BleepingComputer.com: Infections - Trj/Sinowal.WXX and Bck/Bredolab.AE-- per Panda scan online

Hi, and thanks so much for your very generous assistance!

Summary -
Windows 7 Home Premium --- 64-bit
Firefox 3.6.16 (default)
Internet Explorer 8
Thunderbird 3.0.11 (default)
Avast free version
Windows Firewall - On

random unknown files trying to "phone home" - blocked by Avast
many programs have disappeared

Ran Malwarebytes - found nothing
Ran Panda ActiveScan online - found Trj/Sinowal.WXX and Bck/Bredolab.AE, & dozens of cookies
- found the two in email, surprised by that - we're extremely cautious
Followed your prep instructions -
- unhide
~ hidden files, folders, or drives
~ extensions for known file types
~ protected operating system files
- Windows Firewall - On
- Ran DeFogger
- Ran DDS - log files included here
- Can't run GMER (have Win7/64)


Details -
Another regular user of this computer was on same websites as usual & reading email (she never opens junk email) yesterday evening (7/27), nothing unusual until Avast began giving notice of blocking connections to urls every 10 or 15 minutes. Eventually she shut down the computer for the evening.

Within minutes after I booted up this morning, I began getting the same/similar Avast messages, the most recent is the same thing over the last 5 hours -

"Malicious URL blocked. Avast Network Shield has blocked a threat.
The threat was detected and blocked just before connecting to the url.
Object: www.newaitz.com/borders.php (first several this morning was 188.72.228.113/twere.exe)
Infection: URL:Mal
Action: Blocked
Process: C:\Windows\TEMP\Ihh.exe" (that's capital i hh, not L hh)
(first Process this morning was Windows\system32\consrv.dll, Avast log said it was moved to C:\Windows\explorer.exe)"

(Probably unnecessary, but, respectfully mentioning, found consrv.dll info at www.securelist.com/en/blog/493/MAX_sets_its_sights_on_x64_platforms - [snip] ... Bleeding Life exploit kit. drive-by ... In particular, Acrobat Reader and Java. ... MAX++ Trojan-Downloader is installed. ...downloads the appropriate MAX++ dropper. ...dropper specially compiled for x64 systems ...does not contain a rootkit. ...body of dropper placed in system32 folder under the name consrv.dll. ...x64 version of MAX++ is installed by injecting itself into the services.exe process. What makes an infected x64 system difficult to treat is the malware's autorun key: if the file is deleted without repairing the registry key, the BSOD will appear when the system attempts to boot.)

Also new browser tabs popping open occasionally with a variety of urls: pops.dazzlingseek.com, pops.thepurple-search.com, and others similar, every 2 hours or so, a string of 2 or 3 at a time.

- Ran Malwarebytes - found nothing
- Ran Panda ActiveScan online - found Trj/Sinowal.WXX and Bck/Bredolab.AE, along with dozens of cookies that I will get rid of last - surprised to see those, I'm forever manually denying cookies, as many as around 20 at a time.

05951251 Bck/Bredolab.AE Virus/Trojan Active - No Severity - 1 Disinfectable - Yes
c:\gateway\documents and settings\owner\application data\thunderbird\mail location
\inbox[facebook_password_37413.zip][facebook_password_37413.exe]

05951251 Bck/Bredolab.AE Virus/Trojan Active - No Severity - 1 Disinfectable - Yes
c:\users\lynn\appdata\roaming\thunderbird\mail location
\inbox[facebook_password_37413.zip[facebook_password_37413.exe]

06125524 Trj/Sinowal.WXX Virus/Trojan Active - No Severity - 1 Disinfectable - Yes
c:\gateway\documents and settings\owner\application data\thunderbird\mail location
\inbox[facebook_password_346.zip][facebook_password_346.exe]

06125524 Trj/Sinowal.WXX Virus/Trojan Active - No Severity - 1 Disinfectable - Yes
c:\users\lynn\appdata\roaming\thunderbird\mail location
\inbox[facebook_password_346.zip][facebook_password_346.exe]

SUSPECTS
Sent Location
No c:\windows\syswow64\config\systemprofile\appdata\local\ntachcat.dll
No c:\gateway\winnt\dtaplugin.exe
(e-book reader integrated with eSellerate/Digital River ecommerce,
with an e-book from years ago, never opened it, meant to have already deleted it)
No c:\users\lynn\appdata\local\temp\cab9.tmp
No c:\windows\temp\nwcosamexr.exe

- In the middle of researching what to do, both browsers disappeared, would not re-launch from the toolbar icons. (default Firefox 3.6.16 and Internet Explorer 8 - used when google analytics prevents Firefox pages from loading).

Clicking both task bar icon brings up the "Open With" screen, so, couldn't open them. Went to a known good and safe link in an email, which brought Firefox back up. In Windows explorer, went to iexplore.exe, right-click, "run as administrator", flash then gone, right-click then "start", same thing, right-click then "Open", got "open with". Still haven't gotten IE re-started.

- While working on getting the browsers back, Windows Explorer disappeared. Clicking the task bar icon brought up "open with". Went to Task Launcher, explorer.exe was still listed in "Processes", double-clicked and got it back.

- During the same time frame, Windows Security Center service stopped (red x near clock), with error msg "The Windows Security Center service can't be started". Went to Run > services.msc, Security Center is not in the list.

Now, most every program I try to open is pulling up "open with", just tried opening Avast (wanted to review the log) and MS Paint (wanted to get screen shots), my password keeper, whisper.exe, error msg "application not found", but the data file is still in its separate folder, don't yet know how many more are gone.

Noticed in the DDS log that Yontoo was just installed yesterday also, at the same time as the Avast alerts began. It has never been deliberately downloaded/installed, and there was never any hint that it was taking place - I'd like to get rid of that too.

My apologies if this is too much info, just not sure what may or may not be important.

--- DDS.txt log ---

DDS (Ver_2011-06-23.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_20
Run by Lynn at 18:20:29 on 2011-07-28
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.8119.4753 [GMT -4:00]
.
AV: avast! Antivirus *Enabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
SP: avast! Antivirus *Enabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
C:\Program Files (x86)\Dell\DellComms\bin\sprtsvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\WUDFHost.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\scheduler\STService.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\Toaster.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Windows\System32\StikyNot.exe
C:\Program Files\Dell\DellDock\DellDock.exe
C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Windows\Samsung\PanelMgr\SSMMgr.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\Samsung\PanelMgr\caller64.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\System32\vds.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files (x86)\OpenOffice.org 3\program\swriter.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\taskhost.exe
C:\Windows\Syswow64\ping.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\TEMP\tmph4407026403140719092.tmp
C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\notepad.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\naf.exe
C:\Windows\explorer.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\TEMP\Ihg.exe
C:\Windows\TEMP\Ihh.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://att.net/
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - C:\Program Files (x86)\Yontoo Layers Runtime\YontooIEClient_2.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
uRun: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe
mRun: [PDVDDXSrv] "C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
mRun: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
mRun: [dellsupportcenter] "C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [Samsung PanelMgr] C:\Windows\Samsung\PanelMgr\ssmmgr.exe /autorun
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRunOnce: [Launcher] C:\Program Files (x86)\Dell DataSafe Local Backup\Components\scheduler\Launcher.exe
mRunOnce: [STToasterLauncher] C:\program files (x86)\Dell DataSafe Local Backup\toasterLauncher.exe
mRunOnce: [Malwarebytes' Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
dRun: [Ylaho] rundll32.exe "C:\Windows\system32\config\systemprofile\AppData\Local\NTAchcat.dll",Startup
dRun: [8DDYX0ZBPZ] C:\Windows\TEMP\Ihh.exe
dRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
dRun: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
dRun: [804993215] C:\Windows\system32\config\systemprofile\AppData\Local\naf.exe
StartupFolder: C:\Users\Lynn\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\DELLDO~1.LNK - C:\Program Files (x86)\Dell\DellDock\DellDock.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
dPolicies-explorer: HideSCAHealth = 1 (0x1)
IE: SmarThru4 Capture Selection - C:\Program Files (x86)\SmarThru 4\WebCapture.dll2.htm
IE: SmarThru4 Save as HTML - C:\Program Files (x86)\SmarThru 4\WebCapture.dll1.htm
IE: SmarThru4 Save Selected Text - C:\Program Files (x86)\SmarThru 4\WebCapture.dll.htm
IE: SmarThru4 Web Capture - C:\Program Files (x86)\SmarThru 4\WebCapture.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
DPF: {106E49CF-797A-11D2-81A2-00E02C015623} - hxxp://www.alternatiff.com/install-ie/alttiff.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.254 192.168.1.254
TCP: Interfaces\{0F5704FA-1935-46A2-AA4B-3B9B5CA7969C} : DhcpNameServer = 192.168.1.254 192.168.1.254
Handler: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} - c:\Program Files (x86)\Cozi Express\CoziProtocolHandler.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO-X64: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
BHO-X64: Search Helper - No File
BHO-X64: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: Windows Live Toolbar Helper: {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
BHO-X64: Yontoo Layers: {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files (x86)\Yontoo Layers Runtime\YontooIEClient_2.dll
BHO-X64: Yontoo Layers - No File
TB-X64: &Windows Live Toolbar: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
mRun-x64: [PDVDDXSrv] "C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
mRun-x64: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
mRun-x64: [dellsupportcenter] "C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
mRun-x64: [Samsung PanelMgr] C:\Windows\Samsung\PanelMgr\ssmmgr.exe /autorun
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRunOnce-x64: [Launcher] C:\Program Files (x86)\Dell DataSafe Local Backup\Components\scheduler\Launcher.exe
mRunOnce-x64: [STToasterLauncher] C:\program files (x86)\Dell DataSafe Local Backup\toasterLauncher.exe
mRunOnce-x64: [Malwarebytes' Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Lynn\AppData\Roaming\Mozilla\Firefox\Profiles\n0spv2f6.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://att.net/
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.type - 1
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdjvu.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
FF - plugin: C:\WINNT\system32\Adobe\Director\np32dsw.dll
FF - plugin: C:\WINNT\System32\DNAML\npdbplug.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
.
============= SERVICES / DRIVERS ===============
.
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R1 aswSP;aswSP;C:\Windows\system32\drivers\aswSP.sys --> C:\Windows\system32\drivers\aswSP.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AERTFilters;Andrea RT Filters Service;C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe [2010-2-17 92160]
R2 aswFsBlk;aswFsBlk;C:\Windows\system32\drivers\aswFsBlk.sys --> C:\Windows\system32\drivers\aswFsBlk.sys [?]
R2 aswMonFlt;aswMonFlt;\??\C:\Windows\system32\drivers\aswMonFlt.sys --> C:\Windows\system32\drivers\aswMonFlt.sys [?]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2010-6-7 40384]
R2 DockLoginService;Dock Login Service;C:\Program Files\Dell\DellDock\DockLogin.exe [2009-6-9 155648]
R2 SftService;SoftThinks Agent Service;C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe [2010-2-17 656624]
R2 sprtsvc_DellComms;SupportSoft Sprocket Service (DellComms);C:\Program Files (x86)\Dell\DellComms\bin\sprtsvc.exe [2009-5-5 206064]
R2 SSPORT;SSPORT;\??\C:\Windows\system32\Drivers\SSPORT.sys --> C:\Windows\system32\Drivers\SSPORT.sys [?]
R3 avast! Mail Scanner;avast! Mail Scanner;C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2010-6-7 40384]
R3 avast! Web Scanner;avast! Web Scanner;C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2010-6-7 40384]
R3 HECIx64;Intel® Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
R3 IntcDAud;Intel® Display Audio;C:\Windows\system32\DRIVERS\IntcDAud.sys --> C:\Windows\system32\DRIVERS\IntcDAud.sys [?]
R3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\k57nd60a.sys --> C:\Windows\system32\DRIVERS\k57nd60a.sys [?]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\system32\drivers\nvhda64v.sys --> C:\Windows\system32\drivers\nvhda64v.sys [?]
.
=============== File Associations ===============
.
exefile="C:\Windows\SysWOW64\config\systemprofile\AppData\Local\naf.exe" -a "%1" %*
.
=============== Created Last 30 ================
.
2011-07-28 19:28:39 4283672 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
2011-07-28 19:28:11 42776 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
2011-07-28 19:19:56 0 ----a-w- C:\ProgramData\vbrw.exe
2011-07-28 19:19:56 0 ----a-w- C:\ProgramData\sfto.exe
2011-07-28 19:19:56 0 ----a-w- C:\ProgramData\rxml.exe
2011-07-28 19:19:56 0 ----a-w- C:\ProgramData\muog.exe
2011-07-28 17:58:30 63488 --sha-r- C:\Windows\SysWow64\dspropz.dll
2011-07-28 15:10:58 33800 ----a-w- C:\Windows\System32\drivers\pavboot64.sys
2011-07-28 15:10:54 -------- d-----w- C:\Program Files (x86)\Panda Security
2011-07-27 22:41:22 -------- d-----w- C:\ProgramData\Tarma Installer
2011-07-27 22:41:22 -------- d-----w- C:\Program Files (x86)\Yontoo Layers Runtime
.
==================== Find3M ====================
.
2011-07-06 23:52:42 41272 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2011-07-06 23:52:42 25912 ----a-w- C:\Windows\System32\drivers\mbam.sys
.
============= FINISH: 18:20:59.06 ===============

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

• Do not run any other tool untill instructed to do so!
  
