monga

Thank you Chris, I will try. I had not seen your reply.... I will post back with the results.

Sorry for the delay: I did merge those files with the registry as you said. Should I now go back to this sequence you posted before? "Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall This uninstalls all of ComboFix's components. Delete SecurityCheck. After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following program (if present): ESET Online Scanner v3 Restart your computer." Please let me know, I'll follow your instructions once I know what to do. Thank you again!!

The files read: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Group Mail] "DisplayName"="Group Mail" "UninstallString"="C:\\WINDOWS\\UNWISE.EXE C:\\WINDOWS\\ungm31pl.log" "RegCompany"="" "RegOwner"="My Name replaced with this string for privacy reasons" "Publisher"="infacta Ltd." "URLInfoAbout"="http://www.infacta.com/support.asp" and Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\PRO50] "UninstallString"="C:\\WINDOWS\\IsUninst.exe -ff:\\pro25\\Uninst.isu" "DisplayName"="PRO50" I definitely would not want to uninstall the accounting program or the mail program if possible. I did replace my name on the first file as I do not feel comfortable broadcasting my info, but will be glad to message you the info if needed. Thank you very much for your help.

Thanks for your reply, before I remove Combofix, I'd like to say I don't have a way to reinstall the accounting program and the email program is quite old and has been updated to the point where now they want you to pay a yearly subscription so I'd rather stick tot he old version which still works for me... The files I was referring to seem to be in C:\Qoobox\Quarantine\Registry_backups there are some files called: AddRemove-Group Mail.reg.dat also AddRemove-Pro50.reg.dat not sure if once Combofix is removed it will affect the functionality of my programs... The ComboFix-quarantined-files.txt reads: 2011-08-09 07:13:29 . 2011-08-09 07:13:29 0 ----a-w- C:\Qoobox\Quarantine\catchme.txt 2011-08-06 02:20:16 . 2011-08-06 02:20:16 434 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-PRO50.reg.dat 2011-08-06 02:20:16 . 2011-08-06 02:20:16 704 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-Group Mail.reg.dat 2011-08-06 02:19:37 . 2011-08-06 02:19:37 80 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-Ulead AutoDetector v2.reg.dat 2011-08-06 02:19:36 . 2011-08-06 02:19:36 80 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-WinUtilities Quick Launcher.reg.dat 2011-08-06 02:05:10 . 2011-08-09 07:23:48 7,155 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg 2011-08-06 01:01:07 . 2011-08-09 07:08:29 153 ----a-w- C:\Qoobox\Quarantine\catchme.log 2009-10-17 04:53:32 . 2002-07-27 00:02:06 153,088 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\UNWISE.EXE.vir 2007-11-07 15:03:18 . 2007-11-07 15:03:18 562,688 ----a-w- C:\Qoobox\Quarantine\C\install.exe.vir Don't know if this means anything to you... Please let me know and I'll gladly follow your instructions! :-)

Do you have any idea how long the malicious proxy would have been there or how it got in? I've always had MS Security Essentials and MBAM Pro so I wonder how this thing got through... Here's the ESET log: ESETSmartInstaller@High as CAB hook log: OnlineScanner.ocx - registred OK # version=7 # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339) # OnlineScanner.ocx=1.0.0.6528 # api_version=3.0.2 # EOSSerial=e2a7508a0a66d840ad3527f44fc5151e # end=finished # remove_checked=true # archives_checked=true # unwanted_checked=true # unsafe_checked=false # antistealth_checked=true # utc_time=2011-07-30 10:46:49 # local_time=2011-07-30 03:46:49 (-0800, Pacific Daylight Time) # country="United States" # lang=1033 # osver=5.1.2600 NT Service Pack 3 # compatibility_mode=512 16777215 100 0 433418 433418 0 0 # compatibility_mode=5891 16776869 42 87 0 23104262 0 0 # compatibility_mode=8192 67108863 100 0 0 0 0 0 # scanned=116586 # found=0 # cleaned=0 # scan_time=12610 # version=7 # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339) # OnlineScanner.ocx=1.0.0.6528 # api_version=3.0.2 # EOSSerial=e2a7508a0a66d840ad3527f44fc5151e # end=stopped # remove_checked=true # archives_checked=true # unwanted_checked=true # unsafe_checked=false # antistealth_checked=true # utc_time=2011-08-10 10:16:43 # local_time=2011-08-10 03:16:43 (-0800, Pacific Daylight Time) # country="United States" # lang=9 # osver=5.1.2600 NT Service Pack 3 # compatibility_mode=512 16777215 100 0 1436842 1436842 0 0 # compatibility_mode=5891 16776869 42 87 0 24107686 0 0 # compatibility_mode=8192 67108863 100 0 82475 82475 0 0 # scanned=1579 # found=0 # cleaned=0 # scan_time=984 esets_scanner_update returned -1 esets_gle=53251 # version=7 # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339) # OnlineScanner.ocx=1.0.0.6528 # api_version=3.0.2 # EOSSerial=e2a7508a0a66d840ad3527f44fc5151e # end=finished # remove_checked=true # archives_checked=true # unwanted_checked=true # unsafe_checked=false # antistealth_checked=true # utc_time=2011-08-11 03:17:00 # local_time=2011-08-10 08:17:00 (-0800, Pacific Daylight Time) # country="United States" # lang=9 # osver=5.1.2600 NT Service Pack 3 # compatibility_mode=512 16777215 100 0 1437967 1437967 0 0 # compatibility_mode=5891 16776869 42 87 0 24108811 0 0 # compatibility_mode=8192 67108863 100 0 83600 83600 0 0 # scanned=115413 # found=0 # cleaned=0 # scan_time=17874 Here's the log of the security check: (I had disabled bot MS Security Essentials and MBAM prior to running this program) Results of screen317's Security Check version 0.99.18 Windows XP Service Pack 3 Internet Explorer 8 `````````````````````````````` Antivirus/Firewall Check: Windows Security Center service is not running! This report may not be accurate! Windows Firewall Disabled! ESET Online Scanner v3 Microsoft Security Essentials Antivirus up to date! (On Access scanning disabled!) ``````````````````````````````` Anti-malware/Other Utilities Check: Malwarebytes' Anti-Malware Adobe Flash Player 10.3.181.26 Mozilla Firefox (x86 en-US..) ```````````````````````````````` Process Check: objlist.exe by Laurent Windows Defender MSMpEng.exe Malwarebytes' Anti-Malware mbamservice.exe Malwarebytes' Anti-Malware mbamgui.exe Microsoft Security Essentials msseces.exe Microsoft Security Client Antimalware MsMpEng.exe ``````````End of Log```````````` Actually the notification of that 208.87.32.75 being blocked successfully by MBAM Pro, stopped after we ran Combofix the first time around but I wanted to run through the whole process and follow your instructions. Is my PC cured? Any ideas on how to avoid getting reinfected? If I remember correctly Combofix identified 2 items (GroupMail and Pro50) as being in quarantine or needing to be. These are actually 2 programs I use, PRO50 is an accounting program by a company called SBT and GroupMail is a program I purchased years ago from a reputable company called Infacta and which allows me to send emails to my customers. Is there any way to avoid having these 2 items deleted or disabled? They are not malicious. Thanks again for all your help!!

