Search Results Redirected


  • This topic is locked
26 replies to this topic

#1 troutster

troutster

  • Members
  • 15 posts
  • OFFLINE
  • Local time:07:23 AM

Posted 05 November 2009 - 10:16 PM

Recently I have noticed some strange behavior on my PC. I am hoping you pros can sniff out what the problem is.

1. My Google search results in IE get forwarded to ad sites, not always, just sometimes.
2. Sometimes I see an AVG virus warning that c:\Windows\System32\tdlwsp.dll is infected with a Trojan Agentr_OT. Even when Defender picked it up, I can't seem to shake it and clean it for good. Defender saw it as: Trojan:Win32/Alureon.gen!U
3. Windows Media Player will no longer open WMV files. MPG works fine. WMV gives me the c00d11b1 error, which I can't seem to get fixed.

I have run numerous AVG and MalwareBytes scans, and I can't seem to get everything working cleanly again.

Any ideas would be appreciated. I must have something infected or weird going on.

Thanks,
Scott


DDS (Ver_09-10-26.01) - NTFSx86
Run by Scott at 21:07:10.76 on Thu 11/05/2009
Internet Explorer: 8.0.6001.18828 BrowserJavaVersion: 1.6.0_16
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3070.1752 [GMT -5:00]

SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Windows\System32\rundll32.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Scott\Desktop\secure\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Bar = Preserve
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [Google Update] "c:\users\scott\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: turbotax.com
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {06305358-99CE-4C47-B59C-939B76856C2B} - hxxp://download.microsoft.com/download/A/C/4/AC43418A-8C86-4205-803E-249B637EE96B/pmupd806.exe
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {3C648A72-C49A-48EF-9F90-68EF13293F97} - hxxp://www.priv.njmls.xmlsweb.com/XMLSearch/XMLCache.CAB
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab
DPF: {6F750203-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

AppInit_DLLs: avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\scott\appdata\roaming\mozilla\firefox\profiles\np54roo0.default\
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
FF - plugin: c:\users\scott\appdata\local\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-2-2 333192]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-2-2 360584]
R1 RtlProt;Realtke RtlProt WLAN Utility Protocol Driver;c:\windows\system32\drivers\RtlProt.sys [2007-4-23 25896]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2009-10-25 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-10-25 285392]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
R2 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0;c:\program files\common files\nero\nero backitup 4\NBService.exe [2009-7-20 935208]
R2 RtNdPt60;Realtek NDIS Protocol Driver;c:\windows\system32\drivers\RtNdPt60.sys [2008-7-1 27648]
R3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [2009-7-12 289280]
S2 Seagate Sync Service;Seagate Sync Service;"c:\program files\seagate\sync\seasyncservices.exe" --> c:\program files\seagate\sync\SeaSyncServices.exe [?]
S2 SessionLauncher;SessionLauncher;c:\users\scott\appdata\local\temp\dx9\sessionlauncher.exe --> c:\users\scott\appdata\local\temp\dx9\SessionLauncher.exe [?]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-3-18 21504]
S4 RoxLiveShare10;LiveShare P2P Server 10;"c:\program files\common files\roxio shared\10.0\sharedcom\roxliveshare10.exe" --> c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [?]

=============== Created Last 30 ================

2009-11-04 22:22:01 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2009-11-04 04:46:08 22016 ----a-w- c:\windows\system32\tdlwsp.dll
2009-11-03 04:37:44 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-03 02:32:15 2 --shatr- c:\windows\winstart.bat
2009-11-03 02:31:51 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2009-11-03 02:31:24 0 d-----w- c:\users\scott\appdata\roaming\SUPERAntiSpyware.com
2009-11-03 02:31:24 0 d-----w- c:\program files\SUPERAntiSpyware
2009-11-03 02:30:44 0 d-----w- c:\program files\UnHackMe
2009-11-03 02:04:03 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-03 02:01:45 0 d-----w- c:\programdata\Lavasoft
2009-11-01 21:02:01 0 d-----w- c:\program files\ESET
2009-10-31 01:15:58 178176 ----a-w- c:\windows\system32\unrar.dll
2009-10-31 01:15:57 0 d-----w- c:\program files\K-Lite Codec Pack
2009-10-28 02:46:35 0 d-----w- c:\program files\Windows Portable Devices
2009-10-28 02:46:24 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2009-10-28 02:46:16 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-10-27 23:46:35 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2009-10-27 23:45:52 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2009-10-27 23:45:52 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2009-10-27 23:45:52 234496 ----a-w- c:\windows\system32\oleacc.dll
2009-10-27 23:37:06 310784 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-27 23:37:05 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-10-27 00:17:21 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-10-27 00:16:49 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-10-27 00:16:31 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-10-27 00:16:31 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-10-26 04:09:38 0 d--h--w- C:\$AVG
2009-10-26 04:09:18 0 d-----w- c:\programdata\avg9
2009-10-19 03:49:10 0 d-----w- c:\users\scott\appdata\roaming\Malwarebytes
2009-10-19 03:49:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-19 03:49:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-19 03:49:04 0 d-----w- c:\programdata\Malwarebytes
2009-10-19 03:49:04 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-14 17:27:16 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-10-14 17:27:13 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-10-14 17:27:13 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe

==================== Find3M ====================

2009-10-28 02:46:34 86016 ----a-w- c:\windows\inf\infpub.dat
2009-10-28 02:46:34 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-10-28 02:46:34 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-10-28 02:46:34 143360 ----a-w- c:\windows\inf\infstor.dat
2009-10-26 04:09:31 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-26 04:09:31 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-26 04:09:19 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-01 14:29:14 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-01 01:02:17 2537472 ----a-w- c:\windows\system32\wpdshext.dll
2009-10-01 01:02:05 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2009-10-01 01:02:04 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2009-10-01 01:02:02 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
2009-10-01 01:02:00 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2009-10-01 01:01:59 546816 ----a-w- c:\windows\system32\wpd_ci.dll
2009-10-01 01:01:59 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2009-10-01 01:01:56 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
2009-10-01 01:01:56 350208 ----a-w- c:\windows\system32\WPDSp.dll
2009-10-01 01:01:56 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
2009-10-01 01:01:56 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2009-10-01 01:01:54 40448 ----a-w- c:\windows\system32\drivers\WpdUsb.sys
2009-10-01 01:01:50 226816 ----a-w- c:\windows\system32\WpdMtp.dll
2009-10-01 01:01:49 61952 ----a-w- c:\windows\system32\WpdMtpUS.dll
2009-10-01 01:01:49 33280 ----a-w- c:\windows\system32\WpdConns.dll
2009-09-25 02:10:10 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
2009-09-25 02:07:08 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2009-09-25 02:04:32 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2009-09-25 01:49:22 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2009-09-25 01:48:08 351232 ----a-w- c:\windows\system32\XpsPrint.dll
2009-09-25 01:38:29 847360 ----a-w- c:\windows\system32\OpcServices.dll
2009-09-25 01:36:13 280064 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2009-09-25 01:35:31 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2009-09-25 01:33:25 195584 ----a-w- c:\windows\system32\dxdiagn.dll
2009-09-25 01:33:15 829440 ----a-w- c:\windows\system32\d3d10warp.dll
2009-09-25 01:33:01 369664 ----a-w- c:\windows\system32\WMPhoto.dll
2009-09-25 01:32:59 252928 ----a-w- c:\windows\system32\dxdiag.exe
2009-09-25 01:31:53 519680 ----a-w- c:\windows\system32\d3d11.dll
2009-09-25 01:31:26 486912 ----a-w- c:\windows\system32\d3d10level9.dll
2009-09-25 01:31:21 161280 ----a-w- c:\windows\system32\d3d10_1.dll
2009-09-25 01:31:19 218112 ----a-w- c:\windows\system32\d3d10_1core.dll
2009-09-25 01:31:16 1030144 ----a-w- c:\windows\system32\d3d10.dll
2009-09-25 01:31:15 828928 ----a-w- c:\windows\system32\d2d1.dll
2009-09-25 01:30:23 481792 ----a-w- c:\windows\system32\dxgi.dll
2009-09-25 01:30:23 190464 ----a-w- c:\windows\system32\d3d10core.dll
2009-09-25 01:27:25 634880 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2009-09-25 01:27:04 793088 ----a-w- c:\windows\system32\FntCache.dll
2009-09-25 01:27:04 37888 ----a-w- c:\windows\system32\cdd.dll
2009-09-25 01:27:04 1064448 ----a-w- c:\windows\system32\DWrite.dll
2009-09-24 22:54:55 258048 ----a-w- c:\windows\system32\winspool.drv
2009-09-24 22:54:53 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2009-09-24 22:54:52 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2009-09-14 09:29:50 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-09-10 02:01:02 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2009-09-10 02:00:54 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2009-09-10 02:00:36 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2009-09-04 11:41:59 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 00:27:49 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-29 00:14:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-27 05:22:28 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 05:17:43 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 05:17:43 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-08-27 03:42:29 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-18 03:33:52 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-14 15:53:34 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 13:49:20 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 13:49:18 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 13:49:18 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 13:49:15 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 13:49:14 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 13:49:14 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 13:49:13 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-14 13:48:02 105984 ----a-w- c:\windows\system32\netiohlp.dll
2008-03-18 22:23:27 174 --sha-w- c:\program files\desktop.ini
2007-12-28 18:59:30 342528 ----a-w- c:\windows\inf\wg111v3\vista64\wg111v3.sys
2007-12-28 18:58:30 289280 ----a-w- c:\windows\inf\wg111v3\WG111v3.sys
2007-12-28 18:58:30 289280 ----a-w- c:\windows\inf\wg111v3\vista\wg111v3.sys
2007-11-27 21:53:58 63488 ----a-w- c:\windows\inf\wg111v3\SetDrv64.exe
2007-11-27 21:52:44 32768 ----a-w- c:\windows\inf\wg111v3\SetDrv.exe
2007-04-23 17:15:48 31016 ----a-w- c:\windows\inf\wg111v3\vista64\RtlProt.sys
2007-04-23 14:50:50 25896 ----a-w- c:\windows\inf\wg111v3\vista\RtlProt.sys
2007-04-20 01:22:44 75264 ----a-w- c:\windows\inf\wg111v3\vista64\rtkbind.exe
2007-04-20 01:22:28 74752 ----a-w- c:\windows\inf\wg111v3\vista\rtkbind.exe
2006-12-15 15:30:36 98304 ----a-w- c:\windows\inf\wg111v3\UScanM.exe
2006-12-15 15:30:36 315392 ----a-w- c:\windows\inf\wg111v3\InstallDriver.exe
2006-12-15 15:30:36 212992 ----a-w- c:\windows\inf\wg111v3\CopyWHQLDriver.exe
2006-12-15 15:30:36 20480 ----a-w- c:\windows\inf\wg111v3\RTWUPath.exe
2006-12-15 15:30:36 19968 ----a-w- c:\windows\inf\wg111v3\RTWREFU.EXE
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-01-04 22:50:14 16384 --sha-w- c:\windows\temp\cookies\index.dat
2009-01-04 22:50:14 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2009-01-04 22:50:14 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 21:08:29.07 ===============
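The DDS "Created Last 30" list above and the ComboFix "Files Created" list Scott posts in reply #3 use different line formats, and the interesting signal is what changes between them. As an added example (not part of the thread, of DDS or of ComboFix), here is a small Python parser for both formats that correlates entries by path and reports any file whose creation timestamp moved between the two scans, which is what a helper looks for when a flagged DLL keeps reappearing; it also lists executables dropped under system32 shortly before the scan and files carrying hidden+system attributes. Sample lines are excerpted from the two logs in this thread; the scan time is taken from the DDS header.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Line shapes taken from the two logs in this thread:
#   DDS      : 2009-11-04 04:46:08 22016 ----a-w- c:\windows\system32\tdlwsp.dll
#   ComboFix : 2009-11-06 03:32 . 2009-11-06 23:20 22016 ----a-w- c:\windows\system32\tdlwsp.dll
DDS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S{8})\s+(.+?)\s*$")
COMBOFIX_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"\s+(\d+|-+)\s+(\S{8})\s+(.+?)\s*$"
)
SYSTEM_DIRS = ("c:\\windows\\system32\\",)   # also covers ...\system32\drivers\
BINARY_EXT = (".dll", ".sys", ".exe")


@dataclass
class Entry:
    created: datetime              # DDS: its only timestamp; ComboFix: first column
    modified: Optional[datetime]   # ComboFix second column; DDS does not print one
    size: Optional[int]            # None for ComboFix's "--------" directory rows
    attrs: str                     # 8-char attribute field, e.g. ----a-w- or --shatr-
    path: str                      # lower-cased so the two logs compare equal


def parse_dds_line(line: str) -> Optional[Entry]:
    m = DDS_RE.match(line)
    if not m:
        return None
    created = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return Entry(created, None, int(m.group(2)), m.group(3), m.group(4).lower())


def parse_combofix_line(line: str) -> Optional[Entry]:
    m = COMBOFIX_RE.match(line)
    if not m:
        return None
    created = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
    modified = datetime.strptime(m.group(2), "%Y-%m-%d %H:%M")
    size = int(m.group(3)) if m.group(3).isdigit() else None
    return Entry(created, modified, size, m.group(4), m.group(5).lower())


def parse_log(text: str, fmt: str) -> list[Entry]:
    """Parse every line matching the chosen format ("dds" or "combofix"); headers are skipped."""
    parser = parse_dds_line if fmt == "dds" else parse_combofix_line
    return [e for e in (parser(line) for line in text.splitlines()) if e]


def recreated_between_scans(dds: list[Entry], combofix: list[Entry]) -> dict[str, bool]:
    """For each path present in both logs: True if its creation time moved, i.e. the file
    was removed and dropped again between the scans. ComboFix prints minutes only, so
    the DDS seconds are discarded before comparing."""
    first_seen = {e.path: e.created.replace(second=0) for e in dds}
    return {e.path: first_seen[e.path] != e.created for e in combofix if e.path in first_seen}


def recent_system_binaries(entries: list[Entry], scan_time: datetime, days: int) -> list[Entry]:
    """Executable files under system32 created within `days` of the scan, newest first."""
    cutoff = scan_time - timedelta(days=days)
    hits = [e for e in entries
            if e.path.startswith(SYSTEM_DIRS) and e.path.endswith(BINARY_EXT) and e.created >= cutoff]
    return sorted(hits, key=lambda e: e.created, reverse=True)


def hidden_system_files(entries: list[Entry]) -> list[Entry]:
    """Non-directory entries carrying both the hidden (h) and system (s) attribute bits."""
    return [e for e in entries if e.attrs[0] != "d" and "h" in e.attrs and "s" in e.attrs]


# Sample input: lines excerpted from the DDS and ComboFix logs posted in this thread.
DDS_SCAN_TIME = datetime(2009, 11, 5, 21, 7, 10)   # "Run by Scott at 21:07:10.76 on Thu 11/05/2009"
DDS_SAMPLE = r"""
2009-11-04 22:22:01 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2009-11-04 04:46:08 22016 ----a-w- c:\windows\system32\tdlwsp.dll
2009-11-03 04:37:44 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-03 02:32:15 2 --shatr- c:\windows\winstart.bat
2009-11-03 02:31:51 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2009-11-03 02:04:03 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-10-19 03:49:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
"""
COMBOFIX_SAMPLE = r"""
2009-11-06 23:31 . 2009-11-06 23:32 -------- d-----w- c:\users\Scott\AppData\Local\temp
2009-11-06 03:32 . 2009-11-06 23:20 22016 ----a-w- c:\windows\system32\tdlwsp.dll
2009-11-03 04:37 . 2009-11-03 04:37 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-03 02:32 . 2009-11-03 02:32 2 --shatr- c:\windows\winstart.bat
2009-11-03 02:04 . 2009-11-03 02:03 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-10-19 03:49 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
"""
DDS_ENTRIES = parse_log(DDS_SAMPLE, "dds")
COMBOFIX_ENTRIES = parse_log(COMBOFIX_SAMPLE, "combofix")

if __name__ == "__main__":
    for path, moved in recreated_between_scans(DDS_ENTRIES, COMBOFIX_ENTRIES).items():
        print(("RE-CREATED " if moved else "unchanged  ") + path)
    for e in recent_system_binaries(DDS_ENTRIES, DDS_SCAN_TIME, days=3):
        print("recent system32 binary:", e.created, e.path)
    for e in hidden_system_files(DDS_ENTRIES):
        print("hidden+system file:", e.attrs, e.path)
```

On the sample, only tdlwsp.dll comes back as re-created: DDS saw it created on 2009-11-04, ComboFix saw a fresh copy created on 2009-11-06, matching Scott's report that the file could not be cleaned for good.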

#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:07:23 AM

Posted 06 November 2009 - 07:53 AM

Hello! :(
My name is Sam and I will be helping you.

In order to see what's going on with your computer, I'll ask you to post various logs from the tools we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
========================================================

#3 troutster

troutster
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:07:23 AM

Posted 06 November 2009 - 06:36 PM

Thanks for the quick reply. Here is the combo fix log.

Scott



ComboFix 09-11-05.05 - Scott 11/06/2009 18:23.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3070.1987 [GMT -5:00]
Running from: c:\users\Scott\Desktop\secure\ComboFix.exe
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\$recycle.bin\S-1-5-21-2725499745-1328295949-1772943228-1008
c:\$recycle.bin\S-1-5-21-355297301-94722134-1120825431-1000
c:\recycler\S-1-5-21-1078081533-861567501-725345543-1003
c:\windows\patchw32.dll
c:\windows\pw32a.dll

.
((((((((((((((((((((((((( Files Created from 2009-10-06 to 2009-11-06 )))))))))))))))))))))))))))))))
.

2009-11-06 23:31 . 2009-11-06 23:32 -------- d-----w- c:\users\Scott\AppData\Local\temp
2009-11-06 23:31 . 2009-11-06 23:31 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-11-06 03:32 . 2009-11-06 23:20 22016 ----a-w- c:\windows\system32\tdlwsp.dll
2009-11-03 04:37 . 2009-11-03 04:37 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-03 02:32 . 2009-11-03 02:32 2 --shatr- c:\windows\winstart.bat
2009-11-03 02:31 . 2009-11-03 02:31 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2009-11-03 02:31 . 2009-11-03 12:31 -------- d-----w- c:\users\Scott\AppData\Roaming\SUPERAntiSpyware.com
2009-11-03 02:31 . 2009-11-03 12:31 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-03 02:30 . 2009-11-03 12:31 8192 d-----w- c:\program files\UnHackMe
2009-11-03 02:04 . 2009-11-03 02:03 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-03 02:01 . 2009-11-04 04:44 -------- d-----w- c:\programdata\Lavasoft
2009-11-01 21:02 . 2009-11-01 21:02 -------- d-----w- c:\program files\ESET
2009-10-31 02:03 . 2009-10-31 02:04 4096 d-----w- c:\users\Scott\AppData\Roaming\vlc
2009-10-31 01:15 . 2009-08-16 15:08 178176 ----a-w- c:\windows\system32\unrar.dll
2009-10-31 01:15 . 2009-10-31 01:16 4096 d-----w- c:\program files\K-Lite Codec Pack
2009-10-28 02:46 . 2009-10-28 02:46 -------- d-----w- c:\program files\Windows Portable Devices
2009-10-27 23:46 . 2009-10-01 01:02 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2009-10-27 23:45 . 2009-10-08 21:08 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2009-10-27 23:45 . 2009-10-08 21:08 234496 ----a-w- c:\windows\system32\oleacc.dll
2009-10-27 23:45 . 2009-10-08 21:07 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2009-10-27 23:37 . 2009-09-10 14:58 310784 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-27 23:37 . 2009-09-10 14:59 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-10-27 00:17 . 2009-08-07 02:24 44768 ----a-w- c:\windows\system32\wups2.dll
2009-10-27 00:17 . 2009-08-07 02:24 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-10-27 00:17 . 2009-08-07 02:23 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-10-27 00:17 . 2009-08-07 01:45 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-10-27 00:16 . 2009-08-07 02:24 35552 ----a-w- c:\windows\system32\wups.dll
2009-10-27 00:16 . 2009-08-07 02:23 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-10-27 00:16 . 2009-08-07 01:44 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-10-27 00:16 . 2009-08-06 23:23 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-10-27 00:16 . 2009-08-06 22:44 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-10-26 04:09 . 2009-10-27 00:10 -------- d-----w- C:\$AVG
2009-10-26 04:09 . 2009-10-26 04:09 4096 d-----w- c:\programdata\avg9
2009-10-19 03:49 . 2009-10-19 03:49 -------- d-----w- c:\users\Scott\AppData\Roaming\Malwarebytes
2009-10-19 03:49 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-19 03:49 . 2009-10-19 04:08 4096 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-19 03:49 . 2009-10-19 03:49 -------- d-----w- c:\programdata\Malwarebytes
2009-10-19 03:49 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-14 17:27 . 2009-09-10 16:48 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-10-14 17:27 . 2009-08-04 12:34 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-10-14 17:27 . 2009-08-04 12:34 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-10-13 12:58 . 2009-10-13 12:58 -------- d-----w- c:\users\Scott\AppData\Local\AIM

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-04 22:53 . 2007-11-11 03:44 4096 d-----w- c:\users\Scott\AppData\Roaming\FileZilla
2009-11-04 04:53 . 2008-09-19 18:04 4096 d-----w- c:\program files\Coupons
2009-11-04 04:28 . 2007-10-01 22:04 1356 ----a-w- c:\users\Scott\AppData\Local\d3d9caps.dat
2009-11-03 12:31 . 2008-06-27 01:09 4096 d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-03 05:46 . 2007-10-12 23:40 8192 d-----w- c:\program files\Steam
2009-11-03 04:37 . 2007-10-11 01:08 4096 d-----w- c:\program files\Java
2009-11-01 23:44 . 2007-10-21 20:09 20480 d-----w- c:\programdata\DVD Shrink
2009-10-28 02:46 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-10-28 02:46 . 2009-10-28 02:46 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2009-10-28 02:46 . 2009-10-28 02:46 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-10-26 04:09 . 2009-02-03 03:24 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-26 04:09 . 2009-02-03 03:24 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-26 04:09 . 2009-02-03 03:24 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-26 04:09 . 2009-02-03 03:24 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-26 04:09 . 2008-04-24 02:27 -------- d-----w- c:\program files\AVG
2009-10-19 03:44 . 2009-03-29 01:46 4096 d-----w- c:\users\Scott\AppData\Roaming\dvdcss
2009-10-16 01:21 . 2007-10-13 01:55 4096 d-----w- c:\program files\Common Files\Adobe
2009-10-14 21:13 . 2006-11-02 11:18 4096 d-----w- c:\program files\Windows Mail
2009-10-14 18:20 . 2007-10-02 00:08 20480 d-----w- c:\programdata\Microsoft Help
2009-10-01 14:29 . 2009-10-02 20:07 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-01 01:02 . 2009-10-27 23:46 2537472 ----a-w- c:\windows\system32\wpdshext.dll
2009-10-01 01:02 . 2009-10-27 23:46 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2009-10-01 01:02 . 2009-10-27 23:46 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
2009-10-01 01:02 . 2009-10-27 23:46 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2009-10-01 01:01 . 2009-10-27 23:46 546816 ----a-w- c:\windows\system32\wpd_ci.dll
2009-10-01 01:01 . 2009-10-27 23:46 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2009-10-01 01:01 . 2009-10-27 23:46 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
2009-10-01 01:01 . 2009-10-27 23:46 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
2009-10-01 01:01 . 2009-10-27 23:46 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2009-10-01 01:01 . 2009-10-27 23:46 350208 ----a-w- c:\windows\system32\WPDSp.dll
2009-10-01 01:01 . 2009-10-27 23:46 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2009-10-01 01:01 . 2009-10-27 23:46 40448 ----a-w- c:\windows\system32\drivers\WpdUsb.sys
2009-10-01 01:01 . 2009-10-27 23:46 226816 ----a-w- c:\windows\system32\WpdMtp.dll
2009-10-01 01:01 . 2009-10-27 23:46 61952 ----a-w- c:\windows\system32\WpdMtpUS.dll
2009-10-01 01:01 . 2009-10-27 23:46 33280 ----a-w- c:\windows\system32\WpdConns.dll
2009-09-25 02:17 . 2009-09-25 02:17 -------- d-----w- c:\users\Scott\AppData\Roaming\Canneverbe_Limited
2009-09-25 02:17 . 2009-09-25 02:17 -------- d-----w- c:\programdata\Canneverbe Limited
2009-09-25 02:10 . 2009-10-27 23:47 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
2009-09-25 02:07 . 2009-10-27 23:47 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2009-09-25 02:04 . 2009-10-27 23:47 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2009-09-25 01:49 . 2009-10-27 23:47 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2009-09-25 01:48 . 2009-10-27 23:47 351232 ----a-w- c:\windows\system32\XpsPrint.dll
2009-09-25 01:38 . 2009-10-27 23:47 847360 ----a-w- c:\windows\system32\OpcServices.dll
2009-09-25 01:36 . 2009-10-27 23:47 280064 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2009-09-25 01:35 . 2009-10-27 23:47 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2009-09-25 01:33 . 2009-10-27 23:47 195584 ----a-w- c:\windows\system32\dxdiagn.dll
2009-09-25 01:33 . 2009-10-27 23:47 829440 ----a-w- c:\windows\system32\d3d10warp.dll
2009-09-25 01:33 . 2009-10-27 23:47 369664 ----a-w- c:\windows\system32\WMPhoto.dll
2009-09-25 01:32 . 2009-10-27 23:47 252928 ----a-w- c:\windows\system32\dxdiag.exe
2009-09-25 01:31 . 2009-10-27 23:47 519680 ----a-w- c:\windows\system32\d3d11.dll
2009-09-25 01:31 . 2009-10-27 23:47 486912 ----a-w- c:\windows\system32\d3d10level9.dll
2009-09-25 01:31 . 2009-10-27 23:47 161280 ----a-w- c:\windows\system32\d3d10_1.dll
2009-09-25 01:31 . 2009-10-27 23:47 218112 ----a-w- c:\windows\system32\d3d10_1core.dll
2009-09-25 01:31 . 2009-10-27 23:47 1030144 ----a-w- c:\windows\system32\d3d10.dll
2009-09-25 01:31 . 2009-10-27 23:47 828928 ----a-w- c:\windows\system32\d2d1.dll
2009-09-25 01:30 . 2009-10-27 23:47 481792 ----a-w- c:\windows\system32\dxgi.dll
2009-09-25 01:30 . 2009-10-27 23:47 190464 ----a-w- c:\windows\system32\d3d10core.dll
2009-09-25 01:27 . 2009-10-27 23:47 634880 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2009-09-25 01:27 . 2009-10-27 23:47 37888 ----a-w- c:\windows\system32\cdd.dll
2009-09-25 01:27 . 2009-10-27 23:47 793088 ----a-w- c:\windows\system32\FntCache.dll
2009-09-25 01:27 . 2009-10-27 23:47 1064448 ----a-w- c:\windows\system32\DWrite.dll
2009-09-24 22:54 . 2009-10-27 23:47 258048 ----a-w- c:\windows\system32\winspool.drv
2009-09-24 22:54 . 2009-10-27 23:47 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2009-09-24 22:54 . 2009-10-27 23:47 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2009-09-24 00:28 . 2008-06-27 01:10 4096 d-----w- c:\program files\Seagate
2009-09-14 09:29 . 2009-10-14 17:26 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-09-10 15:40 . 2007-11-25 00:57 4096 d-----w- c:\program files\Microsoft Silverlight
2009-09-10 02:01 . 2009-10-27 23:47 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2009-09-10 02:00 . 2009-10-27 23:47 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2009-09-10 02:00 . 2009-10-27 23:47 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2009-09-04 11:41 . 2009-10-14 17:26 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-09-02 07:09 . 2009-09-02 07:09 176128 ----a-w- c:\windows\system32\drivers\Rtlh86.sys
2009-08-29 00:27 . 2009-09-02 23:16 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-29 00:14 . 2009-09-02 23:16 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-27 21:42 . 2009-08-27 21:42 161632 ----a-w- c:\users\Scott\AppData\Roaming\Juniper Networks\Setup Client\x86_Microsoft.VC80.CRTP_8.0.50727.762.exe
2009-08-27 21:42 . 2009-08-27 21:42 291696 ----a-w- c:\users\Scott\AppData\Roaming\Juniper Networks\Setup Client\x86_Microsoft.VC80.CRTR_8.0.50727.762.exe
2009-08-27 05:22 . 2009-10-14 17:26 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 05:17 . 2009-10-14 17:26 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-08-27 05:17 . 2009-10-14 17:26 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 03:42 . 2009-10-14 17:26 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-18 03:33 . 2009-08-18 03:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-15 20:01 . 2007-10-01 22:04 147736 ----a-w- c:\users\Scott\AppData\Local\GDIPFONTCACHEV1.DAT
2009-08-14 16:27 . 2009-09-10 13:20 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 15:53 . 2009-09-10 13:20 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 13:49 . 2009-09-10 13:20 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 13:49 . 2009-09-10 13:20 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 13:49 . 2009-09-10 13:20 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 13:49 . 2009-09-10 13:20 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 13:49 . 2009-09-10 13:20 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 13:49 . 2009-09-10 13:20 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 13:49 . 2009-09-10 13:20 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-14 13:48 . 2009-09-10 13:20 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-08-14 13:48 . 2009-09-10 13:20 105984 ----a-w- c:\windows\system32\netiohlp.dll
2007-11-08 00:15 . 2007-11-08 00:15 0 --sh--w- c:\windows\SDA72777C.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
"Google Update"="c:\users\Scott\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-09-02 133104]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2006-04-29 94208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-10-03 39792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-28 13687328]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-28 92704]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-10-26 2010904]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-03 149280]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-10-11 4702208]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-8-25 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
SetupExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):14,89,c9,c9,4c,df,c9,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2725499745-1328295949-1772943228-1000]
"EnableNotificationsRef"=dword:00000001

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [2/2/2009 10:24 PM 333192]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [2/2/2009 10:24 PM 360584]
R1 RtlProt;Realtke RtlProt WLAN Utility Protocol Driver;c:\windows\System32\drivers\RtlProt.sys [4/23/2007 9:50 AM 25896]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [10/25/2009 11:09 PM 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [10/25/2009 11:09 PM 285392]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 5:45 AM 13088]
R2 RtNdPt60;Realtek NDIS Protocol Driver;c:\windows\System32\drivers\RtNdPt60.sys [7/1/2008 3:59 PM 27648]
R3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\System32\drivers\wg111v3.sys [7/12/2009 12:35 AM 289280]
S2 Seagate Sync Service;Seagate Sync Service;"c:\program files\Seagate\Sync\SeaSyncServices.exe" --> c:\program files\Seagate\Sync\SeaSyncServices.exe [?]
S2 SessionLauncher;SessionLauncher;c:\users\Scott\AppData\Local\Temp\DX9\SessionLauncher.exe --> c:\users\Scott\AppData\Local\Temp\DX9\SessionLauncher.exe [?]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [3/18/2008 5:00 PM 21504]
S4 RoxLiveShare10;LiveShare P2P Server 10;"c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe" --> c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*NewlyCreated* - PROCEXP113
*Deregistered* - mbr
*Deregistered* - PROCEXP113

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
rsmsvcs REG_MULTI_SZ ntmssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2009-11-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2725499745-1328295949-1772943228-1000Core.job
- c:\users\Scott\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-02 20:21]

2009-11-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2725499745-1328295949-1772943228-1000UA.job
- c:\users\Scott\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-02 20:21]

2009-11-06 c:\windows\Tasks\User_Feed_Synchronization-{317E82E1-DFBC-4603-B7A9-A772026AC47C}.job
- c:\windows\system32\msfeedssync.exe [2009-10-14 03:41]

2009-11-06 c:\windows\Tasks\User_Feed_Synchronization-{6B738A42-E589-466E-BE43-FF0ED232C195}.job
- c:\windows\system32\msfeedssync.exe [2009-10-14 03:41]
.
.
------- Supplementary Scan -------
.
uSearch Bar = Preserve
Trusted Zone: turbotax.com
DPF: {3C648A72-C49A-48EF-9F90-68EF13293F97} - hxxp://www.priv.njmls.xmlsweb.com/XMLSearch/XMLCache.CAB
DPF: {6BA21C22-53A5-463F-BBE8-5CF7FFA0132B} - hxxps://epsdev.bankofny.com/dct/data/officeviewer.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://jpass1.bnymellon.com/dana-cached/sc/JuniperSetupClient.cab
FF - ProfilePath - c:\users\Scott\AppData\Roaming\Mozilla\Firefox\Profiles\np54roo0.default\
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
.
------- File Associations -------
.
regedit=regedit.exe "%1"
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-06 18:32
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll atapi.sys >>UNKNOWN [0x870E1F61]<<
kernel: MBR read successfully
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\msiserver]
"ImagePath"="%systemroot%\system32\msiexec /V"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2725499745-1328295949-1772943228-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:71,0f,e7,10,1a,c3,53,52,b3,14,1f,70,cd,db,08,64,b5,a6,98,38,43,3d,9f,
c1,e0,f4,3d,d8,2f,10,6d,9e,db,88,4f,2f,57,3e,d4,f5,ae,10,de,0b,56,cf,ce,85,\
"??"=hex:23,1f,67,c9,24,00,50,a7,00,4d,0c,cc,c3,ad,32,c4
.
Completion time: 2009-11-06 18:35
ComboFix-quarantined-files.txt 2009-11-06 23:35

Pre-Run: 62,151,172,096 bytes free
Post-Run: 62,596,923,392 bytes free

- - End Of File - - 08EB960A59C5152DD458C61C6F902FDD


Edited by Buckeye_Sam, 07 November 2009 - 09:02 AM.


#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:07:23 AM

Posted 07 November 2009 - 09:10 AM

Please do not attach log files unless specifically requested to do so. Just copy the text in the log and then paste it directly into your reply.
It makes it much easier for me to review the information if I can see it all in one place.


Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript to your desktop.

KillAll::

File::
c:\windows\system32\tdlwsp.dll

Prior to running Combofix.exe you should disable your antivirus program.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

[Image: CFScript file being dragged onto ComboFix.exe]

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.



=====================


Download GMER from here:
  • Unzip it to the desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results (if any) into this thread.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 troutster

troutster
  • Topic Starter

  • Members
  • 15 posts
  • Local time:07:23 AM

Posted 07 November 2009 - 11:28 AM

Here is the resulting log. Thanks

ComboFix 09-11-06.03 - Scott 11/07/2009 11:05.2.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3070.2043 [GMT -5:00]
Running from: c:\users\Scott\Desktop\ComboFix.exe
Command switches used :: c:\users\Scott\Desktop\CFScript.txt
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\windows\system32\tdlwsp.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\tdlwsp.dll

.
((((((((((((((((((((((((( Files Created from 2009-10-07 to 2009-11-07 )))))))))))))))))))))))))))))))
.

2009-11-07 16:12 . 2009-11-07 16:15 4096 d-----w- c:\users\Scott\AppData\Local\temp
2009-11-07 16:12 . 2009-11-07 16:12 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-11-07 16:12 . 2009-11-07 16:12 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-11-03 04:37 . 2009-11-03 04:37 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-03 02:32 . 2009-11-03 02:32 2 --shatr- c:\windows\winstart.bat
2009-11-03 02:31 . 2009-11-03 02:31 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2009-11-03 02:31 . 2009-11-03 12:31 -------- d-----w- c:\users\Scott\AppData\Roaming\SUPERAntiSpyware.com
2009-11-03 02:31 . 2009-11-03 12:31 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-03 02:30 . 2009-11-03 12:31 -------- d-----w- c:\program files\UnHackMe
2009-11-03 02:04 . 2009-11-03 02:03 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-03 02:01 . 2009-11-04 04:44 -------- d-----w- c:\programdata\Lavasoft
2009-11-01 21:02 . 2009-11-01 21:02 -------- d-----w- c:\program files\ESET
2009-10-31 02:03 . 2009-10-31 02:04 -------- d-----w- c:\users\Scott\AppData\Roaming\vlc
2009-10-31 01:15 . 2009-08-16 15:08 178176 ----a-w- c:\windows\system32\unrar.dll
2009-10-31 01:15 . 2009-10-31 01:16 4096 d-----w- c:\program files\K-Lite Codec Pack
2009-10-28 02:46 . 2009-10-28 02:46 -------- d-----w- c:\program files\Windows Portable Devices
2009-10-27 23:46 . 2009-10-01 01:02 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2009-10-27 23:45 . 2009-10-08 21:08 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2009-10-27 23:45 . 2009-10-08 21:08 234496 ----a-w- c:\windows\system32\oleacc.dll
2009-10-27 23:45 . 2009-10-08 21:07 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2009-10-27 23:37 . 2009-09-10 14:58 310784 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-27 23:37 . 2009-09-10 14:59 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-10-27 00:17 . 2009-08-07 02:24 44768 ----a-w- c:\windows\system32\wups2.dll
2009-10-27 00:17 . 2009-08-07 02:24 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-10-27 00:17 . 2009-08-07 02:23 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-10-27 00:17 . 2009-08-07 01:45 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-10-27 00:16 . 2009-08-07 02:24 35552 ----a-w- c:\windows\system32\wups.dll
2009-10-27 00:16 . 2009-08-07 02:23 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-10-27 00:16 . 2009-08-07 01:44 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-10-27 00:16 . 2009-08-06 23:23 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-10-27 00:16 . 2009-08-06 22:44 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-10-26 04:09 . 2009-10-27 00:10 -------- d-----w- C:\$AVG
2009-10-26 04:09 . 2009-10-26 04:09 4096 d-----w- c:\programdata\avg9
2009-10-19 03:49 . 2009-10-19 03:49 -------- d-----w- c:\users\Scott\AppData\Roaming\Malwarebytes
2009-10-19 03:49 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-19 03:49 . 2009-10-19 04:08 4096 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-19 03:49 . 2009-10-19 03:49 -------- d-----w- c:\programdata\Malwarebytes
2009-10-19 03:49 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-14 17:27 . 2009-09-10 16:48 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-10-14 17:27 . 2009-08-04 12:34 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-10-14 17:27 . 2009-08-04 12:34 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-10-13 12:58 . 2009-10-13 12:58 -------- d-----w- c:\users\Scott\AppData\Local\AIM

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-04 22:53 . 2007-11-11 03:44 4096 d-----w- c:\users\Scott\AppData\Roaming\FileZilla
2009-11-04 04:53 . 2008-09-19 18:04 4096 d-----w- c:\program files\Coupons
2009-11-04 04:28 . 2007-10-01 22:04 1356 ----a-w- c:\users\Scott\AppData\Local\d3d9caps.dat
2009-11-03 12:31 . 2008-06-27 01:09 4096 d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-03 05:46 . 2007-10-12 23:40 8192 d-----w- c:\program files\Steam
2009-11-03 04:37 . 2007-10-11 01:08 4096 d-----w- c:\program files\Java
2009-11-01 23:44 . 2007-10-21 20:09 20480 d-----w- c:\programdata\DVD Shrink
2009-10-28 02:46 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-10-28 02:46 . 2009-10-28 02:46 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2009-10-28 02:46 . 2009-10-28 02:46 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-10-26 04:09 . 2009-02-03 03:24 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-26 04:09 . 2009-02-03 03:24 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-26 04:09 . 2009-02-03 03:24 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-26 04:09 . 2009-02-03 03:24 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-26 04:09 . 2008-04-24 02:27 -------- d-----w- c:\program files\AVG
2009-10-19 03:44 . 2009-03-29 01:46 4096 d-----w- c:\users\Scott\AppData\Roaming\dvdcss
2009-10-16 01:21 . 2007-10-13 01:55 4096 d-----w- c:\program files\Common Files\Adobe
2009-10-14 21:13 . 2006-11-02 11:18 4096 d-----w- c:\program files\Windows Mail
2009-10-14 18:20 . 2007-10-02 00:08 20480 d-----w- c:\programdata\Microsoft Help
2009-10-01 14:29 . 2009-10-02 20:07 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-01 01:02 . 2009-10-27 23:46 2537472 ----a-w- c:\windows\system32\wpdshext.dll
2009-10-01 01:02 . 2009-10-27 23:46 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2009-10-01 01:02 . 2009-10-27 23:46 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
2009-10-01 01:02 . 2009-10-27 23:46 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2009-10-01 01:01 . 2009-10-27 23:46 546816 ----a-w- c:\windows\system32\wpd_ci.dll
2009-10-01 01:01 . 2009-10-27 23:46 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2009-10-01 01:01 . 2009-10-27 23:46 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
2009-10-01 01:01 . 2009-10-27 23:46 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
2009-10-01 01:01 . 2009-10-27 23:46 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2009-10-01 01:01 . 2009-10-27 23:46 350208 ----a-w- c:\windows\system32\WPDSp.dll
2009-10-01 01:01 . 2009-10-27 23:46 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2009-10-01 01:01 . 2009-10-27 23:46 40448 ----a-w- c:\windows\system32\drivers\WpdUsb.sys
2009-10-01 01:01 . 2009-10-27 23:46 226816 ----a-w- c:\windows\system32\WpdMtp.dll
2009-10-01 01:01 . 2009-10-27 23:46 61952 ----a-w- c:\windows\system32\WpdMtpUS.dll
2009-10-01 01:01 . 2009-10-27 23:46 33280 ----a-w- c:\windows\system32\WpdConns.dll
2009-09-25 02:17 . 2009-09-25 02:17 -------- d-----w- c:\users\Scott\AppData\Roaming\Canneverbe_Limited
2009-09-25 02:17 . 2009-09-25 02:17 -------- d-----w- c:\programdata\Canneverbe Limited
2009-09-25 02:10 . 2009-10-27 23:47 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
2009-09-25 02:07 . 2009-10-27 23:47 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2009-09-25 02:04 . 2009-10-27 23:47 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2009-09-25 01:49 . 2009-10-27 23:47 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2009-09-25 01:48 . 2009-10-27 23:47 351232 ----a-w- c:\windows\system32\XpsPrint.dll
2009-09-25 01:38 . 2009-10-27 23:47 847360 ----a-w- c:\windows\system32\OpcServices.dll
2009-09-25 01:36 . 2009-10-27 23:47 280064 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2009-09-25 01:35 . 2009-10-27 23:47 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2009-09-25 01:33 . 2009-10-27 23:47 195584 ----a-w- c:\windows\system32\dxdiagn.dll
2009-09-25 01:33 . 2009-10-27 23:47 829440 ----a-w- c:\windows\system32\d3d10warp.dll
2009-09-25 01:33 . 2009-10-27 23:47 369664 ----a-w- c:\windows\system32\WMPhoto.dll
2009-09-25 01:32 . 2009-10-27 23:47 252928 ----a-w- c:\windows\system32\dxdiag.exe
2009-09-25 01:31 . 2009-10-27 23:47 519680 ----a-w- c:\windows\system32\d3d11.dll
2009-09-25 01:31 . 2009-10-27 23:47 486912 ----a-w- c:\windows\system32\d3d10level9.dll
2009-09-25 01:31 . 2009-10-27 23:47 161280 ----a-w- c:\windows\system32\d3d10_1.dll
2009-09-25 01:31 . 2009-10-27 23:47 218112 ----a-w- c:\windows\system32\d3d10_1core.dll
2009-09-25 01:31 . 2009-10-27 23:47 1030144 ----a-w- c:\windows\system32\d3d10.dll
2009-09-25 01:31 . 2009-10-27 23:47 828928 ----a-w- c:\windows\system32\d2d1.dll
2009-09-25 01:30 . 2009-10-27 23:47 481792 ----a-w- c:\windows\system32\dxgi.dll
2009-09-25 01:30 . 2009-10-27 23:47 190464 ----a-w- c:\windows\system32\d3d10core.dll
2009-09-25 01:27 . 2009-10-27 23:47 634880 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2009-09-25 01:27 . 2009-10-27 23:47 37888 ----a-w- c:\windows\system32\cdd.dll
2009-09-25 01:27 . 2009-10-27 23:47 793088 ----a-w- c:\windows\system32\FntCache.dll
2009-09-25 01:27 . 2009-10-27 23:47 1064448 ----a-w- c:\windows\system32\DWrite.dll
2009-09-24 22:54 . 2009-10-27 23:47 258048 ----a-w- c:\windows\system32\winspool.drv
2009-09-24 22:54 . 2009-10-27 23:47 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2009-09-24 22:54 . 2009-10-27 23:47 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2009-09-24 00:28 . 2008-06-27 01:10 4096 d-----w- c:\program files\Seagate
2009-09-14 09:29 . 2009-10-14 17:26 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-09-10 15:40 . 2007-11-25 00:57 4096 d-----w- c:\program files\Microsoft Silverlight
2009-09-10 02:01 . 2009-10-27 23:47 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2009-09-10 02:00 . 2009-10-27 23:47 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2009-09-10 02:00 . 2009-10-27 23:47 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2009-09-04 11:41 . 2009-10-14 17:26 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-09-02 07:09 . 2009-09-02 07:09 176128 ----a-w- c:\windows\system32\drivers\Rtlh86.sys
2009-08-29 00:27 . 2009-09-02 23:16 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-29 00:14 . 2009-09-02 23:16 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-27 21:42 . 2009-08-27 21:42 161632 ----a-w- c:\users\Scott\AppData\Roaming\Juniper Networks\Setup Client\x86_Microsoft.VC80.CRTP_8.0.50727.762.exe
2009-08-27 21:42 . 2009-08-27 21:42 291696 ----a-w- c:\users\Scott\AppData\Roaming\Juniper Networks\Setup Client\x86_Microsoft.VC80.CRTR_8.0.50727.762.exe
2009-08-27 05:22 . 2009-10-14 17:26 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 05:17 . 2009-10-14 17:26 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-08-27 05:17 . 2009-10-14 17:26 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 03:42 . 2009-10-14 17:26 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-18 03:33 . 2009-08-18 03:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-15 20:01 . 2007-10-01 22:04 147736 ----a-w- c:\users\Scott\AppData\Local\GDIPFONTCACHEV1.DAT
2009-08-14 16:27 . 2009-09-10 13:20 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 15:53 . 2009-09-10 13:20 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 13:49 . 2009-09-10 13:20 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 13:49 . 2009-09-10 13:20 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 13:49 . 2009-09-10 13:20 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 13:49 . 2009-09-10 13:20 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 13:49 . 2009-09-10 13:20 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 13:49 . 2009-09-10 13:20 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 13:49 . 2009-09-10 13:20 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-14 13:48 . 2009-09-10 13:20 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-08-14 13:48 . 2009-09-10 13:20 105984 ----a-w- c:\windows\system32\netiohlp.dll
2007-11-08 00:15 . 2007-11-08 00:15 0 --sh--w- c:\windows\SDA72777C.tmp
.

((((((((((((((((((((((((((((( SnapShot@2009-11-06_23.32.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-10-01 22:13 . 2009-11-07 16:17 73696 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-11-07 16:17 82930 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2007-10-01 22:05 . 2009-11-07 16:17 19486 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2725499745-1328295949-1772943228-1000_UserData.bin
- 2006-11-02 13:02 . 2009-11-06 23:15 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2006-11-02 13:02 . 2009-11-07 15:25 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2006-11-02 13:02 . 2009-11-06 23:15 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2006-11-02 13:02 . 2009-11-07 15:25 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2006-11-02 13:02 . 2009-11-07 15:25 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2006-11-02 13:02 . 2009-11-06 23:15 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-11-06 23:15 . 2009-11-06 23:15 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-11-07 16:15 . 2009-11-07 16:15 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-11-07 16:15 . 2009-11-07 16:15 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-11-06 23:15 . 2009-11-06 23:15 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-05-07 23:42 . 2009-11-07 15:25 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2009-05-07 23:42 . 2009-11-06 23:15 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
"Google Update"="c:\users\Scott\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-09-02 133104]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2006-04-29 94208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-10-03 39792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-28 13687328]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-28 92704]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-10-26 2010904]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-03 149280]
"combofix"="c:\combofix\CF6164.exe" [2009-11-07 318976]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-10-11 4702208]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-8-25 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):14,89,c9,c9,4c,df,c9,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2725499745-1328295949-1772943228-1000]
"EnableNotificationsRef"=dword:00000001

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [2/2/2009 10:24 PM 333192]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [2/2/2009 10:24 PM 360584]
R1 RtlProt;Realtke RtlProt WLAN Utility Protocol Driver;c:\windows\System32\drivers\RtlProt.sys [4/23/2007 9:50 AM 25896]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [10/25/2009 11:09 PM 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [10/25/2009 11:09 PM 285392]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 5:45 AM 13088]
R2 RtNdPt60;Realtek NDIS Protocol Driver;c:\windows\System32\drivers\RtNdPt60.sys [7/1/2008 3:59 PM 27648]
R3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\System32\drivers\wg111v3.sys [7/12/2009 12:35 AM 289280]
S2 Seagate Sync Service;Seagate Sync Service;"c:\program files\Seagate\Sync\SeaSyncServices.exe" --> c:\program files\Seagate\Sync\SeaSyncServices.exe [?]
S2 SessionLauncher;SessionLauncher;c:\users\Scott\AppData\Local\Temp\DX9\SessionLauncher.exe --> c:\users\Scott\AppData\Local\Temp\DX9\SessionLauncher.exe [?]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [3/18/2008 5:00 PM 21504]
S4 RoxLiveShare10;LiveShare P2P Server 10;"c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe" --> c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
rsmsvcs REG_MULTI_SZ ntmssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2009-11-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2725499745-1328295949-1772943228-1000Core.job
- c:\users\Scott\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-02 20:21]

2009-11-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2725499745-1328295949-1772943228-1000UA.job
- c:\users\Scott\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-02 20:21]

2009-11-07 c:\windows\Tasks\User_Feed_Synchronization-{317E82E1-DFBC-4603-B7A9-A772026AC47C}.job
- c:\windows\system32\msfeedssync.exe [2009-10-14 03:41]

2009-11-07 c:\windows\Tasks\User_Feed_Synchronization-{6B738A42-E589-466E-BE43-FF0ED232C195}.job
- c:\windows\system32\msfeedssync.exe [2009-10-14 03:41]
.
.
------- Supplementary Scan -------
.
Trusted Zone: turbotax.com
DPF: {3C648A72-C49A-48EF-9F90-68EF13293F97} - hxxp://www.priv.njmls.xmlsweb.com/XMLSearch/XMLCache.CAB
DPF: {6BA21C22-53A5-463F-BBE8-5CF7FFA0132B} - hxxps://epsdev.bankofny.com/dct/data/officeviewer.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://jpass1.bnymellon.com/dana-cached/sc/JuniperSetupClient.cab
FF - ProfilePath - c:\users\Scott\AppData\Roaming\Mozilla\Firefox\Profiles\np54roo0.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-07 11:15
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll atapi.sys >>UNKNOWN [0x871F4F61]<<
kernel: MBR read successfully
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2725499745-1328295949-1772943228-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:71,0f,e7,10,1a,c3,53,52,b3,14,1f,70,cd,db,08,64,b5,a6,98,38,43,3d,9f,
c1,e0,f4,3d,d8,2f,10,6d,9e,db,88,4f,2f,57,3e,d4,f5,ae,10,de,0b,56,cf,ce,85,\
"??"=hex:23,1f,67,c9,24,00,50,a7,00,4d,0c,cc,c3,ad,32,c4
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\AUDIODG.EXE
c:\windows\system32\rundll32.exe
c:\windows\System32\rundll32.exe
c:\program files\AVG\AVG9\avgtray.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\program files\Common Files\InterVideo\DeviceService\DevSvc.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\AIM6\aolsoftware.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2009-11-07 11:24 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-07 16:24
ComboFix2.txt 2009-11-06 23:35

Pre-Run: 52,300,427,264 bytes free
Post-Run: 52,174,442,496 bytes free

- - End Of File - - 9C13267074A190DDB5E63C703432FF14

#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:07:23 AM

Posted 07 November 2009 - 05:26 PM

Do you also have the Gmer log?
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 troutster

troutster
  • Topic Starter

  • Members
  • 15 posts
  • Local time:07:23 AM

Posted 07 November 2009 - 09:38 PM

GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-11-07 21:37:31
Windows 6.0.6002 Service Pack 2
Running: 097hcskh.exe; Driver: C:\Users\Scott\AppData\Local\Temp\kwldqpow.sys


---- System - GMER 1.0.15 ----

INT 0x72 ? 86AD4F00
INT 0x82 ? 86AD4F00
INT 0x82 ? 86AD4F00
INT 0x82 ? 86AD4F00
INT 0x82 ? 86AD4F00
INT 0x92 ? 86AD4F00
INT 0xA2 ? 84B67BF8
INT 0xA2 ? 84B67BF8
INT 0xA2 ? 84B67BF8
INT 0xA2 ? 84B67BF8
INT 0xA2 ? 84B67BF8
INT 0xA2 ? 84B67BF8
INT 0xA2 ? 86AD4F00
INT 0xA2 ? 84B67BF8
INT 0xB2 ? 86AD4F00
INT 0xB2 ? 86AD4F00

---- Kernel code sections - GMER 1.0.15 ----

? System32\Drivers\spmi.sys The system cannot find the path specified. !
.text USBPORT.SYS!DllUnload 8FAF041B 5 Bytes JMP 86AD44E0

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [826906D2] \SystemRoot\System32\Drivers\spmi.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [82690040] \SystemRoot\System32\Drivers\spmi.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [826907FC] \SystemRoot\System32\Drivers\spmi.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [826900BE] \SystemRoot\System32\Drivers\spmi.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8269013C] \SystemRoot\System32\Drivers\spmi.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8592C1F8

AttachedDevice \FileSystem\Ntfs \Ntfs symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy1 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy2 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

Device \Driver\volmgr \Device\VolMgrControl 84B691F8

AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy3 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy4 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

Device \Driver\usbuhci \Device\USBPDO-0 86BE9500

AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy5 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

Device \Driver\usbuhci \Device\USBPDO-1 86BE9500

AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy6 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

Device \Driver\usbuhci \Device\USBPDO-2 86BE9500

AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy7 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

Device \Driver\usbehci \Device\USBPDO-3 869E21F8
Device \Driver\usbuhci \Device\USBPDO-4 86BE9500

AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\usbuhci \Device\USBPDO-5 86BE9500
Device \Driver\usbuhci \Device\USBPDO-6 86BE9500
Device \Driver\volmgr \Device\HarddiskVolume1 84B691F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

Device \Driver\usbehci \Device\USBPDO-7 869E21F8
Device \Driver\volmgr \Device\HarddiskVolume2 84B691F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

Device \Driver\cdrom \Device\CdRom0 86A321F8
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-4 [82C8D9B0] \SystemRoot\system32\drivers\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdePort0 [82C8D9B0] \SystemRoot\system32\drivers\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdePort1 [82C8D9B0] \SystemRoot\system32\drivers\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdePort2 [82C8D9B0] \SystemRoot\system32\drivers\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdePort3 [82C8D9B0] \SystemRoot\system32\drivers\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdePort4 [82C8D9B0] \SystemRoot\system32\drivers\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdePort5 [82C8D9B0] \SystemRoot\system32\drivers\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\msahci \Device\Ide\PciIde1Channel0 8592B1F8
Device \Driver\msahci \Device\Ide\PciIde1Channel1 8592B1F8
Device \Driver\msahci \Device\Ide\PciIde1Channel4 8592B1F8
Device \Driver\msahci \Device\Ide\PciIde1Channel5 8592B1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP4T0L0-6 [82C8D9B0] \SystemRoot\system32\drivers\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\volmgr \Device\HarddiskVolume3 84B691F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

Device \Driver\cdrom \Device\CdRom1 86A321F8
Device \Driver\netbt \Device\NetBt_Wins_Export 8757F1F8
Device \Driver\Smb \Device\NetbiosSmb 878541F8
Device \Driver\netbt \Device\NetBT_Tcpip_{8F2B1788-129E-4DD3-9C95-51BF8E073DC1} 8757F1F8
Device \Driver\iScsiPrt \Device\RaidPort0 86A311F8

AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\netbt \Device\NetBT_Tcpip_{F48E80AA-85E5-41D2-8763-2F45953C0A4F} 8757F1F8
Device \Driver\usbuhci \Device\USBFDO-0 86BE9500
Device \Driver\usbuhci \Device\USBFDO-1 86BE9500
Device \Driver\usbuhci \Device\USBFDO-2 86BE9500
Device \Driver\usbehci \Device\USBFDO-3 869E21F8
Device \Driver\usbuhci \Device\USBFDO-4 86BE9500
Device \Driver\usbuhci \Device\USBFDO-5 86BE9500
Device \Driver\usbuhci \Device\USBFDO-6 86BE9500
Device \Driver\usbehci \Device\USBFDO-7 869E21F8
Device \Driver\netbt \Device\NetBT_Tcpip_{2DB44BD0-8874-4B8E-ADC5-C7BB2C8DB15C} 8757F1F8
Device \Driver\VClone \Device\Scsi\VClone1 86C001F8
Device \Driver\VClone \Device\Scsi\VClone1Port7Path0Target0Lun0 86C001F8
Device \FileSystem\cdfs \Cdfs 884A4500

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x19 0x36 0xBD 0xF0 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x19 0x36 0xBD 0xF0 ...
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex@LogName C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.Ntfy115.gthr
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex@LogNumber 115
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex@CheckPointSignature 4bee52a8-a42c-41ca-b734-ff8bd16606e9
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\2390
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\2390@CrawlType 5
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\2390@InProgress 1
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\2390@DoneAddingCrawlSeeds 1
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\2390@LogName C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.Crwl2390.gthr
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\2390@CheckPoint 0xE0 0x02 0x00 0x00 ...
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\2390@IsCatalogLevel 0
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\2390@LogStartAddId 2
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\2390@SuccessfulTransactions 0
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\2390@ErrorTransactions 0
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\2390@WarningTransactions 0
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\2390@ExcludedTransactions 0
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\2390@RetryTransactions 0
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\2390@KilobytesCrawled 0
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\2390@Modified 0
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\2390@UnvisitedItems 0
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\2390@ForcedFullCrawl 0
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\StartPages\2@CrawlNumberInProgress 2390
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xE2 0x63 0x26 0xF1 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x46 0x47 0x15 0xB0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0x25 0xDA 0xEC 0x7E ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x3E 0x1E 0x9E 0xE0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xCD 0x44 0xCD 0xB9 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xB0 0x18 0xED 0xA7 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0xFB 0xA7 0x78 0xE6 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x83 0x6C 0x56 0x8B ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0x51 0xFA 0x6E 0x91 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0x37 0xA4 0xAA 0xC3 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0xE3 0x0E 0x66 0xD5 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0x6C 0x43 0x2D 0x1E ...

---- Files - GMER 1.0.15 ----

File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS1EB4E.log 131072 bytes
File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:07:23 AM

Posted 08 November 2009 - 11:04 AM

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    atapi.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


========================================================

#9 troutster

troutster
  • Topic Starter

  • Members
  • 15 posts
  • Local time:07:23 AM

Posted 08 November 2009 - 03:12 PM

Here is the log:

When running the scan, AVG detected c:\windows\system32\caonima1.exe to be infected w/ Trojan horse SHeur2.BQEO from process C:\windows\temp\bpmn.tmp

AVG "Move to Vault" the threat/

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 14:50 on 08/11/2009 by Scott (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi.sys"
C:\Windows\ERDNT\cache\atapi.sys --a--- 19944 bytes [23:33 06/11/2009] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_7de13c21\atapi.sys ------ 21560 bytes [05:36 13/02/2008] [05:36 13/02/2008] B35CFCEF838382AB6490B321C87EDF17
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys --a--- 19944 bytes [03:37 28/05/2009] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys ------ 19048 bytes [10:25 02/11/2006] [09:49 02/11/2006] 4F4FCB8B6EA06784FB6D475B7EC7300F
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys ------ 21560 bytes [22:01 18/03/2008] [07:41 19/01/2008] 2D9C903DC76A66813D350A562DE40ED9
C:\Windows\System32\drivers\atapi.sys --a--- 19944 bytes [03:37 28/05/2009] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.16632_none_db337a442479c42c\atapi.sys --a--- 21560 bytes [05:36 13/02/2008] [05:36 13/02/2008] B35CFCEF838382AB6490B321C87EDF17
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20757_none_dbac78a93da31a8b\atapi.sys --a--- 21560 bytes [05:36 13/02/2008] [05:36 13/02/2008] E03E8C99D15D0381E02743C36AFC7C6F
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys --a--- 21560 bytes [22:01 18/03/2008] [07:41 19/01/2008] 2D9C903DC76A66813D350A562DE40ED9
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys --a--- 19944 bytes [03:37 28/05/2009] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4

-=End Of File=-
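A small parser for the SystemLook filefind output above, added here as an example and not part of the thread or of SystemLook itself. It groups the atapi.sys copies by MD5 and checks the live copy in System32\drivers against the DriverStore and winsxs copies, which is the comparison a helper makes when reading this log; the sample lines are a subset of the log above, and the directory names used to tell live from reference copies are assumptions.

```python
"""Group the copies of a driver listed by a SystemLook ':filefind' scan by MD5 and
check the live copy under System32\\drivers against the DriverStore/winsxs copies."""
import re
from collections import defaultdict

# Constructed sample input: four of the lines from the SystemLook log above.
SAMPLE_LOG = r"""
Searching for "atapi.sys"
C:\Windows\ERDNT\cache\atapi.sys --a--- 19944 bytes [23:33 06/11/2009] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_7de13c21\atapi.sys ------ 21560 bytes [05:36 13/02/2008] [05:36 13/02/2008] B35CFCEF838382AB6490B321C87EDF17
C:\Windows\System32\drivers\atapi.sys --a--- 19944 bytes [03:37 28/05/2009] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys --a--- 19944 bytes [03:37 28/05/2009] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
"""

# One result line: <path> <attrs> <size> bytes [<modified>] [<created>] <MD5>
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-a-z]{6}) (?P<size>\d+) bytes "
    r"\[(?P<mtime>[^\]]+)\] \[(?P<ctime>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)

# Assumed layout: the kernel loads the driver from LIVE_DIR; Windows keeps
# pristine copies under the REFERENCE_DIRS (hypothetical names, lower-cased).
LIVE_DIR = "\\system32\\drivers\\"
REFERENCE_DIRS = ("\\driverstore\\", "\\winsxs\\")


def parse_filefind(text):
    """Return a list of dicts, one per file line; headers and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["size"] = int(e["size"])
        e["md5"] = e["md5"].upper()
        entries.append(e)
    return entries


def group_by_hash(entries):
    """Map MD5 -> list of paths, so identical copies are visible at a glance."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["md5"]].append(e["path"])
    return dict(groups)


def check_live_copy(entries):
    """Compare the live driver against the DriverStore/winsxs reference copies.

    Returns the live entry, the reference paths whose size and MD5 match it,
    and a verdict. A mismatch means the on-disk driver differs from every copy
    Windows keeps and warrants investigation. A match is only a necessary
    condition: the hash is read through the running kernel's storage stack,
    and a kernel-mode rootkit that hooks that stack can serve the original
    bytes for a file it has patched (in the thread above, GMER flagged
    atapi.sys as modified while every copy hashed identically).
    """
    live = [e for e in entries if LIVE_DIR in e["path"].lower()]
    refs = [e for e in entries
            if any(d in e["path"].lower() for d in REFERENCE_DIRS)]
    if len(live) != 1:
        return {"live": None, "matches": [], "verdict": "no single live copy found"}
    live = live[0]
    matches = [r["path"] for r in refs
               if r["md5"] == live["md5"] and r["size"] == live["size"]]
    verdict = ("live copy matches a reference copy" if matches
               else "live copy matches no reference copy: investigate")
    return {"live": live, "matches": matches, "verdict": verdict}


if __name__ == "__main__":
    parsed = parse_filefind(SAMPLE_LOG)
    for md5, paths in group_by_hash(parsed).items():
        print(md5, len(paths), "copies")
    print(check_live_copy(parsed)["verdict"])
```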

#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:07:23 AM

Posted 09 November 2009 - 07:35 AM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: CFScript to your desktop.

FCopy::
C:\Windows\ERDNT\cache\atapi.sys | C:\Windows\System32\drivers\atapi.sys

File::
c:\windows\system32\caonima1.exe
Prior to running Combofix.exe you should disable your antivirus program.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

[image: dragging the CFScript file onto ComboFix.exe]

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


========================================================

#11 troutster

troutster
  • Topic Starter

  • Members
  • 15 posts
  • Local time:07:23 AM

Posted 09 November 2009 - 08:38 PM

Thanks again. I created the file and ran ComboFix.

During the scan AVG detected
Trojan Horse Agent_r.OT in C:\windows\system32\tdlwsp.dll

This was kicked off by 2 processes. C:\combofix\findstr.cfxxe and c:\windows\pev.exe

Here is the combofix log:

ComboFix 09-11-08.03 - Scott 11/09/2009 20:18.3.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3070.1932 [GMT -5:00]
Running from: c:\users\Scott\Desktop\ComboFix.exe
Command switches used :: c:\users\Scott\Desktop\CFScript.txt
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\windows\system32\caonima1.exe"
.

((((((((((((((((((((((((( Files Created from 2009-10-10 to 2009-11-10 )))))))))))))))))))))))))))))))
.

2009-11-10 01:25 . 2009-11-10 01:28 -------- d-----w- c:\users\Scott\AppData\Local\temp
2009-11-10 01:25 . 2009-11-10 01:25 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-11-10 01:25 . 2009-11-10 01:25 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-11-10 01:13 . 2009-10-26 04:09 360584 ----a-w- c:\programdata\avg9\update\backup\avgtdix.sys
2009-11-10 01:13 . 2009-10-26 04:09 610072 ----a-w- c:\programdata\avg9\update\backup\avgiproxy.exe
2009-11-10 01:13 . 2009-10-26 04:09 1657112 ----a-w- c:\programdata\avg9\update\backup\avgupd.dll
2009-11-03 04:37 . 2009-11-03 04:37 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-03 02:32 . 2009-11-03 02:32 2 --shatr- c:\windows\winstart.bat
2009-11-03 02:31 . 2009-11-03 02:31 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2009-11-03 02:31 . 2009-11-03 12:31 -------- d-----w- c:\users\Scott\AppData\Roaming\SUPERAntiSpyware.com
2009-11-03 02:31 . 2009-11-03 12:31 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-03 02:30 . 2009-11-03 12:31 -------- d-----w- c:\program files\UnHackMe
2009-11-03 02:04 . 2009-11-03 02:03 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-03 02:01 . 2009-11-04 04:44 -------- d-----w- c:\programdata\Lavasoft
2009-11-01 21:02 . 2009-11-01 21:02 -------- d-----w- c:\program files\ESET
2009-10-31 02:03 . 2009-10-31 02:04 -------- d-----w- c:\users\Scott\AppData\Roaming\vlc
2009-10-31 01:15 . 2009-08-16 15:08 178176 ----a-w- c:\windows\system32\unrar.dll
2009-10-31 01:15 . 2009-10-31 01:16 4096 d-----w- c:\program files\K-Lite Codec Pack
2009-10-28 02:46 . 2009-10-28 02:46 -------- d-----w- c:\program files\Windows Portable Devices
2009-10-27 23:46 . 2009-10-01 01:02 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2009-10-27 23:45 . 2009-10-08 21:08 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2009-10-27 23:45 . 2009-10-08 21:08 234496 ----a-w- c:\windows\system32\oleacc.dll
2009-10-27 23:45 . 2009-10-08 21:07 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2009-10-27 23:37 . 2009-09-10 14:58 310784 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-27 23:37 . 2009-09-10 14:59 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-10-27 00:17 . 2009-08-07 02:24 44768 ----a-w- c:\windows\system32\wups2.dll
2009-10-27 00:17 . 2009-08-07 02:24 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-10-27 00:17 . 2009-08-07 02:23 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-10-27 00:17 . 2009-08-07 01:45 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-10-27 00:16 . 2009-08-07 02:24 35552 ----a-w- c:\windows\system32\wups.dll
2009-10-27 00:16 . 2009-08-07 02:23 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-10-27 00:16 . 2009-08-07 01:44 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-10-27 00:16 . 2009-08-06 23:23 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-10-27 00:16 . 2009-08-06 22:44 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-10-26 04:09 . 2009-10-27 00:10 -------- d-----w- C:\$AVG
2009-10-26 04:09 . 2009-10-26 04:09 4096 d-----w- c:\programdata\avg9
2009-10-19 03:49 . 2009-10-19 03:49 -------- d-----w- c:\users\Scott\AppData\Roaming\Malwarebytes
2009-10-19 03:49 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-19 03:49 . 2009-10-19 04:08 4096 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-19 03:49 . 2009-10-19 03:49 -------- d-----w- c:\programdata\Malwarebytes
2009-10-19 03:49 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-14 17:27 . 2009-09-10 16:48 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-10-14 17:27 . 2009-08-04 12:34 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-10-14 17:27 . 2009-08-04 12:34 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-10-13 12:58 . 2009-10-13 12:58 -------- d-----w- c:\users\Scott\AppData\Local\AIM

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-10 01:13 . 2009-02-03 03:24 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-04 22:53 . 2007-11-11 03:44 4096 d-----w- c:\users\Scott\AppData\Roaming\FileZilla
2009-11-04 04:53 . 2008-09-19 18:04 4096 d-----w- c:\program files\Coupons
2009-11-04 04:28 . 2007-10-01 22:04 1356 ----a-w- c:\users\Scott\AppData\Local\d3d9caps.dat
2009-11-03 12:31 . 2008-06-27 01:09 4096 d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-03 05:46 . 2007-10-12 23:40 8192 d-----w- c:\program files\Steam
2009-11-03 04:37 . 2007-10-11 01:08 4096 d-----w- c:\program files\Java
2009-11-01 23:44 . 2007-10-21 20:09 20480 d-----w- c:\programdata\DVD Shrink
2009-10-28 02:46 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-10-28 02:46 . 2009-10-28 02:46 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2009-10-28 02:46 . 2009-10-28 02:46 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-10-26 04:09 . 2009-02-03 03:24 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-26 04:09 . 2009-02-03 03:24 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-26 04:09 . 2009-02-03 03:24 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-26 04:09 . 2008-04-24 02:27 -------- d-----w- c:\program files\AVG
2009-10-19 03:44 . 2009-03-29 01:46 4096 d-----w- c:\users\Scott\AppData\Roaming\dvdcss
2009-10-16 01:21 . 2007-10-13 01:55 4096 d-----w- c:\program files\Common Files\Adobe
2009-10-14 21:13 . 2006-11-02 11:18 4096 d-----w- c:\program files\Windows Mail
2009-10-14 18:20 . 2007-10-02 00:08 20480 d-----w- c:\programdata\Microsoft Help
2009-10-01 14:29 . 2009-10-02 20:07 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-01 01:02 . 2009-10-27 23:46 2537472 ----a-w- c:\windows\system32\wpdshext.dll
2009-10-01 01:02 . 2009-10-27 23:46 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2009-10-01 01:02 . 2009-10-27 23:46 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
2009-10-01 01:02 . 2009-10-27 23:46 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2009-10-01 01:01 . 2009-10-27 23:46 546816 ----a-w- c:\windows\system32\wpd_ci.dll
2009-10-01 01:01 . 2009-10-27 23:46 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2009-10-01 01:01 . 2009-10-27 23:46 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
2009-10-01 01:01 . 2009-10-27 23:46 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
2009-10-01 01:01 . 2009-10-27 23:46 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2009-10-01 01:01 . 2009-10-27 23:46 350208 ----a-w- c:\windows\system32\WPDSp.dll
2009-10-01 01:01 . 2009-10-27 23:46 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2009-10-01 01:01 . 2009-10-27 23:46 40448 ----a-w- c:\windows\system32\drivers\WpdUsb.sys
2009-10-01 01:01 . 2009-10-27 23:46 226816 ----a-w- c:\windows\system32\WpdMtp.dll
2009-10-01 01:01 . 2009-10-27 23:46 61952 ----a-w- c:\windows\system32\WpdMtpUS.dll
2009-10-01 01:01 . 2009-10-27 23:46 33280 ----a-w- c:\windows\system32\WpdConns.dll
2009-09-25 02:17 . 2009-09-25 02:17 -------- d-----w- c:\users\Scott\AppData\Roaming\Canneverbe_Limited
2009-09-25 02:17 . 2009-09-25 02:17 -------- d-----w- c:\programdata\Canneverbe Limited
2009-09-25 02:10 . 2009-10-27 23:47 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
2009-09-25 02:07 . 2009-10-27 23:47 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2009-09-25 02:04 . 2009-10-27 23:47 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2009-09-25 01:49 . 2009-10-27 23:47 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2009-09-25 01:48 . 2009-10-27 23:47 351232 ----a-w- c:\windows\system32\XpsPrint.dll
2009-09-25 01:38 . 2009-10-27 23:47 847360 ----a-w- c:\windows\system32\OpcServices.dll
2009-09-25 01:36 . 2009-10-27 23:47 280064 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2009-09-25 01:35 . 2009-10-27 23:47 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2009-09-25 01:33 . 2009-10-27 23:47 195584 ----a-w- c:\windows\system32\dxdiagn.dll
2009-09-25 01:33 . 2009-10-27 23:47 829440 ----a-w- c:\windows\system32\d3d10warp.dll
2009-09-25 01:33 . 2009-10-27 23:47 369664 ----a-w- c:\windows\system32\WMPhoto.dll
2009-09-25 01:32 . 2009-10-27 23:47 252928 ----a-w- c:\windows\system32\dxdiag.exe
2009-09-25 01:31 . 2009-10-27 23:47 519680 ----a-w- c:\windows\system32\d3d11.dll
2009-09-25 01:31 . 2009-10-27 23:47 486912 ----a-w- c:\windows\system32\d3d10level9.dll
2009-09-25 01:31 . 2009-10-27 23:47 161280 ----a-w- c:\windows\system32\d3d10_1.dll
2009-09-25 01:31 . 2009-10-27 23:47 218112 ----a-w- c:\windows\system32\d3d10_1core.dll
2009-09-25 01:31 . 2009-10-27 23:47 1030144 ----a-w- c:\windows\system32\d3d10.dll
2009-09-25 01:31 . 2009-10-27 23:47 828928 ----a-w- c:\windows\system32\d2d1.dll
2009-09-25 01:30 . 2009-10-27 23:47 481792 ----a-w- c:\windows\system32\dxgi.dll
2009-09-25 01:30 . 2009-10-27 23:47 190464 ----a-w- c:\windows\system32\d3d10core.dll
2009-09-25 01:27 . 2009-10-27 23:47 634880 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2009-09-25 01:27 . 2009-10-27 23:47 37888 ----a-w- c:\windows\system32\cdd.dll
2009-09-25 01:27 . 2009-10-27 23:47 793088 ----a-w- c:\windows\system32\FntCache.dll
2009-09-25 01:27 . 2009-10-27 23:47 1064448 ----a-w- c:\windows\system32\DWrite.dll
2009-09-24 22:54 . 2009-10-27 23:47 258048 ----a-w- c:\windows\system32\winspool.drv
2009-09-24 22:54 . 2009-10-27 23:47 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2009-09-24 22:54 . 2009-10-27 23:47 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2009-09-24 00:28 . 2008-06-27 01:10 4096 d-----w- c:\program files\Seagate
2009-09-14 09:29 . 2009-10-14 17:26 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-09-10 02:01 . 2009-10-27 23:47 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2009-09-10 02:00 . 2009-10-27 23:47 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2009-09-10 02:00 . 2009-10-27 23:47 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2009-09-04 11:41 . 2009-10-14 17:26 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-09-02 07:09 . 2009-09-02 07:09 176128 ----a-w- c:\windows\system32\drivers\Rtlh86.sys
2009-08-29 00:27 . 2009-09-02 23:16 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-29 00:14 . 2009-09-02 23:16 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-27 21:42 . 2009-08-27 21:42 161632 ----a-w- c:\users\Scott\AppData\Roaming\Juniper Networks\Setup Client\x86_Microsoft.VC80.CRTP_8.0.50727.762.exe
2009-08-27 21:42 . 2009-08-27 21:42 291696 ----a-w- c:\users\Scott\AppData\Roaming\Juniper Networks\Setup Client\x86_Microsoft.VC80.CRTR_8.0.50727.762.exe
2009-08-27 05:22 . 2009-10-14 17:26 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 05:17 . 2009-10-14 17:26 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-08-27 05:17 . 2009-10-14 17:26 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 03:42 . 2009-10-14 17:26 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-18 03:33 . 2009-08-18 03:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-15 20:01 . 2007-10-01 22:04 147736 ----a-w- c:\users\Scott\AppData\Local\GDIPFONTCACHEV1.DAT
2009-08-14 16:27 . 2009-09-10 13:20 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 15:53 . 2009-09-10 13:20 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 13:49 . 2009-09-10 13:20 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 13:49 . 2009-09-10 13:20 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 13:49 . 2009-09-10 13:20 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 13:49 . 2009-09-10 13:20 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 13:49 . 2009-09-10 13:20 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 13:49 . 2009-09-10 13:20 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 13:49 . 2009-09-10 13:20 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-14 13:48 . 2009-09-10 13:20 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-08-14 13:48 . 2009-09-10 13:20 105984 ----a-w- c:\windows\system32\netiohlp.dll
2007-11-08 00:15 . 2007-11-08 00:15 0 --sh--w- c:\windows\SDA72777C.tmp
.

((((((((((((((((((((((((((((( SnapShot@2009-11-06_23.32.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-10-01 22:13 . 2009-11-10 01:29 74102 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-11-10 01:29 82994 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2007-10-01 22:05 . 2009-11-10 01:29 19712 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2725499745-1328295949-1772943228-1000_UserData.bin
- 2006-11-02 13:02 . 2009-11-06 23:15 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2006-11-02 13:02 . 2009-11-10 01:27 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2006-11-02 13:02 . 2009-11-06 23:15 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2006-11-02 13:02 . 2009-11-10 01:27 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2006-11-02 13:02 . 2009-11-10 01:27 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2006-11-02 13:02 . 2009-11-06 23:15 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-11-06 23:15 . 2009-11-06 23:15 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-11-10 01:27 . 2009-11-10 01:27 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-11-10 01:27 . 2009-11-10 01:27 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-11-06 23:15 . 2009-11-06 23:15 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-05-07 23:42 . 2009-11-10 01:27 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2009-05-07 23:42 . 2009-11-06 23:15 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
"Google Update"="c:\users\Scott\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-09-02 133104]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2006-04-29 94208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-10-03 39792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-28 13687328]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-28 92704]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-10 2016536]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-03 149280]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-10-11 4702208]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-8-25 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):14,89,c9,c9,4c,df,c9,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2725499745-1328295949-1772943228-1000]
"EnableNotificationsRef"=dword:00000001

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [2/2/2009 10:24 PM 333192]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [2/2/2009 10:24 PM 360584]
R1 RtlProt;Realtke RtlProt WLAN Utility Protocol Driver;c:\windows\System32\drivers\RtlProt.sys [4/23/2007 9:50 AM 25896]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [10/25/2009 11:09 PM 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [10/25/2009 11:09 PM 285392]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 5:45 AM 13088]
R2 RtNdPt60;Realtek NDIS Protocol Driver;c:\windows\System32\drivers\RtNdPt60.sys [7/1/2008 3:59 PM 27648]
R3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\System32\drivers\wg111v3.sys [7/12/2009 12:35 AM 289280]
S2 Seagate Sync Service;Seagate Sync Service;"c:\program files\Seagate\Sync\SeaSyncServices.exe" --> c:\program files\Seagate\Sync\SeaSyncServices.exe [?]
S2 SessionLauncher;SessionLauncher;c:\users\Scott\AppData\Local\Temp\DX9\SessionLauncher.exe --> c:\users\Scott\AppData\Local\Temp\DX9\SessionLauncher.exe [?]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [3/18/2008 5:00 PM 21504]
S4 RoxLiveShare10;LiveShare P2P Server 10;"c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe" --> c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
rsmsvcs REG_MULTI_SZ ntmssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2009-11-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2725499745-1328295949-1772943228-1000Core.job
- c:\users\Scott\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-02 20:21]

2009-11-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2725499745-1328295949-1772943228-1000UA.job
- c:\users\Scott\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-02 20:21]

2009-11-10 c:\windows\Tasks\User_Feed_Synchronization-{317E82E1-DFBC-4603-B7A9-A772026AC47C}.job
- c:\windows\system32\msfeedssync.exe [2009-10-14 03:41]

2009-11-10 c:\windows\Tasks\User_Feed_Synchronization-{6B738A42-E589-466E-BE43-FF0ED232C195}.job
- c:\windows\system32\msfeedssync.exe [2009-10-14 03:41]
.
.
------- Supplementary Scan -------
.
Trusted Zone: turbotax.com
DPF: {3C648A72-C49A-48EF-9F90-68EF13293F97} - hxxp://www.priv.njmls.xmlsweb.com/XMLSearch/XMLCache.CAB
DPF: {6BA21C22-53A5-463F-BBE8-5CF7FFA0132B} - hxxps://epsdev.bankofny.com/dct/data/officeviewer.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://jpass1.bnymellon.com/dana-cached/sc/JuniperSetupClient.cab
FF - ProfilePath - c:\users\Scott\AppData\Roaming\Mozilla\Firefox\Profiles\np54roo0.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-09 20:28
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll atapi.sys >>UNKNOWN [0x87156F61]<<
kernel: MBR read successfully
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2725499745-1328295949-1772943228-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:71,0f,e7,10,1a,c3,53,52,b3,14,1f,70,cd,db,08,64,b5,a6,98,38,43,3d,9f,
c1,e0,f4,3d,d8,2f,10,6d,9e,db,88,4f,2f,57,3e,d4,f5,ae,10,de,0b,56,cf,ce,85,\
"??"=hex:23,1f,67,c9,24,00,50,a7,00,4d,0c,cc,c3,ad,32,c4
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3576)
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\System32\SyncCenter.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\AUDIODG.EXE
c:\windows\system32\rundll32.exe
c:\program files\Common Files\InterVideo\DeviceService\DevSvc.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\System32\rundll32.exe
c:\program files\AVG\AVG9\avgtray.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2009-11-10 20:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-10 01:36
ComboFix2.txt 2009-11-07 16:24
ComboFix3.txt 2009-11-06 23:35

Pre-Run: 47,323,475,968 bytes free
Post-Run: 46,627,876,864 bytes free

- - End Of File - - 6529F2781FC6C9D2B8D881C0CCEF92EA

#12 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 10 November 2009 - 08:13 AM

When you created the cfscript, are you sure this was included?

FCopy::
C:\Windows\ERDNT\cache\atapi.sys | C:\Windows\System32\drivers\atapi.sys

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#13 troutster
  • Topic Starter

  • Members
  • 15 posts

Posted 10 November 2009 - 09:27 AM

Yes, I copied the code you outlined.

Just in case I will run it again when I get home (currently not in front of the affected computer) and re-post the ComboFix log for you.

Thanks again for all of your help so far; I really appreciate it.

#14 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 10 November 2009 - 05:57 PM

How is your computer behaving now? Are you still getting redirected searches?


========================================================

#15 troutster
  • Topic Starter

  • Members
  • 15 posts

Posted 10 November 2009 - 08:15 PM

I just reran the script you posted earlier; here is the log.

I haven't noticed any search redirects, but it seemed to come and go before.

ComboFix 09-11-08.03 - Scott 11/10/2009 19:51.4.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3070.2086 [GMT -5:00]
Running from: c:\users\Scott\Desktop\ComboFix.exe
Command switches used :: c:\users\Scott\Desktop\CFScript
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\windows\system32\caonima1.exe"
.

((((((((((((((((((((((((( Files Created from 2009-10-11 to 2009-11-11 )))))))))))))))))))))))))))))))
.

2009-11-11 00:58 . 2009-11-11 01:02 -------- d-----w- c:\users\Scott\AppData\Local\temp
2009-11-11 00:58 . 2009-11-11 00:58 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-11-11 00:58 . 2009-11-11 00:58 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-11-10 01:32 . 2009-11-11 00:14 22016 ----a-w- c:\windows\system32\tdlwsp.dll
2009-11-10 01:13 . 2009-10-26 04:09 360584 ----a-w- c:\programdata\avg9\update\backup\avgtdix.sys
2009-11-10 01:13 . 2009-10-26 04:09 610072 ----a-w- c:\programdata\avg9\update\backup\avgiproxy.exe
2009-11-10 01:13 . 2009-10-26 04:09 1657112 ----a-w- c:\programdata\avg9\update\backup\avgupd.dll
2009-11-03 04:37 . 2009-10-11 09:17 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-03 02:32 . 2009-11-03 02:32 2 --shatr- c:\windows\winstart.bat
2009-11-03 02:31 . 2009-11-03 02:31 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2009-11-03 02:31 . 2009-11-03 12:31 -------- d-----w- c:\users\Scott\AppData\Roaming\SUPERAntiSpyware.com
2009-11-03 02:31 . 2009-11-03 12:31 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-03 02:30 . 2009-11-03 12:31 -------- d-----w- c:\program files\UnHackMe
2009-11-03 02:04 . 2009-11-03 02:03 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-03 02:01 . 2009-11-04 04:44 -------- d-----w- c:\programdata\Lavasoft
2009-11-01 21:02 . 2009-11-01 21:02 -------- d-----w- c:\program files\ESET
2009-10-31 02:03 . 2009-10-31 02:04 -------- d-----w- c:\users\Scott\AppData\Roaming\vlc
2009-10-31 01:15 . 2009-08-16 15:08 178176 ----a-w- c:\windows\system32\unrar.dll
2009-10-31 01:15 . 2009-10-31 01:16 4096 d-----w- c:\program files\K-Lite Codec Pack
2009-10-28 02:46 . 2009-10-28 02:46 -------- d-----w- c:\program files\Windows Portable Devices
2009-10-27 23:46 . 2009-10-01 01:02 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2009-10-27 23:45 . 2009-10-08 21:08 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2009-10-27 23:45 . 2009-10-08 21:08 234496 ----a-w- c:\windows\system32\oleacc.dll
2009-10-27 23:45 . 2009-10-08 21:07 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2009-10-27 23:37 . 2009-09-10 14:58 310784 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-27 23:37 . 2009-09-10 14:59 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-10-27 00:17 . 2009-08-07 02:24 44768 ----a-w- c:\windows\system32\wups2.dll
2009-10-27 00:17 . 2009-08-07 02:24 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-10-27 00:17 . 2009-08-07 02:23 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-10-27 00:17 . 2009-08-07 01:45 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-10-27 00:16 . 2009-08-07 02:24 35552 ----a-w- c:\windows\system32\wups.dll
2009-10-27 00:16 . 2009-08-07 02:23 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-10-27 00:16 . 2009-08-07 01:44 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-10-27 00:16 . 2009-08-06 23:23 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-10-27 00:16 . 2009-08-06 22:44 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-10-26 04:09 . 2009-10-27 00:10 -------- d-----w- C:\$AVG
2009-10-26 04:09 . 2009-10-26 04:09 4096 d-----w- c:\programdata\avg9
2009-10-19 03:49 . 2009-10-19 03:49 -------- d-----w- c:\users\Scott\AppData\Roaming\Malwarebytes
2009-10-19 03:49 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-19 03:49 . 2009-10-19 04:08 4096 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-19 03:49 . 2009-10-19 03:49 -------- d-----w- c:\programdata\Malwarebytes
2009-10-19 03:49 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-14 17:27 . 2009-09-10 16:48 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-10-14 17:27 . 2009-08-04 12:34 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-10-14 17:27 . 2009-08-04 12:34 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-10-13 12:58 . 2009-10-13 12:58 -------- d-----w- c:\users\Scott\AppData\Local\AIM

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-11 01:01 . 2009-11-10 02:33 31871 ----a-w- c:\programdata\nvModes.dat
2009-11-10 02:33 . 2007-10-01 22:11 -------- d-----w- c:\programdata\NVIDIA
2009-11-10 02:28 . 2007-10-11 01:08 4096 d-----w- c:\program files\Java
2009-11-10 01:13 . 2009-02-03 03:24 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-04 22:53 . 2007-11-11 03:44 4096 d-----w- c:\users\Scott\AppData\Roaming\FileZilla
2009-11-04 04:53 . 2008-09-19 18:04 4096 d-----w- c:\program files\Coupons
2009-11-04 04:28 . 2007-10-01 22:04 1356 ----a-w- c:\users\Scott\AppData\Local\d3d9caps.dat
2009-11-03 12:31 . 2008-06-27 01:09 4096 d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-03 05:46 . 2007-10-12 23:40 8192 d-----w- c:\program files\Steam
2009-11-01 23:44 . 2007-10-21 20:09 20480 d-----w- c:\programdata\DVD Shrink
2009-10-28 02:46 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-10-28 02:46 . 2009-10-28 02:46 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2009-10-28 02:46 . 2009-10-28 02:46 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-10-26 04:09 . 2009-02-03 03:24 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-26 04:09 . 2009-02-03 03:24 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-26 04:09 . 2009-02-03 03:24 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-26 04:09 . 2008-04-24 02:27 -------- d-----w- c:\program files\AVG
2009-10-19 03:44 . 2009-03-29 01:46 4096 d-----w- c:\users\Scott\AppData\Roaming\dvdcss
2009-10-16 01:21 . 2007-10-13 01:55 4096 d-----w- c:\program files\Common Files\Adobe
2009-10-14 21:13 . 2006-11-02 11:18 4096 d-----w- c:\program files\Windows Mail
2009-10-14 18:20 . 2007-10-02 00:08 20480 d-----w- c:\programdata\Microsoft Help
2009-10-01 14:29 . 2009-10-02 20:07 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-01 01:02 . 2009-10-27 23:46 2537472 ----a-w- c:\windows\system32\wpdshext.dll
2009-10-01 01:02 . 2009-10-27 23:46 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2009-10-01 01:02 . 2009-10-27 23:46 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
2009-10-01 01:02 . 2009-10-27 23:46 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2009-10-01 01:01 . 2009-10-27 23:46 546816 ----a-w- c:\windows\system32\wpd_ci.dll
2009-10-01 01:01 . 2009-10-27 23:46 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2009-10-01 01:01 . 2009-10-27 23:46 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
2009-10-01 01:01 . 2009-10-27 23:46 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
2009-10-01 01:01 . 2009-10-27 23:46 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2009-10-01 01:01 . 2009-10-27 23:46 350208 ----a-w- c:\windows\system32\WPDSp.dll
2009-10-01 01:01 . 2009-10-27 23:46 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2009-10-01 01:01 . 2009-10-27 23:46 40448 ----a-w- c:\windows\system32\drivers\WpdUsb.sys
2009-10-01 01:01 . 2009-10-27 23:46 226816 ----a-w- c:\windows\system32\WpdMtp.dll
2009-10-01 01:01 . 2009-10-27 23:46 61952 ----a-w- c:\windows\system32\WpdMtpUS.dll
2009-10-01 01:01 . 2009-10-27 23:46 33280 ----a-w- c:\windows\system32\WpdConns.dll
2009-09-25 02:17 . 2009-09-25 02:17 -------- d-----w- c:\users\Scott\AppData\Roaming\Canneverbe_Limited
2009-09-25 02:17 . 2009-09-25 02:17 -------- d-----w- c:\programdata\Canneverbe Limited
2009-09-25 02:10 . 2009-10-27 23:47 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
2009-09-25 02:07 . 2009-10-27 23:47 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2009-09-25 02:04 . 2009-10-27 23:47 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2009-09-25 01:49 . 2009-10-27 23:47 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2009-09-25 01:48 . 2009-10-27 23:47 351232 ----a-w- c:\windows\system32\XpsPrint.dll
2009-09-25 01:38 . 2009-10-27 23:47 847360 ----a-w- c:\windows\system32\OpcServices.dll
2009-09-25 01:36 . 2009-10-27 23:47 280064 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2009-09-25 01:35 . 2009-10-27 23:47 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2009-09-25 01:33 . 2009-10-27 23:47 195584 ----a-w- c:\windows\system32\dxdiagn.dll
2009-09-25 01:33 . 2009-10-27 23:47 829440 ----a-w- c:\windows\system32\d3d10warp.dll
2009-09-25 01:33 . 2009-10-27 23:47 369664 ----a-w- c:\windows\system32\WMPhoto.dll
2009-09-25 01:32 . 2009-10-27 23:47 252928 ----a-w- c:\windows\system32\dxdiag.exe
2009-09-25 01:31 . 2009-10-27 23:47 519680 ----a-w- c:\windows\system32\d3d11.dll
2009-09-25 01:31 . 2009-10-27 23:47 486912 ----a-w- c:\windows\system32\d3d10level9.dll
2009-09-25 01:31 . 2009-10-27 23:47 161280 ----a-w- c:\windows\system32\d3d10_1.dll
2009-09-25 01:31 . 2009-10-27 23:47 218112 ----a-w- c:\windows\system32\d3d10_1core.dll
2009-09-25 01:31 . 2009-10-27 23:47 1030144 ----a-w- c:\windows\system32\d3d10.dll
2009-09-25 01:31 . 2009-10-27 23:47 828928 ----a-w- c:\windows\system32\d2d1.dll
2009-09-25 01:30 . 2009-10-27 23:47 481792 ----a-w- c:\windows\system32\dxgi.dll
2009-09-25 01:30 . 2009-10-27 23:47 190464 ----a-w- c:\windows\system32\d3d10core.dll
2009-09-25 01:27 . 2009-10-27 23:47 634880 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2009-09-25 01:27 . 2009-10-27 23:47 37888 ----a-w- c:\windows\system32\cdd.dll
2009-09-25 01:27 . 2009-10-27 23:47 793088 ----a-w- c:\windows\system32\FntCache.dll
2009-09-25 01:27 . 2009-10-27 23:47 1064448 ----a-w- c:\windows\system32\DWrite.dll
2009-09-24 22:54 . 2009-10-27 23:47 258048 ----a-w- c:\windows\system32\winspool.drv
2009-09-24 22:54 . 2009-10-27 23:47 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2009-09-24 22:54 . 2009-10-27 23:47 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2009-09-24 00:28 . 2008-06-27 01:10 4096 d-----w- c:\program files\Seagate
2009-09-14 09:29 . 2009-10-14 17:26 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-09-10 02:01 . 2009-10-27 23:47 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2009-09-10 02:00 . 2009-10-27 23:47 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2009-09-10 02:00 . 2009-10-27 23:47 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2009-09-04 11:41 . 2009-10-14 17:26 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-09-02 07:09 . 2009-09-02 07:09 176128 ----a-w- c:\windows\system32\drivers\Rtlh86.sys
2009-08-29 00:27 . 2009-09-02 23:16 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-29 00:14 . 2009-09-02 23:16 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-27 21:42 . 2009-08-27 21:42 161632 ----a-w- c:\users\Scott\AppData\Roaming\Juniper Networks\Setup Client\x86_Microsoft.VC80.CRTP_8.0.50727.762.exe
2009-08-27 21:42 . 2009-08-27 21:42 291696 ----a-w- c:\users\Scott\AppData\Roaming\Juniper Networks\Setup Client\x86_Microsoft.VC80.CRTR_8.0.50727.762.exe
2009-08-27 05:22 . 2009-10-14 17:26 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 05:17 . 2009-10-14 17:26 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-08-27 05:17 . 2009-10-14 17:26 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 03:42 . 2009-10-14 17:26 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-18 03:33 . 2009-08-18 03:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-15 20:01 . 2007-10-01 22:04 147736 ----a-w- c:\users\Scott\AppData\Local\GDIPFONTCACHEV1.DAT
2009-08-14 16:27 . 2009-09-10 13:20 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 15:53 . 2009-09-10 13:20 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 13:49 . 2009-09-10 13:20 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 13:49 . 2009-09-10 13:20 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 13:49 . 2009-09-10 13:20 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 13:49 . 2009-09-10 13:20 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 13:49 . 2009-09-10 13:20 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 13:49 . 2009-09-10 13:20 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 13:49 . 2009-09-10 13:20 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-14 13:48 . 2009-09-10 13:20 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-08-14 13:48 . 2009-09-10 13:20 105984 ----a-w- c:\windows\system32\netiohlp.dll
2007-11-08 00:15 . 2007-11-08 00:15 0 --sh--w- c:\windows\SDA72777C.tmp
.

((((((((((((((((((((((((((((( SnapShot@2009-11-06_23.32.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-10-01 22:13 . 2009-11-11 01:03 74296 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-11-11 01:03 83010 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2007-10-01 22:05 . 2009-11-11 01:03 19816 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2725499745-1328295949-1772943228-1000_UserData.bin
+ 2009-07-07 21:46 . 2009-07-07 21:46 92704 c:\windows\System32\nvmctray.dll
- 2007-09-12 02:28 . 2009-03-28 04:03 92704 c:\windows\System32\nvmctray.dll
- 2006-11-02 13:02 . 2009-11-06 23:15 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2006-11-02 13:02 . 2009-11-11 00:09 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2006-11-02 13:02 . 2009-11-06 23:15 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2006-11-02 13:02 . 2009-11-11 00:09 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2006-11-02 13:02 . 2009-11-11 00:09 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2006-11-02 13:02 . 2009-11-06 23:15 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2006-11-02 10:25 . 2009-11-10 02:32 86016 c:\windows\inf\infpub.dat
- 2006-11-02 10:25 . 2009-10-28 02:46 86016 c:\windows\inf\infpub.dat
+ 2009-11-11 01:01 . 2009-11-11 01:01 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-11-06 23:15 . 2009-11-06 23:15 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-11-06 23:15 . 2009-11-06 23:15 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-11-11 01:01 . 2009-11-11 01:01 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-07-07 21:46 . 2009-07-07 21:46 211488 c:\windows\System32\nvvsvc.exe
+ 2007-10-04 22:14 . 2009-07-08 09:29 485920 c:\windows\System32\nvuninst.exe
+ 2009-07-08 09:29 . 2009-07-08 09:29 485920 c:\windows\System32\nvudisp.exe
+ 2009-07-07 21:46 . 2009-07-07 21:46 768544 c:\windows\System32\nvsvc.dll
+ 2009-07-07 21:46 . 2009-07-07 21:46 143360 c:\windows\System32\nvshext.dll
- 2009-03-28 04:03 . 2009-03-28 04:03 195104 c:\windows\System32\nvmccss.dll
+ 2009-07-07 21:46 . 2009-07-07 21:46 195104 c:\windows\System32\nvmccss.dll
+ 2009-07-08 09:29 . 2009-07-08 09:29 678432 c:\windows\System32\nvcuvid.dll
+ 2009-07-08 09:29 . 2009-07-08 09:29 151552 c:\windows\System32\nvcod157.dll
+ 2009-07-08 09:29 . 2009-07-08 09:29 151552 c:\windows\System32\nvcod.dll
+ 2007-09-12 02:28 . 2009-07-08 09:29 989696 c:\windows\System32\nvapi.dll
- 2009-11-03 04:37 . 2009-11-03 04:37 149280 c:\windows\System32\javaws.exe
+ 2009-11-10 02:28 . 2009-10-11 09:17 149280 c:\windows\System32\javaws.exe
+ 2009-11-10 02:28 . 2009-10-11 09:17 145184 c:\windows\System32\javaw.exe
- 2009-11-03 04:37 . 2009-11-03 04:37 145184 c:\windows\System32\javaw.exe
- 2009-11-03 04:37 . 2009-11-03 04:37 145184 c:\windows\System32\java.exe
+ 2009-11-10 02:28 . 2009-10-11 09:17 145184 c:\windows\System32\java.exe
+ 2009-07-08 09:29 . 2009-07-08 09:29 485920 c:\windows\System32\DriverStore\FileRepository\nv_disp.inf_aab49ce7\nvudisp.exe
+ 2009-07-08 09:29 . 2009-07-08 09:29 256544 c:\windows\System32\DriverStore\FileRepository\nv_disp.inf_aab49ce7\nvdecodemft.dll
+ 2009-07-08 09:29 . 2009-07-08 09:29 678432 c:\windows\System32\DriverStore\FileRepository\nv_disp.inf_aab49ce7\nvcuvid.dll
+ 2009-07-08 09:29 . 2009-07-08 09:29 151552 c:\windows\System32\DriverStore\FileRepository\nv_disp.inf_aab49ce7\nvcod.dll
+ 2009-07-08 09:29 . 2009-07-08 09:29 989696 c:\windows\System32\DriverStore\FileRepository\nv_disp.inf_aab49ce7\nvapi.dll
+ 2009-07-08 09:29 . 2009-07-08 09:29 795104 c:\windows\System32\DriverStore\FileRepository\nv_disp.inf_aab49ce7\dpinst.exe
+ 2009-05-07 23:42 . 2009-11-11 00:09 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2009-05-07 23:42 . 2009-11-06 23:15 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-11-10 02:28 . 2009-11-10 02:28 262144 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\UsrClass.dat
- 2006-11-02 10:25 . 2009-10-28 02:46 143360 c:\windows\inf\infstrng.dat
+ 2006-11-02 10:25 . 2009-11-10 02:32 143360 c:\windows\inf\infstrng.dat
+ 2006-11-02 10:25 . 2009-11-10 02:31 143360 c:\windows\inf\infstor.dat
- 2006-11-02 10:25 . 2009-10-28 02:46 143360 c:\windows\inf\infstor.dat
+ 2009-07-07 21:46 . 2009-07-07 21:46 3123744 c:\windows\System32\nvwss.dll
+ 2009-07-08 09:29 . 2009-07-08 09:29 3148288 c:\windows\System32\nvwgf2um.dll
+ 2009-07-07 21:46 . 2009-07-07 21:46 4045344 c:\windows\System32\nvvitvs.dll
+ 2009-07-07 21:46 . 2009-07-07 21:46 1296928 c:\windows\System32\nvsvs.dll
+ 2009-07-07 21:46 . 2009-07-07 21:46 1288736 c:\windows\System32\nvmobls.dll
+ 2009-07-07 21:46 . 2009-07-07 21:46 3516960 c:\windows\System32\nvgames.dll
+ 2009-07-07 21:46 . 2009-07-07 21:46 4028960 c:\windows\System32\nvdisps.dll
+ 2007-09-12 02:28 . 2009-07-08 09:29 7611904 c:\windows\System32\nvd3dum.dll
+ 2009-07-08 09:29 . 2009-07-08 09:29 1317408 c:\windows\System32\nvcuvenc.dll
+ 2009-07-08 09:29 . 2009-07-08 09:29 1704960 c:\windows\System32\nvcuda.dll
+ 2009-07-07 21:46 . 2009-07-07 21:46 1194528 c:\windows\System32\nvcplui.exe
+ 2009-07-08 09:29 . 2009-07-08 09:29 3148288 c:\windows\System32\DriverStore\FileRepository\nv_disp.inf_aab49ce7\nvwgf2um.dll
+ 2009-07-08 09:29 . 2009-07-08 09:29 9899296 c:\windows\System32\DriverStore\FileRepository\nv_disp.inf_aab49ce7\nvlddmkm.sys
+ 2009-07-08 09:29 . 2009-07-08 09:29 1530400 c:\windows\System32\DriverStore\FileRepository\nv_disp.inf_aab49ce7\nvencodemft.dll
+ 2009-07-08 09:29 . 2009-07-08 09:29 7611904 c:\windows\System32\DriverStore\FileRepository\nv_disp.inf_aab49ce7\nvd3dum.dll
+ 2009-07-08 09:29 . 2009-07-08 09:29 1317408 c:\windows\System32\DriverStore\FileRepository\nv_disp.inf_aab49ce7\nvcuvenc.dll
+ 2009-07-08 09:29 . 2009-07-08 09:29 1704960 c:\windows\System32\DriverStore\FileRepository\nv_disp.inf_aab49ce7\nvcuda.dll
+ 2009-07-08 09:29 . 2009-07-08 09:29 9899296 c:\windows\System32\drivers\nvlddmkm.sys
+ 2009-07-08 09:29 . 2009-07-08 09:29 10379264 c:\windows\System32\nvoglv32.dll
+ 2009-07-07 21:46 . 2009-07-07 21:46 13785632 c:\windows\System32\nvcpl.dll
+ 2009-07-08 09:29 . 2009-07-08 09:29 10379264 c:\windows\System32\DriverStore\FileRepository\nv_disp.inf_aab49ce7\nvoglv32.dll
+ 2009-07-08 09:29 . 2009-07-08 09:29 38186637 c:\windows\System32\DriverStore\FileRepository\nv_disp.inf_aab49ce7\NvCplSetupInt.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
"Google Update"="c:\users\Scott\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-09-02 133104]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2006-04-29 94208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-10-03 39792]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-10 2016536]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-07 13785632]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-10-11 4702208]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-8-25 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):14,89,c9,c9,4c,df,c9,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2725499745-1328295949-1772943228-1000]
"EnableNotificationsRef"=dword:00000001

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [2/2/2009 10:24 PM 333192]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [2/2/2009 10:24 PM 360584]
R1 RtlProt;Realtke RtlProt WLAN Utility Protocol Driver;c:\windows\System32\drivers\RtlProt.sys [4/23/2007 9:50 AM 25896]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [10/25/2009 11:09 PM 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [10/25/2009 11:09 PM 285392]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 5:45 AM 13088]
R2 RtNdPt60;Realtek NDIS Protocol Driver;c:\windows\System32\drivers\RtNdPt60.sys [7/1/2008 3:59 PM 27648]
R3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\System32\drivers\wg111v3.sys [7/12/2009 12:35 AM 289280]
S2 Seagate Sync Service;Seagate Sync Service;"c:\program files\Seagate\Sync\SeaSyncServices.exe" --> c:\program files\Seagate\Sync\SeaSyncServices.exe [?]
S2 SessionLauncher;SessionLauncher;c:\users\Scott\AppData\Local\Temp\DX9\SessionLauncher.exe --> c:\users\Scott\AppData\Local\Temp\DX9\SessionLauncher.exe [?]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [3/18/2008 5:00 PM 21504]
S4 RoxLiveShare10;LiveShare P2P Server 10;"c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe" --> c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
rsmsvcs REG_MULTI_SZ ntmssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2009-11-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2725499745-1328295949-1772943228-1000Core.job
- c:\users\Scott\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-02 20:21]

2009-11-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2725499745-1328295949-1772943228-1000UA.job
- c:\users\Scott\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-02 20:21]

2009-11-11 c:\windows\Tasks\User_Feed_Synchronization-{317E82E1-DFBC-4603-B7A9-A772026AC47C}.job
- c:\windows\system32\msfeedssync.exe [2009-10-14 03:41]

2009-11-11 c:\windows\Tasks\User_Feed_Synchronization-{6B738A42-E589-466E-BE43-FF0ED232C195}.job
- c:\windows\system32\msfeedssync.exe [2009-10-14 03:41]
.
.
------- Supplementary Scan -------
.
Trusted Zone: turbotax.com
DPF: {3C648A72-C49A-48EF-9F90-68EF13293F97} - hxxp://www.priv.njmls.xmlsweb.com/XMLSearch/XMLCache.CAB
DPF: {6BA21C22-53A5-463F-BBE8-5CF7FFA0132B} - hxxps://epsdev.bankofny.com/dct/data/officeviewer.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://jpass1.bnymellon.com/dana-cached/sc/JuniperSetupClient.cab
FF - ProfilePath - c:\users\Scott\AppData\Roaming\Mozilla\Firefox\Profiles\np54roo0.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-10 20:01
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll atapi.sys >>UNKNOWN [0x8767EF61]<<
kernel: MBR read successfully
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2725499745-1328295949-1772943228-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:71,0f,e7,10,1a,c3,53,52,b3,14,1f,70,cd,db,08,64,b5,a6,98,38,43,3d,9f,
c1,e0,f4,3d,d8,2f,10,6d,9e,db,88,4f,2f,57,3e,d4,f5,ae,10,de,0b,56,cf,ce,85,\
"??"=hex:23,1f,67,c9,24,00,50,a7,00,4d,0c,cc,c3,ad,32,c4
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3848)
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\program files\FileZilla Client\fzshellext.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\AUDIODG.EXE
c:\windows\system32\nvvsvc.exe
c:\program files\Common Files\InterVideo\DeviceService\DevSvc.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\AVG\AVG9\avgtray.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2009-11-11 20:09 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-11 01:09
ComboFix2.txt 2009-11-10 01:37
ComboFix3.txt 2009-11-07 16:24
ComboFix4.txt 2009-11-06 23:35

Pre-Run: 44,282,892,288 bytes free
Post-Run: 44,161,372,160 bytes free

- - End Of File - - 90EF01BB0F198D55D8CF0FF1FF12772D
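The log above is the raw material a helper triages by hand: the `Run` keys and startup folder, the `R`/`S` service lines with their `[?]` "image not found" marker, the `policies\system` values (here `EnableLUA`= 0, so UAC is off), `AppInit_DLLs` (a DLL load point, here populated by AVG), and the MBR checker's `called modules` chain, which brackets an unnamed module as `>>UNKNOWN [...]<<`. The following is an added example, not part of the original post and not ComboFix's own code: a small Python triage pass that pulls those facts out of a log in this format and ranks them. The sample input is constructed from lines in the shape of the log above; the regexes, the `high`/`review` labels and the rule that `\Temp\` paths outrank `\AppData\` paths are this example's own choices, not something the tool does.

```python
"""Triage the autostart, service and MBR-check lines of a ComboFix-style log.

Heuristics (example's own, not ComboFix's):
  * Run-key entries / services whose image sits under \\Temp\\ -> high;
    under \\AppData\\ -> review (per-user updaters legitimately live there).
  * Entries whose image the log could not stat (trailing "[?]") -> review.
  * "EnableLUA"= 0 (UAC disabled) -> high.
  * A populated AppInit_DLLs value (a DLL-injection load point) -> review.
  * An unnamed module in the disk I/O chain (">>UNKNOWN [addr]<<") -> high.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "review"
    kind: str
    detail: str


# "Name"="path" [meta]   or   "Name"="short.exe" - c:\resolved\path [meta]
RUN_RE = re.compile(
    r'^"(?P<name>[^"]+)"="?(?P<value>.*?)"?\s*(?:- (?P<resolved>.*?))?\s*\[(?P<meta>[^\]]*)\]\s*$')
# R1 Name;Description;path [meta]   (path may be '"a" --> a' and meta may be '?')
SVC_RE = re.compile(
    r'^(?P<start>[RS]\d)\s+(?P<svc>[^;]+);(?P<desc>[^;]*);(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]\s*$')
LUA_RE = re.compile(r'^"EnableLUA"=\s*0\b')
APPINIT_RE = re.compile(r'^"AppInit_DLLs"=(?P<dlls>\S.*)$')
MBR_RE = re.compile(r'>>UNKNOWN \[(?P<addr>0x[0-9A-Fa-f]+)\]<<')
TEMP_RE = re.compile(r'\\temp\\', re.I)
APPDATA_RE = re.compile(r'\\appdata\\', re.I)


def _path_findings(label: str, path: str, meta: str) -> list[Finding]:
    out: list[Finding] = []
    if TEMP_RE.search(path):
        out.append(Finding("high", "temp-path", f"{label}: {path}"))
    elif APPDATA_RE.search(path):
        out.append(Finding("review", "appdata-path", f"{label}: {path}"))
    if meta.strip() == "?":  # ComboFix prints [?] when it cannot find the image
        out.append(Finding("review", "image-missing", f"{label}: {path}"))
    return out


def triage(log_text: str) -> list[Finding]:
    """Return findings in log order; lines that match no rule are ignored."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := RUN_RE.match(line):
            path = m.group("resolved") or m.group("value")
            findings += _path_findings(f'Run "{m.group("name")}"', path, m.group("meta"))
        elif m := SVC_RE.match(line):
            # '"c:\x.exe" --> c:\x.exe' : keep the resolved right-hand path
            path = m.group("path").split(" --> ")[-1]
            findings += _path_findings(f'{m.group("start")} {m.group("svc")}', path, m.group("meta"))
        elif LUA_RE.match(line):
            findings.append(Finding("high", "uac-disabled", line))
        elif m := APPINIT_RE.match(line):
            findings.append(Finding("review", "appinit-dlls", m.group("dlls")))
        elif m := MBR_RE.search(line):
            findings.append(Finding("high", "unknown-disk-stack-module", m.group("addr")))
    return findings


# Constructed sample input, shaped like the ComboFix sections above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\users\Scott\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-09-02 133104]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-10 2016536]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [2/2/2009 10:24 PM 333192]
S2 SessionLauncher;SessionLauncher;c:\users\Scott\AppData\Local\Temp\DX9\SessionLauncher.exe --> c:\users\Scott\AppData\Local\Temp\DX9\SessionLauncher.exe [?]
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll atapi.sys >>UNKNOWN [0x8767EF61]<<
user & kernel MBR OK
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:6} {f.kind:26} {f.detail}")
```

Read the output as a review queue, not a verdict: `Google Update` lands under `\AppData\` and is a legitimate per-user updater, while a service whose image is both under `\Temp\` and missing (`[?]`) is the kind of entry that gets pulled out for a closer look, as is an `UNKNOWN` module sitting in the path every disk read takes.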