• Please Do not Attach logs or put in code boxes.
  
• Tell me about any problems that have occurred during the fix.
  
• Tell me of any other symptoms you may be having as these can help also.
  
• Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.

• The application window will appear
  
• Click the Disable button to disable your CD Emulation drivers
  
• Click Yes to continue
  
• A 'Finished!' message will appear
  
• Click OK
  
• DeFogger may ask you to reboot the machine, if it does - click OK

Do not re-enable these drivers until otherwise instructed.

Download DDS:

Please download DDS by sUBs from one of the links below and save it to your desktop:


Download DDS and save it to your desktop

Link1
Link2
Link3

Please disable any anti-malware program that will block scripts from running before running DDS.


• Double-Click on dds.scr and a command window will appear. This is normal.
  
• Shortly after two logs will appear:
  
  • DDS.txt
    
  • Attach.txt
  
  
• A window will open instructing you save & post the logs
  
• Save the logs to a convenient place such as your desktop
  
• Copy the contents of both logs & post in your next reply

information and logs:

In your next post I need the following


• .logs from DDS
  
• let me know of any problems you may have had

Gringo

Thank you Gringo!

The day after my original post, 7/29, things progressively got worse. Late in the day, "Security Central" scareware suddenly appeared and crippled all applications, task manager, etc. and I could no longer get online. I don't have another computer, also couldn't find one to borrow, ended up taking it to a local computer shop. Picked up the next day, 7/30 - assured me everything was cleaned out.

The following day, Sunday 7/31, I ran a Panda online scan. During that scan, Microsoft Security Essentials alerted -

7/31 - MSE - 2 threats Detected & Removed -
TrojanDownloader:Win32/Tracur.y - Active - file: C:\Windows.old\Windows\Temp\tmph4407026403140719092.tmp
Rogue:Win32/FakeRean - Active - file: C:\Windows.old\Windows\SysWOW64\config\systemprofile\AppData\Local\naf.exe
(note: Panda identified both as Trj/CI.A, in same locations)

Ran MSE yesterday, 8/3 -

1 threat Detected & Removed -
Rogue:Win32/FakeRean - Active
containerfile: C:\Windows.old\ProgramData\defender.exe
containerfile: C:\Windows.old\Windows\Temp\D0B9.tmp
file: C:\Windows.old\ProgramData\defender.exe->(UPX)
file: C:\Windows.old\Users\Public\Desktop\Security Protection.lnk
file: C:\Windows.old\Windows\Temp\D0B9.tmp->(UPX)

I've taken no further scans or actions.

Also, I've attempted upgrading Microsoft Security Essentials 3 or 4 times, all failing - error code 0x80070643. The GUI indicates definitions are updating correctly.

As per your instructions -
Will not run any other tool ( or make any changes) until instructed
Ran DeFogger > disable (won't re-enable until you instruct)


Contents of DDS.txt -

.
DDS (Ver_2011-06-23.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_26
Run by Owner at 22:58:35 on 2011-08-04
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.8119.6057 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {BF5CEBDC-F2D3-7540-343C-F0CE11FD6E66}
SP: Microsoft Security Essentials *Enabled/Updated* {043D0A38-D4E9-7ACE-0E8C-CBBC6A7A24DB}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Windows\System32\StikyNot.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\Samsung\PanelMgr\SSMMgr.exe
C:\Windows\Samsung\PanelMgr\caller64.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10u_ActiveX.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://att.my.yahoo.com/?_bc=1
mWinlogon: Userinit=userinit.exe
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
uRun: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Samsung PanelMgr] C:\Windows\Samsung\PanelMgr\ssmmgr.exe /autorun
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: SmarThru4 Capture Selection - C:\Program Files (x86)\SmarThru 4\WebCapture.dll2.htm
IE: SmarThru4 Save as HTML - C:\Program Files (x86)\SmarThru 4\WebCapture.dll1.htm
IE: SmarThru4 Save Selected Text - C:\Program Files (x86)\SmarThru 4\WebCapture.dll.htm
IE: SmarThru4 Web Capture - C:\Program Files (x86)\SmarThru 4\WebCapture.dll
DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} - hxxps://support.dell.com/systemprofiler/SysProExe.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.254 192.168.1.254
TCP: Interfaces\{25284F3C-E996-4591-892F-57834BAC44C5} : DhcpNameServer = 192.168.1.254 192.168.1.254
TCP: Interfaces\{59102DAE-38DB-4605-A4BD-2214D939C259} : DhcpNameServer = 10.1.10.1 0.0.0.0 0.0.0.0
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [Samsung PanelMgr] C:\Windows\Samsung\PanelMgr\ssmmgr.exe /autorun
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\nawyv8p2.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://att.net/
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.type - 1
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
FF - plugin: C:\WINNT\system32\Adobe\Director\np32dsw.dll
FF - plugin: C:\WINNT\System32\DNAML\npdbplug.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
.
============= SERVICES / DRIVERS ===============
.
R0 pavboot;pavboot;C:\Windows\system32\drivers\pavboot64.sys --> C:\Windows\system32\drivers\pavboot64.sys [?]
R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-7-30 303952]
R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-7-30 2214504]
R2 SSPORT;SSPORT;\??\C:\Windows\system32\Drivers\SSPORT.sys --> C:\Windows\system32\Drivers\SSPORT.sys [?]
R3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\k57nd60a.sys --> C:\Windows\system32\DRIVERS\k57nd60a.sys [?]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
R3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 DrvAgent64;DrvAgent64;C:\Windows\SysWOW64\drivers\DrvAgent64.SYS [2011-7-30 21712]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2011-08-04 19:37:10 8578896 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{14F10101-1A56-4680-A7FA-DFB819C6F96A}\mpengine.dll
2011-08-04 19:26:45 -------- d-----w- C:\Program Files (x86)\Microsoft Antimalware
2011-08-04 13:40:23 -------- d-----w- C:\Program Files (x86)\MSXML 4.0
2011-08-03 17:59:47 -------- d-----w- C:\Users\Owner\AppData\Roaming\Foxit Software
2011-08-02 23:41:21 -------- d-----w- C:\Users\Owner\AppData\Local\PSU
2011-08-02 23:24:25 -------- d-----w- C:\Program Files (x86)\Foxit Software
2011-08-02 22:48:08 -------- d-----w- C:\Program Files (x86)\Readiris10
2011-08-02 22:47:56 -------- d-----w- C:\Program Files (x86)\SmarThru 4
2011-08-02 22:46:08 77824 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\ctor.dll
2011-08-02 22:46:08 32768 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\objectps.dll
2011-08-02 22:46:08 225280 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\IScript\iscript.dll
2011-08-02 22:46:08 176128 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\iuser.dll
2011-08-02 22:46:07 614532 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe
2011-08-02 22:44:59 -------- d-----w- C:\Users\Owner\AppData\Local\S2PC
2011-08-02 22:44:57 587264 ----a-w- C:\Windows\System32\ssmgr64.cpl
2011-08-02 22:44:55 113768 ----a-w- C:\Windows\Wiainst.exe
2011-08-02 22:44:45 36864 ----a-w- C:\Windows\System32\SaImgFlt.dll
2011-08-02 22:44:45 160768 ----a-w- C:\Windows\System32\SaMinDrv.dll
2011-08-02 22:44:45 14848 ----a-w- C:\Windows\System32\SaSegFlt.dll
2011-08-02 22:44:45 13312 ----a-w- C:\Windows\System32\SaErHdlr.dll
2011-08-02 22:29:21 11576 ----a-w- C:\Windows\System32\drivers\SSPORT.SYS
2011-08-02 22:29:20 -------- d-----w- C:\Program Files (x86)\Samsung
2011-08-02 18:21:14 -------- d-----w- C:\Windows\System32\EventProviders
2011-08-01 22:58:15 -------- d-----w- C:\Users\Owner\AppData\Local\Microsoft Games
2011-08-01 19:23:17 -------- d-----w- C:\Users\Owner\AppData\Local\Deployment
2011-08-01 19:23:17 -------- d-----w- C:\Users\Owner\AppData\Local\Apps
2011-08-01 19:14:31 -------- d-----w- C:\Windows\SysWow64\Dell
2011-08-01 19:14:31 -------- d-----w- C:\Program Files (x86)\Dell
2011-08-01 15:20:31 -------- d-----w- C:\Windows\SysWow64\Adobe
2011-08-01 05:02:33 -------- d-----w- C:\Users\Owner\AppData\Roaming\OpenOffice.org
2011-08-01 04:42:30 -------- d-----w- C:\Program Files (x86)\OpenOffice.org 3
2011-08-01 04:41:32 476904 ----a-w- C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
2011-08-01 04:41:31 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2011-08-01 03:01:52 -------- d-----w- C:\Program Files (x86)\Whisper
2011-08-01 02:37:11 8578896 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-08-01 02:20:42 8578896 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Updates\mpengine.dll
2011-07-31 17:23:27 33800 ----a-w- C:\Windows\System32\drivers\pavboot64.sys
2011-07-31 17:23:22 -------- d-----w- C:\Program Files (x86)\Panda Security
2011-07-31 00:32:16 -------- d-----w- C:\Users\Owner\AppData\Local\Mozilla
2011-07-30 21:57:14 -------- d-----w- C:\Users\Owner\AppData\Local\Thunderbird
2011-07-30 21:43:04 -------- d-----w- C:\Users\Owner\AppData\Local\Diagnostics
2011-07-30 21:28:06 -------- d-----w- C:\Windows\Panther
2011-07-30 21:20:44 -------- d-----w- C:\Windows.old.000
2011-07-30 19:33:42 -------- d-----w- C:\Program Files\Broadcom
2011-07-30 19:33:15 -------- d-----w- C:\Windows\Dell
2011-07-30 19:32:26 -------- d-----w- C:\Users\Owner\AppData\Local\Downloaded Installations
2011-07-30 19:23:32 404640 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-07-30 19:18:49 21712 ----a-w- C:\Windows\SysWow64\drivers\DrvAgent64.SYS
2011-07-30 19:18:49 -------- d-----w- C:\Users\Owner\AppData\Local\eSupport.com
2011-07-30 19:11:08 270720 ------w- C:\Windows\System32\MpSigStub.exe
2011-07-30 19:09:49 -------- d-----w- C:\Program Files\Microsoft Security Essentials
2011-07-30 19:09:42 -------- d-sh--w- C:\Windows\Installer
2011-07-30 19:03:04 -------- d-----w- C:\Users\Owner\AppData\Roaming\Malwarebytes
2011-07-30 19:02:56 38224 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2011-07-30 19:02:55 24664 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-07-30 19:02:55 -------- d-----w- C:\ProgramData\Malwarebytes
2011-07-30 19:02:55 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-07-30 19:00:41 -------- d-----w- C:\Windows\SysWow64\Wat
2011-07-30 19:00:41 -------- d-----w- C:\Windows\System32\Wat
2011-07-30 19:00:07 1135104 ----a-w- C:\Windows\System32\FntCache.dll
2011-07-30 19:00:07 1074176 ----a-w- C:\Windows\SysWow64\DWrite.dll
2011-07-30 19:00:06 902656 ----a-w- C:\Windows\System32\d2d1.dll
2011-07-30 19:00:06 739840 ----a-w- C:\Windows\SysWow64\d2d1.dll
2011-07-30 19:00:06 1540608 ----a-w- C:\Windows\System32\DWrite.dll
2011-07-30 18:49:31 367104 ----a-w- C:\Windows\System32\wcncsvc.dll
2011-07-30 18:49:31 276992 ----a-w- C:\Windows\SysWow64\wcncsvc.dll
2011-07-30 18:43:30 311808 ----a-w- C:\Windows\System32\msv1_0.dll
2011-07-30 18:43:30 257024 ----a-w- C:\Windows\SysWow64\msv1_0.dll
2011-07-30 18:37:47 14336 ----a-w- C:\Windows\System32\drivers\sffp_sd.sys
2011-07-30 18:36:59 99176 ----a-w- C:\Windows\SysWow64\PresentationHostProxy.dll
2011-07-30 18:36:59 49472 ----a-w- C:\Windows\SysWow64\netfxperf.dll
2011-07-30 18:36:59 48960 ----a-w- C:\Windows\System32\netfxperf.dll
2011-07-30 18:36:59 444752 ----a-w- C:\Windows\System32\mscoree.dll
2011-07-30 18:36:59 320352 ----a-w- C:\Windows\System32\PresentationHost.exe
2011-07-30 18:36:59 297808 ----a-w- C:\Windows\SysWow64\mscoree.dll
2011-07-30 18:36:59 295264 ----a-w- C:\Windows\SysWow64\PresentationHost.exe
2011-07-30 18:36:59 1942856 ----a-w- C:\Windows\System32\dfshim.dll
2011-07-30 18:36:59 1130824 ----a-w- C:\Windows\SysWow64\dfshim.dll
2011-07-30 18:36:59 109912 ----a-w- C:\Windows\System32\PresentationHostProxy.dll
2011-07-30 18:32:25 -------- d-----w- C:\Program Files (x86)\NVIDIA Corporation
2011-07-30 18:32:19 739432 ----a-w- C:\Windows\System32\easyupdatusapiu64.dll
2011-07-30 18:32:19 6300776 ----a-w- C:\Windows\System32\nvcpl.dll
2011-07-30 18:32:19 61544 ----a-w- C:\Windows\System32\nvshext.dll
2011-07-30 18:32:19 3040872 ----a-w- C:\Windows\System32\nvsvc64.dll
2011-07-30 18:32:19 2560616 ----a-w- C:\Windows\System32\nvsvcr.dll
2011-07-30 18:32:19 117864 ----a-w- C:\Windows\System32\nvmctray.dll
2011-07-30 18:32:19 1016936 ----a-w- C:\Windows\System32\nvvsvc.exe
2011-07-30 18:32:05 -------- d-----w- C:\ProgramData\NVIDIA Corporation
2011-07-30 18:32:03 -------- d-----w- C:\Program Files\NVIDIA Corporation
2011-07-30 18:31:40 243712 ----a-w- C:\Windows\System32\drivers\ks.sys
2011-07-30 18:29:03 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
2011-07-30 18:29:03 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2011-07-30 18:29:03 153160 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2011-07-30 18:29:03 1446912 ----a-w- C:\Windows\System32\lsasrv.dll
2011-07-30 18:27:27 31232 ----a-w- C:\Windows\SysWow64\prevhost.exe
2011-07-30 18:26:59 3138048 ----a-w- C:\Windows\System32\mstscax.dll
2011-07-30 18:24:34 139264 ----a-w- C:\Windows\System32\cabview.dll
2011-07-30 18:24:34 132608 ----a-w- C:\Windows\SysWow64\cabview.dll
2011-07-30 18:24:27 220672 ----a-w- C:\Windows\System32\wintrust.dll
2011-07-30 18:24:27 172032 ----a-w- C:\Windows\SysWow64\wintrust.dll
2011-07-30 18:23:12 8578896 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{FDBCBA01-8400-4880-8382-4F9FDBFF2117}\mpengine.dll
2011-07-30 18:10:30 -------- d-----w- C:\Users\Owner\My Backup Files
2011-07-30 18:10:30 -------- d-----w- C:\Users\Owner\Drivers
2011-07-30 17:53:46 -------- d-sh--w- C:\Recovery
.
==================== Find3M ====================
.
2011-06-11 02:56:44 3134464 ----a-w- C:\Windows\System32\win32k.sys
2011-06-02 06:45:22 362496 ----a-w- C:\Windows\System32\wow64win.dll
2011-06-02 06:45:22 243200 ----a-w- C:\Windows\System32\wow64.dll
2011-06-02 06:45:22 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
2011-06-02 06:44:54 214528 ----a-w- C:\Windows\System32\winsrv.dll
2011-06-02 06:42:37 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
2011-06-02 06:39:54 422400 ----a-w- C:\Windows\System32\KernelBase.dll
2011-06-02 06:35:56 338944 ----a-w- C:\Windows\System32\conhost.exe
2011-06-02 05:59:44 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
2011-06-02 05:56:28 44032 ----a-w- C:\Windows\apppatch\acwow64.dll
2011-06-02 05:56:06 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2011-06-02 05:54:51 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2011-06-02 05:54:50 272384 ----a-w- C:\Windows\SysWow64\KernelBase.dll
2011-06-02 03:51:00 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2011-06-02 03:50:59 2048 ----a-w- C:\Windows\SysWow64\user.exe
2011-06-02 03:45:49 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2011-06-02 03:45:49 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2011-06-02 03:45:49 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2011-06-02 03:45:49 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2011-05-28 03:25:16 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2011-05-28 03:00:02 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-05-24 11:21:59 404992 ----a-w- C:\Windows\System32\umpnpmgr.dll
2011-05-24 10:34:20 64512 ----a-w- C:\Windows\SysWow64\devobj.dll
2011-05-24 10:34:20 44544 ----a-w- C:\Windows\SysWow64\devrtl.dll
2011-05-24 10:34:00 145920 ----a-w- C:\Windows\SysWow64\cfgmgr32.dll
2011-05-24 10:32:46 252928 ----a-w- C:\Windows\SysWow64\drvinst.exe
.
============= FINISH: 22:58:49.75 ===============