It did not reboot. Here are the logs: Combofix.txt ComboFix 11-08-08.03 - ester 08/09/2011 0:13.3.1 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.488 [GMT -7:00] Running from: c:\documents and settings\ester\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\ester\Desktop\CFScript.txt AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF} AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095} . . ((((((((((((((((((((((((( Files Created from 2011-07-09 to 2011-08-09 ))))))))))))))))))))))))))))))) . . 2011-08-09 02:35 . 2011-08-09 02:35 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6E4F3834-E71A-4221-B153-2C93DD00C02F}\MpKsld1f442ed.sys 2011-08-09 02:32 . 2011-07-13 03:39 6881616 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6E4F3834-E71A-4221-B153-2C93DD00C02F}\mpengine.dll 2011-07-30 07:05 . 2011-07-30 07:05 -------- d-----w- c:\program files\ESET 2011-07-22 03:21 . 2011-07-22 03:21 -------- d-----w- c:\documents and settings\QBDataServiceUser18 2011-07-14 18:06 . 2011-07-14 18:06 -------- d-----w- c:\program files\Webroot 2011-07-14 14:53 . 2011-07-14 14:53 388096 ----a-r- c:\documents and settings\ester\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe 2011-07-14 14:53 . 2011-07-14 14:53 -------- d-----w- c:\program files\Trend Micro . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-07-13 03:39 . 2009-06-25 18:34 6881616 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll 2011-07-07 02:52 . 2010-02-14 18:25 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2011-07-07 02:52 . 2010-02-14 18:25 22712 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-06-24 04:07 . 2011-05-20 18:15 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2011-06-02 14:02 . 2003-07-16 16:45 1858944 ------w- c:\windows\system32\win32k.sys 2011-06-21 21:53 . 2011-05-20 16:01 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll . . ((((((((((((((((((((((((((((( SnapShot@2011-08-06_02.16.14 ))))))))))))))))))))))))))))))))))))))))) . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1] @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}] 2011-02-18 05:12 94208 ----a-w- c:\documents and settings\ester\Application Data\Dropbox\bin\DropboxExt.14.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2] @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}] 2011-02-18 05:12 94208 ----a-w- c:\documents and settings\ester\Application Data\Dropbox\bin\DropboxExt.14.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3] @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}] 2011-02-18 05:12 94208 ----a-w- c:\documents and settings\ester\Application Data\Dropbox\bin\DropboxExt.14.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4] @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}] 2011-02-18 05:12 94208 ----a-w- c:\documents and settings\ester\Application Data\Dropbox\bin\DropboxExt.14.dll . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-20 68856] "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "VMware Tools"="c:\program files\VMware\VMware Tools\VMwareTray.exe" [2008-09-11 428592] "VMware User Process"="c:\program files\VMware\VMware Tools\VMwareUser.exe" [2008-09-11 862768] "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-08-21 30192] "AmazonGSDownloaderTray"="c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe" [2009-10-23 326144] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920] "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408] "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-07 449584] . [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096] . c:\documents and settings\ester\Start Menu\Programs\Startup\ Dropbox.lnk - c:\documents and settings\ester\Application Data\Dropbox\bin\Dropbox.exe [2011-5-25 24176560] . c:\documents and settings\All Users\Start Menu\Programs\Startup\ QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-2-27 972064] Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904] . [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128] . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TPSvc] 2008-09-11 00:52 423208 ------r- c:\windows\system32\TPSvc.dll . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc] @="Service" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys] @="Driver" . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\CalgooConnect\\CalgooConnect.exe"= . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009 . R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [1/10/2009 1:29 AM 17968] R0 VSP;Veritas Snapshot Provider;c:\windows\system32\drivers\VSP.SYS [5/4/2006 4:16 PM 51896] R1 MpKsld1f442ed;MpKsld1f442ed;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6E4F3834-E71A-4221-B153-2C93DD00C02F}\MpKsld1f442ed.sys [8/8/2011 7:35 PM 28752] R1 vmhgfs;vmhgfs;c:\windows\system32\drivers\vmhgfs.sys [1/10/2009 1:29 AM 118576] R2 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [8/26/2010 8:35 PM 401920] R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2/14/2010 11:25 AM 366640] R2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\Nitro PDF\Professional\NitroPDFDriverService.exe [10/5/2009 10:08 AM 188736] R2 Seagate-Replica-Service;Seagate-Replica-Service;c:\program files\Seagate Replica\bin\Seagate-Replica-Service.exe [3/10/2010 11:39 PM 1814016] R2 Seagate-Replica-SysMon;Seagate-Replica-SysMon;c:\program files\Seagate Replica\bin\Seagate-Replica-SysMon.exe [3/10/2010 11:39 PM 162256] R2 VMMEMCTL;Memory Control Driver;c:\program files\VMware\VMware Tools\Drivers\memctl\vmmemctl.sys [9/10/2008 5:53 PM 14384] R2 VMTools;VMware Tools Service;c:\program files\VMware\VMware Tools\VMwareService.exe [9/10/2008 5:54 PM 539184] R2 VMware Physical Disk Helper Service;VMware Physical Disk Helper Service;c:\program files\VMware\VMware Tools\vmacthlp.exe [9/10/2008 5:53 PM 358960] R2 XobniService;XobniService;c:\program files\Xobni\XobniService.exe [11/20/2009 10:13 AM 55016] R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2/14/2010 11:25 AM 22712] R3 TPAutoConnSvc;TP AutoConnect Service;c:\program files\VMware\VMware Tools\TPAutoConnSvc.exe [9/10/2008 5:52 PM 238832] R3 vmci;VMware VMCI Bus Driver;c:\windows\system32\drivers\vmci.sys [1/10/2009 1:29 AM 53424] R3 vmmouse;VMware Pointing Device;c:\windows\system32\drivers\vmmouse.sys [1/10/2009 1:29 AM 11696] R3 vmx_svga;vmx_svga;c:\windows\system32\drivers\vmx_svga.sys [1/10/2009 1:29 AM 63920] R3 vmxnet;VMware Ethernet Adapter Driver;c:\windows\system32\drivers\vmxnet.sys [1/10/2009 1:29 AM 36400] S1 MpKsl0d79e836;MpKsl0d79e836;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F05D555A-3232-41B9-A7E6-C7B79C3D03FC}\MpKsl0d79e836.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F05D555A-3232-41B9-A7E6-C7B79C3D03FC}\MpKsl0d79e836.sys [?] S1 MpKsl10ac8e75;MpKsl10ac8e75;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{24D53BCA-18A9-4852-80DF-AE6B1E83B5FA}\MpKsl10ac8e75.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{24D53BCA-18A9-4852-80DF-AE6B1E83B5FA}\MpKsl10ac8e75.sys [?] S1 MpKsl2fe9f741;MpKsl2fe9f741;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B80AD19F-1F48-4FA9-B021-A2F2095A899B}\MpKsl2fe9f741.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B80AD19F-1F48-4FA9-B021-A2F2095A899B}\MpKsl2fe9f741.sys [?] S1 MpKslc6d22bcd;MpKslc6d22bcd;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{358D38EE-85FA-4D81-A546-8C7FA96CE586}\MpKslc6d22bcd.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{358D38EE-85FA-4D81-A546-8C7FA96CE586}\MpKslc6d22bcd.sys [?] S1 MpKsle1b24590;MpKsle1b24590;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E1ED8D8E-8EF7-4561-A9EB-06302ECC26AC}\MpKsle1b24590.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E1ED8D8E-8EF7-4561-A9EB-06302ECC26AC}\MpKsle1b24590.sys [?] S1 MpKslf8bc5d4a;MpKslf8bc5d4a;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2A98144E-1F03-46DE-96AD-6A2DD8E14B59}\MpKslf8bc5d4a.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2A98144E-1F03-46DE-96AD-6A2DD8E14B59}\MpKslf8bc5d4a.sys [?] S1 vmdebug;VMware Replay Debugging Helper;c:\windows\system32\drivers\vmdebug.sys [9/10/2008 5:54 PM 19504] S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/3/2010 10:43 PM 135664] S2 NetBackup SAN Client Fibre Transport Service;NetBackup SAN Client Fibre Transport Service;c:\progra~1\Veritas\NETBAC~1\bin\nbftclnt.exe [5/1/2009 5:10 AM 804184] S2 QuickBooksDB18;QuickBooksDB18;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB18 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB18 [?] S2 VRTSpbx;Symantec Private Branch Exchange;c:\windows\system32\cmd.exe [7/16/2003 9:19 AM 389120] S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [5/21/2009 10:46 PM 30192] S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/3/2010 10:43 PM 135664] . --- Other Services/Drivers In Memory --- . *NewlyCreated* - MPKSLBD39D90E *NewlyCreated* - MPKSLD1F442ED *NewlyCreated* - MPKSLE4983C18 *Deregistered* - MpKslbd39d90e *Deregistered* - MpKsle4983c18 . