I am new here and not very computer literate. I am positive I have some nasty on my machine. I am trying to go through the steps listed in the "before you post" thread but am not able to get that far.

Malwarebytes will not update and it seems clear that this step was important. I asked them for help and got some instructions about going to some hidden files but the tab for "show hidden files" is not available. I did some research on this too and was unable to find the reg file I was looking for. I will be the first to admit that I am a bit lost when we start digging into the nuts and bolts of a computer. I am an old man and jumped into this world with little to no education about what makes this amazing machine work.

Before I can get the files needed seems like I need to fix this problem of being able to see the hidden files. I am grateful for this site and the people who are willing to put up with illiterates like me and help. Maybe I am just not understanding the registry entry but I can not seem to find it. I am afraid that the instructions are usually over my head as the literate ones assume I know some simple stuff...not.

Again I am enjoying this community and grateful that there is a place like this!


All 13 Replies


Malwarebytes will not update and it seems clear that this step was important. I asked them for help and got some instructions about going to some hidden files but the tab for "show hidden files" is not available. . . .

Are you able to run Malwarebytes' Anti-malware?
If you just recently downloaded it, please go ahead and run it and post the scanlog and we'll have a look.

Cheers :)
PP

I did. Scan log = access denied.

What next?

Thanks for the reply,
JJ

I did. Scan log = access denied.
What next?

Hey JJ,

What problems/symptoms are you having?

-- The viewing of hidden files is not really that necessary unless you are doing manual removal of baddies. Not a good idea if one is inexperienced. Especially if you are poking around the registry.......

-- Are you able to run DDS as per the linky?
http://www.daniweb.com/forums/thread134865.html

Try DDS and post that for me. Let me know if there is a problem.

I am not around much these days due to work, but I generally check in a couple times a day.

Cheers :)
PP

Is this what you wanted? I am in and out too.


DDS (Ver_10-10-21.02) - NTFSx86
Run by larry at 23:11:05.51 on Wed 10/27/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2559.2188 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LIUtilities\SpeedUpMyPC\speedupmypc.exe
svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\system32\imapi.exe
C:\Documents and Settings\larry\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5577
BHO: AutorunsDisabled - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\speedu~1.lnk - c:\program files\liutilities\speedupmypc\speedupmypc.exe
uPolicies-explorer: NoRealMode = 0 (0x0)
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {E2CD81CE-04C8-441A-933F-2FB2BF51FD65} = 68.87.68.162,68.87.74.162
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\larry\applic~1\mozilla\firefox\profiles\7ku57xn6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=SOLTDF&q=
FF - prefs.js: browser.search.selectedEngine - Web Search
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\larry\application data\mozilla\firefox\profiles\7ku57xn6.default\extensions\{abb88e4e-75f4-4fdc-8f42-d101484c4b3f}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\larry\application data\mozilla\firefox\profiles\7ku57xn6.default\extensions\{abb88e4e-75f4-4fdc-8f42-d101484c4b3f}\components\RadioWMPCore.dll
FF - component: c:\documents and settings\larry\application data\mozilla\firefox\profiles\7ku57xn6.default\extensions\twitternotifier@naan.net\components\nsTwitterFoxSign.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\nos\bin\np_gp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: LoudMo Contextual Ad Assistant: No Registry Reference - c:\program files\mozilla firefox\extensions\{226ff505-1709-fee5-4b5e-615582940745}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

S3 CDASPROT;CyberDefender AntiSpyware 2010;\??\c:\program files\cyberdefender\cdantispyware\cdasprot.sys --> c:\program files\cyberdefender\cdantispyware\cdasprot.sys [?]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2003-3-31 14336]

=============== Created Last 30 ================

2010-10-25 15:48:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-25 15:48:02 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-24 16:28:53 -------- d-----w- c:\windows\system32\wbem\repository\FS
2010-10-24 16:28:53 -------- d-----w- c:\windows\system32\wbem\Repository
2010-10-21 13:50:03 35136 ----a-w- c:\program files\mozilla firefox\plugins\np_gp.dll
2010-10-18 22:31:36 -------- d-----w- c:\docume~1\alluse~1\applic~1\Trend Micro
2010-10-18 19:12:57 -------- d-----w- C:\ComboFix
2010-10-18 18:59:22 -------- d-----w- c:\docume~1\larry\locals~1\applic~1\Trend Micro
2010-10-18 18:45:26 -------- d-sha-r- C:\cmdcons
2010-10-18 18:42:29 98816 ----a-w- c:\windows\sed.exe
2010-10-18 18:42:29 77312 ----a-w- c:\windows\MBR.exe
2010-10-18 18:42:29 256512 ----a-w- c:\windows\PEV.exe
2010-10-18 18:42:29 161792 ----a-w- c:\windows\SWREG.exe
2010-10-18 18:39:14 -------- d-----w- c:\windows\LMI180.tmp
2010-10-13 00:12:14 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-10-13 00:12:14 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-13 00:11:44 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2010-10-10 16:47:45 -------- d--h--w- c:\windows\PIF

==================== Find3M ====================

2010-10-18 18:32:44 0 ----a-w- c:\windows\Slofaniyaweva.bin
2010-09-18 17:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ------w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ------w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll

============= FINISH: 23:12:19.50 ===============
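The DDS output above is quoted as posted. As an added triage example (not part of the thread, and not DDS's own code), the Python script below parses the line formats DDS prints in its "Pseudo HJT Report" and Firefox sections and flags the entries a responder would look at first: an Internet Settings proxy that points at the loopback address (a local proxy is one way browser traffic ends up redirected, so it is worth checking which process listens on that port), BHO/toolbar entries whose file is missing, hidden Firefox extensions with no registry reference, and user.js lines that silence the mixed-content and insecure-submission warnings. The embedded sample log is a constructed excerpt modelled on the log above; the rule names and severities are this example's own conventions, not anything DDS reports.

```python
"""Triage helper for the DDS-style log sections quoted in this thread.

Added example, not part of the thread and not DDS's own code. It scans the
line formats DDS prints in its "Pseudo HJT Report" and Firefox sections and
flags the entries a responder would review first. Rule names and severities
are this example's own conventions.
"""
import re

# Constructed excerpt modelled on the DDS log posted above (a few lines only).
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5577
BHO: AutorunsDisabled - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

================= FIREFOX ===================

FF - prefs.js: network.proxy.type - 0
FF - HiddenExtension: LoudMo Contextual Ad Assistant: No Registry Reference - c:\program files\mozilla firefox\extensions\{226ff505-1709-fee5-4b5e-615582940745}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_submit_insecure - false
"""

# "u" = current-user hive, "m" = machine hive, as DDS abbreviates them.
PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(.+)$")
USERJS_RE = re.compile(r"^FF - user\.js:\s*(\S+)\s*-\s*(.+)$")
ORPHAN_RE = re.compile(r"^(BHO|TB|EB):\s*(.*?)\s*-\s*No File$")
HIDDENEXT_RE = re.compile(
    r"^FF - HiddenExtension:\s*(.+?):\s*No Registry Reference\s*-\s*(.+)$")

# user.js prefs that, when forced to false, hide Firefox's mixed-content and
# insecure-form-submission warnings (both appear in the log above).
SILENCED_WARNINGS = {"security.warn_viewing_mixed", "security.warn_submit_insecure"}


def parse_proxy_value(value):
    """Split a ProxyServer value into (scheme, host, port) tuples.

    The registry value is either "host:port" (applies to every protocol,
    reported here with scheme "*") or "http=host:port;https=host:port;...".
    """
    entries = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")
        host, _, port = hostport.rpartition(":")
        if not host:  # no port was given
            host, port = hostport, ""
        entries.append((scheme or "*", host, port))
    return entries


def is_loopback(host):
    """True when the proxy host is this machine itself."""
    h = host.strip("[]").lower()
    return h == "localhost" or h == "::1" or h.startswith("127.")


def triage(log_text):
    """Return a list of findings ({rule, severity, detail, line}) for the log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = PROXY_RE.match(line)
        if m:
            for scheme, host, port in parse_proxy_value(m.group(1)):
                if is_loopback(host):
                    findings.append({"rule": "loopback_proxy", "severity": "high",
                                     "detail": f"{scheme} traffic is relayed via {host}:{port}; "
                                               "check which process listens on that port",
                                     "line": line})
            continue
        m = USERJS_RE.match(line)
        if m:
            pref, val = m.group(1), m.group(2).strip().lower()
            if pref in SILENCED_WARNINGS and val == "false":
                findings.append({"rule": "security_warning_disabled", "severity": "medium",
                                 "detail": f"{pref} forced to false in user.js", "line": line})
            continue
        m = ORPHAN_RE.match(line)
        if m:
            findings.append({"rule": "orphan_entry", "severity": "low",
                             "detail": f"{m.group(1)} {m.group(2)} registered but file missing",
                             "line": line})
            continue
        m = HIDDENEXT_RE.match(line)
        if m:
            findings.append({"rule": "hidden_extension", "severity": "medium",
                             "detail": f"'{m.group(1)}' loaded from {m.group(2)} without a registry entry",
                             "line": line})
    return findings


def summarize(findings):
    """Count findings per rule, for a quick overview."""
    counts = {}
    for f in findings:
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['rule']}: {f['detail']}")
```

Run it against a saved DDS log by reading the file into `triage()` instead of `SAMPLE_LOG`. The orphan and hidden-extension rules are deliberately low or medium severity: a missing file usually means leftover registration from something already removed, and a hidden extension can be legitimate (the Java Console entries are), so those findings are review items rather than verdicts, whereas a browser proxy on the loopback interface with no proxy software installed is the one to chase down first.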

Is this what you wanted? I am in and out too.

Yes - That's the one.

Nothing really jumps out at me from the scanlog.
The thing is, it looks as though you have done a lot already. I see combofix has been run around a week ago - that will get a lot of the most recent baddies.

I'd really need to see the combofix log to get a handle on what you have been battling in order to advise you further.

-- Did you run combofix on your own or did you use a service such as LogMeIn Rescue Service?

-- Also, I don't see any Anti-Virus program. Did you remove one?

-- What about CyberDefender AntiSpyware 2010? Did you install that? I seem to recall a Rogue by that name a few years ago.

Let me know what symptoms you are still experiencing (other than issues with MBAM) as well as the above and we can try another tack - Without knowing what has already been removed, it's tough to deal with the collateral damage left behind.

Cheers :)
PP

Well, I am getting the browser redirected often.

Also, at times very slow.

I did combofix on my own through a series of instructions I got from...?..somewhere. It never finished as far as I can remember. It also seemed like I was getting conflict from other programs so I removed all of them. I have malwarebytes loaded and I have been using housecalls...microtrends titanium version but removed that because it was blocking stuff I was asked to do on the "before you post" thread.

Like I said I know enough to keep me going at times, but not enough to know what I am really doing. The Cyberdefender was weak IMO and that subscription has expired and I removed it in "add remove programs" in the control panel.

Yea the collateral damage... I tried to remove this thing and when I was asked to go to the hidden files I could not because that feature is not available. So here I am with a fairly minor problem just irritating at times when the browser wants to do its own thing.

Also, on rare occasion I get a popup that says it's a spyware company and it acts like it is running a scan. It is rare but it still comes on from time to time.

I do not know if any of that is helpful, but at least I did answer one of your original questions....."what problems are you having"?

OK - Let's go in this direction:

You can print out the bit for AVP Tool if need be.


-- See if you are able to run the GMER scans from the Read Me linky. If so, post those logs for me.

-- Also, I'd like to see the DDS Attach log

-- Please Download Kaspersky's AVP Tool

-- Save AVP Tool to your Desktop.
-- Please boot to Safe Mode (tap F8 at reboot - Do Not use msconfig!)

Once in Safe Mode:
-- DoubleClick the AVP Tool setup file to run it.
Follow the prompts and it should install to your Desktop Folder
-- If you get a prompt for scanning in Safe Mode, click OK.
-- AVP Tool will open.
-- Click the Manual Disinfection Tab
-- Click the Gathering system information Button and let it run
-- When it finishes, click the link “Open folder” to access the folder where the report is saved.

Please save the log and post it for me with the others.

THEN:
Please select the Automatic Scan Tab
Be sure the following boxes are checked:
• System Memory
• Startup Objects
• Disk Boot Sectors.
• My Computer.
• All other drives

-- Please click the Scan Button.
AVP Tool should Neutralize any objects it finds. If some are left un-neutralized, Click the Neutralize All button.
Note: If an object cannot be neutralized, select DELETE at the prompt.

When finished, please click the Reports Button and save the log where you can find it easily. Please post that for me.
Also, let me know if you ran into any problems with these steps.
Note: AVP Tool should "self-uninstall" or prompt you to remove it upon exit, so be sure to save the log before closing the program.


PP :)

I have been trying to get the info and I do not have much for you. The GMER did not show anything on the first page but after I ran the scan following the instructions it would not finish, so I ran the Kaspersky AVP tool and it removed a ton of trojans. After that I went ahead and re-ran the other things you asked for and now they will run, I have posted them too.

I hope this is what you have asked me for. Sorry it took so long but I have been busier than usual. If I did this wrong I am sorry and if you need more info I will do my best to get what you need. I am grateful to you for this help. Looks like I have a young man staying here and I suspect he has been going to some less than reputable sites....I will be asking him to leave if that is the case. I do not like that and that is unacceptable.

here is DDS

DDS (Ver_10-10-21.02) - NTFSx86
Run by larry at 17:47:50.98 on Wed 11/03/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2559.2130 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\LIUtilities\SpeedUpMyPC\speedupmypc.exe
svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\larry\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.comcast.net/
uInternet Settings,ProxyServer = http=127.0.0.1:5577
BHO: AutorunsDisabled - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\larry\startm~1\programs\startup\setup_~1.lnk - c:\documents and settings\larry\desktop\virus removal tool1\setup_9.0.0.722_03.11.2010_18-09\startup.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\speedu~1.lnk - c:\program files\liutilities\speedupmypc\speedupmypc.exe
uPolicies-explorer: NoRealMode = 0 (0x0)
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {E2CD81CE-04C8-441A-933F-2FB2BF51FD65} = 68.87.68.162,68.87.74.162
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\larry\applic~1\mozilla\firefox\profiles\7ku57xn6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=SOLTDF&q=
FF - prefs.js: browser.search.selectedEngine - Web Search
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\nos\bin\np_gp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: LoudMo Contextual Ad Assistant: No Registry Reference - c:\program files\mozilla firefox\extensions\{226ff505-1709-fee5-4b5e-615582940745}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R0 23394592;23394592 Boot Guard Driver;c:\windows\system32\drivers\23394592.sys [2010-11-3 37392]
R1 23394591;23394591;c:\windows\system32\drivers\23394591.sys [2010-11-3 128016]
R1 setup_9.0.0.722_03.11.2010_18-09drv;setup_9.0.0.722_03.11.2010_18-09drv;c:\windows\system32\drivers\2339459.sys [2010-11-3 315408]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-10-28 136176]
S3 CDASPROT;CyberDefender AntiSpyware 2010;\??\c:\program files\cyberdefender\cdantispyware\cdasprot.sys --> c:\program files\cyberdefender\cdantispyware\cdasprot.sys [?]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2003-3-31 14336]
S3 uti2nzy4;AVZ Kernel Driver;c:\windows\system32\drivers\uti2nzy4.sys [2010-11-3 7168]

=============== Created Last 30 ================

2010-11-03 17:18:21 7168 ----a-w- c:\windows\system32\drivers\uti2nzy4.sys
2010-11-03 16:40:15 37392 ----a-w- c:\windows\system32\drivers\23394592.sys
2010-11-03 16:40:15 315408 ----a-w- c:\windows\system32\drivers\2339459.sys
2010-11-03 16:40:15 128016 ----a-w- c:\windows\system32\drivers\23394591.sys
2010-10-25 15:48:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-25 15:48:02 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-24 16:28:53 -------- d-----w- c:\windows\system32\wbem\repository\FS
2010-10-24 16:28:53 -------- d-----w- c:\windows\system32\wbem\Repository
2010-10-21 13:50:03 35136 ----a-w- c:\program files\mozilla firefox\plugins\np_gp.dll
2010-10-18 22:31:36 -------- d-----w- c:\docume~1\alluse~1\applic~1\Trend Micro
2010-10-18 19:12:57 -------- d-----w- C:\ComboFix
2010-10-18 18:59:22 -------- d-----w- c:\docume~1\larry\locals~1\applic~1\Trend Micro
2010-10-18 18:45:26 -------- d-sha-r- C:\cmdcons
2010-10-18 18:42:29 98816 ----a-w- c:\windows\sed.exe
2010-10-18 18:42:29 77312 ----a-w- c:\windows\MBR.exe
2010-10-18 18:42:29 256512 ----a-w- c:\windows\PEV.exe
2010-10-18 18:42:29 161792 ----a-w- c:\windows\SWREG.exe
2010-10-18 18:39:14 -------- d-----w- c:\windows\LMI180.tmp
2010-10-13 00:12:14 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-10-13 00:12:14 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-13 00:11:44 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2010-10-10 16:47:45 -------- d--h--w- c:\windows\PIF

==================== Find3M ====================

2010-10-18 18:32:44 0 ----a-w- c:\windows\Slofaniyaweva.bin
2010-09-18 17:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ------w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ------w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll

============= FINISH: 17:49:02.73 ===============

here is attach

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-10-21.02)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 10/14/2007 11:36:39 AM
System Uptime: 11/3/2010 5:35:56 PM (0 hours ago)

Motherboard: Dell Computer Corp. | | 02Y832
Processor: Intel(R) Pentium(R) 4 CPU 2.66GHz | Microprocessor | 2660/533mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 74 GiB total, 48.441 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1231: 8/6/2010 3:00:17 AM - Software Distribution Service 3.0
RP1232: 8/7/2010 3:52:44 AM - System Checkpoint
RP1233: 8/8/2010 4:01:44 AM - System Checkpoint
RP1234: 8/9/2010 6:11:22 AM - System Checkpoint
RP1235: 8/10/2010 7:30:04 AM - System Checkpoint
RP1236: 8/11/2010 8:06:11 AM - System Checkpoint
RP1237: 8/11/2010 2:27:14 PM - Software Distribution Service 3.0
RP1238: 8/11/2010 2:57:57 PM - Restore Operation
RP1239: 8/12/2010 3:00:16 AM - Software Distribution Service 3.0
RP1240: 8/12/2010 12:02:42 PM - Software Distribution Service 3.0
RP1241: 8/13/2010 12:58:50 PM - System Checkpoint
RP1242: 8/14/2010 2:21:17 PM - System Checkpoint
RP1243: 8/15/2010 3:07:21 PM - System Checkpoint
RP1244: 8/16/2010 3:12:21 PM - System Checkpoint
RP1245: 8/17/2010 4:12:21 PM - System Checkpoint
RP1246: 8/18/2010 5:12:01 PM - System Checkpoint
RP1247: 8/19/2010 6:12:01 PM - System Checkpoint
RP1248: 8/20/2010 6:22:43 PM - System Checkpoint
RP1249: 8/21/2010 7:22:43 PM - System Checkpoint
RP1250: 8/22/2010 8:38:24 PM - System Checkpoint
RP1251: 8/24/2010 12:15:51 AM - System Checkpoint
RP1252: 8/25/2010 12:21:40 AM - System Checkpoint
RP1253: 8/26/2010 3:08:11 AM - System Checkpoint
RP1254: 8/27/2010 3:21:11 AM - System Checkpoint
RP1255: 8/28/2010 3:47:11 AM - System Checkpoint
RP1256: 8/29/2010 4:21:11 AM - System Checkpoint
RP1257: 8/30/2010 5:21:11 AM - System Checkpoint
RP1258: 8/31/2010 6:21:12 AM - System Checkpoint
RP1259: 9/1/2010 7:54:50 AM - System Checkpoint
RP1260: 9/2/2010 8:27:54 AM - System Checkpoint
RP1261: 9/3/2010 9:27:54 AM - System Checkpoint
RP1262: 9/4/2010 10:27:54 AM - System Checkpoint
RP1263: 9/5/2010 12:02:51 PM - System Checkpoint
RP1264: 9/6/2010 1:51:46 PM - System Checkpoint
RP1265: 9/7/2010 3:00:16 AM - Software Distribution Service 3.0
RP1266: 9/8/2010 3:38:23 AM - System Checkpoint
RP1267: 9/9/2010 6:41:00 AM - System Checkpoint
RP1268: 9/10/2010 7:38:22 AM - System Checkpoint
RP1269: 9/11/2010 7:51:23 AM - System Checkpoint
RP1270: 9/12/2010 8:01:37 AM - System Checkpoint
RP1271: 9/13/2010 8:39:27 AM - System Checkpoint
RP1272: 9/14/2010 8:39:36 AM - System Checkpoint
RP1273: 9/15/2010 3:00:17 AM - Software Distribution Service 3.0
RP1274: 9/16/2010 3:23:58 AM - System Checkpoint
RP1275: 9/17/2010 4:23:58 AM - System Checkpoint
RP1276: 9/18/2010 4:31:53 AM - System Checkpoint
RP1277: 9/19/2010 5:23:58 AM - System Checkpoint
RP1278: 9/20/2010 7:04:55 AM - System Checkpoint
RP1279: 9/21/2010 8:51:42 AM - System Checkpoint
RP1280: 9/22/2010 9:52:13 AM - System Checkpoint
RP1281: 9/23/2010 10:23:54 AM - System Checkpoint
RP1282: 9/23/2010 9:20:27 AM - System Checkpoint
RP1283: 9/24/2010 2:31:20 PM - System Checkpoint
RP1284: 9/25/2010 11:50:34 PM - System Checkpoint
RP1285: 9/27/2010 12:25:16 AM - System Checkpoint
RP1286: 9/28/2010 1:22:48 AM - System Checkpoint
RP1287: 9/29/2010 1:23:58 AM - System Checkpoint
RP1288: 9/30/2010 2:23:46 AM - System Checkpoint
RP1289: 9/30/2010 3:00:16 AM - Software Distribution Service 3.0
RP1290: 10/1/2010 3:28:10 AM - System Checkpoint
RP1291: 10/2/2010 4:28:10 AM - System Checkpoint
RP1292: 10/3/2010 5:28:10 AM - System Checkpoint
RP1293: 10/4/2010 6:28:10 AM - System Checkpoint
RP1294: 10/5/2010 7:28:10 AM - System Checkpoint
RP1295: 10/6/2010 8:37:58 AM - System Checkpoint
RP1296: 10/7/2010 9:28:10 AM - System Checkpoint
RP1297: 10/8/2010 3:00:17 AM - Software Distribution Service 3.0
RP1298: 10/9/2010 3:10:20 AM - System Checkpoint
RP1299: 10/10/2010 4:10:21 AM - System Checkpoint
RP1300: 10/11/2010 4:42:15 AM - System Checkpoint
RP1301: 10/12/2010 6:14:18 AM - System Checkpoint
RP1302: 10/13/2010 3:00:17 AM - Software Distribution Service 3.0
RP1303: 10/14/2010 3:27:27 AM - System Checkpoint
RP1304: 10/15/2010 3:47:37 AM - System Checkpoint
RP1305: 10/16/2010 4:47:37 AM - System Checkpoint
RP1306: 10/17/2010 5:47:37 AM - System Checkpoint
RP1307: 10/18/2010 1:59:04 PM - Removed Trend Micro Internet Security
RP1308: 10/18/2010 2:53:32 PM - Installed SpeedUpMyPC
RP1309: 10/19/2010 12:14:20 AM - Installed Trend Micro Internet Security
RP1310: 10/20/2010 10:01:04 AM - System Checkpoint
RP1311: 10/21/2010 12:06:28 PM - System Checkpoint
RP1312: 10/22/2010 12:58:30 PM - System Checkpoint
RP1313: 10/23/2010 2:48:53 PM - System Checkpoint
RP1314: 10/23/2010 10:08:22 PM - Restore Operation
RP1315: 10/24/2010 11:24:46 AM - Restore Operation
RP1316: 10/24/2010 11:53:34 AM - Removed Google Earth.
RP1317: 10/25/2010 10:06:41 AM - Removed Trend Micro Internet Security
RP1318: 10/26/2010 10:42:16 AM - System Checkpoint
RP1319: 10/27/2010 7:17:54 PM - System Checkpoint
RP1320: 10/28/2010 8:02:53 PM - System Checkpoint
RP1321: 10/29/2010 8:40:43 PM - System Checkpoint
RP1322: 10/30/2010 9:40:42 PM - System Checkpoint
RP1323: 10/31/2010 10:41:41 PM - System Checkpoint
RP1324: 11/1/2010 11:40:36 PM - System Checkpoint
RP1325: 11/2/2010 11:41:42 PM - System Checkpoint

==== Installed Programs ======================

Adobe Acrobat 5.0
Adobe AIR
Adobe Download Manager
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop Elements 2.0
Adobe Reader 9.4.0
Critical Update for Windows Media Player 11 (KB959772)
Dell Driver Reset Tool
Google Toolbar for Internet Explorer
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Deskjet 5700
Intel(R) PRO Network Adapters and Drivers
Java(TM) 6 Update 15
k
Malwarebytes' Anti-Malware
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 1.0 Hotfix (KB928367)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Excel Viewer 2003
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Plus! for Windows XP
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Works 7.0
Mozilla Firefox (3.6.12)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NVIDIA Drivers
Primo
QuickTime
Runtime
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 8 (KB917734)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Sony Picture Utility
SoundMAX
SpeedUpMyPC
Spelling Dictionaries Support For Adobe Reader 9
TMS Explorer
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB982632)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Watchtower Library 2006 - English Edition
Watchtower Library 2007 - English
Watchtower Library 2008 - English
Watchtower Library 2009 - English
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows XP Service Pack 3
WinTasks

==== Event Viewer Messages From Past Week ========

11/3/2010 11:39:40 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip WS2IFSL
11/3/2010 11:39:40 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
11/3/2010 11:39:40 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/3/2010 11:39:40 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/3/2010 11:39:40 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
11/3/2010 11:39:09 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
11/3/2010 11:39:08 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
10/29/2010 8:38:23 AM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.

==== End Of File ===========================

GMER 1.0.15.15477 - http://www.gmer.net
Rootkit quick scan 2010-11-03 17:51:07
Windows 5.1.2600 Service Pack 3
Running: h25mzcgq.exe; Driver: C:\DOCUME~1\larry\LOCALS~1\Temp\kwpirpoc.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

Then GMER showed nothing after it ran the manual scan.

Here is the Kaspersky

<?xml version="1.0" encoding="windows-1251" ?>
<!-- AVZ XML Report -->
<AVZ Version="4.32" LogDate="11/3/2010 12:18:48 PM" WinDir="C:\WINDOWS\" ProfileDir="C:\Documents and Settings\larry" IsWow64="False" CompHash="B8C1EF75F51A49B032628770ED0E0308">
<PROCESS />
<DLL />
<KERNELOBJ>
<ITEM File="C:\WINDOWS\System32\Drivers\dump_atapi.sys" CheckResult="-1" Base="BA596000" MemSize="018000" Descr="" LegalCopyright="" />
<ITEM File="C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS" CheckResult="-1" Base="F79A9000" MemSize="002000" Descr="" LegalCopyright="" />
</KERNELOBJ>
<Service />
<Drivers>
<ITEM File="Abiosdsk.sys" Name="Abiosdsk" CheckResult="-1" Type="1" State="1" />
<ITEM File="abp480n5.sys" Name="abp480n5" CheckResult="-1" Type="1" State="1" />
<ITEM File="adpu160m.sys" Name="adpu160m" CheckResult="-1" Type="1" State="1" />
<ITEM File="Aha154x.sys" Name="Aha154x" CheckResult="-1" Type="1" State="1" />
<ITEM File="aic78u2.sys" Name="aic78u2" CheckResult="-1" Type="1" State="1" />
<ITEM File="aic78xx.sys" Name="aic78xx" CheckResult="-1" Type="1" State="1" />
<ITEM File="AliIde.sys" Name="AliIde" CheckResult="-1" Type="1" State="1" />
<ITEM File="amsint.sys" Name="amsint" CheckResult="-1" Type="1" State="1" />
<ITEM File="asc.sys" Name="asc" CheckResult="-1" Type="1" State="1" />
<ITEM File="asc3350p.sys" Name="asc3350p" CheckResult="-1" Type="1" State="1" />
<ITEM File="asc3550.sys" Name="asc3550" CheckResult="-1" Type="1" State="1" />
<ITEM File="Atdisk.sys" Name="Atdisk" CheckResult="-1" Type="1" State="1" />
<ITEM File="C:\DOCUME~1\larry\LOCALS~1\Temp\catchme.sys" Name="catchme" CheckResult="-1" Type="1" State="1" />
<ITEM File="cd20xrnt.sys" Name="cd20xrnt" CheckResult="-1" Type="1" State="1" />
<ITEM File="C:\Program Files\CyberDefender\CDAntiSpyware\cdasprot.sys" Name="CDASPROT" CheckResult="-1" Type="1" State="1" />
<ITEM File="Changer.sys" Name="Changer" CheckResult="-1" Type="1" State="1" />
<ITEM File="CmdIde.sys" Name="CmdIde" CheckResult="-1" Type="1" State="1" />
<ITEM File="Cpqarray.sys" Name="Cpqarray" CheckResult="-1" Type="1" State="1" />
<ITEM File="dac960nt.sys" Name="dac960nt" CheckResult="-1" Type="1" State="1" />
<ITEM File="dpti2o.sys" Name="dpti2o" CheckResult="-1" Type="1" State="1" />
<ITEM File="hpn.sys" Name="hpn" CheckResult="-1" Type="1" State="1" />
<ITEM File="i2omgmt.sys" Name="i2omgmt" CheckResult="-1" Type="1" State="1" />
<ITEM File="i2omp.sys" Name="i2omp" CheckResult="-1" Type="1" State="1" />
<ITEM File="ini910u.sys" Name="ini910u" CheckResult="-1" Type="1" State="1" />
<ITEM File="IntelIde.sys" Name="IntelIde" CheckResult="-1" Type="1" State="1" />
<ITEM File="lbrtfdc.sys" Name="lbrtfdc" CheckResult="-1" Type="1" State="1" />
<ITEM File="mraid35x.sys" Name="mraid35x" CheckResult="-1" Type="1" State="1" />
<ITEM File="PCIDump.sys" Name="PCIDump" CheckResult="-1" Type="1" State="1" />
<ITEM File="PDCOMP.sys" Name="PDCOMP" CheckResult="-1" Type="1" State="1" />
<ITEM File="PDFRAME.sys" Name="PDFRAME" CheckResult="-1" Type="1" State="1" />
<ITEM File="PDRELI.sys" Name="PDRELI" CheckResult="-1" Type="1" State="1" />
<ITEM File="PDRFRAME.sys" Name="PDRFRAME" CheckResult="-1" Type="1" State="1" />
<ITEM File="perc2.sys" Name="perc2" CheckResult="-1" Type="1" State="1" />
<ITEM File="perc2hib.sys" Name="perc2hib" CheckResult="-1" Type="1" State="1" />
<ITEM File="ql1080.sys" Name="ql1080" CheckResult="-1" Type="1" State="1" />
<ITEM File="Ql10wnt.sys" Name="Ql10wnt" CheckResult="-1" Type="1" State="1" />
<ITEM File="ql12160.sys" Name="ql12160" CheckResult="-1" Type="1" State="1" />
<ITEM File="ql1240.sys" Name="ql1240" CheckResult="-1" Type="1" State="1" />
<ITEM File="ql1280.sys" Name="ql1280" CheckResult="-1" Type="1" State="1" />
<ITEM File="Simbad.sys" Name="Simbad" CheckResult="-1" Type="1" State="1" />
<ITEM File="Sparrow.sys" Name="Sparrow" CheckResult="-1" Type="1" State="1" />
<ITEM File="sym_hi.sys" Name="sym_hi" CheckResult="-1" Type="1" State="1" />
<ITEM File="sym_u3.sys" Name="sym_u3" CheckResult="-1" Type="1" State="1" />
<ITEM File="symc810.sys" Name="symc810" CheckResult="-1" Type="1" State="1" />
<ITEM File="symc8xx.sys" Name="symc8xx" CheckResult="-1" Type="1" State="1" />
<ITEM File="TosIde.sys" Name="TosIde" CheckResult="-1" Type="1" State="1" />
<ITEM File="ultra.sys" Name="ultra" CheckResult="-1" Type="1" State="1" />
<ITEM File="ViaIde.sys" Name="ViaIde" CheckResult="-1" Type="1" State="1" />
<ITEM File="WDICA.sys" Name="WDICA" CheckResult="-1" Type="1" State="1" />
</Drivers>
<AUTORUN>
<ITEM File="C:\Program Files\LIUtilities\SpeedUpMyPC\speedupmypc.exe" CheckResult="-1" Enabled="1" Type="LNK" Size="3508736" Attr="rsAh" CreateDate="10/5/2004 3:12:52 PM" ChageDate="10/5/2004 3:12:52 PM" MD5="63EF2DA73F798C231074D9DB1FEB045F" X1="C:\Documents and Settings\All Users\Start Menu\Programs\Startup\" X2="C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SpeedUpMyPC.lnk" X3="" />
<ITEM File="C:\Program Files\TMSExplorer\TMSLaunch.exe" CheckResult="-1" Enabled="1" Type="LNK" Size="708608" Attr="rsAh" CreateDate="3/21/2010 6:07:24 PM" ChageDate="3/21/2010 6:07:24 PM" MD5="3CE4452FAEB682E5D29B97A838146DD8" X1="C:\Documents and Settings\larry\Application Data\Microsoft\Internet Explorer\Quick Launch\" X2="C:\Documents and Settings\larry\Application Data\Microsoft\Internet Explorer\Quick Launch\TMS Explorer.lnk" X3="" />
<ITEM File="C:\Program Files\Watchtower\Watchtower Library 2009\E\WTLibrary.exe" CheckResult="-1" Enabled="1" Type="LNK" Size="2398720" Attr="rsAh" CreateDate="11/2/2009 5:16:58 PM" ChageDate="11/2/2009 5:16:58 PM" MD5="639579C3D5D09AB672653E10825C0082" X1="C:\Documents and Settings\larry\Application Data\Microsoft\Internet Explorer\Quick Launch\" X2="C:\Documents and Settings\larry\Application Data\Microsoft\Internet Explorer\Quick Launch\Watchtower Library 2009 - English (2).lnk" X3="" />
<ITEM File="C:\WINDOWS\System32\PrintFilterPipelineSvc.exe" CheckResult="-1" Enabled="1" Type="REG" X1="HKEY_LOCAL_MACHINE" X2="SYSTEM\CurrentControlSet\Services\Eventlog\System\PrintFilterPipelineSvc" X3="EventMessageFile" />
<ITEM File="C:\WINDOWS\System32\appmgmts.dll" CheckResult="-1" Enabled="1" Type="REG" X1="HKEY_LOCAL_MACHINE" X2="SYSTEM\CurrentControlSet\Services\AppMgmt\Parameters" X3="ServiceDll" />
<ITEM File="C:\WINDOWS\System32\appmgmts.dll" CheckResult="-1" Enabled="1" Type="REG" X1="HKEY_LOCAL_MACHINE" X2="SYSTEM\CurrentControlSet\Services\Eventlog\Application\Application Management" X3="EventMessageFile" />
<ITEM File="C:\WINDOWS\System32\appmgr.dll" CheckResult="-1" Enabled="1" Type="REG" X1="HKEY_LOCAL_MACHINE" X2="SYSTEM\CurrentControlSet\Services\Eventlog\Application\Software Installation" X3="EventMessageFile" />
<ITEM File="C:\WINDOWS\System32\fdeploy.dll" CheckResult="-1" Enabled="1" Type="REG" X1="HKEY_LOCAL_MACHINE" X2="SYSTEM\CurrentControlSet\Services\Eventlog\Application\File Deployment" X3="EventMessageFile" />
<ITEM File="C:\WINDOWS\System32\fdeploy.dll" CheckResult="-1" Enabled="1" Type="REG" X1="HKEY_LOCAL_MACHINE" X2="SYSTEM\CurrentControlSet\Services\Eventlog\Application\Folder Redirection" X3="EventMessageFile" />
<ITEM File="C:\WINDOWS\System32\hidserv.dll" CheckResult="-1" Enabled="1" Type="REG" X1="HKEY_LOCAL_MACHINE" X2="SYSTEM\CurrentControlSet\Services\HidServ\Parameters" X3="ServiceDll" />
<ITEM File="C:\WINDOWS\System32\igmpv2.dll" CheckResult="-1" Enabled="1" Type="REG" X1="HKEY_LOCAL_MACHINE" X2="SYSTEM\CurrentControlSet\Services\Eventlog\System\IGMPv2" X3="EventMessageFile" />
<ITEM File="C:\WINDOWS\System32\ipbootp.dll" CheckResult="-1" Enabled="1" Type="REG" X1="HKEY_LOCAL_MACHINE" X2="SYSTEM\CurrentControlSet\Services\Eventlog\System\IPBOOTP" X3="EventMessageFile" />
<ITEM File="C:\WINDOWS\System32\iprip2.dll" CheckResult="-1" Enabled="1" Type="REG" X1="HKEY_LOCAL_MACHINE" X2="SYSTEM\CurrentControlSet\Services\Eventlog\System\IPRIP2" X3="EventMessageFile" />
<ITEM File="C:\WINDOWS\System32\ntbackup.exe" CheckResult="-1" Enabled="1" Type="REG" X1="HKEY_LOCAL_MACHINE" X2="SYSTEM\CurrentControlSet\Services\Eventlog\Application\ntbackup" X3="EventMessageFile" />
<ITEM File="C:\WINDOWS\System32\ospf.dll" CheckResult="-1" Enabled="1" Type="REG" X1="HKEY_LOCAL_MACHINE" X2="SYSTEM\CurrentControlSet\Services\Eventlog\System\OSPF" X3="EventMessageFile" />
<ITEM File="C:\WINDOWS\System32\ospfmib.dll" CheckResult="-1" Enabled="1" Type="REG" X1="HKEY_LOCAL_MACHINE" X2="SYSTEM\CurrentControlSet\Services\Eventlog\System\OSPFMib" X3="EventMessageFile" />
<ITEM File="C:\WINDOWS\System32\polagent.dll" CheckResult="-1" Enabled="1" Type="REG" X1="HKEY_LOCAL_MACHINE" X2="SYSTEM\CurrentControlSet\Services\Eventlog\System\PolicyAgent" X3="EventMessageFile" />
<ITEM File="C:\WINDOWS\System32\tssdis.exe" CheckResult="-1" Enabled="1" Type="REG" X1="HKEY_LOCAL_MACHINE" X2="SYSTEM\CurrentControlSet\Services\Eventlog\System\TermServSessDir" X3="EventMessageFile" />
<ITEM File="C:\WINDOWS\system32\MsSip1.dll" CheckResult="-1" Enabled="1" Type="REG" X1="HKEY_LOCAL_MACHINE" X2="SYSTEM\CurrentControlSet\Services\WinTrust\SubjectPackages\MS Subjects 1" X3="$DLL" />
<ITEM File="C:\WINDOWS\system32\MsSip2.dll" CheckResult="-1" Enabled="1" Type="REG" X1="HKEY_LOCAL_MACHINE" X2="SYSTEM\CurrentControlSet\Services\WinTrust\SubjectPackages\MS Subjects 2" X3="$DLL" />
<ITEM File="C:\WINDOWS\system32\MsSip3.dll" CheckResult="-1" Enabled="1" Type="REG" X1="HKEY_LOCAL_MACHINE" X2="SYSTEM\CurrentControlSet\Services\WinTrust\SubjectPackages\MS Subjects 3" X3="$DLL" />
<ITEM File="C:\WINDOWS\system32\asr_pfu.exe" CheckResult="-1" Enabled="1" Type="REG" X1="HKEY_LOCAL_MACHINE" X2="Software\Microsoft\Windows NT\CurrentVersion\Asr\Commands" X3="ASR protected file utility" />
<ITEM File="C:\WINDOWS\system32\emsmtp.dll" CheckResult="-1" Enabled="1" Type="REG" Size="131072" Attr="rsAh" CreateDate="10/16/2007 10:04:29 PM" ChageDate="3/7/2003 11:32:34 AM" MD5="B62E557375CDC1DE8F40CB3DDDB8D112" X1="HKEY_LOCAL_MACHINE" X2="SYSTEM\CurrentControlSet\Services\Eventlog\Application\EasyMail SMTP Object" X3="EventMessageFile" />
<ITEM File="C:\WINDOWS\system32\psxss.exe" CheckResult="-1" Enabled="-1" Type="REG" X1="HKEY_LOCAL_MACHINE" X2="System\CurrentControlSet\Control\Session Manager\SubSystems" X3="Posix" />
<ITEM File="C:\WINDOWS\system32\stisvc.exe" CheckResult="-1" Enabled="1" Type="REG" X1="HKEY_LOCAL_MACHINE" X2="SYSTEM\CurrentControlSet\Services\Eventlog\System" X3="EventMessageFile" />
<ITEM File="C:\WINDOWS\system\IR32.dll" CheckResult="-1" Enabled="1" Type="REG" Size="151040" Attr="rsAh" CreateDate="1/5/2008 11:46:09 PM" ChageDate="9/2/1994 1:00:00 AM" MD5="80DC931C64124CCE7D94AC8B94EE074B" X1="HKEY_LOCAL_MACHINE" X2="Software\Microsoft\Windows NT\CurrentVersion\Drivers" X3="VIDC.IV31" />
<ITEM File="C:\WINDOWS\system\MSRLE.drv" CheckResult="-1" Enabled="1" Type="REG" Size="11776" Attr="rsAh" CreateDate="1/5/2008 11:46:09 PM" ChageDate="11/19/1993 1:00:00 AM" MD5="9DA0C3FBD73F5C4DC0406E8D67E25C38" X1="HKEY_LOCAL_MACHINE" X2="Software\Microsoft\Windows NT\CurrentVersion\Drivers" X3="VIDC.MRLE" />
<ITEM File="C:\WINDOWS\system\iccvid.drv" CheckResult="-1" Enabled="1" Type="REG" Size="65408" Attr="rsAh" CreateDate="1/5/2008 11:46:08 PM" ChageDate="9/2/1994 1:00:00 AM" MD5="54753D315D35F0A19A84EE7B18A29DE0" X1="HKEY_LOCAL_MACHINE" X2="Software\Microsoft\Windows NT\CurrentVersion\Drivers" X3="VIDC.CVID" />
<ITEM File="C:\WINDOWS\system\imaadpcm.acm" CheckResult="-1" Enabled="1" Type="REG" Size="17936" Attr="rsAh" CreateDate="1/5/2008 11:46:07 PM" ChageDate="9/2/1994 1:00:00 AM" MD5="9490DF01AD780BC72E661B27A30E12BA" X1="HKEY_LOCAL_MACHINE" X2="Software\Microsoft\Windows NT\CurrentVersion\Drivers" X3="MSACM.imaadpcm" />
<ITEM File="C:\WINDOWS\system\ir21_r.dll" CheckResult="-1" Enabled="1" Type="REG" Size="77664" Attr="rsAh" CreateDate="1/5/2008 11:46:08 PM" ChageDate="11/19/1993 1:00:00 AM" MD5="37AE6792014E6E1C3D3D38268841D7E3" X1="HKEY_LOCAL_MACHINE" X2="Software\Microsoft\Windows NT\CurrentVersion\Drivers" X3="VIDC.RT21" />
<ITEM File="C:\WINDOWS\system\ir21_r.dll" CheckResult="-1" Enabled="1" Type="REG" Size="77664" Attr="rsAh" CreateDate="1/5/2008 11:46:08 PM" ChageDate="11/19/1993 1:00:00 AM" MD5="37AE6792014E6E1C3D3D38268841D7E3" X1="HKEY_LOCAL_MACHINE" X2="Software\Microsoft\Windows NT\CurrentVersion\Drivers" X3="VIDC.YVU9" />
<ITEM File="C:\WINDOWS\system\ir32.dll" CheckResult="-1" Enabled="1" Type="REG" Size="151040" Attr="rsAh" CreateDate="1/5/2008 11:46:09 PM" ChageDate="9/2/1994 1:00:00 AM" MD5="80DC931C64124CCE7D94AC8B94EE074B" X1="HKEY_LOCAL_MACHINE" X2="Software\Microsoft\Windows NT\CurrentVersion\Drivers" X3="VIDC.IV32" />
<ITEM File="C:\WINDOWS\system\msacm.drv" CheckResult="-1" Enabled="1" Type="REG" Size="22816" Attr="rsAh" CreateDate="1/5/2008 11:46:08 PM" ChageDate="11/19/1993 1:00:00 AM" MD5="EA6F36BA81E56A746C481C36EA1FC42D" X1="HKEY_LOCAL_MACHINE" X2="Software\Microsoft\Windows NT\CurrentVersion\Drivers" X3="WaveMapper" />
<ITEM File="C:\WINDOWS\system\msadpcm.acm" CheckResult="-1" Enabled="1" Type="REG" Size="15104" Attr="rsAh" CreateDate="1/5/2008 11:46:08 PM" ChageDate="11/19/1993 1:00:00 AM" MD5="B999E47F84AC7A342102F8F0875339AD" X1="HKEY_LOCAL_MACHINE" X2="Software\Microsoft\Windows NT\CurrentVersion\Drivers" X3="MSACM.msadpcm" />
<ITEM File="C:\WINDOWS\system\msvidc.drv" CheckResult="-1" Enabled="1" Type="REG" Size="43520" Attr="rsAh" CreateDate="1/5/2008 11:46:09 PM" ChageDate="11/19/1993 1:00:00 AM" MD5="76A8179B20041ED5FA2CE2303F3B49C8" X1="HKEY_LOCAL_MACHINE" X2="Software\Microsoft\Windows NT\CurrentVersion\Drivers" X3="VIDC.MSVC" />
<ITEM File="appmgmts.dll" CheckResult="-1" Enabled="1" Type="REG" X1="HKEY_LOCAL_MACHINE" X2="Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}" X3="DLLName" />
<ITEM File="kbd101a.dll" CheckResult="-1" Enabled="1" Type="REG" X1="HKEY_LOCAL_MACHINE" X2="SYSTEM\CurrentControlSet\Services\i8042prt\Parameters" X3="LayerDriver KOR" />
<ITEM File="mvfs32.dll" CheckResult="-1" Enabled="1" Type="REG" X1="HKEY_USERS" X2=".DEFAULT\Control Panel\IOProcs" X3="MVB" />
<ITEM File="mvfs32.dll" CheckResult="-1" Enabled="1" Type="REG" X1="HKEY_USERS" X2="S-1-5-20\Control Panel\IOProcs" X3="MVB" />
<ITEM File="mvfs32.dll" CheckResult="-1" Enabled="1" Type="REG" X1="HKEY_USERS" X2="S-1-5-18\Control Panel\IOProcs" X3="MVB" />
<ITEM File="mvfs32.dll" CheckResult="-1" Enabled="1" Type="REG" X1="HKEY_USERS" X2="S-1-5-21-602162358-448539723-725345543-1004\Control Panel\IOProcs" X3="MVB" />
<ITEM File="vgafix.fon" CheckResult="-1" Enabled="1" Type="REG" X1="HKEY_LOCAL_MACHINE" X2="Software\Microsoft\Windows NT\CurrentVersion\WOW\boot" X3="fixedfon.fon" />
<ITEM File="vgaoem.fon" CheckResult="-1" Enabled="1" Type="REG" X1="HKEY_LOCAL_MACHINE" X2="Software\Microsoft\Windows NT\CurrentVersion\WOW\boot" X3="oemfonts.fon" />
<ITEM File="vgasys.fon" CheckResult="-1" Enabled="1" Type="REG" X1="HKEY_LOCAL_MACHINE" X2="Software\Microsoft\Windows NT\CurrentVersion\WOW\boot" X3="fonts.fon" />
</AUTORUN>
<BHO>
<ITEM File="" CheckResult="-1" Enabled="1" BHOType="1" RegKey="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" CLSID="AutorunsDisabled" Descr="" LegalCopyright="" />
<ITEM File="" CheckResult="-1" Enabled="1" BHOType="5" RegKey="HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars" CLSID="{32683183-48a0-441b-a342-7c2a440a9478}" Descr="" LegalCopyright="" />
</BHO>
<ExplorerExt>
<ITEM File="deskpan.dll" CheckResult="-1" Enabled="1" ExtType="1" ExtName="Display Panning CPL Extension" RegKey="SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved" CLSID="{42071714-76d4-11d1-8b24-00a0c9068ff3}" Descr="" LegalCopyright="" />
<ITEM File="" CheckResult="-1" Enabled="1" ExtType="1" ExtName="Shell extensions for file compression" RegKey="SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved" CLSID="{764BF0E1-F219-11ce-972D-00AA00A14F56}" Descr="" LegalCopyright="" />
<ITEM File="" CheckResult="-1" Enabled="1" ExtType="1" ExtName="Encryption Context Menu" RegKey="SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved" CLSID="{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}" Descr="" LegalCopyright="" />
<ITEM File="" CheckResult="-1" Enabled="1" ExtType="1" ExtName="Taskbar and Start Menu" RegKey="SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved" CLSID="{0DF44EAA-FF21-4412-828E-260A8728E7F1}" Descr="" LegalCopyright="" />
<ITEM File="" CheckResult="-1" Enabled="1" ExtType="1" ExtName="Media Band" RegKey="SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved" CLSID="{32683183-48a0-441b-a342-7c2a440a9478}" Descr="" LegalCopyright="" />
<ITEM File="" CheckResult="-1" Enabled="1" ExtType="1" ExtName="User Accounts" RegKey="SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved" CLSID="{7A9D77BD-5403-11d2-8785-2E0420524153}" Descr="" LegalCopyright="" />
<ITEM File="" CheckResult="-1" Enabled="1" ExtType="1" ExtName="Microsoft Browser Architecture" RegKey="SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved" CLSID="{BC476F4C-D9D7-4100-8D4E-E043F6DEC409}" Descr="" LegalCopyright="" />
<ITEM File="" CheckResult="-1" Enabled="1" ExtType="1" ExtName="IE User Assist" RegKey="SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved" CLSID="{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75}" Descr="" LegalCopyright="" />
<ITEM File="" CheckResult="-1" Enabled="1" ExtType="1" ExtName="Shell Extensions for RealOne Player" RegKey="SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved" CLSID="{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" Descr="" LegalCopyright="" />
<ITEM File="" CheckResult="-1" Enabled="1" ExtType="1" ExtName="BitZipper32" RegKey="SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved" CLSID="{D5906221-A717-479B-9B49-CD848F9CE816}" Descr="" LegalCopyright="" />
<ITEM File="" CheckResult="-1" Enabled="1" ExtType="1" ExtName="Trojan Remover Shell Extension" RegKey="SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved" CLSID="{52B87208-9CCF-42C9-B88E-069281105805}" Descr="" LegalCopyright="" />
<ITEM File="" CheckResult="-1" Enabled="1" ExtType="1" ExtName="Defense Center extension" RegKey="SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved" CLSID="{5E2121EE-0300-11D4-8D3B-444553540000}" Descr="" LegalCopyright="" />
<ITEM File="rundll32.exe C:\WINDOWS\system32\shimgvw.dll,ImageView_COMServer {00E7B358-F65B-4dcf-83DF-CD026B94BFD4}" CheckResult="-1" Enabled="1" ExtType="1" ExtName="Autoplay for SlideShow" RegKey="SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved" CLSID="{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}" Descr="" LegalCopyright="" />
</ExplorerExt>
<PrintEXT />
<TaskScheduler />
<SPI>
<ITEM File="C:\WINDOWS\System32\mswsock.dll" CheckResult="-1" SPIType="1" SPINaim="Tcpip" Descr="Microsoft Windows Sockets 2.0 Service Provider" LegalCopyright="© Microsoft Corporation. All rights reserved." Size="245248" Attr="rsAh" CreateDate="3/31/2003 7:00:00 AM" ChageDate="6/20/2008 12:46:57 PM" MD5="832E4DD8964AB7ACC880B2837CB1ED20" />
<ITEM File="C:\WINDOWS\System32\winrnr.dll" CheckResult="-1" SPIType="1" SPINaim="NTDS" Descr="LDAP RnR Provider DLL" LegalCopyright="© Microsoft Corporation. All rights reserved." Size="16896" Attr="rsAh" CreateDate="3/31/2003 7:00:00 AM" ChageDate="4/13/2008 7:12:09 PM" MD5="D72B9EC3337B247A666F098F3D6B43DE" />
<ITEM File="C:\WINDOWS\System32\mswsock.dll" CheckResult="-1" SPIType="1" SPINaim="Network Location Awareness (NLA) Namespace" Descr="Microsoft Windows Sockets 2.0 Service Provider" LegalCopyright="© Microsoft Corporation. All rights reserved." Size="245248" Attr="rsAh" CreateDate="3/31/2003 7:00:00 AM" ChageDate="6/20/2008 12:46:57 PM" MD5="832E4DD8964AB7ACC880B2837CB1ED20" />
<ITEM File="C:\WINDOWS\system32\mswsock.dll" CheckResult="-1" SPIType="3" SPINaim="MSAFD Tcpip [TCP/IP]" Descr="Microsoft Windows Sockets 2.0 Service Provider" LegalCopyright="© Microsoft Corporation. All rights reserved." Size="245248" Attr="rsAh" CreateDate="3/31/2003 7:00:00 AM" ChageDate="6/20/2008 12:46:57 PM" MD5="832E4DD8964AB7ACC880B2837CB1ED20" />
<ITEM File="C:\WINDOWS\system32\mswsock.dll" CheckResult="-1" SPIType="3" SPINaim="MSAFD Tcpip [UDP/IP]" Descr="Microsoft Windows Sockets 2.0 Service Provider" LegalCopyright="© Microsoft Corporation. All rights reserved." Size="245248" Attr="rsAh" CreateDate="3/31/2003 7:00:00 AM" ChageDate="6/20/2008 12:46:57 PM" MD5="832E4DD8964AB7ACC880B2837CB1ED20" />
<ITEM File="C:\WINDOWS\system32\mswsock.dll" CheckResult="-1" SPIType="3" SPINaim="MSAFD Tcpip [RAW/IP]" Descr="Microsoft Windows Sockets 2.0 Service Provider" LegalCopyright="© Microsoft Corporation. All rights reserved." Size="245248" Attr="rsAh" CreateDate="3/31/2003 7:00:00 AM" ChageDate="6/20/2008 12:46:57 PM" MD5="832E4DD8964AB7ACC880B2837CB1ED20" />
<ITEM File="C:\WINDOWS\system32\rsvpsp.dll" CheckResult="-1" SPIType="3" SPINaim="RSVP UDP Service Provider" Descr="Microsoft Windows Rsvp 1.0 Service Provider" LegalCopyright="© Microsoft Corporation. All rights reserved." Size="92672" Attr="rsAh" CreateDate="3/31/2003 7:00:00 AM" ChageDate="4/13/2008 7:12:04 PM" MD5="72451FD61DDBB0A1FB071B7C3CDE5594" />
<ITEM File="C:\WINDOWS\system32\rsvpsp.dll" CheckResult="-1" SPIType="3" SPINaim="RSVP TCP Service Provider" Descr="Microsoft Windows Rsvp 1.0 Service Provider" LegalCopyright="© Microsoft Corporation. All rights reserved." Size="92672" Attr="rsAh" CreateDate="3/31/2003 7:00:00 AM" ChageDate="4/13/2008 7:12:04 PM" MD5="72451FD61DDBB0A1FB071B7C3CDE5594" />
<ITEM File="C:\WINDOWS\system32\mswsock.dll" CheckResult="-1" SPIType="3" SPINaim="MSAFD NetBIOS [\Device\NetBT_Tcpip_{E26AE9CE-A535-41A0-917A-0A043DCAA1FC}] SEQPACKET 4" Descr="Microsoft Windows Sockets 2.0 Service Provider" LegalCopyright="© Microsoft Corporation. All rights reserved." Size="245248" Attr="rsAh" CreateDate="3/31/2003 7:00:00 AM" ChageDate="6/20/2008 12:46:57 PM" MD5="832E4DD8964AB7ACC880B2837CB1ED20" />
<ITEM File="C:\WINDOWS\system32\mswsock.dll" CheckResult="-1" SPIType="3" SPINaim="MSAFD NetBIOS [\Device\NetBT_Tcpip_{E26AE9CE-A535-41A0-917A-0A043DCAA1FC}] DATAGRAM 4" Descr="Microsoft Windows Sockets 2.0 Service Provider" LegalCopyright="© Microsoft Corporation. All rights reserved." Size="245248" Attr="rsAh" CreateDate="3/31/2003 7:00:00 AM" ChageDate="6/20/2008 12:46:57 PM" MD5="832E4DD8964AB7ACC880B2837CB1ED20" />
<ITEM File="C:\WINDOWS\system32\mswsock.dll" CheckResult="-1" SPIType="3" SPINaim="MSAFD NetBIOS [\Device\NetBT_Tcpip_{A9C96233-FFC0-493C-9453-7E47A8C5E8DD}] SEQPACKET 0" Descr="Microsoft Windows Sockets 2.0 Service Provider" LegalCopyright="© Microsoft Corporation. All rights reserved." Size="245248" Attr="rsAh" CreateDate="3/31/2003 7:00:00 AM" ChageDate="6/20/2008 12:46:57 PM" MD5="832E4DD8964AB7ACC880B2837CB1ED20" />
<ITEM File="C:\WINDOWS\system32\mswsock.dll" CheckResult="-1" SPIType="3" SPINaim="MSAFD NetBIOS [\Device\NetBT_Tcpip_{A9C96233-FFC0-493C-9453-7E47A8C5E8DD}] DATAGRAM 0" Descr="Microsoft Windows Sockets 2.0 Service Provider" LegalCopyright="© Microsoft Corporation. All rights reserved." Size="245248" Attr="rsAh" CreateDate="3/31/2003 7:00:00 AM" ChageDate="6/20/2008 12:46:57 PM" MD5="832E4DD8964AB7ACC880B2837CB1ED20" />
<ITEM File="C:\WINDOWS\system32\mswsock.dll" CheckResult="-1" SPIType="3" SPINaim="MSAFD NetBIOS [\Device\NetBT_Tcpip_{03D46FFA-58C6-4A5C-A8EC-44FAA876532B}] SEQPACKET 1" Descr="Microsoft Windows Sockets 2.0 Service Provider" LegalCopyright="© Microsoft Corporation. All rights reserved." Size="245248" Attr="rsAh" CreateDate="3/31/2003 7:00:00 AM" ChageDate="6/20/2008 12:46:57 PM" MD5="832E4DD8964AB7ACC880B2837CB1ED20" />
<ITEM File="C:\WINDOWS\system32\mswsock.dll" CheckResult="-1" SPIType="3" SPINaim="MSAFD NetBIOS [\Device\NetBT_Tcpip_{03D46FFA-58C6-4A5C-A8EC-44FAA876532B}] DATAGRAM 1" Descr="Microsoft Windows Sockets 2.0 Service Provider" LegalCopyright="© Microsoft Corporation. All rights reserved." Size="245248" Attr="rsAh" CreateDate="3/31/2003 7:00:00 AM" ChageDate="6/20/2008 12:46:57 PM" MD5="832E4DD8964AB7ACC880B2837CB1ED20" />
<ITEM File="C:\WINDOWS\system32\mswsock.dll" CheckResult="-1" SPIType="3" SPINaim="MSAFD NetBIOS [\Device\NetBT_Tcpip_{533C9AB9-D6E3-4A9D-BC47-4E8D70F04C84}] SEQPACKET 2" Descr="Microsoft Windows Sockets 2.0 Service Provider" LegalCopyright="© Microsoft Corporation. All rights reserved." Size="245248" Attr="rsAh" CreateDate="3/31/2003 7:00:00 AM" ChageDate="6/20/2008 12:46:57 PM" MD5="832E4DD8964AB7ACC880B2837CB1ED20" />
<ITEM File="C:\WINDOWS\system32\mswsock.dll" CheckResult="-1" SPIType="3" SPINaim="MSAFD NetBIOS [\Device\NetBT_Tcpip_{533C9AB9-D6E3-4A9D-BC47-4E8D70F04C84}] DATAGRAM 2" Descr="Microsoft Windows Sockets 2.0 Service Provider" LegalCopyright="© Microsoft Corporation. All rights reserved." Size="245248" Attr="rsAh" CreateDate="3/31/2003 7:00:00 AM" ChageDate="6/20/2008 12:46:57 PM" MD5="832E4DD8964AB7ACC880B2837CB1ED20" />
</SPI>
<DPF />
<CPL />
<ActiveSetup />
<HOSTS />
<SuspFiles />
- <WIZARD-TSW>
<ITEM ID="58" Level="3" Fixed="0" />
<ITEM ID="59" Level="3" Fixed="0" />
<ITEM ID="60" Level="1" Fixed="0" />
<ITEM ID="61" Level="2" Fixed="0" />
</WIZARD-TSW>
</AVZ>


I hope this is what you have asked me for. Sorry it took so long, but I have been busier than usual...

Yeah - I'm in the same boat. Had to pick up extra work just to scrape by these days....

-- Definitely, if you've got a user visiting questionable sites, make them stop!

Anyhoo, just saw your post. AVZ logs are incomplete, but no worries. Let's go ahead with the following now:

Locate the copy of Combofix if it is still on your machine and DELETE it.

Then follow the instructions in the link below to download a fresh copy of Combofix and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please follow the instructions in the linky very carefully to run it and then post the combofix log for me.
Be sure to install Recovery Console (if you are able to do so) and disable any other security programs or Anti-Virus programs as per the linky before running Combofix!


THEN:
Please download JavaRa.zip to your Desktop and Extract it to its own folder.

-- Make sure ALL browsers are CLOSED.
-- DoubleClick on JavaRa.exe to run it and then select your language of choice.
-- Click Remove Older Versions.
-- Follow the prompts and a log will pop up. You can post this if you wish - I really don't need it, though.
-- Then, please go to http://www.java.com/en/ to download and install the latest version of Java.


Post me that Combofix log and let me know if you're still having any issues. I'll try to check back in a timely manner.

PP:)

Thanks,

Next time this stuff happens the kids will get the boot! Maybe someone could teach me how to know if someone is going to porn sites on my computer, I am gone often and there is someone that has access to this computer, often alone. I find that the cookies and temp files are deleted all the time.... other than that is there a way?

Here is the ComboFix log, and I cannot tell you how much I appreciate the time spent helping me!

ComboFix 10-11-04.06 - larry 11/05/2010 7:17.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2559.2224 [GMT -5:00]
Running from: c:\documents and settings\larry\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2010-10-05 to 2010-11-05 )))))))))))))))))))))))))))))))
.

2010-11-03 17:18 . 2010-11-03 17:18 7168 ----a-w- c:\windows\system32\drivers\uti2nzy4.sys
2010-11-03 16:40 . 2009-10-22 17:54 37392 ----a-w- c:\windows\system32\drivers\23394592.sys
2010-11-03 16:40 . 2009-10-10 03:31 315408 ----a-w- c:\windows\system32\drivers\2339459.sys
2010-11-03 16:40 . 2009-09-25 21:59 128016 ----a-w- c:\windows\system32\drivers\23394591.sys
2010-10-24 16:28 . 2010-10-24 16:28 -------- d-----w- c:\windows\system32\wbem\Repository
2010-10-24 16:27 . 2010-10-28 16:10 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-10-24 16:27 . 2010-10-24 16:27 -------- d-----w- c:\program files\NOS
2010-10-22 06:34 . 2010-10-22 06:34 -------- d-----w- c:\documents and settings\LocalService\PrivacIE
2010-10-22 06:34 . 2010-10-22 06:34 -------- d-----w- c:\documents and settings\LocalService\IECompatCache
2010-10-22 06:33 . 2010-10-22 06:33 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2010-10-21 16:48 . 2010-10-21 16:48 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-10-21 13:50 . 2010-09-01 20:51 35136 ----a-w- c:\program files\Mozilla Firefox\plugins\np_gp.dll
2010-10-18 22:31 . 2010-10-25 15:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Trend Micro
2010-10-18 18:59 . 2010-10-25 15:12 -------- d-----w- c:\documents and settings\larry\Local Settings\Application Data\Trend Micro
2010-10-18 18:39 . 2010-10-18 19:07 -------- d-----w- c:\windows\LMI180.tmp
2010-10-13 00:12 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-10-13 00:12 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-13 00:11 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2010-10-10 16:47 . 2010-10-10 16:47 -------- d--h--w- c:\windows\PIF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 17:23 . 2003-03-31 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2003-03-31 12:00 974848 ------w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2003-03-31 12:00 954368 ------w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2003-03-31 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58 . 2006-06-23 16:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2003-03-31 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2003-03-31 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51 . 2003-03-31 12:00 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2008-09-24 23:14 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2003-03-31 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2008-09-24 23:14 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2008-09-24 23:14 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-04-15 04:10 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2008-09-24 23:14 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2005-06-10 23:55 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2004-03-06 02:16 590848 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-10-18_19.19.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-11-05 12:11 . 2010-11-05 12:11 16384 c:\windows\Temp\Perflib_Perfdata_54c.dat
- 2010-08-04 23:54 . 2010-08-04 23:53 24576 c:\windows\Installer\nlsdl.dll
+ 2010-08-04 23:54 . 2010-10-19 05:13 24576 c:\windows\Installer\nlsdl.dll
+ 2010-08-04 23:54 . 2010-10-19 05:13 57856 c:\windows\Installer\mfcm80u.dll
- 2010-08-04 23:54 . 2010-08-04 23:53 57856 c:\windows\Installer\mfcm80u.dll
+ 2010-08-04 23:54 . 2010-10-19 05:13 69632 c:\windows\Installer\mfcm80.dll
- 2010-08-04 23:54 . 2010-08-04 23:53 69632 c:\windows\Installer\mfcm80.dll
+ 2010-08-04 23:54 . 2010-10-19 05:13 96256 c:\windows\Installer\atl80.dll
- 2010-08-04 23:54 . 2010-08-04 23:53 96256 c:\windows\Installer\atl80.dll
+ 2010-10-28 16:12 . 2010-10-28 16:12 21504 c:\windows\Installer\802076.msi
+ 2010-10-28 16:06 . 2010-10-28 16:06 24064 c:\windows\Installer\80206d.msi
+ 2010-10-18 19:53 . 2010-10-18 19:53 28672 c:\windows\Installer\{A9DFC08E-0256-4F90-A547-FA69A4CB1D3E}\IconCDB350541.exe
+ 2010-10-18 19:53 . 2010-10-18 19:53 53248 c:\windows\Installer\{A9DFC08E-0256-4F90-A547-FA69A4CB1D3E}\IconCDB35054.exe
+ 2010-09-24 19:31 . 2010-11-04 22:51 25214 c:\windows\Installer\{4286E640-B5FB-11DF-AC4B-005056C00008}\UNINST_Uninstall_G_F6A848FB884248E6A4CDCBDCF41F6A74_1.exe
- 2010-09-24 19:31 . 2010-09-24 19:31 25214 c:\windows\Installer\{4286E640-B5FB-11DF-AC4B-005056C00008}\UNINST_Uninstall_G_F6A848FB884248E6A4CDCBDCF41F6A74_1.exe
+ 2010-11-04 22:51 . 2010-11-04 22:51 25214 c:\windows\Installer\{4286E640-B5FB-11DF-AC4B-005056C00008}\UNINST_Uninstall_G_F6A848FB884248E6A4CDCBDCF41F6A74.exe
- 2010-09-24 19:31 . 2010-09-24 19:31 25214 c:\windows\Installer\{4286E640-B5FB-11DF-AC4B-005056C00008}\UNINST_Uninstall_G_F6A848FB884248E6A4CDCBDCF41F6A74.exe
- 2010-09-24 19:31 . 2010-09-24 19:31 25214 c:\windows\Installer\{4286E640-B5FB-11DF-AC4B-005056C00008}\ShortcutOGL_EB071909B9884F8CBF3D6115D4ADEE5E.exe
+ 2010-11-04 22:51 . 2010-11-04 22:51 25214 c:\windows\Installer\{4286E640-B5FB-11DF-AC4B-005056C00008}\ShortcutOGL_EB071909B9884F8CBF3D6115D4ADEE5E.exe
- 2010-09-24 19:31 . 2010-09-24 19:31 25214 c:\windows\Installer\{4286E640-B5FB-11DF-AC4B-005056C00008}\ShortcutDX_EB071909B9884F8CBF3D6115D4ADEE5E.exe
+ 2010-11-04 22:51 . 2010-11-04 22:51 25214 c:\windows\Installer\{4286E640-B5FB-11DF-AC4B-005056C00008}\ShortcutDX_EB071909B9884F8CBF3D6115D4ADEE5E.exe
+ 2010-11-04 22:51 . 2010-11-04 22:51 25214 c:\windows\Installer\{4286E640-B5FB-11DF-AC4B-005056C00008}\googleearth.exe1_F6A848FB884248E6A4CDCBDCF41F6A74.exe
- 2010-09-24 19:31 . 2010-09-24 19:31 25214 c:\windows\Installer\{4286E640-B5FB-11DF-AC4B-005056C00008}\googleearth.exe1_F6A848FB884248E6A4CDCBDCF41F6A74.exe
+ 2010-11-04 22:51 . 2010-11-04 22:51 25214 c:\windows\Installer\{4286E640-B5FB-11DF-AC4B-005056C00008}\googleearth.exe_F6A848FB884248E6A4CDCBDCF41F6A74.exe
- 2010-09-24 19:31 . 2010-09-24 19:31 25214 c:\windows\Installer\{4286E640-B5FB-11DF-AC4B-005056C00008}\googleearth.exe_F6A848FB884248E6A4CDCBDCF41F6A74.exe
- 2010-09-24 19:31 . 2010-09-24 19:31 25214 c:\windows\Installer\{4286E640-B5FB-11DF-AC4B-005056C00008}\ARPPRODUCTICON.exe
+ 2010-11-04 22:51 . 2010-11-04 22:51 25214 c:\windows\Installer\{4286E640-B5FB-11DF-AC4B-005056C00008}\ARPPRODUCTICON.exe
+ 2008-04-16 08:00 . 2008-04-14 00:09 6144 c:\windows\system32\kbd106.dll
- 2008-04-16 08:00 . 2008-04-14 00:09 6144 c:\windows\system32\kbd106.dll
+ 2008-04-16 08:00 . 2008-04-14 00:09 6144 c:\windows\system32\dllcache\kbd106.dll
- 2008-04-16 08:00 . 2008-04-14 00:09 6144 c:\windows\system32\dllcache\kbd106.dll
- 2008-12-30 02:43 . 2008-12-30 02:43 9728 c:\windows\Installer\{8C92D38B-C1DE-490A-B6D1-AAAA8E17DCE2}\Icon8C92D38B.exe
+ 2008-12-30 02:43 . 2010-10-18 19:54 9728 c:\windows\Installer\{8C92D38B-C1DE-490A-B6D1-AAAA8E17DCE2}\Icon8C92D38B.exe
+ 2010-10-10 13:27 . 2010-10-28 16:07 232912 c:\windows\system32\Macromed\Flash\FlashUtil10k_ActiveX.exe
- 2010-10-10 13:27 . 2010-10-10 13:36 232912 c:\windows\system32\Macromed\Flash\FlashUtil10k_ActiveX.exe
- 2010-10-10 13:27 . 2010-10-10 13:36 311760 c:\windows\system32\Macromed\Flash\FlashUtil10k_ActiveX.dll
+ 2010-10-10 13:27 . 2010-10-28 16:07 311760 c:\windows\system32\Macromed\Flash\FlashUtil10k_ActiveX.dll
+ 2010-08-04 23:54 . 2010-10-19 05:13 126208 c:\windows\Installer\tmdbg32.dll
- 2010-08-04 23:54 . 2010-08-04 23:54 126208 c:\windows\Installer\tmdbg32.dll
+ 2010-08-04 23:54 . 2010-10-19 05:13 626688 c:\windows\Installer\msvcr80.dll
- 2010-08-04 23:54 . 2010-08-04 23:53 626688 c:\windows\Installer\msvcr80.dll
+ 2010-08-04 23:54 . 2010-10-19 05:13 548864 c:\windows\Installer\msvcp80.dll
- 2010-08-04 23:54 . 2010-08-04 23:53 548864 c:\windows\Installer\msvcp80.dll
- 2010-08-04 23:54 . 2010-08-04 23:53 479232 c:\windows\Installer\msvcm80.dll
+ 2010-08-04 23:54 . 2010-10-19 05:13 479232 c:\windows\Installer\msvcm80.dll
- 2010-08-04 23:54 . 2010-08-04 23:53 159168 c:\windows\Installer\libexpat.dll
+ 2010-08-04 23:54 . 2010-10-19 05:13 159168 c:\windows\Installer\libexpat.dll
+ 2010-07-18 12:17 . 2010-10-24 16:29 3002220 c:\windows\system32\Restore\rstrlog.dat
- 2010-08-04 23:54 . 2010-08-04 23:53 1093120 c:\windows\Installer\mfc80u.dll
+ 2010-08-04 23:54 . 2010-10-19 05:13 1093120 c:\windows\Installer\mfc80u.dll
- 2010-08-04 23:54 . 2010-08-04 23:53 1101824 c:\windows\Installer\mfc80.dll
+ 2010-08-04 23:54 . 2010-10-19 05:13 1101824 c:\windows\Installer\mfc80.dll
+ 2010-11-04 22:51 . 2010-11-04 22:51 1223680 c:\windows\Installer\533d0d8.msi
+ 2007-10-16 23:19 . 2010-10-07 15:46 35385288 c:\windows\system32\MRT.exe
- 2007-10-16 23:19 . 2010-10-13 08:01 35385288 c:\windows\system32\MRT.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-10-28 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-12-10 7311360]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
SpeedUpMyPC.lnk - c:\program files\LIUtilities\SpeedUpMyPC\speedupmypc.exe [2004-10-5 3508736]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRealMode"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ SDEarlyDelete \??\0autocheck autochk *\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0cdasnative\0bootdelete\0bootdelete\0bootdelete

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpeedUpMyPC.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SpeedUpMyPC.lnk
backup=c:\windows\pss\SpeedUpMyPC.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^larry^Start Menu^Programs^Startup^PMB Media Check Tool.lnk]
path=c:\documents and settings\larry\Start Menu\Programs\Startup\PMB Media Check Tool.lnk
backup=c:\windows\pss\PMB Media Check Tool.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HitmanPro35]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2005-12-10 09:06 7311360 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-09-06 21:09 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"gusvc"=3 (0x3)
"gupdate1c9baada9a92374"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=

R0 23394592;23394592 Boot Guard Driver;c:\windows\system32\drivers\23394592.sys [11/3/2010 11:40 AM 37392]
R1 23394591;23394591;c:\windows\system32\drivers\23394591.sys [11/3/2010 11:40 AM 128016]
R1 setup_9.0.0.722_03.11.2010_18-09drv;setup_9.0.0.722_03.11.2010_18-09drv;c:\windows\system32\drivers\2339459.sys [11/3/2010 11:40 AM 315408]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/28/2010 11:06 AM 136176]
S3 CDASPROT;CyberDefender AntiSpyware 2010;\??\c:\program files\CyberDefender\CDAntiSpyware\cdasprot.sys --> c:\program files\CyberDefender\CDAntiSpyware\cdasprot.sys [?]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [3/31/2003 7:00 AM 14336]
S3 uti2nzy4;AVZ Kernel Driver;c:\windows\system32\drivers\uti2nzy4.sys [11/3/2010 12:18 PM 7168]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-11-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-28 16:06]

2010-11-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-28 16:06]

2010-11-05 c:\windows\Tasks\User_Feed_Synchronization-{4E2881CA-C1A9-42F3-AD18-0FDF70062CBB}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
uInternet Settings,ProxyServer = http=127.0.0.1:5577
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
TCP: {E2CD81CE-04C8-441A-933F-2FB2BF51FD65} = 68.87.68.162,68.87.74.162
FF - ProfilePath - c:\documents and settings\larry\Application Data\Mozilla\Firefox\Profiles\7ku57xn6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=SOLTDF&q=
FF - prefs.js: browser.search.selectedEngine - Web Search
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\NOS\bin\np_gp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - (no file)
MSConfigStartUp-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-05 07:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-602162358-448539723-725345543-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(776)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-11-05 07:26:23
ComboFix-quarantined-files.txt 2010-11-05 12:26

Pre-Run: 52,289,150,976 bytes free
Post-Run: 52,391,903,232 bytes free

- - End Of File - - 006334DA83955915C5022045A431440A


Next time this stuff happens the kids will get the boot! Maybe someone could teach me how to know if someone is going to porn sites on my computer, I am gone often and there is someone that has access to this computer, often alone. I find that the cookies and temp files are deleted all the time.... other than that is there a way?

In all honesty, the best thing that you can do is lay down the law to whomever is using the machine.
There is site-blocking software as well as spyware tools to tell you who is surfing what sites, but I don't recommend them. There are ways to get around them + the ones that report "after the fact" are only good for assigning blame for the infected machine.

Best thing you can do is to threaten to take away access to the computer....

-- Or, learn to use a tool such as SandBoxIE and then teach them how to use it to run their browser "sandboxed" and how to clear the sandbox after use.
The SandBoxIE site has a good tutorial - check it out.

-- Also, make sure to install a good AV / Firewall / Anti-malware solution. I like the Kaspersky Suite, but there are also many decent free options as well.


Gave the combofix a quick look - looks OK. How are things running?

I am going to leave the Kaspersky drivers alone in the event you need to run AVZ again in the future. If you do, be sure to update it!

There are a couple CyberDefender drivers left over as well - If you want to remove those, let me know.
Otherwise:
• Click Start > Run
• Type or Copy&Paste ComboFix /Uninstall into the Run box. (Be sure there is a space between the x and the / if you type it)
• Click OK

This will remove Combofix and its components from your machine.

Again, let me know how things are running and where you stand in implementing some security measures.....

Cheers :)
PP

Thank you for all your trouble.

As far as speed and performance go, I am good. The issue is the redirecting browser. It is intermittent but still doing it.

As far as the security. I think the boy was at it again today. He was on here and all the temp files are gone again as well as all the history deleted. There is no real reason to do that unless that person does not want others to know where he has been. Last chance, if he clears the history and temp files again he will have to find another place to look at his porn. Not my computer!

I deleted the combofix, maybe we got rid of it and he got it back today? I do not know. Right now it is not bad, and whatever and wherever it is, it does not seem to be a serious threat. Maybe we can leave this thread open for a few days and see what happens; I have a feeling that my guest will wear out his welcome soon. Either way, the problem with the security is solved, and once I am sure that is done, I will go back and run them again.

thanks again

Happy to help :)

-- Go ahead and download a fresh copy of combofix and give it another run and let's see what it finds.

-- Definitely look into SandBoxIE. He's got a great tutorial on site, plus it is easy to use. Install will put a shortcut on your desktop to "run browser sandboxed." Have them use that.....

PP:)
