
Author Topic: Request for malware removal assistance  (Read 13706 times)


maine (Topic Starter, Rookie)
    Request for malware removal assistance
    « on: January 09, 2010, 06:48:11 PM »
    I seem to have a Google redirect virus.  I am running Vista and Firefox and using Trend Micro.  I've run scans from Microsoft OneCare, Trend Micro and Malwarebytes to no avail and updated Java. Hope someone can help. Thanks so much!

    I've downloaded HijackThis, named it and here is the log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:39:29 PM, on 1/9/2010
    Platform: Windows Vista  (WinNT 6.00.1904)
    MSIE: Internet Explorer v7.00 (7.00.6000.16945)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\HP\QuickPlay\QPService.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
    C:\Program Files\Mouse Driver\StartAutorun.exe
    C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
    C:\Program Files\Trend Micro\OfficeScan Client\PccNTMon.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\Compaq Connections\3572475\Program\Compaq Connections.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\Mouse Driver\KMConfig.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Mouse Driver\KMProcess.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Windows\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\sniper.exe.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
    O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
    O4 - HKLM\..\Run: [KMCONFIG] C:\Program Files\Mouse Driver\StartAutorun.exe KMConfig.exe
    O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [MSConfig] "C:\Windows\System32\msconfig.exe" /auto
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [Bditikolake] rundll32.exe "C:\Users\Mary Kate\AppData\Local\ixuzazowemulule.dll",Startup
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\3572475\Program\Compaq Connections.exe
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab
    O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
    O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Keyboard And Mouse Communication Service (KMWDSERVICE) - UASSOFT.COM - C:\Program Files\Mouse Driver\KMWDSrv.exe
    O23 - Service: Kodak AiO Device Service (KodakSvc) - SDSD - C:\Program Files\Kodak\printer\center\KodakSvc.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\..\BM\TMBMSRV.exe
    O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    O23 - Service: OfficeScan NT Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
    O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --
    End of file - 7373 bytes

    SuperDave (Malware Removal Specialist, Moderator; Genius; Thanked: 1020; Experience: Expert; OS: Windows 10)
    Re: Request for malware removal assistance
    « Reply #1 on: January 09, 2010, 07:01:48 PM »
    Please go to this link and follow the directions and post the required logs. We really need SAS and MBAM followed by HJT.
    Windows 8 and Windows 10 dual boot with two SSD's

    maine (Topic Starter, Rookie)
      Re: Request for malware removal assistance
      « Reply #2 on: January 10, 2010, 08:07:36 AM »
      Hi,

      I went to the link and followed the instructions.

      Step 1:  I looked for questionable programs and deleted Viewpoint Media Player.
      Step 2:  I ran CCleaner
      Step 3:  I ran SAS and got the following log:

      SUPERAntiSpyware Scan Log
      http://www.superantispyware.com

      Generated 01/10/2010 at 01:28 AM

      Application Version : 4.33.1000

      Core Rules Database Version : 4462
      Trace Rules Database Version: 2283

      Scan type       : Complete Scan
      Total Scan Time : 02:45:18

      Memory items scanned      : 694
      Memory threats detected   : 0
      Registry items scanned    : 8969
      Registry threats detected : 0
      File items scanned        : 152056
      File threats detected     : 20

      Adware.Tracking Cookie
         C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
         C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Cookies\guest@atwola[1].txt
         C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
         C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
         C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Cookies\Low\guest@atwola[1].txt
         C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
         C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
         C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
         C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
         C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Cookies\Low\guest@insightexpressai[2].txt
         C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Cookies\Low\guest@kontera[2].txt
         C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
         C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Cookies\Low\guest@screensavers[1].txt
         C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
         C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][3].txt
         C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Cookies\Low\guest@specificclick[2].txt
         C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
         C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
         C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
         C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt

      Step 4:  I ran MBAM and got the following log:

      Malwarebytes' Anti-Malware 1.44
      Database version: 3533
      Windows 6.0.6000
      Internet Explorer 7.0.6000.16945

      1/10/2010 9:09:07 AM
      mbam-log-2010-01-10 (09-09-07).txt

      Scan type: Quick Scan
      Objects scanned: 111117
      Time elapsed: 10 minute(s), 52 second(s)

      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 0
      Registry Values Infected: 1
      Registry Data Items Infected: 0
      Folders Infected: 0
      Files Infected: 0

      Memory Processes Infected:
      (No malicious items detected)

      Memory Modules Infected:
      (No malicious items detected)

      Registry Keys Infected:
      (No malicious items detected)

      Registry Values Infected:
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bditikolake (Trojan.Agent.U) -> Quarantined and deleted successfully.

      Registry Data Items Infected:
      (No malicious items detected)

      Folders Infected:
      (No malicious items detected)

      Files Infected:
      (No malicious items detected)

      Step 5:  I made sure Java is up to date and removed the older version using JavaRA
      Step 6:  I ran Hijack This and got the following log:

      Logfile of Trend Micro HijackThis v2.0.2
      Scan saved at 9:39:10 AM, on 1/10/2010
      Platform: Windows Vista  (WinNT 6.00.1904)
      MSIE: Internet Explorer v7.00 (7.00.6000.16945)
      Boot mode: Normal

      Running processes:
      C:\Windows\system32\taskeng.exe
      C:\Windows\system32\Dwm.exe
      C:\Windows\Explorer.EXE
      C:\Program Files\Windows Defender\MSASCui.exe
      C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
      C:\Program Files\HP\QuickPlay\QPService.exe
      C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
      C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
      C:\Program Files\Mouse Driver\StartAutorun.exe
      C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
      C:\Program Files\Trend Micro\OfficeScan Client\PccNTMon.exe
      C:\Program Files\Windows Sidebar\sidebar.exe
      C:\Windows\ehome\ehtray.exe
      C:\Program Files\Compaq Connections\3572475\Program\Compaq Connections.exe
      C:\Windows\System32\rundll32.exe
      C:\Program Files\Mouse Driver\KMConfig.exe
      C:\Windows\ehome\ehmsas.exe
      C:\Program Files\Mouse Driver\KMProcess.exe
      C:\Windows\system32\wuauclt.exe
      C:\Program Files\Trend Micro\HijackThis\sniper.exe.exe

      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
      R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
      R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
      R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
      R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
      O1 - Hosts: ::1 localhost
      O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
      O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
      O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
      O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
      O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
      O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
      O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
      O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
      O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
      O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
      O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
      O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
      O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
      O4 - HKLM\..\Run: [KMCONFIG] C:\Program Files\Mouse Driver\StartAutorun.exe KMConfig.exe
      O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
      O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
      O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
      O4 - HKLM\..\Run: [MSConfig] "C:\Windows\System32\msconfig.exe" /auto
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
      O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
      O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
      O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
      O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
      O4 - HKCU\..\Run: [Bditikolake] rundll32.exe "C:\Users\Mary Kate\AppData\Local\ixuzazowemulule.dll",Startup
      O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
      O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
      O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
      O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\3572475\Program\Compaq Connections.exe
      O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
      O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
      O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
      O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab
      O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
      O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
      O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
      O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
      O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
      O23 - Service: Keyboard And Mouse Communication Service (KMWDSERVICE) - UASSOFT.COM - C:\Program Files\Mouse Driver\KMWDSrv.exe
      O23 - Service: Kodak AiO Device Service (KodakSvc) - SDSD - C:\Program Files\Kodak\printer\center\KodakSvc.exe
      O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
      O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
      O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
      O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
      O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\..\BM\TMBMSRV.exe
      O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
      O23 - Service: OfficeScan NT Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
      O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
      O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

      --
      End of file - 7416 bytes

      I hope I have provided enough info for now.  Thank you in advance for any help you can provide

      SuperDave (Malware Removal Specialist, Moderator; Genius; Thanked: 1020; Experience: Expert; OS: Windows 10)
      Re: Request for malware removal assistance
      « Reply #3 on: January 12, 2010, 04:41:25 PM »
      Hello maine and welcome to Computer Hope Forum. My name is Superdave but you can just call me SD. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum so it may take a bit longer to process your logs.

      1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
      2. The fixes are specific to your problem and should only be used for this issue on this machine.
      3. If you don't know or understand something, please don't hesitate to ask.
      4. Please DO NOT run any other tools or scans while I am helping you.
      5. It is important that you reply to this thread. Do not start a new topic.
      6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
      7. Absence of symptoms does not mean that everything is clear.

      Open HijackThis and select Do a system scan only

      Place a check mark next to the following entries: (if there)

      O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
      O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
      O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
      O4 - HKCU\..\Run: [Bditikolake] rundll32.exe "C:\Users\Mary Kate\AppData\Local\ixuzazowemulule.dll",Startup
      O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
      (Description: Nvidia system tray applet. Not necessary. Removing this entry will free up a small amount of system resources.)
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
      (Description: Sun Java update scheduler. Checks for updates. Not necessary. Removing this entry will free up a small amount of system resources.)
      O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab
      O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

      Important: Close all open windows except for HijackThis and then click Fix checked.

      Once completed, exit HijackThis.

      Download ComboFix by sUBs from one of the below links.  Be sure to save it to the Desktop.

      link # 1
      link #2

      Close any open web browsers (Firefox, Internet Explorer, etc) before starting ComboFix.

      Temporarily disable your anti-virus, and any anti-spyware real-time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

      Vista users Right-click combofix.exe and select Run as Administrator and follow the prompts.
      Double-click combofix.exe and follow the prompts.
      When finished, ComboFix will produce a log for you.
      Post the ComboFix log and a new HijackThis log in your next reply.

      NOTE: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

      Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.
      Windows 8 and Windows 10 dual boot with two SSD's
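Added example, not code from this thread or from HijackThis, ComboFix or any tool named above: a small Python checker that applies the same reading SD gave the HJT log to a constructed handful of the thread's own entries. It flags an O2 BHO whose DLL is missing, an O4 autostart that uses rundll32 to load a DLL out of a user's AppData folder (the shape of the Bditikolake entry), and O16 downloaded ActiveX controls; the regexes describing the HJT line format are my assumptions from the logs posted here, not anything HijackThis documents.

```python
import re
from dataclasses import dataclass

# Line shapes seen in the HijackThis v2.0.2 logs in this thread (assumed from
# those logs, not taken from any HijackThis documentation).
ENTRY_RE = re.compile(r"^(?P<kind>[OR]\d+) - (?P<body>.+)$")
O4_RE = re.compile(
    r"^(?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
# rundll32 launching a DLL that lives under a user's AppData tree.  Every
# legitimate vendor entry in the thread's logs loads from system32 or
# Program Files, so this shape is the one worth a second look.
RUNDLL_APPDATA_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+"?(?P<dll>[A-Za-z]:\\Users\\[^"]+?'
    r'\\AppData\\(?:Local|Roaming)\\[^",]+\.dll)"?',
    re.IGNORECASE,
)


@dataclass
class Finding:
    line: str
    reason: str


def analyse_hjt(log_text: str) -> list[Finding]:
    """Return the HJT entries that deserve a reviewer's attention."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header lines, "Running processes" paths, blanks
        kind, body = m.group("kind"), m.group("body")
        if kind == "O2" and body.endswith("(no file)"):
            findings.append(Finding(
                line, "O2 BHO registered but its DLL is missing (orphaned entry)"))
        elif kind == "O4":
            o4 = O4_RE.match(body)
            if o4 and RUNDLL_APPDATA_RE.match(o4.group("cmd")):
                findings.append(Finding(
                    line, "O4 autostart loads a DLL from a user AppData folder via rundll32"))
        elif kind == "O16":
            findings.append(Finding(
                line, "O16 DPF: downloaded ActiveX control; remove unless still needed"))
    return findings


# Constructed sample: a handful of entries copied from the thread's logs.
SAMPLE_LOG = r'''
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\Windows\system32\Dwm.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [Bditikolake] rundll32.exe "C:\Users\Mary Kate\AppData\Local\ixuzazowemulule.dll",Startup
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\3572475\Program\Compaq Connections.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
'''


if __name__ == "__main__":
    for f in analyse_hjt(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Running it against the sample prints three findings: the orphaned WormRadar BHO, the Bditikolake rundll32 entry, and the PopCap O16 control; the vendor entries from system32 and Program Files are left alone.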

      maine (Topic Starter, Rookie)
        Re: Request for malware removal assistance
        « Reply #4 on: January 12, 2010, 08:36:31 PM »
        Dear SD,
        Thank you for all your assistance.  I ran the two scans you requested and here are their results.


        ComboFix 10-01-12.04 - Mary Kate 01/12/2010  21:43:30.1.1 - x86
        Microsoft® Windows Vista™ Home Premium   6.0.6000.0.1252.1.1033.18.958.415 [GMT -5:00]
        Running from: c:\users\Mary Kate\Desktop\ComboFix.exe
        SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
        SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
        SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
        .

        (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
        .

        c:\$recycle.bin\S-1-5-21-1448429526-2781183220-21410950-500
        c:\users\Mary Kate\AppData\Local\ixuzazowemulule.dll

        .
        (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
        .

        -------\Service_Apple Mobile Device


        (((((((((((((((((((((((((   Files Created from 2009-12-13 to 2010-01-13  )))))))))))))))))))))))))))))))
        .

        2010-01-13 02:40 . 2010-01-13 02:40   --------   d-----w-   C:\Temp
        2010-01-13 02:28 . 2010-01-13 02:42   --------   d-----w-   C:\32788R22FWJFW
        2010-01-12 22:59 . 2010-01-12 22:59   --------   d-----w-   c:\users\Mary Kate\AppData\Local\{6BAF7A6F-C530-45D9-9789-ECFAF9BFDDF2}
        2010-01-11 18:09 . 2010-01-11 18:10   --------   d-----w-   c:\users\Mary Kate\AppData\Local\{A8FFFAA9-FE10-424E-A3EB-69CCF85B4075}
        2010-01-10 23:05 . 2007-08-29 03:06   542720   ----a-w-   c:\windows\system32\sysmain.dll
        2010-01-10 23:04 . 2007-09-11 02:20   356864   ----a-w-   c:\windows\system32\MediaMetadataHandler.dll
        2010-01-10 23:04 . 2009-08-31 15:16   428032   ----a-w-   c:\windows\system32\EncDec.dll
        2010-01-10 23:04 . 2009-08-31 15:21   292352   ----a-w-   c:\windows\system32\psisdecd.dll
        2010-01-10 23:04 . 2009-08-31 15:17   1244672   ----a-w-   c:\windows\system32\mcmde.dll
        2010-01-10 23:04 . 2007-10-26 11:14   211000   ----a-w-   c:\windows\system32\drivers\volsnap.sys
        2010-01-10 23:04 . 2008-01-19 05:08   109624   ----a-w-   c:\windows\system32\drivers\ataport.sys
        2010-01-10 23:04 . 2008-01-19 05:07   45112   ----a-w-   c:\windows\system32\drivers\pciidex.sys
        2010-01-10 23:04 . 2008-01-19 05:06   21560   ----a-w-   c:\windows\system32\drivers\atapi.sys
        2010-01-10 23:04 . 2008-01-19 05:06   15928   ----a-w-   c:\windows\system32\drivers\pciide.sys
        2010-01-10 23:04 . 2008-01-19 03:06   154624   ----a-w-   c:\windows\system32\drivers\nwifi.sys
        2010-01-10 23:04 . 2008-10-21 05:16   1645568   ----a-w-   c:\windows\system32\connect.dll
        2010-01-10 23:02 . 2009-08-29 03:41   1686528   ----a-w-   c:\windows\system32\gameux.dll
        2010-01-10 23:02 . 2009-08-29 03:40   28672   ----a-w-   c:\windows\system32\Apphlpdm.dll
        2010-01-10 23:02 . 2009-08-28 23:31   4247552   ----a-w-   c:\windows\system32\GameUXLegacyGDFs.dll
        2010-01-10 22:58 . 2007-01-26 03:00   974336   ----a-w-   c:\windows\system32\crypt32.dll
        2010-01-10 22:56 . 2009-09-10 15:29   311296   ----a-w-   c:\windows\system32\unregmp2.exe
        2010-01-10 22:56 . 2009-09-10 17:39   7680   ----a-w-   c:\windows\system32\spwmp.dll
        2010-01-10 22:55 . 2009-09-10 17:40   4096   ----a-w-   c:\windows\system32\dxmasf.dll
        2010-01-10 22:55 . 2009-09-10 15:29   8147968   ----a-w-   c:\windows\system32\wmploc.DLL
        2010-01-10 22:01 . 2010-01-10 22:01   --------   d-----w-   c:\users\Mary Kate\AppData\Local\{C6E8522D-C5C1-4F4B-89A5-77A2C5760C1F}
        2010-01-10 18:58 . 2010-01-10 18:58   --------   d-----w-   c:\users\Mary Kate\AppData\Local\{9E06EAA5-533A-4F87-B916-9597182D73BE}
        2010-01-10 12:49 . 2010-01-10 12:49   --------   d-----w-   c:\users\Mary Kate\AppData\Local\{2FADB93F-5DB7-4BD9-A96D-E633F27F0DDF}
        2010-01-10 06:36 . 2010-01-10 06:36   --------   d-----w-   c:\users\Mary Kate\AppData\Local\{0B3977F2-E717-4456-BD6B-947A79D1F1E8}
        2010-01-10 03:34 . 2010-01-10 03:34   --------   d-----w-   c:\programdata\SUPERAntiSpyware.com
        2010-01-10 03:33 . 2010-01-10 03:34   --------   d-----w-   c:\program files\SUPERAntiSpyware
        2010-01-10 03:33 . 2010-01-10 03:33   --------   d-----w-   c:\users\Mary Kate\AppData\Roaming\SUPERAntiSpyware.com
        2010-01-10 03:31 . 2010-01-10 03:31   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
        2010-01-09 23:53 . 2010-01-09 23:53   --------   d-----w-   c:\users\Mary Kate\AppData\Local\{478113E6-71FE-4C2A-AEC3-0AD2E4930CD7}
        2010-01-09 21:09 . 2010-01-09 21:09   --------   d-----w-   c:\users\Mary Kate\AppData\Local\{9B2F4782-907F-4245-B4EA-2B37CE798041}
        2010-01-09 17:38 . 2010-01-09 17:38   --------   d-----w-   c:\users\Mary Kate\AppData\Local\{F5FF984D-C90C-488B-B3E8-5FB4C604CA40}
        2010-01-09 17:13 . 2010-01-09 17:13   --------   d-----w-   c:\users\Mary Kate\AppData\Roaming\Malwarebytes
        2010-01-09 17:13 . 2010-01-07 21:07   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
        2010-01-09 17:12 . 2010-01-09 17:12   --------   d-----w-   c:\programdata\Malwarebytes
        2010-01-09 17:12 . 2010-01-09 17:13   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
        2010-01-09 17:12 . 2010-01-07 21:07   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
        2010-01-09 16:20 . 2010-01-09 16:20   --------   d-----w-   c:\users\Mary Kate\AppData\Local\{11C626D8-64DD-4B50-BE50-F6A91DD40781}
        2010-01-09 16:08 . 2010-01-09 16:07   411368   ----a-w-   c:\windows\system32\deploytk.dll
        2010-01-09 14:39 . 2010-01-09 14:39   --------   d-----w-   c:\users\Mary Kate\AppData\Local\{223AC774-2053-4D95-A2BA-19D17C2633F8}
        2010-01-08 15:30 . 2010-01-08 15:30   --------   d-----w-   c:\users\Mary Kate\AppData\Local\{63F192F2-6498-43DF-B8A6-A4F8D2DE063C}
        2010-01-07 22:29 . 2010-01-07 22:29   --------   d-----w-   c:\users\Mary Kate\AppData\Local\{2188F2C8-523D-42AB-BA98-DA8275A137E1}
        2010-01-07 16:30 . 2010-01-07 22:21   --------   d-----w-   c:\program files\Windows Live Safety Center
        2010-01-07 01:39 . 2010-01-07 01:39   --------   d-----w-   c:\users\Mary Kate\AppData\Local\{8B0F77DB-0DB8-4628-9DF8-C434ACC6443F}
        2010-01-06 17:43 . 2010-01-06 18:09   --------   d-----w-   c:\users\Mary Kate\AppData\Local\ElevatedDiagnostics
        2010-01-06 17:38 . 2010-01-06 17:38   --------   d-----w-   c:\program files\Microsoft ATS
        2010-01-04 04:49 . 2010-01-04 04:49   --------   d-----w-   c:\users\Mary Kate\AppData\Local\{17F531F5-BD41-438B-805F-EAD27BE2352D}
        2010-01-03 04:16 . 2010-01-12 22:59   0   ----a-w-   c:\users\Mary Kate\AppData\Local\Tkuki.bin
        2010-01-03 04:16 . 2010-01-11 23:01   120   ----a-w-   c:\users\Mary Kate\AppData\Local\Amupova.dat
        2010-01-03 01:33 . 2010-01-03 01:33   --------   d-----w-   c:\program files\Belkin
        2010-01-03 01:32 . 2010-01-09 17:37   --------   d-----w-   c:\windows\{D9FAE986-A4C1-4A2D-8B20-60F92F4222AD}
        2009-12-20 00:20 . 2009-12-20 00:21   --------   d-----w-   c:\users\Mary Kate\AppData\Roaming\GTek

        .
        ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        2010-01-13 02:40 . 2009-12-03 02:50   --------   d-----w-   c:\program files\Trend Micro
        2010-01-13 01:59 . 2007-05-28 01:12   25515   ----a-w-   c:\users\Mary Kate\AppData\Roaming\nvModes.dat
        2010-01-11 17:59 . 2006-11-02 12:37   --------   d-----w-   c:\program files\Windows Calendar
        2010-01-11 17:58 . 2006-11-02 12:37   --------   d-----w-   c:\program files\Windows Defender
        2010-01-11 17:58 . 2006-11-02 11:18   --------   d-----w-   c:\program files\Windows Mail
        2010-01-11 17:57 . 2006-11-02 10:25   665600   ----a-w-   c:\windows\inf\drvindex.dat
        2010-01-10 03:35 . 2010-01-10 03:35   52224   ----a-w-   c:\users\Mary Kate\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
        2010-01-10 03:35 . 2010-01-10 03:35   117760   ----a-w-   c:\users\Mary Kate\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
        2010-01-10 02:46 . 2007-06-04 21:59   --------   d-----w-   c:\programdata\Viewpoint
        2010-01-09 23:32 . 2010-01-09 23:31   862040   ----a-w-   c:\programdata\Lavasoft\Ad-Aware\Update\threatwork.exe
        2010-01-09 23:31 . 2010-01-09 23:31   206944   ----a-w-   c:\programdata\Lavasoft\Ad-Aware\Update\lavamessage.dll
        2010-01-09 23:31 . 2010-01-09 23:31   390288   ----a-w-   c:\programdata\Lavasoft\Ad-Aware\Update\lavalicense.dll
        2010-01-09 23:31 . 2010-01-09 23:31   537576   ----a-w-   c:\programdata\Lavasoft\Ad-Aware\Update\aawapi.dll
        2010-01-09 23:31 . 2010-01-09 23:31   370744   ----a-w-   c:\programdata\Lavasoft\Ad-Aware\Update\UpdateManager.dll
        2010-01-09 23:31 . 2010-01-09 23:31   194104   ----a-w-   c:\programdata\Lavasoft\Ad-Aware\Update\Savapibridge.dll
        2010-01-09 23:31 . 2010-01-09 23:31   6296864   ----a-w-   c:\programdata\Lavasoft\Ad-Aware\Update\Resources.dll
        2010-01-09 23:31 . 2010-01-09 23:31   933120   ----a-w-   c:\programdata\Lavasoft\Ad-Aware\Update\CEAPI.dll
        2010-01-09 23:31 . 2010-01-09 23:31   816272   ----a-w-   c:\programdata\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
        2010-01-09 23:31 . 2010-01-09 23:31   822904   ----a-w-   c:\programdata\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
        2010-01-09 23:31 . 2010-01-09 23:30   1643272   ----a-w-   c:\programdata\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
        2010-01-09 23:30 . 2010-01-09 23:30   788880   ----a-w-   c:\programdata\Lavasoft\Ad-Aware\Update\AAWTray.exe
        2010-01-09 23:30 . 2010-01-09 23:30   1181328   ----a-w-   c:\programdata\Lavasoft\Ad-Aware\Update\AAWService.exe
        2010-01-09 16:07 . 2007-01-19 01:10   --------   d-----w-   c:\program files\Java
        2010-01-07 22:31 . 2007-05-27 15:11   92456   ----a-w-   c:\users\Mary Kate\AppData\Local\GDIPFONTCACHEV1.DAT
        2010-01-04 05:01 . 2010-01-04 05:01   658184   ----a-w-   c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
        2010-01-03 01:34 . 2007-01-19 00:10   --------   d--h--w-   c:\program files\InstallShield Installation Information
        2009-12-19 00:49 . 2008-11-04 03:46   1356   ----a-w-   c:\users\Mary Kate\AppData\Local\d3d9caps.dat
        2009-12-13 15:18 . 2007-06-04 20:40   20274   ----a-w-   c:\users\Mary Kate\AppData\Roaming\wklnhst.dat
        2009-12-12 23:30 . 2009-12-12 22:34   --------   d-----w-   c:\programdata\Lavasoft
        2009-12-12 22:35 . 2009-12-12 22:17   --------   dc-h--w-   c:\programdata\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
        2009-12-12 22:34 . 2009-12-12 22:34   --------   d-----w-   c:\program files\Lavasoft
        2009-12-11 02:17 . 2009-12-11 02:17   --------   dc----w-   c:\programdata\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
        2009-12-11 01:30 . 2009-12-11 01:30   --------   d-----w-   c:\programdata\AVP 2009
        2009-12-07 14:10 . 2009-12-12 22:35   2953352   -c--a-w-   c:\programdata\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}\Ad-AwareInstallation.exe
        2009-12-03 02:34 . 2008-08-28 17:17   --------   d-----w-   c:\programdata\avg8
        2009-12-02 13:19 . 2009-12-12 23:30   64288   ----a-w-   c:\windows\system32\drivers\Lbd.sys
        2009-12-02 13:19 . 2009-12-13 07:34   15880   ----a-w-   c:\windows\system32\lsdelete.exe
        2009-11-17 01:47 . 2010-01-06 18:11   65264   ----a-w-   c:\windows\AppPatch\MATSShim.DLL
        2009-11-09 13:34 . 2009-12-11 03:12   24064   ----a-w-   c:\windows\system32\nshhttp.dll
        2009-11-09 13:30 . 2009-12-11 03:11   31232   ----a-w-   c:\windows\system32\httpapi.dll
        2009-11-09 11:17 . 2009-12-11 03:11   396800   ----a-w-   c:\windows\system32\drivers\http.sys
        2009-11-03 01:42 . 2009-10-02 20:48   195456   ------w-   c:\windows\system32\MpSigStub.exe
        2009-10-29 07:59 . 2009-12-02 04:41   2048   ----a-w-   c:\windows\system32\tzres.dll
        2009-10-27 15:05 . 2009-12-11 02:35   832512   ----a-w-   c:\windows\system32\wininet.dll
        2009-10-27 15:01 . 2009-12-11 02:35   56320   ----a-w-   c:\windows\system32\iesetup.dll
        2009-10-27 15:01 . 2009-12-11 02:35   78336   ----a-w-   c:\windows\system32\ieencode.dll
        2009-10-27 15:01 . 2009-12-11 02:35   52736   ----a-w-   c:\windows\AppPatch\iebrshim.dll
        2009-10-27 14:59 . 2009-12-11 02:35   72704   ----a-w-   c:\windows\system32\admparse.dll
        2009-10-27 12:27 . 2009-12-11 02:35   26624   ----a-w-   c:\windows\system32\ieUnatt.exe
        2009-10-27 10:56 . 2009-12-11 02:35   48128   ----a-w-   c:\windows\system32\mshtmler.dll
        2007-06-28 20:43 . 2007-06-28 20:43   774144   ----a-w-   c:\program files\RngInterstitial.dll
        .

        (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        .
        *Note* empty entries & legit default entries are not shown
        REGEDIT4

        [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-15 1232896]
        "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2007-01-17 1006264]
        "NvSvc"="c:\windows\system32\nvsvc.dll" [2006-11-27 90191]
        "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-11-27 7757824]
        "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-15 815104]
        "QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-12-03 167936]
        "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
        "QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-11-06 159744]
        "HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2006-12-04 46704]
        "KMCONFIG"="c:\program files\Mouse Driver\StartAutorun.exe" [2007-03-06 212992]
        "hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-01-10 472776]
        "WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 317128]

        c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
        Compaq Connections.lnk - c:\program files\Compaq Connections\3572475\Program\Compaq Connections.exe [2007-1-18 34520]

        [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
        "{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016]
        "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
        "aux"=wdmaud.drv

        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
        @="Service"

        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
        @="Service"

        [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
        path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
        backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
        backupExtension=.CommonStartup

        [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
        path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
        backup=c:\windows\pss\Kodak EasyShare software.lnk.CommonStartup
        backupExtension=.CommonStartup

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
        2008-01-12 02:16   39792   ----a-w-   c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EKIJ5000StatusMonitor]
        2007-04-03 13:54   753664   ----a-w-   c:\windows\System32\spool\drivers\w32x86\3\EKIJ5000MUI.exe

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
        2008-06-02 15:13   267048   ----a-w-   c:\program files\iTunes\iTunesHelper.exe

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
        2008-05-27 14:50   413696   ----a-w-   c:\program files\QuickTime\QTTask.exe

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
        2007-01-19 01:11   77824   ----a-w-   c:\program files\Java\jre1.6.0\bin\jusched.exe

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
        2008-06-15 23:11   185896   ----a-w-   c:\program files\Common Files\Real\Update_OB\realsched.exe

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
        2009-09-04 17:16   158448   ----a-w-   c:\program files\Zune\ZuneLauncher.exe

        [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
        "DisableMonitoring"=dword:00000001

        [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
        "DisableMonitoring"=dword:00000001

        [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
        "DisableMonitoring"=dword:00000001

        R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [12/12/2009 6:30 PM 64288]
        R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
        R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
        R2 KMWDSERVICE;Keyboard And Mouse Communication Service;c:\program files\Mouse Driver\KMWDSrv.exe [4/5/2007 10:29 AM 208896]
        R2 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\Printer\Center\KodakSvc.exe [3/22/2007 6:04 PM 9728]
        R2 MSSQL$CSSQL05;SQL Server (CSSQL05);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2/10/2007 3:29 AM 29178224]
        S3 athrusb;Atheros Wireless LAN USB device driver;c:\windows\System32\drivers\athrusb.sys [1/29/2007 8:56 PM 451072]
        S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/2/2009 8:19 AM 1181328]
        S3 rcmirror;rcmirror;c:\windows\System32\drivers\rcmirror.sys [12/14/2007 12:48 PM 5120]
        S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]
        S3 tmcfw;Trend Micro Common Firewall Service;c:\windows\System32\drivers\TM_CFW.sys [4/20/2007 5:44 PM 307984]
        .
        Contents of the 'Scheduled Tasks' folder
        .
        .
        ------- Supplementary Scan -------
        .
        uStart Page = hxxp://www.google.com/
        uInternet Settings,ProxyOverride = *.local
        FF - ProfilePath - c:\users\Mary Kate\AppData\Roaming\Mozilla\Firefox\Profiles\8eegdjyd.default\
        FF - plugin: c:\program files\CambridgeSoft\ChemOffice2008\Chem3D\npChem3DPlugin.dll
        FF - plugin: c:\program files\CambridgeSoft\ChemOffice2008\ChemDraw\NPCDP32.DLL
        FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll
        FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
        FF - plugin: c:\users\Mary Kate\AppData\Local\Yahoo!\BrowserPlus\2.4.21\Plugins\npybrowserplus_2.4.21.dll
        FF - plugin: c:\users\Mary Kate\AppData\Roaming\Move Networks\plugins\npqmp071503000010.dll
        FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
        .
        - - - - ORPHANS REMOVED - - - -

        Toolbar-SITEguard - (no file)
        HKCU-Run-Bditikolake - c:\users\Mary Kate\AppData\Local\ixuzazowemulule.dll
        AddRemove-HijackThis - c:\program files\Trend Micro\HijackThis\HijackThis.exe



        **************************************************************************

        catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
        Rootkit scan 2010-01-12 21:57
        Windows 6.0.6000  NTFS

        scanning hidden processes ... 

        scanning hidden autostart entries ...

        scanning hidden files ... 

        scan completed successfully
        hidden files: 0

        **************************************************************************
        .
        --------------------- LOCKED REGISTRY KEYS ---------------------

        [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
        @Denied: (A) (Users)
        @Denied: (A) (Everyone)
        @Allowed: (B 1 2 3 4 5) (S-1-5-20)
        "BlindDial"=dword:00000000
        .
        ------------------------ Other Running Processes ------------------------
        .
        c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
        c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
        c:\windows\system32\DRIVERS\xaudio.exe
        c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
        c:\windows\ehome\ehmsas.exe
        c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
        c:\program files\Zune\ZuneNss.exe
        .
        **************************************************************************
        .
        Completion time: 2010-01-12  22:05:03 - machine was rebooted
        ComboFix-quarantined-files.txt  2010-01-13 03:04

        Pre-Run: 35,802,632,192 bytes free
        Post-Run: 35,325,259,776 bytes free

        - - End Of File - - D9CF8986599BD383F93D0C182B023210




        Logfile of Trend Micro HijackThis v2.0.2
        Scan saved at 10:09:09 PM, on 1/12/2010
        Platform: Windows Vista  (WinNT 6.00.1904)
        MSIE: Internet Explorer v7.00 (7.00.6000.16945)
        Boot mode: Normal

        Running processes:
        C:\Windows\system32\taskeng.exe
        C:\Windows\system32\Dwm.exe
        C:\Program Files\Windows Defender\MSASCui.exe
        C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
        C:\Program Files\HP\QuickPlay\QPService.exe
        C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
        C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
        C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
        C:\Windows\ehome\ehtray.exe
        C:\Program Files\Compaq Connections\3572475\Program\Compaq Connections.exe
        C:\Windows\ehome\ehmsas.exe
        C:\Windows\Explorer.exe
        C:\Windows\system32\wuauclt.exe
        C:\Windows\system32\notepad.exe
        C:\Program Files\Trend Micro\HijackThis\sniper.exe.exe

        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
        R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
        R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
        O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
        O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
        O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
        O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
        O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
        O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
        O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
        O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
        O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
        O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
        O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
        O4 - HKLM\..\Run: [KMCONFIG] C:\Program Files\Mouse Driver\StartAutorun.exe KMConfig.exe
        O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
        O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
        O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
        O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
        O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\3572475\Program\Compaq Connections.exe
        O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
        O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
        O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
        O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
        O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
        O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
        O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
        O23 - Service: Keyboard And Mouse Communication Service (KMWDSERVICE) - UASSOFT.COM - C:\Program Files\Mouse Driver\KMWDSrv.exe
        O23 - Service: Kodak AiO Device Service (KodakSvc) - SDSD - C:\Program Files\Kodak\printer\center\KodakSvc.exe
        O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
        O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
        O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
        O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

        --
        End of file - 4887 bytes



        Also, after running these scans I am unable to use any programs unless I select "run as administrator."
        For example, when trying to run Internet Explorer or Firefox a box pops up: "Illegal operation on registry key that has been marked for deletion".

        Thank you for all your help, I really appreciate it!

        SuperDave

        • Malware Removal Specialist
        • Moderator

        Re: Request for malware removal assistance
        « Reply #5 on: January 13, 2010, 07:49:03 AM »
        1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
        It must be Notepad, not Wordpad.
        2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

        Code:
        KillAll::

        File::
        C:\Temp
        C:\32788R22FWJFW


        3. Go to the Notepad window and click Edit > Paste
        4. Then click File > Save
        5. Name the file CFScript.txt - Save the file to your Desktop
        6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



        ComboFix will begin to execute, just follow the prompts.
        After reboot (in case it asks to reboot), it will produce a log for you.
        Post that log (Combofix.txt) in your next reply.

        Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.

        Download Security Check by screen317 from one of the following links and save it to your desktop.

        Link 1
        Link 2

        * Unzip SecurityCheck.zip and a folder named Security Check should appear.
        * Open the Security Check folder and double-click Security Check.bat
        * Follow the on-screen instructions inside of the black box.
        * A Notepad document should open automatically called checkup.txt
        * Post the contents of that document in your next reply.

        Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.

        Windows 8 and Windows 10 dual boot with two SSD's

        maine

          Topic Starter


          Rookie

          Re: Request for malware removal assistance
          « Reply #6 on: January 13, 2010, 10:55:22 AM »
          Hi, I followed your instructions and here are the 2 logs:
          Thanks Superdave!

          ComboFix 10-01-12.04 - Mary Kate 01/13/2010  12:10:37.2.1 - x86
          Microsoft® Windows Vista™ Home Premium   6.0.6000.0.1252.1.1033.18.958.224 [GMT -5:00]
          Running from: c:\users\Mary Kate\Desktop\ComboFix.exe
          Command switches used :: c:\users\Mary Kate\Desktop\CFScript.txt
          SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
          SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
          SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

          FILE ::
          "C:\32788R22FWJFW"
          "C:\Temp"
          .

          (((((((((((((((((((((((((   Files Created from 2009-12-13 to 2010-01-13  )))))))))))))))))))))))))))))))
          .

          2010-01-13 17:23 . 2010-01-13 17:28   --------   d-----w-   c:\users\Mary Kate\AppData\Local\temp
          2010-01-13 17:23 . 2010-01-13 17:23   --------   d-----w-   c:\users\Sega\AppData\Local\temp
          2010-01-13 17:23 . 2010-01-13 17:23   --------   d-----w-   c:\users\Public\AppData\Local\temp
          2010-01-13 17:23 . 2010-01-13 17:23   --------   d-----w-   c:\users\Default\AppData\Local\temp
          2010-01-13 17:23 . 2010-01-13 17:23   --------   d-----w-   c:\users\Guest\AppData\Local\temp
          2010-01-13 16:36 . 2010-01-13 16:36   --------   d-----w-   C:\32788R22FWJFW
          2010-01-13 16:07 . 2010-01-13 16:10   --------   d-----w-   c:\windows\LastGood.Tmp
          2010-01-13 03:53 . 2010-01-13 03:53   --------   d-----w-   c:\windows\system32\config\systemprofile\{1d30e7a1-2a41-43cc-b339-46892ab7ddfd}
          2010-01-13 02:40 . 2010-01-13 02:40   --------   d-----w-   C:\Temp
          2010-01-12 23:50 . 2009-10-19 14:42   156672   ----a-w-   c:\windows\system32\t2embed.dll
          2010-01-12 23:50 . 2009-10-19 14:39   24064   ----a-w-   c:\windows\system32\lpk.dll
          2010-01-12 23:50 . 2009-10-19 14:37   72704   ----a-w-   c:\windows\system32\fontsub.dll
          2010-01-12 23:50 . 2009-10-19 14:37   10240   ----a-w-   c:\windows\system32\dciman32.dll
          2010-01-12 23:50 . 2009-10-19 14:36   34304   ----a-w-   c:\windows\system32\atmlib.dll
          2010-01-12 23:50 . 2009-10-19 11:45   289792   ----a-w-   c:\windows\system32\atmfd.dll
          2010-01-12 22:59 . 2010-01-12 22:59   --------   d-----w-   c:\users\Mary Kate\AppData\Local\{6BAF7A6F-C530-45D9-9789-ECFAF9BFDDF2}
          2010-01-11 18:09 . 2010-01-11 18:10   --------   d-----w-   c:\users\Mary Kate\AppData\Local\{A8FFFAA9-FE10-424E-A3EB-69CCF85B4075}
          2010-01-10 23:05 . 2007-08-29 03:06   542720   ----a-w-   c:\windows\system32\sysmain.dll
          2010-01-10 23:04 . 2007-09-11 02:20   356864   ----a-w-   c:\windows\system32\MediaMetadataHandler.dll
          2010-01-10 23:04 . 2009-08-31 15:16   428032   ----a-w-   c:\windows\system32\EncDec.dll
          2010-01-10 23:04 . 2009-08-31 15:21   292352   ----a-w-   c:\windows\system32\psisdecd.dll
          2010-01-10 23:04 . 2009-08-31 15:17   1244672   ----a-w-   c:\windows\system32\mcmde.dll
          2010-01-10 23:04 . 2007-10-26 11:14   211000   ----a-w-   c:\windows\system32\drivers\volsnap.sys
          2010-01-10 23:04 . 2008-01-19 05:08   109624   ----a-w-   c:\windows\system32\drivers\ataport.sys
          2010-01-10 23:04 . 2008-01-19 05:07   45112   ----a-w-   c:\windows\system32\drivers\pciidex.sys
          2010-01-10 23:04 . 2008-01-19 05:06   21560   ----a-w-   c:\windows\system32\drivers\atapi.sys
          2010-01-10 23:04 . 2008-01-19 05:06   15928   ----a-w-   c:\windows\system32\drivers\pciide.sys
          2010-01-10 23:04 . 2008-01-19 03:06   154624   ----a-w-   c:\windows\system32\drivers\nwifi.sys
          2010-01-10 23:04 . 2008-10-21 05:16   1645568   ----a-w-   c:\windows\system32\connect.dll
          2010-01-10 23:02 . 2009-08-29 03:41   1686528   ----a-w-   c:\windows\system32\gameux.dll
          2010-01-10 23:02 . 2009-08-29 03:40   28672   ----a-w-   c:\windows\system32\Apphlpdm.dll
          2010-01-10 23:02 . 2009-08-28 23:31   4247552   ----a-w-   c:\windows\system32\GameUXLegacyGDFs.dll
          2010-01-10 22:58 . 2007-01-26 03:00   974336   ----a-w-   c:\windows\system32\crypt32.dll
          2010-01-10 22:56 . 2009-09-10 15:29   311296   ----a-w-   c:\windows\system32\unregmp2.exe
          2010-01-10 22:56 . 2009-09-10 17:39   7680   ----a-w-   c:\windows\system32\spwmp.dll
          2010-01-10 22:55 . 2009-09-10 17:40   4096   ----a-w-   c:\windows\system32\dxmasf.dll
          2010-01-10 22:55 . 2009-09-10 15:29   8147968   ----a-w-   c:\windows\system32\wmploc.DLL
          2010-01-10 22:01 . 2010-01-10 22:01   --------   d-----w-   c:\users\Mary Kate\AppData\Local\{C6E8522D-C5C1-4F4B-89A5-77A2C5760C1F}
          2010-01-10 18:58 . 2010-01-10 18:58   --------   d-----w-   c:\users\Mary Kate\AppData\Local\{9E06EAA5-533A-4F87-B916-9597182D73BE}
          2010-01-10 12:49 . 2010-01-10 12:49   --------   d-----w-   c:\users\Mary Kate\AppData\Local\{2FADB93F-5DB7-4BD9-A96D-E633F27F0DDF}
          2010-01-10 06:36 . 2010-01-10 06:36   --------   d-----w-   c:\users\Mary Kate\AppData\Local\{0B3977F2-E717-4456-BD6B-947A79D1F1E8}
          2010-01-10 03:34 . 2010-01-10 03:34   --------   d-----w-   c:\programdata\SUPERAntiSpyware.com
          2010-01-10 03:33 . 2010-01-10 03:34   --------   d-----w-   c:\program files\SUPERAntiSpyware
          2010-01-10 03:33 . 2010-01-10 03:33   --------   d-----w-   c:\users\Mary Kate\AppData\Roaming\SUPERAntiSpyware.com
          2010-01-10 03:31 . 2010-01-10 03:31   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
          2010-01-09 23:53 . 2010-01-09 23:53   --------   d-----w-   c:\users\Mary Kate\AppData\Local\{478113E6-71FE-4C2A-AEC3-0AD2E4930CD7}
          2010-01-09 21:09 . 2010-01-09 21:09   --------   d-----w-   c:\users\Mary Kate\AppData\Local\{9B2F4782-907F-4245-B4EA-2B37CE798041}
          2010-01-09 17:38 . 2010-01-09 17:38   --------   d-----w-   c:\users\Mary Kate\AppData\Local\{F5FF984D-C90C-488B-B3E8-5FB4C604CA40}
          2010-01-09 17:13 . 2010-01-09 17:13   --------   d-----w-   c:\users\Mary Kate\AppData\Roaming\Malwarebytes
          2010-01-09 17:13 . 2010-01-07 21:07   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
          2010-01-09 17:12 . 2010-01-09 17:12   --------   d-----w-   c:\programdata\Malwarebytes
          2010-01-09 17:12 . 2010-01-09 17:13   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
          2010-01-09 17:12 . 2010-01-07 21:07   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
          2010-01-09 16:20 . 2010-01-09 16:20   --------   d-----w-   c:\users\Mary Kate\AppData\Local\{11C626D8-64DD-4B50-BE50-F6A91DD40781}
          2010-01-09 16:08 . 2010-01-09 16:07   411368   ----a-w-   c:\windows\system32\deploytk.dll
          2010-01-09 14:39 . 2010-01-09 14:39   --------   d-----w-   c:\users\Mary Kate\AppData\Local\{223AC774-2053-4D95-A2BA-19D17C2633F8}
          2010-01-08 15:30 . 2010-01-08 15:30   --------   d-----w-   c:\users\Mary Kate\AppData\Local\{63F192F2-6498-43DF-B8A6-A4F8D2DE063C}
          2010-01-07 22:29 . 2010-01-07 22:29   --------   d-----w-   c:\users\Mary Kate\AppData\Local\{2188F2C8-523D-42AB-BA98-DA8275A137E1}
          2010-01-07 16:30 . 2010-01-07 22:21   --------   d-----w-   c:\program files\Windows Live Safety Center
          2010-01-07 01:39 . 2010-01-07 01:39   --------   d-----w-   c:\users\Mary Kate\AppData\Local\{8B0F77DB-0DB8-4628-9DF8-C434ACC6443F}
          2010-01-06 17:43 . 2010-01-06 18:09   --------   d-----w-   c:\users\Mary Kate\AppData\Local\ElevatedDiagnostics
          2010-01-06 17:38 . 2010-01-06 17:38   --------   d-----w-   c:\program files\Microsoft ATS
          2010-01-04 04:49 . 2010-01-04 04:49   --------   d-----w-   c:\users\Mary Kate\AppData\Local\{17F531F5-BD41-438B-805F-EAD27BE2352D}
          2010-01-03 04:16 . 2010-01-12 22:59   0   ----a-w-   c:\users\Mary Kate\AppData\Local\Tkuki.bin
          2010-01-03 04:16 . 2010-01-11 23:01   120   ----a-w-   c:\users\Mary Kate\AppData\Local\Amupova.dat
          2010-01-03 01:33 . 2010-01-03 01:33   --------   d-----w-   c:\program files\Belkin
          2010-01-03 01:32 . 2010-01-09 17:37   --------   d-----w-   c:\windows\{D9FAE986-A4C1-4A2D-8B20-60F92F4222AD}
          2009-12-20 00:20 . 2009-12-20 00:21   --------   d-----w-   c:\users\Mary Kate\AppData\Roaming\GTek

          .
          ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          2010-01-13 16:33 . 2009-12-03 02:50   --------   d-----w-   c:\program files\Trend Micro
          2010-01-13 15:44 . 2006-11-02 11:18   --------   d-----w-   c:\program files\Windows Mail
          2010-01-13 15:28 . 2007-05-28 01:12   25515   ----a-w-   c:\users\Mary Kate\AppData\Roaming\nvModes.dat
          2010-01-11 17:59 . 2006-11-02 12:37   --------   d-----w-   c:\program files\Windows Calendar
          2010-01-11 17:58 . 2006-11-02 12:37   --------   d-----w-   c:\program files\Windows Defender
          2010-01-10 02:46 . 2007-06-04 21:59   --------   d-----w-   c:\programdata\Viewpoint
          2010-01-09 16:07 . 2007-01-19 01:10   --------   d-----w-   c:\program files\Java
          2010-01-07 22:31 . 2007-05-27 15:11   92456   ----a-w-   c:\users\Mary Kate\AppData\Local\GDIPFONTCACHEV1.DAT
          2010-01-03 01:34 . 2007-01-19 00:10   --------   d--h--w-   c:\program files\InstallShield Installation Information
          2009-12-19 00:49 . 2008-11-04 03:46   1356   ----a-w-   c:\users\Mary Kate\AppData\Local\d3d9caps.dat
          2009-12-13 15:18 . 2007-06-04 20:40   20274   ----a-w-   c:\users\Mary Kate\AppData\Roaming\wklnhst.dat
          2009-12-12 23:30 . 2009-12-12 22:34   --------   d-----w-   c:\programdata\Lavasoft
          2009-12-12 22:35 . 2009-12-12 22:17   --------   dc-h--w-   c:\programdata\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
          2009-12-12 22:34 . 2009-12-12 22:34   --------   d-----w-   c:\program files\Lavasoft
          2009-12-11 02:17 . 2009-12-11 02:17   --------   dc----w-   c:\programdata\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
          2009-12-11 01:30 . 2009-12-11 01:30   --------   d-----w-   c:\programdata\AVP 2009
          2009-12-03 02:34 . 2008-08-28 17:17   --------   d-----w-   c:\programdata\avg8
          2009-12-02 13:19 . 2009-12-12 23:30   64288   ----a-w-   c:\windows\system32\drivers\Lbd.sys
          2009-12-02 13:19 . 2009-12-13 07:34   15880   ----a-w-   c:\windows\system32\lsdelete.exe
          2009-11-09 13:34 . 2009-12-11 03:12   24064   ----a-w-   c:\windows\system32\nshhttp.dll
          2009-11-09 13:30 . 2009-12-11 03:11   31232   ----a-w-   c:\windows\system32\httpapi.dll
          2009-11-09 11:17 . 2009-12-11 03:11   396800   ----a-w-   c:\windows\system32\drivers\http.sys
          2009-11-03 01:42 . 2009-10-02 20:48   195456   ------w-   c:\windows\system32\MpSigStub.exe
          2009-10-29 07:59 . 2009-12-02 04:41   2048   ----a-w-   c:\windows\system32\tzres.dll
          2009-10-27 15:05 . 2009-12-11 02:35   832512   ----a-w-   c:\windows\system32\wininet.dll
          2009-10-27 15:01 . 2009-12-11 02:35   56320   ----a-w-   c:\windows\system32\iesetup.dll
          2009-10-27 15:01 . 2009-12-11 02:35   78336   ----a-w-   c:\windows\system32\ieencode.dll
          2009-10-27 14:59 . 2009-12-11 02:35   72704   ----a-w-   c:\windows\system32\admparse.dll
          2009-10-27 12:27 . 2009-12-11 02:35   26624   ----a-w-   c:\windows\system32\ieUnatt.exe
          2009-10-27 10:56 . 2009-12-11 02:35   48128   ----a-w-   c:\windows\system32\mshtmler.dll
          2007-06-28 20:43 . 2007-06-28 20:43   774144   ----a-w-   c:\program files\RngInterstitial.dll
          .

          (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          .
          *Note* empty entries & legit default entries are not shown
          REGEDIT4

          [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-15 1232896]
          "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]

          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2007-01-17 1006264]
          "NvSvc"="c:\windows\system32\nvsvc.dll" [2006-11-27 90191]
          "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-11-27 7757824]
          "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-15 815104]
          "QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-12-03 167936]
          "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
          "QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-11-06 159744]
          "HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2006-12-04 46704]
          "KMCONFIG"="c:\program files\Mouse Driver\StartAutorun.exe" [2007-03-06 212992]
          "hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-01-10 472776]
          "WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 317128]

          c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
          Compaq Connections.lnk - c:\program files\Compaq Connections\3572475\Program\Compaq Connections.exe [2007-1-18 34520]

          [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
          "{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016]
          "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
          "aux"=wdmaud.drv

          [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
          @="Service"

          [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
          @="Service"

          [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
          path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
          backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
          backupExtension=.CommonStartup

          [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
          path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
          backup=c:\windows\pss\Kodak EasyShare software.lnk.CommonStartup
          backupExtension=.CommonStartup

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
          2008-01-12 02:16   39792   ----a-w-   c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EKIJ5000StatusMonitor]
          2007-04-03 13:54   753664   ----a-w-   c:\windows\System32\spool\drivers\w32x86\3\EKIJ5000MUI.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
          2008-06-02 15:13   267048   ----a-w-   c:\program files\iTunes\iTunesHelper.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
          2008-05-27 14:50   413696   ----a-w-   c:\program files\QuickTime\QTTask.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
          2007-01-19 01:11   77824   ----a-w-   c:\program files\Java\jre1.6.0\bin\jusched.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
          2008-06-15 23:11   185896   ----a-w-   c:\program files\Common Files\Real\Update_OB\realsched.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
          2009-09-04 17:16   158448   ----a-w-   c:\program files\Zune\ZuneLauncher.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
          "DisableMonitoring"=dword:00000001

          [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
          "DisableMonitoring"=dword:00000001

          [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
          "DisableMonitoring"=dword:00000001

          R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [12/12/2009 6:30 PM 64288]
          R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
          R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
          R2 KMWDSERVICE;Keyboard And Mouse Communication Service;c:\program files\Mouse Driver\KMWDSrv.exe [4/5/2007 10:29 AM 208896]
          R2 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\Printer\Center\KodakSvc.exe [3/22/2007 6:04 PM 9728]
          R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/2/2009 8:19 AM 1181328]
          R2 MSSQL$CSSQL05;SQL Server (CSSQL05);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2/10/2007 3:29 AM 29178224]
          R3 athrusb;Atheros Wireless LAN USB device driver;c:\windows\System32\drivers\athrusb.sys [1/29/2007 8:56 PM 451072]
          S3 rcmirror;rcmirror;c:\windows\System32\drivers\rcmirror.sys [12/14/2007 12:48 PM 5120]
          S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]
          S3 tmcfw;Trend Micro Common Firewall Service;c:\windows\System32\drivers\TM_CFW.sys [4/20/2007 5:44 PM 307984]
          .
          .
          ------- Supplementary Scan -------
          .
          uStart Page = hxxp://www.google.com/
          uInternet Settings,ProxyOverride = *.local
          FF - ProfilePath - c:\users\Mary Kate\AppData\Roaming\Mozilla\Firefox\Profiles\8eegdjyd.default\
          FF - plugin: c:\program files\CambridgeSoft\ChemOffice2008\Chem3D\npChem3DPlugin.dll
          FF - plugin: c:\program files\CambridgeSoft\ChemOffice2008\ChemDraw\NPCDP32.DLL
          FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll
          FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
          FF - plugin: c:\users\Mary Kate\AppData\Local\Yahoo!\BrowserPlus\2.4.21\Plugins\npybrowserplus_2.4.21.dll
          FF - plugin: c:\users\Mary Kate\AppData\Roaming\Move Networks\plugins\npqmp071503000010.dll
          FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
          .

          **************************************************************************

          catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
          Rootkit scan 2010-01-13 12:27
          Windows 6.0.6000  NTFS

          scanning hidden processes ... 

          scanning hidden autostart entries ...

          scanning hidden files ... 

          scan completed successfully
          hidden files: 0

          **************************************************************************
          .
          --------------------- LOCKED REGISTRY KEYS ---------------------

          [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
          @Denied: (A) (Users)
          @Denied: (A) (Everyone)
          @Allowed: (B 1 2 3 4 5) (S-1-5-20)
          "BlindDial"=dword:00000000
          .
          ------------------------ Other Running Processes ------------------------
          .
          c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
          c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
          c:\windows\system32\DRIVERS\xaudio.exe
          c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
          c:\windows\system32\wbem\unsecapp.exe
          c:\windows\ehome\ehmsas.exe
          c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
          c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
          c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe
          c:\program files\Zune\ZuneNss.exe
          c:\windows\servicing\TrustedInstaller.exe
          c:\windows\system32\lpksetup.exe
          .
          **************************************************************************
          .
          Completion time: 2010-01-13  12:42:05 - machine was rebooted
          ComboFix-quarantined-files.txt  2010-01-13 17:42
          ComboFix2.txt  2010-01-13 03:05

          Pre-Run: 34,682,777,600 bytes free
          Post-Run: 34,500,608,000 bytes free

          - - End Of File - - B1BCA1DB34D6C05191FDBEAF0104A89B
           Results of screen317's Security Check version 0.99.1    
           Windows Vista  (UAC is enabled)
           Out of date service pack!!
          ``````````````````````````````
          Antivirus/Firewall Check:

           Windows Firewall Enabled! 
           WMIC entry does not exist for antivirus; attempting automatic update.
          ``````````````````````````````
          Anti-malware/Other Utilities Check:

           Ad-Aware
           SUPERAntiSpyware Free Edition   
           HijackThis 2.0.2   
           CCleaner     
           Java(TM) 6 Update 17 
           Java(TM) SE Runtime Environment 6
           Adobe Flash Player 10 
          Adobe Reader 8.1.2
          Adobe Reader 8.1.2 Security Update 1 (KB403742)
          Out of date Adobe Reader installed!
          ``````````````````````````````
          Process Check: 
          objlist.exe by Laurent

           Windows Defender MSASCui.exe 
           Ad-Aware AAWService.exe is disabled!
           Ad-Aware AAWTray.exe is disabled!
          ``````````````````````````````
          DNS Vulnerability Check:

           Unknown. This method cannot test your vulnerability to DNS cache poisoning.

          `````````End of Log```````````
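
The two ComboFix sections that matter most for triage in a log like the one above are the "Files Created" listing and the "Reg Loading Points" block. The Python below is an added example (not code from this thread and not ComboFix's own) that parses both and flags entries worth a second look. The sample input is a constructed subset of lines copied from the log posted above; the flagging rules (small, random-looking .bin/.dat files and GUID-named folders created directly under AppData\Local) are heuristics of my own and are assumptions, not verdicts, since legitimate installers drop the same kinds of artefacts.

```python
"""Triage helper for ComboFix log sections (added example; not ComboFix's own
code and not from the thread). Parses the "Files Created"/"Find3M" listing
lines and the REGEDIT4-style "Reg Loading Points" block, then flags entries
worth a manual look. The flags are heuristics (assumptions), not verdicts:
legitimate software also drops small .dat files and GUID-named folders."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a subset of lines copied from the log posted above.
SAMPLE_LOG = r"""
(((((((((((((((((((((((((   Files Created from 2009-12-14 to 2010-01-14  )))))))))))))))))))))))))))))))
.
2010-01-12 22:59 . 2010-01-12 22:59   --------   d-----w-   c:\users\Mary Kate\AppData\Local\{6BAF7A6F-C530-45D9-9789-ECFAF9BFDDF2}
2010-01-09 17:13 . 2010-01-07 21:07   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-03 04:16 . 2010-01-12 22:59   0   ----a-w-   c:\users\Mary Kate\AppData\Local\Tkuki.bin
2010-01-03 04:16 . 2010-01-11 23:01   120   ----a-w-   c:\users\Mary Kate\AppData\Local\Amupova.dat
2010-01-03 01:33 . 2010-01-03 01:33   --------   d-----w-   c:\program files\Belkin
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-15 1232896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2007-01-17 1006264]
"KMCONFIG"="c:\program files\Mouse Driver\StartAutorun.exe" [2007-03-06 212992]
"""

# "<created> . <modified>   <size|-------->   <attrs>   <path>"
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>\S+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>\S.*)$"
)
REG_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"(?:\s+\[(?P<meta>[^\]]*)\])?')
GUID_NAME = re.compile(r"^\{[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}$", re.I)
RANDOM_DATA_FILE = re.compile(r"^[A-Za-z]{3,8}\.(?:bin|dat)$")  # heuristic (assumption)


@dataclass
class FileEntry:
    created: str
    modified: str
    size: Optional[int]  # None for directories (ComboFix prints '--------')
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def parent(self) -> str:
        return self.path.rsplit("\\", 1)[0].lower()


@dataclass
class Autorun:
    key: str     # registry key the value lives under
    name: str    # value name
    target: str  # command / path ComboFix resolved
    meta: str    # "[date size]" ComboFix appends, if present


def parse_combofix(text: str) -> Tuple[List[FileEntry], List[Autorun]]:
    """Extract file-listing rows and Run-style autorun values from a ComboFix log."""
    files: List[FileEntry] = []
    autoruns: List[Autorun] = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = FILE_LINE.match(line)
        if m:
            size = None if m["size"].startswith("-") else int(m["size"])
            files.append(FileEntry(m["created"], m["modified"], size, m["attrs"], m["path"]))
            continue
        m = REG_KEY.match(line)
        if m:
            current_key = m["key"]
            continue
        m = REG_VALUE.match(line)
        if m and current_key:
            autoruns.append(Autorun(current_key, m["name"], m["target"], m["meta"] or ""))
    return files, autoruns


def triage(files: List[FileEntry], max_size: int = 4096) -> List[Tuple[str, str]]:
    """(reason, path) pairs for entries directly under <user>\\AppData\\Local that
    match the heuristics. A hit means 'review this', not 'this is malware'."""
    findings = []
    for f in files:
        if not f.parent.endswith("\\appdata\\local"):
            continue
        if f.is_dir and GUID_NAME.match(f.name):
            findings.append(("GUID-named folder created directly under AppData\\Local", f.path))
        elif not f.is_dir and f.size is not None and f.size <= max_size and RANDOM_DATA_FILE.match(f.name):
            findings.append(("small, random-looking .bin/.dat directly under AppData\\Local", f.path))
    return findings


def autoruns_outside(autoruns: List[Autorun], roots=("c:\\program files", "c:\\windows")) -> List[Autorun]:
    """Autorun targets that do not live under the expected install roots."""
    return [a for a in autoruns if not a.target.lower().startswith(roots)]


if __name__ == "__main__":
    entries, runs = parse_combofix(SAMPLE_LOG)
    for reason, path in triage(entries):
        print(f"REVIEW  {path}  ({reason})")
    for a in autoruns_outside(runs):
        print(f"AUTORUN outside expected roots: {a.key}\\{a.name} -> {a.target}")
```

Run it against a full saved log by reading the file into `parse_combofix`; against the sample it reports the GUID folder plus Tkuki.bin and Amupova.dat for review and no autoruns outside Program Files or Windows. Widen `RANDOM_DATA_FILE` or `roots` to taste; the point is to get the handful of entries worth checking out of several hundred lines quickly.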




          SuperDave

          Re: Request for malware removal assistance
          « Reply #7 on: January 13, 2010, 12:58:36 PM »
Could you please re-enable all your security programs including your Anti-Virus and run the Security Check again?
          Windows 8 and Windows 10 dual boot with two SSD's

          SuperDave

          Re: Request for malware removal assistance
          « Reply #8 on: January 13, 2010, 01:00:01 PM »
          Let's try this one more time.

          1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
          It must be Notepad, not Wordpad.
          2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
          KillAll::

          File::
          c:\windows\LastGood.Tmp

          Folder::
          C:\Temp
          C:\32788R22FWJFW


          3. Go to the Notepad window and click Edit > Paste
          4. Then click File > Save
          5. Name the file CFScript.txt - Save the file to your Desktop
          6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



          ComboFix will begin to execute, just follow the prompts.
          After reboot (in case it asks to reboot), it will produce a log for you.
          Post that log (Combofix.txt) in your next reply.

          Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

          maine


            Re: Request for malware removal assistance
            « Reply #9 on: January 13, 2010, 06:07:52 PM »
            Hi,
            I tried running combofix again, but it wouldn't let me because it said it may have been compromised.  Should I re-install it?

            SuperDave

            Re: Request for malware removal assistance
            « Reply #10 on: January 14, 2010, 01:14:45 PM »
            Yes. Please delete the one you have on your desktop and download a new version then run the script.

            maine


              Re: Request for malware removal assistance
              « Reply #11 on: January 14, 2010, 04:34:57 PM »
              Hello, here is the security check and combofix.  Thanks!
              By the way, what is wrong with my computer, and how did I get this problem? 
              Thanks!

               Results of screen317's Security Check version 0.99.1    
               Windows Vista  (UAC is enabled)
               Out of date service pack!!
              ``````````````````````````````
              Antivirus/Firewall Check:

               Windows Firewall Enabled! 
               Trend Micro OfficeScan Client   
               Antivirus up to date! (On Access scanning disabled!)
              ``````````````````````````````
              Anti-malware/Other Utilities Check:

               Ad-Aware
               SUPERAntiSpyware Free Edition   
               HijackThis 2.0.2   
               CCleaner     
               Java(TM) 6 Update 17 
               Java(TM) SE Runtime Environment 6
               Adobe Flash Player 10 
              Adobe Reader 8.1.2
              Adobe Reader 8.1.2 Security Update 1 (KB403742)
              Out of date Adobe Reader installed!
              ``````````````````````````````
              Process Check: 
              objlist.exe by Laurent

               Windows Defender MSASCui.exe 
               Ad-Aware AAWService.exe is disabled!
               Ad-Aware AAWTray.exe is disabled!
              ``````````````````````````````
              DNS Vulnerability Check:

               Unknown. This method cannot test your vulnerability to DNS cache poisoning.

              `````````End of Log```````````



              ComboFix 10-01-14.02 - Mary Kate 01/14/2010  17:57:26.4.1 - x86
              Microsoft® Windows Vista™ Home Premium   6.0.6000.0.1252.1.1033.18.958.194 [GMT -5:00]
              Running from: c:\users\Mary Kate\Downloads\ComboFix.exe
              Command switches used :: c:\users\Mary Kate\Desktop\CFScript.txt
              AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {4CA5B9AB-4295-4D4C-9664-0EBE85AE0525}
              FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
              SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
              SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
              SP: Trend Micro OfficeScan Anti-spyware *enabled* (Updated) {6D124117-24A2-4555-BD42-A763D52CFEB2}
              SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

              FILE ::
              "c:\windows\LastGood.Tmp"
              .

              (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
              .

              C:\32788R22FWJFW
              c:\32788r22fwjfw\EN-US\cmd.cfxxe.mui

              .
              (((((((((((((((((((((((((   Files Created from 2009-12-14 to 2010-01-14  )))))))))))))))))))))))))))))))
              .

              2010-01-14 23:09 . 2010-01-14 23:14   --------   d-----w-   c:\users\Mary Kate\AppData\Local\temp
              2010-01-14 23:09 . 2010-01-14 23:09   --------   d-----w-   c:\users\Sega\AppData\Local\temp
              2010-01-14 23:09 . 2010-01-14 23:09   --------   d-----w-   c:\users\Public\AppData\Local\temp
              2010-01-14 23:09 . 2010-01-14 23:09   --------   d-----w-   c:\users\Guest\AppData\Local\temp
              2010-01-14 23:09 . 2010-01-14 23:09   --------   d-----w-   c:\users\Default\AppData\Local\temp
              2010-01-13 03:53 . 2010-01-13 03:53   --------   d-----w-   c:\windows\system32\config\systemprofile\{1d30e7a1-2a41-43cc-b339-46892ab7ddfd}
              2010-01-12 23:50 . 2009-10-19 14:42   156672   ----a-w-   c:\windows\system32\t2embed.dll
              2010-01-12 23:50 . 2009-10-19 14:39   24064   ----a-w-   c:\windows\system32\lpk.dll
              2010-01-12 23:50 . 2009-10-19 14:37   72704   ----a-w-   c:\windows\system32\fontsub.dll
              2010-01-12 23:50 . 2009-10-19 14:37   10240   ----a-w-   c:\windows\system32\dciman32.dll
              2010-01-12 23:50 . 2009-10-19 14:36   34304   ----a-w-   c:\windows\system32\atmlib.dll
              2010-01-12 23:50 . 2009-10-19 11:45   289792   ----a-w-   c:\windows\system32\atmfd.dll
              2010-01-12 22:59 . 2010-01-12 22:59   --------   d-----w-   c:\users\Mary Kate\AppData\Local\{6BAF7A6F-C530-45D9-9789-ECFAF9BFDDF2}
              2010-01-11 18:09 . 2010-01-11 18:10   --------   d-----w-   c:\users\Mary Kate\AppData\Local\{A8FFFAA9-FE10-424E-A3EB-69CCF85B4075}
              2010-01-10 23:05 . 2007-08-29 03:06   542720   ----a-w-   c:\windows\system32\sysmain.dll
              2010-01-10 23:04 . 2007-09-11 02:20   356864   ----a-w-   c:\windows\system32\MediaMetadataHandler.dll
              2010-01-10 23:04 . 2009-08-31 15:16   428032   ----a-w-   c:\windows\system32\EncDec.dll
              2010-01-10 23:04 . 2009-08-31 15:21   292352   ----a-w-   c:\windows\system32\psisdecd.dll
              2010-01-10 23:04 . 2009-08-31 15:17   1244672   ----a-w-   c:\windows\system32\mcmde.dll
              2010-01-10 23:04 . 2007-10-26 11:14   211000   ----a-w-   c:\windows\system32\drivers\volsnap.sys
              2010-01-10 23:04 . 2008-01-19 05:08   109624   ----a-w-   c:\windows\system32\drivers\ataport.sys
              2010-01-10 23:04 . 2008-01-19 05:07   45112   ----a-w-   c:\windows\system32\drivers\pciidex.sys
              2010-01-10 23:04 . 2008-01-19 05:06   21560   ----a-w-   c:\windows\system32\drivers\atapi.sys
              2010-01-10 23:04 . 2008-01-19 05:06   15928   ----a-w-   c:\windows\system32\drivers\pciide.sys
              2010-01-10 23:04 . 2008-01-19 03:06   154624   ----a-w-   c:\windows\system32\drivers\nwifi.sys
              2010-01-10 23:04 . 2008-10-21 05:16   1645568   ----a-w-   c:\windows\system32\connect.dll
              2010-01-10 23:02 . 2009-08-29 03:41   1686528   ----a-w-   c:\windows\system32\gameux.dll
              2010-01-10 23:02 . 2009-08-29 03:40   28672   ----a-w-   c:\windows\system32\Apphlpdm.dll
              2010-01-10 23:02 . 2009-08-28 23:31   4247552   ----a-w-   c:\windows\system32\GameUXLegacyGDFs.dll
              2010-01-10 22:58 . 2007-01-26 03:00   974336   ----a-w-   c:\windows\system32\crypt32.dll
              2010-01-10 22:56 . 2009-09-10 15:29   311296   ----a-w-   c:\windows\system32\unregmp2.exe
              2010-01-10 22:56 . 2009-09-10 17:39   7680   ----a-w-   c:\windows\system32\spwmp.dll
              2010-01-10 22:55 . 2009-09-10 17:40   4096   ----a-w-   c:\windows\system32\dxmasf.dll
              2010-01-10 22:55 . 2009-09-10 15:29   8147968   ----a-w-   c:\windows\system32\wmploc.DLL
              2010-01-10 22:01 . 2010-01-10 22:01   --------   d-----w-   c:\users\Mary Kate\AppData\Local\{C6E8522D-C5C1-4F4B-89A5-77A2C5760C1F}
              2010-01-10 18:58 . 2010-01-10 18:58   --------   d-----w-   c:\users\Mary Kate\AppData\Local\{9E06EAA5-533A-4F87-B916-9597182D73BE}
              2010-01-10 12:49 . 2010-01-10 12:49   --------   d-----w-   c:\users\Mary Kate\AppData\Local\{2FADB93F-5DB7-4BD9-A96D-E633F27F0DDF}
              2010-01-10 06:36 . 2010-01-10 06:36   --------   d-----w-   c:\users\Mary Kate\AppData\Local\{0B3977F2-E717-4456-BD6B-947A79D1F1E8}
              2010-01-10 03:34 . 2010-01-10 03:34   --------   d-----w-   c:\programdata\SUPERAntiSpyware.com
              2010-01-10 03:33 . 2010-01-10 03:34   --------   d-----w-   c:\program files\SUPERAntiSpyware
              2010-01-10 03:33 . 2010-01-10 03:33   --------   d-----w-   c:\users\Mary Kate\AppData\Roaming\SUPERAntiSpyware.com
              2010-01-10 03:31 . 2010-01-10 03:31   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
              2010-01-09 23:53 . 2010-01-09 23:53   --------   d-----w-   c:\users\Mary Kate\AppData\Local\{478113E6-71FE-4C2A-AEC3-0AD2E4930CD7}
              2010-01-09 21:09 . 2010-01-09 21:09   --------   d-----w-   c:\users\Mary Kate\AppData\Local\{9B2F4782-907F-4245-B4EA-2B37CE798041}
              2010-01-09 17:38 . 2010-01-09 17:38   --------   d-----w-   c:\users\Mary Kate\AppData\Local\{F5FF984D-C90C-488B-B3E8-5FB4C604CA40}
              2010-01-09 17:13 . 2010-01-09 17:13   --------   d-----w-   c:\users\Mary Kate\AppData\Roaming\Malwarebytes
              2010-01-09 17:13 . 2010-01-07 21:07   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
              2010-01-09 17:12 . 2010-01-09 17:12   --------   d-----w-   c:\programdata\Malwarebytes
              2010-01-09 17:12 . 2010-01-09 17:13   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
              2010-01-09 17:12 . 2010-01-07 21:07   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
              2010-01-09 16:20 . 2010-01-09 16:20   --------   d-----w-   c:\users\Mary Kate\AppData\Local\{11C626D8-64DD-4B50-BE50-F6A91DD40781}
              2010-01-09 16:08 . 2010-01-09 16:07   411368   ----a-w-   c:\windows\system32\deploytk.dll
              2010-01-09 14:39 . 2010-01-09 14:39   --------   d-----w-   c:\users\Mary Kate\AppData\Local\{223AC774-2053-4D95-A2BA-19D17C2633F8}
              2010-01-08 15:30 . 2010-01-08 15:30   --------   d-----w-   c:\users\Mary Kate\AppData\Local\{63F192F2-6498-43DF-B8A6-A4F8D2DE063C}
              2010-01-07 22:29 . 2010-01-07 22:29   --------   d-----w-   c:\users\Mary Kate\AppData\Local\{2188F2C8-523D-42AB-BA98-DA8275A137E1}
              2010-01-07 16:30 . 2010-01-07 22:21   --------   d-----w-   c:\program files\Windows Live Safety Center
              2010-01-07 01:39 . 2010-01-07 01:39   --------   d-----w-   c:\users\Mary Kate\AppData\Local\{8B0F77DB-0DB8-4628-9DF8-C434ACC6443F}
              2010-01-06 17:43 . 2010-01-06 18:09   --------   d-----w-   c:\users\Mary Kate\AppData\Local\ElevatedDiagnostics
              2010-01-06 17:38 . 2010-01-06 17:38   --------   d-----w-   c:\program files\Microsoft ATS
              2010-01-04 04:49 . 2010-01-04 04:49   --------   d-----w-   c:\users\Mary Kate\AppData\Local\{17F531F5-BD41-438B-805F-EAD27BE2352D}
              2010-01-03 04:16 . 2010-01-12 22:59   0   ----a-w-   c:\users\Mary Kate\AppData\Local\Tkuki.bin
              2010-01-03 04:16 . 2010-01-11 23:01   120   ----a-w-   c:\users\Mary Kate\AppData\Local\Amupova.dat
              2010-01-03 01:33 . 2010-01-03 01:33   --------   d-----w-   c:\program files\Belkin
              2010-01-03 01:32 . 2010-01-09 17:37   --------   d-----w-   c:\windows\{D9FAE986-A4C1-4A2D-8B20-60F92F4222AD}
              2009-12-20 00:20 . 2009-12-20 00:21   --------   d-----w-   c:\users\Mary Kate\AppData\Roaming\GTek

              .
              ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
              .
              2010-01-14 22:41 . 2007-05-28 01:12   25515   ----a-w-   c:\users\Mary Kate\AppData\Roaming\nvModes.dat
              2010-01-14 21:49 . 2009-12-03 02:50   --------   d-----w-   c:\program files\Trend Micro
              2010-01-13 15:44 . 2006-11-02 11:18   --------   d-----w-   c:\program files\Windows Mail
              2010-01-11 17:59 . 2006-11-02 12:37   --------   d-----w-   c:\program files\Windows Calendar
              2010-01-11 17:58 . 2006-11-02 12:37   --------   d-----w-   c:\program files\Windows Defender
              2010-01-10 02:46 . 2007-06-04 21:59   --------   d-----w-   c:\programdata\Viewpoint
              2010-01-09 16:07 . 2007-01-19 01:10   --------   d-----w-   c:\program files\Java
              2010-01-07 22:31 . 2007-05-27 15:11   92456   ----a-w-   c:\users\Mary Kate\AppData\Local\GDIPFONTCACHEV1.DAT
              2010-01-03 01:34 . 2007-01-19 00:10   --------   d--h--w-   c:\program files\InstallShield Installation Information
              2009-12-19 00:49 . 2008-11-04 03:46   1356   ----a-w-   c:\users\Mary Kate\AppData\Local\d3d9caps.dat
              2009-12-13 15:18 . 2007-06-04 20:40   20274   ----a-w-   c:\users\Mary Kate\AppData\Roaming\wklnhst.dat
              2009-12-12 23:30 . 2009-12-12 22:34   --------   d-----w-   c:\programdata\Lavasoft
              2009-12-12 22:35 . 2009-12-12 22:17   --------   dc-h--w-   c:\programdata\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
              2009-12-12 22:34 . 2009-12-12 22:34   --------   d-----w-   c:\program files\Lavasoft
              2009-12-11 02:17 . 2009-12-11 02:17   --------   dc----w-   c:\programdata\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
              2009-12-11 01:30 . 2009-12-11 01:30   --------   d-----w-   c:\programdata\AVP 2009
              2009-12-03 02:34 . 2008-08-28 17:17   --------   d-----w-   c:\programdata\avg8
              2009-12-02 13:19 . 2009-12-12 23:30   64288   ----a-w-   c:\windows\system32\drivers\Lbd.sys
              2009-12-02 13:19 . 2009-12-13 07:34   15880   ----a-w-   c:\windows\system32\lsdelete.exe
              2009-11-09 13:34 . 2009-12-11 03:12   24064   ----a-w-   c:\windows\system32\nshhttp.dll
              2009-11-09 13:30 . 2009-12-11 03:11   31232   ----a-w-   c:\windows\system32\httpapi.dll
              2009-11-09 11:17 . 2009-12-11 03:11   396800   ----a-w-   c:\windows\system32\drivers\http.sys
              2009-11-03 01:42 . 2009-10-02 20:48   195456   ------w-   c:\windows\system32\MpSigStub.exe
              2009-10-29 07:59 . 2009-12-02 04:41   2048   ----a-w-   c:\windows\system32\tzres.dll
              2009-10-27 15:05 . 2009-12-11 02:35   832512   ----a-w-   c:\windows\system32\wininet.dll
              2009-10-27 15:01 . 2009-12-11 02:35   56320   ----a-w-   c:\windows\system32\iesetup.dll
              2009-10-27 15:01 . 2009-12-11 02:35   78336   ----a-w-   c:\windows\system32\ieencode.dll
              2009-10-27 14:59 . 2009-12-11 02:35   72704   ----a-w-   c:\windows\system32\admparse.dll
              2009-10-27 12:27 . 2009-12-11 02:35   26624   ----a-w-   c:\windows\system32\ieUnatt.exe
              2009-10-27 10:56 . 2009-12-11 02:35   48128   ----a-w-   c:\windows\system32\mshtmler.dll
              2007-06-28 20:43 . 2007-06-28 20:43   774144   ----a-w-   c:\program files\RngInterstitial.dll
              .

              (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
              .
              .
              *Note* empty entries & legit default entries are not shown
              REGEDIT4

              [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
              "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-15 1232896]
              "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]

              [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
              "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2007-01-17 1006264]
              "NvSvc"="c:\windows\system32\nvsvc.dll" [2006-11-27 90191]
              "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-11-27 7757824]
              "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-15 815104]
              "QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-12-03 167936]
              "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
              "QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-11-06 159744]
              "HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2006-12-04 46704]
              "KMCONFIG"="c:\program files\Mouse Driver\StartAutorun.exe" [2007-03-06 212992]
              "hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-01-10 472776]
              "WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 317128]

              c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
              Compaq Connections.lnk - c:\program files\Compaq Connections\3572475\Program\Compaq Connections.exe [2007-1-18 34520]

              [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
              "{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016]
              "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

              [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
              "aux"=wdmaud.drv

              [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
              @="Service"

              [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
              @="Service"

              [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
              path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
              backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
              backupExtension=.CommonStartup

              [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
              path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
              backup=c:\windows\pss\Kodak EasyShare software.lnk.CommonStartup
              backupExtension=.CommonStartup

              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
              2008-01-12 02:16   39792   ----a-w-   c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EKIJ5000StatusMonitor]
              2007-04-03 13:54   753664   ----a-w-   c:\windows\System32\spool\drivers\w32x86\3\EKIJ5000MUI.exe

              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
              2008-06-02 15:13   267048   ----a-w-   c:\program files\iTunes\iTunesHelper.exe

              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
              2008-05-27 14:50   413696   ----a-w-   c:\program files\QuickTime\QTTask.exe

              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
              2007-01-19 01:11   77824   ----a-w-   c:\program files\Java\jre1.6.0\bin\jusched.exe

              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
              2008-06-15 23:11   185896   ----a-w-   c:\program files\Common Files\Real\Update_OB\realsched.exe

              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
              2009-09-04 17:16   158448   ----a-w-   c:\program files\Zune\ZuneLauncher.exe

              [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
              "DisableMonitoring"=dword:00000001

              [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
              "DisableMonitoring"=dword:00000001

              [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
              "DisableMonitoring"=dword:00000001

              R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [12/12/2009 6:30 PM 64288]
              R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
              R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
              R2 KMWDSERVICE;Keyboard And Mouse Communication Service;c:\program files\Mouse Driver\KMWDSrv.exe [4/5/2007 10:29 AM 208896]
              R2 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\Printer\Center\KodakSvc.exe [3/22/2007 6:04 PM 9728]
              R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/2/2009 8:19 AM 1181328]
              R2 MSSQL$CSSQL05;SQL Server (CSSQL05);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2/10/2007 3:29 AM 29178224]
              S3 athrusb;Atheros Wireless LAN USB device driver;c:\windows\System32\drivers\athrusb.sys [1/29/2007 8:56 PM 451072]
              S3 rcmirror;rcmirror;c:\windows\System32\drivers\rcmirror.sys [12/14/2007 12:48 PM 5120]
              S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]
              S3 tmcfw;Trend Micro Common Firewall Service;c:\windows\System32\drivers\TM_CFW.sys [4/20/2007 5:44 PM 307984]
              .
              .
              ------- Supplementary Scan -------
              .
              uStart Page = hxxp://www.google.com/
              uInternet Settings,ProxyOverride = *.local
              FF - ProfilePath - c:\users\Mary Kate\AppData\Roaming\Mozilla\Firefox\Profiles\8eegdjyd.default\
              FF - plugin: c:\program files\CambridgeSoft\ChemOffice2008\Chem3D\npChem3DPlugin.dll
              FF - plugin: c:\program files\CambridgeSoft\ChemOffice2008\ChemDraw\NPCDP32.DLL
              FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll
              FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
              FF - plugin: c:\users\Mary Kate\AppData\Local\Yahoo!\BrowserPlus\2.4.21\Plugins\npybrowserplus_2.4.21.dll
              FF - plugin: c:\users\Mary Kate\AppData\Roaming\Move Networks\plugins\npqmp071503000010.dll
              FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
              .

              **************************************************************************

              catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
              Rootkit scan 2010-01-14 18:12
              Windows 6.0.6000  NTFS

              scanning hidden processes ... 

              scanning hidden autostart entries ...

              scanning hidden files ... 

              scan completed successfully
              hidden files: 0

              **************************************************************************
              .
              --------------------- LOCKED REGISTRY KEYS ---------------------

              [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
              @Denied: (A) (Users)
              @Denied: (A) (Everyone)
              @Allowed: (B 1 2 3 4 5) (S-1-5-20)
              "BlindDial"=dword:00000000
              .
              ------------------------ Other Running Processes ------------------------
              .
              c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
              c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
              c:\windows\system32\DRIVERS\xaudio.exe
              c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
              c:\windows\system32\wbem\unsecapp.exe
              c:\windows\System32\rundll32.exe
              c:\program files\Mouse Driver\KMConfig.exe
              c:\windows\ehome\ehmsas.exe
              c:\program files\Mouse Driver\KMProcess.exe
              c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
              c:\program files\Zune\ZuneNss.exe
              c:\windows\servicing\TrustedInstaller.exe
              c:\windows\system32\RacAgent.exe
              c:\windows\system32\lpremove.exe
              c:\windows\system32\lpksetup.exe
              .
              **************************************************************************
              .
              Completion time: 2010-01-14  18:27:30 - machine was rebooted
              ComboFix-quarantined-files.txt  2010-01-14 23:27
              ComboFix2.txt  2010-01-14 22:25
              ComboFix3.txt  2010-01-13 17:42
              ComboFix4.txt  2010-01-13 03:05

              Pre-Run: 34,121,646,080 bytes free
              Post-Run: 34,211,033,088 bytes free

              - - End Of File - - 0FA367480371767F96A2B847138A9406

              SuperDave

              Re: Request for malware removal assistance
              « Reply #12 on: January 15, 2010, 12:40:20 PM »
              Quote
              By the way, what is wrong with my computer, and how did I get this problem?
Your computer had a few infections which caused the re-directs. Here's an article that explains how one gets infected. I will be posting other helpful hints and links when we do the final clean-up.

              In the Security check it shows that the Windows Firewall is enabled.
              Quote
              Windows Firewall Enabled!
              and in the ComboFix log it shows that Trend Micro Firewall is enabled.
              Quote
              FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
You should not run two firewalls on your computer at the same time. I would advise you to disable the Windows Firewall because it's not as good as a third-party firewall.

              ESET Online Scan

              Scan your computer with the ESET FREE Online Virus Scan

              * Click the ESET Online Scanner button.

              * For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
              * Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
              * Double click on the esetsmartinstaller_enu.exe icon on your desktop.
              * Place a check mark next to YES, I accept the Terms of Use.

              * Click the Start button.
              * Accept any security warnings from your browser.
              * Leave the check mark next to Remove found threats and place a check next to Scan archives.
              * Click the Start button.
              * ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
              * When the scan completes, click List of found threats.
              * Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
              * Click the <<Back button then click Finish.

In your next reply please include the ESET Online Scan log.

              maine

                Re: Request for malware removal assistance
                « Reply #13 on: January 19, 2010, 07:55:36 AM »
Hello, I will be sure to run only the one firewall from now on, thank you. Here is my ESET scan result:

                C:\Qoobox\Quarantine\C\Users\Mary Kate\AppData\Local\ixuzazowemulule.dll.vir   a variant of Win32/Cimag.BG trojan   cleaned by deleting - quarantined

                SuperDave

                Re: Request for malware removal assistance
                « Reply #14 on: January 19, 2010, 12:59:19 PM »
                1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
                It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C.

Code:
                KillAll::

                RegLockDel::
                [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
                @Denied: (A) (Users)
                @Denied: (A) (Everyone)
                @Allowed: (B 1 2 3 4 5) (S-1-5-20)
                "BlindDial"=dword:00000000


                3. Go to the Notepad window and click Edit > Paste
                4. Then click File > Save
                5. Name the file CFScript.txt - Save the file to your Desktop
                6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute; just follow the prompts.
                After reboot (in case it asks to reboot), it will produce a log for you.
                Post that log (Combofix.txt) in your next reply.

Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.

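Added example, not from the thread or from ComboFix: a PowerShell check, run from an elevated prompt, that reads the ACL of the registry key targeted by the RegLockDel:: section of the CFScript above and reports any Deny entries, so the lock listed under LOCKED REGISTRY KEYS in the ComboFix log can be confirmed before the script runs and confirmed gone afterwards. The key path is the one in the log; the function name Test-RegistryKeyLock is my own.

```powershell
# Added example (not from the thread or from ComboFix): audit the ACL of the
# key that the CFScript's RegLockDel:: section targets. Run from an elevated
# PowerShell prompt. Key path from the ComboFix log; function name is my own.
$lockedKey = 'HKLM:\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings'

function Test-RegistryKeyLock {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Key not found: $Path"
    }
    try {
        # Get-Acl on a registry path returns a RegistrySecurity object whose
        # Access property holds one RegistryAccessRule per ACE.
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    }
    catch {
        # If the DACL denies READ_CONTROL to Everyone/Users, even an elevated
        # prompt cannot read it; an access-denied error is therefore itself
        # evidence that the key is still locked (ComboFix shows it as @Denied).
        return [pscustomobject]@{
            Path = $Path; Readable = $false; Locked = $true; DenyEntries = @()
        }
    }
    $deny = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
    [pscustomobject]@{
        Path        = $Path
        Readable    = $true
        Locked      = ($deny.Count -gt 0)
        DenyEntries = @($deny | ForEach-Object {
            [pscustomobject]@{
                Identity  = $_.IdentityReference.Value   # e.g. BUILTIN\Users
                Rights    = $_.RegistryRights
                Inherited = $_.IsInherited
            }
        })
    }
}

$result = Test-RegistryKeyLock -Path $lockedKey
if (-not $result.Locked) {
    "No Deny entries on $($result.Path); the lock reported by ComboFix is gone."
} elseif (-not $result.Readable) {
    "ACL of $($result.Path) could not be read (access denied): key is still locked."
} else {
    "Deny entries still present on $($result.Path):"
    $result.DenyEntries | Format-Table -AutoSize
}
```

Run it once before step 6 to see the Deny entries for Users and Everyone that ComboFix reported, and again after the reboot to verify that RegLockDel removed them.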