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 HPService REG_MULTI_SZ HPSLPSVC hpdevmgmt REG_MULTI_SZ hpqcxs08 . Contents of the 'Scheduled Tasks' folder . 2011-08-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 05:43] . 2011-08-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 05:43] . 2011-08-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1058685564-607745707-111032338-1013Core.job - c:\documents and settings\ester\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-28 18:33] . 2011-08-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1058685564-607745707-111032338-1013UA.job - c:\documents and settings\ester\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-28 18:33] . 2011-08-07 c:\windows\Tasks\MP Scheduled Scan.job - c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 20:26] . 2011-08-09 c:\windows\Tasks\User_Feed_Synchronization-{8AD08D0A-F078-4878-A192-399B31AF25A1}.job - c:\windows\system32\msfeedssync.exe [2007-08-14 11:31] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.netvibes.com/ uInternet Settings,ProxyOverride = *.local uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000 IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll/cmsidewiki.html LSP: c:\program files\VMware\VMware Tools\VSock SDK\bin\win32\vsocklib.dll TCP: DhcpNameServer = 192.168.0.4 192.168.0.1 FF - ProfilePath - c:\documents and settings\ester\Application Data\Mozilla\Firefox\Profiles\213gklny.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.protopage.com/gorgeous FF - prefs.js: network.proxy.http - 192.168.0.4 FF - prefs.js: network.proxy.http_port - 8080 FF - prefs.js: network.proxy.type - 1 . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2011-08-09 00:28 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Seagate-Replica-Service] "ImagePath"="c:\program files\Seagate Replica\bin\Seagate-Replica-Service.exe /startedbyscm:FE2355B7-40E2EE35-RebitSvcModule" . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'winlogon.exe'(688) c:\windows\System32\vmhgfs.dll . - - - - - - - > 'lsass.exe'(744) c:\program files\Bonjour\mdnsNSP.dll . - - - - - - - > 'explorer.exe'(3792) c:\windows\system32\WININET.dll c:\documents and settings\ester\Application Data\Dropbox\bin\DropboxExt.14.dll c:\windows\system32\addressbar.dll c:\windows\System32\vmhgfs.dll c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll c:\progra~1\SEAGAT~1\bin\SEAGAT~3.DLL c:\progra~1\SEAGAT~1\bin\cqt.dll c:\progra~1\SEAGAT~1\bin\zlib1.dll c:\windows\system32\wpdshext.dll c:\windows\system32\PortableDeviceApi.dll c:\windows\system32\Audiodev.dll c:\windows\system32\WMVCore.DLL c:\windows\system32\WMASF.DLL c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll . Completion time: 2011-08-09 00:32:32 ComboFix-quarantined-files.txt 2011-08-09 07:32 ComboFix2.txt 2011-08-06 02:21 . Pre-Run: 4,640,124,928 bytes free Post-Run: 4,694,011,904 bytes free . - - End Of File - - 056DDA376B12C0237D155C54B914D8B2 DDS.txt . DDS (Ver_2011-06-23.01) - NTFSx86 Internet Explorer: 8.0.6001.18702 Run by ester at 0:38:28 on 2011-08-09 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.501 [GMT -7:00] . AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095} AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF} . ============== Running Processes =============== . C:\Program Files\VMware\VMware Tools\vmacthlp.exe C:\WINDOWS\system32\svchost.exe -k DcomLaunch svchost.exe c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe svchost.exe C:\WINDOWS\system32\spoolsv.exe svchost.exe C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe C:\WINDOWS\system32\ASTSRV.EXE C:\Program Files\Bonjour\mDNSResponder.exe C:\WINDOWS\system32\svchost.exe -k HPService C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe C:\WINDOWS\System32\svchost.exe -k HPZ12 C:\PROGRA~1\Veritas\NETBAC~1\bin\bpinetd.exe C:\Program Files\Nitro PDF\Professional\NitroPDFDriverService.exe C:\WINDOWS\System32\svchost.exe -k HPZ12 C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe C:\WINDOWS\System32\svchost.exe -k imgsvc C:\Program Files\VMware\VMware Tools\VMwareService.exe C:\PROGRA~1\Veritas\NETBAC~1\bin\BPJAVA-msvc.EXE C:\Program Files\VERITAS\VxPBX\bin\pbx_exchange.exe C:\WINDOWS\system32\SearchIndexer.exe C:\Program Files\Xobni\XobniService.exe C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe C:\Program Files\VMware\VMware Tools\TPAutoConnect.exe C:\Program Files\VMware\VMware Tools\VMwareTray.exe C:\Program Files\VMware\VMware Tools\VMwareUser.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe C:\Program Files\Microsoft Security Client\msseces.exe C:\PROGRA~1\Discover\SOAN\DISCOV~1.EXE C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe C:\Program Files\Windows Desktop Search\WindowsSearch.exe C:\WINDOWS\system32\OBroker.exe C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Pidgin\pidgin.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Seagate Replica\bin\Seagate-Replica-SysMon.exe C:\Program Files\Seagate Replica\bin\Seagate-Replica-AutoPlay.exe C:\Program Files\Seagate Replica\bin\Seagate-Replica-Service.exe C:\Program Files\Seagate Replica\bin\Seagate-Replica-Tray.exe C:\WINDOWS\explorer.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\SearchProtocolHost.exe . ============== Pseudo HJT Report =============== . uStart Page = hxxp://www.netvibes.com/ uInternet Settings,ProxyOverride = *.local uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: Secure Online Account Numbers Helper: {435eaa86-d32b-484f-869c-53745fcb1642} - c:\program files\discover\soan\DiscoverSOANHelper.dll BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll TB: Secure Online Account Numbers: {a8c7c2ca-6dfd-4e16-8458-592361564d38} - c:\program files\discover\soan\DiscoverSOANToolbar.dll TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe" uRun: [iSUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler mRun: [VMware Tools] "c:\program files\vmware\vmware tools\VMwareTray.exe" mRun: [VMware User Process] "c:\program files\vmware\vmware tools\VMwareUser.exe" mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup mRun: [AmazonGSDownloaderTray] "c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderTray.exe" mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe" mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe" mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey mRun: [secure Online Account Numbers] "c:\progra~1\discover\soan\DISCOV~1.EXE" /dontopenmycards mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t StartupFolder: c:\docume~1\ester\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\ester\application data\dropbox\bin\Dropbox.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000 IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll/cmsidewiki.html IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL LSP: c:\program files\vmware\vmware tools\vsock sdk\bin\win32\vsocklib.dll DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/55.16/uploader2.cab DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1231576270321 DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab TCP: DhcpNameServer = 192.168.0.4 192.168.0.1 TCP: Interfaces\{1B33972D-F512-42E6-B7D4-ECA75C5EDE48} : DhcpNameServer = 192.168.0.4 192.168.0.1 Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll Notify: TPSvc - TPSvc.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll . ================= FIREFOX =================== . FF - ProfilePath - c:\documents and settings\ester\application data\mozilla\firefox\profiles\213gklny.