Contents of Attach.txt -

.
DDS (Ver_2011-06-23.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 7/30/2011 1:38:36 PM
System Uptime: 8/4/2011 3:37:58 PM (7 hours ago)
.
Motherboard: Dell Inc. | | 033FF6
Processor: Intel® Core™ i5 CPU 650 @ 3.20GHz | CPU 1 | 3201/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 917 GiB total, 810.294 GiB free.
D: is CDROM ()
E: is Removable
F: is Removable
G: is Removable
H: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP8: 7/31/2011 10:36:50 PM - Windows Update
RP9: 7/31/2011 11:01:20 PM - Installed Whisper 32
RP10: 7/31/2011 11:59:43 PM - Installed Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
RP11: 8/1/2011 12:00:43 AM - Installed Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
RP12: 8/1/2011 12:41:05 AM - Installed Java™ 6 Update 22
RP13: 8/1/2011 12:41:42 AM - Installed OpenOffice.org 3.3
RP14: 8/1/2011 1:04:19 AM - Installed Java™ 6 Update 26
RP15: 8/1/2011 2:11:51 AM - Windows Update
RP16: 8/2/2011 11:05:53 AM - Windows Update
RP17: 8/2/2011 12:49:44 PM - Installed Microsoft Works
RP18: 8/2/2011 2:09:58 PM - Windows Update
RP19: 8/2/2011 2:12:17 PM - Windows Update
RP20: 8/2/2011 2:21:01 PM - Windows Update
RP21: 8/2/2011 2:23:21 PM - Windows Update
RP22: 8/2/2011 2:37:41 PM - Windows Update
RP23: 8/2/2011 6:47:45 PM - Installed SmarThru 4
RP24: 8/2/2011 6:48:09 PM - Installed InstallShield Restore Point
RP25: 8/3/2011 10:31:26 AM - Windows Update
RP26: 8/4/2011 9:38:29 AM - Windows Update
RP27: 8/4/2011 9:42:50 AM - Windows Update
RP28: 8/4/2011 10:02:30 AM - Windows Update
RP29: 8/4/2011 3:17:20 PM - Windows Update
RP30: 8/4/2011 3:37:02 PM - Windows Update
.
==== Installed Programs ======================
.
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Shockwave Player 11.6
Compatibility Pack for the 2007 Office system
Foxit Reader 5.0
Java Auto Updater
Java™ 6 Update 26
Malwarebytes' Anti-Malware
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Silverlight
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Works
Mozilla Firefox (3.6.19)
Mozilla Thunderbird (5.0)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
OpenOffice.org 3.3
Panda ActiveScan 2.0
Readiris Pro 10
Samsung CLX-3170 Series
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
SmarThru 4
SmarThru PC Fax
Whisper 32
.
==== Event Viewer Messages From Past Week ========
.
8/4/2011 9:44:20 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Dnscache service.
8/4/2011 9:22:24 AM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
8/4/2011 3:38:34 PM, Error: Service Control Manager [7000] - The DgiVecp service failed to start due to the following error: The system cannot find the device specified.
8/4/2011 3:37:19 PM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.109.1086.0 Update Source: Microsoft Update Server Update Stage: Install Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7104.0 Error code: 0x8024001e Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
8/4/2011 3:27:01 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Microsoft Security Essentials Client update package - KB2267610.
8/3/2011 10:30:37 AM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.109.915.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7104.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
8/3/2011 10:15:01 AM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
8/2/2011 6:44:07 PM, Error: Service Control Manager [7000] - The DgiVecp service failed to start due to the following error: The system cannot find the file specified.
8/2/2011 6:39:46 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
8/2/2011 2:22:32 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Windows 7 Service Pack 1 for x64-based Systems (KB976932).
8/2/2011 2:22:25 PM, Error: Microsoft-Windows-Service Pack Installer [8] - Service Pack installation failed with error code 0x800f0a09.
8/2/2011 2:21:58 PM, Error: Microsoft-Windows-Service Pack Installer [2] - An installed driver has known compatibility problems. Try updating the driver to a more recent version. Name: Microsoft Security Essentials Reason: your version of this program may prevent successful installation of this service pack. GUID: {EE990683-6675-41CC-BEE9-6A679A01237A}
8/2/2011 10:55:32 AM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
8/1/2011 10:13:51 AM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
7/31/2011 1:25:22 PM, Error: Service Control Manager [7000] - The RkPavproc1 service failed to start due to the following error: This driver has been blocked from loading
7/31/2011 1:25:22 PM, Error: Application Popup [1060] - \??\C:\Windows\SysWow64\drivers\RkPavproc1.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
7/30/2011 3:12:50 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
7/30/2011 3:01:50 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk5\DR6.
7/30/2011 2:56:37 PM, Error: Service Control Manager [7023] -
7/30/2011 2:54:36 PM, Error: Application Popup [877] - There was error [DATABASE OPEN FAILED] processing the driver database.
7/30/2011 11:50:47 PM, Error: Service Control Manager [7043] - The Windows Update service did not shut down properly after receiving a preshutdown control.
7/30/2011 1:47:53 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk5\DR5.
.
==== End Of File ===========================

Thanks so very much for kindly and generously assisting me!

