
Topic: "your system is infected" virus and also 'windows cannot access specified..'


ryguy15 (Topic Starter, Rookie; Experience: Beginner; OS: Windows Vista)
    Hi, I just recently got a virus that turned my wallpaper to solid black and came up with this message in a black box saying in red writing "YOUR SYSTEM IS INFECTED - System has been stopped due to a serious malfunction. Spyware activity has been detected. It is recommended to use spyware removal tool to prevent data loss. Do not use the computer before all spyware removed." and then it started up a fake antivirus programme that started scanning. With the help of AVG (free trial) I managed to get rid of the box with that message and my wallpaper picture has returned, but now when I try and run programmes like Malwarebytes' Anti-Malware, and Spybot, it comes up with an error message saying "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

    And now I also can't scan with AVG because the scan button has gone grey and I can't click on it. I tried reinstalling Malwarebytes Anti-Malware and got it to launch, but then seconds after it starts scanning the programme just closes and then if I try and open it that same error message comes up.

    So any help would be greatly appreciated. Let me know if I need to give more information than this too.

    thanks.

    ryguy15 (Topic Starter, Rookie; Experience: Beginner; OS: Windows Vista)
      Just thought I might add that now my computer has taken to suddenly turning itself off for no apparent reason.
      Thanks again in advance to whoever can offer some help.

      SuperDave (Malware Removal Specialist, Moderator, Genius; Experience: Expert; OS: Windows 10)
      Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum so it may take a bit longer to process your logs.

      1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
      2. The fixes are specific to your problem and should only be used for this issue on this machine.
      3. If you don't know or understand something, please don't hesitate to ask.
      4. Please DO NOT run any other tools or scans while I am helping you.
      5. It is important that you reply to this thread. Do not start a new topic.
      6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
      7. Absence of symptoms does not mean that everything is clear.

      If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.

      Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
      Save Rkill to your desktop.

      There are 4 different versions. If one of them won't run then download and try to run the other one.
       
      Vista and Win7 users need to right click Rkill and choose Run as Administrator
       

      You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

      * Rkill.exe
      * Rkill.com
      * Rkill.scr
      * Rkill.pif

      Once you've gotten one of them to run then try to immediately run the following.
      *******************************************
      SUPERAntiSpyware

      If you already have SUPERAntiSpyware be sure to check for updates before scanning!


      Download SuperAntispyware Free Edition (SAS)
      • Double-click the icon on your desktop to run the installer.
      • When asked to Update the program definitions, click Yes
      • If you encounter any problems while downloading the updates, manually download and unzip them from here
      • Next click the Preferences button.
      • Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts
      • Click the Scanning Control tab.
      • Under Scanner Options make sure only the following are checked:

        • Close browsers before scanning
        • Scan for tracking cookies
        • Terminate memory threats before quarantining
        Please leave the others unchecked

      • Click the Close button to leave the control center screen.
      • On the main screen click Scan your computer
      • On the left check the box for the drive you are scanning.
      • On the right choose Perform Complete Scan
      • Click Next to start the scan. Please be patient while it scans your computer.
      • After the scan is complete a summary box will appear. Click OK
      • Make sure everything in the white box has a check next to it, then click Next
      • It will quarantine what it found and if it asks if you want to reboot, click Yes

      To retrieve the removal information please do the following:
      • After reboot, double-click the SUPERAntiSpyware icon on your desktop.
      • Click Preferences. Click the Statistics/Logs tab.
      • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
      • It will open in your default text editor (preferably Notepad).
      • Save the notepad file to your desktop by clicking (in notepad) File > Save As...
      • Save the log somewhere you can easily find it. (normally the desktop)
      • Click close and close again to exit the program.
      • Copy and Paste the log in your post.
      ****************************************
      Please download Malwarebytes Anti-Malware from here.

      Double Click mbam-setup.exe to install the application.
      • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
      • If an update is found, it will download and install the latest version.
      • Once the program has loaded, select "Perform Full Scan", then click Scan.
      • The scan may take some time to finish, so please be patient.
      • When the scan is complete, click OK, then Show Results to view the results.
      • Make sure that everything is checked, and click Remove Selected.
      • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
      • Please save the log to a location you will remember.
      • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
      • Copy and paste the entire report in your next reply.
      Extra Note:

      If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
      ************************************
      Please download: HiJackThis to your Desktop.
      • Double Click the HijackThis icon, located on your Desktop.
      • By Default, it will install to: C:\Program Files\Trend Micro\HijackThis
      • Accept the license agreement.
      • Click the Open the Misc Tools section button.
      • Place a checkmark beside Calculate MD5 of files if possible. Then, click Back.
      • Click Do a System Scan and Save a Logfile. Or, if you see a white screen, click Scan.
      • Please post the log in your next reply.
      Windows 8 and Windows 10 dual boot with two SSD's

        ryguy15 (Topic Starter, Rookie; Experience: Beginner; OS: Windows Vista)
        Hey SuperDave, first of all thank you for offering your help!
        Well, I've tried to do all those things that you said in your post, but unfortunately the only one that worked was the rkill.exe.
        I downloaded SUPERAntiSpyware and installed it and checked and unchecked all the boxes you said to, but then about 2 mins into the scan it just closed itself and then when I tried to open it again I got the "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." again. The same thing happened with Malwarebytes and also HiJackThis. So unfortunately I can't post any logs here yet :(

        I only downloaded the first rkill programme, should I try using the other ones as well? Or I could post the logs from the rkill.exe saying which programmes it terminated?

        Thanks again for your help.


        SuperDave (Malware Removal Specialist, Moderator, Genius; Experience: Expert; OS: Windows 10)
        Boot in Safe Mode and try to run MBAM. If that works well, reboot in Normal mode and run SAS. Post the logs, if you can.

          ryguy15 (Topic Starter, Rookie; Experience: Beginner; OS: Windows Vista)
          Even in safe mode the same thing happens. Malwarebytes just closes after I run the scan and then I get that error message when I try to open it again. Each time I try to run malwarebytes or any of those other programmes I have to reinstall them.
          I don't know if this will be any help but this is the process that gets terminated by rkill:


          \\.\globalroot\Device\svchost.exe\svchost.exe
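The path Rkill reported is a textbook masquerade: the real svchost.exe lives in C:\Windows\System32, while this one runs from a device-namespace path whose parent directory is itself named svchost.exe. The Python below is an added example written for this page, not a tool from the thread or from Rkill; it applies exactly those checks to a list of process image paths. Apart from the path quoted above, the sample paths are constructed, and the table of expected home directories is an assumption for the example rather than a complete list.

```python
# Process image paths as a tool like Rkill would list them. The second entry is
# the path quoted in this thread; the others are constructed for this example.
SAMPLE_PROCESSES = [
    r"C:\Windows\System32\svchost.exe",
    r"\\.\globalroot\Device\svchost.exe\svchost.exe",
    r"C:\Users\Ryan\AppData\Local\Temp\svchost.exe",
    r"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe",
    r"C:\Windows\explorer.exe",
]

# Core Windows binaries and the directory (relative to the Windows directory,
# lower-cased; "" means the Windows directory itself) each normally runs from.
# This table is an assumption made for the example, not an exhaustive list.
EXPECTED_HOMES = {
    "svchost.exe": ("system32", "syswow64"),
    "lsass.exe": ("system32",),
    "csrss.exe": ("system32",),
    "winlogon.exe": ("system32",),
    "services.exe": ("system32",),
    "explorer.exe": ("",),
}

# Prefixes that address a volume through the object-manager namespace
# rather than a drive letter (compared lower-cased).
DEVICE_PREFIXES = ("\\\\.\\globalroot\\", "\\\\?\\globalroot\\", "\\device\\")


def suspicious_reasons(image_path):
    """Return the reasons an image path looks like a masquerade (empty if none)."""
    reasons = []
    lowered = image_path.lower()

    # 1. A device-namespace prefix hides the real volume and directory;
    #    ordinary processes are listed with a drive-letter path.
    if lowered.startswith(DEVICE_PREFIXES):
        reasons.append("device-namespace path instead of a drive-letter path")

    parts = [p for p in lowered.replace("/", "\\").split("\\") if p]
    if not parts:
        return reasons
    name = parts[-1]

    # 2. A *directory* named like an executable (...\svchost.exe\svchost.exe)
    #    makes the file-name column look legitimate at a glance.
    if any(p.endswith(".exe") for p in parts[:-1]):
        reasons.append("a directory in the path is named like an executable")

    # 3. A core system binary name running from somewhere other than its home.
    if name in EXPECTED_HOMES:
        parent = parts[-2] if len(parts) >= 2 else ""
        grandparent = parts[-3] if len(parts) >= 3 else ""
        homes = EXPECTED_HOMES[name]
        at_home = (grandparent == "windows" and parent in homes) or \
                  (parent == "windows" and "" in homes)
        if not at_home:
            reasons.append(f"{name} is not running from its usual Windows directory")
    return reasons


def triage_processes(image_paths):
    """Map each flagged path to its reasons; clean paths are left out."""
    flagged = {}
    for path in image_paths:
        reasons = suspicious_reasons(path)
        if reasons:
            flagged[path] = reasons
    return flagged


if __name__ == "__main__":
    for path, reasons in triage_processes(SAMPLE_PROCESSES).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

Run as-is it flags the globalroot path on all three counts and the AppData copy on the third; the System32 and explorer.exe entries pass. The checks are deliberately structural (where a name runs from, not what it is called), which is why a renamed security tool such as the gidget.exe trick suggested later in this thread is not affected by them.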


          SuperDave (Malware Removal Specialist, Moderator, Genius; Experience: Expert; OS: Windows 10)
          We are going to be using a Windows Recovery Environment to help disinfect the system so it may boot again.

          Download the OTLPE Standard REATOGO Windows Recovery Environment.
          • Place a blank CD-R disc into your CD burning drive.
          • Download OTLPEStd.exe and double-click on it to burn to a CD using the ISO Burner.
          • Reboot your system using the boot CD you just created.

          Note: If you do not know how to set your computer to boot from CD follow the steps here
          • Your system should now display a REATOGO-X-PE desktop.
          • Double-click on the OTLPE icon.
          • When asked "Do you wish to load the remote registry", select Yes
          • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
          • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
          • OTL should now start. Change the following settings
            • Change Drivers to Non-Microsoft
          • Press Run Scan to start the scan.
          • When finished, the file will be saved in drive C:\_OTL\MovedFiles
          • Copy this file to your USB drive if you do not have internet connection on this system
          • Please post the contents of the OTL.txt file in your reply.

          MelyBoon (Guest)
          Your comment has been removed. Please do not post malware advice, or post here in the malware forum, unless you need help.
          « Last Edit: October 16, 2010, 01:03:39 PM by SuperDave »

            ryguy15 (Topic Starter, Rookie; Experience: Beginner; OS: Windows Vista)
            Ok when I reboot the computer with the cd and get to the REATOGO-X-PE desktop, I double click on the OTLPE icon and it brings up some folder selection thing. The folders to choose from are:
            My Computer
            -RAMDisk(B:)
            -Local Disk (C:)
            -PRESARIO_RP(D:)
            -ReatogoPE (X:)
            -Shared Documents

            If I click on 'my computer' and click ok, it brings up a message saying "No windows installations found"
            If I click on any of the others and click ok it says "Target is not windows 2000 or later"
            :\

            I also now have this stupid 'antivirus 2010' programme reappearing, which I thought I had managed to originally get rid of.


            What should I do now?
            and again, thank you for helping me with this.

              ryguy15 (Topic Starter, Rookie; Experience: Beginner; OS: Windows Vista)
              I also can't get Task Manager to run.

              SuperDave (Malware Removal Specialist, Moderator, Genius; Experience: Expert; OS: Windows 10)
              Ok. Let's try this. Click Start, My Computer, double-click on your C: drive and double-click on MalWareBytes-Antimalware. Right-click on mbam.exe and change the name to something like gidget.exe. Now see if it will run. Please post the log if you can get it to run.

                ryguy15 (Topic Starter, Rookie; Experience: Beginner; OS: Windows Vista)
                Ok I tried renaming mbam.exe but still no luck. About 2 seconds into the scan and the program just closes. And then it says I no longer have access to it when I try to open it again. Interestingly though, AVG appears to be working again (it's still scanning and it's been going for about 12 minutes now), although it hasn't found anything yet.

                SuperDave (Malware Removal Specialist, Moderator, Genius; Experience: Expert; OS: Windows 10)
                Please download ComboFix from BleepingComputer.com

                Alternate link: GeeksToGo.com

                • Rename ComboFix.exe to commy.exe before you save it to your Desktop
                • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here
                • Click Start>Run then copy paste the following command into the Run box & click OK: "%userprofile%\desktop\commy.exe" /stepdel
                • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
                • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

                Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

                Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


                Click on Yes, to continue scanning for malware.
                When finished, it shall produce a log for you.  Please include the contents of C:\ComboFix.txt in your next reply.

                If you have problems with ComboFix usage, see How to use ComboFix

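ComboFix writes its report to C:\ComboFix.txt, and the "Files Created" section lists one entry per line: creation time, modification time, size (dashes for a directory), attribute flags and path, as the log posted later in this thread shows. Reading that section by hand is slow, so here is an added Python example, not part of the thread or of ComboFix, that parses such lines and flags the entries a reviewer would look at first. The sample lines are constructed for the example (modelled on paths from the thread's log), and the allow-list of standard Windows subdirectories and the review heuristics are assumptions: a starting point for review, not a verdict.

```python
import re
from datetime import datetime

# Constructed sample in the format of ComboFix's "Files Created" section:
#   created . modified   size-or-dashes   attribute-flags   path
# The paths are modelled on ones seen in this thread's log; they are sample
# data for this example, not real detections.
SAMPLE_LOG = r"""
2010-10-22 11:20 . 2010-10-22 11:27   --------   d-----w-   c:\users\Ryan\AppData\Local\temp
2010-10-18 02:01 . 2010-04-29 02:39   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-10-15 09:47 . 2010-09-06 16:20   125952   ----a-w-   c:\windows\system32\srvsvc.dll
2010-10-14 10:29 . 2010-10-14 10:29   --------   d-----w-   c:\program files\Trend Micro
2010-10-11 23:59 . 2010-10-11 23:59   40960   ----a-w-   c:\windows\PRAGMAyrtxnwrcjt\PRAGMAc.dll
2010-10-11 23:58 . 2010-10-11 23:58   9216   ----a-w-   c:\users\Ryan\AppData\Local\temp\setup.exe
"""

LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s*\.\s*"
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>\d+|-+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+?)\s*$"
)

EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".scr", ".pif", ".com"}
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")
# Partial allow-list of directories that normally sit directly under %WINDIR%
# (assumption for this example; extend it for the build you are reviewing).
STANDARD_WINDIR_SUBDIRS = {
    "system32", "syswow64", "winsxs", "microsoft.net", "system", "servicing",
    "installer", "fonts", "assembly", "temp", "inf", "softwaredistribution",
    "apppatch", "ehome", "help", "resources", "boot", "security", "ime",
}


def parse_log(text):
    """Parse 'Files Created' lines into dicts; banners, dots and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        size = m.group("size")
        entries.append({
            "created": datetime.strptime(m.group("created"), "%Y-%m-%d %H:%M"),
            "modified": datetime.strptime(m.group("modified"), "%Y-%m-%d %H:%M"),
            "size": int(size) if size.isdigit() else None,   # None for directories
            "is_dir": m.group("attrs").startswith("d"),
            "path": m.group("path"),
        })
    return entries


def review_reasons(entry):
    """Reasons a file entry deserves a closer look; empty list if none apply."""
    reasons = []
    if entry["is_dir"]:
        return reasons
    lowered = entry["path"].lower()
    name = lowered.rsplit("\\", 1)[-1]
    ext = name[name.rfind("."):] if "." in name else ""
    # Executables dropped where any user can write are the classic fake-AV pattern.
    if ext in EXECUTABLE_EXTS and any(marker in lowered for marker in USER_WRITABLE_MARKERS):
        reasons.append("executable created in a user-writable location")
    # New kernel drivers are high impact; each one should match software you installed.
    if ext == ".sys" and "\\drivers\\" in lowered:
        reasons.append("new kernel driver; confirm it belongs to software you installed")
    # An executable in an unfamiliar directory directly under the Windows directory.
    parts = lowered.split("\\")
    if (len(parts) >= 4 and parts[1] == "windows"
            and parts[2] not in STANDARD_WINDIR_SUBDIRS and ext in EXECUTABLE_EXTS):
        reasons.append(f"executable in non-standard Windows subdirectory '{parts[2]}'")
    return reasons


def triage(text, since=None):
    """Return {path: reasons} for flagged entries, newest first.

    `since` is an optional 'YYYY-MM-DD' string; entries created earlier are ignored.
    """
    cutoff = datetime.strptime(since, "%Y-%m-%d") if since else None
    flagged = {}
    for entry in sorted(parse_log(text), key=lambda e: e["created"], reverse=True):
        if cutoff is not None and entry["created"] < cutoff:
            continue
        reasons = review_reasons(entry)
        if reasons:
            flagged[entry["path"]] = reasons
    return flagged


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

On the sample it flags the driver in system32\drivers (a legitimate Malwarebytes driver here, which is exactly why the reason says "confirm" rather than "malicious"), the DLL in the randomly named directory under c:\windows, and the executable in the user's temp folder. Passing a `since` date close to when symptoms began narrows the list to what was created around the incident; anything the heuristics miss, such as data files in AppData, still needs a human eye.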

                autotech (Starter; Experience: Familiar; OS: Windows XP) "Mongo just pawn in game of life."
                  Super Dave, I have been following this thread as a friend of mine got his Dell laptop with XP home hit also. Everything he stated has happened to me also, ie shutdown after 2 min, path not found, etc. When I went to rename mbam.exe I found it had been renamed
                  mbam. exe the space being the difference. When I went to rename it it was denied as the infection has blocked anyone from renaming files other than it. Hope this helps. I am just waiting to see where this goes next to see if I can help my friend. Big Dave

                    ryguy15 (Topic Starter, Rookie; Experience: Beginner; OS: Windows Vista)
                    Here is the log that Combofix produced:

                    ComboFix 10-10-21.05 - Ryan 22/10/2010  23:58:51.3.2 - x86
                    Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.64.1033.18.1982.1121 [GMT 13:00]
                    Running from: c:\users\Ryan\Desktop\commy.exe
                    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
                    SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
                    SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
                    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
                    .

                    (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                    .

                    c:\programdata.\documents\settings
                    c:\programdata\.wtav
                    c:\users\Ryan\AppData\Roaming\avdrn.dat
                    c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AnVi
                    c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AnVi\About.lnk
                    c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AnVi\Activate.lnk
                    c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AnVi\Antivirus Support.lnk
                    c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AnVi\Antivirus.lnk
                    c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AnVi\Buy.lnk
                    c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AnVi\Scan.lnk
                    c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AnVi\Settings.lnk
                    c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AnVi\Update.lnk
                    c:\users\Ryan\oashdihasidhasuidhiasdhiashdiuasdhasd
                    c:\windows\PRAGMAyrtxnwrcjt
                    c:\windows\PRAGMAyrtxnwrcjt\PRAGMAc.dll
                    c:\windows\PRAGMAyrtxnwrcjt\PRAGMAcfg.ini
                    c:\windows\PRAGMAyrtxnwrcjt\PRAGMAsrcr.dat

                    Infected copy of c:\windows\system32\drivers\AGP440.sys was found and disinfected
                    Restored copy from - c:\windows\system32\drivers\agp440.sys.bak

                    .
                    (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
                    .

                    -------\Service_userinit


                    (((((((((((((((((((((((((   Files Created from 2010-09-22 to 2010-10-22  )))))))))))))))))))))))))))))))
                    .

                    2010-10-22 11:20 . 2010-10-22 11:27   --------   d-----w-   c:\users\Ryan\AppData\Local\temp
                    2010-10-22 11:20 . 2010-10-22 11:20   --------   d-----w-   c:\users\Public\AppData\Local\temp
                    2010-10-22 11:20 . 2010-10-22 11:20   --------   d-----w-   c:\users\Guest\AppData\Local\temp
                    2010-10-22 11:20 . 2010-10-22 11:20   --------   d-----w-   c:\users\Guest(56)\AppData\Local\temp
                    2010-10-22 11:20 . 2010-10-22 11:20   --------   d-----w-   c:\users\Default\AppData\Local\temp
                    2010-10-22 08:08 . 2010-10-07 23:21   6146896   ----a-w-   c:\programdata\Microsoft\Windows Defender\Definition Updates\{A15205D0-8851-4AAD-B675-A6BFC9825264}\mpengine.dll
                    2010-10-18 02:01 . 2010-04-29 02:39   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
                    2010-10-18 02:01 . 2010-04-29 02:39   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
                    2010-10-17 08:31 . 2010-10-17 08:41   11952   ----a-w-   c:\windows\system32\avgrsstx.dll
                    2010-10-17 08:31 . 2010-10-17 08:41   335240   ----a-w-   c:\windows\system32\drivers\avgldx86.sys
                    2010-10-17 08:30 . 2010-10-17 08:41   27784   ----a-w-   c:\windows\system32\drivers\avgmfx86.sys
                    2010-10-17 08:30 . 2010-10-17 08:43   --------   d-----w-   c:\windows\system32\drivers\Avg
                    2010-10-15 09:47 . 2010-09-13 13:56   168960   ----a-w-   c:\program files\Windows Media Player\wmplayer.exe
                    2010-10-15 09:47 . 2010-09-13 13:56   8147456   ----a-w-   c:\windows\system32\wmploc.DLL
                    2010-10-15 09:47 . 2010-09-06 16:20   125952   ----a-w-   c:\windows\system32\srvsvc.dll
                    2010-10-15 09:47 . 2010-09-06 13:45   304128   ----a-w-   c:\windows\system32\drivers\srv.sys
                    2010-10-15 09:47 . 2010-09-06 13:45   145408   ----a-w-   c:\windows\system32\drivers\srv2.sys
                    2010-10-15 09:47 . 2010-09-06 13:45   102400   ----a-w-   c:\windows\system32\drivers\srvnet.sys
                    2010-10-15 09:47 . 2010-09-06 16:19   17920   ----a-w-   c:\windows\system32\netevent.dll
                    2010-10-14 10:29 . 2010-10-14 10:29   --------   d-----w-   c:\program files\Trend Micro
                    2010-10-10 02:38 . 2010-10-10 02:38   --------   d-----w-   c:\program files\Giant Crocodile
                    2010-10-08 08:58 . 2010-10-08 08:58   --------   dc----w-   C:\$AVG
                    2010-10-08 06:08 . 2010-10-08 06:08   --------   dc----w-   C:\AVG10
                    2010-10-08 06:06 . 2010-10-08 06:06   --------   d--h--w-   c:\programdata\Common Files
                    2010-10-08 06:03 . 2010-10-14 08:43   --------   d-----w-   c:\programdata\AVG10
                    2010-10-08 05:51 . 2010-10-08 06:01   --------   d-----w-   c:\programdata\MFAData
                    2010-10-08 05:39 . 2010-10-18 19:05   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
                    2010-09-30 08:28 . 2010-09-30 08:28   --------   d-----w-   c:\windows\Profiles
                    2010-09-29 07:54 . 2010-06-22 13:30   2048   ----a-w-   c:\windows\system32\tzres.dll
                    2010-09-28 11:31 . 2010-09-28 11:31   --------   d-----w-   c:\program files\iPod
                    2010-09-28 11:24 . 2010-09-28 11:24   --------   d-----w-   c:\program files\Bonjour

                    .
                    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                    .
                    2010-10-18 22:41 . 2010-02-11 13:33   222080   ------w-   c:\windows\system32\MpSigStub.exe
                    2010-09-13 03:27 . 2010-09-13 03:27   25680   ----a-w-   c:\windows\system32\drivers\AVGIDSEH.sys
                    2010-09-07 22:17 . 2010-09-07 22:17   94208   ----a-w-   c:\windows\system32\QuickTimeVR.qtx
                    2010-09-07 22:17 . 2010-09-07 22:17   69632   ----a-w-   c:\windows\system32\QuickTime.qts
                    2010-08-17 14:11 . 2010-09-16 08:10   128000   ----a-w-   c:\windows\system32\spoolsv.exe
                    2010-07-27 05:44 . 2010-07-27 05:44   91424   ----a-w-   c:\windows\system32\dnssd.dll
                    2010-07-27 05:44 . 2010-07-27 05:44   107808   ----a-w-   c:\windows\system32\dns-sd.exe
                    2009-01-27 01:34 . 2009-01-27 01:34   1044480   ----a-w-   c:\program files\mozilla firefox\plugins\libdivx.dll
                    2009-01-27 01:34 . 2009-01-27 01:34   200704   ----a-w-   c:\program files\mozilla firefox\plugins\ssldivx.dll
                    2007-08-25 01:52 . 2008-06-05 11:59   300400   ----a-w-   c:\program files\mozilla firefox\components\coFFPlgn.dll
                    .

                    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                    .
                    .
                    *Note* empty entries & legit default entries are not shown
                    REGEDIT4

                    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
                    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

                    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                    "Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-07-09 159744]
                    "QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-10-01 181544]
                    "QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-09-19 202032]
                    "OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-09-04 554320]
                    "UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-08-17 218408]
                    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
                    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 49152]
                    "hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-09-13 480560]
                    "WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-08 311296]
                    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
                    "WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
                    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-16 47392]
                    "VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-01-29 52392]
                    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-23 13601312]
                    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-06-23 92704]
                    "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
                    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-24 202256]
                    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
                    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
                    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-17 248040]
                    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-07 421888]
                    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-23 421160]
                    "Malwarebytes Anti-Malware (rootkit-scan)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]

                    c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
                    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

                    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
                    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]

                    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
                    "EnableLUA"= 0 (0x0)
                    "EnableUIADesktopToggle"= 0 (0x0)

                    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
                    "AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

                    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
                    "aux"=wdmaud.drv

                    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
                    @="Driver"

                    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
                    @="Service"

                    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
                    "DisableMonitoring"=dword:00000001

                    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
                    "DisableMonitoring"=dword:00000001

                    R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys

                    R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys

                    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe

                    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
                    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-08-10 133104]
                    R2 Nakido;Nakido;c:\program files\Nakido\nakido.exe

                    R3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\System32\DRIVERS\ASPI32.sys [2002-07-17 84832]
                    R3 cxru92a1;Virtual Bus for Microsoft ACPI-Compliant System;

                    R3 DFBCFDBA;DFBCFDBA;

                    R3 iscFlash;iscFlash;c:\swsetup\sp42533\iscflash.sys [2008-08-05 11520]
                    R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys

                    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
                    R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2008-04-29 717296]
                    S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [2010-09-13 25680]
                    S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-10-17 335240]
                    S2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [2009-12-16 375296]
                    S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]


                    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
                    HPZ12   REG_MULTI_SZ      Pml Driver HPZ12 Net Driver HPZ12
                    HPService   REG_MULTI_SZ      HPSLPSVC
                    hpdevmgmt   REG_MULTI_SZ      hpqcxs08 hpqddsvc
                    LocalServiceAndNoImpersonation   REG_MULTI_SZ      FontCache
                    .
                    Contents of the 'Scheduled Tasks' folder

                    2010-10-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
                    - c:\program files\Google\Update\GoogleUpdate.exe [2009-08-10 23:39]

                    2010-10-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
                    - c:\program files\Google\Update\GoogleUpdate.exe [2009-08-10 23:39]

                    2010-10-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-753018427-1233051673-1299658189-1003Core.job
                    - c:\users\Ryan\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-10 04:59]

                    2010-10-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-753018427-1233051673-1299658189-1003UA.job
                    - c:\users\Ryan\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-10 04:59]

                    2010-10-22 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-753018427-1233051673-1299658189-1003.job
                    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 09:09]

                    2010-10-22 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-753018427-1233051673-1299658189-1003.job
                    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 09:09]
                    .
                    .
                    ------- Supplementary Scan -------
                    .
                    uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_nz&c=81&bd=Presario&pf=laptop
                    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_nz&c=81&bd=Presario&pf=laptop
                    uInternet Settings,ProxyServer = proxy.student.otago.ac.nz:3128
                    uInternet Settings,ProxyOverride = <local>
                    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
                    DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} - hxxp://static.ak.facebook.com/fbplugin/win32/axfbootloader.cab
                    FF - ProfilePath - c:\users\Ryan\AppData\Roaming\Mozilla\Firefox\Profiles\5isep8bi.default\
                    FF - component: c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
                    FF - component: c:\users\Ryan\AppData\Roaming\Mozilla\Firefox\Profiles\5isep8bi.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}\components\IBitCometExtension.dll
                    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
                    FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
                    FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
                    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
                    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
                    FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
                    FF - plugin: c:\programdata\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
                    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
                    .
                    - - - - ORPHANS REMOVED - - - -

                    BHO-{9DFE2FE9-CF99-4ADF-A28E-9B5ADB8DC74F} - (no file)
                    HKLM-Run-hpqSRMon - (no file)
                    HKLM-Run-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe
                    AddRemove-Antivirus - c:\program files\AnVi\Pklkvqdii+`}`
                    AddRemove-AVG8Uninstall - c:\program files\AVG\AVG8\setup.exe


                    .
                    --------------------- DLLs Loaded Under Running Processes ---------------------

                    - - - - - - - > 'Explorer.exe'(4816)
                    c:\program files\Nokia\Nokia PC Suite 6\phonebrowser.dll
                    c:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll
                    c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_eng-us.nlr
                    c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr
                    .
                    ------------------------ Other Running Processes ------------------------
                    .
                    c:\windows\system32\nvvsvc.exe
                    c:\windows\system32\WLANExt.exe
                    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
                    c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
                    c:\program files\Bonjour\mDNSResponder.exe
                    c:\program files\CyberLink\Shared Files\RichVideo.exe
                    c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
                    c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
                    c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
                    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
                    c:\windows\system32\DRIVERS\xaudio.exe
                    c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
                    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
                    c:\windows\system32\rundll32.exe
                    c:\windows\System32\rundll32.exe
                    c:\program files\Windows Media Player\wmpnscfg.exe
                    c:\program files\Windows Media Player\wmpnetwk.exe
                    c:\program files\Apoint2K\ApMsgFwd.exe
                    c:\program files\Apoint2K\Apntex.exe
                    c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
                    c:\program files\iPod\bin\iPodService.exe
                    c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
                    .
                    **************************************************************************
                    .
                    Completion time: 2010-10-23  00:35:43 - machine was rebooted
                    ComboFix-quarantined-files.txt  2010-10-22 11:35

                    Pre-Run: 6,880,415,744 bytes free
                    Post-Run: 7,537,274,880 bytes free

                    - - End Of File - - DA41FB2AD76064205DDCCAAABE2D398C

                    ryguy15

                      Topic Starter


                      Rookie

                      • Computer: Specs
                      • Experience: Beginner
                      • OS: Windows Vista
I don't know if it would've actually affected Combofix or not, but I wasn't able to really disable AVG. I tried following the appropriate steps but it wouldn't let me disable anything. So I tried uninstalling it but that just failed multiple times. So I tried just deleting it which didn't quite work either (1 file wasn't able to be deleted). Just thought I'd add that in case it was important.

                      SuperDave

                      • Malware Removal Specialist
                      • Moderator


                      • Genius
                      • Thanked: 1020
                      • Certifications: List
                      • Experience: Expert
                      • OS: Windows 10
                      You have Viewpoint installed.

Viewpoint Media Player/Manager/Toolbar is considered Foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad".

                      More information:

                      * ViewMgr.exe - Useless
                      * Viewpoint to Plunge Into Adware

It is suggested to remove the program now. Go to Start > Control Panel > Add/Remove Programs (on Vista & Win7 it is Programs and Features) and remove the following programs if present.

                      * Viewpoint
                      * Viewpoint Manager
                      * Viewpoint Media Player
                      * Viewpoint Toolbar
                      * Viewpoint Experience Technology

                      ************************************

                      Re-running ComboFix to remove infections:

                      • Close any open browsers.
• Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
                      • Open notepad and copy/paste the text in the quotebox below into it:
                        Quote
                        KillAll::

                        Driver::
                        DFBCFDBA

                      • Save this as CFScript.txt, in the same location as ComboFix.exe
                      • Referring to the picture above, drag CFScript into ComboFix.exe
                      • When finished, it shall produce a log for you at C:\ComboFix.txt
                      • Please post the contents of the log in your next reply.
                      ***********************************
                      Download Security Check by screen317 from one of the following links and save it to your desktop.

                      Link 1
                      Link 2

                      * Unzip SecurityCheck.zip and a folder named Security Check should appear.
                      * Open the Security Check folder and double-click Security Check.bat
                      * Follow the on-screen instructions inside of the black box.
                      * A Notepad document should open automatically called checkup.txt
                      * Post the contents of that document in your next reply.

                      Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
                      **********************************
                      Please try running SuperAntiSpyware and MalwareBytes-Antimalware and post the logs if you're successful.
                      Windows 8 and Windows 10 dual boot with two SSD's
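As an added example (not code from this thread, from ComboFix's authors or from screen317), here is a Python triage script that parses the R*/S* service lines and the EnableLUA policy value from a ComboFix log like the ones posted above, and flags the path-less, hex-named driver that the CFScript targets. The embedded log excerpt is constructed from lines quoted in this thread; the heuristics, thresholds and function names are my own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed excerpt modelled on the 'Drivers/Services' and 'Reg Loading Points'
# sections of the ComboFix log quoted in this thread; it is not the full log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe
R3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\System32\DRIVERS\ASPI32.sys [2002-07-17 84832]
R3 cxru92a1;Virtual Bus for Microsoft ACPI-Compliant System;
R3 DFBCFDBA;DFBCFDBA;
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
"""

# ComboFix service line: <state><start type> <service name>;<display name>;<image path> [<date> <size>]
# R = running, S = stopped; the digit is the Windows start type (0 = boot ... 4 = disabled).
SERVICE_RE = re.compile(r"^([RS][0-4])\s+([^;]+);([^;]*);(.*)$")
# Registry policy value as ComboFix prints it, e.g.  "EnableLUA"= 0 (0x0)
ENABLE_LUA_RE = re.compile(r'^"EnableLUA"\s*=\s*(\d+)')
# Eight upper-case hex digits: the shape of the service name the thread's CFScript removes.
HEX8_RE = re.compile(r"[0-9A-F]{8}")


@dataclass
class Service:
    state: str     # e.g. "R3"
    name: str      # service/driver key name
    display: str   # display name
    image: str     # image path with the trailing "[date size]" removed ("" if none)


def parse_services(log_text: str) -> list[Service]:
    """Extract every R*/S* service line from a ComboFix log."""
    services = []
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        state, name, display, rest = m.groups()
        image = rest.split(" [", 1)[0].strip()   # drop "[2002-07-17 84832]"
        services.append(Service(state, name.strip(), display.strip(), image))
    return services


def suspicious_services(log_text: str) -> dict[str, list[str]]:
    """Map service name -> reasons it deserves a look (empty dict = nothing flagged).

    The heuristics mirror what a malware-removal helper checks by eye: a service
    that points at no file on disk, and a name that looks generated, not chosen.
    """
    flagged: dict[str, list[str]] = {}
    for svc in parse_services(log_text):
        reasons = []
        if not svc.image:
            reasons.append("no image path on disk")
        if HEX8_RE.fullmatch(svc.name):
            reasons.append("service name is 8 hex characters")
        if reasons:
            flagged[svc.name] = reasons
    return flagged


def uac_disabled(log_text: str) -> bool:
    """True when the log records EnableLUA = 0 (UAC off), matching Security Check's 'UAC is disabled!'."""
    for line in log_text.splitlines():
        m = ENABLE_LUA_RE.match(line.strip())
        if m:
            return int(m.group(1)) == 0
    return False


def driver_block(log_text: str, min_reasons: int = 2) -> str:
    """Render a CFScript 'Driver::' section for services hitting at least min_reasons heuristics.

    With the default threshold only DFBCFDBA qualifies from the sample; cxru92a1 also has
    no file but keeps a descriptive display name, so it is left for a person to judge.
    """
    names = [n for n, r in suspicious_services(log_text).items() if len(r) >= min_reasons]
    if not names:
        return ""
    return "Driver::\n" + "\n".join(names) + "\n"


if __name__ == "__main__":
    for name, reasons in suspicious_services(SAMPLE_LOG).items():
        print(f"{name}: {', '.join(reasons)}")
    print("UAC disabled:", uac_disabled(SAMPLE_LOG))
    print(driver_block(SAMPLE_LOG), end="")
```

The output is a triage list, not a verdict: every flagged entry still needs the helper's judgement before it goes into a CFScript.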

                      ryguy15

                        Topic Starter


                        Rookie

                        • Computer: Specs
                        • Experience: Beginner
                        • OS: Windows Vista
                        Combo fix log:
                        ComboFix 10-10-21.05 - Ryan 23/10/2010  12:33:02.4.2 - x86
                        Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.64.1033.18.1982.1082 [GMT 13:00]
                        Running from: c:\users\Ryan\Desktop\commy.exe
                        Command switches used :: c:\users\Ryan\Desktop\CFScript.txt
                        AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
                        SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
                        SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
                        SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
                        .

                        (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                        .

                        .
                        (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
                        .

                        -------\Service_DFBCFDBA


                        (((((((((((((((((((((((((   Files Created from 2010-09-22 to 2010-10-22  )))))))))))))))))))))))))))))))
                        .

                        2010-10-22 23:47 . 2010-10-22 23:54   --------   d-----w-   c:\users\Ryan\AppData\Local\temp
                        2010-10-22 23:47 . 2010-10-22 23:47   --------   d-----w-   c:\users\Public\AppData\Local\temp
                        2010-10-22 23:47 . 2010-10-22 23:47   --------   d-----w-   c:\users\Guest\AppData\Local\temp
                        2010-10-22 23:47 . 2010-10-22 23:47   --------   d-----w-   c:\users\Guest(56)\AppData\Local\temp
                        2010-10-22 23:47 . 2010-10-22 23:47   --------   d-----w-   c:\users\Default\AppData\Local\temp
                        2010-10-22 23:26 . 2010-10-22 23:29   --------   dc----r-   C:\32788R22FWJFW
                        2010-10-22 08:08 . 2010-10-07 23:21   6146896   ----a-w-   c:\programdata\Microsoft\Windows Defender\Definition Updates\{A15205D0-8851-4AAD-B675-A6BFC9825264}\mpengine.dll
                        2010-10-18 02:01 . 2010-04-29 02:39   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
                        2010-10-18 02:01 . 2010-04-29 02:39   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
                        2010-10-17 08:31 . 2010-10-17 08:41   11952   ----a-w-   c:\windows\system32\avgrsstx.dll
                        2010-10-17 08:31 . 2010-10-17 08:41   335240   ----a-w-   c:\windows\system32\drivers\avgldx86.sys
                        2010-10-17 08:30 . 2010-10-17 08:41   27784   ----a-w-   c:\windows\system32\drivers\avgmfx86.sys
                        2010-10-17 08:30 . 2010-10-17 08:43   --------   d-----w-   c:\windows\system32\drivers\Avg
                        2010-10-15 09:47 . 2010-09-13 13:56   168960   ----a-w-   c:\program files\Windows Media Player\wmplayer.exe
                        2010-10-15 09:47 . 2010-09-13 13:56   8147456   ----a-w-   c:\windows\system32\wmploc.DLL
                        2010-10-15 09:47 . 2010-09-06 16:20   125952   ----a-w-   c:\windows\system32\srvsvc.dll
                        2010-10-15 09:47 . 2010-09-06 13:45   304128   ----a-w-   c:\windows\system32\drivers\srv.sys
                        2010-10-15 09:47 . 2010-09-06 13:45   145408   ----a-w-   c:\windows\system32\drivers\srv2.sys
                        2010-10-15 09:47 . 2010-09-06 13:45   102400   ----a-w-   c:\windows\system32\drivers\srvnet.sys
                        2010-10-15 09:47 . 2010-09-06 16:19   17920   ----a-w-   c:\windows\system32\netevent.dll
                        2010-10-14 10:29 . 2010-10-14 10:29   --------   d-----w-   c:\program files\Trend Micro
                        2010-10-10 02:38 . 2010-10-10 02:38   --------   d-----w-   c:\program files\Giant Crocodile
                        2010-10-08 08:58 . 2010-10-08 08:58   --------   dc----w-   C:\$AVG
                        2010-10-08 06:08 . 2010-10-08 06:08   --------   dc----w-   C:\AVG10
                        2010-10-08 06:06 . 2010-10-08 06:06   --------   d--h--w-   c:\programdata\Common Files
                        2010-10-08 06:03 . 2010-10-14 08:43   --------   d-----w-   c:\programdata\AVG10
                        2010-10-08 05:51 . 2010-10-08 06:01   --------   d-----w-   c:\programdata\MFAData
                        2010-10-08 05:39 . 2010-10-18 19:05   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
                        2010-09-30 08:28 . 2010-09-30 08:28   --------   d-----w-   c:\windows\Profiles
                        2010-09-29 07:54 . 2010-06-22 13:30   2048   ----a-w-   c:\windows\system32\tzres.dll
                        2010-09-28 11:31 . 2010-09-28 11:31   --------   d-----w-   c:\program files\iPod
                        2010-09-28 11:24 . 2010-09-28 11:24   --------   d-----w-   c:\program files\Bonjour

                        .
                        ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                        .
                        2010-10-18 22:41 . 2010-02-11 13:33   222080   ------w-   c:\windows\system32\MpSigStub.exe
                        2010-09-13 03:27 . 2010-09-13 03:27   25680   ----a-w-   c:\windows\system32\drivers\AVGIDSEH.sys
                        2010-09-07 22:17 . 2010-09-07 22:17   94208   ----a-w-   c:\windows\system32\QuickTimeVR.qtx
                        2010-09-07 22:17 . 2010-09-07 22:17   69632   ----a-w-   c:\windows\system32\QuickTime.qts
                        2010-08-17 14:11 . 2010-09-16 08:10   128000   ----a-w-   c:\windows\system32\spoolsv.exe
                        2010-07-27 05:44 . 2010-07-27 05:44   91424   ----a-w-   c:\windows\system32\dnssd.dll
                        2010-07-27 05:44 . 2010-07-27 05:44   107808   ----a-w-   c:\windows\system32\dns-sd.exe
                        2009-01-27 01:34 . 2009-01-27 01:34   1044480   ----a-w-   c:\program files\mozilla firefox\plugins\libdivx.dll
                        2009-01-27 01:34 . 2009-01-27 01:34   200704   ----a-w-   c:\program files\mozilla firefox\plugins\ssldivx.dll
                        2007-08-25 01:52 . 2008-06-05 11:59   300400   ----a-w-   c:\program files\mozilla firefox\components\coFFPlgn.dll
                        .

                        (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                        .
                        .
                        *Note* empty entries & legit default entries are not shown
                        REGEDIT4

                        [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                        "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
                        "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

                        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                        "Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-07-09 159744]
                        "QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-10-01 181544]
                        "QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-09-19 202032]
                        "OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-09-04 554320]
                        "UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-08-17 218408]
                        "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
                        "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 49152]
                        "hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-09-13 480560]
                        "WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-08 311296]
                        "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
                        "WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
                        "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-16 47392]
                        "VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-01-29 52392]
                        "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-23 13601312]
                        "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-06-23 92704]
                        "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
                        "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-24 202256]
                        "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
                        "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
                        "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-17 248040]
                        "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-07 421888]
                        "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-23 421160]
                        "Malwarebytes Anti-Malware (rootkit-scan)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]

                        c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
                        OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

                        c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
                        HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]

                        [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
                        "EnableLUA"= 0 (0x0)
                        "EnableUIADesktopToggle"= 0 (0x0)

                        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
                        "AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

                        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
                        "aux"=wdmaud.drv

                        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
                        @="Driver"

                        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
                        @="Service"

                        [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
                        "DisableMonitoring"=dword:00000001

                        [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
                        "DisableMonitoring"=dword:00000001

                        R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys

                        R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys

                        R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe

                        R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
                        R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-08-10 133104]
                        R2 Nakido;Nakido;c:\program files\Nakido\nakido.exe

                        R3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\System32\DRIVERS\ASPI32.sys [2002-07-17 84832]
                        R3 cxru92a1;Virtual Bus for Microsoft ACPI-Compliant System;

                        R3 iscFlash;iscFlash;c:\swsetup\sp42533\iscflash.sys [2008-08-05 11520]
                        R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys

                        R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
                        R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2008-04-29 717296]
                        S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [2010-09-13 25680]
                        S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-10-17 335240]
                        S2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [2009-12-16 375296]
                        S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]


                        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
                        HPZ12   REG_MULTI_SZ      Pml Driver HPZ12 Net Driver HPZ12
                        HPService   REG_MULTI_SZ      HPSLPSVC
                        hpdevmgmt   REG_MULTI_SZ      hpqcxs08 hpqddsvc
                        LocalServiceAndNoImpersonation   REG_MULTI_SZ      FontCache
                        .
                        Contents of the 'Scheduled Tasks' folder

                        2010-10-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
                        - c:\program files\Google\Update\GoogleUpdate.exe [2009-08-10 23:39]

                        2010-10-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
                        - c:\program files\Google\Update\GoogleUpdate.exe [2009-08-10 23:39]

                        2010-10-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-753018427-1233051673-1299658189-1003Core.job
                        - c:\users\Ryan\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-10 04:59]

                        2010-10-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-753018427-1233051673-1299658189-1003UA.job
                        - c:\users\Ryan\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-10 04:59]
                        .
                        .
                        ------- Supplementary Scan -------
                        .
                        uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_nz&c=81&bd=Presario&pf=laptop
                        mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_nz&c=81&bd=Presario&pf=laptop
                        uInternet Settings,ProxyServer = proxy.student.otago.ac.nz:3128
                        uInternet Settings,ProxyOverride = <local>
                        IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
                        DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} - hxxp://static.ak.facebook.com/fbplugin/win32/axfbootloader.cab
                        FF - ProfilePath - c:\users\Ryan\AppData\Roaming\Mozilla\Firefox\Profiles\5isep8bi.default\
                        FF - component: c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
                        FF - component: c:\users\Ryan\AppData\Roaming\Mozilla\Firefox\Profiles\5isep8bi.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}\components\IBitCometExtension.dll
                        FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
                        FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
                        FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
                        FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
                        FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
                        FF - plugin: c:\programdata\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
                        FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
                        .
                        .
                        --------------------- DLLs Loaded Under Running Processes ---------------------

                        - - - - - - - > 'Explorer.exe'(6024)
                        c:\program files\Nokia\Nokia PC Suite 6\phonebrowser.dll
                        c:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll
                        c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_eng-us.nlr
                        c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr
                        .
                        ------------------------ Other Running Processes ------------------------
                        .
                        c:\windows\system32\nvvsvc.exe
                        c:\windows\system32\WLANExt.exe
                        c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
                        c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
                        c:\program files\Bonjour\mDNSResponder.exe
                        c:\program files\CyberLink\Shared Files\RichVideo.exe
                        c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
                        c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
                        c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
                        c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
                        c:\windows\system32\DRIVERS\xaudio.exe
                        c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
                        c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
                        c:\windows\system32\rundll32.exe
                        c:\windows\System32\rundll32.exe
                        c:\program files\Windows Media Player\wmpnscfg.exe
                        c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
                        c:\program files\Apoint2K\ApMsgFwd.exe
                        c:\program files\Apoint2K\Apntex.exe
                        c:\program files\Windows Media Player\wmpnetwk.exe
                        c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
                        c:\program files\iPod\bin\iPodService.exe
                        .
                        **************************************************************************
                        .
                        Completion time: 2010-10-23  13:02:20 - machine was rebooted
                        ComboFix-quarantined-files.txt  2010-10-23 00:02
                        ComboFix2.txt  2010-10-22 11:35

                        Pre-Run: 2,451,070,976 bytes free
                        Post-Run: 2,405,908,480 bytes free

                        - - End Of File - - 07875887ABC7EAB551A8CE336F04D7D3

                        security check log:

                         Results of screen317's Security Check version 0.99.5 
                         Windows Vista Service Pack 2 (UAC is disabled!)
                         Internet Explorer 7 Out of date!
                        ``````````````````````````````
                        Antivirus/Firewall Check:

                         Windows Firewall Disabled! 
                         Antivirus 2010     
                         Antivirus up to date! 
                        ```````````````````````````````
                        Anti-malware/Other Utilities Check:

                         Malwarebytes' Anti-Malware   
                         HijackThis 2.0.2   
                         CCleaner     
                         Java(TM) 6 Update 19 
                         Out of date Java installed!
                         Adobe Flash Player 10.0.45.2 
                        Adobe Reader 9.3.4
                        ````````````````````````````````
                        Process Check: 
                        objlist.exe by Laurent

                         Windows Defender MSASCui.exe
                         Spybot Teatimer.exe is disabled!
                         Microsoft Small Business Business Contact Manager BcmSqlStartupSvc.exe 
                        ````````````````````````````````
                        DNS Vulnerability Check:


                        ``````````End of Log````````````

                        SuperDave

                        • Malware Removal Specialist
                        • Moderator


                        • Genius
                        • Thanked: 1020
                        • Certifications: List
                        • Experience: Expert
                        • OS: Windows 10
                        Update Your Java (JRE)

                        Old versions of Java have vulnerabilities that malware can use to infect your system.


                        First Verify your Java Version

                        If there are any other version(s) installed then update now.

                        Get the new version (if needed)

                        If your version is out of date install the newest version of the Sun Java Runtime Environment.

                        Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

                        Be sure to close ALL open web browsers before starting the installation.

                        Remove any old versions

                        1. Download JavaRa and unzip the file to your Desktop.
2. Open JavaRA.exe and choose Remove Older Versions.
3. Once complete, exit JavaRA.
                        4. Run CCleaner.

                        Additional Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.

                        Were you able to run SAS and MBAM?
                        Windows 8 and Windows 10 dual boot with two SSD's
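An added example, not from this thread, from screen317's tool or from JavaRa: a read-only PowerShell audit of the three items the Security Check log above flagged (UAC off, Windows Firewall off, out-of-date Java), which also lists the side-by-side JRE installs that the "Remove any old versions" step exists to clean up. The latest-version value, the Uninstall-key name pattern and the JQS service name are assumptions.

```powershell
# Added example, not part of the thread: read-only audit of the items flagged
# by the Security Check log (UAC, Windows Firewall, old Java). Run elevated.
param(
    # Assumption: the current JRE release in Uninstall-key DisplayVersion form
    # ("6 Update 22" registers as 6.0.220). Adjust to whatever is current.
    [version]$LatestJava = [version]'6.0.220'
)

$findings = @()

# 1. UAC. EnableLUA = 0 is what produces "UAC is disabled!" in the log.
$sysPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $sysPolicy -Name EnableLUA -ErrorAction SilentlyContinue
if ($null -eq $uac -or $uac.EnableLUA -eq 0) {
    $findings += 'UAC is disabled (EnableLUA = 0)'
}

# 2. Windows Firewall, per profile, read from the firewall policy keys.
$fwBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
foreach ($profile in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
    $fw = Get-ItemProperty -Path "$fwBase\$profile" -Name EnableFirewall -ErrorAction SilentlyContinue
    if ($fw -and $fw.EnableFirewall -eq 0) {
        $findings += "Windows Firewall disabled for $profile"
    }
}

# 3. Java. Every JRE/JDK install keeps its own Uninstall entry, so a machine
#    that was "updated" can still carry older runtimes with known holes.
$uninstallPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
# Assumption: Sun/Oracle name the entries "Java(TM) 6 Update 19", "Java 7 Update 5", etc.
$javaInstalls = @(Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Java(TM)*' -or $_.DisplayName -like 'Java [0-9]*' } |
    Select-Object DisplayName, DisplayVersion, UninstallString)

foreach ($j in $javaInstalls) {
    # [version] cast instead of TryParse so this also runs on PowerShell 2.0.
    try { $parsed = [version]$j.DisplayVersion } catch { $parsed = $null }
    if ($null -eq $parsed) {
        $findings += "Java entry with unparsable version: '$($j.DisplayName)' '$($j.DisplayVersion)'"
    } elseif ($parsed -lt $LatestJava) {
        $findings += "Out of date Java: '$($j.DisplayName)' $($j.DisplayVersion); uninstall string: $($j.UninstallString)"
    }
}
if ($javaInstalls.Count -gt 1) {
    $findings += "Multiple Java installs present ($($javaInstalls.Count)); the updater does not remove older ones"
}

# 4. Java Quick Starter service, which the post shows how to switch off.
#    Assumption: the service is registered as JavaQuickStarterService.
$jqs = Get-Service -Name 'JavaQuickStarterService' -ErrorAction SilentlyContinue
if ($jqs) {
    $findings += "Java Quick Starter service present, status: $($jqs.Status)"
}

if ($findings.Count -eq 0) {
    'No findings'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```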

                        ryguy15

                          Topic Starter


                          Rookie

                          • Computer: Specs
                          • Experience: Beginner
                          • OS: Windows Vista
                          Ok so I updated Java, and I was indeed able to run SAS and MBAM. Here are the logs:

                          MBAM:

                          Malwarebytes' Anti-Malware 1.46
                          www.malwarebytes.org

                          Database version: 4052

                          Windows 6.0.6002 Service Pack 2
                          Internet Explorer 7.0.6002.18005

                          24/10/2010 5:37:04 p.m.
                          mbam-log-2010-10-24 (17-37-04).txt

                          Scan type: Full scan (C:\|D:\|)
                          Objects scanned: 388506
                          Time elapsed: 2 hour(s), 3 minute(s), 7 second(s)

                          Memory Processes Infected: 0
                          Memory Modules Infected: 0
                          Registry Keys Infected: 0
                          Registry Values Infected: 0
                          Registry Data Items Infected: 0
                          Folders Infected: 0
                          Files Infected: 1

                          Memory Processes Infected:
                          (No malicious items detected)

                          Memory Modules Infected:
                          (No malicious items detected)

                          Registry Keys Infected:
                          (No malicious items detected)

                          Registry Values Infected:
                          (No malicious items detected)

                          Registry Data Items Infected:
                          (No malicious items detected)

                          Folders Infected:
                          (No malicious items detected)

                          Files Infected:
                          C:\Users\Ryan\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Antivirus.lnk (Rogue.AntiVirus) -> Quarantined and deleted successfully.





                          SAS:

                          SUPERAntiSpyware Scan Log
                          http://www.superantispyware.com

                          Generated 10/25/2010 at 03:32 AM

                          Application Version : 4.44.1000

                          Core Rules Database Version : 5610
                          Trace Rules Database Version: 3422

                          Scan type       : Complete Scan
                          Total Scan Time : 04:20:54

                          Memory items scanned      : 694
                          Memory threats detected   : 0
                          Registry items scanned    : 10461
                          Registry threats detected : 0
                          File items scanned        : 246934
                          File threats detected     : 165

                          Adware.Tracking Cookie

                          SuperDave

                          • Malware Removal Specialist
                          • Moderator


                          • Genius
                          • Thanked: 1020
                          • Certifications: List
                          • Experience: Expert
                          • OS: Windows 10
                          Please download ComboFix from BleepingComputer.com

                          Alternate link: GeeksToGo.com

                          Rename ComboFix.exe to commy.exe before you save it to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here
Click Start then copy paste the following command into the search box & hit enter: "%userprofile%\desktop\commy.exe" /stepdel
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. This will not install in Vista. Just continue scanning, and skip the console install.
When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

                          If you have problems with ComboFix usage, see How to use ComboFix

                          ryguy15

                            Topic Starter


                            Rookie

                            • Computer: Specs
                            • Experience: Beginner
                            • OS: Windows Vista
Hi, sorry for taking so long to reply, been a bit busy with exams.
Here's the new ComboFix log:

                            ComboFix 10-10-31.04 - Ryan 01/11/2010  23:23:59.5.2 - x86
                            Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.64.1033.18.1982.1020 [GMT 13:00]
                            Running from: c:\users\Ryan\Desktop\commy.exe
                            Command switches used :: /stepdel
                            AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
                            SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
                            SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
                            SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
                            SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
                            .

                            (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                            .

                            c:\windows\system32\arp.exe

                            .
                            (((((((((((((((((((((((((   Files Created from 2010-10-01 to 2010-11-01  )))))))))))))))))))))))))))))))
                            .

                            2010-11-01 10:33 . 2010-11-01 10:34   --------   d-----w-   c:\users\Ryan\AppData\Local\temp
                            2010-11-01 10:33 . 2010-11-01 10:33   --------   d-----w-   c:\users\Public\AppData\Local\temp
                            2010-11-01 10:33 . 2010-11-01 10:33   --------   d-----w-   c:\users\Guest\AppData\Local\temp
                            2010-11-01 10:33 . 2010-11-01 10:33   --------   d-----w-   c:\users\Guest(56)\AppData\Local\temp
                            2010-11-01 10:33 . 2010-11-01 10:33   --------   d-----w-   c:\users\Default\AppData\Local\temp
                            2010-10-31 08:11 . 2010-08-26 16:34   1696256   ----a-w-   c:\windows\system32\gameux.dll
                            2010-10-31 08:11 . 2010-08-26 16:33   28672   ----a-w-   c:\windows\system32\Apphlpdm.dll
                            2010-10-31 08:11 . 2010-08-26 14:23   4240384   ----a-w-   c:\windows\system32\GameUXLegacyGDFs.dll
                            2010-10-31 08:11 . 2010-10-07 23:21   6146896   ----a-w-   c:\programdata\Microsoft\Windows Defender\Definition Updates\{A68C4A42-4035-43FD-A738-1CF0B1EDD3D0}\mpengine.dll
                            2010-10-28 05:38 . 2010-10-28 05:38   --------   d-----w-   c:\windows\en
                            2010-10-28 05:38 . 2010-09-22 11:21   39272   ----a-w-   c:\windows\system32\drivers\fssfltr.sys
                            2010-10-28 05:28 . 2009-09-04 04:44   69464   ----a-w-   c:\windows\system32\XAPOFX1_3.dll
                            2010-10-28 05:28 . 2009-09-04 04:44   515416   ----a-w-   c:\windows\system32\XAudio2_5.dll
                            2010-10-28 05:28 . 2009-09-04 04:29   453456   ----a-w-   c:\windows\system32\d3dx10_42.dll
                            2010-10-28 01:18 . 2010-10-28 01:18   469256   ----a-w-   c:\program files\Common Files\Windows Live\.cache\e31dd701cb763e2b\InstallManager_WLE_WLE.exe
                            2010-10-28 01:17 . 2010-10-28 01:17   15712   ----a-w-   c:\program files\Common Files\Windows Live\.cache\e6008ef01cb763d1f\MeshBetaRemover.exe
                            2010-10-28 01:16 . 2010-10-28 01:16   525656   ----a-w-   c:\program files\Common Files\Windows Live\.cache\c9252b101cb763d18\DXSETUP.exe
                            2010-10-28 01:16 . 2010-10-28 01:16   94040   ----a-w-   c:\program files\Common Files\Windows Live\.cache\c9252b101cb763d18\DSETUP.dll
                            2010-10-28 01:16 . 2010-10-28 01:16   1691480   ----a-w-   c:\program files\Common Files\Windows Live\.cache\c9252b101cb763d18\dsetup32.dll
                            2010-10-28 01:16 . 2010-10-28 01:16   94040   ----a-w-   c:\program files\Common Files\Windows Live\.cache\c62001601cb763d17\DSETUP.dll
                            2010-10-28 01:16 . 2010-10-28 01:16   525656   ----a-w-   c:\program files\Common Files\Windows Live\.cache\c62001601cb763d17\DXSETUP.exe
                            2010-10-28 01:16 . 2010-10-28 01:16   1691480   ----a-w-   c:\program files\Common Files\Windows Live\.cache\c62001601cb763d17\dsetup32.dll
                            2010-10-28 01:14 . 2010-11-01 09:57   --------   d-----w-   c:\users\Ryan\AppData\Local\Windows Live
                            2010-10-28 01:12 . 2009-08-04 08:02   754688   ----a-w-   c:\windows\system32\webservices.dll
                            2010-10-25 05:24 . 2010-10-25 05:24   --------   d-----w-   c:\program files\Common Files\Java
                            2010-10-25 05:23 . 2010-09-14 15:50   472808   ----a-w-   c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
                            2010-10-25 05:23 . 2010-09-14 15:50   472808   ----a-w-   c:\windows\system32\deployJava1.dll
                            2010-10-24 10:09 . 2010-10-24 10:09   --------   d-----w-   c:\users\Ryan\AppData\Roaming\SUPERAntiSpyware.com
                            2010-10-18 02:01 . 2010-04-29 02:39   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
                            2010-10-18 02:01 . 2010-04-29 02:39   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
                            2010-10-17 08:31 . 2010-10-17 08:41   11952   ----a-w-   c:\windows\system32\avgrsstx.dll
                            2010-10-17 08:31 . 2010-10-17 08:41   335240   ----a-w-   c:\windows\system32\drivers\avgldx86.sys
                            2010-10-17 08:30 . 2010-10-17 08:41   27784   ----a-w-   c:\windows\system32\drivers\avgmfx86.sys
                            2010-10-17 08:30 . 2010-10-17 08:43   --------   d-----w-   c:\windows\system32\drivers\Avg
                            2010-10-15 09:47 . 2010-09-13 13:56   168960   ----a-w-   c:\program files\Windows Media Player\wmplayer.exe
                            2010-10-15 09:47 . 2010-09-13 13:56   8147456   ----a-w-   c:\windows\system32\wmploc.DLL
                            2010-10-15 09:47 . 2010-09-06 16:20   125952   ----a-w-   c:\windows\system32\srvsvc.dll
                            2010-10-15 09:47 . 2010-09-06 13:45   304128   ----a-w-   c:\windows\system32\drivers\srv.sys
                            2010-10-15 09:47 . 2010-09-06 13:45   145408   ----a-w-   c:\windows\system32\drivers\srv2.sys
                            2010-10-15 09:47 . 2010-09-06 13:45   102400   ----a-w-   c:\windows\system32\drivers\srvnet.sys
                            2010-10-15 09:47 . 2010-09-06 16:19   17920   ----a-w-   c:\windows\system32\netevent.dll
                            2010-10-14 10:29 . 2010-10-14 10:29   --------   d-----w-   c:\program files\Trend Micro
                            2010-10-10 02:38 . 2010-10-10 02:38   --------   d-----w-   c:\program files\Giant Crocodile
                            2010-10-08 08:58 . 2010-10-08 08:58   --------   dc----w-   C:\$AVG
                            2010-10-08 06:06 . 2010-10-08 06:06   --------   d--h--w-   c:\programdata\Common Files
                            2010-10-08 06:03 . 2010-10-14 08:43   --------   d-----w-   c:\programdata\AVG10
                            2010-10-08 05:51 . 2010-10-08 06:01   --------   d-----w-   c:\programdata\MFAData
                            2010-10-08 05:39 . 2010-10-18 19:05   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware

                            .
                            ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                            .
                            2010-10-18 22:41 . 2010-02-11 13:33   222080   ------w-   c:\windows\system32\MpSigStub.exe
                            2010-09-22 11:47 . 2010-09-22 11:47   49016   ----a-w-   c:\windows\system32\sirenacm.dll
                            2010-09-22 11:32 . 2010-09-22 11:32   301936   ----a-w-   c:\windows\WLXPGSS.SCR
                            2010-09-13 03:27 . 2010-09-13 03:27   25680   ----a-w-   c:\windows\system32\drivers\AVGIDSEH.sys
                            2010-09-07 22:17 . 2010-09-07 22:17   94208   ----a-w-   c:\windows\system32\QuickTimeVR.qtx
                            2010-09-07 22:17 . 2010-09-07 22:17   69632   ----a-w-   c:\windows\system32\QuickTime.qts
                            2010-08-26 16:33 . 2010-10-31 08:11   173056   ----a-w-   c:\windows\apppatch\AcXtrnal.dll
                            2010-08-26 16:33 . 2010-10-31 08:11   2159616   ----a-w-   c:\windows\apppatch\AcGenral.dll
                            2010-08-26 16:33 . 2010-10-31 08:11   458752   ----a-w-   c:\windows\apppatch\AcSpecfc.dll
                            2010-08-26 16:33 . 2010-10-31 08:11   542720   ----a-w-   c:\windows\apppatch\AcLayers.dll
                            2010-08-17 14:11 . 2010-09-16 08:10   128000   ----a-w-   c:\windows\system32\spoolsv.exe
                            2009-01-27 01:34 . 2009-01-27 01:34   1044480   ----a-w-   c:\program files\mozilla firefox\plugins\libdivx.dll
                            2009-01-27 01:34 . 2009-01-27 01:34   200704   ----a-w-   c:\program files\mozilla firefox\plugins\ssldivx.dll
                            2007-08-25 01:52 . 2008-06-05 11:59   300400   ----a-w-   c:\program files\mozilla firefox\components\coFFPlgn.dll
                            .

                            (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                            .
                            .
                            *Note* empty entries & legit default entries are not shown
                            REGEDIT4

                            [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                            "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-09-22 4240760]
                            "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
                            "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-09-28 2424560]

                            [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                            "Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-07-09 159744]
                            "QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-10-01 181544]
                            "QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-09-19 202032]
                            "OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-09-04 554320]
                            "UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-08-17 218408]
                            "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
                            "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 49152]
                            "hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-09-13 480560]
                            "WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-08 311296]
                            "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
                            "WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
                            "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-16 47392]
                            "VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-01-29 52392]
                            "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-23 13601312]
                            "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-06-23 92704]
                            "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
                            "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-24 202256]
                            "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
                            "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
                            "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-07 421888]
                            "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-23 421160]
                            "Malwarebytes Anti-Malware (rootkit-scan)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
                            "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-13 248552]

                            c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
                            OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

                            c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
                            HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]

                            [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
                            "EnableLUA"= 0 (0x0)
                            "EnableUIADesktopToggle"= 0 (0x0)

                            [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
                            "AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

                            [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
                            "aux"=wdmaud.drv

                            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
                            @="Driver"

                            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
                            @="Service"

                            [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
                            "DisableMonitoring"=dword:00000001

                            [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
                            "DisableMonitoring"=dword:00000001

                            R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys

                            R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys

                            R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe

                            R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
                            R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-08-10 133104]
                            R2 Nakido;Nakido;c:\program files\Nakido\nakido.exe

                            R3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\System32\DRIVERS\ASPI32.sys [2002-07-17 84832]
                            R3 cxru92a1;Virtual Bus for Microsoft ACPI-Compliant System;

                            R3 iscFlash;iscFlash;c:\swsetup\sp42533\iscflash.sys [2008-08-05 11520]
                            R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys

                            R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
                            R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2008-04-29 717296]
                            S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [2010-09-13 25680]
                            S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-10-17 335240]
                            S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
                            S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
                            S2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [2009-12-16 375296]
                            S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]


                            [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
                            HPZ12   REG_MULTI_SZ      Pml Driver HPZ12 Net Driver HPZ12
                            HPService   REG_MULTI_SZ      HPSLPSVC
                            hpdevmgmt   REG_MULTI_SZ      hpqcxs08 hpqddsvc
                            LocalServiceAndNoImpersonation   REG_MULTI_SZ      FontCache
                            .
                            Contents of the 'Scheduled Tasks' folder

                            2010-11-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
                            - c:\program files\Google\Update\GoogleUpdate.exe [2009-08-10 23:39]

                            2010-11-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
                            - c:\program files\Google\Update\GoogleUpdate.exe [2009-08-10 23:39]

                            2010-10-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-753018427-1233051673-1299658189-1003Core.job
                            - c:\users\Ryan\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-10 04:59]

                            2010-11-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-753018427-1233051673-1299658189-1003UA.job
                            - c:\users\Ryan\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-10 04:59]
                            .
                            .
                            ------- Supplementary Scan -------
                            .
                            uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_nz&c=81&bd=Presario&pf=laptop
                            mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_nz&c=81&bd=Presario&pf=laptop
                            uInternet Settings,ProxyServer = proxy.student.otago.ac.nz:3128
                            uInternet Settings,ProxyOverride = <local>
                            IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
                            DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} - hxxp://static.ak.facebook.com/fbplugin/win32/axfbootloader.cab
                            FF - ProfilePath - c:\users\Ryan\AppData\Roaming\Mozilla\Firefox\Profiles\5isep8bi.default\
                            FF - prefs.js: network.proxy.ftp - proxy.student.otago.ac.nz
                            FF - prefs.js: network.proxy.ftp_port - 3128
                            FF - prefs.js: network.proxy.gopher - proxy.student.otago.ac.nz
                            FF - prefs.js: network.proxy.gopher_port - 3128
                            FF - prefs.js: network.proxy.http - proxy.student.otago.ac.nz
                            FF - prefs.js: network.proxy.http_port - 3128
                            FF - prefs.js: network.proxy.socks - proxy.student.otago.ac.nz
                            FF - prefs.js: network.proxy.socks_port - 3128
                            FF - prefs.js: network.proxy.ssl - proxy.student.otago.ac.nz
                            FF - prefs.js: network.proxy.ssl_port - 3128
                            FF - prefs.js: network.proxy.type - 1
                            FF - component: c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
                            FF - component: c:\users\Ryan\AppData\Roaming\Mozilla\Firefox\Profiles\5isep8bi.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}\components\IBitCometExtension.dll
                            FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
                            FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
                            FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
                            FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
                            FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
                            FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
                            FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
                            FF - plugin: c:\programdata\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
                            FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
                            .

                            **************************************************************************

                            catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                            Rootkit scan 2010-11-01 23:34
                            Windows 6.0.6002 Service Pack 2 NTFS

                            scanning hidden processes ... 

                            scanning hidden autostart entries ...

                            scanning hidden files ... 

                            scan completed successfully
                            hidden files: 0

                            **************************************************************************
                            .
                            Completion time: 2010-11-01  23:36:42
                            ComboFix-quarantined-files.txt  2010-11-01 10:36
                            ComboFix2.txt  2010-10-23 00:02
                            ComboFix3.txt  2010-10-22 11:35

                            Pre-Run: 1,443,819,520 bytes free
                            Post-Run: 1,573,527,552 bytes free

                            - - End Of File - - 7C743AE4BF11B6BBE5462453976BC3C7

SuperDave

• Malware Removal Specialist
• Moderator
• Experience: Expert
• OS: Windows 10
                            Is your computer working any better?

                            SysProt Antirootkit

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

                            http://sites.google.com/site/sysprotantirootkit/

                            Unzip it into a folder on your desktop.
                            • Double click Sysprot.exe to start the program.
                            • Click on the Log tab.
                            • In the Write to log box select the following items.
                              • Process << Selected
                              • Kernel Modules << Selected
                              • SSDT << Selected
                              • Kernel Hooks << Selected
                              • IRP Hooks << NOT Selected
                              • Ports << NOT Selected
                              • Hidden Files << Selected
                            • At the bottom of the page
                              • Hidden Objects Only << Selected
                            • Click on the Create Log button on the bottom right.
                            • After a few seconds a new window should appear.
                            • Select Scan Root Drive. Click on the Start button.
                            • When it is complete a new window will appear to indicate that the scan is finished.
• The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.
                            Windows 8 and Windows 10 dual boot with two SSD's

ryguy15

  Topic Starter
  Rookie

  • Experience: Beginner
  • OS: Windows Vista
                              My computer is definitely working a lot better than it was before, although there a still a few things happening that never really happened before. Sometimes programs like Internet Explorer or iTunes randomly decide to crash. Also, if I click the button on my mouse that brings up the magnifying glass tool, everything pauses and the screen goes black for about a second before going back to normal. Those small issues are the only ones I'm noticing though.
                              Here's the Sysprot Antirootkit log:

                              SysProt AntiRootkit v1.0.1.0
                              by swatkat

                              ******************************************************************************************
                              ******************************************************************************************

                              No Hidden Processes found

                              ******************************************************************************************
                              ******************************************************************************************
                              Kernel Modules:
                              Module Name: \SystemRoot\System32\Drivers\dump_dumpata.sys
                              Service Name: ---
                              Module Base: 8CFBD000
                              Module End: 8CFC8000
                              Hidden: Yes

                              Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
                              Service Name: ---
                              Module Base: 8CFC8000
                              Module End: 8CFD0000
                              Hidden: Yes

                              ******************************************************************************************
                              ******************************************************************************************
                              SSDT:
                              Function Name: ZwTerminateProcess
                              Address: 8CED9620
                              Driver Base: 8CECF000
                              Driver End: 8CEF1000
                              Driver Name: \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS

                              ******************************************************************************************
                              ******************************************************************************************
                              No Kernel Hooks found

                              ******************************************************************************************
                              ******************************************************************************************
                              Hidden files/folders:
                              Object: C:\Qoobox\BackEnv\AppData.folder.dat
                              Status: Access denied

                              Object: C:\Qoobox\BackEnv\Cache.folder.dat
                              Status: Access denied

                              Object: C:\Qoobox\BackEnv\Cookies.folder.dat
                              Status: Access denied

                              Object: C:\Qoobox\BackEnv\Desktop.folder.dat
                              Status: Access denied

                              Object: C:\Qoobox\BackEnv\Favorites.folder.dat
                              Status: Access denied

                              Object: C:\Qoobox\BackEnv\History.folder.dat
                              Status: Access denied

                              Object: C:\Qoobox\BackEnv\LocalAppData.folder.dat
                              Status: Access denied

                              Object: C:\Qoobox\BackEnv\LocalSettings.folder.dat
                              Status: Access denied

                              Object: C:\Qoobox\BackEnv\Music.folder.dat
                              Status: Access denied

                              Object: C:\Qoobox\BackEnv\NetHood.folder.dat
                              Status: Access denied

                              Object: C:\Qoobox\BackEnv\Personal.folder.dat
                              Status: Access denied

                              Object: C:\Qoobox\BackEnv\Pictures.folder.dat
                              Status: Access denied

                              Object: C:\Qoobox\BackEnv\PrintHood.folder.dat
                              Status: Access denied

                              Object: C:\Qoobox\BackEnv\Profiles.Folder.dat
                              Status: Access denied

                              Object: C:\Qoobox\BackEnv\Profiles.Folder.folder.dat
                              Status: Access denied

                              Object: C:\Qoobox\BackEnv\Programs.folder.dat
                              Status: Access denied

                              Object: C:\Qoobox\BackEnv\Recent.folder.dat
                              Status: Access denied

                              Object: C:\Qoobox\BackEnv\SendTo.folder.dat
                              Status: Access denied

                              Object: C:\Qoobox\BackEnv\SetPath.bat
                              Status: Access denied

                              Object: C:\Qoobox\BackEnv\StartMenu.folder.dat
                              Status: Access denied

                              Object: C:\Qoobox\BackEnv\StartUp.folder.dat
                              Status: Access denied

                              Object: C:\Qoobox\BackEnv\SysPath.dat
                              Status: Access denied

                              Object: C:\Qoobox\BackEnv\Templates.folder.dat
                              Status: Access denied

                              Object: C:\Qoobox\BackEnv\VikPev00
                              Status: Access denied

                              Object: C:\Users\Ryan\AppData\Local\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{DAC71EAD-ED09-F966-DCD5-DFD0F8DB3CC1}\01\10-{DAC71EAD-ED09-F966-DCD5-DFD0F8DB3CC1}-v1-{DB34C54A-12AB-43EE-B476-02BEB35A910F
                              Status: Hidden

                              Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
                              Status: Access denied

                              Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl
                              Status: Access denied

                              Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
                              Status: Access denied

                              Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl
                              Status: Access denied

                              Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl
                              Status: Access denied


SuperDave

• Malware Removal Specialist
• Moderator
• Experience: Expert
• OS: Windows 10

Quote from ryguy15:
                              Sometimes programs like Internet Explorer or iTunes randomly decide to crash. Also, if I click the button on my mouse that brings up the magnifying glass tool, everything pauses and the screen goes black for about a second before going back to normal. Those small issues are the only ones I'm noticing though.
                              Those sound like hardware or software problems. Let's continue.

                              I'd like to scan your machine with ESET OnlineScan

• Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
• Click the button.
• For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the icon on your desktop.
• Check
• Click the button.
• Accept any security warnings from your browser.
• Check
• Push the Start button.
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
• When the scan completes, push
• Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
• Push the button.
• Push
                              A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt


ryguy15

  Topic Starter
  Rookie

  • Experience: Beginner
  • OS: Windows Vista
                                Here is the log from the ESET online scan:

                                C:\Qoobox\Quarantine\C\Windows\PRAGMAyrtxnwrcjt\PRAGMAc.dll.vir   a variant of Win32/Kryptik.EXT trojan   cleaned by deleting - quarantined
                                C:\Qoobox\Quarantine\C\Windows\System32\drivers\agp440.sys.vir   a variant of Win32/Rootkit.Kryptik.BS trojan   cleaned by deleting - quarantined
                                C:\SWSetup\AOLIMS\setup.exe   probably a variant of Win32/Agent.HZHBURL trojan   cleaned by deleting - quarantined
                                C:\Users\Ryan\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\19\30cd253-2667789e   multiple threats   deleted - quarantined
                                C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3G8ZRRT0\INSTALL[1]   Win32/Adware.Antivirus2010 application   cleaned by deleting - quarantined
                                C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3G8ZRRT0\script[1]   Win32/Adware.Antivirus2010 application   cleaned by deleting - quarantined
                                C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P4APQ21N\dialog_alert[1]   Win32/Adware.Antivirus2010 application   cleaned by deleting - quarantined

SuperDave

• Malware Removal Specialist
• Moderator
• Experience: Expert
• OS: Windows 10
                                That looks good. If there are no other issues, let's do some cleanup.

                                * Click START then RUN - Vista users press the Windows Key and the R keys together for the Run box.
                                * Now type commy /uninstall in the runbox
                                * Make sure there's a space between commy and /uninstall
                                * Then hit Enter

                                The above procedure will:
                                * Delete ComboFix and its associated files and folders.
                                * Reset the clock settings.
                                * Hide file extensions, if required.
                                * Hide System/Hidden files, if required.
                                * Set a new, clean Restore Point.
                                *********************************
                                Clean out your temporary internet files and temp files.

                                Download TFC by OldTimer to your desktop.

                                Double-click TFC.exe to run it.

                                Note: If you are running on Vista, right-click on the file and choose Run As Administrator

                                TFC will close all programs when run, so make sure you have saved all your work before you begin.

                                * Click the Start button to begin the cleaning process.
                                * Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
                                * Please let TFC run uninterrupted until it is finished.

                                Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.
                                **************************************
                                Looking over your log it seems you don't have any evidence of a third party firewall.

                                Firewalls protect against hackers and malicious intruders. You need to download a free firewall from one of these reliable vendors.

                                Remember only install ONE firewall

                                1) Comodo Personal Firewall (Uncheck during installation "Install Comodo SafeSurf..", "Make Comodo my default search provider" and "Make Comodo Search my homepage" and uncheck any HopSurf and/or Ask.com options if you choose this one)
                                2) Online Armor
                                3) Agnitum Outpost
                                4) PC Tools Firewall Plus

                                If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.
                                **************************************
                                Use the Secunia Software Inspector to check for out of date software.

                                • Click Start Now
                                • Check the box next to Enable thorough system inspection.
                                • Click Start
                                • Allow the scan to finish and scroll down to see if any updates are needed.
                                • Update anything listed.
                                ----------

                                Go to Microsoft Windows Update and get all critical updates.

                                ----------

                                I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

                                SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
                                * Using SpywareBlaster to protect your computer from Spyware and Malware
                                * If you don't know what ActiveX controls are, see here

                                Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

                                Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

                                Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
                                Safe Surfing!  ;D

                                Windows 8 and Windows 10 dual boot with two SSD's