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.protopage.com/gorgeous FF - prefs.js: network.proxy.http - 192.168.0.4 FF - prefs.js: network.proxy.http_port - 8080 FF - prefs.js: network.proxy.type - 1 FF - plugin: c:\documents and settings\ester\local settings\application data\google\update\1.3.21.65\npGoogleUpdate3.dll FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll . ============= SERVICES / DRIVERS =============== . R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [2009-1-10 17968] R0 VSP;Veritas Snapshot Provider;c:\windows\system32\drivers\VSP.SYS [2006-5-4 51896] R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264] R1 MpKsld1f442ed;MpKsld1f442ed;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6e4f3834-e71a-4221-b153-2c93dd00c02f}\MpKsld1f442ed.sys [2011-8-8 28752] R1 vmhgfs;vmhgfs;c:\windows\system32\drivers\vmhgfs.sys [2009-1-10 118576] R2 Amazon Download Agent;Amazon Download Agent;c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderService.exe [2010-8-26 401920] R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-2-14 366640] R2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\nitro pdf\professional\NitroPDFDriverService.exe [2009-10-5 188736] R2 Seagate-Replica-Service;Seagate-Replica-Service;c:\program files\seagate replica\bin\Seagate-Replica-Service.exe [2010-3-10 1814016] R2 Seagate-Replica-SysMon;Seagate-Replica-SysMon;c:\program files\seagate replica\bin\Seagate-Replica-SysMon.exe [2010-3-10 162256] R2 VMMEMCTL;Memory Control Driver;c:\program files\vmware\vmware tools\drivers\memctl\vmmemctl.sys [2008-9-10 14384] R2 VMTools;VMware Tools Service;c:\program files\vmware\vmware tools\VMwareService.exe [2008-9-10 539184] R2 VMware Physical Disk Helper Service;VMware Physical Disk Helper Service;c:\program files\vmware\vmware tools\vmacthlp.exe [2008-9-10 358960] R2 XobniService;XobniService;c:\program files\xobni\XobniService.exe [2009-11-20 55016] R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-2-14 22712] R3 TPAutoConnSvc;TP AutoConnect Service;c:\program files\vmware\vmware tools\TPAutoConnSvc.exe [2008-9-10 238832] R3 vmci;VMware VMCI Bus Driver;c:\windows\system32\drivers\vmci.sys [2009-1-10 53424] R3 vmmouse;VMware Pointing Device;c:\windows\system32\drivers\vmmouse.sys [2009-1-10 11696] R3 vmx_svga;vmx_svga;c:\windows\system32\drivers\vmx_svga.sys [2009-1-10 63920] R3 vmxnet;VMware Ethernet Adapter Driver;c:\windows\system32\drivers\vmxnet.sys [2009-1-10 36400] S1 MpKsl0d79e836;MpKsl0d79e836;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f05d555a-3232-41b9-a7e6-c7b79c3d03fc}\mpksl0d79e836.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f05d555a-3232-41b9-a7e6-c7b79c3d03fc}\MpKsl0d79e836.sys [?] S1 MpKsl10ac8e75;MpKsl10ac8e75;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{24d53bca-18a9-4852-80df-ae6b1e83b5fa}\mpksl10ac8e75.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{24d53bca-18a9-4852-80df-ae6b1e83b5fa}\MpKsl10ac8e75.sys [?] S1 MpKsl2fe9f741;MpKsl2fe9f741;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b80ad19f-1f48-4fa9-b021-a2f2095a899b}\mpksl2fe9f741.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b80ad19f-1f48-4fa9-b021-a2f2095a899b}\MpKsl2fe9f741.sys [?] S1 MpKslc6d22bcd;MpKslc6d22bcd;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{358d38ee-85fa-4d81-a546-8c7fa96ce586}\mpkslc6d22bcd.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{358d38ee-85fa-4d81-a546-8c7fa96ce586}\MpKslc6d22bcd.sys [?] S1 MpKsle1b24590;MpKsle1b24590;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e1ed8d8e-8ef7-4561-a9eb-06302ecc26ac}\mpksle1b24590.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e1ed8d8e-8ef7-4561-a9eb-06302ecc26ac}\MpKsle1b24590.sys [?] S1 MpKslf8bc5d4a;MpKslf8bc5d4a;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{2a98144e-1f03-46de-96ad-6a2dd8e14b59}\mpkslf8bc5d4a.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{2a98144e-1f03-46de-96ad-6a2dd8e14b59}\MpKslf8bc5d4a.sys [?] S1 vmdebug;VMware Replay Debugging Helper;c:\windows\system32\drivers\vmdebug.sys [2008-9-10 19504] S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-3 135664] S2 NetBackup SAN Client Fibre Transport Service;NetBackup SAN Client Fibre Transport Service;c:\progra~1\veritas\netbac~1\bin\nbftclnt.exe [2009-5-1 804184] S2 QuickBooksDB18;QuickBooksDB18;c:\progra~1\intuit\quickb~1\qbdbmgrn.exe -hvquickbooksdb18 --> c:\progra~1\intuit\quickb~1\QBDBMgrN.exe -hvQuickBooksDB18 [?] S2 VRTSpbx;Symantec Private Branch Exchange;c:\windows\system32\cmd.exe [2003-7-16 389120] S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-5-21 30192] S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-3 135664] . =============== Created Last 30 ================ . 2011-08-09 02:35:45 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6e4f3834-e71a-4221-b153-2c93dd00c02f}\MpKsld1f442ed.sys 2011-08-09 02:32:01 6881616 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6e4f3834-e71a-4221-b153-2c93dd00c02f}\mpengine.dll 2011-08-06 01:04:58 -------- d-sha-r- C:\cmdcons 2011-08-06 01:01:23 98816 ----a-w- c:\windows\sed.exe 2011-08-06 01:01:23 518144 ----a-w- c:\windows\SWREG.exe 2011-08-06 01:01:23 256000 ----a-w- c:\windows\PEV.exe 2011-08-06 01:01:23 208896 ----a-w- c:\windows\MBR.exe 2011-07-30 07:05:49 -------- d-----w- c:\program files\ESET 2011-07-14 18:06:02 -------- d-----w- c:\program files\Webroot 2011-07-14 14:53:18 388096 ----a-r- c:\documents and settings\ester\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe 2011-07-14 14:53:02 -------- d-----w- c:\program files\Trend Micro . ==================== Find3M ==================== . 2011-07-07 02:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2011-07-07 02:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-06-24 04:07:25 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2011-06-12 02:51:30 74 --sh--r- c:\windows\FFSSET.BIN 2011-06-02 14:02:05 1858944 ------w- c:\windows\system32\win32k.sys . ============= FINISH: 0:39:23.45 =============== What do you think I have? Am I/Was I infected? Any info is appreciated, I do thank you for helping me out!! attach.zip

Ok, here goes everything you requested... I hope it helps, it's all Greek to me!! Thank you very much for your help! MBAM Protection Log: 00:51:02 ester IP-BLOCK 208.87.32.75 (Type: outgoing) 01:51:32 ester IP-BLOCK 208.87.32.75 (Type: outgoing) 01:51:34 ester IP-BLOCK 208.87.32.75 (Type: outgoing) 02:51:38 ester IP-BLOCK 208.87.32.75 (Type: outgoing) 02:51:40 ester IP-BLOCK 208.87.32.75 (Type: outgoing) 03:52:16 ester IP-BLOCK 208.87.32.75 (Type: outgoing) 04:52:24 ester IP-BLOCK 208.87.32.75 (Type: outgoing) 04:52:26 ester IP-BLOCK 208.87.32.75 (Type: outgoing) 05:52:30 ester IP-BLOCK 208.87.32.75 (Type: outgoing) 05:52:32 ester IP-BLOCK 208.87.32.75 (Type: outgoing) 06:52:42 ester IP-BLOCK 208.87.32.75 (Type: outgoing) 06:52:45 ester IP-BLOCK 208.87.32.75 (Type: outgoing) 07:52:48 ester IP-BLOCK 208.87.32.75 (Type: outgoing) 07:52:50 ester IP-BLOCK 208.87.32.75 (Type: outgoing) 08:52:55 ester IP-BLOCK 208.87.32.75 (Type: outgoing) 08:52:57 ester IP-BLOCK 208.87.32.75 (Type: outgoing) 09:53:09 ester IP-BLOCK 208.87.32.75 (Type: outgoing) 09:53:12 ester IP-BLOCK 208.87.32.75 (Type: outgoing) 10:53:33 ester IP-BLOCK 208.87.32.75 (Type: outgoing) 10:53:36 ester IP-BLOCK 208.87.32.75 (Type: outgoing) 11:53:44 ester IP-BLOCK 208.87.32.75 (Type: outgoing) 11:53:47 ester IP-BLOCK 208.87.32.75 (Type: outgoing) 12:53:55 ester IP-BLOCK 208.87.32.75 (Type: outgoing) 12:54:00 ester IP-BLOCK 208.87.32.75 (Type: outgoing) 13:54:05 ester IP-BLOCK 208.87.32.75 (Type: outgoing) 13:54:07 ester IP-BLOCK 208.87.32.75 (Type: outgoing) 14:54:17 ester IP-BLOCK 208.87.32.75 (Type: outgoing) 14:54:20 ester IP-BLOCK 208.87.32.75 (Type: outgoing) 15:54:35 ester IP-BLOCK 208.87.32.75 (Type: outgoing) 15:54:38 ester IP-BLOCK 208.87.32.75 (Type: outgoing) 16:32:58 ester MESSAGE IP Protection stopped 16:42:30 ester MESSAGE Database updated successfully 16:42:32 ester MESSAGE IP Protection started successfully 16:56:15 ester IP-BLOCK 208.87.32.75 (Type: outgoing) 17:56:37 ester IP-BLOCK 208.87.32.75 (Type: outgoing) 17:56:42 ester IP-BLOCK 208.87.32.75 (Type: outgoing) 17:59:59 ester MESSAGE IP Protection stopped 19:23:41 ester MESSAGE Protection started successfully 19:23:46 ester MESSAGE IP Protection started successfully I stopped the protection to be able to run Combofix, but I disconnected my computer from the internet at that time. MBAM Log after Quick Scan: Malwarebytes' Anti-Malware 1.51.1.1800 www.malwarebytes.org Database version: 7390 Windows 5.1.2600 Service Pack 3 Internet Explorer 8.0.6001.18702 8/5/2011 5:38:50 PM mbam-log-2011-08-05 (17-38-49).txt Scan type: Quick scan Objects scanned: 241900 Time elapsed: 1 hour(s), 5 minute(s), 29 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) Combofix Log: ComboFix 11-08-05.02 - ester 08/05/2011 18:57:12.2.1 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.427 [GMT -7:00] Running from: c:\documents and settings\ester\Desktop\ComboFix.exe AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF} AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095} . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . c:\documents and settings\ester\WINDOWS C:\install.exe c:\windows\UNWISE.EXE . . ((((((((((((((((((((((((( Files Created from 2011-07-06 to 2011-08-06 ))))))))))))))))))))))))))))))) . . 2011-08-05 23:47 . 2011-07-13 03:39 6881616 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1C6704EA-9747-4D59-90F0-115A8310F0D8}\mpengine.dll 2011-07-30 07:05 . 2011-07-30 07:05 -------- d-----w- c:\program files\ESET 2011-07-22 03:21 . 