Hello

I Would like you to do the following.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.

Link 1
Link 2
Link 3

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

In your next post I need the following


• Log from Combofix
  
• let me know of any problems you may have had
  
• How is the computer doing now?

Gringo

Hi Gringo,

Still the same problems with Microsoft Security Essentials, and I've just realized I hadn't mentioned a problem with sp1 update before (oops!),
but still the same with that also. From what I've read, it's a common problem with the combination of these two.

Other than that, there's no sign or symptoms of the trojan/virus/scareware behavior.

MICROSOFT SECURITY ESSENTIALS -

After completing ComboFix, MSSE still complains about upgrading.
notification-area alert pops up - "An upgrade is available. Click here to upgrade"
Clicked, then got error - "Illegal operation attempted on a registery key that has been marked for deletion."

Restarted computer -
(fyi - was first restart after running ComboFix, a couple things I had previously added to the start menu disappeared - "Run" command & "Recent Items")

MSSE alerted again -
Clicked to upgrade, failed with same error code as before -
"0x80070643 - Microsoft Security Essentials cannot be installed on a computer that is running other security programs.
Sometimes, even if you remove other security programs, they do not completely uninstall."

I had been using Avast, but when I got the computer back from the shop, every one of my installed programs were gone.
Only the basic programs built into the OS remained. The only "other security programs" are mbam, and some of the Avast files
are in one of the two cloned file sets the computer guy created. He, in turn, installed MSSE instead. I'm beginning to think MSSE
is more trouble than it's worth.


WINDOWS UPDATE -

Tried a microsoft instruction - "Ensure that the Windows Installer service is running" - didn't help...

(small message window)
"Service pack installation can't continue
Software installed on this computer isn't compatible with the service pack.
Click the link for more information about this problem.
After the problem is resolved, restart the installation."

"Microsoft Security Essentials - your version of this program may prevent successful installation of this service pack."

The referenced link is -

http://windows.microsoft.com/en-us/windows7/why-am-i-receiving-a-message-about-microsoft-security-essentials-or-microsoft-forefront-client-security-when-installing-a-service-pack
[snip] "To avoid this issue, install the latest updates to Microsoft Security Essentials"

Closed the message window, then -

"Failed: 1 update - Windows Update encountered an unknown error - code 800F0A09"

With a link to -

http://support.microsoft.com/kb/957307
"This issue occurs if a Windows Update client or a Microsoft Update client cannot access the user token.
To resolve this issue, stop and then restart the Windows Update Service."

Didn't help - same error 800F0A09
..."Software installed on this computer isn't compatible with the service pack."...

I had already tested an sp1 update a couple days after I got the computer back (before my 2nd DDS logs), and it failed -
(I wouldn't have actually installed it until completing your instructions, since sp's often create their own additional problems).
But I have installed small security updates, to test for problems with other types of updates - and they installed in snap -
some before my 2nd DDS logs, and today, 6 for MS Office and 1 for PowerPoint Viewer
(Hope I haven't stepped too far out of line with those, since I should wait on your ok) :::in the time-out chair facing the corner!:::


ComboFix Log ----

ComboFix 11-08-05.01 - Owner 08/05/2011 13:42:10.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.8119.6500 [GMT -4:00]
Running from: c:\users\Owner\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BF5CEBDC-F2D3-7540-343C-F0CE11FD6E66}
SP: Microsoft Security Essentials *Disabled/Updated* {043D0A38-D4E9-7ACE-0E8C-CBBC6A7A24DB}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Install.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-07-05 to 2011-08-05 )))))))))))))))))))))))))))))))
.
.
2011-08-05 17:45 . 2011-08-05 17:45 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-08-05 13:03 . 2011-07-13 01:53 8578896 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{293D47EF-4394-4F32-AB9D-BAEFD60C4A43}\mpengine.dll
2011-08-04 19:26 . 2011-08-04 19:26 -------- d-----w- c:\program files (x86)\Microsoft Antimalware
2011-08-04 13:40 . 2011-08-04 13:40 -------- d-----w- c:\program files (x86)\MSXML 4.0
2011-08-02 23:24 . 2011-08-02 23:24 -------- d-----w- c:\program files (x86)\Foxit Software
2011-08-02 22:46 . 2011-08-02 22:46 -------- d-----w- c:\program files (x86)\Common Files\InstallShield
2011-08-02 22:44 . 2008-06-27 00:44 587264 ----a-w- c:\windows\system32\ssmgr64.cpl
2011-08-02 22:44 . 2009-09-22 06:30 113768 ----a-w- c:\windows\Wiainst.exe
2011-08-02 22:44 . 2009-05-11 23:00 14848 ----a-w- c:\windows\system32\SaSegFlt.dll
2011-08-02 22:44 . 2009-05-11 23:00 160768 ----a-w- c:\windows\system32\SaMinDrv.dll
2011-08-02 22:44 . 2009-05-11 23:00 36864 ----a-w- c:\windows\system32\SaImgFlt.dll
2011-08-02 22:44 . 2009-05-11 23:00 13312 ----a-w- c:\windows\system32\SaErHdlr.dll
2011-08-02 22:29 . 2007-10-23 04:58 11576 ----a-w- c:\windows\system32\drivers\SSPORT.SYS
2011-08-02 22:29 . 2011-08-02 22:29 -------- d-----w- c:\program files (x86)\Samsung
2011-08-02 18:21 . 2011-08-02 18:21 -------- d-----w- c:\windows\system32\EventProviders
2011-08-02 18:10 . 2011-08-02 18:10 -------- d-----w- c:\program files (x86)\Microsoft Silverlight
2011-08-02 16:49 . 2011-08-04 13:39 -------- d-----w- c:\program files (x86)\Microsoft Works
2011-08-01 19:14 . 2011-08-01 19:14 -------- d-----w- c:\windows\SysWow64\Dell
2011-08-01 19:14 . 2011-08-01 19:14 -------- d-----w- c:\program files (x86)\Dell
2011-08-01 15:20 . 2011-08-01 15:20 -------- d-----w- c:\windows\SysWow64\Adobe
2011-08-01 06:00 . 2011-08-01 06:00 -------- d-----w- c:\program files (x86)\Common Files\Java
2011-08-01 04:42 . 2011-08-01 04:42 -------- d-----w- c:\program files (x86)\OpenOffice.org 3
2011-08-01 04:41 . 2011-05-04 08:52 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2011-08-01 04:41 . 2011-08-01 05:04 -------- d-----w- c:\program files (x86)\Java
2011-08-01 03:01 . 2011-08-01 03:01 -------- d-----w- c:\program files (x86)\Whisper
2011-08-01 02:37 . 2011-07-13 01:53 8578896 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-08-01 02:20 . 2011-07-13 01:53 8578896 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Updates\mpengine.dll
2011-07-31 17:23 . 2009-06-30 14:37 33800 ----a-w- c:\windows\system32\drivers\pavboot64.sys
2011-07-31 17:23 . 2011-07-31 17:23 -------- d-----w- c:\program files (x86)\Panda Security
2011-07-31 03:49 . 2011-07-31 03:49 -------- d-----w- c:\program files (x86)\Microsoft.NET
2011-07-30 21:56 . 2011-07-30 21:56 -------- d-----w- c:\program files (x86)\Mozilla Thunderbird
2011-07-30 21:28 . 2011-07-30 17:38 -------- d-----w- c:\windows\Panther
2011-07-30 19:33 . 2011-07-30 19:33 -------- d-----w- c:\program files\Broadcom
2011-07-30 19:33 . 2011-07-30 19:33 -------- d-----w- c:\windows\Dell
2011-07-30 19:23 . 2011-08-01 05:59 404640 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-07-30 19:23 . 2011-08-01 15:21 -------- d-----w- c:\windows\SysWow64\Macromed
2011-07-30 19:18 . 2011-07-30 19:18 21712 ----a-w- c:\windows\SysWow64\drivers\DrvAgent64.SYS
2011-07-30 19:11 . 2010-10-19 20:51 270720 ------w- c:\windows\system32\MpSigStub.exe
2011-07-30 19:09 . 2011-08-04 19:26 -------- d-----w- c:\program files\Microsoft Security Essentials
2011-07-30 19:09 . 2011-08-04 19:26 -------- d-sh--w- c:\windows\Installer
2011-07-30 19:02 . 2010-03-29 19:24 38224 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-07-30 19:02 . 2011-07-30 19:02 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-07-30 19:02 . 2011-07-30 19:02 -------- d-----w- c:\programdata\Malwarebytes
2011-07-30 19:02 . 2010-03-29 19:24 24664 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-30 19:00 . 2011-07-30 19:00 -------- d-----w- c:\windows\SysWow64\Wat
2011-07-30 19:00 . 2011-07-30 19:00 -------- d-----w- c:\windows\system32\Wat
2011-07-30 19:00 . 2011-02-19 06:37 1135104 ----a-w- c:\windows\system32\FntCache.dll
2011-07-30 19:00 . 2011-02-19 05:32 1074176 ----a-w- c:\windows\SysWow64\DWrite.dll
2011-07-30 19:00 . 2011-02-19 06:37 1540608 ----a-w- c:\windows\system32\DWrite.dll
2011-07-30 19:00 . 2011-02-19 06:36 902656 ----a-w- c:\windows\system32\d2d1.dll
2011-07-30 19:00 . 2011-02-19 05:32 739840 ----a-w- c:\windows\SysWow64\d2d1.dll
2011-07-30 18:49 . 2010-09-14 06:45 367104 ----a-w- c:\windows\system32\wcncsvc.dll
2011-07-30 18:49 . 2010-09-14 06:07 276992 ----a-w- c:\windows\SysWow64\wcncsvc.dll
2011-07-30 18:43 . 2009-09-10 06:28 311808 ----a-w- c:\windows\system32\msv1_0.dll
2011-07-30 18:43 . 2009-09-10 05:52 257024 ----a-w- c:\windows\SysWow64\msv1_0.dll
2011-07-30 18:37 . 2009-10-10 03:17 14336 ----a-w- c:\windows\system32\drivers\sffp_sd.sys
2011-07-30 18:36 . 2009-11-25 16:47 99176 ----a-w- c:\windows\SysWow64\PresentationHostProxy.dll
2011-07-30 18:36 . 2009-11-25 16:47 49472 ----a-w- c:\windows\SysWow64\netfxperf.dll
2011-07-30 18:36 . 2009-11-25 16:47 48960 ----a-w- c:\windows\system32\netfxperf.dll
2011-07-30 18:36 . 2009-11-25 16:47 297808 ----a-w- c:\windows\SysWow64\mscoree.dll
2011-07-30 18:36 . 2009-11-25 16:47 295264 ----a-w- c:\windows\SysWow64\PresentationHost.exe
2011-07-30 18:36 . 2009-11-25 16:47 1130824 ----a-w- c:\windows\SysWow64\dfshim.dll
2011-07-30 18:36 . 2009-11-25 16:47 109912 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2011-07-30 18:36 . 2009-11-25 16:47 444752 ----a-w- c:\windows\system32\mscoree.dll
2011-07-30 18:36 . 2009-11-25 16:47 320352 ----a-w- c:\windows\system32\PresentationHost.exe
2011-07-30 18:36 . 2009-11-25 16:47 1942856 ----a-w- c:\windows\system32\dfshim.dll
2011-07-30 18:32 . 2011-07-30 18:56 -------- d-----w- c:\programdata\NVIDIA
2011-07-30 18:32 . 2011-07-30 18:32 -------- d-----w- c:\users\UpdatusUser
2011-07-30 18:32 . 2011-07-30 18:32 -------- d-----w- c:\program files (x86)\NVIDIA Corporation
2011-07-30 18:32 . 2011-05-21 10:01 739432 ----a-w- c:\windows\system32\easyupdatusapiu64.dll
2011-07-30 18:32 . 2011-05-21 10:01 6300776 ----a-w- c:\windows\system32\nvcpl.dll
2011-07-30 18:32 . 2011-05-21 10:01 61544 ----a-w- c:\windows\system32\nvshext.dll
2011-07-30 18:32 . 2011-05-21 10:01 3040872 ----a-w- c:\windows\system32\nvsvc64.dll
2011-07-30 18:32 . 2011-05-21 10:01 2560616 ----a-w- c:\windows\system32\nvsvcr.dll
2011-07-30 18:32 . 2011-05-21 10:01 117864 ----a-w- c:\windows\system32\nvmctray.dll
2011-07-30 18:32 . 2011-05-21 10:01 1016936 ----a-w- c:\windows\system32\nvvsvc.exe
2011-07-30 18:32 . 2011-07-30 18:32 -------- d-----w- c:\programdata\NVIDIA Corporation
2011-07-30 18:32 . 2011-07-30 18:32 -------- d-----w- c:\program files\NVIDIA Corporation
2011-07-30 18:31 . 2010-03-04 04:32 243712 ----a-w- c:\windows\system32\drivers\ks.sys
2011-07-30 18:29 . 2009-12-11 10:29 153160 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2011-07-30 18:29 . 2009-12-11 09:24 1446912 ----a-w- c:\windows\system32\lsasrv.dll
2011-07-30 18:29 . 2009-12-11 07:39 22016 ----a-w- c:\windows\SysWow64\secur32.dll
2011-07-30 18:29 . 2009-12-11 07:36 96768 ----a-w- c:\windows\SysWow64\sspicli.dll
2011-07-30 18:27 . 2011-02-18 06:33 31232 ----a-w- c:\windows\system32\prevhost.exe
2011-07-30 18:26 . 2010-12-18 06:12 3138048 ----a-w- c:\windows\system32\mstscax.dll
2011-07-30 18:24 . 2010-01-09 07:19 139264 ----a-w- c:\windows\system32\cabview.dll
2011-07-30 18:24 . 2010-01-09 06:52 132608 ----a-w- c:\windows\SysWow64\cabview.dll
2011-07-30 18:24 . 2009-12-29 08:03 220672 ----a-w- c:\windows\system32\wintrust.dll
2011-07-30 18:24 . 2009-12-29 06:55 172032 ----a-w- c:\windows\SysWow64\wintrust.dll
2011-07-30 18:23 . 2011-07-20 13:44 8578896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{FDBCBA01-8400-4880-8382-4F9FDBFF2117}\mpengine.dll
2011-07-30 17:53 . 2011-07-30 17:38 -------- d-----w- C:\Recovery
2011-07-30 17:38 . 2011-08-04 23:12 -------- d-----w- c:\users\Owner
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-02 05:56 . 2011-07-30 18:26 44032 ----a-w- c:\windows\apppatch\acwow64.dll
2011-05-21 10:01 . 2011-05-21 10:01 8863336 ----a-w- c:\windows\system32\nvwgf2umx.dll
2011-05-21 10:01 . 2011-05-21 10:01 7123560 ----a-w- c:\windows\system32\nvcuda.dll
2011-05-21 10:01 . 2011-05-21 10:01 67176 ----a-w- c:\windows\system32\OpenCL.dll
2011-05-21 10:01 . 2011-05-21 10:01 6555240 ----a-w- c:\windows\SysWow64\nvwgf2um.dll
2011-05-21 10:01 . 2011-05-21 10:01 57960 ----a-w- c:\windows\SysWow64\OpenCL.dll
2011-05-21 10:01 . 2011-05-21 10:01 5301352 ----a-w- c:\windows\SysWow64\nvcuda.dll
2011-05-21 10:01 . 2011-05-21 10:01 2943592 ----a-w- c:\windows\system32\nvcuvid.dll
2011-05-21 10:01 . 2011-05-21 10:01 2804328 ----a-w- c:\windows\SysWow64\nvcuvid.dll
2011-05-21 10:01 . 2011-05-21 10:01 2644584 ----a-w- c:\windows\system32\nvapi64.dll
2011-05-21 10:01 . 2011-05-21 10:01 2335848 ----a-w- c:\windows\SysWow64\nvapi.dll
2011-05-21 10:01 . 2011-05-21 10:01 22286952 ----a-w- c:\windows\system32\nvoglv64.dll
2011-05-21 10:01 . 2011-05-21 10:01 2212968 ----a-w- c:\windows\system32\nvcuvenc.dll
2011-05-21 10:01 . 2011-05-21 10:01 2082408 ----a-w- c:\windows\SysWow64\nvcuvenc.dll
2011-05-21 10:01 . 2011-05-21 10:01 18583144 ----a-w- c:\windows\system32\nvcompiler.dll
2011-05-21 10:01 . 2011-05-21 10:01 16456296 ----a-w- c:\windows\SysWow64\nvoglv32.dll
2011-05-21 10:01 . 2011-05-21 10:01 15223912 ----a-w- c:\windows\system32\nvd3dumx.dll
2011-05-21 10:01 . 2011-05-21 10:01 1496168 ----a-w- c:\windows\system32\nvdispco6420150.dll
2011-05-21 10:01 . 2011-05-21 10:01 1427048 ----a-w- c:\windows\system32\nvgenco642090.dll
2011-05-21 10:01 . 2011-05-21 10:01 13206120 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2011-05-21 10:01 . 2011-05-21 10:01 13011560 ----a-w- c:\windows\SysWow64\nvcompiler.dll
2011-05-21 10:01 . 2011-05-21 10:01 11992680 ----a-w- c:\windows\SysWow64\nvd3dum.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-03-29 437584]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\ssmmgr.exe" [2009-12-09 606208]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 DrvAgent64;DrvAgent64;c:\windows\SysWOW64\Drivers\DrvAgent64.SYS [2011-07-30 21712]
R3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys [x]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot64.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2010-03-29 303952]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-05-21 2214504]
S2 SSPORT;SSPORT;c:\windows\system32\Drivers\SSPORT.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
.
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1446496]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://att.my.yahoo.com/?_bc=1
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: SmarThru4 Capture Selection - c:\program files (x86)\SmarThru 4\WebCapture.dll2.htm
IE: SmarThru4 Save as HTML - c:\program files (x86)\SmarThru 4\WebCapture.dll1.htm
IE: SmarThru4 Save Selected Text - c:\program files (x86)\SmarThru 4\WebCapture.dll.htm
IE: SmarThru4 Web Capture - c:\program files (x86)\SmarThru 4\WebCapture.dll
TCP: DhcpNameServer = 192.168.1.254 192.168.1.254
FF - ProfilePath - c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\nawyv8p2.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://att.net/
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.type - 1
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-RESTART_STICKY_NOTES - c:\windows\System32\StikyNot.exe
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10u_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10u_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-08-05 13:49:20 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-05 17:49
.
Pre-Run: 869,969,317,888 bytes free
Post-Run: 869,918,670,848 bytes free
.
- - End Of File - - E5176EC59A97D06387DA5339B44C1364

