
Topic: Re-Infected


srose

    Topic Starter


    Rookie

    Re-Infected
    « on: March 10, 2010, 11:01:26 AM »
    About a month ago you all helped me get everything running smoothly on my computer. I believe that I have been reinfected.

    I ran a scan with a Webroot software program and it showed the following:

    Virus:
    Mal/FakeAvJs-A

    Adware:
    FakeAlert.gen

    Information Item:
    Killapp

    I ran the Webroot software after Microsoft Security Essentials picked up the following:

    File:C:\Documents and Settings\Taylor\Local Settings\Temporary Internet Files\Content.IE5\ABZ3QH87\oHff9d8f51V0100f080006R2aaf6aab102Tb40e751120110409Kaaa6885d317[1].pdf

    File:C:\Documents and Settings\Taylor\Local Settings\Temporary Internet Files\Content.IE5\ABZ3QH87\oHff9d8f51V0100f080006R2aaf6aab102Tb40e751120110409Kaaa6885d317[1].pdf->(pdf0000:)

    Containerfile:C:\Documents and Settings\Taylor\Local Settings\Temporary Internet Files\Content.IE5\MAJGTM39\KAV6[1].htm
    File:C:\Documents and Settings\Taylor\Local Settings\Temporary Internet Files\Content.IE5\MAJGTM39\KAV6[1].htm->(SCRIPT0000)

    I have two high school age children who use this computer, and I am not sure whether they are doing something to infect it. On the one hand, I would like it cleaned, but on the other, how can I help put a stop to it?

    Also is there a way to clean out some of the files on the computer so the scans don't take so long?

    I am attaching the logs.

    Thank You in advance for any help you can provide.
    Sean

    [Saving space, attachment deleted by admin]

    SuperDave

    • Malware Removal Specialist


    • Genius
    Re: Re-Infected
    « Reply #1 on: March 10, 2010, 01:08:25 PM »
    Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum, so it may take a bit longer to process your logs.

    1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
    2. The fixes are specific to your problem and should only be used for this issue on this machine.
    3. If you don't know or understand something, please don't hesitate to ask.
    4. Please DO NOT run any other tools or scans while I am helping you.
    5. It is important that you reply to this thread. Do not start a new topic.
    6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    7. Absence of symptoms does not mean that everything is clear.

    Your logs look squeaky clean. We'll have to run some more scans.

    Open HijackThis and select Do a system scan only

    Place a check mark next to the following entries: (if there)

    O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
    O23 - Service: Media Center Monitor Service (ehMonitor) - Unknown owner - C:\Program Files\Media Center Diagnostic Kit\Tests\Bin\ehMonitor.exe (file missing)


    Important: Close all open windows except for HijackThis and then click Fix checked.

    Once completed, exit HijackThis.

    =====================================

    Download ComboFix by sUBs from one of the links below. Be sure to save it to the Desktop.

    link #1
    link #2

    Close any open web browsers (Firefox, Internet Explorer, etc) before starting ComboFix.

    Temporarily disable your anti-virus, and any anti-spyware real-time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

    Vista users: right-click combofix.exe, select Run as Administrator and follow the prompts (you will receive a UAC prompt; please allow it).

    Double-click combofix.exe and follow the prompts.
    When finished, ComboFix will produce a log for you.
    Post the ComboFix log and a new HijackThis log in your next reply.

    NOTE: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

    Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.

    If you have problems with ComboFix usage, see How to use ComboFix

    ===================================

    Please download RootRepeal from GooglePages.com.
    • Extract the program file to your Desktop.
    • Run the program RootRepeal.exe, go to the Report tab and click on the Scan button.
    • Select ALL of the checkboxes and then click OK; it will start scanning your system.
    • If you have multiple drives, you only need to check the C: drive or the one Windows is installed on.
    • When done, click on Save Report.
    • Save it to the Desktop.
    • Please copy/paste the contents of the report in your next reply.
    Please remove any e-mail address in the RootRepeal report (if present).

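As an added example (editor's code, not from this thread, HijackThis, or ComboFix): the check behind the three O23 lines Dave asks to tick above, a service whose registered binary is no longer on disk, written as a small Python triage over the HijackThis O23 line format. The service lines embedded as sample input are copied from the HijackThis log posted later in this thread, plus one constructed entry ("Example Updater", a hypothetical name and path) to exercise the install-location rule; the classification rules are the editor's, not something HijackThis itself applies.

```python
"""Triage the O23 (service) lines of a HijackThis log.

Added example, not part of the original thread. Flags services whose
registered binary is gone from disk (HijackThis prints "(file missing)"),
services with no recorded publisher, and services launched from
user-writable or temporary directories.
"""
import re
from dataclasses import dataclass, field

# HijackThis O23 line format:
#   O23 - Service: <display name> - <owner> - <path> [(file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?\s*$"
)

# Directories a legitimate Windows XP service should not be launched from
# (editor's list, assumption for this example).
SUSPECT_DIRS = ("\\documents and settings\\", "\\temp\\",
                "\\temporary internet files\\")


@dataclass
class ServiceEntry:
    name: str
    owner: str
    path: str
    file_missing: bool
    reasons: list = field(default_factory=list)


def parse_o23(log_text: str) -> list:
    """Return one ServiceEntry per O23 line; other sections are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if m:
            entries.append(ServiceEntry(m["name"], m["owner"], m["path"],
                                        m["missing"] is not None))
    return entries


def triage(entries: list) -> list:
    """Attach review reasons and return only the entries that have any."""
    for e in entries:
        reasons = []
        if e.file_missing:
            reasons.append("registered binary is missing (orphaned service entry)")
        elif e.owner == "Unknown owner":
            reasons.append("no publisher recorded; verify the binary before trusting it")
        if any(d in e.path.lower() for d in SUSPECT_DIRS):
            reasons.append("launched from a user-writable or temporary directory")
        e.reasons = reasons
    return [e for e in entries if e.reasons]


def removal_candidates(entries: list) -> list:
    """Names of services whose binary is gone: the lines to tick in HijackThis."""
    return [e.name for e in entries if e.file_missing]


# Sample input: O23 lines copied from the HijackThis log posted in this
# thread, plus one constructed entry ("Example Updater", hypothetical) so the
# location rule has something to fire on.
SAMPLE_LOG = r"""
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Update Service (gupdate1c9871162dbbbf2) (gupdate1c9871162dbbbf2) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Online Armor Helper Service (OAcat) - Unknown owner - C:\Program Files\Tall Emu\Online Armor\OAcat.exe
O23 - Service: Example Updater (exupd) - Unknown owner - C:\Documents and Settings\Taylor\Local Settings\Temp\exupd.exe
"""

if __name__ == "__main__":
    for e in triage(parse_o23(SAMPLE_LOG)):
        print(f"{e.name}\n    {e.path}\n    -> {'; '.join(e.reasons)}")
```

Run against the full log posted in Reply #3 it picks out the same three entries Dave listed plus KodakCCS, which also reports "(file missing)". A missing binary only tells you the service registration is orphaned (typically left behind by an uninstall); an entry whose binary is present but unsigned by a known vendor, or sits under a user profile or Temp, is the one worth checking by hand before deciding anything.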

    rshultes



      Starter

      Re: Re-Infected
      « Reply #2 on: March 10, 2010, 03:16:29 PM »
      Yeah, SuperDave, RootRepeal and ComboFix are gold; more malware is getting wise to Malwarebytes.
      Another good trick is to go into Safe Mode and disable System Restore whilst doing removals and, once clean,
      create a restore point. What do you think, Dave? (Not telling the infected to do it, just suggesting!)

      srose

        Topic Starter


        Rookie

        Re: Re-Infected
        « Reply #3 on: March 10, 2010, 05:08:26 PM »
        Here is the HijackThis log.

        I tried to remove what you told me to, but they keep coming back.

        Logfile of Trend Micro HijackThis v2.0.3 (BETA)
        Scan saved at 6:56:46 PM, on 3/10/2010
        Platform: Windows XP SP3 (WinNT 5.01.2600)
        MSIE: Internet Explorer v8.00 (8.00.6001.18702)
        Boot mode: Normal

        Running processes:
        C:\WINDOWS\System32\smss.exe
        C:\WINDOWS\system32\winlogon.exe
        C:\WINDOWS\system32\services.exe
        C:\WINDOWS\system32\lsass.exe
        C:\WINDOWS\system32\Ati2evxx.exe
        C:\WINDOWS\system32\svchost.exe
        c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
        C:\WINDOWS\System32\svchost.exe
        C:\Program Files\Tall Emu\Online Armor\OAcat.exe
        C:\Program Files\Tall Emu\Online Armor\oasrv.exe
        C:\WINDOWS\system32\Ati2evxx.exe
        C:\WINDOWS\system32\spoolsv.exe
        C:\WINDOWS\ehome\ehSched.exe
        C:\WINDOWS\system32\inetsrv\inetinfo.exe
        C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
        C:\Program Files\Java\jre6\bin\jqs.exe
        C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
        C:\WINDOWS\System32\snmp.exe
        C:\WINDOWS\System32\svchost.exe
        C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
        C:\WINDOWS\system32\SearchIndexer.exe
        C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
        C:\Program Files\Common Files\Java\Java Update\jusched.exe
        C:\Program Files\Microsoft Security Essentials\msseces.exe
        C:\Program Files\Tall Emu\Online Armor\oaui.exe
        C:\WINDOWS\system32\ctfmon.exe
        C:\Program Files\Secunia\PSI\psi.exe
        C:\Program Files\Tall Emu\Online Armor\OAhlp.exe
        C:\WINDOWS\explorer.exe
        C:\WINDOWS\system32\SearchProtocolHost.exe
        C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
        R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
        R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
        O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
        O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
        O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll
        O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
        O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
        O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll
        O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
        O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
        O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
        O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
        O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
        O4 - Startup: Secunia PSI.lnk = C:\Program Files\Secunia\PSI\psi.exe
        O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
        O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
        O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
        O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
        O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
        O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
        O16 - DPF: {0854D220-A90A-466D-BC02-6683183802B7} (PrintPreview Class) - http://cgmls.fnismls.com/Paragon/Codebase/FNISPrintControl.cab
        O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
        O16 - DPF: {2042B57E-6336-459E-B7CE-2A0F6C9E6AF8} (IEPlayInterface Class) - file://F:\win\setup\iaieplay.dll
        O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
        O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
        O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.cyberlink.com/winxp/CheckDVD.cab
        O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase370.cab
        O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1126482186562
        O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1204817669703
        O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
        O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
        O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
        O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
        O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll
        O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
        O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
        O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
        O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)
        O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
        O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
        O23 - Service: Media Center Monitor Service (ehMonitor) - Unknown owner - C:\Program Files\Media Center Diagnostic Kit\Tests\Bin\ehMonitor.exe (file missing)
        O23 - Service: Google Update Service (gupdate1c9871162dbbbf2) (gupdate1c9871162dbbbf2) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
        O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
        O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
        O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
        O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
        O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
        O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
        O23 - Service: MpService - Canon Inc - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
        O23 - Service: Online Armor Helper Service (OAcat) - Unknown owner - C:\Program Files\Tall Emu\Online Armor\OAcat.exe
        O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
        O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
        O23 - Service: Online Armor (SvcOnlineArmor) - Unknown owner - C:\Program Files\Tall Emu\Online Armor\oasrv.exe

        --
        End of file - 8641 bytes

        Here is the ComboFix log:

        ComboFix 10-03-10.02 - Sean and Wylene 03/10/2010  18:11:03.2.2 - x86
        Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2047.1454 [GMT -5:00]
        Running from: c:\documents and settings\Sean and Wylene\My Documents\Antivirus\REMOVAL\ComboFix.exe
        AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
        FW: Online Armor Firewall *disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
        .

        (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
        .

        c:\windows\system32\Cache

        .
        (((((((((((((((((((((((((   Files Created from 2010-02-10 to 2010-03-10  )))))))))))))))))))))))))))))))
        .

        2010-03-10 22:49 . 2010-03-10 22:49   0   ----a-w-   c:\documents and settings\Sean and Wylene\settings.dat
        2010-03-10 18:13 . 2010-03-10 18:13   --------   d-sh--w-   c:\documents and settings\Administrator\IETldCache
        2010-03-10 17:04 . 2010-03-10 17:33   --------   d-----w-   c:\documents and settings\All Users\Application Data\OnlineArmor
        2010-03-10 17:04 . 2010-03-10 17:04   --------   d-----w-   c:\documents and settings\Sean and Wylene\Application Data\OnlineArmor
        2010-03-10 17:03 . 2009-12-05 12:28   24656   ----a-w-   c:\windows\system32\drivers\OAmon.sys
        2010-03-10 17:03 . 2009-12-05 12:27   29776   ----a-w-   c:\windows\system32\drivers\OAnet.sys
        2010-03-10 17:03 . 2009-12-05 12:27   223312   ----a-w-   c:\windows\system32\drivers\OADriver.sys
        2010-03-10 17:03 . 2010-03-10 17:03   --------   d-----w-   c:\program files\Tall Emu
        2010-03-02 21:38 . 2010-03-02 21:38   39720   ---ha-w-   c:\windows\system32\mlfcache.dat
        2010-02-17 17:11 . 2009-06-30 14:37   28552   ----a-w-   c:\windows\system32\drivers\pavboot.sys
        2010-02-17 17:11 . 2010-02-17 17:11   --------   d-----w-   c:\program files\Panda Security
        2010-02-16 13:03 . 2003-07-30 19:00   9216   -c--a-w-   c:\windows\system32\dllcache\wamps51.dll
        2010-02-16 13:02 . 2010-03-07 21:52   --------   d-----w-   c:\windows\system32\Logfiles
        2010-02-16 13:02 . 2010-02-16 13:04   --------   d-----w-   C:\Inetpub
        2010-02-15 17:24 . 2010-02-15 17:24   52224   ----a-w-   c:\documents and settings\Taylor\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
        2010-02-15 17:24 . 2010-02-15 17:24   117760   ----a-w-   c:\documents and settings\Taylor\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
        2010-02-15 17:23 . 2010-02-15 17:23   --------   d-----w-   c:\documents and settings\Taylor\Application Data\SUPERAntiSpyware.com
        2010-02-15 13:37 . 2010-02-15 13:37   --------   d-----w-   c:\program files\AVG
        2010-02-15 13:24 . 2010-02-15 13:24   --------   d-----w-   c:\documents and settings\Sean and Wylene\Application Data\Yahoo!
        2010-02-15 01:59 . 2010-02-15 01:59   52224   ----a-w-   c:\documents and settings\Forrest\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
        2010-02-15 01:59 . 2010-02-15 01:59   117760   ----a-w-   c:\documents and settings\Forrest\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
        2010-02-15 01:59 . 2010-02-15 01:59   --------   d-----w-   c:\documents and settings\Forrest\Application Data\SUPERAntiSpyware.com
        2010-02-14 18:27 . 2010-02-14 18:27   388096   ----a-r-   c:\documents and settings\Sean and Wylene\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
        2010-02-14 18:27 . 2010-02-14 18:27   --------   d-----w-   c:\program files\TrendMicro
        2010-02-12 21:07 . 2008-04-14 01:12   116224   -c--a-w-   c:\windows\system32\dllcache\xrxwiadr.dll
        2010-02-12 21:07 . 2001-08-18 03:36   23040   -c--a-w-   c:\windows\system32\dllcache\xrxwbtmp.dll
        2010-02-12 21:07 . 2008-04-14 01:12   18944   -c--a-w-   c:\windows\system32\dllcache\xrxscnui.dll
        2010-02-12 21:07 . 2001-08-18 03:37   27648   -c--a-w-   c:\windows\system32\dllcache\xrxftplt.exe
        2010-02-12 21:07 . 2001-08-18 03:37   4608   -c--a-w-   c:\windows\system32\dllcache\xrxflnch.exe
        2010-02-12 21:07 . 2001-08-18 03:37   99865   -c--a-w-   c:\windows\system32\dllcache\xlog.exe
        2010-02-12 21:07 . 2001-08-17 17:11   16970   -c--a-w-   c:\windows\system32\dllcache\xem336n5.sys
        2010-02-12 21:07 . 2004-08-04 06:29   19455   -c--a-w-   c:\windows\system32\dllcache\wvchntxx.sys
        2010-02-12 21:07 . 2004-08-04 06:29   12063   -c--a-w-   c:\windows\system32\dllcache\wsiintxx.sys
        2010-02-12 21:07 . 2008-04-14 01:12   8192   -c--a-w-   c:\windows\system32\dllcache\wshirda.dll
        2010-02-12 21:05 . 2001-08-17 18:28   687999   -c--a-w-   c:\windows\system32\dllcache\usrwdxjs.sys
        2010-02-12 21:04 . 2001-08-17 18:49   30464   -c--a-w-   c:\windows\system32\dllcache\tbatm155.sys
        2010-02-12 21:03 . 2001-08-17 17:51   58368   -c--a-w-   c:\windows\system32\dllcache\smiminib.sys
        2010-02-12 21:02 . 2001-08-17 19:56   182272   -c--a-w-   c:\windows\system32\dllcache\s3mt3d.dll
        2010-02-12 21:01 . 2001-08-18 03:36   121344   -c--a-w-   c:\windows\system32\dllcache\phvfwext.dll
        2010-02-12 21:00 . 2001-08-17 19:56   91488   -c--a-w-   c:\windows\system32\dllcache\n9i3disp.dll
        2010-02-12 20:59 . 2001-08-17 18:57   16128   -c--a-w-   c:\windows\system32\dllcache\modemcsa.sys
        2010-02-12 20:58 . 2001-08-17 18:51   18688   -c--a-w-   c:\windows\system32\dllcache\irsir.sys
        2010-02-12 20:57 . 2001-08-17 18:28   488383   -c--a-w-   c:\windows\system32\dllcache\hsf_v124.sys
        2010-02-12 20:56 . 2001-08-17 17:10   22090   -c--a-w-   c:\windows\system32\dllcache\fem556n5.sys
        2010-02-12 20:55 . 2001-08-18 03:36   236060   -c--a-w-   c:\windows\system32\dllcache\ditrace.exe
        2010-02-12 20:54 . 2001-08-17 19:02   272640   -c--a-w-   c:\windows\system32\dllcache\cinemclc.sys
        2010-02-12 20:53 . 2001-08-17 18:12   3168   -c--a-w-   c:\windows\system32\dllcache\brparimg.sys
        2010-02-12 20:52 . 2001-08-17 19:07   101888   -c--a-w-   c:\windows\system32\dllcache\adpu160m.sys
        2010-02-12 20:46 . 2010-02-12 20:46   --------   d-----w-   c:\documents and settings\Sean and Wylene\Application Data\Auslogics
        2010-02-12 20:36 . 2010-02-12 20:36   --------   d-----w-   c:\program files\Auslogics
        2010-02-12 20:17 . 2010-03-08 18:13   --------   d-----w-   c:\program files\SpywareBlaster
        2010-02-12 20:13 . 2010-02-12 20:13   --------   d-----w-   c:\program files\WOT
        2010-02-12 20:01 . 2010-02-12 20:02   --------   d-----w-   c:\program files\Secunia
        2010-02-12 08:27 . 2010-02-19 00:26   8139800   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{728D2B6C-EF40-5718-E9F9-D749100268B3}-acssetup.exe
        2010-02-12 08:27 . 2010-02-19 00:26   8139800   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{6B6DD3C2-8578-DB28-2FF5-D6FA577E5B20}-acssetup.exe
        2010-02-11 22:41 . 2010-02-11 22:41   503808   ----a-w-   c:\documents and settings\Forrest\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-53b6d6b5-n\msvcp71.dll
        2010-02-11 22:41 . 2010-02-11 22:41   499712   ----a-w-   c:\documents and settings\Forrest\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-53b6d6b5-n\jmc.dll
        2010-02-11 22:41 . 2010-02-11 22:41   348160   ----a-w-   c:\documents and settings\Forrest\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-53b6d6b5-n\msvcr71.dll
        2010-02-11 22:41 . 2010-02-11 22:41   61440   ----a-w-   c:\documents and settings\Forrest\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6b7cb5f2-n\decora-sse.dll
        2010-02-11 22:41 . 2010-02-11 22:41   12800   ----a-w-   c:\documents and settings\Forrest\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6b7cb5f2-n\decora-d3d.dll
        2010-02-11 18:48 . 2010-02-11 18:48   --------   d-----w-   c:\program files\ESET
        2010-02-11 18:40 . 2010-02-24 14:16   181632   ------w-   c:\windows\system32\MpSigStub.exe
        2010-02-11 18:35 . 2010-03-10 13:32   --------   d-----w-   c:\program files\Microsoft Security Essentials
        2010-02-10 23:42 . 2010-02-10 23:42   503808   ----a-w-   c:\documents and settings\Taylor\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2679089b-n\msvcp71.dll
        2010-02-10 23:42 . 2010-02-10 23:42   499712   ----a-w-   c:\documents and settings\Taylor\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2679089b-n\jmc.dll
        2010-02-10 23:42 . 2010-02-10 23:42   348160   ----a-w-   c:\documents and settings\Taylor\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2679089b-n\msvcr71.dll
        2010-02-10 23:42 . 2010-02-10 23:42   61440   ----a-w-   c:\documents and settings\Taylor\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6b9a8257-n\decora-sse.dll
        2010-02-10 23:42 . 2010-02-10 23:42   12800   ----a-w-   c:\documents and settings\Taylor\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6b9a8257-n\decora-d3d.dll
        2010-02-10 23:42 . 2010-03-08 01:59   664   ----a-w-   c:\windows\system32\d3d9caps.dat
        2010-02-09 22:36 . 2010-02-09 22:36   503808   ----a-w-   c:\documents and settings\Sean and Wylene\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-43f0a589-n\msvcp71.dll
        2010-02-09 22:36 . 2010-02-09 22:36   499712   ----a-w-   c:\documents and settings\Sean and Wylene\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-43f0a589-n\jmc.dll
        2010-02-09 22:36 . 2010-02-09 22:36   348160   ----a-w-   c:\documents and settings\Sean and Wylene\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-43f0a589-n\msvcr71.dll
        2010-02-09 22:35 . 2010-02-09 22:35   61440   ----a-w-   c:\documents and settings\Sean and Wylene\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-1ff5c2e1-n\decora-sse.dll
        2010-02-09 22:35 . 2010-02-09 22:35   12800   ----a-w-   c:\documents and settings\Sean and Wylene\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-1ff5c2e1-n\decora-d3d.dll
        2010-02-09 22:01 . 2010-02-09 22:01   --------   d-----w-   c:\documents and settings\Sean and Wylene\Application Data\Malwarebytes
        2010-02-09 22:01 . 2010-01-07 21:07   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
        2010-02-09 22:01 . 2010-02-09 22:01   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
        2010-02-09 22:01 . 2010-02-09 22:01   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
        2010-02-09 22:01 . 2010-01-07 21:07   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
        2010-02-09 01:47 . 2010-02-09 01:47   52224   ----a-w-   c:\documents and settings\Sean and Wylene\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
        2010-02-09 01:47 . 2010-03-08 18:07   117760   ----a-w-   c:\documents and settings\Sean and Wylene\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
        2010-02-09 01:46 . 2010-02-09 01:46   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
        2010-02-09 01:46 . 2010-03-06 23:25   --------   d-----w-   c:\program files\SUPERAntiSpyware
        2010-02-09 01:46 . 2010-02-09 01:46   --------   d-----w-   c:\documents and settings\Sean and Wylene\Application Data\SUPERAntiSpyware.com
        2010-02-09 01:45 . 2010-02-09 01:45   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard

        .
        ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        2010-03-08 18:13 . 2008-02-29 20:42   --------   d---a-w-   c:\documents and settings\All Users\Application Data\TEMP
        2010-02-15 17:14 . 2007-08-21 18:48   --------   d-----w-   c:\program files\Yahoo!
        2010-02-15 01:32 . 2008-02-24 16:57   --------   d-----w-   c:\program files\Spybot - Search & Destroy
        2010-02-15 01:32 . 2008-02-24 16:57   --------   d-----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
        2010-02-13 15:03 . 2003-12-17 08:10   --------   d-----w-   c:\program files\Common Files\Real
        2010-02-13 15:01 . 2006-07-10 22:13   --------   d-----w-   c:\program files\InterActual
        2010-02-11 18:25 . 2005-09-11 23:31   --------   d--h--w-   c:\documents and settings\All Users\Application Data\GTek
        2010-02-11 17:15 . 2005-08-10 17:05   --------   d-----w-   c:\program files\ShowCase
        2010-02-09 22:36 . 2003-12-17 06:32   --------   d-----w-   c:\program files\Common Files\Java
        2010-02-09 22:35 . 2003-12-17 06:32   --------   d-----w-   c:\program files\Java
        2010-02-09 18:47 . 2009-09-28 13:28   --------   d-----w-   c:\program files\Coupons
        2010-02-09 18:39 . 2010-02-09 18:39   824   ----a-w-   c:\windows\system32\drivers\kgpcpy.cfg
        2010-02-09 18:39 . 2009-07-16 13:20   --------   d-----w-   c:\documents and settings\All Users\Application Data\STOPzilla!
        2010-02-08 19:04 . 2008-03-26 23:05   --------   d-----w-   c:\program files\Enigma Software Group
        2010-02-08 10:12 . 2008-12-14 23:38   --------   d-----w-   c:\program files\Google
        2010-02-01 14:11 . 2004-07-13 17:16   --------   d-----w-   c:\program files\Common Files\Adobe
        2010-01-22 13:43 . 2008-03-07 13:23   --------   d-----w-   c:\program files\Microsoft Silverlight
        2009-12-31 16:50 . 2003-12-17 04:29   353792   ----a-w-   c:\windows\system32\drivers\srv.sys
        2009-12-22 15:14 . 2009-12-22 15:14   86016   ----a-w-   c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
        2009-12-21 19:14 . 2005-06-18 03:49   916480   ------w-   c:\windows\system32\wininet.dll
        2009-12-17 22:14 . 2009-01-06 15:09   411368   ----a-w-   c:\windows\system32\deploytk.dll
        2009-12-16 18:43 . 2004-01-20 18:08   343040   ----a-w-   c:\windows\system32\mspaint.exe
        2009-12-14 07:08 . 2004-01-20 18:04   33280   ----a-w-   c:\windows\system32\csrsrv.dll
        .

        (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        .
        *Note* empty entries & legit default entries are not shown
        REGEDIT4

        [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "ccleaner"="c:\program files\CCleaner\CCleaner.exe" [2010-01-26 1724728]

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
        "MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]
        "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
        "@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2009-12-05 6622920]

        c:\documents and settings\Sean and Wylene\Start Menu\Programs\Startup\
        Secunia PSI.lnk - c:\program files\Secunia\PSI\psi.exe [2009-8-21 900816]

        [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
        "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
        "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
        "{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2009-12-05 923336]

        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
        2009-09-03 19:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

        [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
        BootExecute   REG_MULTI_SZ      SDEarlyDelete \??\0autocheck autochk *

        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
        @="Service"

        [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
        path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
        backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

        [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
        path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
        backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

        [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
        path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
        backup=c:\windows\pss\Updates from HP.lnkCommon Startup

        [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
        path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
        backup=c:\windows\pss\Windows Search.lnkCommon Startup

        [HKLM\~\startupfolder\C:^Documents and Settings^Sean and Wylene^Start Menu^Programs^Startup^reminder-ScanSoft Product Registration.lnk]
        path=c:\documents and settings\Sean and Wylene\Start Menu\Programs\Startup\reminder-ScanSoft Product Registration.lnk
        backup=c:\windows\pss\reminder-ScanSoft Product Registration.lnkStartup

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
        2009-12-11 20:57   948672   ----a-r-   c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
        2009-12-22 06:57   35760   ----a-w-   c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cdloader]
        2009-04-10 13:53   50520   ----a-w-   c:\documents and settings\Sean and Wylene\Application Data\mjusbsp\cdloader2.exe

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
        2008-04-14 00:12   15360   ------w-   c:\windows\system32\ctfmon.exe

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
        2009-11-12 21:33   141600   ----a-w-   c:\program files\iTunes\iTunesHelper.exe

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
        2008-11-04 15:30   413696   ----a-w-   c:\program files\QuickTime\QTTask.exe

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ScanSoft OmniPage 16-reminder]
        2007-07-20 13:50   328992   ----a-w-   c:\program files\ScanSoft\OmniPage16\Ereg\Ereg.exe

        [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
        "DisableMonitoring"=dword:00000001

        [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
        "DisableMonitoring"=dword:00000001

        [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
        "DisableMonitoring"=dword:00000001

        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
        "c:\\WINDOWS\\system32\\fxsclnt.exe"=
        "c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
        "c:\\WINDOWS\\system32\\sessmgr.exe"=
        "c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
        "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
        "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
        "%windir%\\system32\\sessmgr.exe"=
        "c:\\Program Files\\Corel\\DVD9\\WinDVD.exe"=
        "c:\\Documents and Settings\\Sean and Wylene\\Application Data\\mjusbsp\\magicJack.exe"=
        "c:\\Program Files\\iTunes\\iTunes.exe"=

        R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2/17/2010 12:11 PM 28552]
        R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [3/10/2010 12:03 PM 223312]
        R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [3/10/2010 12:03 PM 24656]
        R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [3/10/2010 12:03 PM 29776]
        R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [1/5/2010 7:56 AM 12872]
        R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 66632]
        R2 CX88XBAR;Conexant 2388x Crossbar Dual Input;c:\windows\system32\drivers\cx88xbardual.sys [2/17/2004 3:37 PM 7040]
        R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [3/31/2009 7:24 PM 55152]
        R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [3/10/2010 12:03 PM 1282248]
        R2 regi;regi;c:\windows\system32\drivers\regi.sys [4/17/2007 7:09 PM 11032]
        R2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [3/10/2010 12:03 PM 3291336]
        R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [6/17/2009 7:20 AM 12648]
        S0 omoecx;omoecx;c:\windows\system32\drivers\lncww.sys --> c:\windows\system32\drivers\lncww.sys [?]
        S2 ehMonitor;Media Center Monitor Service;c:\program files\Media Center Diagnostic Kit\Tests\Bin\ehMonitor.exe --> c:\program files\Media Center Diagnostic Kit\Tests\Bin\ehMonitor.exe [?]
        S2 gupdate1c9871162dbbbf2;Google Update Service (gupdate1c9871162dbbbf2);c:\program files\Google\Update\GoogleUpdate.exe [2/4/2009 4:41 PM 133104]
        S3 azt2320;Aztech 2320 Audio Driver (WDM);c:\windows\system32\drivers\aztw2320.sys [8/20/2009 8:44 AM 36992]
        S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2/6/2009 5:08 PM 533360]
        S3 HidCom;USB-HID -> COM Driver Service;c:\windows\system32\drivers\BdHidCom.sys [7/23/2006 6:17 PM 17408]
        S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 12872]
        .
        Contents of the 'Scheduled Tasks' folder

        2010-03-10 c:\windows\Tasks\AppleSoftwareUpdate.job
        - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

        2010-03-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
        - c:\program files\Google\Update\GoogleUpdate.exe [2009-02-04 21:41]

        2010-03-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
        - c:\program files\Google\Update\GoogleUpdate.exe [2009-02-04 21:41]

        2010-03-10 c:\windows\Tasks\MP Scheduled Scan.job
        - c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-09 23:02]

        2010-03-10 c:\windows\Tasks\User_Feed_Synchronization-{A4B2D6E0-A34D-4D32-B546-B1A3ACC18990}.job
        - c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
        .
        .
        ------- Supplementary Scan -------
        .
        uInternet Settings,ProxyOverride = localhost
        IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
        DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
        FF - ProfilePath - c:\documents and settings\Sean and Wylene\Application Data\Mozilla\Firefox\Profiles\614r5ppc.default\
        FF - prefs.js: keyword.URL - hxxp://www.ask.com/web?&o=13048&l=dis&q=
        FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
        FF - plugin: c:\program files\Google\Update\1.2.183.17\npGoogleOneClick8.dll
        FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
        FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
        FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

        ---- FIREFOX POLICIES ----
        FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency",   1600);
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug",            false);
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight",       2);
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize",       1);
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight",   25);
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight",     5);
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
        c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
        c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
        c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
        c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
        c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
        c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
        c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
        c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
        c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
        c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
        c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
        c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
        c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
        c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
        c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
        .
        - - - - ORPHANS REMOVED - - - -

        MSConfigStartUp-OneCareUI - c:\program files\Microsoft Windows OneCare Live\winssnotify.exe



        **************************************************************************

        catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
        Rootkit scan 2010-03-10 18:19
        Windows 5.1.2600 Service Pack 3 NTFS

        scanning hidden processes ... 

        scanning hidden autostart entries ...

        scanning hidden files ... 

        scan completed successfully
        hidden files: 0

        **************************************************************************
        .
        --------------------- DLLs Loaded Under Running Processes ---------------------

        - - - - - - - > 'winlogon.exe'(508)
        c:\program files\SUPERAntiSpyware\SASWINLO.dll
        c:\windows\system32\WININET.dll
        c:\windows\system32\Ati2evxx.dll

        - - - - - - - > 'explorer.exe'(1472)
        c:\windows\system32\WININET.dll
        c:\program files\Tall Emu\Online Armor\OAwatch.dll
        c:\windows\system32\ieframe.dll
        c:\windows\system32\webcheck.dll
        .
        Completion time: 2010-03-10  18:26:30
        ComboFix-quarantined-files.txt  2010-03-10 23:26
        ComboFix2.txt  2010-02-11 18:02

        Pre-Run: 154,075,000,832 bytes free
        Post-Run: 154,165,317,632 bytes free

        - - End Of File - - E4F97104DE10A6DEF587F62765311078

        Here is the rootrepeal log

        for ROOTREPEAL (c) AD, 2007-2009
        ==================================================
        Scan Start Time:      2010/03/10 17:51
        Program Version:      Version 1.3.5.0
        Windows Version:      Windows XP Media Center Edition SP3
        ==================================================

        Drivers
        -------------------
        Name: dump_atapi.sys
        Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
        Address: 0xAD5D4000   Size: 98304   File Visible: No   Signed: -
        Status: -

        Name: dump_WMILIB.SYS
        Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
        Address: 0xF79BB000   Size: 8192   File Visible: No   Signed: -
        Status: -

        Name: rootrepeal.sys
        Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
        Address: 0xAAD28000   Size: 49152   File Visible: No   Signed: -
        Status: -

        Hidden/Locked Files
        -------------------
        Path: C:\hiberfil.sys
        Status: Locked to the Windows API!

        Path: c:\documents and settings\sean and wylene\cookies\[email protected][2].txt
        Status: Size mismatch (API: 275, Raw: 269)

        SSDT
        -------------------
        #: 017   Function Name: NtAllocateVirtualMemory
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad73f420

        #: 019   Function Name: NtAssignProcessToJobObject
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad73fc60

        #: 031   Function Name: NtConnectPort
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad73da90

        #: 037   Function Name: NtCreateFile
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad74ccb0

        #: 046   Function Name: NtCreatePort
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad73d740

        #: 047   Function Name: NtCreateProcess
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad73a320

        #: 048   Function Name: NtCreateProcessEx
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad73a710

        #: 050   Function Name: NtCreateSection
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad739de0

        #: 053   Function Name: NtCreateThread
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad73bca0

        #: 057   Function Name: NtDebugActiveProcess
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad73c900

        #: 068   Function Name: NtDuplicateObject
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad73d410

        #: 097   Function Name: NtLoadDriver
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad73eb40

        #: 116   Function Name: NtOpenFile
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad74d420

        #: 122   Function Name: NtOpenProcess
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad73b630

        #: 125   Function Name: NtOpenSection
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad73a080

        #: 128   Function Name: NtOpenThread
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad73c1c0

        #: 137   Function Name: NtProtectVirtualMemory
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad73f8a0

        #: 145   Function Name: NtQueryDirectoryFile
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad73efb0

        #: 180   Function Name: NtQueueApcThread
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad73fe00

        #: 200   Function Name: NtRequestWaitReplyPort
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad73e690

        #: 204   Function Name: NtRestoreKey
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad74c940

        #: 206   Function Name: NtResumeThread
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad73d060

        #: 210   Function Name: NtSecureConnectPort
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad73de80

        #: 213   Function Name: NtSetContextThread
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad73c6e0

        #: 240   Function Name: NtSetSystemInformation
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad73caa0

        #: 249   Function Name: NtShutdownSystem
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad73ea10

        #: 253   Function Name: NtSuspendProcess
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad73d240

        #: 254   Function Name: NtSuspendThread
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad73ce60

        #: 255   Function Name: NtSystemDebugControl
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad73cc90

        #: 257   Function Name: NtTerminateProcess
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad73ba30

        #: 258   Function Name: NtTerminateThread
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad73c4b0

        #: 262   Function Name: NtUnloadDriver
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad73ed70

        #: 277   Function Name: NtWriteVirtualMemory
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad73fa70

        Shadow SSDT
        -------------------
        #: 013   Function Name: NtGdiBitBlt
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad7385c0

        #: 233   Function Name: NtGdiOpenDCW
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad738940

        #: 307   Function Name: NtUserAttachThreadInput
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad735470

        #: 310   Function Name: NtUserBlockInput
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad7372b0

        #: 319   Function Name: NtUserCallHwndParamLock
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad736df0

        #: 324   Function Name: NtUserCallTwoParam
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad737e30

        #: 383   Function Name: NtUserGetAsyncKeyState
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad735f00

        #: 389   Function Name: NtUserGetClipboardData
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad7375b0

        #: 401   Function Name: NtUserGetDC
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad738270

        #: 414   Function Name: NtUserGetKeyboardState
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad735dd0

        #: 416   Function Name: NtUserGetKeyState
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad735ca0

        #: 439   Function Name: NtUserGetWindowDC
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad738410

        #: 460   Function Name: NtUserMessageCall
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad736030

        #: 465   Function Name: NtUserMoveWindow
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad737950

        #: 475   Function Name: NtUserPostMessage
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad7365b0

        #: 476   Function Name: NtUserPostThreadMessage
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad736a10

        #: 491   Function Name: NtUserRegisterRawInputDevices
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad7352f0

        #: 502   Function Name: NtUserSendInput
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad737050

        #: 509   Function Name: NtUserSetClipboardViewer
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad737450

        #: 529   Function Name: NtUserSetParent
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad737720

        #: 546   Function Name: NtUserSetWindowPos
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad737ce0

        #: 548   Function Name: NtUserSetWindowsHookAW
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad734e10

        #: 549   Function Name: NtUserSetWindowsHookEx
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad734a20

        #: 552   Function Name: NtUserSetWinEventHook
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad735080

        #: 555   Function Name: NtUserShowWindow
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad737bf0

        ==EOF==
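
The two logs above are easier to triage with a small parser than by eye: the ComboFix service list marks a driver whose file is not on disk with `--> <path> [?]` (the `omoecx` and `ehMonitor` entries), and the RootRepeal SSDT/Shadow SSDT sections list every hooked system call with the module that placed the hook. The script below is an added example written for this thread, not code from ComboFix, RootRepeal or the forum; it reads lines in those two formats, lists services whose image file is missing, counts hooks per hooking module and reports any hooker that is not on a list of modules you expect (here Online Armor's `OADriver.sys`). The sample input is copied from the logs posted above plus one constructed `EXAMPLE_unknown.sys` entry, added only to show the unexpected-hooker check firing.

```python
"""Log-triage helpers for ComboFix service lines and RootRepeal SSDT hook entries.

Added example for this thread; not part of ComboFix or RootRepeal.
"""
import re
from collections import Counter

# ComboFix service line, e.g.
#   R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [3/10/2010 12:03 PM 24656]
# When the image file is missing ComboFix prints "<path> --> <path> [?]".
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")

# RootRepeal hook entry: a "#: NNN   Function Name: X" line followed by a Status line.
HOOK_HEAD_RE = re.compile(r"^#:\s*(?P<index>\d+)\s+Function Name:\s*(?P<func>\S+)$")
HOOK_STATUS_RE = re.compile(
    r'^Status:\s*Hooked by "(?P<module>[^"]+)" at address (?P<addr>0x[0-9a-fA-F]+)$'
)


def parse_services(lines):
    """Return one dict per ComboFix service line: start type, name, image path, missing flag."""
    out = []
    for raw in lines:
        m = SERVICE_RE.match(raw.strip())
        if not m:
            continue
        rest = m.group("rest").strip()
        missing = rest.endswith("[?]")
        # Path is everything before the " --> " marker (if any) and before the " [" metadata.
        image = rest.split(" --> ")[0].split(" [")[0].strip()
        out.append({"start": m.group("start"), "name": m.group("name"),
                    "display": m.group("display"), "image": image, "missing": missing})
    return out


def orphaned_services(lines):
    """Names of services/drivers whose image file ComboFix could not find on disk."""
    return [s["name"] for s in parse_services(lines) if s["missing"]]


def parse_hooks(lines):
    """Pair each RootRepeal '#: ... Function Name:' line with its following Status line."""
    hooks, pending = [], None
    for raw in lines:
        line = raw.strip()
        head = HOOK_HEAD_RE.match(line)
        if head:
            pending = (int(head.group("index")), head.group("func"))
            continue
        status = HOOK_STATUS_RE.match(line)
        if status and pending:
            hooks.append({"index": pending[0], "func": pending[1],
                          "module": status.group("module"),
                          "addr": int(status.group("addr"), 16)})
            pending = None
    return hooks


def hooks_by_module(lines):
    """Count hooked system calls per hooking module (full path, lower-cased)."""
    return Counter(h["module"].lower() for h in parse_hooks(lines))


def unexpected_hookers(lines, known_modules):
    """Basenames of hooking modules that are not in the expected list (e.g. your HIPS driver)."""
    known = {k.lower() for k in known_modules}
    seen = {h["module"].rsplit("\\", 1)[-1].lower() for h in parse_hooks(lines)}
    return sorted(seen - known)


# Sample input copied from the logs posted in this thread.
SAMPLE_COMBOFIX = r"""
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2/17/2010 12:11 PM 28552]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [3/10/2010 12:03 PM 223312]
S0 omoecx;omoecx;c:\windows\system32\drivers\lncww.sys --> c:\windows\system32\drivers\lncww.sys [?]
S2 ehMonitor;Media Center Monitor Service;c:\program files\Media Center Diagnostic Kit\Tests\Bin\ehMonitor.exe --> c:\program files\Media Center Diagnostic Kit\Tests\Bin\ehMonitor.exe [?]
S3 HidCom;USB-HID -> COM Driver Service;c:\windows\system32\drivers\BdHidCom.sys [7/23/2006 6:17 PM 17408]
""".splitlines()

# Three entries copied from the RootRepeal log above; the last one is CONSTRUCTED
# (EXAMPLE_unknown.sys is a placeholder, not a real file from the log).
SAMPLE_ROOTREPEAL = r"""
SSDT
-------------------
#: 017   Function Name: NtAllocateVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad73f420

#: 037   Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad74ccb0

Shadow SSDT
-------------------
#: 013   Function Name: NtGdiBitBlt
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad7385c0

#: 999   Function Name: NtExampleConstructed
Status: Hooked by "C:\WINDOWS\system32\drivers\EXAMPLE_unknown.sys" at address 0xdeadbeef
""".splitlines()

if __name__ == "__main__":
    print("services with missing image file:", orphaned_services(SAMPLE_COMBOFIX))
    for module, count in hooks_by_module(SAMPLE_ROOTREPEAL).items():
        print(f"{count:3d} hook(s) by {module}")
    print("hookers not in the expected list:",
          unexpected_hookers(SAMPLE_ROOTREPEAL, ["OADriver.sys"]))
```

Run against the full logs, the checks confirm what a reviewer would note here: every SSDT and Shadow SSDT hook belongs to `OADriver.sys` (Online Armor, a HIPS product, hooks these calls by design), while `omoecx` and `ehMonitor` are registered services whose files no longer exist and are candidates for cleanup rather than signs of an active infection.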

        SuperDave

        • Malware Removal Specialist


        • Genius
        • Thanked: 1020
        • Certifications: List
        • Experience: Expert
        • OS: Windows 10
        Re: Re-Infected
        « Reply #4 on: March 11, 2010, 12:50:52 PM »
        Sorry for the delay. I'm still analyzing your logs and I'll be back when I have a fix for you.
        Windows 8 and Windows 10 dual boot with two SSD's

        SuperDave

        • Malware Removal Specialist


        • Genius
        • Thanked: 1020
        • Certifications: List
        • Experience: Expert
        • OS: Windows 10
        Re: Re-Infected
        « Reply #5 on: March 12, 2010, 12:32:24 PM »
        You have Viewpoint installed.

        Viewpoint Media Player/Manager/Toolbar is considered Foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad".

        More information:

        * ViewMgr.exe - Useless
        * Viewpoint to Plunge Into Adware

        It is suggested to remove the program now. Go to Start > Control Panel > Add/Remove Programs - (Vista & Win7 is Programs and Features) and remove the following programs if present.

        * Viewpoint
        * Viewpoint Manager
        * Viewpoint Media Player
        * Viewpoint Toolbar
        * Viewpoint Experience Technology


        ==============================
        Please go to Jotti's malware scan
        (If more than one file needs to be scanned, they must be done separately and logs posted for each one)

        * Copy the file path in the below Code box:

        Code:
        c:\windows\system32\mlfcache.dat
        * At the upload site, click once inside the window next to Browse.
        * Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
        * Next click Submit file
        * Your file will possibly be entered into a queue which normally takes less than a minute to clear.
        * This will perform a scan across multiple different virus scanning engines.
        * Important: Wait for all of the scanning engines to complete.
        * Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.

        =====================================

        Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

        Delete these files/folders, as follows:

        1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
        It must be Notepad, not Wordpad.
        2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

        Code:
        KillAll::

        Folder::
        c:\program files\Coupons


        3. Go to the Notepad window and click Edit > Paste
        4. Then click File > Save
        5. Name the file CFScript.txt - Save the file to your Desktop
        6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



        ComboFix will begin to execute, just follow the prompts.
        After reboot (in case it asks to reboot), it will produce a log for you.
        Post that log (Combofix.txt) in your next reply.

        Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.
        Windows 8 and Windows 10 dual boot with two SSD's

        srose

          Topic Starter


          Rookie

          Re: Re-Infected
          « Reply #6 on: March 13, 2010, 02:34:09 PM »
          I got rid of the Viewpoint software.

          The Jotti's scan would not work. I copied it, and tried to Ctrl+V it into the box, but nothing happens. It will not allow me to type anything, and I couldn't find the file when I browsed for it either.

          I did the ComboFix as instructed and here is the log:

          ComboFix 10-03-10.02 - Sean and Wylene 03/13/2010  16:02:23.3.2 - x86
          Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2047.1492 [GMT -5:00]
          Running from: c:\documents and settings\Sean and Wylene\My Documents\Antivirus\REMOVAL\ComboFix.exe
          Command switches used :: c:\documents and settings\Sean and Wylene\My Documents\Antivirus\REMOVAL\cfscript.txt
          AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
          FW: Online Armor Firewall *disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
          .

          (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
          .

          c:\program files\Coupons
          c:\program files\Coupons\uninstall.exe

          .
          (((((((((((((((((((((((((   Files Created from 2010-02-13 to 2010-03-13  )))))))))))))))))))))))))))))))
          .

          2010-03-12 04:39 . 2010-03-12 04:39   --------   d-----w-   c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
          2010-03-11 21:22 . 2010-03-11 21:23   --------   d-----w-   c:\documents and settings\Taylor\Application Data\OnlineArmor
          2010-03-11 20:16 . 2010-03-11 20:21   --------   d-----w-   c:\documents and settings\Forrest\Application Data\OnlineArmor
          2010-03-10 22:49 . 2010-03-10 22:49   0   ----a-w-   c:\documents and settings\Sean and Wylene\settings.dat
          2010-03-10 18:13 . 2010-03-10 18:13   --------   d-sh--w-   c:\documents and settings\Administrator\IETldCache
          2010-03-10 17:04 . 2010-03-11 20:16   --------   d-----w-   c:\documents and settings\All Users\Application Data\OnlineArmor
          2010-03-10 17:04 . 2010-03-10 17:04   --------   d-----w-   c:\documents and settings\Sean and Wylene\Application Data\OnlineArmor
          2010-03-10 17:03 . 2009-12-05 12:28   24656   ----a-w-   c:\windows\system32\drivers\OAmon.sys
          2010-03-10 17:03 . 2009-12-05 12:27   29776   ----a-w-   c:\windows\system32\drivers\OAnet.sys
          2010-03-10 17:03 . 2009-12-05 12:27   223312   ----a-w-   c:\windows\system32\drivers\OADriver.sys
          2010-03-10 17:03 . 2010-03-10 17:03   --------   d-----w-   c:\program files\Tall Emu
          2010-03-02 21:38 . 2010-03-02 21:38   39720   ---ha-w-   c:\windows\system32\mlfcache.dat
          2010-02-17 17:11 . 2009-06-30 14:37   28552   ----a-w-   c:\windows\system32\drivers\pavboot.sys
          2010-02-17 17:11 . 2010-02-17 17:11   --------   d-----w-   c:\program files\Panda Security
          2010-02-16 13:03 . 2003-07-30 19:00   9216   -c--a-w-   c:\windows\system32\dllcache\wamps51.dll
          2010-02-16 13:02 . 2010-03-13 20:28   --------   d-----w-   c:\windows\system32\Logfiles
          2010-02-16 13:02 . 2010-02-16 13:04   --------   d-----w-   C:\Inetpub
          2010-02-15 17:24 . 2010-02-15 17:24   52224   ----a-w-   c:\documents and settings\Taylor\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
          2010-02-15 17:24 . 2010-02-15 17:24   117760   ----a-w-   c:\documents and settings\Taylor\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
          2010-02-15 17:23 . 2010-02-15 17:23   --------   d-----w-   c:\documents and settings\Taylor\Application Data\SUPERAntiSpyware.com
          2010-02-15 13:37 . 2010-02-15 13:37   --------   d-----w-   c:\program files\AVG
          2010-02-15 13:24 . 2010-02-15 13:24   --------   d-----w-   c:\documents and settings\Sean and Wylene\Application Data\Yahoo!
          2010-02-15 01:59 . 2010-02-15 01:59   52224   ----a-w-   c:\documents and settings\Forrest\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
          2010-02-15 01:59 . 2010-02-15 01:59   117760   ----a-w-   c:\documents and settings\Forrest\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
          2010-02-15 01:59 . 2010-02-15 01:59   --------   d-----w-   c:\documents and settings\Forrest\Application Data\SUPERAntiSpyware.com
          2010-02-14 18:27 . 2010-02-14 18:27   388096   ----a-r-   c:\documents and settings\Sean and Wylene\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
          2010-02-14 18:27 . 2010-02-14 18:27   --------   d-----w-   c:\program files\TrendMicro
          2010-02-12 21:07 . 2008-04-14 01:12   116224   -c--a-w-   c:\windows\system32\dllcache\xrxwiadr.dll
          2010-02-12 21:07 . 2001-08-18 03:36   23040   -c--a-w-   c:\windows\system32\dllcache\xrxwbtmp.dll
          2010-02-12 21:07 . 2008-04-14 01:12   18944   -c--a-w-   c:\windows\system32\dllcache\xrxscnui.dll
          2010-02-12 21:07 . 2001-08-18 03:37   27648   -c--a-w-   c:\windows\system32\dllcache\xrxftplt.exe
          2010-02-12 21:07 . 2001-08-18 03:37   4608   -c--a-w-   c:\windows\system32\dllcache\xrxflnch.exe
          2010-02-12 21:07 . 2001-08-18 03:37   99865   -c--a-w-   c:\windows\system32\dllcache\xlog.exe
          2010-02-12 21:07 . 2001-08-17 17:11   16970   -c--a-w-   c:\windows\system32\dllcache\xem336n5.sys
          2010-02-12 21:07 . 2004-08-04 06:29   19455   -c--a-w-   c:\windows\system32\dllcache\wvchntxx.sys
          2010-02-12 21:07 . 2004-08-04 06:29   12063   -c--a-w-   c:\windows\system32\dllcache\wsiintxx.sys
          2010-02-12 21:07 . 2008-04-14 01:12   8192   -c--a-w-   c:\windows\system32\dllcache\wshirda.dll
          2010-02-12 21:05 . 2001-08-17 18:28   687999   -c--a-w-   c:\windows\system32\dllcache\usrwdxjs.sys
          2010-02-12 21:04 . 2001-08-17 18:49   30464   -c--a-w-   c:\windows\system32\dllcache\tbatm155.sys
          2010-02-12 21:03 . 2001-08-17 17:51   58368   -c--a-w-   c:\windows\system32\dllcache\smiminib.sys
          2010-02-12 21:02 . 2001-08-17 19:56   182272   -c--a-w-   c:\windows\system32\dllcache\s3mt3d.dll
          2010-02-12 21:01 . 2001-08-18 03:36   121344   -c--a-w-   c:\windows\system32\dllcache\phvfwext.dll
          2010-02-12 21:00 . 2001-08-17 19:56   91488   -c--a-w-   c:\windows\system32\dllcache\n9i3disp.dll
          2010-02-12 20:59 . 2001-08-17 18:57   16128   -c--a-w-   c:\windows\system32\dllcache\modemcsa.sys
          2010-02-12 20:58 . 2001-08-17 18:51   18688   -c--a-w-   c:\windows\system32\dllcache\irsir.sys
          2010-02-12 20:57 . 2001-08-17 18:28   488383   -c--a-w-   c:\windows\system32\dllcache\hsf_v124.sys
          2010-02-12 20:56 . 2001-08-17 17:10   22090   -c--a-w-   c:\windows\system32\dllcache\fem556n5.sys
          2010-02-12 20:55 . 2001-08-18 03:36   236060   -c--a-w-   c:\windows\system32\dllcache\ditrace.exe
          2010-02-12 20:54 . 2001-08-17 19:02   272640   -c--a-w-   c:\windows\system32\dllcache\cinemclc.sys
          2010-02-12 20:53 . 2001-08-17 18:12   3168   -c--a-w-   c:\windows\system32\dllcache\brparimg.sys
          2010-02-12 20:52 . 2001-08-17 19:07   101888   -c--a-w-   c:\windows\system32\dllcache\adpu160m.sys
          2010-02-12 20:46 . 2010-02-12 20:46   --------   d-----w-   c:\documents and settings\Sean and Wylene\Application Data\Auslogics
          2010-02-12 20:36 . 2010-02-12 20:36   --------   d-----w-   c:\program files\Auslogics
          2010-02-12 20:17 . 2010-03-08 18:13   --------   d-----w-   c:\program files\SpywareBlaster
          2010-02-12 20:13 . 2010-02-12 20:13   --------   d-----w-   c:\program files\WOT
          2010-02-12 20:01 . 2010-02-12 20:02   --------   d-----w-   c:\program files\Secunia
          2010-02-12 08:27 . 2010-02-19 00:26   8139800   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{728D2B6C-EF40-5718-E9F9-D749100268B3}-acssetup.exe
          2010-02-12 08:27 . 2010-02-19 00:26   8139800   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{6B6DD3C2-8578-DB28-2FF5-D6FA577E5B20}-acssetup.exe
          2010-02-11 22:41 . 2010-02-11 22:41   503808   ----a-w-   c:\documents and settings\Forrest\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-53b6d6b5-n\msvcp71.dll
          2010-02-11 22:41 . 2010-02-11 22:41   499712   ----a-w-   c:\documents and settings\Forrest\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-53b6d6b5-n\jmc.dll
          2010-02-11 22:41 . 2010-02-11 22:41   348160   ----a-w-   c:\documents and settings\Forrest\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-53b6d6b5-n\msvcr71.dll
          2010-02-11 22:41 . 2010-02-11 22:41   61440   ----a-w-   c:\documents and settings\Forrest\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6b7cb5f2-n\decora-sse.dll
          2010-02-11 22:41 . 2010-02-11 22:41   12800   ----a-w-   c:\documents and settings\Forrest\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6b7cb5f2-n\decora-d3d.dll

          .
          ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          2010-03-10 13:32 . 2010-02-11 18:35   --------   d-----w-   c:\program files\Microsoft Security Essentials
          2010-03-08 18:13 . 2008-02-29 20:42   --------   d---a-w-   c:\documents and settings\All Users\Application Data\TEMP
          2010-03-08 18:07 . 2010-02-09 01:47   117760   ----a-w-   c:\documents and settings\Sean and Wylene\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
          2010-03-08 01:59 . 2010-02-10 23:42   664   ----a-w-   c:\windows\system32\d3d9caps.dat
          2010-03-06 23:25 . 2010-02-09 01:46   --------   d-----w-   c:\program files\SUPERAntiSpyware
          2010-02-24 14:16 . 2010-02-11 18:40   181632   ------w-   c:\windows\system32\MpSigStub.exe
          2010-02-15 17:14 . 2007-08-21 18:48   --------   d-----w-   c:\program files\Yahoo!
          2010-02-15 01:32 . 2008-02-24 16:57   --------   d-----w-   c:\program files\Spybot - Search & Destroy
          2010-02-15 01:32 . 2008-02-24 16:57   --------   d-----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
          2010-02-13 15:03 . 2003-12-17 08:10   --------   d-----w-   c:\program files\Common Files\Real
          2010-02-13 15:01 . 2006-07-10 22:13   --------   d-----w-   c:\program files\InterActual
          2010-02-11 18:48 . 2010-02-11 18:48   --------   d-----w-   c:\program files\ESET
          2010-02-11 18:25 . 2005-09-11 23:31   --------   d--h--w-   c:\documents and settings\All Users\Application Data\GTek
          2010-02-11 17:15 . 2005-08-10 17:05   --------   d-----w-   c:\program files\ShowCase
          2010-02-10 23:42 . 2010-02-10 23:42   503808   ----a-w-   c:\documents and settings\Taylor\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2679089b-n\msvcp71.dll
          2010-02-10 23:42 . 2010-02-10 23:42   499712   ----a-w-   c:\documents and settings\Taylor\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2679089b-n\jmc.dll
          2010-02-10 23:42 . 2010-02-10 23:42   348160   ----a-w-   c:\documents and settings\Taylor\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2679089b-n\msvcr71.dll
          2010-02-10 23:42 . 2010-02-10 23:42   61440   ----a-w-   c:\documents and settings\Taylor\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6b9a8257-n\decora-sse.dll
          2010-02-10 23:42 . 2010-02-10 23:42   12800   ----a-w-   c:\documents and settings\Taylor\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6b9a8257-n\decora-d3d.dll
          2010-02-09 22:36 . 2003-12-17 06:32   --------   d-----w-   c:\program files\Common Files\Java
          2010-02-09 22:36 . 2010-02-09 22:36   503808   ----a-w-   c:\documents and settings\Sean and Wylene\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-43f0a589-n\msvcp71.dll
          2010-02-09 22:36 . 2010-02-09 22:36   499712   ----a-w-   c:\documents and settings\Sean and Wylene\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-43f0a589-n\jmc.dll
          2010-02-09 22:36 . 2010-02-09 22:36   348160   ----a-w-   c:\documents and settings\Sean and Wylene\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-43f0a589-n\msvcr71.dll
          2010-02-09 22:35 . 2010-02-09 22:35   61440   ----a-w-   c:\documents and settings\Sean and Wylene\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-1ff5c2e1-n\decora-sse.dll
          2010-02-09 22:35 . 2010-02-09 22:35   12800   ----a-w-   c:\documents and settings\Sean and Wylene\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-1ff5c2e1-n\decora-d3d.dll
          2010-02-09 22:35 . 2003-12-17 06:32   --------   d-----w-   c:\program files\Java
          2010-02-09 22:01 . 2010-02-09 22:01   --------   d-----w-   c:\documents and settings\Sean and Wylene\Application Data\Malwarebytes
          2009-12-31 16:50 . 2003-12-17 04:29   353792   ----a-w-   c:\windows\system32\drivers\srv.sys
          2009-12-22 15:14 . 2009-12-22 15:14   86016   ----a-w-   c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
          2009-12-21 19:14 . 2005-06-18 03:49   916480   ------w-   c:\windows\system32\wininet.dll
          2009-12-17 22:14 . 2009-01-06 15:09   411368   ----a-w-   c:\windows\system32\deploytk.dll
          2009-12-16 18:43 . 2004-01-20 18:08   343040   ----a-w-   c:\windows\system32\mspaint.exe
          2009-12-14 07:08 . 2004-01-20 18:04   33280   ----a-w-   c:\windows\system32\csrsrv.dll
          .

          (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          .
          *Note* empty entries & legit default entries are not shown
          REGEDIT4

          [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "ccleaner"="c:\program files\CCleaner\CCleaner.exe" [2010-01-26 1724728]

          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
          "MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]
          "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
          "@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2009-12-05 6622920]

          [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
          "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

          c:\documents and settings\Sean and Wylene\Start Menu\Programs\Startup\
          Secunia PSI.lnk - c:\program files\Secunia\PSI\psi.exe [2009-8-21 900816]

          [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
          "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
          "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
          "{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2009-12-05 923336]

          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
          2009-09-03 19:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

          [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
          BootExecute   REG_MULTI_SZ      SDEarlyDelete \??\0autocheck autochk *

          [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
          @="Service"

          [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
          path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
          backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

          [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
          path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
          backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

          [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
          path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
          backup=c:\windows\pss\Updates from HP.lnkCommon Startup

          [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
          path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
          backup=c:\windows\pss\Windows Search.lnkCommon Startup

          [HKLM\~\startupfolder\C:^Documents and Settings^Sean and Wylene^Start Menu^Programs^Startup^reminder-ScanSoft Product Registration.lnk]
          path=c:\documents and settings\Sean and Wylene\Start Menu\Programs\Startup\reminder-ScanSoft Product Registration.lnk
          backup=c:\windows\pss\reminder-ScanSoft Product Registration.lnkStartup

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
          2009-12-11 20:57   948672   ----a-r-   c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
          2009-12-22 06:57   35760   ----a-w-   c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cdloader]
          2009-04-10 13:53   50520   ----a-w-   c:\documents and settings\Sean and Wylene\Application Data\mjusbsp\cdloader2.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
          2008-04-14 00:12   15360   ------w-   c:\windows\system32\ctfmon.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
          2009-11-12 21:33   141600   ----a-w-   c:\program files\iTunes\iTunesHelper.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
          2008-11-04 15:30   413696   ----a-w-   c:\program files\QuickTime\QTTask.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ScanSoft OmniPage 16-reminder]
          2007-07-20 13:50   328992   ----a-w-   c:\program files\ScanSoft\OmniPage16\Ereg\Ereg.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
          "DisableMonitoring"=dword:00000001

          [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
          "DisableMonitoring"=dword:00000001

          [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
          "DisableMonitoring"=dword:00000001

          [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
          "c:\\WINDOWS\\system32\\fxsclnt.exe"=
          "c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
          "c:\\WINDOWS\\system32\\sessmgr.exe"=
          "c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
          "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
          "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
          "%windir%\\system32\\sessmgr.exe"=
          "c:\\Program Files\\Corel\\DVD9\\WinDVD.exe"=
          "c:\\Documents and Settings\\Sean and Wylene\\Application Data\\mjusbsp\\magicJack.exe"=
          "c:\\Program Files\\iTunes\\iTunes.exe"=

          R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2/17/2010 12:11 PM 28552]
          R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [3/10/2010 12:03 PM 223312]
          R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [3/10/2010 12:03 PM 24656]
          R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [3/10/2010 12:03 PM 29776]
          R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [1/5/2010 7:56 AM 12872]
          R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 66632]
          R2 CX88XBAR;Conexant 2388x Crossbar Dual Input;c:\windows\system32\drivers\cx88xbardual.sys [2/17/2004 3:37 PM 7040]
          R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [3/31/2009 7:24 PM 55152]
          R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [3/10/2010 12:03 PM 1282248]
          R2 regi;regi;c:\windows\system32\drivers\regi.sys [4/17/2007 7:09 PM 11032]
          R2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [3/10/2010 12:03 PM 3291336]
          R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [6/17/2009 7:20 AM 12648]
          S0 omoecx;omoecx;c:\windows\system32\drivers\lncww.sys --> c:\windows\system32\drivers\lncww.sys [?]
          S2 ehMonitor;Media Center Monitor Service;c:\program files\Media Center Diagnostic Kit\Tests\Bin\ehMonitor.exe --> c:\program files\Media Center Diagnostic Kit\Tests\Bin\ehMonitor.exe [?]
          S2 gupdate1c9871162dbbbf2;Google Update Service (gupdate1c9871162dbbbf2);c:\program files\Google\Update\GoogleUpdate.exe [2/4/2009 4:41 PM 133104]
          S3 azt2320;Aztech 2320 Audio Driver (WDM);c:\windows\system32\drivers\aztw2320.sys [8/20/2009 8:44 AM 36992]
          S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2/6/2009 5:08 PM 533360]
          S3 HidCom;USB-HID -> COM Driver Service;c:\windows\system32\drivers\BdHidCom.sys [7/23/2006 6:17 PM 17408]
          S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 12872]
          .
          Contents of the 'Scheduled Tasks' folder

          2010-03-10 c:\windows\Tasks\AppleSoftwareUpdate.job
          - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

          2010-03-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
          - c:\program files\Google\Update\GoogleUpdate.exe [2009-02-04 21:41]

          2010-03-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
          - c:\program files\Google\Update\GoogleUpdate.exe [2009-02-04 21:41]

          2010-03-13 c:\windows\Tasks\MP Scheduled Scan.job
          - c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-09 23:02]

          2010-03-10 c:\windows\Tasks\User_Feed_Synchronization-{A4B2D6E0-A34D-4D32-B546-B1A3ACC18990}.job
          - c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
          .
          .
          ------- Supplementary Scan -------
          .
          uInternet Settings,ProxyOverride = localhost
          IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
          DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
          FF - ProfilePath - c:\documents and settings\Sean and Wylene\Application Data\Mozilla\Firefox\Profiles\614r5ppc.default\
          FF - prefs.js: keyword.URL - hxxp://www.ask.com/web?&o=13048&l=dis&q=
          FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
          FF - plugin: c:\program files\Google\Update\1.2.183.17\npGoogleOneClick8.dll
          FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
          FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

          ---- FIREFOX POLICIES ----
          FF - user.js: yahoo.homepage.dontask - true
          c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
          c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
          c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
          c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
          c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
          c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency",   1600);
          c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
          c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
          c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
          c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug",            false);
          c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight",       2);
          c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize",       1);
          c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
          c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
          c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight",   25);
          c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight",     5);
          c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
          c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
          c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
          c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
          c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
          c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
          c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
          c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
          c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
          c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
          c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
          c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
          c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
          c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
          c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
          c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
          .

          **************************************************************************

          catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
          Rootkit scan 2010-03-13 16:21
          Windows 5.1.2600 Service Pack 3 NTFS

          scanning hidden processes ... 

          scanning hidden autostart entries ...

          scanning hidden files ... 

          scan completed successfully
          hidden files: 0

          **************************************************************************
          .
          --------------------- DLLs Loaded Under Running Processes ---------------------

          - - - - - - - > 'winlogon.exe'(508)
          c:\program files\SUPERAntiSpyware\SASWINLO.dll
          c:\windows\system32\WININET.dll
          c:\windows\system32\Ati2evxx.dll

          - - - - - - - > 'explorer.exe'(3440)
          c:\windows\system32\WININET.dll
          c:\program files\Tall Emu\Online Armor\OAwatch.dll
          c:\windows\system32\ieframe.dll
          c:\windows\system32\webcheck.dll
          .
          ------------------------ Other Running Processes ------------------------
          .
          c:\windows\system32\Ati2evxx.exe
          c:\program files\Microsoft Security Essentials\MsMpEng.exe
          c:\windows\system32\Ati2evxx.exe
          c:\windows\ehome\ehSched.exe
          c:\windows\system32\inetsrv\inetinfo.exe
          c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
          c:\program files\Java\jre6\bin\jqs.exe
          c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
          c:\windows\System32\snmp.exe
          c:\windows\system32\wdfmgr.exe
          c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
          c:\windows\system32\SearchIndexer.exe
          c:\windows\system32\wscntfy.exe
          c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
          c:\program files\Tall Emu\Online Armor\OAhlp.exe
          .
          **************************************************************************
          .
          Completion time: 2010-03-13  16:26:03 - machine was rebooted
          ComboFix-quarantined-files.txt  2010-03-13 21:25
          ComboFix2.txt  2010-03-10 23:26
          ComboFix3.txt  2010-02-11 18:02

          Pre-Run: 154,049,183,744 bytes free
          Post-Run: 154,024,529,920 bytes free

          - - End Of File - - C574D0BB0476DCCB7D4ECA765887D993
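The service list in the log above is the part a helper reads first: an entry whose image file is gone is printed as `path --> path [?]`, and the Security Center keys with `DisableMonitoring` set silence the OS's own antivirus/firewall warnings. The script below is an added example (not from the thread and not ComboFix's code) that parses those lines and ranks the orphaned entries; its sample lines are copied from the log above, and the R/S start-code reading in the docstring is the usual interpretation of ComboFix output.

```python
"""Triage the driver/service section of a ComboFix log (added example, not
ComboFix's own code and not from the thread). ComboFix lists each entry as

    <start> <name>;<display name>;<image path> [<date> <size>]

with <start> read as R (running) or S (stopped) plus the Windows start type
digit (0 boot, 1 system, 2 auto, 3 manual). When the image file is not on
disk, ComboFix prints the path twice joined by "-->" and ends the line with
"[?]" instead of the date/size bracket.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
ORPHAN_RE = re.compile(r"^(?P<path>.+?)\s+-->\s+.+\s+\[\?\]$")
PRESENT_RE = re.compile(r"^(?P<path>.+?)\s+\[(?P<date>[^\]]+?)\s+(?P<size>\d+)\]$")
SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")


@dataclass
class ServiceEntry:
    start: str            # e.g. "R0", "S2"
    name: str
    display: str
    path: str
    size: Optional[int]   # None when the image file is missing
    orphaned: bool        # True when ComboFix printed "--> ... [?]"


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Parse one 'R0 name;display;path [...]' line; None for any other line."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    start, name, display, rest = m.group("start", "name", "display", "rest")
    if (o := ORPHAN_RE.match(rest)):
        return ServiceEntry(start, name, display, o.group("path"), None, True)
    if (p := PRESENT_RE.match(rest)):
        return ServiceEntry(start, name, display, p.group("path"), int(p.group("size")), False)
    # Unrecognised tail: keep the entry, with the raw remainder as its path.
    return ServiceEntry(start, name, display, rest, None, False)


def parse_services(text: str) -> List[ServiceEntry]:
    """Collect every service/driver line in a ComboFix log."""
    entries = (parse_service_line(line) for line in text.splitlines())
    return [e for e in entries if e is not None]


def triage(entries: List[ServiceEntry]) -> List[Tuple[str, str, str]]:
    """Rank orphaned entries as (severity, name, path), highest first.

    A boot- or system-start kernel driver (.sys, start type 0/1) whose file is
    gone ranks 'high': that is where a half-removed rootkit would sit. A stopped
    user-mode service with a missing .exe is usually an uninstaller leftover
    and ranks 'low'. Neither is proof of infection by itself.
    """
    findings = []
    for e in entries:
        if not e.orphaned:
            continue
        is_driver = e.path.lower().endswith(".sys")
        early_start = e.start[1] in "01"
        severity = "high" if (is_driver and early_start) else "low"
        findings.append((severity, e.name, e.path))
    findings.sort(key=lambda f: (f[0] != "high", f[1].lower()))
    return findings


def disabled_security_center_monitoring(text: str) -> List[str]:
    """Return Security Center 'Monitoring' keys carrying DisableMonitoring=1.

    With these set, Windows XP's Security Center stops warning when the
    antivirus or firewall it tracks is off; they are usually left behind by a
    vendor's uninstaller and should be reset after a clean-up.
    """
    hits, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key")
            continue
        if (current and "security center\\monitoring" in current.lower()
                and line.lower() == '"disablemonitoring"=dword:00000001'):
            hits.append(current)
    return hits


# Sample lines copied from the ComboFix log above (constructed subset).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2/17/2010 12:11 PM 28552]
R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [3/10/2010 12:03 PM 1282248]
S0 omoecx;omoecx;c:\windows\system32\drivers\lncww.sys --> c:\windows\system32\drivers\lncww.sys [?]
S2 ehMonitor;Media Center Monitor Service;c:\program files\Media Center Diagnostic Kit\Tests\Bin\ehMonitor.exe --> c:\program files\Media Center Diagnostic Kit\Tests\Bin\ehMonitor.exe [?]
S3 HidCom;USB-HID -> COM Driver Service;c:\windows\system32\drivers\BdHidCom.sys [7/23/2006 6:17 PM 17408]
"""

if __name__ == "__main__":
    for severity, name, path in triage(parse_services(SAMPLE_LOG)):
        print(f"{severity:4} {name:12} {path}")
    for key in disabled_security_center_monitoring(SAMPLE_LOG):
        print("Security Center monitoring disabled:", key)
```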

          SuperDave
          Re: Re-Infected
          « Reply #7 on: March 14, 2010, 11:36:07 AM »
          Ok. Please try this one.

          Please go to VirSCAN.org FREE on-line scan service
          (If more than one file needs to be scanned, they must be done separately and the logs posted for each one.)

          1. Copy and paste the following file path into the Suspicious files to scan box on the top of the page.

          Code:
          c:\windows\system32\mlfcache.dat
          2. At the upload site, click once inside the window next to Browse.
          3. Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
          4. Click on the Upload button.
          This will perform a scan across multiple different virus scanning engines.
          Your file will possibly be entered into a queue which normally takes less than a minute to clear.
          Important: Wait for all of the scanning engines to complete.
          5. Once the Scan is completed scroll down and click on the Copy to Clipboard button. This will copy the link of the report into the Clipboard.
          6. Paste the contents of the Clipboard in your next reply.

          =============================================
          Download Security Check by screen317 from one of the following links and save it to your desktop.

          Link 1
          Link 2

          * Unzip SecurityCheck.zip and a folder named Security Check should appear.
          * Open the Security Check folder and double-click Security Check.bat
          * Follow the on-screen instructions inside of the black box.
          * A Notepad document should open automatically called checkup.txt
          * Post the contents of that document in your next reply.

          Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.

            srose
            Re: Re-Infected
            « Reply #8 on: March 14, 2010, 06:04:03 PM »
            It still will not let me paste the file into the box. When I copy it, it says done, but with errors, if that helps. When I go to the link it allows me to click in the box and the cursor will blink. There is no option in the edit menu to paste, and when I try to do Ctrl and V it doesn't do anything. When I browse for the file I don't find it in the location.

            Here is the security check log:

            Results of screen317's Security Check version 0.99.1    
             Windows XP Service Pack 3 
            ``````````````````````````````
            Antivirus/Firewall Check:

             Windows Firewall Enabled! 
             ESET Online Scanner v3   
             Online Armor 4.0   
             Antivirus up to date! (On Access scanning disabled!)
            ``````````````````````````````
            Anti-malware/Other Utilities Check:

             Out of date HijackThis installed!
             SpywareBlaster 4.2   
             SUPERAntiSpyware Free Edition   
             Secunia CSI   
             Secunia PSI   
             HijackThis 1.99.1   
             CCleaner     
             Java(TM) 6 Update 18 
             Java Auto Updater   
             Java 2 Runtime Environment, SE v1.4.2
             Out of date Java installed!
             Adobe Flash Player 10 
            Adobe Reader 9.3.1
            ``````````````````````````````
            Process Check: 
            objlist.exe by Laurent


            Thank You,
            Sean

            SuperDave
            Re: Re-Infected
            « Reply #9 on: March 14, 2010, 07:26:27 PM »
            Update Your Java (JRE)

            Old versions of Java have vulnerabilities that malware can use to infect your system.


            First Verify your Java Version

            If there are any other version(s) installed then update now.

            Get the new version (if needed)

            If your version is out of date install the newest version of the Sun Java Runtime Environment.

            Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

            Be sure to close ALL open web browsers before starting the installation.

            Remove any old versions

            1. Download JavaRa and unzip the file to your Desktop.
            2. Open JavaRA.exe and choose Remove Older Versions.
            3. Once complete, exit JavaRA.
            4. Run CCleaner.

            Additional Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.

            ===============================

            ESET Online Scan

            Scan your computer with the ESET FREE Online Virus Scan

            * Click the ESET Online Scanner button.

            * For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
            * Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
            * Double click on the esetsmartinstaller_enu.exe icon on your desktop.
            * Place a check mark next to YES, I accept the Terms of Use.

            * Click the Start button.
            * Accept any security warnings from your browser.
            * Leave the check mark next to Remove found threats and place a check next to Scan archives.
            * Click the Start button.
            * ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
            * When the scan completes, click List of found threats.
            * Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
            * Click the Back button then click Finish.

            In your next reply please include the ESET Online Scan Log

              srose
              Re: Re-Infected
              « Reply #10 on: March 15, 2010, 03:29:41 PM »
              I already had the latest Java, but I did remove the old versions.

              I ran the ESET scan and it did not show any infections.

              SuperDave

              • Malware Removal Specialist


              • Genius
              • Thanked: 1020
              • Certifications: List
              • Experience: Expert
              • OS: Windows 10
              Re: Re-Infected
              « Reply #11 on: March 16, 2010, 01:44:39 PM »
              The Security Check shows your Anti-Virus disabled. Please enable it now.
              If there are no other issues, it's time for some clean-up. You can uninstall HJT and delete ESET, RootRepeal and Security Check. You may keep SAS and MBAM. Update them and run them about once a week.

              To uninstall ComboFix

              • Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
              • In the field, type in ComboFix /uninstall


              (Note: Make sure there's a space between the word ComboFix and the forward-slash.)

              • Then, press Enter, or click OK.
              • This will uninstall ComboFix, delete its folders and files, hide System files and folders, and reset System Restore.
              ================================

              Clean out your temporary internet files and temp files.

              Download TFC by OldTimer to your desktop.

              Double-click TFC.exe to run it.

              Note: If you are running on Vista, right-click on the file and choose Run As Administrator

              TFC will close all programs when run, so make sure you have saved all your work before you begin.

              * Click the Start button to begin the cleaning process.
              * Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
              * Please let TFC run uninterrupted until it is finished.

              Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

              ===================================

              Use the Secunia Software Inspector to check for out of date software.

              • Click Start Now

              • Check the box next to Enable thorough system inspection.

              • Click Start

              • Allow the scan to finish and scroll down to see if any updates are needed.
              • Update anything listed.

              ----------

              Go to Microsoft Windows Update and get all critical updates.

              ----------

              I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

              SpywareBlaster- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
              * Using SpywareBlaster to protect your computer from Spyware and Malware
              * If you don't know what ActiveX controls are, see here

              Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

              Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

              Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
              Safe Surfing!
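The two checks SuperDave asks for above (Reply #9: old Java versions removed; Reply #11: anti-virus enabled) can be verified from PowerShell. This is an added example, not code from the thread or from any of the tools it names; it assumes Windows Vista or later (the root/SecurityCenter2 namespace) and the commonly documented but unofficial reading of productState bit 0x1000 as "real-time protection on".

```powershell
# Added example, not part of the thread: confirm that only one (current) Java
# runtime is still registered and that an antivirus product reports as enabled.
# Assumes Vista or later (root/SecurityCenter2) and that the widely documented,
# unofficial meaning of productState bit 0x1000 ("on") holds.

function Get-InstalledJava {
    # Java runtimes register under the native and the 32-bit-on-64-bit uninstall keys
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Java*' -and $_.DisplayName -notlike '*Auto Updater*' } |
        Select-Object DisplayName, DisplayVersion, UninstallString
}

function Get-AntivirusState {
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Name         = $_.displayName
                ProductState = ('0x{0:X6}' -f $_.productState)
                Enabled      = (($_.productState -band 0x1000) -ne 0)   # assumption, see header comment
            }
        }
}

$java = @(Get-InstalledJava)
if ($java.Count -eq 0) {
    Write-Host 'No Java runtime is registered.'
} else {
    $java | Format-Table -AutoSize
    if ($java.Count -gt 1) {
        Write-Warning "More than one Java install is present; the older entries are what JavaRA's 'Remove Older Versions' targets."
    }
}

$av = @(Get-AntivirusState)
if ($av.Count -eq 0) {
    Write-Warning 'No antivirus product is registered with Security Center.'
} else {
    $av | Format-Table -AutoSize
    $av | Where-Object { -not $_.Enabled } |
        ForEach-Object { Write-Warning "$($_.Name) reports as disabled; re-enable it." }
}
```

Run it from an elevated Windows PowerShell prompt; on Windows XP the namespace is root/SecurityCenter and the class uses different property names, so the antivirus part would need adjusting there.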

              srose


                Re: Re-Infected
                « Reply #12 on: March 23, 2010, 09:02:30 AM »
                Thank you, SuperDave, you have shown just how great the Computer Hope web site and forum really are for us average computer users.

                Sean

                SuperDave

                Re: Re-Infected
                « Reply #13 on: March 23, 2010, 09:56:58 AM »
                You're welcome, Sean. Have a great day. ;D