2011-07-22 03:21 -------- d-----w- c:\documents and settings\QBDataServiceUser18 2011-07-14 18:06 . 2011-07-14 18:06 -------- d-----w- c:\program files\Webroot 2011-07-14 14:53 . 2011-07-14 14:53 388096 ----a-r- c:\documents and settings\ester\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe 2011-07-14 14:53 . 2011-07-14 14:53 -------- d-----w- c:\program files\Trend Micro . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-07-13 03:39 . 2009-06-25 18:34 6881616 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll 2011-07-07 02:52 . 2010-02-14 18:25 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2011-07-07 02:52 . 2010-02-14 18:25 22712 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-06-24 04:07 . 2011-05-20 18:15 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2011-06-02 14:02 . 2003-07-16 16:45 1858944 ------w- c:\windows\system32\win32k.sys 2011-06-21 21:53 . 2011-05-20 16:01 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1] @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}] 2011-02-18 05:12 94208 ----a-w- c:\documents and settings\ester\Application Data\Dropbox\bin\DropboxExt.14.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2] @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}] 2011-02-18 05:12 94208 ----a-w- c:\documents and settings\ester\Application Data\Dropbox\bin\DropboxExt.14.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3] @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}] 2011-02-18 05:12 94208 ----a-w- c:\documents and settings\ester\Application Data\Dropbox\bin\DropboxExt.14.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4] @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}] 2011-02-18 05:12 94208 ----a-w- c:\documents and settings\ester\Application Data\Dropbox\bin\DropboxExt.14.dll . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-20 68856] "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112] "Calgoo Connect"="c:\program files\CalgooConnect\CalgooConnect.exe" [2008-09-06 6409216] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "VMware Tools"="c:\program files\VMware\VMware Tools\VMwareTray.exe" [2008-09-11 428592] "VMware User Process"="c:\program files\VMware\VMware Tools\VMwareUser.exe" [2008-09-11 862768] "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-08-21 30192] "AmazonGSDownloaderTray"="c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe" [2009-10-23 326144] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920] "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408] "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-07 449584] . [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096] . c:\documents and settings\ester\Start Menu\Programs\Startup\ Dropbox.lnk - c:\documents and settings\ester\Application Data\Dropbox\bin\Dropbox.exe [2011-5-25 24176560] . c:\documents and settings\All Users\Start Menu\Programs\Startup\ QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-2-27 972064] Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904] . [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128] . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TPSvc] 2008-09-11 00:52 423208 ------r- c:\windows\system32\TPSvc.dll . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc] @="Service" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys] @="Driver" . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\CalgooConnect\\CalgooConnect.exe"= . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009 . R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [1/10/2009 1:29 AM 17968] R0 VSP;Veritas Snapshot Provider;c:\windows\system32\drivers\VSP.SYS [5/4/2006 4:16 PM 51896] R1 vmhgfs;vmhgfs;c:\windows\system32\drivers\vmhgfs.sys [1/10/2009 1:29 AM 118576] R2 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [8/26/2010 8:35 PM 401920] R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2/14/2010 11:25 AM 366640] R2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\Nitro PDF\Professional\NitroPDFDriverService.exe [10/5/2009 10:08 AM 188736] R2 Seagate-Replica-Service;Seagate-Replica-Service;c:\program files\Seagate Replica\bin\Seagate-Replica-Service.exe [3/10/2010 11:39 PM 1814016] R2 Seagate-Replica-SysMon;Seagate-Replica-SysMon;c:\program files\Seagate Replica\bin\Seagate-Replica-SysMon.exe [3/10/2010 11:39 PM 162256] R2 VMMEMCTL;Memory Control Driver;c:\program files\VMware\VMware Tools\Drivers\memctl\vmmemctl.sys [9/10/2008 5:53 PM 14384] R2 VMTools;VMware Tools Service;c:\program files\VMware\VMware Tools\VMwareService.exe [9/10/2008 5:54 PM 539184] R2 VMware Physical Disk Helper Service;VMware Physical Disk Helper Service;c:\program files\VMware\VMware Tools\vmacthlp.exe [9/10/2008 5:53 PM 358960] R2 VRTSpbx;Symantec Private Branch Exchange;c:\windows\system32\cmd.exe [7/16/2003 9:19 AM 389120] R2 XobniService;XobniService;c:\program files\Xobni\XobniService.exe [11/20/2009 10:13 AM 55016] R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2/14/2010 11:25 AM 22712] R3 TPAutoConnSvc;TP AutoConnect Service;c:\program files\VMware\VMware Tools\TPAutoConnSvc.exe [9/10/2008 5:52 PM 238832] R3 vmci;VMware VMCI Bus Driver;c:\windows\system32\drivers\vmci.sys [1/10/2009 1:29 AM 53424] R3 vmmouse;VMware Pointing Device;c:\windows\system32\drivers\vmmouse.sys [1/10/2009 1:29 AM 11696] R3 vmx_svga;vmx_svga;c:\windows\system32\drivers\vmx_svga.sys [1/10/2009 1:29 AM 63920] R3 vmxnet;VMware Ethernet Adapter Driver;c:\windows\system32\drivers\vmxnet.sys [1/10/2009 1:29 AM 36400] S1 MpKsl0d79e836;MpKsl0d79e836;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F05D555A-3232-41B9-A7E6-C7B79C3D03FC}\MpKsl0d79e836.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F05D555A-3232-41B9-A7E6-C7B79C3D03FC}\MpKsl0d79e836.sys [?] S1 MpKsl10ac8e75;MpKsl10ac8e75;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{24D53BCA-18A9-4852-80DF-AE6B1E83B5FA}\MpKsl10ac8e75.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{24D53BCA-18A9-4852-80DF-AE6B1E83B5FA}\MpKsl10ac8e75.sys [?] S1 MpKsl2fe9f741;MpKsl2fe9f741;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B80AD19F-1F48-4FA9-B021-A2F2095A899B}\MpKsl2fe9f741.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B80AD19F-1F48-4FA9-B021-A2F2095A899B}\MpKsl2fe9f741.sys [?] S1 MpKslc6d22bcd;MpKslc6d22bcd;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{358D38EE-85FA-4D81-A546-8C7FA96CE586}\MpKslc6d22bcd.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{358D38EE-85FA-4D81-A546-8C7FA96CE586}\MpKslc6d22bcd.sys [?] S1 MpKsle1b24590;MpKsle1b24590;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E1ED8D8E-8EF7-4561-A9EB-06302ECC26AC}\MpKsle1b24590.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E1ED8D8E-8EF7-4561-A9EB-06302ECC26AC}\MpKsle1b24590.sys [?] S1 MpKslf8bc5d4a;MpKslf8bc5d4a;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2A98144E-1F03-46DE-96AD-6A2DD8E14B59}\MpKslf8bc5d4a.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2A98144E-1F03-46DE-96AD-6A2DD8E14B59}\MpKslf8bc5d4a.sys [?] S1 vmdebug;VMware Replay Debugging Helper;c:\windows\system32\drivers\vmdebug.sys [9/10/2008 5:54 PM 19504] S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/3/2010 10:43 PM 135664] S2 NetBackup SAN Client Fibre Transport Service;NetBackup SAN Client Fibre Transport Service;c:\progra~1\Veritas\NETBAC~1\bin\nbftclnt.exe [5/1/2009 5:10 AM 804184] S2 QuickBooksDB18;QuickBooksDB18;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB18 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB18 [?] S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [5/21/2009 10:46 PM 30192] S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/3/2010 10:43 PM 135664] . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 HPService REG_MULTI_SZ HPSLPSVC hpdevmgmt REG_MULTI_SZ hpqcxs08 . Contents of the 'Scheduled Tasks' folder . 2011-08-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 05:43] . 2011-08-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 05:43] . 2011-08-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1058685564-607745707-111032338-1013Core.job - c:\documents and settings\ester\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-28 18:33] . 2011-08-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1058685564-607745707-111032338-1013UA.job - c:\documents and settings\ester\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-28 18:33] . 2011-08-06 c:\windows\Tasks\MP Scheduled Scan.job - c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 20:26] . 