Lets see if we can fix windows update


please go here Fix Windows Update and click on the Fix It Button



also I want you to uninstall MSE and then reinstall it and see if it will update


let me know how things go



normaly when you take a computer to a shop they don't clean it they just reinstall the os so you lose anything that was on there



gringo

Oh Wow Gringo! I wasn't expecting additional help with issues outside of the cleaning process! I really do appreciate it! At the time that I posted the details of the remaining 2 problems, I was thinking it would be best for you to look them over in case there was anything related to the infections. So thank you very much for saving me from lots of study time in figuring out how to fix them!

I ran MS Fix it, uninstalled MSSE and installed the latest version, ran Windows Update to attempt the sp1 install again, and presto! Worked like a charm!

Quote

Yes, I was aware of that, but he assured me he wouldn't, and would call first if he thought it necessary after all. When he had it ready to go, said he replaced everything with a cleaned-up clone, and "to my eye", nothing would look different. Pffft!!!

So thank you again for all your kind and generous help Gringo!

Clear your Java Cache

• click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup)
  
  • On the General tab, under Temporary Internet Files, click the Settings button.
    
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    Applications and Applets
    Trace and Log Files
    
    
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    
  • Click OK to leave the Temporary Files Window
    
  • Click OK to leave the Java Control Panel.

TFC(Temp File Cleaner):

• Please download TFC to your desktop,
  
• Save any unsaved work. TFC will close all open application windows.
  
• Double-click TFC.exe to run the program.
  
• If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer take a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

I would like you to rerun MBAM


• Double-click mbam icon
  
• go to the update tab at the top
  
• click on check for updates
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select Perform quick scan, then click Scan.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  
• When completed, a log will open in Notepad. please copy and paste the log into your next reply
  
  • If you accidently close it, the log file is saved here and will be named like this:
    
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Download HijackThis

• Go Here to download HijackThis Installer
  
• Save HijackThis Installer to your desktop.
  
• Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  
• By default it will install to C:\Program Files\Trend Micro\HijackThis .
  
• Click on Install.
  
• It will create a HijackThis icon on the desktop.
  
• Once installed it will launch Hijackthis.
  
• Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  
• Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  
• Come back here to this thread and Paste the log in your next reply.
  
• DO NOT use the AnalyseThis button its findings are dangerous if misinterpreted.
  
• DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

"information and logs"

In your next post I need the following


• Log From MBAM
  
• report from Hijackthis
  
• let me know of any problems you may have had
  
• How is the computer doing now?

Gringo

Hi Gringo,

Still no noticeble computer problems, other than the missing "run as admin" option for HijackThis

- Cleared Java Cache - went smoothly
- Ran TFC - went smoothly
- Updated and ran MBAM quick scan - no "Show Results" option/nothing to "Check (tick)" - went smoothly

HijackThis -
- saved HijackThis to desktop
- right-clicked Installer -- no "run as admin" option (very unusual)
--- double-clicked to install
--- default install to C:\Program Files(x86)\Trend Micro\HijackThis [note: all other programs I've ever installed default to this]
- did not launch automatically
- right-clicked desktop HijackThis icon - no "run as admin"
- double-clicked to open, selected "Do a system scan and save a logfile button"
- message re: can't access hosts file - must do manually, with instructions
- clicked "ok" and scan started automatically
- notepad opened, and message screen "create new log?", no, closed program
- right-clicked HijackThis icon > properties > compatibility - privilege level: run as admin
- double-clicked HijackThis icon to launch - continued with your original instructions - went smoothly


Malwarebytes log-

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7402

Windows 6.1.7601 Service Pack 1
Internet Explorer 8.0.7601.17514

8/7/2011 2:11:13 PM
mbam-log-2011-08-07 (14-11-13).txt

Scan type: Quick scan
Objects scanned: 180385
Time elapsed: 2 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


HijackThis log-

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:44:54 PM, on 8/7/2011
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v8.00 (8.00.7601.17514)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Windows\Samsung\PanelMgr\SSMMgr.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.my.yahoo.com/?_bc=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\Windows\Samsung\PanelMgr\ssmmgr.exe /autorun
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe
O4 - HKUS\S-1-5-21-1263489233-3492360673-1503041181-1001\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'UpdatusUser')
O4 - HKUS\S-1-5-21-1263489233-3492360673-1503041181-1001\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'UpdatusUser')
O8 - Extra context menu item: SmarThru4 Capture Selection - C:\Program Files (x86)\SmarThru 4\WebCapture.dll2.htm
O8 - Extra context menu item: SmarThru4 Save as HTML - C:\Program Files (x86)\SmarThru 4\WebCapture.dll1.htm
O8 - Extra context menu item: SmarThru4 Save Selected Text - C:\Program Files (x86)\SmarThru 4\WebCapture.dll.htm
O8 - Extra context menu item: SmarThru4 Web Capture - C:\Program Files (x86)\SmarThru 4\WebCapture.dll
O16 - DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} (WMI Class) - https://support.dell.com/systemprofiler/SysProExe.CAB
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 5869 bytes

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded startup entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to be, any of these programs you can click on their icons (or start from the control panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.

