Everything posted by Wooster

  1. Since I am unable to run DDS.scr, I ran HijackThis instead.
     Logfile of Trend Micro HijackThis v2.0.4 Scan saved at 4:04:44 PM, on 12/20/2011 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal
  2. I had an issue with a virus called XP Antispyware 2012. I ran Malwarebytes and it seemed to remove all the obvious traces of the program, but right now the computer still has the following problems:
     1) Unable to start Windows Firewall
     2) Unable to turn on Avast's web shield
     3) Unable to connect to the internet
     Malwarebytes' quick scan finds nothing anymore, and neither does Avast. I downloaded and ran DDS.scr as per the instructions, but every time it hung and failed to run to completion. Any help you could provide would be most appreciated. Bump.
  3. Malwarebytes log: Malwarebytes' Anti-Malware 1.45 www.malwarebytes.org Database version: 3989 Windows 5.1.2600 Service Pack 3 Internet Explorer 8.0.6001.18702 4/15/2010 12:59:27 AM mbam-log-2010-04-15 (00-59-27).txt Scan type: Quick scan Objects scanned: 108548 Time elapsed: 8 minute(s), 5 second(s)
  4. ComboFix log: ComboFix 10-04-14.01 - User 04/15/2010 0:02.6.1 - x86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.221 [GMT -7:00]
     HijackThis log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 12:38:17 AM, on 4/15/2010 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal
     Internet connection is back, and I can now enable the firewall. I haven't seen any popups yet, but they were pretty sporadic to start with.
  5. ComboFix log: ComboFix 10-04-14.01 - User 04/14/2010 14:31:40.4.1 - x86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.162 [GMT -7:00]
  6. DrWeb log:
A0101706.sys;C:\System Volume Information\_restore{8CC6B88E-C138-43A8-906D-A7A1EF8D664E}\RP1576;BackDoor.Tdss.2459;Cured.;
App06868.exe\hp/tmp/Install.JS;D:\I386\APPS\APP06868\App06868.exe;Probably SCRIPT.Virus;;
App06868.exe;D:\I386\APPS\APP06868;Archive contains infected objects;Moved.;
A0101720.exe\hp/tmp/Install.JS;D:\System Volume Information\_restore{8CC6B88E-C138-43A8-906D-A7A1EF8D664E}\RP1577\A0101720.exe;Probably SCRIPT.Virus;;
A0101720.exe;D:\System Volume Information\_restore{8CC6B88E-C138-43A8-906D-A7A1EF8D664E}\RP1577;Archive contains infected objects;Moved.;

The quick scan also found BackDoor.Tdss.2459 in c:\windows\system32\drivers\tcpip.sys and cured it.

HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:45:32 PM, on 4/14/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avast\aswUpdSv.exe
C:\Program Files\Avast\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Avast\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\twain_32\A4S2_600\WATCH.EXE
C:\MSCAN\Msoffice\panel.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Avast\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: Watch.lnk = C:\WINDOWS\twain_32\A4S2_600\WATCH.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Watch.lnk = C:\WINDOWS\twain_32\A4S2_600\WATCH.EXE (User 'Default user')
O4 - Startup: Watch.lnk = C:\WINDOWS\twain_32\A4S2_600\WATCH.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {21BB8360-F943-447E-98F3-3C22345375A7} (CPlayFirstChocolatierControl Object) - http://webgames.d.tmsrv.com/c=6938673a4cc9aaa50d6f456aaa8f0b47/aff=t_03cm_wg/p/release/playfirst/wg_chocolatier/chocolatier/ChocolatierWeb.1.0.0.13.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.mumbojumbo.com/assets/22/webgame/ReflexiveWebGameLoader.cab
O16 - DPF: {44C1E3A2-B594-401C-B27A-D1B4476E4797} (XTSAC Control) - https://portal.drsclinic.com/XTSAC.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123648936968
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.mumbojumbo.com/assets/mjolauncher.cab
O16 - DPF: {B0FB831D-17F6-4CBD-9B5D-3305881D362E} (LHGLauncherXForm Control) - http://www.mumbojumbo.com/assets/HLGLauncher.CAB
O16 - DPF: {BAC761D3-DFFD-4DB4-A01D-173346E090A7} (CPlayFirstzenerchiControl Object) - http://webgames.d.tmsrv.com/c=1e991847199ced6add9da66556822a7f/aff=t_03cm_wg/p/release/playfirst/wg_zenerchi/zenerchi/ZenerchiWeb.1.0.0.10.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://chill.comcast.net/Gameshell/GameHost/1.0/OberonGameHost.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6719 bytes

I am also getting 4 Avast errors on startup (all Error 10050) and can't connect to the internet (won't recognize the connection).
  7. I'm still running the complete scan. It's taking a long time.
  8. The quick scan seems to be curing the same file (c:\windows\system32\drivers\tcpip.sys) over and over again.
  9. I noticed that there was an option to update DrWeb. Should I have done this before starting the scan?
  10. There does not appear to be any change. Still getting occasional popups and I can't enable the firewall.
  11. TDSSKiller log:
12:03:14:187 2508 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
12:03:14:187 2508 ================================================================================
12:03:14:187 2508 SystemInfo:
12:03:14:187 2508 OS Version: 5.1.2600 ServicePack: 3.0
12:03:14:187 2508 Product type: Workstation
12:03:14:187 2508 ComputerName: FAMILYCOMPUTER
12:03:14:187 2508 UserName: User
12:03:14:187 2508 Windows directory: C:\WINDOWS
12:03:14:187 2508 Processor architecture: Intel x86
12:03:14:187 2508 Number of processors: 1
12:03:14:187 2508 Page size: 0x1000
12:03:14:234 2508 Boot type: Normal boot
12:03:14:234 2508 ================================================================================
12:03:14:250 2508 UnloadDriverW: NtUnloadDriver error 2
12:03:14:250 2508 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
12:03:14:359 2508 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
12:03:14:359 2508 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
12:03:14:359 2508 wfopen_ex: Trying to KLMD file open
12:03:14:359 2508 wfopen_ex: File opened ok (Flags 2)
12:03:14:359 2508 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
12:03:14:359 2508 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
12:03:14:359 2508 wfopen_ex: Trying to KLMD file open
12:03:14:359 2508 wfopen_ex: File opened ok (Flags 2)
12:03:14:359 2508 Initialize success
12:03:14:359 2508
12:03:14:359 2508 Scanning Services ...
12:03:16:000 2508 Raw services enum returned 314 services
12:03:16:015 2508
12:03:16:015 2508 Scanning Kernel memory ...
12:03:16:015 2508 Devices to scan: 3
12:03:16:015 2508
12:03:16:015 2508 Driver Name: Disk
12:03:16:015 2508 IRP_MJ_CREATE : F865CBB0
12:03:16:015 2508 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
12:03:16:015 2508 IRP_MJ_CLOSE : F865CBB0
12:03:16:015 2508 IRP_MJ_READ : F8656D1F
12:03:16:015 2508 IRP_MJ_WRITE : F8656D1F
12:03:16:015 2508 IRP_MJ_QUERY_INFORMATION : 804FA88E
12:03:16:015 2508 IRP_MJ_SET_INFORMATION : 804FA88E
12:03:16:015 2508 IRP_MJ_QUERY_EA : 804FA88E
12:03:16:015 2508 IRP_MJ_SET_EA : 804FA88E
12:03:16:015 2508 IRP_MJ_FLUSH_BUFFERS : F86572E2
12:03:16:015 2508 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
12:03:16:015 2508 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
12:03:16:015 2508 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
12:03:16:015 2508 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
12:03:16:015 2508 IRP_MJ_DEVICE_CONTROL : F86573BB
12:03:16:015 2508 IRP_MJ_INTERNAL_DEVICE_CONTROL : F865AF28
12:03:16:015 2508 IRP_MJ_SHUTDOWN : F86572E2
12:03:16:015 2508 IRP_MJ_LOCK_CONTROL : 804FA88E
12:03:16:015 2508 IRP_MJ_CLEANUP : 804FA88E
12:03:16:015 2508 IRP_MJ_CREATE_MAILSLOT : 804FA88E
12:03:16:015 2508 IRP_MJ_QUERY_SECURITY : 804FA88E
12:03:16:015 2508 IRP_MJ_SET_SECURITY : 804FA88E
12:03:16:015 2508 IRP_MJ_POWER : F8658C82
12:03:16:015 2508 IRP_MJ_SYSTEM_CONTROL : F865D99E
12:03:16:015 2508 IRP_MJ_DEVICE_CHANGE : 804FA88E
12:03:16:015 2508 IRP_MJ_QUERY_QUOTA : 804FA88E
12:03:16:015 2508 IRP_MJ_SET_QUOTA : 804FA88E
12:03:16:046 2508 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
12:03:16:046 2508
12:03:16:046 2508 Driver Name: Disk
12:03:16:046 2508 IRP_MJ_CREATE : F865CBB0
12:03:16:046 2508 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
12:03:16:046 2508 IRP_MJ_CLOSE : F865CBB0
12:03:16:046 2508 IRP_MJ_READ : F8656D1F
12:03:16:046 2508 IRP_MJ_WRITE : F8656D1F
12:03:16:046 2508 IRP_MJ_QUERY_INFORMATION : 804FA88E
12:03:16:046 2508 IRP_MJ_SET_INFORMATION : 804FA88E
12:03:16:046 2508 IRP_MJ_QUERY_EA : 804FA88E
12:03:16:046 2508 IRP_MJ_SET_EA : 804FA88E
12:03:16:046 2508 IRP_MJ_FLUSH_BUFFERS : F86572E2
12:03:16:046 2508 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
12:03:16:046 2508 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
12:03:16:046 2508 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
12:03:16:046 2508 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
12:03:16:046 2508 IRP_MJ_DEVICE_CONTROL : F86573BB
12:03:16:046 2508 IRP_MJ_INTERNAL_DEVICE_CONTROL : F865AF28
12:03:16:046 2508 IRP_MJ_SHUTDOWN : F86572E2
12:03:16:046 2508 IRP_MJ_LOCK_CONTROL : 804FA88E
12:03:16:046 2508 IRP_MJ_CLEANUP : 804FA88E
12:03:16:046 2508 IRP_MJ_CREATE_MAILSLOT : 804FA88E
12:03:16:046 2508 IRP_MJ_QUERY_SECURITY : 804FA88E
12:03:16:046 2508 IRP_MJ_SET_SECURITY : 804FA88E
12:03:16:046 2508 IRP_MJ_POWER : F8658C82
12:03:16:046 2508 IRP_MJ_SYSTEM_CONTROL : F865D99E
12:03:16:046 2508 IRP_MJ_DEVICE_CHANGE : 804FA88E
12:03:16:046 2508 IRP_MJ_QUERY_QUOTA : 804FA88E
12:03:16:046 2508 IRP_MJ_SET_QUOTA : 804FA88E
12:03:16:078 2508 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
12:03:16:078 2508
12:03:16:078 2508 Driver Name: atapi
12:03:16:078 2508 IRP_MJ_CREATE : 826DEAC8
12:03:16:078 2508 IRP_MJ_CREATE_NAMED_PIPE : 826DEAC8
12:03:16:078 2508 IRP_MJ_CLOSE : 826DEAC8
12:03:16:078 2508 IRP_MJ_READ : 826DEAC8
12:03:16:078 2508 IRP_MJ_WRITE : 826DEAC8
12:03:16:078 2508 IRP_MJ_QUERY_INFORMATION : 826DEAC8
12:03:16:078 2508 IRP_MJ_SET_INFORMATION : 826DEAC8
12:03:16:078 2508 IRP_MJ_QUERY_EA : 826DEAC8
12:03:16:078 2508 IRP_MJ_SET_EA : 826DEAC8
12:03:16:078 2508 IRP_MJ_FLUSH_BUFFERS : 826DEAC8
12:03:16:078 2508 IRP_MJ_QUERY_VOLUME_INFORMATION : 826DEAC8
12:03:16:078 2508 IRP_MJ_SET_VOLUME_INFORMATION : 826DEAC8
12:03:16:078 2508 IRP_MJ_DIRECTORY_CONTROL : 826DEAC8
12:03:16:078 2508 IRP_MJ_FILE_SYSTEM_CONTROL : 826DEAC8
12:03:16:078 2508 IRP_MJ_DEVICE_CONTROL : 826DEAC8
12:03:16:078 2508 IRP_MJ_INTERNAL_DEVICE_CONTROL : 826DEAC8
12:03:16:078 2508 IRP_MJ_SHUTDOWN : 826DEAC8
12:03:16:078 2508 IRP_MJ_LOCK_CONTROL : 826DEAC8
12:03:16:078 2508 IRP_MJ_CLEANUP : 826DEAC8
12:03:16:078 2508 IRP_MJ_CREATE_MAILSLOT : 826DEAC8
12:03:16:078 2508 IRP_MJ_QUERY_SECURITY : 826DEAC8
12:03:16:078 2508 IRP_MJ_SET_SECURITY : 826DEAC8
12:03:16:078 2508 IRP_MJ_POWER : 826DEAC8
12:03:16:078 2508 IRP_MJ_SYSTEM_CONTROL : 826DEAC8
12:03:16:078 2508 IRP_MJ_DEVICE_CHANGE : 826DEAC8
12:03:16:078 2508 IRP_MJ_QUERY_QUOTA : 826DEAC8
12:03:16:078 2508 IRP_MJ_SET_QUOTA : 826DEAC8
12:03:16:078 2508 Driver "atapi" infected by TDSS rootkit!
12:03:16:140 2508 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
12:03:16:140 2508 File "C:\WINDOWS\system32\DRIVERS\atapi.sys" infected by TDSS rootkit ...
12:03:16:140 2508 Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
12:03:16:140 2508 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
12:03:17:109 2508 vfvi6
12:03:17:890 2508 !dsvbh1
12:03:27:203 2508 dsvbh2
12:03:27:203 2508 fdfb2
12:03:27:203 2508 Backup copy found, using it..
12:03:27:250 2508 will be cured on next reboot
12:03:27:250 2508 Reboot required for cure complete..
12:03:27:250 2508 Cure on reboot scheduled successfully
12:03:27:250 2508
12:03:27:250 2508 Completed
12:03:27:250 2508
12:03:27:250 2508 Results:
12:03:27:250 2508 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
12:03:27:250 2508 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
12:03:27:250 2508 File objects infected / cured / cured on reboot: 1 / 0 / 1
12:03:27:250 2508
12:03:27:250 2508 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
12:03:27:250 2508 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
12:03:27:250 2508 UnloadDriverW: NtUnloadDriver error 1
12:03:27:250 2508 KLMD(ARK) unloaded successfully
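What makes the TDSSKiller dump above conclusive on its own is the shape of the atapi dispatch table: every IRP_MJ_* major points to the same address, 826DEAC8, while the Disk object shows the normal pattern (CREATE/CLOSE, READ/WRITE, DEVICE_CONTROL and POWER on distinct routines in the driver image, the unimplemented majors on the kernel's invalid-request stub at 804FA88E). GMER's MBR detector in the ComboFix log further down reports that same address as ">>UNKNOWN [0x826DEAC8]<<", i.e. it lies in no loaded module. The script below is an added example, not part of this thread or of Kaspersky's tool; it parses the per-driver dump format TDSSKiller prints and applies exactly those two checks. The module address ranges it uses are an assumption for the example (on a real case they come from a module list such as WinDbg's "lm" or GMER's "called modules" line), and the sample log is a trimmed, constructed copy of the dump above.

```python
"""Dispatch-table triage for TDSSKiller 2.x "Scanning Kernel memory" output.

Added example, not part of the thread or of Kaspersky's tool.  Two heuristics:
  1. every IRP_MJ_* major of one driver resolves to a single address.  A real
     storage driver routes CREATE/CLOSE, READ/WRITE, DEVICE_CONTROL, POWER to
     different routines and points unimplemented majors at the kernel's
     invalid-request stub (804FA88E in the Disk block of the thread).
  2. a handler address that lies inside no known driver image.  TDL3 redirects
     atapi's table into code it placed in kernel pool; GMER prints the same
     address as ">>UNKNOWN [0x826DEAC8]<<" for that reason.
"""
import re
from collections import Counter

# Constructed sample: a trimmed copy of the dump format seen in the thread.
SAMPLE_LOG = r"""
12:03:16:015 2508 Driver Name: Disk
12:03:16:015 2508 IRP_MJ_CREATE : F865CBB0
12:03:16:015 2508 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
12:03:16:015 2508 IRP_MJ_CLOSE : F865CBB0
12:03:16:015 2508 IRP_MJ_READ : F8656D1F
12:03:16:015 2508 IRP_MJ_WRITE : F8656D1F
12:03:16:015 2508 IRP_MJ_DEVICE_CONTROL : F86573BB
12:03:16:015 2508 IRP_MJ_POWER : F8658C82
12:03:16:046 2508 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
12:03:16:046 2508
12:03:16:078 2508 Driver Name: atapi
12:03:16:078 2508 IRP_MJ_CREATE : 826DEAC8
12:03:16:078 2508 IRP_MJ_CREATE_NAMED_PIPE : 826DEAC8
12:03:16:078 2508 IRP_MJ_CLOSE : 826DEAC8
12:03:16:078 2508 IRP_MJ_READ : 826DEAC8
12:03:16:078 2508 IRP_MJ_WRITE : 826DEAC8
12:03:16:078 2508 IRP_MJ_DEVICE_CONTROL : 826DEAC8
12:03:16:078 2508 IRP_MJ_POWER : 826DEAC8
12:03:16:140 2508 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
"""

# ASSUMED image ranges in the XP SP3 x86 layout; not taken from the log.
ASSUMED_MODULE_RANGES = {
    "ntoskrnl.exe": (0x804D7000, 0x806CF000),
    "classpnp.sys": (0xF8650000, 0xF8660000),
    "atapi.sys": (0xF8560000, 0xF8580000),
}

DRIVER_RE = re.compile(r"Driver Name: (\S+)")
IRP_RE = re.compile(r"(IRP_MJ_[A-Z_]+)\s*:\s*([0-9A-Fa-f]{8})\b")
VERDICT_RE = re.compile(r"(\S+\.sys) - Verdict: (\d+)")


def parse_dispatch_tables(log_text):
    """Return [{'driver', 'image', 'table': {IRP_MJ name: address}}, ...]."""
    tables, current = [], None
    for line in log_text.splitlines():
        m = DRIVER_RE.search(line)
        if m:                                  # a new per-driver block starts
            current = {"driver": m.group(1), "image": None, "table": {}}
            tables.append(current)
            continue
        if current is None:
            continue
        m = IRP_RE.search(line)
        if m:
            current["table"][m.group(1)] = int(m.group(2), 16)
            continue
        m = VERDICT_RE.search(line)
        if m:                                  # "<path>.sys - Verdict: n" closes the block
            current["image"] = m.group(1)
            current = None
    return tables


def module_for(addr, ranges):
    """Name of the image range containing addr, or None if it lies in none."""
    for name, (lo, hi) in ranges.items():
        if lo <= addr < hi:
            return name
    return None


def triage(tables, module_ranges):
    """Map driver name -> list of findings; clean drivers are left out."""
    findings = {}
    for t in tables:
        notes = []
        addrs = Counter(t["table"].values())
        if len(t["table"]) >= 2 and len(addrs) == 1:      # uniform table
            (addr, n), = addrs.items()
            notes.append(f"all {n} majors routed to {addr:08X}")
        for a in sorted(set(t["table"].values())):          # unmapped handler
            if module_for(a, module_ranges) is None:
                notes.append(f"handler {a:08X} lies in no known module image")
        if notes:
            findings[t["driver"]] = notes
    return findings


if __name__ == "__main__":
    for drv, notes in triage(parse_dispatch_tables(SAMPLE_LOG), ASSUMED_MODULE_RANGES).items():
        print(drv, "->", "; ".join(notes))
```

Run against a full TDSSKiller log the parser handles the repeated Disk block (TDSSKiller walks each device object) and only atapi is reported, with both findings. The uniform-table check is the robust one: it needs no address ranges at all and survives a rootkit that picks an address inside a legitimate image, because a storage driver simply never routes all 27 majors to one routine.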
  12. Sample sent, still getting popups. I am also still unable to start Windows Firewall (unsure if this is related to other issues).
  13. ComboFix log:
ComboFix 10-04-12.04 - User 04/13/2010 0:34.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.314 [GMT -7:00]
Running from: c:\documents and settings\User\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1368 [VPS 100412-2] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

file zipped: c:\documents and settings\All Users\Application Data\7JN6Jyf3W.dat
file zipped: c:\documents and settings\All Users\Application Data\Kb7M1GA8.exe
file zipped: c:\windows\Fonts\On6WEm.com
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\7JN6Jyf3W.dat
c:\documents and settings\All Users\Application Data\Kb7M1GA8.exe
c:\windows\Fonts\On6WEm.com
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
.
((((((((((((((((((((((((( Files Created from 2010-03-13 to 2010-04-13 )))))))))))))))))))))))))))))))
.
2010-04-12 01:41 . 2010-04-12 01:41 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2010-04-11 06:57 . 2010-04-11 18:36 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft
2010-04-11 06:57 . 2010-04-11 06:58 -------- d-----w- c:\documents and settings\Administrator
2010-04-09 05:13 . 2010-04-11 06:25 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-28 23:08 . 2010-03-28 23:10 -------- d-----w- c:\program files\HRBlock2009
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-13 07:33 . 2005-08-19 03:11 -------- d-----w- c:\program files\QuickTime
2010-04-13 07:33 . 2009-01-22 03:44 -------- d-----w- c:\program files\iTunes
2010-04-12 08:13 . 2005-08-13 18:50 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-12 01:39 . 2010-04-12 00:01 -------- d-----w- c:\program files\Spybot
2010-04-12 00:58 . 2010-04-12 00:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-04-12 00:58 . 2010-04-12 00:58 -------- d-----w- c:\program files\Malwarebytes
2010-04-12 00:58 . 2010-04-12 00:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-12 00:10 . 2005-08-06 22:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-11 21:58 . 2010-04-11 14:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-11 18:21 . 2010-04-11 18:21 279816 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-11 15:03 . 2010-04-11 15:02 -------- d-----w- c:\program files\Scanner
2010-04-07 03:20 . 2007-11-23 06:41 -------- d-----w- c:\program files\Avast
2010-04-05 06:27 . 2006-08-29 03:43 -------- d-----w- c:\documents and settings\User\Application Data\Azureus
2010-03-30 07:46 . 2010-04-12 00:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 07:45 . 2010-04-12 00:58 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-28 23:14 . 2010-03-28 23:13 21195208 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Update\US30026901xupd.exe
2010-03-28 23:12 . 2008-01-29 01:49 -------- d-----w- c:\documents and settings\User\Application Data\TaxCut
2010-03-28 22:59 . 2008-01-29 01:44 -------- d-----w- c:\documents and settings\All Users\Application Data\TaxCut
2010-02-25 06:24 . 2004-08-04 12:00 916480 ------w- c:\windows\system32\wininet.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-04 131072]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-07-28 4841472]
"nwiz"="nwiz.exe" [2003-07-28 323584]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-03-05 180269]
"avast!"="c:\progra~1\Avast\ashDisp.exe" [2009-11-24 81000]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]

c:\documents and settings\User\Start Menu\Programs\Startup\
Watch.lnk - c:\windows\twain_32\A4S2_600\WATCH.EXE [2005-9-25 184320]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4/10/2008 5:27 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/10/2008 5:27 PM 20560]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
DPF: {21BB8360-F943-447E-98F3-3C22345375A7} - hxxp://webgames.d.tmsrv.com/c=6938673a4cc9aaa50d6f456aaa8f0b47/aff=t_03cm_wg/p/release/playfirst/wg_chocolatier/chocolatier/ChocolatierWeb.1.0.0.13.cab
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\4bgulz0o.default\
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-13 00:52
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x826DEAC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf865af28
\Driver\ACPI -> ACPI.sys @ 0xf85adcb8
\Driver\atapi -> atapi.sys @ 0xf8565852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: NVIDIA nForce Networking Controller -> SendCompleteHandler -> NDIS.sys @ 0xf8471bb0
PacketIndicateHandler -> NDIS.sys @ 0xf847ea21
SendHandler -> NDIS.sys @ 0xf845c87b
user & kernel MBR OK
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(668)
c:\windows\system32\WININET.dll
- - - - - - - > 'lsass.exe'(732)
c:\windows\system32\WININET.dll
- - - - - - - > 'explorer.exe'(1268)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avast\aswUpdSv.exe
c:\program files\Avast\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\nvsvc32.exe
c:\mscan\Msoffice\panel.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-04-13 01:07:40 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-13 08:07
ComboFix2.txt 2010-04-13 06:53
ComboFix3.txt 2010-04-12 07:41
Pre-Run: 12,701,638,656 bytes free
Post-Run: 12,670,218,240 bytes free
- - End Of File - - C1013AC9FC1045731FAB51DCA312454A

HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:16:08 AM, on 4/13/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avast\aswUpdSv.exe
C:\Program Files\Avast\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Avast\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\twain_32\A4S2_600\WATCH.EXE
C:\MSCAN\Msoffice\panel.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avast\ashMaiSv.exe
C:\Program Files\Avast\ashWebSv.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: Watch.lnk = C:\WINDOWS\twain_32\A4S2_600\WATCH.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Watch.lnk = C:\WINDOWS\twain_32\A4S2_600\WATCH.EXE (User 'Default user')
O4 - Startup: Watch.lnk = C:\WINDOWS\twain_32\A4S2_600\WATCH.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {21BB8360-F943-447E-98F3-3C22345375A7} (CPlayFirstChocolatierControl Object) - http://webgames.d.tmsrv.com/c=6938673a4cc9aaa50d6f456aaa8f0b47/aff=t_03cm_wg/p/release/playfirst/wg_chocolatier/chocolatier/ChocolatierWeb.1.0.0.13.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.mumbojumbo.com/assets/22/webgame/ReflexiveWebGameLoader.cab
O16 - DPF: {44C1E3A2-B594-401C-B27A-D1B4476E4797} (XTSAC Control) - https://portal.drsclinic.com/XTSAC.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123648936968
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.mumbojumbo.com/assets/mjolauncher.cab
O16 - DPF: {B0FB831D-17F6-4CBD-9B5D-3305881D362E} (LHGLauncherXForm Control) - http://www.mumbojumbo.com/assets/HLGLauncher.CAB
O16 - DPF: {BAC761D3-DFFD-4DB4-A01D-173346E090A7} (CPlayFirstzenerchiControl Object) - http://webgames.d.tmsrv.com/c=1e991847199ced6add9da66556822a7f/aff=t_03cm_wg/p/release/playfirst/wg_zenerchi/zenerchi/ZenerchiWeb.1.0.0.10.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://chill.comcast.net/Gameshell/GameHost/1.0/OberonGameHost.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6990 bytes
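The two ComboFix logs on this page tell the same story from the Run key alone. In the 04/12 log (further down) three unrelated programs, NVMixerTray.exe, realsched.exe and iTunesHelper.exe, all carry the stamp [2010-04-12 41476], and ComboFix's <pre> list shows the displaced originals sitting next to them as "NVMixerTray .exe", "realsched .exe" and "iTunesHelper .exe". After the fix run above, those three entries are back on their original dates and sizes, and only "qttask .exe", whose space is baked into the registry value itself, remains, now marked [X] because nothing by that name exists any more. The script below is an added example and not code from this thread or from ComboFix; it parses a Run block in the form ComboFix prints it and flags those three conditions. The sample block is a constructed copy of the 04/12 log's Run entries.

```python
"""Triage of the Run entries in a ComboFix "Reg Loading Points" section.

Added example, not code from the thread or from ComboFix.  ComboFix prints
each value as  "name"="command" [YYYY-MM-DD size]  or  [X]  when the target
file is missing.  Three checks reproduce what a helper reads off the logs:
  - a space before the extension in the target ("qttask .exe");
  - several different targets carrying one identical date+size stamp
    (the 04/12 log shows three of them at [2010-04-12 41476]);
  - a target ComboFix could not find ([X]).
"""
import re
from collections import defaultdict

# Constructed sample, copied from the 04/12 log's Run block.
SAMPLE_RUN_BLOCK = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2010-04-12 41476]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-07-28 4841472]
"nwiz"="nwiz.exe" [2003-07-28 323584]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-04-12 41476]
"avast!"="c:\progra~1\Avast\ashDisp.exe" [2009-11-24 81000]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-12 41476]
"""

ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s*\[(?P<stamp>[^\]]*)\]')
# first token that ends in an executable extension; arguments are dropped
TARGET_RE = re.compile(r"^(?P<path>.*?\.(?:exe|com|dll|scr|bat))(?:\s|$)", re.I)
SPACED_EXT_RE = re.compile(r"\s\.(?:exe|com|dll|scr|bat)$", re.I)


def parse_run_entries(block):
    """Return one dict per Run value: name, target path, missing flag, date, size."""
    entries = []
    for line in block.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        cmd = m.group("cmd")
        t = TARGET_RE.match(cmd)
        target = t.group("path") if t else cmd
        stamp = m.group("stamp").strip()
        date = size = None
        if stamp != "X":
            parts = stamp.split()
            if len(parts) == 2 and parts[1].isdigit():
                date, size = parts[0], int(parts[1])
        entries.append({"name": m.group("name"), "target": target,
                        "missing": stamp == "X", "date": date, "size": size})
    return entries


def triage_run_entries(entries, min_cluster=2):
    """Map value name -> findings.  Clean entries are left out."""
    findings = defaultdict(list)
    by_stamp = defaultdict(list)
    for e in entries:
        if SPACED_EXT_RE.search(e["target"]):
            findings[e["name"]].append("space before extension: " + e["target"])
        if e["missing"]:
            findings[e["name"]].append("target not found on disk ([X])")
        if e["date"] is not None:
            by_stamp[(e["date"], e["size"])].append(e)
    # identical date+size on different binaries: one file was written over each of them
    for (date, size), group in by_stamp.items():
        targets = {e["target"].lower() for e in group}
        if len(targets) >= min_cluster:
            for e in group:
                findings[e["name"]].append(
                    f"shares stamp {date} {size} with {len(targets) - 1} other target(s)")
    return dict(findings)


if __name__ == "__main__":
    for name, notes in triage_run_entries(parse_run_entries(SAMPLE_RUN_BLOCK)).items():
        print(name, "->", "; ".join(notes))
```

Feed it the text between the "[HKEY_LOCAL_MACHINE\...\Run]" header and the next blank line of a ComboFix log; HKCU Run blocks parse the same way. The stamp-cluster check is the one that catches the replacement even when the attacker has not left a " .exe" behind: two genuinely different vendor binaries do not share a byte count to the byte on the same day.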
  14. File has already been analysed:
MD5: 1cc9fd3ba73aaa6020eb1a23640a49c6
First received: 2010.04.12 22:36:48 UTC
Date: 2010.04.13 01:37:17 UTC [<1D]
Results: 5/40
Permalink: analisis/609e408839986a721d5039d1a8f5d35954c67bcea16bd171a1ed7f59038dd99a-1271122637
  15. ComboFix log:
ComboFix 10-04-12.04 - User 04/12/2010 23:24:01.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.224 [GMT -7:00]
Running from: c:\documents and settings\User\Desktop\Combo-Fix.exe
AV: avast! antivirus 4.8.1368 [VPS 100412-2] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
((((((((((((((((((((((((( Files Created from 2010-03-13 to 2010-04-13 )))))))))))))))))))))))))))))))
.
2010-04-12 01:41 . 2010-04-12 01:41 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2010-04-11 06:57 . 2010-04-11 18:36 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft
2010-04-11 06:57 . 2010-04-11 06:58 -------- d-----w- c:\documents and settings\Administrator
2010-04-09 05:13 . 2010-04-11 06:25 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-28 23:08 . 2010-03-28 23:10 -------- d-----w- c:\program files\HRBlock2009
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-13 05:30 . 2010-04-12 21:58 112 ----a-w- c:\documents and settings\All Users\Application Data\7JN6Jyf3W.dat
2010-04-13 05:30 . 2010-04-13 05:30 71170 ----a-w- c:\documents and settings\All Users\Application Data\Kb7M1GA8.exe
2010-04-13 05:30 . 2010-04-13 05:30 71170 ----a-w- c:\documents and settings\All Users\Application Data\Kb7M1GA8.exe
2010-04-13 05:16 . 2005-08-19 03:11 -------- d-----w- c:\program files\QuickTime
2010-04-12 21:55 . 2009-01-22 03:44 -------- d-----w- c:\program files\iTunes
2010-04-12 21:55 . 2010-04-12 21:55 41472 ----a-w- c:\windows\Fonts\On6WEm.com
2010-04-12 08:13 . 2005-08-13 18:50 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-12 01:39 . 2010-04-12 00:01 -------- d-----w- c:\program files\Spybot
2010-04-12 00:58 . 2010-04-12 00:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-04-12 00:58 . 2010-04-12 00:58 -------- d-----w- c:\program files\Malwarebytes
2010-04-12 00:58 . 2010-04-12 00:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-12 00:10 . 2005-08-06 22:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-11 21:58 . 2010-04-11 14:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-11 18:21 . 2010-04-11 18:21 279816 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-11 15:03 . 2010-04-11 15:02 -------- d-----w- c:\program files\Scanner
2010-04-07 03:20 . 2007-11-23 06:41 -------- d-----w- c:\program files\Avast
2010-04-05 06:27 . 2006-08-29 03:43 -------- d-----w- c:\documents and settings\User\Application Data\Azureus
2010-03-30 07:46 . 2010-04-12 00:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 07:45 . 2010-04-12 00:58 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-28 23:14 . 2010-03-28 23:13 21195208 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Update\US30026901xupd.exe
2010-03-28 23:12 . 2008-01-29 01:49 -------- d-----w- c:\documents and settings\User\Application Data\TaxCut
2010-03-28 22:59 . 2008-01-29 01:44 -------- d-----w- c:\documents and settings\All Users\Application Data\TaxCut
2010-02-25 06:24 . 2004-08-04 12:00 916480 ------w- c:\windows\system32\wininet.dll
.
<pre>
c:\program files\Common Files\Real\Update_OB\realsched .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
</pre>
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2010-04-12 41476]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-07-28 4841472]
"nwiz"="nwiz.exe" [2003-07-28 323584]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-04-12 41476]
"avast!"="c:\progra~1\Avast\ashDisp.exe" [2009-11-24 81000]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-12 41476]

c:\documents and settings\User\Start Menu\Programs\Startup\
Watch.lnk - c:\windows\twain_32\A4S2_600\WATCH.EXE [2005-9-25 184320]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4/10/2008 5:27 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/10/2008 5:27 PM 20560]
.
Contents of the 'Scheduled Tasks' folder

2010-04-12 c:\windows\Tasks\At1.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]
2010-04-12 c:\windows\Tasks\At10.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]
2010-04-12 c:\windows\Tasks\At11.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]
2010-04-12 c:\windows\Tasks\At12.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]
2010-04-12 c:\windows\Tasks\At13.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]
2010-04-12 c:\windows\Tasks\At14.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]
2010-04-12 c:\windows\Tasks\At15.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]
2010-04-12 c:\windows\Tasks\At16.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]
2010-04-12 c:\windows\Tasks\At17.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]
2010-04-13 c:\windows\Tasks\At18.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]
2010-04-13 c:\windows\Tasks\At19.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]
2010-04-12 c:\windows\Tasks\At2.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]
2010-04-13 c:\windows\Tasks\At20.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]
2010-04-13 c:\windows\Tasks\At21.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]
2010-04-13 c:\windows\Tasks\At22.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]
2010-04-13 c:\windows\Tasks\At23.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]
2010-04-13 c:\windows\Tasks\At24.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]
2010-04-12 c:\windows\Tasks\At3.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]
2010-04-12 c:\windows\Tasks\At4.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]
2010-04-12 c:\windows\Tasks\At5.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]
2010-04-12 c:\windows\Tasks\At6.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]
2010-04-12 c:\windows\Tasks\At7.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]
2010-04-12 c:\windows\Tasks\At8.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]
2010-04-12 c:\windows\Tasks\At9.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
DPF: {21BB8360-F943-447E-98F3-3C22345375A7} - hxxp://webgames.d.tmsrv.com/c=6938673a4cc9aaa50d6f456aaa8f0b47/aff=t_03cm_wg/p/release/playfirst/wg_chocolatier/chocolatier/ChocolatierWeb.1.0.0.13.cab
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\4bgulz0o.default\
.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-12 23:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\windows\TEMP\flaB.tmp 11873910 bytes

scan completed successfully
hidden files: 1

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x826D8AC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf865af28
\Driver\ACPI -> ACPI.sys @ 0xf85adcb8
\Driver\atapi -> atapi.sys @ 0xf8565852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: NVIDIA nForce Networking Controller -> SendCompleteHandler -> NDIS.sys @ 0xf8471bb0
PacketIndicateHandler -> NDIS.sys @ 0xf847ea21
SendHandler -> NDIS.sys @ 0xf845c87b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(656)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(716)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(856)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-04-12 23:53:52
ComboFix-quarantined-files.txt 2010-04-13 06:53
ComboFix2.txt 2010-04-12 07:41

Pre-Run: 12,227,772,416 bytes free
Post-Run: 12,685,619,200 bytes free

- - End Of File - - F78102C23AD23CD2FA86BB53103C8E15
  16. Malwarebytes log:
Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3983
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/12/2010 10:53:57 PM
mbam-log-2010-04-12 (22-53-57).txt

Scan type: Quick scan
Objects scanned: 112096
Time elapsed: 12 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Still having issues though. A randomly named process seemed to be keeping Malwarebytes from scanning until I ended it in the task manager.
  17. I am still occasionally getting unsolicited popups (i.e. not triggered by clicking anything), and Avast just gave me another trojan warning (see below). I am also unable to start the Windows Firewall.
Avast warning: Sign of "JS:FakeAV-J [Trj]" has been found in "http://goolexxro.com/hh/\{gzip}" file.
  18. JavaRa log:
JavaRa 1.15 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Mon Apr 12 01:25:44 2010

Found and removed: C:\Program Files\Java\jre1.5.0_04
Found and removed: C:\Documents and Settings\User\Application Data\Sun\Java\jre1.6.0_11
Found and removed: C:\Documents and Settings\User\Application Data\Sun\Java\jre1.6.0_15
Found and removed: Software\JavaSoft\Java2D\1.5.0_04
Found and removed: Software\JavaSoft\Java2D\1.5.0_08
Found and removed: SOFTWARE\Classes\JavaPlugin.150_08
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.5.0_04\

------------------------------------

Finished reporting.

msiebbar.dll is no longer in the system32 folder. I am not sure why it disappeared, as I don't recall doing anything other than what was posted here.

C:\windows\PRAGMAyycvksevpe is empty.
  19. ComboFix log:
ComboFix 10-04-11.03 - User 04/12/2010 0:09.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.204 [GMT -7:00]
Running from: c:\documents and settings\User\Desktop\Combo-Fix.exe
AV: avast! antivirus 4.8.1368 [VPS 100411-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\Downloaded Program Files\popcaploader.inf
.
((((((((((((((((((((((((( Files Created from 2010-03-12 to 2010-04-12 )))))))))))))))))))))))))))))))
.
2010-04-12 01:41 . 2010-04-12 01:41 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2010-04-11 06:57 . 2010-04-11 18:36 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft
2010-04-11 06:57 . 2010-04-11 06:58 -------- d-----w- c:\documents and settings\Administrator
2010-04-11 06:28 . 2010-04-11 06:29 -------- d-----w- c:\windows\PRAGMAyycvksevpe
2010-04-09 05:13 . 2010-04-11 06:25 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-28 23:08 . 2010-03-28 23:10 -------- d-----w- c:\program files\HRBlock2009
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-12 01:39 . 2010-04-12 00:01 -------- d-----w- c:\program files\Spybot
2010-04-12 00:58 . 2010-04-12 00:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-04-12 00:58 . 2010-04-12 00:58 -------- d-----w- c:\program files\Malwarebytes
2010-04-12 00:58 . 2010-04-12 00:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-12 00:10 . 2005-08-06 22:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-11 21:58 . 2010-04-11 14:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-11 18:21 . 2010-04-11 18:21 279816 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-11 15:03 . 2010-04-11 15:02 -------- d-----w- c:\program files\Scanner
2010-04-07 03:20 . 2007-11-23 06:41 -------- d-----w- c:\program files\Avast
2010-04-05 06:27 . 2006-08-29 03:43 -------- d-----w- c:\documents and settings\User\Application Data\Azureus
2010-03-30 07:46 . 2010-04-12 00:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 07:45 . 2010-04-12 00:58 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-28 23:14 . 2010-03-28 23:13 21195208 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Update\US30026901xupd.exe
2010-03-28 23:12 . 2008-01-29 01:49 -------- d-----w- c:\documents and settings\User\Application Data\TaxCut
2010-03-28 22:59 . 2008-01-29 01:44 -------- d-----w- c:\documents and settings\All Users\Application Data\TaxCut
2010-02-25 06:24 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-13 16:03 . 2010-01-13 16:03 152576 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-13 16:03 . 2009-11-09 21:31 79488 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-04 131072]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-07-28 4841472]
"nwiz"="nwiz.exe" [2003-07-28 323584]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-03-05 180269]
"avast!"="c:\progra~1\Avast\ashDisp.exe" [2009-11-24 81000]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

c:\documents and settings\User\Start Menu\Programs\Startup\
Watch.lnk - c:\windows\twain_32\A4S2_600\WATCH.EXE [2005-9-25 184320]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4/10/2008 5:27 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/10/2008 5:27 PM 20560]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
DPF: {21BB8360-F943-447E-98F3-3C22345375A7} - hxxp://webgames.d.tmsrv.com/c=6938673a4cc9aaa50d6f456aaa8f0b47/aff=t_03cm_wg/p/release/playfirst/wg_chocolatier/chocolatier/ChocolatierWeb.1.0.0.13.cab
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\4bgulz0o.default\
.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-12 00:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82696AC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf866af28
\Driver\ACPI -> ACPI.sys @ 0xf85adcb8
\Driver\atapi -> atapi.sys @ 0xf8565852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: NVIDIA nForce Networking Controller -> SendCompleteHandler -> NDIS.sys @ 0xf8471bb0
PacketIndicateHandler -> NDIS.sys @ 0xf847ea21
SendHandler -> NDIS.sys @ 0xf845c87b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(664)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(728)
c:\windows\system32\WININET.dll
.
Completion time: 2010-04-12 00:41:13
ComboFix-quarantined-files.txt 2010-04-12 07:41

Pre-Run: 12,144,599,040 bytes free
Post-Run: 12,334,379,008 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
d:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 9D50494A7541A864E75FEA58781F96F4

Uninstall list:
AC3Filter (remove only)
Ad-Aware SE Personal
Adobe Flash Player 10 ActiveX
Adobe Reader 7.0.5 Language Support
Adobe Reader 7.1.0
Amazon MP3 Downloader 1.0.2
AOL Instant Messenger
Apple Mobile Device Support
Apple Software Update
avast! Antivirus
Azureus
Bonjour
Civilization III
Civilization III: Conquests
Compatibility Pack for the 2007 Office system
CoreVorbis Audio Decoder (remove only)
Critical Update for Windows Media Player 11 (KB959772)
Direct Show Ogg Vorbis Filter (remove only)
DivX Codec
DScaler 5 Mpeg Decoders
ffdshow (remove only)
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
H&R Block Deluxe + Efile + State 2009
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Huffyuv AVI lossless video codec (Remove Only)
iPod for Windows 2006-03-23
IrfanView (remove only)
iTunes
Java(TM) 6 Update 17
Java(TM) 6 Update 2
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6
Java(TM) SE Runtime Environment 6 Update 1
JEOPARDY! (remove only)
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Standard for Students and Teachers
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Web Publishing Wizard 1.52
Morgan Stream Switcher
Mozilla Firefox (3.0)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Netflix Movie Viewer
NVIDIA Drivers
NVIDIA Windows 2000/XP Display Drivers
NvMixer
Pdf995 (installed by TaxCut)
PdfEdit995 (installed by TaxCut)
Picture Package Music Transfer
QuickTime
RealPlayer
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
SimCity 3000
Sony Picture Utility
Spybot - Search & Destroy
TaxCut Premium + Efile 2008
TaxCut Premium 2007
The Print Shop 21
The Sims 2
The Sims 2 Nightlife
Update for Windows Internet Explorer 8 (KB968220)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Windows Defender Signatures
Windows Genuine Advantage v1.3.0254.0
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
XviD MPEG-4 Video Codec

HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:44:34 AM, on 4/12/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avast\aswUpdSv.exe
C:\Program Files\Avast\ashServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Avast\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\twain_32\A4S2_600\WATCH.EXE
C:\MSCAN\Msoffice\panel.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - S-1-5-18 Startup: Watch.lnk = C:\WINDOWS\twain_32\A4S2_600\WATCH.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Watch.lnk = C:\WINDOWS\twain_32\A4S2_600\WATCH.EXE (User 'Default user')
O4 - Startup: Watch.lnk = C:\WINDOWS\twain_32\A4S2_600\WATCH.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {21BB8360-F943-447E-98F3-3C22345375A7} (CPlayFirstChocolatierControl Object) - http://webgames.d.tmsrv.com/c=6938673a4cc9aaa50d6f456aaa8f0b47/aff=t_03cm_wg/p/release/playfirst/wg_chocolatier/chocolatier/ChocolatierWeb.1.0.0.13.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.mumbojumbo.com/assets/22/webgame/ReflexiveWebGameLoader.cab
O16 - DPF: {44C1E3A2-B594-401C-B27A-D1B4476E4797} (XTSAC Control) - https://portal.drsclinic.com/XTSAC.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123648936968
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.mumbojumbo.com/assets/mjolauncher.cab
O16 - DPF: {B0FB831D-17F6-4CBD-9B5D-3305881D362E} (LHGLauncherXForm Control) - http://www.mumbojumbo.com/assets/HLGLauncher.CAB
O16 - DPF: {BAC761D3-DFFD-4DB4-A01D-173346E090A7} (CPlayFirstzenerchiControl Object) - http://webgames.d.tmsrv.com/c=1e991847199ced6add9da66556822a7f/aff=t_03cm_wg/p/release/playfirst/wg_zenerchi/zenerchi/ZenerchiWeb.1.0.0.10.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://chill.comcast.net/Gameshell/GameHost/1.0/OberonGameHost.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7598 bytes
  20. Malwarebytes log:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3979

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/11/2010 11:26:05 PM
mbam-log-2010-04-11 (23-26-05).txt

Scan type: Quick scan
Objects scanned: 113647
Time elapsed: 14 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Digital Protection (Rogue.DigitalProtection) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Temp\asd8.tmp.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\davclnt.exe (Rogue.DigitalProtection) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Favorites\_favdata.dat (Malware.Trace) -> Quarantined and deleted successfully.
I'm not sure which Spybot log to post, but these two should be the most relevant: 11.04.2010 17:11:36 - ##### check started ##### 11.04.2010 17:11:36 - ### Version: 1.6.2 11.04.2010 17:11:36 - ### Date: 4/11/2010 5:11:36 PM 11.04.2010 17:11:39 - ##### checking bots ##### 11.04.2010 17:20:43 - found: Microsoft.Windows.FileExe Settings 11.04.2010 17:20:52 - found: Microsoft.WindowsSecurityCenter.AntiVirusOverride Settings 11.04.2010 17:20:52 - found: Microsoft.WindowsSecurityCenter.FirewallOverride Settings 11.04.2010 17:20:52 - found: Microsoft.WindowsSecurityCenter.TaskManager Settings 11.04.2010 17:20:52 - found: Microsoft.WindowsSecurityCenter.TaskManager Settings 11.04.2010 17:20:52 - found: Microsoft.WindowsSecurityCenter_disabled Settings 11.04.2010 17:20:57 - found: Microsoft.Windows.System Settings 11.04.2010 17:52:43 - found: DoubleClick Tracking cookie (Firefox: User (default)) 11.04.2010 17:52:44 - found: Zedo Tracking cookie (Firefox: User (default)) 11.04.2010 17:52:46 - ##### check finished ##### --- Report generated: 2010-04-11 17:54 --- Microsoft.Windows.FileExe: [SBI $D204F52E] Settings (Registry change, fixed) HKEY_CLASSES_ROOT\.exe\ Microsoft.WindowsSecurityCenter.AntiVirusOverride: [SBI $3604910C] Settings (Registry change, fixed) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride Microsoft.WindowsSecurityCenter.FirewallOverride: [SBI $0C94D702] Settings (Registry change, fixed) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride Microsoft.WindowsSecurityCenter.TaskManager: [SBI $FD4267D3] Settings (Registry change, fixed) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr Microsoft.WindowsSecurityCenter.TaskManager: [SBI $FD4267D3] Settings (Registry change, fixed) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr Microsoft.WindowsSecurityCenter_disabled: [SBI $2E20C9A9] Settings (Registry change, fixed) 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start Microsoft.Windows.System: [SBI $CA894808] Settings (Registry change, fixed) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr DoubleClick: Tracking cookie (Firefox: User (default)) (Cookie, fixed) Zedo: Tracking cookie (Firefox: User (default)) (Cookie, fixed) --- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) --- 2009-01-26 blindman.exe (1.0.0.8) 2009-01-26 SDFiles.exe (1.6.1.7) 2009-01-26 SDMain.exe (1.0.0.6) 2009-01-26 SDShred.exe (1.0.2.5) 2009-01-26 SDUpdate.exe (1.6.0.12) 2009-01-26 SpybotSD.exe (1.6.2.46) 2009-01-26 TeaTimer.exe (1.6.4.26) 2010-04-11 unins000.exe (51.49.0.0) 2009-01-26 Update.exe (1.6.0.7) 2009-01-26 advcheck.dll (1.6.2.15) 2007-04-02 aports.dll (2.1.0.0) 2008-06-14 DelZip179.dll (1.79.11.1) 2009-01-26 SDHelper.dll (1.6.2.14) 2008-06-19 sqlite3.dll 2009-01-26 Tools.dll (2.1.6.10) 2009-01-16 UninsSrv.dll (1.0.0.0) 2010-02-17 Includes\Adware.sbi (*) 2010-04-06 Includes\AdwareC.sbi (*) 2010-01-25 Includes\Cookies.sbi (*) 2009-11-03 Includes\Dialer.sbi (*) 2010-04-06 Includes\DialerC.sbi (*) 2010-01-25 Includes\HeavyDuty.sbi (*) 2009-05-26 Includes\Hijackers.sbi (*) 2010-04-06 Includes\HijackersC.sbi (*) 2010-01-19 Includes\Keyloggers.sbi (*) 2010-04-06 Includes\KeyloggersC.sbi (*) 2004-11-29 Includes\LSP.sbi (*) 2010-03-02 Includes\Malware.sbi (*) 2010-04-07 Includes\MalwareC.sbi (*) 2009-03-25 Includes\PUPS.sbi (*) 2010-03-30 Includes\PUPSC.sbi (*) 2010-01-25 Includes\Revision.sbi (*) 2009-01-13 Includes\Security.sbi (*) 2010-04-06 Includes\SecurityC.sbi (*) 2008-06-03 Includes\Spybots.sbi (*) 2008-06-03 Includes\SpybotsC.sbi (*) 2010-03-02 Includes\Spyware.sbi (*) 2010-04-07 Includes\SpywareC.sbi (*) 2010-03-08 Includes\Tracks.uti 2010-03-03 Includes\Trojans.sbi (*) 2010-04-06 Includes\TrojansC-02.sbi (*) 2010-04-06 Includes\TrojansC-03.sbi (*) 2010-04-06 Includes\TrojansC-04.sbi (*) 2010-04-07 Includes\TrojansC-05.sbi (*) 
2010-04-06 Includes\TrojansC.sbi (*) 2008-03-04 Plugins\Chai.dll 2008-03-05 Plugins\Fennel.dll 2008-02-26 Plugins\Mate.dll 2007-12-24 Plugins\TCPIPAddress.dll HijackThis log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:46:51 PM, on 4/11/2010 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Avast\aswUpdSv.exe C:\Program Files\Avast\ashServ.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\PROGRA~1\Avast\ashDisp.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\twain_32\A4S2_600\WATCH.EXE C:\MSCAN\Msoffice\panel.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Avast\ashMaiSv.exe C:\Program Files\Avast\ashWebSv.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - 
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [avast!] 
C:\PROGRA~1\Avast\ashDisp.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - S-1-5-18 Startup: Watch.lnk = C:\WINDOWS\twain_32\A4S2_600\WATCH.EXE (User 'SYSTEM') O4 - .DEFAULT Startup: Watch.lnk = C:\WINDOWS\twain_32\A4S2_600\WATCH.EXE (User 'Default user') O4 - Startup: Watch.lnk = C:\WINDOWS\twain_32\A4S2_600\WATCH.EXE O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000 O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {21BB8360-F943-447E-98F3-3C22345375A7} (CPlayFirstChocolatierControl Object) - 
http://webgames.d.tmsrv.com/c=6938673a4cc9aaa50d6f456aaa8f0b47/aff=t_03cm_wg/p/release/playfirst/wg_chocolatier/chocolatier/ChocolatierWeb.1.0.0.13.cab O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.mumbojumbo.com/assets/22/webgame/ReflexiveWebGameLoader.cab O16 - DPF: {44C1E3A2-B594-401C-B27A-D1B4476E4797} (XTSAC Control) - https://portal.drsclinic.com/XTSAC.cab O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123648936968 O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.mumbojumbo.com/assets/mjolauncher.cab O16 - DPF: {B0FB831D-17F6-4CBD-9B5D-3305881D362E} (LHGLauncherXForm Control) - http://www.mumbojumbo.com/assets/HLGLauncher.CAB O16 - DPF: {BAC761D3-DFFD-4DB4-A01D-173346E090A7} (CPlayFirstzenerchiControl Object) - http://webgames.d.tmsrv.com/c=1e991847199ced6add9da66556822a7f/aff=t_03cm_wg/p/release/playfirst/wg_zenerchi/zenerchi/ZenerchiWeb.1.0.0.10.cab O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://chill.comcast.net/Gameshell/GameHost/1.0/OberonGameHost.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://webgames.d.tmsrv.com/c=3f323b08e3530152678a2a39c9bfbf66/aff=t_03cm_wg/p/release/popcap/wg_bejeweled2/popcaploader_v6.cab O18 - Filter hijack: text/html - {274c4f91-ecfc-4224-8e67-4cd65b4f9c87} - C:\WINDOWS\system32\msiebbar.dll O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast\aswUpdSv.exe O23 - Service: avast! 
Antivirus - ALWIL Software - C:\Program Files\Avast\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast\ashWebSv.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing) O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe -- End of file - 8078 bytes
  21. Hey Borislav, thanks for the help. I think I've already got it fixed, but I'll follow along just to make sure. Prior to your post, I ran Spybot on the advice of a friend and it knocked back the malware enough for me to run Malwarebytes. Here's the log it generated:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3930

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/11/2010 7:09:51 PM
mbam-log-2010-04-11 (19-09-51).txt

Scan type: Quick scan
Objects scanned: 120254
Time elapsed: 20 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\secfile\shell\open\command\(default) (Rogue.MultipleAV) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I can also post the Spybot logs if you want.
  22. My parents have managed to get a virus on their computer, and I am having a terrible time trying to remove it. Initial symptoms were trojan alerts from Avast and browser redirects in IE. This later progressed to the installation of a fake antivirus software called "XP Security". Initial scans with Avast found a few trojans, but I am no longer able to run the program. I am not able to install Malwarebytes in safe mode, even after changing the name of the install file. Following the guide here produced no results. The only thing I have been able to run is HijackThis.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:27:45 PM, on 4/11/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Administrator\Local Settings\Application Data\ave.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: Watch.lnk = C:\WINDOWS\twain_32\A4S2_600\WATCH.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Watch.lnk = C:\WINDOWS\twain_32\A4S2_600\WATCH.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {21BB8360-F943-447E-98F3-3C22345375A7} (CPlayFirstChocolatierControl Object) - http://webgames.d.tmsrv.com/c=6938673a4cc9aaa50d6f456aaa8f0b47/aff=t_03cm_wg/p/release/playfirst/wg_chocolatier/chocolatier/ChocolatierWeb.1.0.0.13.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.mumbojumbo.com/assets/22/webgame/ReflexiveWebGameLoader.cab
O16 - DPF: {44C1E3A2-B594-401C-B27A-D1B4476E4797} (XTSAC Control) - https://portal.drsclinic.com/XTSAC.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123648936968
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.mumbojumbo.com/assets/mjolauncher.cab
O16 - DPF: {B0FB831D-17F6-4CBD-9B5D-3305881D362E} (LHGLauncherXForm Control) - http://www.mumbojumbo.com/assets/HLGLauncher.CAB
O16 - DPF: {BAC761D3-DFFD-4DB4-A01D-173346E090A7} (CPlayFirstzenerchiControl Object) - http://webgames.d.tmsrv.com/c=1e991847199ced6add9da66556822a7f/aff=t_03cm_wg/p/release/playfirst/wg_zenerchi/zenerchi/ZenerchiWeb.1.0.0.10.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://chill.comcast.net/Gameshell/GameHost/1.0/OberonGameHost.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://webgames.d.tmsrv.com/c=3f323b08e3530152678a2a39c9bfbf66/aff=t_03cm_wg/p/release/popcap/wg_bejeweled2/popcaploader_v6.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6794 bytes

Thanks for the help.