2011-08-05 c:\windows\Tasks\User_Feed_Synchronization-{8AD08D0A-F078-4878-A192-399B31AF25A1}.job - c:\windows\system32\msfeedssync.exe [2007-08-14 11:31] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.netvibes.com/ uInternet Settings,ProxyOverride = *.local uInternet Settings,ProxyServer = 192.168.0.4:8080 uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000 IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html LSP: c:\program files\VMware\VMware Tools\VSock SDK\bin\win32\vsocklib.dll FF - ProfilePath - c:\documents and settings\ester\Application Data\Mozilla\Firefox\Profiles\213gklny.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.protopage.com/gorgeous FF - prefs.js: network.proxy.http - 192.168.0.4 FF - prefs.js: network.proxy.http_port - 8080 FF - prefs.js: network.proxy.type - 1 . - - - - ORPHANS REMOVED - - - - . HKLM-Run-WinUtilities Quick Launcher - c:\program files\WinUtilities\WinUtil.exe HKLM-Run-Ulead AutoDetector v2 - c:\program files\Common Files\Ulead Systems\AutoDetector\monitor.exe AddRemove-Group Mail - c:\windows\UNWISE.EXE AddRemove-PRO50 - f:\pro25\Uninst.isu . . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2011-08-05 19:16 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Seagate-Replica-Service] "ImagePath"="c:\program files\Seagate Replica\bin\Seagate-Replica-Service.exe /startedbyscm:FE2355B7-40E2EE35-RebitSvcModule" . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'winlogon.exe'(688) c:\windows\System32\vmhgfs.dll . - - - - - - - > 'explorer.exe'(2352) c:\windows\system32\WININET.dll c:\documents and settings\ester\Application Data\Dropbox\bin\DropboxExt.14.dll c:\windows\system32\addressbar.dll c:\windows\System32\vmhgfs.dll c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll c:\progra~1\SEAGAT~1\bin\SEAGAT~3.DLL c:\progra~1\SEAGAT~1\bin\cqt.dll c:\progra~1\SEAGAT~1\bin\zlib1.dll c:\windows\system32\wpdshext.dll c:\windows\system32\PortableDeviceApi.dll c:\windows\system32\Audiodev.dll c:\windows\system32\WMVCore.DLL c:\windows\system32\WMASF.DLL c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe c:\windows\system32\ASTSRV.EXE c:\program files\Bonjour\mDNSResponder.exe c:\progra~1\Veritas\NETBAC~1\bin\bpinetd.exe c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe c:\progra~1\Veritas\NETBAC~1\bin\BPJAVA-msvc.EXE c:\program files\VERITAS\VxPBX\bin\pbx_exchange.exe c:\windows\system32\SearchIndexer.exe c:\program files\VMware\VMware Tools\TPAutoConnect.exe c:\program files\Seagate Replica\bin\Seagate-Replica-AutoPlay.exe c:\program files\Seagate Replica\bin\Seagate-Replica-Tray.exe c:\progra~1\Discover\SOAN\DISCOV~1.EXE c:\windows\system32\OBroker.exe . ************************************************************************** . Completion time: 2011-08-05 19:21:52 - machine was rebooted ComboFix-quarantined-files.txt 2011-08-06 02:21 . Pre-Run: 3,946,532,864 bytes free Post-Run: 6,042,157,056 bytes free . - - End Of File - - 9BC91006107427EBF9F1D9EB1714134B DDS.txt Log: . DDS (Ver_2011-06-23.01) - NTFSx86 Internet Explorer: 8.0.6001.18702 Run by ester at 19:37:08 on 2011-08-05 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.283 [GMT -7:00] . AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095} AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF} . ============== Running Processes =============== . C:\Program Files\VMware\VMware Tools\vmacthlp.exe C:\WINDOWS\system32\svchost.exe -k DcomLaunch svchost.exe c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe svchost.exe C:\WINDOWS\system32\spoolsv.exe svchost.exe C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe C:\WINDOWS\system32\ASTSRV.EXE C:\Program Files\Bonjour\mDNSResponder.exe C:\WINDOWS\system32\svchost.exe -k HPService C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe C:\WINDOWS\System32\svchost.exe -k HPZ12 C:\PROGRA~1\Veritas\NETBAC~1\bin\bpinetd.exe C:\Program Files\Nitro PDF\Professional\NitroPDFDriverService.exe C:\WINDOWS\System32\svchost.exe -k HPZ12 C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe C:\WINDOWS\System32\svchost.exe -k imgsvc C:\Program Files\VMware\VMware Tools\VMwareService.exe C:\PROGRA~1\Veritas\NETBAC~1\bin\BPJAVA-msvc.EXE C:\Program Files\VERITAS\VxPBX\bin\pbx_exchange.exe C:\WINDOWS\system32\SearchIndexer.exe C:\Program Files\Xobni\XobniService.exe C:\Program Files\Seagate Replica\bin\Seagate-Replica-Service.exe C:\Program Files\Seagate Replica\bin\Seagate-Replica-SysMon.exe C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe C:\Program Files\VMware\VMware Tools\TPAutoConnect.exe C:\Program Files\Seagate Replica\bin\Seagate-Replica-AutoPlay.exe C:\Program Files\Seagate Replica\bin\Seagate-Replica-Tray.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\VMware\VMware Tools\VMwareTray.exe C:\Program Files\VMware\VMware Tools\VMwareUser.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe C:\Program Files\Microsoft Security Client\msseces.exe C:\PROGRA~1\Discover\SOAN\DISCOV~1.EXE C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe C:\Program Files\CalgooConnect\CalgooConnect.exe C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe C:\Program Files\Windows Desktop Search\WindowsSearch.exe C:\WINDOWS\system32\OBroker.exe C:\Documents and Settings\ester\Application Data\Dropbox\bin\Dropbox.exe C:\WINDOWS\explorer.exe C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe . ============== Pseudo HJT Report =============== . uStart Page = hxxp://www.netvibes.com/ uInternet Settings,ProxyOverride = *.local uInternet Settings,ProxyServer = 192.168.0.4:8080 uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: Secure Online Account Numbers Helper: {435eaa86-d32b-484f-869c-53745fcb1642} - c:\program files\discover\soan\DiscoverSOANHelper.dll BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll TB: Secure Online Account Numbers: {a8c7c2ca-6dfd-4e16-8458-592361564d38} - c:\program files\discover\soan\DiscoverSOANToolbar.dll TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe" uRun: [iSUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler uRun: [Calgoo Connect] "c:\program files\calgooconnect\CalgooConnect.exe" -S mRun: [VMware Tools] "c:\program files\vmware\vmware tools\VMwareTray.exe" mRun: [VMware User Process] "c:\program files\vmware\vmware tools\VMwareUser.exe" mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup mRun: [AmazonGSDownloaderTray] "c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderTray.exe" mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe" mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe" mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey mRun: [secure Online Account Numbers] "c:\progra~1\discover\soan\DISCOV~1.EXE" /dontopenmycards mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t StartupFolder: c:\docume~1\ester\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\ester\application data\dropbox\bin\Dropbox.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000 IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL LSP: c:\program files\vmware\vmware tools\vsock sdk\bin\win32\vsocklib.dll DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/55.16/uploader2.cab DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1231576270321 DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll Notify: TPSvc - TPSvc.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll . ================= FIREFOX =================== . FF - ProfilePath - c:\documents and settings\ester\application data\mozilla\firefox\profiles\213gklny.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.protopage.com/gorgeous FF - prefs.js: network.proxy.http - 192.168.0.4 FF - prefs.js: network.proxy.http_port - 8080 FF - prefs.js: network.proxy.type - 1 . ============= SERVICES / DRIVERS =============== . R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [2009-1-10 17968] R0 VSP;Veritas Snapshot Provider;c:\windows\system32\drivers\VSP.SYS [2006-5-4 51896] R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264] R1 MpKsle4983c18;MpKsle4983c18;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{21518747-4c55-48be-aa27-babf8ca1aaae}\MpKsle4983c18.sys [2011-8-5 28752] R1 vmhgfs;vmhgfs;c:\windows\system32\drivers\vmhgfs.sys [2009-1-10 118576] R2 Amazon Download Agent;Amazon Download Agent;c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderService.exe [2010-8-26 401920] R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-2-14 366640] R2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\nitro pdf\professional\NitroPDFDriverService.exe [2009-10-5 188736] R2 Seagate-Replica-Service;Seagate-Replica-Service;c:\program files\seagate replica\bin\Seagate-Replica-Service.exe [2010-3-10 1814016] R2 Seagate-Replica-SysMon;Seagate-Replica-SysMon;c:\program files\seagate replica\bin\Seagate-Replica-SysMon.exe [2010-3-10 162256] R2 VMMEMCTL;Memory Control Driver;c:\program files\vmware\vmware tools\drivers\memctl\vmmemctl.sys [2008-9-10 14384] R2 VMTools;VMware Tools Service;c:\program files\vmware\vmware tools\VMwareService.exe [2008-9-10 539184] R2 VMware Physical Disk Helper Service;VMware Physical Disk Helper Service;c:\program files\vmware\vmware tools\vmacthlp.exe [2008-9-10 358960] R2 VRTSpbx;Symantec Private Branch Exchange;c:\windows\system32\cmd.exe [2003-7-16 389120] R2 XobniService;XobniService;c:\program files\xobni\XobniService.exe [2009-11-20 55016] R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-2-14 22712] R3 TPAutoConnSvc;TP AutoConnect Service;c:\program files\vmware\vmware tools\TPAutoConnSvc.exe [2008-9-10 238832] R3 vmci;VMware VMCI Bus Driver;c:\windows\system32\drivers\vmci.sys [2009-1-10 53424] R3 vmmouse;VMware Pointing Device;c:\windows\system32\drivers\vmmouse.sys [2009-1-10 11696] R3 vmx_svga;vmx_svga;c:\windows\system32\drivers\vmx_svga.sys [2009-1-10 63920] R3 vmxnet;VMware Ethernet Adapter Driver;c:\windows\system32\drivers\vmxnet.sys [2009-1-10 36400] S1 MpKsl0d79e836;MpKsl0d79e836;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f05d555a-3232-41b9-a7e6-c7b79c3d03fc}\mpksl0d79e836.