• Run HijackThis
  
• Click on the Scan button
  
• Put a check beside all of the items listed below (if present):
  
  
  O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
  O4 - HKLM\..\Run: [Samsung PanelMgr] C:\Windows\Samsung\PanelMgr\ssmmgr.exe /autorun
  O4 - HKCU\..\Run: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe
  O4 - HKUS\S-1-5-21-1263489233-3492360673-1503041181-1001\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'UpdatusUser')
  O4 - HKUS\S-1-5-21-1263489233-3492360673-1503041181-1001\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'UpdatusUser')
  
  
  
  
• Close all open windows and browsers/email, etc...
  
• Click on the "Fix Checked" button
  
• When completed, close the application.
  
  
  NOTE**You can research each of those lines >here< and see if you want to keep them or not
  just copy the name between the brakets and paste into the search space
  O4 - HKLM\..\Run: [IntelliPoint]

If you have problems running Hijackthis.

sometimes we have to run it like this To run HijackThis as an administrator,
rightclick HijackThis.exe (located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)
and select to run as administrator

Eset Online Scanner

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

Go Eset web page to run an online scannner from ESET.

• Turn off the real time scanner of any existing antivirus program while performing the online scan
  
• click on the ESET Online Scanner button
  
• Tick the box next to YES, I accept the Terms of Use.
  
  • Click Start
• When asked, allow the activex control to install
  
  • Click Start
• Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  
• Click on Advanced Settings, ensure the options
  
  Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
• Click Scan
  
• Wait for the scan to finish
  
• Click on copy to clipboard and paste the results here in this topic
  
• you may also find here C:\Program Files\Eset\Eset Online Scanner\log.txt

Copy and paste that log as a reply to this topic

Gringo

Ran HijackThis - removed all those start-up items. Thanks for that!


Eset log -

C:\Downlods\CD Helpful\NeroCDBurning\Nero-9.4.12.3_free.exe Win32/Toolbar.AskSBar application
C:\Downlods\CD Helpful\Utilities\Keys\produkey.zip a variant of Win32/PSWTool.ProductKey application
C:\Gateway\Documents and Settings\Owner\My Documents\downloads\programs\Nero-6.6.1.15a.exe Win32/Toolbar.AskSBar application
C:\Gateway\Documents and Settings\Owner\My Documents\downloads\programs\spyware tools & firewalls\smitRem.exe Win32/PrcView application
C:\Users\Owner\Documents\downloads\programs\Nero-6.6.1.15a.exe Win32/Toolbar.AskSBar application
C:\Users\Owner\Documents\downloads\programs\spyware tools & firewalls\smitRem.exe Win32/PrcView application
C:\Windows.old\Documents and Settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application
C:\Windows.old\Documents and Settings\All Users\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application
C:\Windows.old\Documents and Settings\Lynn\AppData\Local\Application Data\Temp\CAB9.tmp a variant of Win32/Olmarik.AWG trojan
C:\Windows.old\Documents and Settings\Lynn\AppData\Local\Temp\CAB9.tmp a variant of Win32/Olmarik.AWG trojan
C:\Windows.old\Documents and Settings\Lynn\Documents\downloads\programs\Nero-6.6.1.15a.exe Win32/Toolbar.AskSBar application
C:\Windows.old\Documents and Settings\Lynn\Documents\downloads\programs\spyware tools & firewalls\smitRem.exe Win32/PrcView application
C:\Windows.old\Documents and Settings\Lynn\Local Settings\Temp\CAB9.tmp a variant of Win32/Olmarik.AWG trojan
C:\Windows.old\Documents and Settings\Lynn\My Documents\downloads\programs\Nero-6.6.1.15a.exe Win32/Toolbar.AskSBar application
C:\Windows.old\Documents and Settings\Lynn\My Documents\downloads\programs\spyware tools & firewalls\smitRem.exe Win32/PrcView application
C:\Windows.old\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application
C:\Windows.old\Users\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application
C:\Windows.old\Users\All Users\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application
C:\Windows.old\Users\Lynn\AppData\Local\Temp\CAB9.tmp a variant of Win32/Olmarik.AWG trojan
C:\Windows.old\Users\Lynn\Documents\downloads\programs\Nero-6.6.1.15a.exe Win32/Toolbar.AskSBar application
C:\Windows.old\Users\Lynn\Documents\downloads\programs\spyware tools & firewalls\smitRem.exe Win32/PrcView application
C:\Windows.old\Users\Lynn\Local Settings\Temp\CAB9.tmp a variant of Win32/Olmarik.AWG trojan
C:\Windows.old\Users\Lynn\My Documents\downloads\programs\Nero-6.6.1.15a.exe Win32/Toolbar.AskSBar application
C:\Windows.old\Users\Lynn\My Documents\downloads\programs\spyware tools & firewalls\smitRem.exe Win32/PrcView application
C:\Windows.old\Windows\Temp\nwcosamexr.exe Win32/Adware.LoudMo.D application
C:\Windows.old\Windows\Temp\YontooIEClient.dll a variant of Win32/Adware.Yontoo.A application
C:\Windows.old.000\Documents and Settings\Owner\Documents\downloads\programs\Nero-6.6.1.15a.exe Win32/Toolbar.AskSBar application
C:\Windows.old.000\Documents and Settings\Owner\Documents\downloads\programs\spyware tools & firewalls\smitRem.exe Win32/PrcView application
C:\Windows.old.000\Documents and Settings\Owner\My Documents\downloads\programs\Nero-6.6.1.15a.exe Win32/Toolbar.AskSBar application
C:\Windows.old.000\Documents and Settings\Owner\My Documents\downloads\programs\spyware tools & firewalls\smitRem.exe Win32/PrcView application
C:\Windows.old.000\Program Files (x86)\Dell DataSafe Local Backup\hstart.exe a variant of Win32/HiddenStart.A application
C:\Windows.old.000\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\hstart.exe a variant of Win32/HiddenStart.A application
C:\Windows.old.000\Program Files (x86)\Yontoo Layers Runtime\YontooIEClient.dll a variant of Win32/Adware.Yontoo.A application
C:\Windows.old.000\Program Files (x86)\Yontoo Layers Runtime\YontooIEClient_2.dll a variant of Win32/Adware.Yontoo.A application
C:\Windows.old.000\Users\Owner\Documents\downloads\programs\Nero-6.6.1.15a.exe Win32/Toolbar.AskSBar application
C:\Windows.old.000\Users\Owner\Documents\downloads\programs\spyware tools & firewalls\smitRem.exe Win32/PrcView application
C:\Windows.old.000\Users\Owner\My Documents\downloads\programs\Nero-6.6.1.15a.exe Win32/Toolbar.AskSBar application
C:\Windows.old.000\Users\Owner\My Documents\downloads\programs\spyware tools & firewalls\smitRem.exe Win32/PrcView application

Greetings

There are somethings in the online scan I want to remove so run this scrript for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

File::
C:\Downlods\CD Helpful\NeroCDBurning\Nero-9.4.12.3_free.exe
C:\Downlods\CD Helpful\Utilities\Keys\produkey.zip
C:\Gateway\Documents and Settings\Owner\My Documents\downloads\programs\Nero-6.6.1.15a.exe
C:\Gateway\Documents and Settings\Owner\My Documents\downloads\programs\spyware tools & firewalls\smitRem.exe
C:\Users\Owner\Documents\downloads\programs\Nero-6.6.1.15a.exe
C:\Users\Owner\Documents\downloads\programs\spyware tools & firewalls\smitRem.exe
C:\Windows.old\Documents and Settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll
C:\Windows.old\Documents and Settings\All Users\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll
C:\Windows.old\Documents and Settings\Lynn\AppData\Local\Application Data\Temp\CAB9.tmp
C:\Windows.old\Documents and Settings\Lynn\AppData\Local\Temp\CAB9.tmp
C:\Windows.old\Documents and Settings\Lynn\Documents\downloads\programs\Nero-6.6.1.15a.exe
C:\Windows.old\Documents and Settings\Lynn\Documents\downloads\programs\spyware tools & firewalls\smitRem.exe
C:\Windows.old\Documents and Settings\Lynn\Local Settings\Temp\CAB9.tmp
C:\Windows.old\Documents and Settings\Lynn\My Documents\downloads\programs\Nero-6.6.1.15a.exe
C:\Windows.old\Documents and Settings\Lynn\My Documents\downloads\programs\spyware tools & firewalls\smitRem.exe
C:\Windows.old\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll
C:\Windows.old\Users\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll
C:\Windows.old\Users\All Users\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll
C:\Windows.old\Users\Lynn\AppData\Local\Temp\CAB9.tmp
C:\Windows.old\Users\Lynn\Documents\downloads\programs\Nero-6.6.1.15a.exe
C:\Windows.old\Users\Lynn\Documents\downloads\programs\spyware tools & firewalls\smitRem.exe
C:\Windows.old\Users\Lynn\Local Settings\Temp\CAB9.tmp
C:\Windows.old\Users\Lynn\My Documents\downloads\programs\Nero-6.6.1.15a.exe
C:\Windows.old\Users\Lynn\My Documents\downloads\programs\spyware tools & firewalls\smitRem.exe
C:\Windows.old\Windows\Temp\nwcosamexr.exe
C:\Windows.old\Windows\Temp\YontooIEClient.dll a variant of Win32/Adware.Yontoo.A application
C:\Windows.old.000\Documents and Settings\Owner\Documents\downloads\programs\Nero-6.6.1.15a.exe
C:\Windows.old.000\Documents and Settings\Owner\Documents\downloads\programs\spyware tools & firewalls\smitRem.exe
C:\Windows.old.000\Documents and Settings\Owner\My Documents\downloads\programs\Nero-6.6.1.15a.exe
C:\Windows.old.000\Documents and Settings\Owner\My Documents\downloads\programs\spyware tools & firewalls\smitRem.exe
C:\Windows.old.000\Program Files (x86)\Dell DataSafe Local Backup\hstart.exe
C:\Windows.old.000\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\hstart.exe
C:\Windows.old.000\Program Files (x86)\Yontoo Layers Runtime\YontooIEClient.dll
C:\Windows.old.000\Program Files (x86)\Yontoo Layers Runtime\YontooIEClient_2.dll
C:\Windows.old.000\Users\Owner\Documents\downloads\programs\Nero-6.6.1.15a.exe
C:\Windows.old.000\Users\Owner\Documents\downloads\programs\spyware tools & firewalls\smitRem.exe
C:\Windows.old.000\Users\Owner\My Documents\downloads\programs\Nero-6.6.1.15a.exe
C:\Windows.old.000\Users\Owner\My Documents\downloads\programs\spyware tools & firewalls\smitRem.exe

Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

"information and logs"

In your next post I need the following


• report from Combofix
  
• let me know of any problems you may have had
  
• How is the computer doing now after running the script?

Gringo

Well, some problems after running ComboFix / CFScript.txt log, but still no noticeable infection-type issues.

- 2 items on start menu disappeared again - "Run" command & "Recent Items"
- nothing will open without "run as admin" again... click anything, get these 2 message boxes, with only the program name in the title bar
"Illegal operation attempted on a registry key that has been marked for deletion."
click ok, then get this -
"The item you selected is unavailable. It might have been moved, renamed, or removed. Do you want to remove it from the list?" Yes or No

haven't answered - not exactly sure what list(?) presume it's the "moved, renamed, or removed" list(?)

