
Topic: Computer Hope Hijack This Log Overview


distrutled

    Topic Starter


    Rookie

    Computer Hope Hijack This Log Overview
    « on: April 07, 2011, 12:30:50 PM »
    After I updated my plug-ins using the system process tool, I was curious to see what the HijackThis log overview tool was all about. I was shocked to find out it said I had a file called lms.exe in the wrong directory, I had numerous possible DNS hijacks, it also said I had some IE functions disabled that may need to be enabled, and that I didn't have an anti-virus program.

    I am currently using Comodo Internet Security which is supposed to be a Firewall/Anti Virus bundle.  Do I need to consider something else?  It seems to be working and running scans as scheduled.

    As far as the lms.exe and DNS go, I will post my logs hoping someone can help me tell whether or not I am hijacked.

    Thanks in advance

    Logs:

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 04/07/2011 at 12:54 PM

    Application Version : 4.50.1002

    Core Rules Database Version : 6081
    Trace Rules Database Version: 3893

    Scan type       : Complete Scan
    Total Scan Time : 00:43:21

    Memory items scanned      : 593
    Memory threats detected   : 0
    Registry items scanned    : 5698
    Registry threats detected : 0
    File items scanned        : 50958
    File threats detected     : 36

    Adware.Tracking Cookie
       .avgtechnologies.112.2o7.net [ C:\Documents and Settings\Aidan\Application Data\Mozilla\Firefox\Profiles\tklyyh92.default\cookies.sqlite ]
       media.mtvnservices.com [ C:\Documents and Settings\AIDAN.MICHAEL\Application Data\Macromedia\Flash Player\#SharedObjects\G5WLV7FP ]
       msnbcmedia.msn.com [ C:\Documents and Settings\AIDAN.MICHAEL\Application Data\Macromedia\Flash Player\#SharedObjects\G5WLV7FP ]
       secure-us.imrworldwide.com [ C:\Documents and Settings\AIDAN.MICHAEL\Application Data\Macromedia\Flash Player\#SharedObjects\G5WLV7FP ]
       .apmebf.com [ C:\Documents and Settings\AIDAN.MICHAEL\Application Data\Mozilla\Firefox\Profiles\8e6n0u4m.default\cookies.sqlite ]
       .fastclick.net [ C:\Documents and Settings\AIDAN.MICHAEL\Application Data\Mozilla\Firefox\Profiles\8e6n0u4m.default\cookies.sqlite ]
       .fastclick.net [ C:\Documents and Settings\AIDAN.MICHAEL\Application Data\Mozilla\Firefox\Profiles\8e6n0u4m.default\cookies.sqlite ]
       .fastclick.net [ C:\Documents and Settings\AIDAN.MICHAEL\Application Data\Mozilla\Firefox\Profiles\8e6n0u4m.default\cookies.sqlite ]
       .atdmt.com [ C:\Documents and Settings\AIDAN.MICHAEL\Application Data\Mozilla\Firefox\Profiles\8e6n0u4m.default\cookies.sqlite ]
       .atdmt.com [ C:\Documents and Settings\AIDAN.MICHAEL\Application Data\Mozilla\Firefox\Profiles\8e6n0u4m.default\cookies.sqlite ]
       .kontera.com [ C:\Documents and Settings\AIDAN.MICHAEL\Application Data\Mozilla\Firefox\Profiles\8e6n0u4m.default\cookies.sqlite ]
       .doubleclick.net [ C:\Documents and Settings\AIDAN.MICHAEL\Application Data\Mozilla\Firefox\Profiles\8e6n0u4m.default\cookies.sqlite ]
       .microsoftsto.112.2o7.net [ C:\Documents and Settings\AIDAN.MICHAEL\Application Data\Mozilla\Firefox\Profiles\8e6n0u4m.default\cookies.sqlite ]
       statse.webtrendslive.com [ C:\Documents and Settings\AIDAN.MICHAEL\Application Data\Mozilla\Firefox\Profiles\8e6n0u4m.default\cookies.sqlite ]
       segment-pixel.invitemedia.com [ C:\Documents and Settings\AIDAN.MICHAEL\Application Data\Mozilla\Firefox\Profiles\8e6n0u4m.default\cookies.sqlite ]
       .invitemedia.com [ C:\Documents and Settings\AIDAN.MICHAEL\Application Data\Mozilla\Firefox\Profiles\8e6n0u4m.default\cookies.sqlite ]
       .invitemedia.com [ C:\Documents and Settings\AIDAN.MICHAEL\Application Data\Mozilla\Firefox\Profiles\8e6n0u4m.default\cookies.sqlite ]
       g-pixel.invitemedia.com [ C:\Documents and Settings\AIDAN.MICHAEL\Application Data\Mozilla\Firefox\Profiles\8e6n0u4m.default\cookies.sqlite ]
       ad.yieldmanager.com [ C:\Documents and Settings\AIDAN.MICHAEL\Application Data\Mozilla\Firefox\Profiles\8e6n0u4m.default\cookies.sqlite ]
       ad.yieldmanager.com [ C:\Documents and Settings\AIDAN.MICHAEL\Application Data\Mozilla\Firefox\Profiles\8e6n0u4m.default\cookies.sqlite ]
       .overture.com [ C:\Documents and Settings\AIDAN.MICHAEL\Application Data\Mozilla\Firefox\Profiles\8e6n0u4m.default\cookies.sqlite ]
       .overture.com [ C:\Documents and Settings\AIDAN.MICHAEL\Application Data\Mozilla\Firefox\Profiles\8e6n0u4m.default\cookies.sqlite ]
       .2o7.net [ C:\Documents and Settings\AIDAN.MICHAEL\Application Data\Mozilla\Firefox\Profiles\8e6n0u4m.default\cookies.sqlite ]
       .imrworldwide.com [ C:\Documents and Settings\AIDAN.MICHAEL\Application Data\Mozilla\Firefox\Profiles\8e6n0u4m.default\cookies.sqlite ]
       .imrworldwide.com [ C:\Documents and Settings\AIDAN.MICHAEL\Application Data\Mozilla\Firefox\Profiles\8e6n0u4m.default\cookies.sqlite ]
       C:\Documents and Settings\AIDAN.MICHAEL\Cookies\[email protected][2].txt
       C:\Documents and Settings\AIDAN.MICHAEL\Cookies\aidan@2o7[1].txt
       C:\Documents and Settings\AIDAN.MICHAEL\Cookies\[email protected][2].txt
       C:\Documents and Settings\AIDAN.MICHAEL\Cookies\aidan@advertising[2].txt
       C:\Documents and Settings\AIDAN.MICHAEL\Cookies\[email protected][2].txt
       C:\Documents and Settings\AIDAN.MICHAEL\Cookies\aidan@atdmt[2].txt
       C:\Documents and Settings\AIDAN.MICHAEL\Cookies\aidan@doubleclick[1].txt
       C:\Documents and Settings\AIDAN.MICHAEL\Cookies\aidan@media6degrees[1].txt
       C:\Documents and Settings\AIDAN.MICHAEL\Cookies\aidan@questionmarket[1].txt
       C:\Documents and Settings\AIDAN.MICHAEL\Cookies\[email protected][1].txt
       C:\Documents and Settings\AIDAN.MICHAEL\Cookies\[email protected][1].txt

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6302

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    4/7/2011 1:09:38 PM
    mbam-log-2011-04-07 (13-09-38).txt

    Scan type: Quick scan
    Objects scanned: 177542
    Time elapsed: 4 minute(s), 56 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:15:57 PM, on 4/7/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
    C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Intel\AMT\LMS.exe
    C:\PROGRA~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
    C:\Program Files\Epson Software\FAX Utility\FUFAXSTM.exe
    C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
    C:\Program Files\Squeezebox\SqueezeTray.exe
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.bin
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\system32\SearchProtocolHost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
    O4 - HKLM\..\Run: [EEventManager] C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
    O4 - HKLM\..\Run: [FUFAXSTM] "C:\Program Files\Epson Software\FAX Utility\FUFAXSTM.exe"
    O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - S-1-5-18 Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe (User 'Default user')
    O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: NETGEAR WG111v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
    O4 - Global Startup: Squeezebox Server Tray Tool.lnk = C:\Program Files\Squeezebox\SqueezeTray.exe
    O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1259633329522
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{08254751-F0E0-4DC7-9FCA-06A52E8C9869}: NameServer = 156.154.70.22,156.154.71.22
    O17 - HKLM\System\CCS\Services\Tcpip\..\{DE3A5C69-763A-45FF-A999-71154F23952B}: NameServer = 156.154.70.22,156.154.71.22
    O17 - HKLM\System\CS1\Services\Tcpip\..\{08254751-F0E0-4DC7-9FCA-06A52E8C9869}: NameServer = 156.154.70.22,156.154.71.22
    O17 - HKLM\System\CS2\Services\Tcpip\..\{08254751-F0E0-4DC7-9FCA-06A52E8C9869}: NameServer = 156.154.70.22,156.154.71.22
    O20 - AppInit_DLLs:     C:\WINDOWS\system32\guard32.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    O23 - Service: EpsonBidirectionalService - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    O23 - Service: EPSON V5 Service4(01) (EPSON_EB_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
    O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Intel(R) Active Management Technology LMS Service (LMS) - Intel - C:\Program Files\Intel\AMT\LMS.exe
    O23 - Service: SqueezeMySQL - Unknown owner - C:\PROGRA~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe

    --
    End of file - 7248 bytes
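As an added example (not code from this thread, from HijackThis or from Computer Hope), here is a small Python triage script that performs the two checks the question above is really asking for: it lists O17 NameServer entries that carry a resolver outside an expected list, and it cross-references a running-process path such as LMS.exe with the O23 service entry that registers that binary and its vendor. The expected-resolver list assumes 156.154.70.22 and 156.154.71.22 are the Comodo Secure DNS resolvers that COMODO Internet Security offers to configure; the 192.0.2.53 address (an RFC 5737 documentation address) and its `{CONSTRUCTED-GUID}` interface key are constructed so that the check has something to flag, and the sample log is a handful of lines copied from the log posted above plus that one constructed line.

```python
"""Triage helper for a HijackThis log (added example, not part of the thread).

Checks performed:
  * O17 NameServer entries whose resolvers are not on an expected list
  * O23 service entries that register a given executable, and whether a
    running process was launched from exactly that registered path
"""
import re
from typing import Dict, List, Tuple

# Assumption: these two addresses are the Comodo Secure DNS resolvers that
# COMODO Internet Security offers to configure. Verify against the resolver
# configuration you actually expect before trusting this list.
EXPECTED_DNS = {"156.154.70.22", "156.154.71.22"}

# Constructed sample: real lines from the posted log plus ONE constructed O17
# line ({CONSTRUCTED-GUID} / 192.0.2.53) so the resolver check flags something.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{08254751-F0E0-4DC7-9FCA-06A52E8C9869}: NameServer = 156.154.70.22,156.154.71.22
O17 - HKLM\System\CS1\Services\Tcpip\..\{08254751-F0E0-4DC7-9FCA-06A52E8C9869}: NameServer = 156.154.70.22,156.154.71.22
O17 - HKLM\System\CCS\Services\Tcpip\..\{CONSTRUCTED-GUID}: NameServer = 192.0.2.53,156.154.71.22
O23 - Service: Intel(R) Active Management Technology LMS Service (LMS) - Intel - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: SqueezeMySQL - Unknown owner - C:\PROGRA~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe
"""

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>[0-9.,]+)\s*$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+?)\s*$")


def parse_log(text: str) -> Dict[str, list]:
    """Split a HijackThis log into running processes, O17 resolver entries and O23 services."""
    parsed: Dict[str, list] = {"processes": [], "nameservers": [], "services": []}
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True          # the process list runs until the first blank line
            continue
        if in_processes:
            if not line:
                in_processes = False
            else:
                parsed["processes"].append(line)
            continue
        m = O17_RE.match(line)
        if m:
            parsed["nameservers"].append((m["key"], m["servers"].split(",")))
            continue
        m = O23_RE.match(line)
        if m:
            parsed["services"].append(m.groupdict())
    return parsed


def unexpected_nameservers(parsed: Dict[str, list], expected=EXPECTED_DNS) -> List[Tuple[str, List[str]]]:
    """Return (interface key, [unexpected resolvers]) for every O17 entry with an address outside `expected`."""
    flagged = []
    for key, servers in parsed["nameservers"]:
        bad = [s for s in servers if s not in expected]
        if bad:
            flagged.append((key, bad))
    return flagged


def service_for_process(parsed: Dict[str, list], exe_name: str) -> List[dict]:
    """Find O23 services whose registered binary is `exe_name` and note whether a
    running process was started from exactly that registered path (case-insensitive)."""
    running = {p.lower() for p in parsed["processes"]}
    matches = []
    for svc in parsed["services"]:
        path = svc["path"]
        if path.lower().rsplit("\\", 1)[-1] == exe_name.lower():
            matches.append({**svc, "running_from_registered_path": path.lower() in running})
    return matches


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for key, bad in unexpected_nameservers(parsed):
        print(f"unexpected resolver(s) {bad} on {key}")
    for svc in service_for_process(parsed, "lms.exe"):
        print(f"lms.exe is registered by service '{svc['name']}' (vendor {svc['vendor']}) "
              f"at {svc['path']}; running from that path: {svc['running_from_registered_path']}")
```

Run against the full posted log, every O17 entry carries the same two addresses and LMS.exe is running from the path the Intel AMT service entry registers; that kind of cross-check between the process list, the O17 lines and the O23 lines is what a reviewer does before calling either finding a hijack, and the script simply makes it repeatable.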

    SuperDave

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Thanked: 1020
    • Experience: Expert
    • OS: Windows 10
    Re: Computer Hope Hijack This Log Overview
    « Reply #1 on: April 07, 2011, 04:43:02 PM »
    Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

    1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
    2. The fixes are specific to your problem and should only be used for this issue on this machine.
    3. If you don't know or understand something, please don't hesitate to ask.
    4. Please DO NOT run any other tools or scans while I am helping you.
    5. It is important that you reply to this thread. Do not start a new topic.
    6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    7. Absence of symptoms does not mean that everything is clear.

    If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
    **************************************************
    Quote
    I am currently using Comodo Internet Security which is supposed to be a Firewall/Anti Virus bundle.  Do I need to consider something else?  It seems to be working and running scans as scheduled.
    That should do.

    Please download ComboFix from BleepingComputer.com

    Alternate link: GeeksToGo.com

    and save it to your Desktop.
    It would be easiest to download using Internet Explorer.
    If you insist on using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
    Double click ComboFix.exe & follow the prompts.
    As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


    Click on Yes, to continue scanning for malware.
    When finished, it shall produce a log for you.  Please include the contents of C:\ComboFix.txt in your next reply.

    If you have problems with ComboFix usage, see How to use ComboFix
    Windows 8 and Windows 10 dual boot with two SSD's

    distrutled

      Topic Starter


      Rookie

      Re: Computer Hope Hijack This Log Overview
      « Reply #2 on: April 07, 2011, 09:41:16 PM »
      Here is the Combofix log

      ComboFix 11-04-07.07 - Mike 04/07/2011  22:28:58.13.2 - x86
      Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.998.532 [GMT -5:00]
      Running from: c:\documents and settings\Mike\Desktop\ComboFix.exe
      AV: COMODO Antivirus *Disabled/Updated* {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
      FW: COMODO Firewall *Disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
      .
      .
      (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      c:\docume~1\Mike\LOCALS~1\Temp\pdk-Mike-2856\20252d6e001ae3774b425e81ba09b666\Fcntl.dll
      c:\docume~1\Mike\LOCALS~1\Temp\pdk-Mike-2856\2076671ee5d0a5323570c92c74abac6f\Process.dll
      c:\docume~1\Mike\LOCALS~1\Temp\pdk-Mike-2856\23ae7fb85999872530b5a5d4d67a4f44\Registry.dll
      c:\docume~1\Mike\LOCALS~1\Temp\pdk-Mike-2856\23fe5d76b9491fa255db2281ac7687d5\Service.dll
      c:\docume~1\Mike\LOCALS~1\Temp\pdk-Mike-2856\2d2847f7dd2a1fddd0fdb79d9d64ba93\List.dll
      c:\docume~1\Mike\LOCALS~1\Temp\pdk-Mike-2856\6a834a555edd63cb8706466e7c1666f2\Hostname.dll
      c:\docume~1\Mike\LOCALS~1\Temp\pdk-Mike-2856\7020d50af327e3fc94b98242c307fc81\Cwd.dll
      c:\docume~1\Mike\LOCALS~1\Temp\pdk-Mike-2856\7dd16cc839f33995d1a58e2773aa29b8\WinError.dll
      c:\docume~1\Mike\LOCALS~1\Temp\pdk-Mike-2856\855297e7b4b860331fdbdd53426f5e15\Dumper.dll
      c:\docume~1\Mike\LOCALS~1\Temp\pdk-Mike-2856\86351894c58e4804ca004825fea78bbb\Encode.dll
      c:\docume~1\Mike\LOCALS~1\Temp\pdk-Mike-2856\a7c0cce4e1ac2c1f6d3e71bbe3c9bdd3\Socket.dll
      c:\docume~1\Mike\LOCALS~1\Temp\pdk-Mike-2856\b7b4505cb0a127c242f14d779e410e03\POSIX.dll
      c:\docume~1\Mike\LOCALS~1\Temp\pdk-Mike-2856\c3da4aa4c02db51c7f94d5eaf2438023\OLE.dll
      c:\docume~1\Mike\LOCALS~1\Temp\pdk-Mike-2856\f48694173221cfa9bad4275e2389b498\Win32.dll
      c:\docume~1\Mike\LOCALS~1\Temp\pdk-Mike-2856\perl510.dll
      c:\documents and settings\Mike\Local Settings\temp\pdk-Mike-2856\20252d6e001ae3774b425e81ba09b666\Fcntl.dll
      c:\documents and settings\Mike\Local Settings\temp\pdk-Mike-2856\2076671ee5d0a5323570c92c74abac6f\Process.dll
      c:\documents and settings\Mike\Local Settings\temp\pdk-Mike-2856\23ae7fb85999872530b5a5d4d67a4f44\Registry.dll
      c:\documents and settings\Mike\Local Settings\temp\pdk-Mike-2856\23fe5d76b9491fa255db2281ac7687d5\Service.dll
      c:\documents and settings\Mike\Local Settings\temp\pdk-Mike-2856\2d2847f7dd2a1fddd0fdb79d9d64ba93\List.dll
      c:\documents and settings\Mike\Local Settings\temp\pdk-Mike-2856\6a834a555edd63cb8706466e7c1666f2\Hostname.dll
      c:\documents and settings\Mike\Local Settings\temp\pdk-Mike-2856\7020d50af327e3fc94b98242c307fc81\Cwd.dll
      c:\documents and settings\Mike\Local Settings\temp\pdk-Mike-2856\7dd16cc839f33995d1a58e2773aa29b8\WinError.dll
      c:\documents and settings\Mike\Local Settings\temp\pdk-Mike-2856\855297e7b4b860331fdbdd53426f5e15\Dumper.dll
      c:\documents and settings\Mike\Local Settings\temp\pdk-Mike-2856\86351894c58e4804ca004825fea78bbb\Encode.dll
      c:\documents and settings\Mike\Local Settings\temp\pdk-Mike-2856\a7c0cce4e1ac2c1f6d3e71bbe3c9bdd3\Socket.dll
      c:\documents and settings\Mike\Local Settings\temp\pdk-Mike-2856\b7b4505cb0a127c242f14d779e410e03\POSIX.dll
      c:\documents and settings\Mike\Local Settings\temp\pdk-Mike-2856\c3da4aa4c02db51c7f94d5eaf2438023\OLE.dll
      c:\documents and settings\Mike\Local Settings\temp\pdk-Mike-2856\f48694173221cfa9bad4275e2389b498\Win32.dll
      c:\documents and settings\Mike\Local Settings\temp\pdk-Mike-2856\perl510.dll
      c:\rootrepeal\RootRepeal.exe
      .
      .
      (((((((((((((((((((((((((   Files Created from 2011-03-08 to 2011-04-08  )))))))))))))))))))))))))))))))
      .
      .
      2011-04-07 16:09 . 2011-04-07 16:09   --------   d-----w-   c:\documents and settings\Mike\Local Settings\Application Data\Apple
      2011-04-07 16:09 . 2011-04-07 16:09   --------   d-----w-   c:\program files\Apple Software Update
      2011-04-07 16:09 . 2011-04-07 16:09   --------   d-----w-   c:\documents and settings\All Users\Application Data\Apple
      2011-04-07 16:08 . 2011-04-07 16:08   --------   d-----w-   c:\documents and settings\Mike\Local Settings\Application Data\Apple Computer
      2011-04-07 16:05 . 2011-04-07 16:05   --------   d-----w-   c:\program files\Microsoft Silverlight
      2011-04-07 16:04 . 2011-04-07 16:04   --------   d-----w-   c:\windows\system32\Adobe
      2011-04-07 15:42 . 2011-04-07 15:42   73728   ----a-w-   c:\windows\system32\javacpl.cpl
      2011-04-07 15:42 . 2011-04-07 15:42   --------   d-----w-   c:\program files\Java
      2011-04-07 15:37 . 2011-04-07 15:37   --------   d-----w-   c:\documents and settings\All Users\Application Data\McAfee
      2011-03-29 02:18 . 2011-04-07 17:57   --------   d-----w-   c:\documents and settings\AIDAN.MICHAEL
      .
      .
      ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      2011-04-07 15:42 . 2010-07-25 16:57   472808   ----a-w-   c:\windows\system32\deployJava1.dll
      2011-02-09 13:53 . 2009-09-21 20:29   270848   ----a-w-   c:\windows\system32\sbe.dll
      2011-02-09 13:53 . 2009-09-21 20:29   186880   ----a-w-   c:\windows\system32\encdec.dll
      2011-02-02 13:31 . 2011-02-02 13:31   499712   ----a-w-   c:\windows\system32\msvcp71.dll
      2011-02-02 13:31 . 2011-02-02 13:31   348160   ----a-w-   c:\windows\system32\msvcr71.dll
      2011-02-02 07:58 . 2009-09-21 20:40   2067456   ----a-w-   c:\windows\system32\mstscax.dll
      2011-01-27 11:57 . 2009-09-21 20:40   677888   ----a-w-   c:\windows\system32\mstsc.exe
      2011-01-21 14:44 . 2009-09-21 20:29   439296   ----a-w-   c:\windows\system32\shimgvw.dll
      2011-01-12 11:05 . 2010-12-29 07:41   94784   ----a-w-   c:\windows\system32\drivers\inspect.sys
      2011-01-12 11:05 . 2010-12-29 07:41   27576   ----a-w-   c:\windows\system32\drivers\cmdhlp.sys
      2011-01-12 11:05 . 2010-12-29 07:41   239368   ----a-w-   c:\windows\system32\drivers\cmdGuard.sys
      2011-01-12 11:05 . 2010-12-29 07:41   15592   ----a-w-   c:\windows\system32\drivers\cmderd.sys
      .
      .
      (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      *Note* empty entries & legit default entries are not shown
      REGEDIT4
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-10-29 98304]
      "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-10-29 86016]
      "Persistence"="c:\windows\system32\igfxpers.exe" [2006-10-29 81920]
      "IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2006-07-13 9134080]
      "EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2009-01-12 669520]
      "FUFAXSTM"="c:\program files\Epson Software\FAX Utility\FUFAXSTM.exe" [2009-02-06 843776]
      "COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-02-16 2548552]
      "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
      "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
      "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
      "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
      .
      c:\documents and settings\Mike\Start Menu\Programs\Startup\
      OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]
      .
      c:\documents and settings\All Users\Start Menu\Programs\Startup\
      Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2004-10-15 65588]
      NETGEAR WG111v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v3\WG111v3.exe [2008-7-1 2326528]
      Squeezebox Server Tray Tool.lnk - c:\program files\Squeezebox\SqueezeTray.exe [2010-10-20 2351191]
      Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
      .
      [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
      "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
      "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
      .
      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
      2009-09-03 22:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL
      .
      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
      "AppInit_DLLs"=c:\windows\system32\guard32.dll
      .
      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
      "EnableFirewall"= 0 (0x0)
      .
      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
      "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
      "%windir%\\system32\\sessmgr.exe"=
      "c:\\Program Files\\Epson Software\\Event Manager\\EEventManager.exe"=
      "c:\\Program Files\\EpsonNet\\EpsonNet Setup\\tool09\\ENEasyApp.exe"=
      .
      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
      "9000:TCP"= 9000:TCP:Squeezebox Server 9000 tcp (UI)
      "9001:TCP"= 9001:TCP:Squeezebox Server 9001 tcp (UI)
      "9002:TCP"= 9002:TCP:Squeezebox Server 9002 tcp (UI)
      "9003:TCP"= 9003:TCP:Squeezebox Server 9003 tcp (UI)
      "9004:TCP"= 9004:TCP:Squeezebox Server 9004 tcp (UI)
      "9005:TCP"= 9005:TCP:Squeezebox Server 9005 tcp (UI)
      "9006:TCP"= 9006:TCP:Squeezebox Server 9006 tcp (UI)
      "9007:TCP"= 9007:TCP:Squeezebox Server 9007 tcp (UI)
      "9008:TCP"= 9008:TCP:Squeezebox Server 9008 tcp (UI)
      "9009:TCP"= 9009:TCP:Squeezebox Server 9009 tcp (UI)
      "9010:TCP"= 9010:TCP:Squeezebox Server 9010 tcp (UI)
      "9100:TCP"= 9100:TCP:Squeezebox Server 9100 tcp (UI)
      "8000:TCP"= 8000:TCP:Squeezebox Server 8000 tcp (UI)
      "10000:TCP"= 10000:TCP:Squeezebox Server 10000 tcp (UI)
      "9090:TCP"= 9090:TCP:Squeezebox Server 9090 tcp (UI)
      "3483:UDP"= 3483:UDP:Squeezebox Server 3483 udp
      "3483:TCP"= 3483:TCP:Squeezebox Server 3483 tcp
      .
      R1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\drivers\cmderd.sys [12/29/2010 2:41 AM 15592]
      R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [12/29/2010 2:41 AM 239368]
      R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [12/29/2010 2:41 AM 27576]
      R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
      R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
      R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [10/9/2007 4:13 PM 38144]
      R2 SqueezeMySQL;SqueezeMySQL;c:\progra~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe --defaults-file=c:\docume~1\ALLUSE~1\APPLIC~1\SQUEEZ~1\Cache\my.cnf SqueezeMySQL --> c:\progra~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe --defaults-file=c:\docume~1\ALLUSE~1\APPLIC~1\SQUEEZ~1\Cache\my.cnf SqueezeMySQL [?]
      R3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [12/28/2007 6:02 PM 287232]
      S3 SysProtDrv.sys;SysProtDrv.sys;\??\c:\documents and settings\Mike\Desktop\SysProt\SysProt\SysProtDrv.sys --> c:\documents and settings\Mike\Desktop\SysProt\SysProt\SysProtDrv.sys [?]
      .
      Contents of the 'Scheduled Tasks' folder
      .
      2011-04-07 c:\windows\Tasks\AppleSoftwareUpdate.job
      - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
      .
      .
      ------- Supplementary Scan -------
      .
      uStart Page = hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
      uInternet Settings,ProxyOverride = <local>
      TCP: {08254751-F0E0-4DC7-9FCA-06A52E8C9869} = 156.154.70.22,156.154.71.22
      TCP: {DE3A5C69-763A-45FF-A999-71154F23952B} = 156.154.70.22,156.154.71.22
      FF - ProfilePath - c:\documents and settings\Mike\Application Data\Mozilla\Firefox\Profiles\uk3k73oz.default\
      FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
      FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
      FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
      FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
      FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
      FF - user.js: yahoo.homepage.dontask - true
      .
      .
      **************************************************************************
      .
      catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
      Rootkit scan 2011-04-07 22:35
      Windows 5.1.2600 Service Pack 3 NTFS
      .
      detected NTDLL code modification:
      ZwClose, ZwOpenFile
      .
      scanning hidden processes ... 
      .
      scanning hidden autostart entries ...
      .
      scanning hidden files ... 
      .
      scan completed successfully
      hidden files: 0
      .
      **************************************************************************
      .
      --------------------- LOCKED REGISTRY KEYS ---------------------
      .
      [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
      @Denied: (A 2) (Everyone)
      @="FlashBroker"
      "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
      .
      [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
      "Enabled"=dword:00000001
      .
      [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
      @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
      .
      [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
      @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
      .
      [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
      @Denied: (A 2) (Everyone)
      @="IFlashBroker4"
      .
      [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
      @="{00020424-0000-0000-C000-000000000046}"
      .
      [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
      @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
      "Version"="1.0"
      .
      --------------------- DLLs Loaded Under Running Processes ---------------------
      .
      - - - - - - - > 'winlogon.exe'(700)
      c:\program files\SUPERAntiSpyware\SASWINLO.DLL
      c:\windows\system32\WININET.dll
      .
      - - - - - - - > 'lsass.exe'(756)
      c:\windows\system32\guard32.dll
      .
      - - - - - - - > 'explorer.exe'(3592)
      c:\windows\system32\WININET.dll
      c:\windows\system32\guard32.dll
      c:\program files\Windows Desktop Search\deskbar.dll
      c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
      c:\program files\Windows Desktop Search\dbres.dll
      c:\program files\Windows Desktop Search\wordwheel.dll
      c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
      c:\program files\Windows Desktop Search\msnlExtRes.dll
      c:\windows\system32\ieframe.dll
      c:\windows\system32\webcheck.dll
      c:\windows\system32\WPDShServiceObj.dll
      c:\windows\system32\PortableDeviceTypes.dll
      c:\windows\system32\PortableDeviceApi.dll
      .
      ------------------------ Other Running Processes ------------------------
      .
      c:\program files\COMODO\COMODO Internet Security\cmdagent.exe
      c:\program files\Common Files\EPSON\EBAPI\eEBSVC.exe
      c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
      c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
      c:\program files\Java\jre6\bin\jqs.exe
      c:\program files\Intel\AMT\LMS.exe
      c:\progra~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe
      c:\windows\system32\SearchIndexer.exe
      c:\windows\system32\wscntfy.exe
      c:\program files\OpenOffice.org 3\program\soffice.exe
      c:\program files\OpenOffice.org 3\program\soffice.bin
      .
      **************************************************************************
      .
      Completion time: 2011-04-07  22:38:45 - machine was rebooted
      ComboFix-quarantined-files.txt  2011-04-08 03:38
      .
      Pre-Run: 65,110,790,144 bytes free
      Post-Run: 65,109,069,824 bytes free
      .
      - - End Of File - - 8958E1E1623B8ACC90C0AF7933373622

      SuperDave

      • Malware Removal Specialist
      • Moderator


      • Genius
      • Thanked: 1020
      • Certifications: List
      • Experience: Expert
      • OS: Windows 10
      Re: Computer Hope Hijack This Log Overview
      « Reply #3 on: April 08, 2011, 11:46:05 AM »
      SysProt Antirootkit

      Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

      http://sites.google.com/site/sysprotantirootkit/

      Unzip it into a folder on your desktop.
      • Double click Sysprot.exe to start the program.
      • Click on the Log tab.
      • In the Write to log box select the following items.
        • Process << Selected
        • Kernel Modules << Selected
        • SSDT << Selected
        • Kernel Hooks << Selected
        • IRP Hooks << NOT Selected
        • Ports << NOT Selected
        • Hidden Files << Selected
      • At the bottom of the page
        • Hidden Objects Only << Selected
      • Click on the Create Log button on the bottom right.
      • After a few seconds a new window should appear.
      • Select Scan Root Drive. Click on the Start button.
      • When it is complete a new window will appear to indicate that the scan is finished.
      • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.
      Windows 8 and Windows 10 dual boot with two SSD's

      distrutled

        Topic Starter


        Rookie

        Re: Computer Hope Hijack This Log Overview
        « Reply #4 on: April 09, 2011, 01:06:20 AM »
        Here is the SysProt log:

        SysProt AntiRootkit v1.0.1.0
        by swatkat

        ******************************************************************************************
        ******************************************************************************************

        No Hidden Processes found

        ******************************************************************************************
        ******************************************************************************************
        Kernel Modules:
        Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
        Service Name: ---
        Module Base: AA2CA000
        Module End: AA2E2000
        Hidden: Yes

        Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
        Service Name: ---
        Module Base: F7A3C000
        Module End: F7A3E000
        Hidden: Yes

        ******************************************************************************************
        ******************************************************************************************
        SSDT:
        Function Name: ZwAdjustPrivilegesToken
        Address: AA53C80A
        Driver Base: AA532000
        Driver End: AA56B000
        Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

        Function Name: ZwConnectPort
        Address: AA53BD8A
        Driver Base: AA532000
        Driver End: AA56B000
        Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

        Function Name: ZwCreateFile
        Address: AA53C470
        Driver Base: AA532000
        Driver End: AA56B000
        Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

        Function Name: ZwCreateKey
        Address: AA53D07E
        Driver Base: AA532000
        Driver End: AA56B000
        Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

        Function Name: ZwCreatePort
        Address: AA53BC66
        Driver Base: AA532000
        Driver End: AA56B000
        Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

        Function Name: ZwCreateSection
        Address: AA53F13C
        Driver Base: AA532000
        Driver End: AA56B000
        Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

        Function Name: ZwCreateSymbolicLinkObject
        Address: AA53F4C2
        Driver Base: AA532000
        Driver End: AA56B000
        Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

        Function Name: ZwCreateThread
        Address: AA53B652
        Driver Base: AA532000
        Driver End: AA56B000
        Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

        Function Name: ZwDeleteKey
        Address: AA53C9F6
        Driver Base: AA532000
        Driver End: AA56B000
        Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

        Function Name: ZwDeleteValueKey
        Address: AA53CBF6
        Driver Base: AA532000
        Driver End: AA56B000
        Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

        Function Name: ZwDuplicateObject
        Address: AA53B458
        Driver Base: AA532000
        Driver End: AA56B000
        Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

        Function Name: ZwEnumerateKey
        Address: AA53D7BC
        Driver Base: AA532000
        Driver End: AA56B000
        Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

        Function Name: ZwEnumerateValueKey
        Address: AA53DA12
        Driver Base: AA532000
        Driver End: AA56B000
        Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

        Function Name: ZwLoadDriver
        Address: AA53EB4C
        Driver Base: AA532000
        Driver End: AA56B000
        Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

        Function Name: ZwMakeTemporaryObject
        Address: AA53C052
        Driver Base: AA532000
        Driver End: AA56B000
        Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

        Function Name: ZwOpenFile
        Address: AA53C64C
        Driver Base: AA532000
        Driver End: AA56B000
        Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

        Function Name: ZwOpenKey
        Address: AA53D06E
        Driver Base: AA532000
        Driver End: AA56B000
        Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

        Function Name: ZwOpenProcess
        Address: AA53B086
        Driver Base: AA532000
        Driver End: AA56B000
        Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

        Function Name: ZwOpenSection
        Address: AA53C2F6
        Driver Base: AA532000
        Driver End: AA56B000
        Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

        Function Name: ZwOpenThread
        Address: AA53B28A
        Driver Base: AA532000
        Driver End: AA56B000
        Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

        Function Name: ZwQueryKey
        Address: AA53DC20
        Driver Base: AA532000
        Driver End: AA56B000
        Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

        Function Name: ZwQueryMultipleValueKey
        Address: AA53E074
        Driver Base: AA532000
        Driver End: AA56B000
        Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

        Function Name: ZwQueryValueKey
        Address: AA53DE32
        Driver Base: AA532000
        Driver End: AA56B000
        Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

        Function Name: ZwRenameKey
        Address: AA53D5D4
        Driver Base: AA532000
        Driver End: AA56B000
        Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

        Function Name: ZwRequestWaitReplyPort
        Address: AA53E5E4
        Driver Base: AA532000
        Driver End: AA56B000
        Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

        Function Name: ZwSecureConnectPort
        Address: AA53E898
        Driver Base: AA532000
        Driver End: AA56B000
        Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

        Function Name: ZwSetSecurityObject
        Address: AA53CE46
        Driver Base: AA532000
        Driver End: AA56B000
        Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

        Function Name: ZwSetSystemInformation
        Address: AA53EE44
        Driver Base: AA532000
        Driver End: AA56B000
        Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

        Function Name: ZwSetValueKey
        Address: AA53D34C
        Driver Base: AA532000
        Driver End: AA56B000
        Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

        Function Name: ZwShutdownSystem
        Address: AA53BFBC
        Driver Base: AA532000
        Driver End: AA56B000
        Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

        Function Name: ZwSystemDebugControl
        Address: AA53C1E2
        Driver Base: AA532000
        Driver End: AA56B000
        Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

        Function Name: ZwTerminateProcess
        Address: AA53BA68
        Driver Base: AA532000
        Driver End: AA56B000
        Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

        Function Name: ZwTerminateThread
        Address: AA53B856
        Driver Base: AA532000
        Driver End: AA56B000
        Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

        ******************************************************************************************
        ******************************************************************************************
        No Kernel Hooks found

        ******************************************************************************************
        ******************************************************************************************
        Hidden files/folders:
        Object: C:\Qoobox\BackEnv\AppData.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\Cache.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\Cookies.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\Desktop.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\Favorites.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\History.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\LocalAppData.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\LocalSettings.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\Music.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\NetHood.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\Personal.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\Pictures.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\PrintHood.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\Profiles.Folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\Profiles.Folder.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\Programs.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\Recent.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\SendTo.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\SetPath.bat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\StartMenu.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\StartUp.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\SysPath.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\Templates.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\VikPev00
        Status: Access denied
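The SSDT section of the log above lists, for every hooked system service, the address of the handler and the driver SysProt attributes it to. As an added example (not part of this thread and not SysProt's own code), the following Python script parses that section, checks that each hook address actually falls inside the named driver's load range, and groups the hooks by driver, so an analyst can see at a glance whether all hooks resolve to a single known driver (in the posted log every entry points at cmdguard.sys) or whether any handler lives somewhere other than the driver it is credited to. The embedded log excerpt is constructed in SysProt's format from values in the log above, with one address deliberately altered so the range check has something to flag.

```python
"""Triage helper for the SSDT section of a SysProt AntiRootkit log.

Added example: this is not part of the forum thread and not SysProt's own
code.  It parses the "Function Name / Address / Driver Base / Driver End /
Driver Name" records, checks that each hook address really lies inside the
driver image it is attributed to, and groups hooks by driver so an analyst
can see at a glance whether every hook points at one known driver.
"""
from collections import defaultdict

# Constructed log excerpt in SysProt's format.  The first two records copy
# values from the posted log; the third is altered (address outside the
# driver's range) purely so the range check has something to flag.
SAMPLE_LOG = """\
SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwCreateFile
Address: AA53C470
Driver Base: AA532000
Driver End: AA56B000
Driver Name: \\SystemRoot\\System32\\DRIVERS\\cmdguard.sys

Function Name: ZwOpenProcess
Address: AA53B086
Driver Base: AA532000
Driver End: AA56B000
Driver Name: \\SystemRoot\\System32\\DRIVERS\\cmdguard.sys

Function Name: ZwTerminateProcess
Address: 8A000010
Driver Base: AA532000
Driver End: AA56B000
Driver Name: \\SystemRoot\\System32\\DRIVERS\\cmdguard.sys

******************************************************************************************
******************************************************************************************
No Kernel Hooks found
"""

RECORD_KEYS = ("Function Name", "Address", "Driver Base", "Driver End", "Driver Name")


def parse_ssdt_section(text):
    """Return one dict per record found between the 'SSDT:' header and the
    next banner of asterisks.  Records are separated by blank lines.
    Leading whitespace is ignored so a log pasted with indentation still parses."""
    lines = text.splitlines()
    try:
        start = next(i for i, line in enumerate(lines) if line.strip() == "SSDT:")
    except StopIteration:
        return []                          # log has no SSDT section at all
    records, current = [], {}
    for line in lines[start + 1:]:
        if line.strip().startswith("*****"):   # banner: the SSDT section is over
            break
        if not line.strip():               # blank line closes a record
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key in RECORD_KEYS:
            current[key] = value
    if current:                            # record not followed by a blank line
        records.append(current)
    # keep only complete records; a truncated paste should not crash the checks
    return [r for r in records if all(k in r for k in RECORD_KEYS)]


def hook_in_driver_range(rec):
    """True when the hook address lies inside [Driver Base, Driver End).
    An address outside that range means the handler is not where the named
    driver is loaded, which deserves a closer look."""
    addr = int(rec["Address"], 16)
    base = int(rec["Driver Base"], 16)
    end = int(rec["Driver End"], 16)
    return base <= addr < end


def summarise_hooks(records):
    """Group hooked functions by driver.  Returns
    {driver_name: {"functions": [...], "out_of_range": [...]}}."""
    summary = defaultdict(lambda: {"functions": [], "out_of_range": []})
    for rec in records:
        entry = summary[rec["Driver Name"]]
        entry["functions"].append(rec["Function Name"])
        if not hook_in_driver_range(rec):
            entry["out_of_range"].append(rec["Function Name"])
    return dict(summary)


def triage(text):
    """Parse a full SysProt log and return the per-driver hook summary."""
    return summarise_hooks(parse_ssdt_section(text))


if __name__ == "__main__":
    for driver, info in triage(SAMPLE_LOG).items():
        print(f"{driver}: {len(info['functions'])} hooked service(s)")
        for fn in info["functions"]:
            flag = "  <-- address outside driver range" if fn in info["out_of_range"] else ""
            print(f"    {fn}{flag}")
```

Run it as `python sysprot_ssdt_triage.py` (file name is an assumption) or call `triage()` on the text of a saved SysProt log. The per-driver grouping is the useful part: a single driver owning all hooks is the normal picture for a host running a kernel-level security product, and the analyst then confirms that driver against the product list in the ComboFix output; a handler address outside the attributed driver's range, or hooks spread across a driver nobody recognises, is what would justify the further rootkit checks SuperDave runs in this thread.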


        SuperDave

        Re: Computer Hope Hijack This Log Overview
        « Reply #5 on: April 09, 2011, 08:22:57 AM »
        I'd like to scan your machine with ESET OnlineScan

        • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
        ESET OnlineScan
        • Click the button.
        • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
          • Click on to download the ESET Smart Installer. Save it to your desktop.
          • Double click on the icon on your desktop.
        • Check
        • Click the button.
        • Accept any security warnings from your browser.
        • Check
        • Push the Start button.
        • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
        • When the scan completes, push
        • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
        • Push the button.
        • Push
        A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

        distrutled


          Re: Computer Hope Hijack This Log Overview
          « Reply #6 on: April 09, 2011, 12:57:28 PM »
          I did the ESET scan and it said No Threats Found.  I didn't see anywhere to export files and closed it.  Is that okay?

          SuperDave

          Re: Computer Hope Hijack This Log Overview
          « Reply #7 on: April 09, 2011, 05:28:43 PM »
          Excellent. If there are no other issues, let's do some cleanup.

          To uninstall ComboFix

          • Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
          • In the field, type in ComboFix /uninstall


          (Note: Make sure there's a space between the word ComboFix and the forward-slash.)

          • Then, press Enter, or click OK.
          • This will uninstall ComboFix, delete its folders and files, hide System files and folders, and reset System Restore.
          **********************************************
          Clean out your temporary internet files and temp files.

          Download TFC by OldTimer to your desktop.

          Double-click TFC.exe to run it.

          Note: If you are running on Vista, right-click on the file and choose Run As Administrator

          TFC will close all programs when run, so make sure you have saved all your work before you begin.

          * Click the Start button to begin the cleaning process.
          * Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
          * Please let TFC run uninterrupted until it is finished.

          Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.
          *********************************************
          Use the Secunia Software Inspector to check for out-of-date software.

          • Click Start Now

          • Check the box next to Enable thorough system inspection.

          • Click Start

          • Allow the scan to finish and scroll down to see if any updates are needed.
          • Update anything listed.
          .
          ----------

          Go to Microsoft Windows Update and get all critical updates.

          ----------

          I suggest using WOT - Web of Trust. WOT is a free Internet security add-on for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

          SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
          * Using SpywareBlaster to protect your computer from Spyware and Malware
          * If you don't know what ActiveX controls are, see here

          Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

          Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

          Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
          Safe Surfing!