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f05d555a-3232-41b9-a7e6-c7b79c3d03fc}\MpKsl0d79e836.sys [?] S1 MpKsl10ac8e75;MpKsl10ac8e75;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{24d53bca-18a9-4852-80df-ae6b1e83b5fa}\mpksl10ac8e75.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{24d53bca-18a9-4852-80df-ae6b1e83b5fa}\MpKsl10ac8e75.sys [?] S1 MpKsl2fe9f741;MpKsl2fe9f741;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b80ad19f-1f48-4fa9-b021-a2f2095a899b}\mpksl2fe9f741.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b80ad19f-1f48-4fa9-b021-a2f2095a899b}\MpKsl2fe9f741.sys [?] S1 MpKslc6d22bcd;MpKslc6d22bcd;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{358d38ee-85fa-4d81-a546-8c7fa96ce586}\mpkslc6d22bcd.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{358d38ee-85fa-4d81-a546-8c7fa96ce586}\MpKslc6d22bcd.sys [?] S1 MpKsle1b24590;MpKsle1b24590;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e1ed8d8e-8ef7-4561-a9eb-06302ecc26ac}\mpksle1b24590.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e1ed8d8e-8ef7-4561-a9eb-06302ecc26ac}\MpKsle1b24590.sys [?] S1 MpKslf8bc5d4a;MpKslf8bc5d4a;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{2a98144e-1f03-46de-96ad-6a2dd8e14b59}\mpkslf8bc5d4a.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{2a98144e-1f03-46de-96ad-6a2dd8e14b59}\MpKslf8bc5d4a.sys [?] S1 vmdebug;VMware Replay Debugging Helper;c:\windows\system32\drivers\vmdebug.sys [2008-9-10 19504] S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-3 135664] S2 NetBackup SAN Client Fibre Transport Service;NetBackup SAN Client Fibre Transport Service;c:\progra~1\veritas\netbac~1\bin\nbftclnt.exe [2009-5-1 804184] S2 QuickBooksDB18;QuickBooksDB18;c:\progra~1\intuit\quickb~1\qbdbmgrn.exe -hvquickbooksdb18 --> c:\progra~1\intuit\quickb~1\QBDBMgrN.exe -hvQuickBooksDB18 [?] S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-5-21 30192] S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-3 135664] . =============== Created Last 30 ================ . 2011-08-06 02:25:01 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{21518747-4c55-48be-aa27-babf8ca1aaae}\MpKsle4983c18.sys 2011-08-06 02:24:22 6881616 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{21518747-4c55-48be-aa27-babf8ca1aaae}\mpengine.dll 2011-08-06 01:04:58 -------- d-sha-r- C:\cmdcons 2011-08-06 01:01:23 98816 ----a-w- c:\windows\sed.exe 2011-08-06 01:01:23 518144 ----a-w- c:\windows\SWREG.exe 2011-08-06 01:01:23 256000 ----a-w- c:\windows\PEV.exe 2011-08-06 01:01:23 208896 ----a-w- c:\windows\MBR.exe 2011-07-30 07:05:49 -------- d-----w- c:\program files\ESET 2011-07-14 18:06:02 -------- d-----w- c:\program files\Webroot 2011-07-14 14:53:18 388096 ----a-r- c:\documents and settings\ester\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe 2011-07-14 14:53:02 -------- d-----w- c:\program files\Trend Micro . ==================== Find3M ==================== . 2011-07-07 02:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2011-07-07 02:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-06-24 04:07:25 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2011-06-12 02:51:30 74 --sh--r- c:\windows\FFSSET.BIN 2011-06-02 14:02:05 1858944 ------w- c:\windows\system32\win32k.sys . ============= FINISH: 19:37:54.66 =============== Thanks again, I look forward to your reply! attach.zip

Thank you very much for helping, Screen317 - I did all the steps you mentioned and while I was running Combofix I got a blue screen message that windows had encountered an error and had been shut down to prevent further damage to my computer. "Plug and Play detected an error most likely caused by a faulty driver" Siince this is the first time I see this kind of error I will restart the computer & check to see if Combofix had any logs already in which case I will post them - or I will re-run it & post once it's done... Just wanted to give you a heads up.

I use Malwarebytes Pro which hasn't detected anything even though I've run it several times. I've also been running Microsoft Security Essentials since forever and it does not seem to detect anything. Could someone please help me? I followed all the steps on http://forums.malwarebytes.org/index.php?showtopic=9573 - Here are my logs: MBAM Malwarebytes' Anti-Malware 1.51.1.1800 www.malwarebytes.org Database version: 7362 Windows 5.1.2600 Service Pack 3 Internet Explorer 8.0.6001.18702 8/3/2011 12:44:44 PM mbam-log-2011-08-03 (12-44-44).txt Scan type: Quick scan Objects scanned: 240578 Time elapsed: 27 minute(s), 19 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) DDS.txt . DDS (Ver_2011-06-23.01) - NTFSx86 Internet Explorer: 8.0.6001.18702 Run by ester at 16:41:51 on 2011-08-03 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.283 [GMT -7:00] . AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095} AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF} . ============== Running Processes =============== . C:\Program Files\VMware\VMware Tools\vmacthlp.exe C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe svchost.exe C:\WINDOWS\system32\spoolsv.exe svchost.exe C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe C:\WINDOWS\system32\ASTSRV.EXE C:\Program Files\Bonjour\mDNSResponder.exe C:\WINDOWS\system32\svchost.exe -k HPService C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe C:\WINDOWS\System32\svchost.exe -k HPZ12 C:\PROGRA~1\Veritas\NETBAC~1\bin\bpinetd.exe C:\Program Files\Nitro PDF\Professional\NitroPDFDriverService.exe C:\WINDOWS\System32\svchost.exe -k HPZ12 C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe C:\WINDOWS\System32\svchost.exe -k imgsvc C:\Program Files\VMware\VMware Tools\VMwareService.exe C:\PROGRA~1\Veritas\NETBAC~1\bin\BPJAVA-msvc.EXE C:\Program Files\VERITAS\VxPBX\bin\pbx_exchange.exe C:\WINDOWS\system32\SearchIndexer.exe C:\WINDOWS\system32\svchost.exe -k netsvcs C:\Program Files\Seagate Replica\bin\Seagate-Replica-Service.exe C:\Program Files\Seagate Replica\bin\Seagate-Replica-SysMon.exe C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe C:\WINDOWS\Explorer.EXE C:\Program Files\VMware\VMware Tools\TPAutoConnect.exe C:\Program Files\Seagate Replica\bin\Seagate-Replica-AutoPlay.exe C:\Program Files\Seagate Replica\bin\Seagate-Replica-Tray.exe C:\Program Files\VMware\VMware Tools\VMwareTray.exe C:\Program Files\VMware\VMware Tools\VMwareUser.