I've tried these, so far …

Firefox
Internet Explorer
Thunderbird
Windows Explorer
Notepad (twice – had to "run as admin" both times)
OpenOffice writer



I hope it's not too late to mention that several items in the Eset/CFScript are legit -

These are ok -

C:\Downlods\CD Helpful ... - [computer guy's large collection of tools, from last year]
C:\Gateway ... - [my Gateway/XP died last year, he copied files to this computer]
C:\Users ...
C:\Windows.old\Documents and Settings\Lynn\Documents (and My Documents) ... - [computer guy copy from last weekend]
C:\Windows.old.000\Documents and Settings ... - [computer guy copy from last weekend]
C:\Windows.old.000\Program Files (x86)\Dell ...
C:\Windows.old.000\Users ...


These are not ok -

C:\Windows.old\Documents and Settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll
C:\Windows.old\Documents and Settings\All Users\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll
C:\Windows.old\Documents and Settings\Lynn\AppData\Local\Application Data\Temp\CAB9.tmp
C:\Windows.old\Documents and Settings\Lynn\AppData\Local\Temp\CAB9.tmp
C:\Windows.old\Documents and Settings\Lynn\Local Settings\Temp\CAB9.tmp
C:\Windows.old\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll
C:\Windows.old\Users\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll
C:\Windows.old\Users\All Users\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll
C:\Windows.old\Users\Lynn\AppData\Local\Temp\CAB9.tmp
C:\Windows.old\Users\Lynn\Local Settings\Temp\CAB9.tmp
C:\Windows.old\Windows\Temp\nwcosamexr.exe
C:\Windows.old\Windows\Temp\YontooIEClient.dll a variant of Win32/Adware.Yontoo.A application
C:\Windows.old.000\Program Files (x86)\Yontoo Layers Runtime\YontooIEClient.dll
C:\Windows.old.000\Program Files (x86)\Yontoo Layers Runtime\YontooIEClient_2.dll



ComboFix / CFScript.txt log - in the next post

Hello

Restart the computer and it will fix the "Illegal operation attempted on a registry key that has been marked for deletion."
problems. (see earlier posts of mine about combofix)


the things I listed in the CF script either have adware aplications with them or are old tools that should not be used any more as they are outdated


