
Topic: I downloaded something I should not have.


Doug

    Topic Starter


    Intermediate

    Thanked: 3
  • Experience: Beginner
  • OS: Windows Vista
Re: I downloaded something I should not have.
« Reply #15 on: January 16, 2012, 02:45:53 PM »
This computer is starting to drive me mad. ComboFix produced a log and I copied it. Then I tried to open IE, and no shortcuts work again. I restarted the computer and didn't save the log. So I ran it again and saved it.

ComboFix 12-01-16.02 - SuperDuperUserOne 01/16/2012  16:35:22.4.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.3033.2022 [GMT -5:00]
Running from: c:\users\SuperDuperUserOne\Desktop\ComboFix.exe
AV: Trend Micro Titanium Internet Security 2012 *Enabled/Updated* {7193B549-236F-55EE-9AEC-F65279E59A92}
SP: Trend Micro Titanium Internet Security 2012 *Enabled/Updated* {CAF254AD-0555-5A60-A05C-CD200262D02F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2011-12-16 to 2012-01-16  )))))))))))))))))))))))))))))))
.
.
2012-01-16 21:40 . 2012-01-16 21:40   --------   d-----w-   c:\users\SuperDuperUserOne\AppData\Local\temp
2012-01-16 21:40 . 2012-01-16 21:40   --------   d-----w-   c:\users\Default\AppData\Local\temp
2012-01-15 15:23 . 2012-01-15 15:23   --------   d-----w-   c:\users\Non-Admin
2012-01-14 21:45 . 2012-01-14 21:45   --------   d-----w-   c:\program files\ESET
2012-01-13 18:02 . 2012-01-13 18:02   --------   d-----w-   c:\users\loridousDex
2012-01-12 23:24 . 2008-01-21 02:24   184320   ----a-w-   c:\windows\system32\drivers\netbt.sys
2012-01-11 20:02 . 2012-01-11 20:02   --------   d-----w-   c:\users\SuperDuperUserOne\AppData\Roaming\Template
2012-01-11 14:54 . 2011-11-17 06:48   440192   ----a-w-   c:\windows\system32\drivers\ksecdd.sys
2012-01-11 14:54 . 2011-11-16 16:23   377344   ----a-w-   c:\windows\system32\winhttp.dll
2012-01-11 14:54 . 2011-11-16 16:23   72704   ----a-w-   c:\windows\system32\secur32.dll
2012-01-11 14:54 . 2011-11-16 16:23   278528   ----a-w-   c:\windows\system32\schannel.dll
2012-01-11 14:54 . 2011-11-16 16:21   1259008   ----a-w-   c:\windows\system32\lsasrv.dll
2012-01-11 14:54 . 2011-11-16 14:12   9728   ----a-w-   c:\windows\system32\lsass.exe
2012-01-11 00:55 . 2011-10-14 16:03   189952   ----a-w-   c:\windows\system32\winmm.dll
2012-01-11 00:55 . 2011-10-14 16:00   23552   ----a-w-   c:\windows\system32\mciseq.dll
2012-01-11 00:55 . 2011-11-18 20:23   1205064   ----a-w-   c:\windows\system32\ntdll.dll
2012-01-11 00:55 . 2011-11-25 15:59   376320   ----a-w-   c:\windows\system32\winsrv.dll
2012-01-11 00:55 . 2011-11-18 17:47   66560   ----a-w-   c:\windows\system32\packager.dll
2012-01-11 00:55 . 2011-12-01 15:21   2409784   ----a-w-   c:\program files\Windows Mail\OESpamFilter.dat
2012-01-11 00:55 . 2011-10-25 15:58   1314816   ----a-w-   c:\windows\system32\quartz.dll
2012-01-11 00:55 . 2011-10-25 15:58   497152   ----a-w-   c:\windows\system32\qdvd.dll
2012-01-08 14:08 . 2011-12-10 20:24   20464   ----a-w-   c:\windows\system32\drivers\mbam.sys
2012-01-06 17:28 . 2012-01-06 17:28   --------   d-----w-   c:\program files\Safari
2012-01-06 14:52 . 2012-01-16 11:38   --------   d-----w-   c:\users\SuperDuperUserOne\AppData\Roaming\Skype
2012-01-06 14:52 . 2012-01-06 14:52   --------   d-----r-   c:\program files\Skype
2012-01-06 14:52 . 2012-01-06 14:52   --------   d-----w-   c:\program files\Common Files\Skype
2012-01-06 14:52 . 2012-01-06 14:52   --------   d-----w-   c:\programdata\Skype
2012-01-03 23:24 . 2012-01-05 04:18   --------   d-----w-   c:\users\SuperDuperUserOne\Tracing
2012-01-03 23:14 . 2012-01-04 06:26   --------   d-----w-   c:\program files\Microsoft
2012-01-03 23:14 . 2009-09-04 22:44   69464   ----a-w-   c:\windows\system32\XAPOFX1_3.dll
2012-01-03 23:14 . 2009-09-04 22:44   515416   ----a-w-   c:\windows\system32\XAudio2_5.dll
2012-01-03 23:14 . 2009-09-04 22:29   453456   ----a-w-   c:\windows\system32\d3dx10_42.dll
2012-01-03 23:13 . 2006-11-29 18:06   3426072   ----a-w-   c:\windows\system32\d3dx9_32.dll
2012-01-03 23:12 . 2009-08-04 08:02   754688   ----a-w-   c:\windows\system32\webservices.dll
2012-01-03 23:10 . 2012-01-03 23:22   --------   d-----w-   c:\users\SuperDuperUserOne\AppData\Local\Windows Live
2012-01-03 23:10 . 2012-01-03 23:10   --------   d-----w-   c:\program files\Common Files\Windows Live
2012-01-01 23:07 . 2012-01-01 23:07   --------   d-----w-   c:\program files\VS Revo Group
2012-01-01 04:42 . 2012-01-01 05:07   --------   d-----w-   C:\Downloads
2012-01-01 04:38 . 2012-01-01 04:38   --------   d-----w-   c:\users\SuperDuperUserOne\AppData\Local\PLX_Technology
2012-01-01 04:36 . 2010-05-25 14:14   24880   ----a-w-   c:\windows\system32\drivers\OXUDIDRV_x32.sys
2012-01-01 04:36 . 2012-01-01 04:36   --------   d-----w-   c:\program files\Iomega
2011-12-31 10:16 . 2012-01-09 09:33   --------   d-----w-   c:\program files\MyDefrag v4.3.1
2011-12-30 07:12 . 2011-12-30 07:21   22032   ----a-w-   c:\windows\DCEBoot.exe
2011-12-28 08:50 . 2011-12-28 08:50   --------   d-----w-   c:\users\SuperDuperUserOne\AppData\Local\DDMSettings
2011-12-26 02:07 . 2011-12-26 02:07   --------   d-----w-   c:\users\SuperDuperUserOne\AppData\Roaming\FlashGet
2011-12-23 00:50 . 2011-12-23 00:50   --------   d-----w-   c:\program files\iPod
2011-12-23 00:50 . 2011-12-23 00:50   --------   d-----w-   c:\program files\iTunes
2011-12-22 23:29 . 2012-01-02 03:49   --------   d-----w-   c:\users\SuperDuperUserOne\AppData\Roaming\Media Player Classic
2011-12-22 18:13 . 2011-12-22 23:29   --------   d-----w-   c:\users\SuperDuperUserOne\AppData\Roaming\DivX
2011-12-22 18:13 . 2011-12-22 18:13   --------   d-----w-   c:\program files\Common Files\PX Storage Engine
2011-12-22 18:12 . 2011-12-28 08:43   --------   d-----w-   c:\program files\Common Files\DivX Shared
2011-12-22 18:11 . 2011-12-28 08:44   --------   d-----w-   c:\program files\DivX
2011-12-22 18:11 . 2011-12-28 08:44   --------   d-----w-   c:\programdata\DivX
2011-12-22 18:08 . 2011-03-02 11:43   175616   ----a-w-   c:\windows\system32\unrar.dll
2011-12-18 04:30 . 2011-12-18 04:30   --------   d-----w-   c:\users\SuperDuperUserOne\AppData\Roaming\Malwarebytes
2011-12-18 04:30 . 2011-12-18 04:30   --------   d-----w-   c:\programdata\Malwarebytes
2011-12-18 04:30 . 2012-01-08 14:08   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-18 04:57 . 2008-07-07 16:18   319456   ----a-w-   c:\windows\DIFxAPI.dll
2011-12-04 01:31 . 2011-12-04 01:31   677136   ----a-w-   c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2011-12-01 18:32 . 2011-12-01 18:32   413696   ----a-w-   c:\windows\system32\wrap_oal.dll
2011-12-01 18:32 . 2011-12-01 18:32   110592   ----a-w-   c:\windows\system32\OpenAL32.dll
2011-12-01 13:10 . 2011-12-01 13:10   86528   ----a-w-   c:\windows\system32\iesysprep.dll
2011-12-01 13:10 . 2011-12-01 13:10   76800   ----a-w-   c:\windows\system32\SetIEInstalledDate.exe
2011-12-01 13:10 . 2011-12-01 13:10   74752   ----a-w-   c:\windows\system32\RegisterIEPKEYs.exe
2011-12-01 13:10 . 2011-12-01 13:10   48640   ----a-w-   c:\windows\system32\mshtmler.dll
2011-12-01 13:10 . 2011-12-01 13:10   161792   ----a-w-   c:\windows\system32\msls31.dll
2011-12-01 13:10 . 2011-12-01 13:10   74752   ----a-w-   c:\windows\system32\iesetup.dll
2011-12-01 13:10 . 2011-12-01 13:10   63488   ----a-w-   c:\windows\system32\tdc.ocx
2011-12-01 13:10 . 2011-12-01 13:10   367104   ----a-w-   c:\windows\system32\html.iec
2011-12-01 13:10 . 2011-12-01 13:10   23552   ----a-w-   c:\windows\system32\licmgr10.dll
2011-12-01 13:10 . 2011-12-01 13:10   420864   ----a-w-   c:\windows\system32\vbscript.dll
2011-12-01 13:10 . 2011-12-01 13:10   35840   ----a-w-   c:\windows\system32\imgutil.dll
2011-12-01 13:10 . 2011-12-01 13:10   152064   ----a-w-   c:\windows\system32\wextract.exe
2011-12-01 13:10 . 2011-12-01 13:10   150528   ----a-w-   c:\windows\system32\iexpress.exe
2011-12-01 13:10 . 2011-12-01 13:10   142848   ----a-w-   c:\windows\system32\ieUnatt.exe
2011-12-01 13:10 . 2011-12-01 13:10   11776   ----a-w-   c:\windows\system32\mshta.exe
2011-12-01 13:10 . 2011-12-01 13:10   101888   ----a-w-   c:\windows\system32\admparse.dll
2011-12-01 13:10 . 2011-12-01 13:10   110592   ----a-w-   c:\windows\system32\IEAdvpack.dll
2011-12-01 13:09 . 2011-12-01 13:09   979456   ----a-w-   c:\windows\system32\MFH264Dec.dll
2011-12-01 13:09 . 2011-12-01 13:09   357376   ----a-w-   c:\windows\system32\MFHEAACdec.dll
2011-12-01 13:09 . 2011-12-01 13:09   98816   ----a-w-   c:\windows\system32\mfps.dll
2011-12-01 13:09 . 2011-12-01 13:09   586240   ----a-w-   c:\windows\system32\stobject.dll
2011-12-01 13:09 . 2011-12-01 13:09   302592   ----a-w-   c:\windows\system32\mfmp4src.dll
2011-12-01 13:09 . 2011-12-01 13:09   2873344   ----a-w-   c:\windows\system32\mf.dll
2011-12-01 13:09 . 2011-12-01 13:09   261632   ----a-w-   c:\windows\system32\mfreadwrite.dll
2011-12-01 13:09 . 2011-12-01 13:09   209920   ----a-w-   c:\windows\system32\mfplat.dll
2011-12-01 13:09 . 2011-12-01 13:09   683008   ----a-w-   c:\windows\system32\d2d1.dll
2011-12-01 13:09 . 2011-12-01 13:09   486400   ----a-w-   c:\windows\system32\d3d10level9.dll
2011-12-01 13:09 . 2011-12-01 13:09   135680   ----a-w-   c:\windows\system32\XpsRasterService.dll
2011-12-01 13:09 . 2011-12-01 13:09   1172480   ----a-w-   c:\windows\system32\d3d10warp.dll
2011-12-01 13:09 . 2011-12-01 13:09   638336   ----a-w-   c:\windows\system32\drivers\dxgkrnl.sys
2011-12-01 13:09 . 2011-12-01 13:09   478720   ----a-w-   c:\windows\system32\dxgi.dll
2011-12-01 13:09 . 2011-12-01 13:09   37376   ----a-w-   c:\windows\system32\cdd.dll
2011-12-01 13:09 . 2011-12-01 13:09   258048   ----a-w-   c:\windows\system32\winspool.drv
2011-12-01 13:09 . 2011-12-01 13:09   219648   ----a-w-   c:\windows\system32\d3d10_1core.dll
2011-12-01 13:09 . 2011-12-01 13:09   189952   ----a-w-   c:\windows\system32\d3d10core.dll
2011-12-01 13:09 . 2011-12-01 13:09   160768   ----a-w-   c:\windows\system32\d3d10_1.dll
2011-12-01 13:09 . 2011-12-01 13:09   1029120   ----a-w-   c:\windows\system32\d3d10.dll
2011-12-01 13:09 . 2011-12-01 13:09   847360   ----a-w-   c:\windows\system32\OpcServices.dll
2011-12-01 13:09 . 2011-12-01 13:09   667648   ----a-w-   c:\windows\system32\printfilterpipelinesvc.exe
2011-12-01 13:09 . 2011-12-01 13:09   26112   ----a-w-   c:\windows\system32\printfilterpipelineprxy.dll
2011-12-01 13:09 . 2011-12-01 13:09   1554432   ----a-w-   c:\windows\system32\xpsservices.dll
2011-12-01 13:07 . 2011-12-01 13:07   4096   ----a-w-   c:\windows\system32\drivers\en-US\dxgkrnl.sys.mui
2011-12-01 13:07 . 2011-12-01 13:07   974848   ----a-w-   c:\windows\system32\WindowsCodecs.dll
2011-12-01 13:07 . 2011-12-01 13:07   519680   ----a-w-   c:\windows\system32\d3d11.dll
2011-12-01 13:07 . 2011-12-01 13:07   369664   ----a-w-   c:\windows\system32\WMPhoto.dll
2011-12-01 13:07 . 2011-12-01 13:07   321024   ----a-w-   c:\windows\system32\PhotoMetadataHandler.dll
2011-12-01 13:07 . 2011-12-01 13:07   252928   ----a-w-   c:\windows\system32\dxdiag.exe
2011-12-01 13:07 . 2011-12-01 13:07   195584   ----a-w-   c:\windows\system32\dxdiagn.dll
2011-12-01 13:07 . 2011-12-01 13:07   189440   ----a-w-   c:\windows\system32\WindowsCodecsExt.dll
2011-12-01 06:21 . 2011-12-01 06:21   414368   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-01 00:44 . 2011-12-01 00:44   56   ----a-w-   c:\windows\system32\SupportTool.exe.bat
2011-12-01 00:39 . 2011-12-01 00:47   92432   ----a-w-   c:\windows\system32\drivers\tmtdi.sys
2011-12-01 00:39 . 2011-12-01 00:45   81168   ----a-w-   c:\windows\system32\drivers\tmactmon.sys
2011-12-01 00:39 . 2011-12-01 00:45   68368   ----a-w-   c:\windows\system32\drivers\tmevtmgr.sys
2011-12-01 00:39 . 2011-12-01 00:45   205072   ----a-w-   c:\windows\system32\drivers\tmcomm.sys
2011-11-30 08:46 . 2011-11-30 08:46   652296   ----a-w-   c:\programdata\Microsoft\eHome\Packages\SportsTemplate\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2011-11-30 08:46 . 2011-11-30 08:46   416128   ----a-w-   c:\programdata\Microsoft\eHome\Packages\NetTV\Browse\NetTVResources.dll
2011-11-23 13:37 . 2011-12-14 03:11   2043904   ----a-w-   c:\windows\system32\win32k.sys
2011-11-10 10:54 . 2011-12-01 01:12   472808   ----a-w-   c:\windows\system32\deployJava1.dll
2011-11-08 14:42 . 2011-12-14 03:10   2048   ----a-w-   c:\windows\system32\tzres.dll
2011-11-03 22:47 . 2011-12-14 03:38   1798144   ----a-w-   c:\windows\system32\jscript9.dll
2011-11-03 22:40 . 2011-12-14 03:38   1427456   ----a-w-   c:\windows\system32\inetcpl.cpl
2011-11-03 22:39 . 2011-12-14 03:38   1127424   ----a-w-   c:\windows\system32\wininet.dll
2011-11-03 22:31 . 2011-12-14 03:38   2382848   ----a-w-   c:\windows\system32\mshtml.tlb
2011-10-27 08:01 . 2011-12-14 03:11   3602816   ----a-w-   c:\windows\system32\ntkrnlpa.exe
2011-10-27 08:01 . 2011-12-14 03:11   3550080   ----a-w-   c:\windows\system32\ntoskrnl.exe
2011-10-25 15:56 . 2011-12-14 03:10   49152   ----a-w-   c:\windows\system32\csrsrv.dll
2011-10-20 23:26 . 2011-10-20 23:26   94208   ----a-w-   c:\windows\system32\dpl100.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2011-12-01 129304]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2010-04-10 1310720]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-06-03 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-06-03 171288]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-06-03 172824]
"DLCCCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2006-02-24 73728]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-12-24 981680]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54   551296   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-08-11 116608]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation   REG_MULTI_SZ      FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cndt
uInternet Settings,ProxyOverride = *.local
IE: &Download All with FlashGet - h:\flashget\jc_all.htm
IE: &Download with FlashGet - h:\flashget\jc_link.htm
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-16 16:40
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  DLCCCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16??????????????????????????????????????????????????????????????
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.smb]
"ImagePath"="\*"
.
Completion time: 2012-01-16  16:42:05
ComboFix-quarantined-files.txt  2012-01-16 21:42
ComboFix2.txt  2012-01-16 21:18
ComboFix3.txt  2012-01-12 23:55
ComboFix4.txt  2012-01-12 23:41
.
Pre-Run: 391,656,218,624 bytes free
Post-Run: 391,627,489,280 bytes free
.
- - End Of File - - EB0AC340BA55BEB6C4628FB681240293

SuperDave

  • Malware Removal Specialist


  • Genius
  • Thanked: 1020
  • Certifications: List
  • Experience: Expert
  • OS: Windows 10
Re: I downloaded something I should not have.
« Reply #16 on: January 16, 2012, 04:23:04 PM »
Quote
It says the above real time scanner is active (Trend Micro) but will run anyway.  Last time I just ran any.  Is this a major problem?
Not really. This next one is necessary to find a replacement file.

Please download SystemLook from one of the links below and save it to your desktop.

Link # 1
Link # 2

Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double-click SystemLook.exe to run it.

Copy the contents of the following codebox into the main textfield.
Code:
:filefind
jureg.exe 

Click the Look button to start the scan.

Note: The scan may take some time so please just let it do its work and be patient (or do something else unrelated to the computer).

When finished, a notepad window will open with the results of the scan. Please post the log. The log can also be found on your desktop entitled SystemLook.txt
Windows 8 and Windows 10 dual boot with two SSD's

Doug
Re: I downloaded something I should not have.
« Reply #17 on: January 16, 2012, 04:48:46 PM »
SystemLook 30.07.11 by jpshortstuff
Log created at 18:47 on 16/01/2012 by SuperDuperUserOne
Administrator - Elevation successful

========== filefind ==========

Searching for "jureg.exe  "
C:\WINDOWS\System32\jureg.exe   --a---- 54936 bytes   [16:29 07/07/2008]   [09:56 07/04/2007] 4F89DD4EA74C66916E15A6E7D74A50B5

-= EOF =-




SuperDave
Re: I downloaded something I should not have.
« Reply #18 on: January 16, 2012, 07:32:15 PM »
Do you have your OS CD/DVD?

If so,

1/ Click the Start button.

2/ From the Start Menu, Click All programs followed by Accessories.

3/ In the Accessories menu, Right Click on the Command Prompt option.

4/ From the drop down menu that appears, Click on the Run as administrator option.

5/ If you have the User Account Control (UAC) enabled you will be asked for authorisation prior to the command prompt opening. You may simply need to press the Continue button if you are the administrator or insert the administrator password etc.

6/ In the Command Prompt window, type: sfc /scannow and then press Enter.

7/ A message will appear stating that the system scan will begin.

8/ Be patient because the scan may take some time.

9/ If any files require replacing SFC will replace them. You may be asked to insert your Vista DVD for this process to continue.

10/ If everything is okay you should, after the scan, see the following message Windows resource protection did not find any integrity violations.

11/ After the scan has completed, Close the command prompt window.

Doug
Re: I downloaded something I should not have.
« Reply #19 on: January 17, 2012, 01:30:01 AM »
I ran it and it fixed something, but I cannot view the log located in windows\logs\CBS\CBS.log. When I try to open it I just get "access is denied."

SuperDave
Re: I downloaded something I should not have.
« Reply #20 on: January 17, 2012, 11:57:41 AM »
Please run the aswMBR scan again as described in Reply # 11

Doug
Re: I downloaded something I should not have.
« Reply #21 on: January 17, 2012, 12:35:45 PM »
aswMBR version 0.9.9.1297 Copyright(c) 2011 AVAST Software
Run date: 2012-01-17 14:10:29
-----------------------------
14:10:29.423    OS Version: Windows 6.0.6002 Service Pack 2
14:10:29.423    Number of processors: 2 586 0x1706
14:10:29.423    ComputerName: SUPERDUPERUS-PC  UserName:
14:10:45.633    Initialize success
14:29:00.122    AVAST engine defs: 12011700
14:30:23.043    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2
14:30:23.043    Disk 0 Vendor: WDC_WD5000AAKS-65A7B0 01.03B01 Size: 476940MB BusType: 3
14:30:23.058    Disk 0 MBR read successfully
14:30:23.058    Disk 0 MBR scan
14:30:23.074    Disk 0 unknown MBR code
14:30:23.074    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS       466158 MB offset 63
14:30:23.105    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS        10778 MB offset 954691920
14:30:23.121    Disk 0 scanning sectors +976767120
14:30:23.262    Disk 0 scanning C:\Windows\system32\drivers
14:30:38.381    Service scanning
14:30:38.896    Service .smb \* **LOCKED** 123
14:30:39.662    Modules scanning
14:30:51.522    Disk 0 trace - called modules:
14:30:51.538    ntkrnlpa.exe CLASSPNP.SYS disk.sys ataport.SYS hal.dll pciide.sys PCIIDEX.SYS atapi.sys
14:30:51.538    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85c78960]
14:30:51.554    3 CLASSPNP.SYS[8a3a28b3] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-2[0x8531c660]
14:30:52.679    AVAST engine scan C:\Windows
14:30:56.085    AVAST engine scan C:\Windows\system32
14:31:50.541    File: C:\Windows\system32\jureg.exe  **INFECTED** Win32:SMSSend-IG [Trj]
14:33:33.805    AVAST engine scan C:\Windows\system32\drivers
14:33:45.433    AVAST engine scan C:\Users\SuperDuperUserOne
14:34:39.005    AVAST engine scan C:\ProgramData
14:35:04.110    Scan finished successfully
14:35:25.268    Disk 0 MBR has been saved successfully to "C:\Users\SuperDuperUserOne\Desktop\MBR.dat"
14:35:25.268    The log file has been saved successfully to "C:\Users\SuperDuperUserOne\Desktop\aswMBR_Tuesday.txt"



SuperDave
Re: I downloaded something I should not have.
« Reply #22 on: January 17, 2012, 04:41:09 PM »
Save these instructions so you can have access to them while in Safe Mode.

Please click here to download AVP Tool by Kaspersky.
  • Save it to your desktop.
  • Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.
  • Double click the setup file to run it.
  • Click Next to continue.
  • Accept the License agreement and click on Next.
  • It will, by default, install it to your desktop folder. Click Next.
  • It will then open a box. There will be a tab that says Automatic scan.
  • Under Automatic scan make sure these are checked:
    • Hidden Startup Objects
    • System Memory
    • Disk Boot Sectors
    • My Computer
    • Also any other (removable) drives that you may have
  • Leave the rest of the settings as they appear by default.
  • Then click on Scan at the top right hand corner.
  • It will automatically Neutralize any objects found.
  • If some objects are left un-neutralized, click the button that says Neutralize all.
  • If it says it cannot be neutralized, choose the delete option when prompted.
  • After that is done, click on the Reports button at the bottom and save it to a file; name it Kas.
  • Save it somewhere convenient like your desktop, and post only the detected virus/malware from the report (it will be at the very top, under Detected) in your next reply.

Note: This tool will self uninstall when you close it so please save the log before closing it.

Please run another aswMBR scan and post the log after doing the above.

Doug
Re: I downloaded something I should not have.
« Reply #23 on: January 18, 2012, 05:10:24 AM »
The Kaspersky tool didn't find any threats. There were password-protected files that appeared as locked in a box in the bottom right corner.

aswMBR version 0.9.9.1297 Copyright(c) 2011 AVAST Software
Run date: 2012-01-18 06:59:05
-----------------------------
06:59:05.968    OS Version: Windows 6.0.6002 Service Pack 2
06:59:05.968    Number of processors: 2 586 0x1706
06:59:05.968    ComputerName: SUPERDUPERUS-PC  UserName:
06:59:16.761    Initialize success
06:59:24.355    AVAST engine defs: 12011700
06:59:43.340    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2
06:59:43.340    Disk 0 Vendor: WDC_WD5000AAKS-65A7B0 01.03B01 Size: 476940MB BusType: 3
06:59:43.387    Disk 0 MBR read successfully
06:59:43.387    Disk 0 MBR scan
06:59:43.387    Disk 0 unknown MBR code
06:59:43.387    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS       466158 MB offset 63
06:59:43.434    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS        10778 MB offset 954691920
06:59:43.449    Disk 0 scanning sectors +976767120
06:59:43.559    Disk 0 scanning C:\Windows\system32\drivers
07:00:04.469    Service scanning
07:00:05.578    Service .smb \* **LOCKED** 123
07:00:09.012    Modules scanning
07:00:21.091    Disk 0 trace - called modules:
07:00:21.606    ntkrnlpa.exe CLASSPNP.SYS disk.sys ataport.SYS hal.dll pciide.sys PCIIDEX.SYS atapi.sys
07:00:21.606    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x854ffa40]
07:00:21.606    3 CLASSPNP.SYS[8a3a58b3] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-2[0x852dc660]
07:00:22.936    AVAST engine scan C:\Windows
07:00:33.610    AVAST engine scan C:\Windows\system32
07:01:45.555    File: C:\Windows\system32\jureg.exe  **INFECTED** Win32:SMSSend-IG [Trj]
07:03:52.329    AVAST engine scan C:\Windows\system32\drivers
07:04:16.270    AVAST engine scan C:\Users\SuperDuperUserOne
07:06:00.213    AVAST engine scan C:\ProgramData
07:06:25.568    Scan finished successfully
07:07:31.855    Disk 0 MBR has been saved successfully to "C:\Users\SuperDuperUserOne\Desktop\MBR.dat"
07:07:31.870    The log file has been saved successfully to "C:\Users\SuperDuperUserOne\Desktop\aswMBR Wednesday.txt"
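
As an added example (not code from this thread, nor from the aswMBR or SystemLook authors), here is a small Python triage helper for the two log formats posted above: it parses aswMBR's timestamped lines for **INFECTED** and **LOCKED** findings, parses SystemLook's filefind result line for path, size, timestamps and MD5, joins the two by file path, and reports which detections persist between the Jan 17 and Jan 18 runs. The regexes and function names are assumptions drawn from the layouts visible in these posts; the sample input is abridged from the thread's own logs.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# aswMBR prints one event per line as "HH:MM:SS.mmm    <message>".
ASWMBR_LINE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<msg>.*)$")
ASWMBR_INFECTED = re.compile(r"^File:\s+(?P<path>.+?)\s+\*\*INFECTED\*\*\s+(?P<name>.+)$")
ASWMBR_LOCKED = re.compile(r"^Service\s+(?P<svc>\S+)\s+(?P<image>\S+)\s+\*\*LOCKED\*\*")
# SystemLook :filefind result line layout (assumed from the post above):
#   <path>  <attrs> <size> bytes  [mtime]  [ctime]  <MD5>
SYSTEMLOOK_FILE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-a-z]{7})\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<mtime>[^\]]+)\]\s+\[(?P<ctime>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)

@dataclass
class Finding:
    path: str                  # path as printed by aswMBR
    detection: str             # engine detection name, e.g. "Win32:SMSSend-IG [Trj]"
    md5: Optional[str] = None  # the remaining fields come from SystemLook
    size: Optional[int] = None
    mtime: Optional[str] = None
    ctime: Optional[str] = None

def norm(path: str) -> str:
    """NTFS paths are case-insensitive and the two tools print different casing."""
    return path.strip().lower()

def parse_aswmbr(text: str) -> dict:
    """Extract infected files, locked services and MBR status lines from an aswMBR log."""
    infected: Dict[str, Finding] = {}
    locked: List[str] = []
    mbr: List[str] = []
    for raw in text.splitlines():
        m = ASWMBR_LINE.match(raw.strip())
        if not m:
            continue  # banner lines carry no timestamp
        msg = m.group("msg")
        mi = ASWMBR_INFECTED.match(msg)
        ml = ASWMBR_LOCKED.match(msg)
        if mi:
            infected[norm(mi["path"])] = Finding(mi["path"], mi["name"].strip())
        elif ml:
            locked.append(f"{ml['svc']} -> {ml['image']}")
        elif "MBR" in msg:
            mbr.append(msg)
    return {"infected": infected, "locked": locked, "mbr": mbr}

def parse_systemlook(text: str) -> Dict[str, dict]:
    """Return {normalised path: fields} for every filefind result line."""
    found: Dict[str, dict] = {}
    for raw in text.splitlines():
        m = SYSTEMLOOK_FILE.match(raw.strip())
        if m:
            d = m.groupdict()
            d["size"] = int(d["size"])
            found[norm(d["path"])] = d
    return found

def correlate(aswmbr_text: str, systemlook_text: str) -> List[Finding]:
    """Attach SystemLook hash, size and timestamps to each aswMBR infected file."""
    look = parse_systemlook(systemlook_text)
    out: List[Finding] = []
    for key, finding in parse_aswmbr(aswmbr_text)["infected"].items():
        info = look.get(key)
        if info:
            finding.md5 = info["md5"].upper()
            finding.size = info["size"]
            finding.mtime, finding.ctime = info["mtime"], info["ctime"]
        out.append(finding)
    return out

def persisted(first: str, second: str) -> List[str]:
    """Infected paths present in both aswMBR runs, i.e. not removed in between."""
    a = parse_aswmbr(first)["infected"]
    b = parse_aswmbr(second)["infected"]
    return sorted(a[k].path for k in a if k in b)

# Sample input: abridged excerpts of the logs posted in this thread
# (constructed by keeping only the lines the parsers look at).
ASWMBR_JAN17 = r"""
Run date: 2012-01-17 14:10:29
14:30:23.074    Disk 0 unknown MBR code
14:30:38.896    Service .smb \* **LOCKED** 123
14:31:50.541    File: C:\Windows\system32\jureg.exe  **INFECTED** Win32:SMSSend-IG [Trj]
14:35:04.110    Scan finished successfully
"""
ASWMBR_JAN18 = r"""
Run date: 2012-01-18 06:59:05
07:00:05.578    Service .smb \* **LOCKED** 123
07:01:45.555    File: C:\Windows\system32\jureg.exe  **INFECTED** Win32:SMSSend-IG [Trj]
"""
SYSTEMLOOK = r"""
Searching for "jureg.exe  "
C:\WINDOWS\System32\jureg.exe   --a---- 54936 bytes   [16:29 07/07/2008]   [09:56 07/04/2007] 4F89DD4EA74C66916E15A6E7D74A50B5
-= EOF =-
"""
```

Running `correlate(ASWMBR_JAN17, SYSTEMLOOK)` yields one record for jureg.exe carrying both the detection name and the MD5, and `persisted(ASWMBR_JAN17, ASWMBR_JAN18)` confirms the same file was still flagged after the Kaspersky pass.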



SuperDave
Re: I downloaded something I should not have.
« Reply #24 on: January 18, 2012, 12:24:38 PM »
Please go to Jotti's malware scan.
(If more than one file needs to be scanned, they must be done separately and links posted for each one.)

* Copy the file path in the below Code box:

Code:
C:\Windows\system32\jureg.exe 
* At the upload site, click once inside the window next to Browse.
* Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
* Next click Submit file
* Your file will possibly be entered into a queue which normally takes less than a minute to clear.
* This will perform a scan across multiple different virus scanning engines.
* Important: Wait for all of the scanning engines to complete.
* Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.

Doug

SuperDave
Re: I downloaded something I should not have.
« Reply #26 on: January 19, 2012, 11:19:57 AM »
SysProt Antirootkit

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.
  • Double click Sysprot.exe to start the program.
  • Click on the Log tab.
  • In the Write to log box select the following items.
    • Process << Selected
    • Kernel Modules << Selected
    • SSDT << Selected
    • Kernel Hooks << Selected
    • IRP Hooks << NOT Selected
    • Ports << NOT Selected
    • Hidden Files << Selected
  • At the bottom of the page
    • Hidden Objects Only << Selected
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.

Doug
Re: I downloaded something I should not have.
« Reply #27 on: January 19, 2012, 09:17:34 PM »
SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No Hidden Processes found

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_dumpata.sys
Service Name: ---
Module Base: 8F5AB000
Module End: 8F5B6000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: 8F5B6000
Module End: 8F5BE000
Hidden: Yes

******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwCreateKey
Address: 868E3324
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwCreateMutant
Address: 86AF9EA4
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwCreateProcess
Address: 868D738C
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwCreateProcessEx
Address: 868EB34C
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwCreateSymbolicLinkObject
Address: 86AF9E34
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwCreateThread
Address: 86AF9FD4
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwDeleteKey
Address: 86AF77AC
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwDeleteValueKey
Address: 86AF733C
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwDuplicateObject
Address: 86AF9DFC
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwLoadDriver
Address: 86AF9EDC
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwOpenProcess
Address: 8671C16C
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwOpenSection
Address: 86AF7304
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwOpenThread
Address: 868EC2EC
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwRenameKey
Address: 86AF7774
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwRestoreKey
Address: 86AF7374
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwSetSystemInformation
Address: 86AF9E6C
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwSetValueKey
Address: 868E32EC
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwTerminateProcess
Address: 868CF35C
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwTerminateThread
Address: 868CF324
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwWriteVirtualMemory
Address: 86AF72CC
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwCreateThreadEx
Address: 86AF9F14
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwCreateUserProcess
Address: 8690E3CC
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
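A small triage script for this log format, added here as an example and not SysProt's or the thread's own code. It reads the blank-line separated `Field: value` records under `Kernel Modules:` and `SSDT:`, splits hidden modules into ones that are expected (the `dump_*.sys` copies of the storage driver are loaded by the crash-dump stack outside the normal loaded-module list, so anti-rootkit tools report them as hidden on clean machines as well) and ones that need a closer look, and tries to attribute each `_unknown_` SSDT address to a module range on its own. The log text inside the block is a constructed excerpt in the same layout as the log above; `constructed.sys`, `example.sys` and every address except the dump driver's are made up.

```python
"""Triage a SysProt AntiRootkit text log.

Added example for this thread, not SysProt's own code. Field names follow
the log posted above; the sample text, constructed.sys, example.sys and
every address except the dump driver's are constructed.
"""

SAMPLE_LOG = r"""
******************************************************************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_dumpata.sys
Service Name: ---
Module Base: 8F5AB000
Module End: 8F5B6000
Hidden: Yes

Module Name: \??\C:\Windows\Temp\constructed.sys
Service Name: ---
Module Base: 8F600000
Module End: 8F610000
Hidden: Yes

******************************************************************************************
SSDT:
Function Name: ZwCreateKey
Address: 868E3324
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwCreateMutant
Address: 86AF9EA4
Driver Base: 86AF0000
Driver End: 86B00000
Driver Name: example.sys

Function Name: ZwOpenProcess
Address: 8F604000
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

******************************************************************************************
"""

SECTIONS = {"Kernel Modules:": "modules", "SSDT:": "ssdt"}


def parse_records(text):
    """Yield (section, {field: value}) for each blank-line separated block."""
    section, record = None, {}
    for raw in text.splitlines() + [""]:
        line = raw.strip()
        if line in SECTIONS or not line or line.startswith("*"):
            if record and section:          # flush the block being collected
                yield section, record
            record = {}
            section = SECTIONS.get(line, section)
            continue
        key, sep, value = line.partition(":")
        if sep and section:                 # ignore banner text outside sections
            record[key.strip()] = value.strip()


def parse_sysprot_log(text):
    """Return (modules, ssdt) lists with addresses converted from hex."""
    modules, ssdt = [], []
    for section, rec in parse_records(text):
        if section == "modules" and "Module Name" in rec:
            modules.append({"name": rec["Module Name"],
                            "hidden": rec.get("Hidden", "").lower() == "yes",
                            "base": int(rec["Module Base"], 16),
                            "end": int(rec["Module End"], 16)})
        elif section == "ssdt" and "Function Name" in rec:
            ssdt.append({"function": rec["Function Name"],
                         "address": int(rec["Address"], 16),
                         "driver": rec.get("Driver Name", "_unknown_")})
    return modules, ssdt


def resolve(address, modules):
    """Name of the module whose [base, end) range holds address, else None."""
    for m in modules:
        if m["base"] <= address < m["end"]:
            return m["name"]
    return None


def triage(text):
    """Split hidden modules into expected/review; re-attribute unknown SSDT targets."""
    modules, ssdt = parse_sysprot_log(text)
    expected, review = [], []
    for m in modules:
        if not m["hidden"]:
            continue
        # The crash-dump stack loads dump_*.sys copies of the storage driver
        # outside the normal loaded-module list, so they show up as "hidden"
        # on clean machines too (general knowledge, not taken from this log).
        basename = m["name"].rsplit("\\", 1)[-1].lower()
        (expected if basename.startswith("dump_") else review).append(m["name"])
    unknown = [(e["function"], f"{e['address']:08X}", resolve(e["address"], modules))
               for e in ssdt if e["driver"] == "_unknown_"]
    return {"expected_hidden": expected, "hidden_for_review": review,
            "ssdt_entries": len(ssdt), "unknown_ssdt": unknown}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Note that the log above was produced with "Hidden Objects Only" selected, so it lists only hidden modules; an `_unknown_` SSDT address can only be attributed against the modules the log contains, and a run without that option gives the full module list to resolve against.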


SuperDave (Malware Removal Specialist, Genius, Thanked: 1020, Experience: Expert, OS: Windows 10)
Re: I downloaded something I should not have.
« Reply #28 on: January 20, 2012, 11:48:30 AM »
I'd like to scan your machine with ESET OnlineScan

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.
  • Check
  • Click the button.
  • Accept any security warnings from your browser.
  • Check
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

Doug (Topic Starter, Intermediate, Thanked: 3, Experience: Beginner, OS: Windows Vista)
Re: I downloaded something I should not have.
« Reply #29 on: January 20, 2012, 01:00:58 PM »
C:\Documents and Settings\SuperDuperUserOne\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\25\d189d59-1c85613d   a variant of Java/TrojanDownloader.Agent.NDJ trojan   deleted - quarantined
C:\Documents and Settings\SuperDuperUserOne\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27\60b5d41b-31e0b3c1   a variant of Java/TrojanDownloader.Agent.NDJ trojan   deleted - quarantined
C:\Documents and Settings\SuperDuperUserOne\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\41\29b4c469-5bd4bde4   a variant of Java/TrojanDownloader.Agent.NDJ trojan   deleted - quarantined
C:\Documents and Settings\SuperDuperUserOne\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\72a066eb-782c00a9   a variant of Java/TrojanDownloader.Agent.NDJ trojan   deleted - quarantined
C:\Documents and Settings\SuperDuperUserOne\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50\13c9a6b2-5c14c963   a variant of Java/TrojanDownloader.Agent.NDJ trojan   deleted - quarantined
C:\Documents and Settings\SuperDuperUserOne\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\7\43c3de87-1f2733a4   a variant of Java/TrojanDownloader.Agent.NDJ trojan   deleted - quarantined


There were four items last scan and now there are six.  I still can't turn on Windows Firewall and the Security Center still says my AV is off.  I don't know.  Maybe Windows Firewall was never on with Trend Micro.  But I know it used to report that the anti-virus was on and reporting to Windows.