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe C:\Program Files\Microsoft Security Client\msseces.exe C:\PROGRA~1\Discover\SOAN\DISCOV~1.EXE C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe C:\Program Files\CalgooConnect\CalgooConnect.exe C:\WINDOWS\system32\OBroker.exe C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe C:\Program Files\Windows Desktop Search\WindowsSearch.exe C:\Documents and Settings\ester\Application Data\Dropbox\bin\Dropbox.exe C:\WINDOWS\system32\SearchProtocolHost.exe . ============== Pseudo HJT Report =============== . uSearch Page = hxxp://www.google.com uStart Page = hxxp://www.netvibes.com/ uSearch Bar = hxxp://www.google.com/ie uInternet Settings,ProxyOverride = *.local uInternet Settings,ProxyServer = 192.168.0.4:8080 uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s mSearchAssistant = hxxp://www.google.com/ie BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: Secure Online Account Numbers Helper: {435eaa86-d32b-484f-869c-53745fcb1642} - c:\program files\discover\soan\DiscoverSOANHelper.dll BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll TB: Secure Online Account Numbers: {a8c7c2ca-6dfd-4e16-8458-592361564d38} - c:\program files\discover\soan\DiscoverSOANToolbar.dll TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe" uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background uRun: [iSUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler uRun: [Calgoo Connect] "c:\program files\calgooconnect\CalgooConnect.exe" -S uRun: [Google Update] "c:\documents and settings\ester\local settings\application data\google\update\GoogleUpdate.exe" /c mRun: [VMware Tools] "c:\program files\vmware\vmware tools\VMwareTray.exe" mRun: [VMware User Process] "c:\program files\vmware\vmware tools\VMwareUser.exe" mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup mRun: [WinUtilities Quick Launcher] c:\program files\winutilities\WinUtil.exe /autorun mRun: [AmazonGSDownloaderTray] "c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderTray.exe" mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe" mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe" mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey mRun: [secure Online Account Numbers] "c:\progra~1\discover\soan\DISCOV~1.EXE" /dontopenmycards mRun: [ulead AutoDetector v2] c:\program files\common files\ulead systems\autodetector\monitor.exe mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t StartupFolder: c:\docume~1\ester\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\ester\application data\dropbox\bin\Dropbox.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000 IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL LSP: c:\program files\vmware\vmware tools\vsock sdk\bin\win32\vsocklib.dll DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/55.16/uploader2.cab DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1231576270321 DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab TCP: DhcpNameServer = 192.168.0.4 192.168.0.1 TCP: Interfaces\{1B33972D-F512-42E6-B7D4-ECA75C5EDE48} : DhcpNameServer = 192.168.0.4 192.168.0.1 Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll Notify: TPSvc - TPSvc.dll AppInit_DLLs: c:\progra~1\google\google~3\GOEC62~1.DLL SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll Hosts: 192.168.5.1 rainier Hosts: 192.168.5.2 orlando Hosts: 192.168.5.3 colorado Hosts: 192.168.5.5 maui Hosts: 192.168.5.25 queenie . ================= FIREFOX =================== . FF - ProfilePath - c:\documents and settings\ester\application data\mozilla\firefox\profiles\213gklny.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.protopage.com/gorgeous FF - prefs.js: network.proxy.http - 192.168.0.4 FF - prefs.js: network.proxy.http_port - 8080 FF - prefs.js: network.proxy.type - 1 FF - component: c:\program files\discover\soan\components\SlimOrbAddonDiscoverSOAN.dll FF - plugin: c:\documents and settings\ester\local settings\application data\google\update\1.3.21.65\npGoogleUpdate3.dll FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll . ============= SERVICES / DRIVERS =============== . R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [2009-1-10 17968] R0 VSP;Veritas Snapshot Provider;c:\windows\system32\drivers\VSP.SYS [2006-5-4 51896] R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264] R1 MpKsl4b3f90a7;MpKsl4b3f90a7;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{358d38ee-85fa-4d81-a546-8c7fa96ce586}\MpKsl4b3f90a7.sys [2011-8-3 28752] R1 MpKslc6d22bcd;MpKslc6d22bcd;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{358d38ee-85fa-4d81-a546-8c7fa96ce586}\MpKslc6d22bcd.sys [2011-8-2 28752] R1 vmhgfs;vmhgfs;c:\windows\system32\drivers\vmhgfs.sys [2009-1-10 118576] R2 Amazon Download Agent;Amazon Download Agent;c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderService.exe [2010-8-26 401920] R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-2-14 366640] R2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\nitro pdf\professional\NitroPDFDriverService.exe [2009-10-5 188736] R2 Seagate-Replica-Service;Seagate-Replica-Service;c:\program files\seagate replica\bin\Seagate-Replica-Service.exe [2010-3-10 1814016] R2 Seagate-Replica-SysMon;Seagate-Replica-SysMon;c:\program files\seagate replica\bin\Seagate-Replica-SysMon.exe [2010-3-10 162256] R2 VMMEMCTL;Memory Control Driver;c:\program files\vmware\vmware tools\drivers\memctl\vmmemctl.sys [2008-9-10 14384] R2 VMTools;VMware Tools Service;c:\program files\vmware\vmware tools\VMwareService.exe [2008-9-10 539184] R2 VMware Physical Disk Helper Service;VMware Physical Disk Helper Service;c:\program files\vmware\vmware tools\vmacthlp.exe [2008-9-10 358960] R2 VRTSpbx;Symantec Private Branch Exchange;c:\windows\system32\cmd.exe [2003-7-16 389120] R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-2-14 22712] R3 TPAutoConnSvc;TP AutoConnect Service;c:\program files\vmware\vmware tools\TPAutoConnSvc.exe [2008-9-10 238832] R3 vmci;VMware VMCI Bus Driver;c:\windows\system32\drivers\vmci.sys [2009-1-10 53424] R3 vmmouse;VMware Pointing Device;c:\windows\system32\drivers\vmmouse.sys [2009-1-10 11696] R3 vmx_svga;vmx_svga;c:\windows\system32\drivers\vmx_svga.sys [2009-1-10 63920] R3 vmxnet;VMware Ethernet Adapter Driver;c:\windows\system32\drivers\vmxnet.sys [2009-1-10 36400] S1 MpKsl0d79e836;MpKsl0d79e836;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f05d555a-3232-41b9-a7e6-c7b79c3d03fc}\mpksl0d79e836.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f05d555a-3232-41b9-a7e6-c7b79c3d03fc}\MpKsl0d79e836.sys [?] S1 MpKsl10ac8e75;MpKsl10ac8e75;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{24d53bca-18a9-4852-80df-ae6b1e83b5fa}\mpksl10ac8e75.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{24d53bca-18a9-4852-80df-ae6b1e83b5fa}\MpKsl10ac8e75.sys [?] S1 MpKsl2fe9f741;MpKsl2fe9f741;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b80ad19f-1f48-4fa9-b021-a2f2095a899b}\mpksl2fe9f741.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b80ad19f-1f48-4fa9-b021-a2f2095a899b}\MpKsl2fe9f741.sys [?] S1 MpKsle1b24590;MpKsle1b24590;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e1ed8d8e-8ef7-4561-a9eb-06302ecc26ac}\mpksle1b24590.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e1ed8d8e-8ef7-4561-a9eb-06302ecc26ac}\MpKsle1b24590.sys [?] S1 MpKslf8bc5d4a;MpKslf8bc5d4a;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{2a98144e-1f03-46de-96ad-6a2dd8e14b59}\mpkslf8bc5d4a.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{2a98144e-1f03-46de-96ad-6a2dd8e14b59}\MpKslf8bc5d4a.sys [?] S1 vmdebug;VMware Replay Debugging Helper;c:\windows\system32\drivers\vmdebug.sys [2008-9-10 19504] S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-3 135664] S2 NetBackup SAN Client Fibre Transport Service;NetBackup SAN Client Fibre Transport Service;c:\progra~1\veritas\netbac~1\bin\nbftclnt.exe [2009-5-1 804184] S2 QuickBooksDB18;QuickBooksDB18;c:\progra~1\intuit\quickb~1\qbdbmgrn.exe -hvquickbooksdb18 --> c:\progra~1\intuit\quickb~1\QBDBMgrN.exe -hvQuickBooksDB18 [?] S2 XobniService;XobniService;c:\program files\xobni\XobniService.exe [2009-11-20 55016] S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-5-21 30192] S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-3 135664] . =============== Created Last 30 ================ . 2011-08-03 23:31:16 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{358d38ee-85fa-4d81-a546-8c7fa96ce586}\MpKsl4b3f90a7.sys 2011-08-03 05:55:48 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{358d38ee-85fa-4d81-a546-8c7fa96ce586}\MpKslc6d22bcd.sys 2011-08-03 05:52:38 6881616 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{358d38ee-85fa-4d81-a546-8c7fa96ce586}\mpengine.dll 2011-07-30 07:05:49 -------- d-----w- c:\program files\ESET 2011-07-14 18:06:02 -------- d-----w- c:\program files\Webroot 2011-07-14 14:53:18 388096 ----a-r- c:\documents and settings\ester\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe 2011-07-14 14:53:02 -------- d-----w- c:\program files\Trend Micro . ==================== Find3M ==================== . 2011-07-07 02:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2011-07-07 02:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-06-24 04:07:25 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2011-06-12 02:51:30 74 --sh--r- c:\windows\FFSSET.BIN 2011-06-02 14:02:05 1858944 ------w- c:\windows\system32\win32k.sys . ============= FINISH: 16:43:50.49 =============== My computer is a Mac, but I'm running Windows under VMWware Fusion. I keep getting these messages in the Windows portion referring to MBAM successfully blocked access to 208.87.32.75 I have no idea why. I do not get redirects, everything else seems to be working pretty normal, but these pop-up notifications are driving me insane... I would really appreciate any assistance you can offer. Thank you very much in advance! attach.zip