after you rstart the computer let me know how things are


gringo

ComboFix / CFScript.txt log

ComboFix 11-08-07.03 - Owner 08/07/2011 23:41:07.2.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8119.6032 [GMT -4:00]
Running from: c:\users\Owner\Desktop\ComboFix.exe
Command switches used :: c:\users\Owner\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\downlods\CD Helpful\NeroCDBurning\Nero-9.4.12.3_free.exe"
"c:\downlods\CD Helpful\Utilities\Keys\produkey.zip"
"c:\gateway\Documents and Settings\Owner\My Documents\downloads\programs\Nero-6.6.1.15a.exe"
"c:\gateway\Documents and Settings\Owner\My Documents\downloads\programs\spyware tools & firewalls\smitRem.exe"
"c:\users\Owner\Documents\downloads\programs\Nero-6.6.1.15a.exe"
"c:\users\Owner\Documents\downloads\programs\spyware tools & firewalls\smitRem.exe"
"c:\windows.old.000\Documents and Settings\Owner\Documents\downloads\programs\Nero-6.6.1.15a.exe"
"c:\windows.old.000\Documents and Settings\Owner\Documents\downloads\programs\spyware tools & firewalls\smitRem.exe"
"c:\windows.old.000\Documents and Settings\Owner\My Documents\downloads\programs\Nero-6.6.1.15a.exe"
"c:\windows.old.000\Documents and Settings\Owner\My Documents\downloads\programs\spyware tools & firewalls\smitRem.exe"
"c:\windows.old.000\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\hstart.exe"
"c:\windows.old.000\Program Files (x86)\Dell DataSafe Local Backup\hstart.exe"
"c:\windows.old.000\Program Files (x86)\Yontoo Layers Runtime\YontooIEClient.dll"
"c:\windows.old.000\Program Files (x86)\Yontoo Layers Runtime\YontooIEClient_2.dll"
"c:\windows.old.000\Users\Owner\Documents\downloads\programs\Nero-6.6.1.15a.exe"
"c:\windows.old.000\Users\Owner\Documents\downloads\programs\spyware tools & firewalls\smitRem.exe"
"c:\windows.old.000\Users\Owner\My Documents\downloads\programs\Nero-6.6.1.15a.exe"
"c:\windows.old.000\Users\Owner\My Documents\downloads\programs\spyware tools & firewalls\smitRem.exe"
"c:\windows.old\Documents and Settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll"
"c:\windows.old\Documents and Settings\All Users\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll"
"c:\windows.old\Documents and Settings\Lynn\AppData\Local\Application Data\Temp\CAB9.tmp"
"c:\windows.old\Documents and Settings\Lynn\AppData\Local\Temp\CAB9.tmp"
"c:\windows.old\Documents and Settings\Lynn\Documents\downloads\programs\Nero-6.6.1.15a.exe"
"c:\windows.old\Documents and Settings\Lynn\Documents\downloads\programs\spyware tools & firewalls\smitRem.exe"
"c:\windows.old\Documents and Settings\Lynn\Local Settings\Temp\CAB9.tmp"
"c:\windows.old\Documents and Settings\Lynn\My Documents\downloads\programs\Nero-6.6.1.15a.exe"
"c:\windows.old\Documents and Settings\Lynn\My Documents\downloads\programs\spyware tools & firewalls\smitRem.exe"
"c:\windows.old\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll"
"c:\windows.old\Users\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll"
"c:\windows.old\Users\All Users\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll"
"c:\windows.old\Users\Lynn\AppData\Local\Temp\CAB9.tmp"
"c:\windows.old\Users\Lynn\Documents\downloads\programs\Nero-6.6.1.15a.exe"
"c:\windows.old\Users\Lynn\Documents\downloads\programs\spyware tools & firewalls\smitRem.exe"
"c:\windows.old\Users\Lynn\Local Settings\Temp\CAB9.tmp"
"c:\windows.old\Users\Lynn\My Documents\downloads\programs\Nero-6.6.1.15a.exe"
"c:\windows.old\Users\Lynn\My Documents\downloads\programs\spyware tools & firewalls\smitRem.exe"
"c:\windows.old\Windows\Temp\nwcosamexr.exe"
"c:\windows.old\Windows\Temp\YontooIEClient.dll a variant of Win32/Adware.Yontoo.A application"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\downlods\CD Helpful\NeroCDBurning\Nero-9.4.12.3_free.exe
c:\downlods\CD Helpful\Utilities\Keys\produkey.zip
c:\gateway\Documents and Settings\Owner\My Documents\downloads\programs\Nero-6.6.1.15a.exe
c:\gateway\Documents and Settings\Owner\My Documents\downloads\programs\spyware tools & firewalls\smitRem.exe
c:\users\Owner\Documents\downloads\programs\Nero-6.6.1.15a.exe
c:\users\Owner\Documents\downloads\programs\spyware tools & firewalls\smitRem.exe
c:\windows.old.000\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\hstart.exe
c:\windows.old.000\Program Files (x86)\Dell DataSafe Local Backup\hstart.exe
c:\windows.old.000\Program Files (x86)\Yontoo Layers Runtime\YontooIEClient.dll
c:\windows.old.000\Program Files (x86)\Yontoo Layers Runtime\YontooIEClient_2.dll
c:\windows.old.000\Users\Owner\Documents\downloads\programs\Nero-6.6.1.15a.exe
c:\windows.old.000\Users\Owner\Documents\downloads\programs\spyware tools & firewalls\smitRem.exe
c:\windows.old.000\Users\Owner\My Documents\downloads\programs\Nero-6.6.1.15a.exe
c:\windows.old.000\Users\Owner\My Documents\downloads\programs\spyware tools & firewalls\smitRem.exe
c:\windows.old\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll
c:\windows.old\Users\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll
c:\windows.old\Users\All Users\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll
c:\windows.old\Users\Lynn\AppData\Local\Temp\CAB9.tmp
c:\windows.old\Users\Lynn\Documents\downloads\programs\Nero-6.6.1.15a.exe
c:\windows.old\Users\Lynn\Documents\downloads\programs\spyware tools & firewalls\smitRem.exe
c:\windows.old\Users\Lynn\Local Settings\Temp\CAB9.tmp
c:\windows.old\Users\Lynn\My Documents\downloads\programs\Nero-6.6.1.15a.exe
c:\windows.old\Users\Lynn\My Documents\downloads\programs\spyware tools & firewalls\smitRem.exe
c:\windows.old\Windows\Temp\nwcosamexr.exe
c:\windows\isRS-000.tmp
.
.
((((((((((((((((((((((((( Files Created from 2011-07-08 to 2011-08-08 )))))))))))))))))))))))))))))))
.
.
2011-08-08 03:44 . 2011-08-08 03:44 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-08-08 03:05 . 2011-07-20 13:44 8578896 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7F0E50BE-C651-4DA7-9277-AB1E19C80BF4}\mpengine.dll
2011-08-07 23:37 . 2011-08-07 23:37 -------- d-----w- c:\program files (x86)\ESET
2011-08-07 19:39 . 2011-07-20 13:44 8578896 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-08-07 18:25 . 2011-08-07 18:25 -------- d-----w- c:\program files (x86)\Trend Micro
2011-08-06 21:33 . 2011-08-06 21:33 -------- d-----w- c:\windows\system32\SPReview
2011-08-06 21:18 . 2010-11-30 15:43 601424 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B2D2C65D-9525-4275-A565-4448C03E5C76}\gapaengine.dll
2011-08-06 21:09 . 2011-08-06 21:09 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2011-08-06 21:09 . 2011-08-06 21:09 -------- d-----w- c:\program files\Microsoft Security Client
2011-08-04 13:40 . 2011-08-04 13:40 -------- d-----w- c:\program files (x86)\MSXML 4.0
2011-08-02 23:24 . 2011-08-02 23:24 -------- d-----w- c:\program files (x86)\Foxit Software
2011-08-02 22:46 . 2011-08-02 22:46 -------- d-----w- c:\program files (x86)\Common Files\InstallShield
2011-08-02 22:44 . 2008-06-27 00:44 587264 ----a-w- c:\windows\system32\ssmgr64.cpl
2011-08-02 22:44 . 2009-09-22 06:30 113768 ----a-w- c:\windows\Wiainst.exe
2011-08-02 22:44 . 2009-05-11 23:00 14848 ----a-w- c:\windows\system32\SaSegFlt.dll
2011-08-02 22:44 . 2009-05-11 23:00 160768 ----a-w- c:\windows\system32\SaMinDrv.dll
2011-08-02 22:44 . 2009-05-11 23:00 36864 ----a-w- c:\windows\system32\SaImgFlt.dll
2011-08-02 22:44 . 2009-05-11 23:00 13312 ----a-w- c:\windows\system32\SaErHdlr.dll
2011-08-02 22:29 . 2007-10-23 04:58 11576 ----a-w- c:\windows\system32\drivers\SSPORT.SYS
2011-08-02 22:29 . 2011-08-02 22:29 -------- d-----w- c:\program files (x86)\Samsung
2011-08-02 18:21 . 2011-08-02 18:21 -------- d-----w- c:\windows\system32\EventProviders
2011-08-02 18:10 . 2011-08-02 18:10 -------- d-----w- c:\program files (x86)\Microsoft Silverlight
2011-08-02 16:49 . 2011-08-04 13:39 -------- d-----w- c:\program files (x86)\Microsoft Works
2011-08-01 19:14 . 2011-08-01 19:14 -------- d-----w- c:\windows\SysWow64\Dell
2011-08-01 19:14 . 2011-08-01 19:14 -------- d-----w- c:\program files (x86)\Dell
2011-08-01 15:20 . 2011-08-01 15:20 -------- d-----w- c:\windows\SysWow64\Adobe
2011-08-01 06:00 . 2011-08-01 06:00 -------- d-----w- c:\program files (x86)\Common Files\Java
2011-08-01 04:42 . 2011-08-01 04:42 -------- d-----w- c:\program files (x86)\OpenOffice.org 3
2011-08-01 04:41 . 2011-05-04 08:52 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2011-08-01 04:41 . 2011-08-01 05:04 -------- d-----w- c:\program files (x86)\Java
2011-08-01 03:01 . 2011-08-01 03:01 -------- d-----w- c:\program files (x86)\Whisper
2011-07-31 17:23 . 2009-06-30 14:37 33800 ----a-w- c:\windows\system32\drivers\pavboot64.sys
2011-07-31 17:23 . 2011-07-31 17:23 -------- d-----w- c:\program files (x86)\Panda Security
2011-07-31 03:49 . 2011-07-31 03:49 -------- d-----w- c:\program files (x86)\Microsoft.NET
2011-07-30 21:56 . 2011-07-30 21:56 -------- d-----w- c:\program files (x86)\Mozilla Thunderbird
2011-07-30 21:28 . 2011-07-30 17:38 -------- d-----w- c:\windows\Panther
2011-07-30 19:38 . 2010-11-20 13:33 299392 ----a-w- c:\windows\system32\mcupdate_GenuineIntel.dll
2011-07-30 19:37 . 2010-11-20 13:33 155008 ----a-w- c:\windows\system32\drivers\mpio.sys
2011-07-30 19:36 . 2010-11-20 13:27 529408 ----a-w- c:\windows\system32\wbemcomn.dll
2011-07-30 19:33 . 2011-07-30 19:33 -------- d-----w- c:\program files\Broadcom
2011-07-30 19:33 . 2011-07-30 19:33 -------- d-----w- c:\windows\Dell
2011-07-30 19:23 . 2011-08-01 05:59 404640 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-07-30 19:23 . 2011-08-01 15:21 -------- d-----w- c:\windows\SysWow64\Macromed
2011-07-30 19:18 . 2011-07-30 19:18 21712 ----a-w- c:\windows\SysWow64\drivers\DrvAgent64.SYS
2011-07-30 19:11 . 2010-10-19 20:51 270720 ------w- c:\windows\system32\MpSigStub.exe
2011-07-30 19:09 . 2011-08-07 18:25 -------- d-sh--w- c:\windows\Installer
2011-07-30 19:02 . 2011-07-06 23:52 41272 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-07-30 19:02 . 2011-08-07 18:03 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-07-30 19:02 . 2011-07-30 19:02 -------- d-----w- c:\programdata\Malwarebytes
2011-07-30 19:02 . 2011-07-06 23:52 25912 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-30 19:00 . 2011-07-30 19:00 -------- d-----w- c:\windows\SysWow64\Wat
2011-07-30 19:00 . 2011-07-30 19:00 -------- d-----w- c:\windows\system32\Wat
2011-07-30 19:00 . 2011-02-19 12:05 1139200 ----a-w- c:\windows\system32\FntCache.dll
2011-07-30 19:00 . 2011-02-19 12:04 1544192 ----a-w- c:\windows\system32\DWrite.dll
2011-07-30 19:00 . 2011-02-19 06:30 1076736 ----a-w- c:\windows\SysWow64\DWrite.dll
2011-07-30 19:00 . 2011-02-19 12:04 902656 ----a-w- c:\windows\system32\d2d1.dll
2011-07-30 19:00 . 2011-02-19 06:30 739840 ----a-w- c:\windows\SysWow64\d2d1.dll
2011-07-30 18:32 . 2011-07-30 18:56 -------- d-----w- c:\programdata\NVIDIA
2011-07-30 18:32 . 2011-07-30 18:32 -------- d-----w- c:\users\UpdatusUser
2011-07-30 18:32 . 2011-07-30 18:32 -------- d-----w- c:\program files (x86)\NVIDIA Corporation
2011-07-30 18:32 . 2011-05-21 10:01 739432 ----a-w- c:\windows\system32\easyupdatusapiu64.dll
2011-07-30 18:32 . 2011-05-21 10:01 6300776 ----a-w- c:\windows\system32\nvcpl.dll
2011-07-30 18:32 . 2011-05-21 10:01 61544 ----a-w- c:\windows\system32\nvshext.dll
2011-07-30 18:32 . 2011-05-21 10:01 3040872 ----a-w- c:\windows\system32\nvsvc64.dll
2011-07-30 18:32 . 2011-05-21 10:01 2560616 ----a-w- c:\windows\system32\nvsvcr.dll
2011-07-30 18:32 . 2011-05-21 10:01 117864 ----a-w- c:\windows\system32\nvmctray.dll
2011-07-30 18:32 . 2011-05-21 10:01 1016936 ----a-w- c:\windows\system32\nvvsvc.exe
2011-07-30 18:32 . 2011-07-30 18:32 -------- d-----w- c:\programdata\NVIDIA Corporation
2011-07-30 18:32 . 2011-07-30 18:32 -------- d-----w- c:\program files\NVIDIA Corporation
2011-07-30 18:28 . 2011-06-03 06:56 421888 ----a-w- c:\windows\system32\KernelBase.dll
2011-07-30 18:27 . 2011-02-18 10:51 31232 ----a-w- c:\windows\system32\prevhost.exe
2011-07-30 18:27 . 2011-02-18 05:39 31232 ----a-w- c:\windows\SysWow64\prevhost.exe
2011-07-30 18:27 . 2011-04-29 03:06 467456 ----a-w- c:\windows\system32\drivers\srv.sys
2011-07-30 18:27 . 2011-04-29 03:05 410112 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-07-30 18:27 . 2011-04-29 03:05 168448 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-07-30 18:27 . 2011-02-05 17:10 642944 ----a-w- c:\windows\system32\winload.efi
2011-07-30 18:27 . 2011-02-05 17:10 20352 ----a-w- c:\windows\system32\kdusb.dll
2011-07-30 18:27 . 2011-02-05 17:10 19328 ----a-w- c:\windows\system32\kd1394.dll
2011-07-30 18:27 . 2011-02-05 17:10 17792 ----a-w- c:\windows\system32\kdcom.dll
2011-07-30 18:27 . 2011-02-05 17:06 605552 ----a-w- c:\windows\system32\winload.exe
2011-07-30 18:27 . 2011-02-05 17:06 566208 ----a-w- c:\windows\system32\winresume.efi
2011-07-30 18:27 . 2011-02-05 17:06 518672 ----a-w- c:\windows\system32\winresume.exe
2011-07-30 18:27 . 2010-11-20 13:27 63488 ----a-w- c:\windows\system32\setbcdlocale.dll
2011-07-30 18:23 . 2011-07-20 13:44 8578896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{FDBCBA01-8400-4880-8382-4F9FDBFF2117}\mpengine.dll
2011-07-30 17:53 . 2011-07-30 17:38 -------- d-----w- C:\Recovery
2011-07-30 17:38 . 2011-08-04 23:12 -------- d-----w- c:\users\Owner
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-06 21:38 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
2011-08-06 21:38 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
2011-06-03 05:57 . 2011-07-30 18:26 44032 ----a-w- c:\windows\apppatch\acwow64.dll
2011-05-21 10:01 . 2011-05-21 10:01 8863336 ----a-w- c:\windows\system32\nvwgf2umx.dll
2011-05-21 10:01 . 2011-05-21 10:01 7123560 ----a-w- c:\windows\system32\nvcuda.dll
2011-05-21 10:01 . 2011-05-21 10:01 67176 ----a-w- c:\windows\system32\OpenCL.dll
2011-05-21 10:01 . 2011-05-21 10:01 6555240 ----a-w- c:\windows\SysWow64\nvwgf2um.dll
2011-05-21 10:01 . 2011-05-21 10:01 57960 ----a-w- c:\windows\SysWow64\OpenCL.dll
2011-05-21 10:01 . 2011-05-21 10:01 5301352 ----a-w- c:\windows\SysWow64\nvcuda.dll
2011-05-21 10:01 . 2011-05-21 10:01 2943592 ----a-w- c:\windows\system32\nvcuvid.dll
2011-05-21 10:01 . 2011-05-21 10:01 2804328 ----a-w- c:\windows\SysWow64\nvcuvid.dll
2011-05-21 10:01 . 2011-05-21 10:01 2644584 ----a-w- c:\windows\system32\nvapi64.dll
2011-05-21 10:01 . 2011-05-21 10:01 2335848 ----a-w- c:\windows\SysWow64\nvapi.dll
2011-05-21 10:01 . 2011-05-21 10:01 22286952 ----a-w- c:\windows\system32\nvoglv64.dll
2011-05-21 10:01 . 2011-05-21 10:01 2212968 ----a-w- c:\windows\system32\nvcuvenc.dll
2011-05-21 10:01 . 2011-05-21 10:01 2082408 ----a-w- c:\windows\SysWow64\nvcuvenc.dll
2011-05-21 10:01 . 2011-05-21 10:01 18583144 ----a-w- c:\windows\system32\nvcompiler.dll
2011-05-21 10:01 . 2011-05-21 10:01 16456296 ----a-w- c:\windows\SysWow64\nvoglv32.dll
2011-05-21 10:01 . 2011-05-21 10:01 15223912 ----a-w- c:\windows\system32\nvd3dumx.dll
2011-05-21 10:01 . 2011-05-21 10:01 1496168 ----a-w- c:\windows\system32\nvdispco6420150.dll
2011-05-21 10:01 . 2011-05-21 10:01 1427048 ----a-w- c:\windows\system32\nvgenco642090.dll
2011-05-21 10:01 . 2011-05-21 10:01 13206120 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2011-05-21 10:01 . 2011-05-21 10:01 13011560 ----a-w- c:\windows\SysWow64\nvcompiler.dll
2011-05-21 10:01 . 2011-05-21 10:01 11992680 ----a-w- c:\windows\SysWow64\nvd3dum.dll

---------------------------------------------------------------------------------------------------------------------------------------------------------
While waiting for the log to pop up, a message said it needed to submit some info for further analysis. But it failed due to server possibly down, and it saved a report to be submitted manually. The next section is huge, and I'm guessing it's info only they want, so I cut it out, but I'll post it if you want.
.
.These 2 lines are the beginning and end of the section -

((((((((((((((((((((((((((((( SnapShot@2011-08-05_17.46.52 )))))))))))))))))))))))))))))))))))))))))
.
-- Snapshot reset to current date --
---------------------------------------------------------------------------------------------------------------------------------------------------------

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 DrvAgent64;DrvAgent64;c:\windows\SysWOW64\Drivers\DrvAgent64.SYS [2011-07-30 21712]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 288272]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot64.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-07-06 366640]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-05-21 2214504]
S2 SSPORT;SSPORT;c:\windows\system32\Drivers\SSPORT.sys [x]
S3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
.
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 1436736]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://att.my.yahoo.com/?_bc=1
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: SmarThru4 Capture Selection - c:\program files (x86)\SmarThru 4\WebCapture.dll2.htm
IE: SmarThru4 Save as HTML - c:\program files (x86)\SmarThru 4\WebCapture.dll1.htm
IE: SmarThru4 Save Selected Text - c:\program files (x86)\SmarThru 4\WebCapture.dll.htm
IE: SmarThru4 Web Capture - c:\program files (x86)\SmarThru 4\WebCapture.dll
TCP: DhcpNameServer = 192.168.1.254 192.168.1.254
FF - ProfilePath - c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\nawyv8p2.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://att.net/
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.type - 1
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10u_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10u_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-08-07 23:48:24 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-08 03:48
ComboFix2.txt 2011-08-05 17:49
.
Pre-Run: 878,786,682,880 bytes free
Post-Run: 878,042,664,960 bytes free
.
- - End Of File - - CC24FB09E44BD26E0C2A4902B2CF3F11