine\C\Program Files\Yontoo Layers\YontooIEClient.dll.vir Win32/Adware.Yontoo.A application
C:\Qoobox\Quarantine\C\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll.vir a variant of Win32/Adware.Yontoo.B application
C:\Qoobox\Quarantine\C\Users\Jack\AppData\Local\temp\ICReinstall\PDFReaderSetup.exe.vir a variant of Win32/InstallCore.C application
C:\Qoobox\Quarantine\C\Users\Jack\AppData\Local\temp\is1438683437\zgInstaller.exe.vir a variant of Win32/Toolbar.Zugo application
C:\Users\Elisa\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\38\58cf3ce6-4692b267 a variant of Java/TrojanDownloader.OpenStream.NCM trojan
C:\Users\Jack\Downloads\PDFReaderSetup.exe a variant of Win32/InstallCore.C application
C:\Users\Jack\PDFReader\Uninstall\Uninstall.exe a variant of Win32/InstallCore.C application
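As an added example, not code from either poster, the Python below parses ESET result lines in the format quoted above and separates hits on live files from hits on ComboFix quarantine copies under C:\Qoobox\Quarantine, leaving the file paths a path-based removal tool such as OTM needs. It assumes ESET prints one hit per line as path, detection name and category word; the sample lines are the nine quoted in this post.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# ComboFix moves everything it removes under C:\Qoobox\Quarantine and appends
# ".vir" to the file name, so a scanner hit on such a path is a neutralised copy.
QUARANTINE_PREFIX = "c:\\qoobox\\quarantine\\"

# One ESET result line is "<full path> <detection name> <kind>", e.g.
#   C:\...\zgInstaller.exe.vir a variant of Win32/Toolbar.Zugo application
# The path may contain spaces, so the split is anchored on the "Family/Name"
# token that starts the detection name, not on the first space.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+"
    r"(?P<name>(?:a variant of\s+)?[A-Za-z0-9]+/[\w.]+)\s+"
    r"(?P<kind>\w+)\s*$"
)

# Constructed sample: the nine lines quoted from the ESET scan in this thread.
SAMPLE_ESET_RESULTS = r"""
C:\Qoobox\Quarantine\C\Program Files\StartNow Toolbar\ToOLbar32.dll.vir a variant of Win32/Toolbar.Zugo application
C:\Qoobox\Quarantine\C\Program Files\StartNow Toolbar\ToolbarUpdaterService.exe.vir a variant of Win32/Toolbar.Zugo application
C:\Qoobox\Quarantine\C\Program Files\Yontoo Layers\YontooIEClient.dll.vir Win32/Adware.Yontoo.A application
C:\Qoobox\Quarantine\C\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll.vir a variant of Win32/Adware.Yontoo.B application
C:\Qoobox\Quarantine\C\Users\Jack\AppData\Local\temp\ICReinstall\PDFReaderSetup.exe.vir a variant of Win32/InstallCore.C application
C:\Qoobox\Quarantine\C\Users\Jack\AppData\Local\temp\is1438683437\zgInstaller.exe.vir a variant of Win32/Toolbar.Zugo application
C:\Users\Elisa\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\38\58cf3ce6-4692b267 a variant of Java/TrojanDownloader.OpenStream.NCM trojan
C:\Users\Jack\Downloads\PDFReaderSetup.exe a variant of Win32/InstallCore.C application
C:\Users\Jack\PDFReader\Uninstall\Uninstall.exe a variant of Win32/InstallCore.C application
"""


@dataclass(frozen=True)
class Detection:
    path: str   # file the scanner flagged (what a file-based removal tool needs)
    name: str   # detection name as printed, including any "a variant of"
    kind: str   # ESET's category word: application, trojan, ...

    @property
    def family(self) -> str:
        """Detection name with the 'a variant of' prefix stripped."""
        return re.sub(r"^a variant of\s+", "", self.name)

    @property
    def quarantined(self) -> bool:
        """True when the hit is a ComboFix quarantine copy rather than a live file."""
        return self.path.lower().startswith(QUARANTINE_PREFIX)


def parse_eset_results(text: str) -> List[Detection]:
    """Parse ESET result lines; lines that do not fit the format are skipped."""
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            found.append(Detection(m["path"], m["name"], m["kind"]))
    return found


def triage(detections: List[Detection]) -> Dict[str, List[Detection]]:
    """Split hits into live files needing action and already-quarantined copies."""
    return {
        "live": [d for d in detections if not d.quarantined],
        "quarantined": [d for d in detections if d.quarantined],
    }


def removal_paths(detections: List[Detection]) -> List[str]:
    """Paths of live hits only: the list a file-based removal tool would be given."""
    return [d.path for d in triage(detections)["live"]]


def families(detections: List[Detection]) -> List[str]:
    """Distinct detection families present, ignoring the variant wording."""
    return sorted({d.family for d in detections})


if __name__ == "__main__":
    hits = parse_eset_results(SAMPLE_ESET_RESULTS)
    groups = triage(hits)
    print(f"{len(hits)} hits: {len(groups['live'])} live, "
          f"{len(groups['quarantined'])} already in ComboFix quarantine")
    for path in removal_paths(hits):
        print("live:", path)
```

On the sample above, six of the nine hits are quarantine copies and only three paths (the Java cache entry and the two PDFReader files) are live.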
 
Okay, looks like a 'Java leak' from something. Logs show the most current version v6u29 is installed.

Java/TrojanDownloader.Agent.NCA may be invoked when visiting a malicious website by referencing a malicious Java class file within a Java archive file (.JAR).
(Your first mention of OpenStream was 'NC'. The section of Eset you left had OpenStream.NCM, then Google offered OpenStream.NCA. There is also an OpenStream.NCV! These are usually aliases from different AVs or variants of the same malware.)
====================================
Please run this Custom CFScript:

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
Code:
File::
FileLook::
c:\windows\system32\DllHost.exe
ClearJavaCache::
RegNull::
[HKEY_USERS\S-1-5-21-2370536414-983749384-3936569394-1001\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
RegLock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

Reboot::
Save this as CFScript.txt, in the same location as ComboFix.exe
[image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================
Let's check the security:
Download Security Check by screen317 from one of these links:
Link1
Link 2
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
 
Ran combofix with script, here is the log.

ComboFix 11-11-05.02 - John 11/09/2011 15:44:28.7.2 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.2047.1269 [GMT -6:00]
Running from: c:\users\John\Desktop\ComboFix.exe
Command switches used :: c:\users\John\Desktop\cfscript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2011-10-09 to 2011-11-09 )))))))))))))))))))))))))))))))
.
.
2011-11-09 22:27 . 2011-11-09 22:27 -------- d-----w- c:\users\Rina\AppData\Local\temp
2011-11-09 22:27 . 2011-11-09 22:27 -------- d-----w- c:\users\Jack\AppData\Local\temp
2011-11-09 22:27 . 2011-11-09 22:27 -------- d-----w- c:\users\Elisa\AppData\Local\temp
2011-11-09 22:27 . 2011-11-09 22:27 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-11-09 22:27 . 2011-11-09 22:27 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2011-11-09 03:59 . 2011-11-09 22:29 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{3F8037F2-443E-4724-98A9-D3538EA153E0}\offreg.dll
2011-11-09 03:59 . 2011-10-07 03:48 6668624 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{3F8037F2-443E-4724-98A9-D3538EA153E0}\mpengine.dll
2011-11-08 13:32 . 2011-11-09 23:03 -------- d-----w- c:\users\John\AppData\Local\temp
2011-11-06 23:25 . 2011-11-06 23:25 -------- d-----w- c:\users\John\AppData\Roaming\SUPERAntiSpyware.com
2011-11-06 23:24 . 2011-11-06 23:27 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-11-06 23:24 . 2011-11-06 23:24 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-11-05 19:50 . 2011-11-05 19:50 -------- d-----w- c:\program files\ESET
2011-11-03 00:47 . 2011-11-03 00:47 -------- d-----w- c:\program files\ADLSoft UnCompressor
2011-11-03 00:38 . 2011-11-03 00:39 -------- d-----w- c:\users\Jack\PDFReader
2011-10-25 21:42 . 2011-10-25 21:42 -------- d-----w- c:\users\John\AppData\Roaming\Malwarebytes
2011-10-25 21:42 . 2011-10-25 21:42 -------- d-----w- c:\programdata\Malwarebytes
2011-10-25 21:42 . 2011-10-25 21:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-23 19:00 . 2011-10-23 20:20 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-10-23 19:00 . 2011-10-23 19:17 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-10-22 02:18 . 2011-10-22 02:18 -------- d-----w- c:\program files\iTunes
2011-10-22 02:18 . 2011-10-22 02:18 -------- d-----w- c:\program files\iPod
2011-10-22 02:15 . 2011-10-22 02:15 -------- d-----w- c:\program files\Bonjour
2011-10-22 02:14 . 2011-10-22 02:14 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin7.dll
2011-10-22 02:14 . 2011-10-22 02:14 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin6.dll
2011-10-22 02:14 . 2011-10-22 02:14 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
2011-10-22 02:14 . 2011-10-22 02:14 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
2011-10-22 02:14 . 2011-10-22 02:14 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
2011-10-22 02:14 . 2011-10-22 02:14 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
2011-10-22 02:14 . 2011-10-22 02:14 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin.dll
2011-10-20 12:00 . 2011-10-20 12:00 184 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{DDCA8712-1E21-66EB-F588-330BE1C2C51E}-tmp41f69acf.bat
2011-10-17 02:28 . 2011-10-17 03:28 -------- d-----w- c:\users\Jack\AppData\Roaming\Skype
2011-10-13 11:32 . 2011-08-17 04:24 465408 ----a-w- c:\windows\system32\psisdecd.dll
2011-10-13 11:32 . 2011-08-17 04:19 75776 ----a-w- c:\windows\system32\psisrndr.ax
2011-10-13 11:31 . 2011-08-27 04:26 571904 ----a-w- c:\windows\system32\oleaut32.dll
2011-10-13 11:31 . 2011-08-27 04:26 233472 ----a-w- c:\windows\system32\oleacc.dll
2011-10-13 11:31 . 2011-09-06 02:28 2334720 ----a-w- c:\windows\system32\win32k.sys
2011-10-11 11:46 . 2011-10-11 11:46 703824 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E509B4F9-C7BB-48EC-BC0B-0DDB365714DD}\gapaengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-24 02:33 . 2011-05-17 01:48 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-07 03:48 . 2011-08-06 12:19 6668624 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-10-03 10:06 . 2011-05-08 01:17 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-14 16:47 . 2011-09-14 16:47 53760 ----a-w- c:\windows\system32\OVDecode.dll
2011-09-14 16:46 . 2011-09-14 16:46 13625856 ----a-w- c:\windows\system32\amdocl.dll
2011-09-14 16:38 . 2011-09-14 16:38 37376 ----a-w- c:\windows\system32\amdoclcl.dll
2011-08-31 04:05 . 2011-08-31 04:05 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-08-31 04:05 . 2011-08-31 04:05 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-08-31 04:05 . 2011-08-31 04:05 178536 ----a-w- c:\windows\system32\dnssdX.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
--- c:\windows\system32\DllHost.exe ---
Company: Microsoft Corporation
File Description: COM Surrogate
File Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Product Name: Microsoft® Windows® Operating System
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: dllhost.exe
File size: 7168
Created time: 2009-07-13 23:43
Modified time: 2009-07-14 01:14
MD5: A63DC5C2EA944E6657203E0C8EDEAF61
SHA1: ACE762C51DB1908C858C898D7E0F9B36F788D2D9
.
.
((((((((((((((((((((((((((((( SnapShot_2011-10-31_22.46.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-13 23:42 . 2009-07-14 01:16 41984 c:\windows\winsxs\x86_microsoft-windows-wab-core_31bf3856ad364e35_6.1.7601.21830_none_579ad6f7c13ca999\wabimp.dll
+ 2009-07-13 23:42 . 2009-07-14 01:16 41984 c:\windows\winsxs\x86_microsoft-windows-wab-core_31bf3856ad364e35_6.1.7601.17699_none_56d95b58a847985d\wabimp.dll
+ 2009-07-13 23:42 . 2009-07-14 01:16 41984 c:\windows\winsxs\x86_microsoft-windows-wab-core_31bf3856ad364e35_6.1.7600.21062_none_5595e0fdc42cfa49\wabimp.dll
+ 2009-07-13 23:42 . 2009-07-14 01:16 41984 c:\windows\winsxs\x86_microsoft-windows-wab-core_31bf3856ad364e35_6.1.7600.16891_none_54eafc02ab2861b9\wabimp.dll
+ 2010-01-10 02:48 . 2011-11-07 01:08 36690 c:\windows\System32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 04:55 . 2011-11-08 23:19 42060 c:\windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2010-01-10 00:28 . 2011-11-09 22:29 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-01-10 00:28 . 2011-10-31 15:42 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-01-10 00:28 . 2011-11-09 22:29 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:41 . 2011-10-31 15:42 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:41 . 2011-11-09 22:29 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-01-21 02:19 . 2011-11-07 03:58 7214 c:\windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2370536414-983749384-3936569394-1006_UserData.bin
+ 2010-02-07 20:49 . 2011-11-01 16:20 4524 c:\windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2370536414-983749384-3936569394-1004_UserData.bin
+ 2010-01-10 02:48 . 2011-11-08 14:08 8072 c:\windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2370536414-983749384-3936569394-1001_UserData.bin
- 2011-10-30 18:52 . 2011-10-31 15:42 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-11-09 02:56 . 2011-11-09 22:29 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-10-30 18:52 . 2011-10-31 15:42 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-11-09 02:56 . 2011-11-09 22:29 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-05-21 02:25 . 2010-11-20 12:29 187776 c:\windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7601.17697_none_b4d1ffa1c4e682b5\FWPKCLNT.SYS
+ 2009-07-13 23:12 . 2009-07-14 01:20 187472 c:\windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7600.16889_none_b2f8731bc7b62d86\FWPKCLNT.SYS
+ 2010-01-10 11:04 . 2011-11-09 13:40 293112 c:\windows\System32\wdi\SuspendPerformanceDiagnostics_SystemData_FastS4.bin
+ 2009-07-14 02:05 . 2011-11-09 22:33 626354 c:\windows\System32\perfh009.dat
- 2009-07-14 02:05 . 2011-10-30 15:17 626354 c:\windows\System32\perfh009.dat
+ 2009-07-14 02:05 . 2011-11-09 22:33 107816 c:\windows\System32\perfc009.dat
- 2009-07-14 02:05 . 2011-10-30 15:17 107816 c:\windows\System32\perfc009.dat
+ 2009-07-14 04:47 . 2011-11-09 02:55 391728 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 04:47 . 2011-10-30 18:51 391728 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-10-20 19:53 . 2011-11-03 00:50 572652 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2370536414-983749384-3936569394-1001-12288.dat
+ 2009-07-13 23:42 . 2009-07-14 01:11 1098752 c:\windows\winsxs\x86_microsoft-windows-wab-core_31bf3856ad364e35_6.1.7601.21830_none_579ad6f7c13ca999\wab32res.dll
+ 2009-07-13 23:42 . 2009-07-14 01:11 1098752 c:\windows\winsxs\x86_microsoft-windows-wab-core_31bf3856ad364e35_6.1.7601.17699_none_56d95b58a847985d\wab32res.dll
+ 2009-07-13 23:42 . 2009-07-14 01:11 1098752 c:\windows\winsxs\x86_microsoft-windows-wab-core_31bf3856ad364e35_6.1.7600.21062_none_5595e0fdc42cfa49\wab32res.dll
+ 2009-07-13 23:42 . 2009-07-14 01:11 1098752 c:\windows\winsxs\x86_microsoft-windows-wab-core_31bf3856ad364e35_6.1.7600.16891_none_54eafc02ab2861b9\wab32res.dll
+ 2010-12-14 13:41 . 2011-11-07 12:39 2896084 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2370536414-983749384-3936569394-1006-8192.dat
+ 2010-12-14 13:41 . 2011-11-02 22:18 2327636 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2370536414-983749384-3936569394-1005-8192.dat
+ 2011-02-07 23:08 . 2011-11-09 02:55 4057207 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2370536414-983749384-3936569394-1004-8192.dat
+ 2010-12-05 17:26 . 2011-11-09 02:55 3750940 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2370536414-983749384-3936569394-1001-8192.dat
+ 2011-05-20 08:01 . 2011-11-09 21:25 125307612 c:\windows\winsxs\ManifestCache\a786a517e28d5687_blobs.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2011-05-13 4283256]
"TivoServer"="c:\program files\TiVo\Desktop\TiVoServer.exe" [2010-08-24 2264336]
"TivoTransfer"="c:\program files\TiVo\Desktop\TiVoTransfer.exe" [2010-08-24 608528]
"TivoNotify"="c:\program files\TiVo\Desktop\TiVoNotify.exe" [2010-08-24 437520]
"TranscodingService"="c:\program files\TiVo\Desktop\Plus\\TranscodingService.exe" [2010-08-24 856336]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-11-06 4615552]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"fssui"="c:\program files\Windows Live\Family Safety\fsui.exe" [2011-05-13 884584]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"Start WingMan Profiler"="c:\program files\Logitech\Gaming Software\LWEMon.exe" [2008-04-04 88584]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"EEventManager"="c:\program files\Epson Software\Event Manager\EEventManager.exe" [2009-12-03 976320]
"snpstd3"="c:\windows\vsnpstd3.exe" [2006-09-19 827392]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2011-04-13 1298320]
"PAC7302_Monitor"="c:\windows\PixArt\PAC7302\Monitor.exe" [2006-11-03 319488]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-10-09 421736]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVWSzItQUxZTUYtU0xLTFUtQVoyVUItNkdPS0ItSkhGTkg&inst=NzctNTkzNjMyMzQ5LUZQOSs2LVRCOSsyLUZMKzktRjEwTSs1LVFJWDErNC1YMjAxMCsyLUYxME0xMEQrMS1MSUMrNzctU1AxKzEtU1AxVEIrMS1TVUQrMS1TMUkrMS1TVTMrMS1GTDEwKzEtRERUKzA&prod=90&ver=10.0.1391" [?]
.
c:\users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R1 MpKsl0f087856;MpKsl0f087856;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0209AC4E-D9C4-4289-BBC5-3CF5A16CA916}\MpKsl0f087856.sys [x]
R1 MpKsl49eafb6b;MpKsl49eafb6b;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A1C08BE0-1CDF-4B13-8F5D-0CBFC2D5122F}\MpKsl49eafb6b.sys [x]
R1 MpKsl8590d562;MpKsl8590d562;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{2D748FEB-2C0D-465B-BDDA-2F108C3D294F}\MpKsl8590d562.sys [x]
R1 MpKsl912937b0;MpKsl912937b0;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C1D324BE-2AAC-4ACB-966F-4B91FBAE9330}\MpKsl912937b0.sys [x]
R2 AODDriver4.01;AODDriver4.01;c:\program files\ATI Technologies\ATI.ACE\Fuel\i386\AODDriver2.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 135664]
R3 amdiox86;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox86.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 135664]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2011-04-18 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2011-04-27 65024]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 208944]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-30 1343400]
R4 TivoBeacon2;TiVo Beacon Service;c:\program files\TiVo\Desktop\TiVoBeacon.exe [2010-08-24 1104656]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2011-07-22 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2011-07-12 67664]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-08-11 116608]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-07-28 176128]
S2 EPSON_EB_RPCV4_04;EPSON V5 Service4(04);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50ST7.EXE [2009-09-14 153600]
S2 EPSON_PM_RPCV4_04;EPSON V3 Service4(04);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50RP7.EXE [2009-09-14 121856]
S2 FlipShareServer;FlipShare Server;c:\program files\Flip Video\FlipShareServer\FlipShareServer.exe [2010-12-15 1085440]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2011-07-28 8396800]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2011-07-28 247296]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [2011-03-30 100880]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 01:36]
.
2011-11-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 01:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{3EA3B73C-52E7-4632-9399-71C3A80B61CC}: NameServer = 192.168.2.1,8.8.4.4,8.8.4.4
.
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\windows\system32\atieclxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Flip Video\FlipShare\FlipShareService.exe
c:\program files\Windows Live\Family Safety\fsssvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Microsoft\BingBar\SeaPort.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\DllHost.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\AVG\AVG PC Tuneup 2011\BoostSpeed.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Google\Google Toolbar\GoogleToolbarUser_32.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\DllHost.exe
.
**************************************************************************
.
Completion time: 2011-11-09 17:23:45 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-09 23:23
ComboFix2.txt 2011-11-08 14:30
ComboFix3.txt 2011-11-05 22:49
ComboFix4.txt 2011-11-05 17:13
ComboFix5.txt 2011-11-09 21:35
.
Pre-Run: 4,222,251,008 bytes free
Post-Run: 4,306,898,944 bytes free
.
- - End Of File - - 1EC6BE812728515E747A1A01DE9242C3
 