# Windows error code 80070020...HELP!!!



## schweety (Apr 10, 2006)

I have been trying to download a Windows Security update since the end of last year. I have tried talking to every tech support person that I can and I'm running out of options. The update, KB970430, always fails (everything else updates) with the error code 80070020. I have disabled firewalls and other internet browser programs that can affect the connection, renamed the Windows Update software distribution folder, tried to download in safe mode, and disabled all of my antivirus software; nothing works. My system info is: Dell Latitude D620,
Windows Vista Business
Service Pack 2
32-bit operating system

I have also included a HijackThis report.

Please help me figure out why this won't download. I am headed back to college this weekend and the network there won't let me log on until it's updated. I'm tired of hearing there is nothing wrong with the computer... I just need this update to download! Thanks so much.

**If no one can help, please let me know so I'll go elsewhere for help**

Amanda

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:36:30 PM, on 8/25/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18943)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Users\Amanda\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Amanda\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Users\Amanda\AppData\Local\Google\Chrome\Application\chrome.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll (file missing)
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKCU\..\Run: [syst32] C:\Users\Amanda\AppData\Roaming\syst32.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Users\Amanda\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: QuickSet.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix: 
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\Windows\System32\LEXBCES.EXE
O23 - Service: Dell Internal Network Card Power Management (nicconfigsvc) - Dell Inc. - C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: NTRU TSS v1.2.1.12 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 8079 bytes


----------



## Brett_WinTeam (Jul 8, 2010)

Not sure if you have already seen this, but it looks like this site should be able to give you the information you need to solve your error code 80070020.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;883825

I hope this helps!

Brett M,
Windows Outreach Team


----------



## schweety (Apr 10, 2006)

Yes, I have tried that; that was the first thing I did. Thanks for trying to help me out.

Amanda


----------



## Phantom010 (Mar 9, 2009)

Your computer is infected. Please click on *Report* and kindly ask to be moved to the *Virus & Other Malware Removal* forum. Be sure to provide the appropriate reports in that forum after reading *THIS*. From there, be patient. You should get an answer within the next 48 hours. These guys are really busy!


----------



## schweety (Apr 10, 2006)

Thank you, I'll do that. Is there any way you can tell me what it is infected with? The tech that I took the laptop to said that he got rid of everything. Thanks again.

Amanda


----------



## Phantom010 (Mar 9, 2009)

You're infected with a Backdoor Trojan.


----------



## schweety (Apr 10, 2006)

I read the page on the Virus and Other Malware Removal forum and some of it I don't understand. Will someone help me to accomplish the things that are needed for that forum? Thank you again.


----------



## Phantom010 (Mar 9, 2009)

Once moved to that forum, a malware removal expert will walk you through it. Have your thread moved and please wait for further instructions.


----------



## schweety (Apr 10, 2006)

I sent the report, thanks.


----------



## Phantom010 (Mar 9, 2009)

You're welcome!


----------



## Cookiegal (Aug 27, 2003)

Please post the logs requested at the following link:

http://forums.techguy.org/virus-other-malware-removal/943214-everyone-must-read-before-posting.html

It looks like an autorun infection. Do you use a USB flash or other type of external drive?


----------



## schweety (Apr 10, 2006)

Yes, I use a USB flash drive to store some of my college items on. I downloaded the DDS.scr; I'm not sure how to disable my script blocker. Can you help me with that?


----------



## Phantom010 (Mar 9, 2009)

It's a good habit to disable USB autorun. It will give you a chance to scan the flash drive before opening the files on it.


----------



## schweety (Apr 10, 2006)

OK, how do I do that?


----------



## Cookiegal (Aug 27, 2003)

One of the tools we will be using will do it for you automatically. You should then leave it that way as it's more secure.

Don't worry about script blockers, but if you get any prompts from programs asking if you want to allow DDS to run, don't click anything that would block or interfere with it; you need to allow it.


----------



## Cookiegal (Aug 27, 2003)

Another word of advice while I'm thinking of it as I'm sure I'll forget. Flash drives should not be used to STORE data. They are meant for transfers but not for long-term storage and can fail (of course any type of drive can fail but flash drives are more prone to failure when used to store data for long periods of time). You should get an external drive for storing data and backups which is much more reliable.


----------



## schweety (Apr 10, 2006)

DDS (Ver_10-03-17.01) - NTFSx86 
Run by Amanda at 17:42:18.74 on Wed 08/25/2010
Internet Explorer: 8.0.6001.18943 BrowserJavaVersion: 1.6.0_20
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.2045.1094 [GMT -4:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\LEXBCES.EXE
C:\Windows\System32\LEXPPS.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\System32\alg.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Users\Amanda\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Amanda\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Amanda\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Amanda\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
uStart Page = hxxp://www.aol.com/?src=aim
uWindow Title = Internet Explorer provided by Dell
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
mStart Page = hxxp://www.yahoo.com/
mDefault_Page_URL = hxxp://www.yahoo.com/
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - No File
uRun: [syst32] c:\users\amanda\appdata\roaming\syst32.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Google Update] "c:\users\amanda\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messenger\YahooMessenger.exe" -quiet
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NVHotkey] rundll32.exe c:\windows\system32\nvHotkey.dll,Start
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
StartupFolder: c:\users\amanda\appdata\roaming\micros~1\windows\startm~1\programs\startup\limewi~1.lnk - c:\program files\limewire\LimeWire.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\windows\installer\{7f0c4457-8e64-491b-8d7b-991504365d1e}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
LSA: Authentication Packages = msv1_0 wvauth

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-2-6 106208]
R3 b57nd60x;%SvcDispName%;c:\windows\system32\drivers\b57nd60x.sys [2008-9-24 179712]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-9-24 21504]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2009-9-21 54632]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 ekrn;ESET Service; [x]

=============== Created Last 30 ================

2010-08-25 19:17:51	0	d-----w-	c:\program files\Trend Micro
2010-08-20 19:49:47	0	d-----w-	c:\program files\Windows Portable Devices
2010-08-20 19:46:00	92672	----a-w-	c:\windows\system32\UIAnimation.dll
2010-08-20 19:44:44	30208	----a-w-	c:\windows\system32\WPDShextAutoplay.exe
2010-08-20 19:43:12	555520	----a-w-	c:\windows\system32\UIAutomationCore.dll
2010-08-20 19:43:12	4096	----a-w-	c:\windows\system32\oleaccrc.dll
2010-08-20 19:43:12	234496	----a-w-	c:\windows\system32\oleacc.dll
2010-08-13 22:27:11	0	d-----w-	c:\windows\system32\eu-ES
2010-08-13 22:27:11	0	d-----w-	c:\windows\system32\ca-ES
2010-08-13 22:27:10	0	d-----w-	c:\windows\system32\vi-VN
2010-08-13 22:12:13	0	d-----w-	c:\windows\system32\SPReview
2010-08-13 21:47:09	87552	----a-w-	c:\windows\system32\SearchFilterHost.exe
2010-08-13 21:47:09	441344	----a-w-	c:\windows\system32\SearchIndexer.exe
2010-08-13 21:47:09	185344	----a-w-	c:\windows\system32\SearchProtocolHost.exe
2010-08-13 21:47:09	1169408	----a-w-	c:\windows\system32\sdclt.exe
2010-08-13 21:47:05	241128	----a-w-	c:\windows\system32\rsaenh.dll
2010-08-13 21:47:03	20992	----a-w-	c:\windows\system32\rwinsta.exe
2010-08-13 21:47:03	113664	----a-w-	c:\windows\system32\drivers\rmcast.sys
2010-08-13 21:47:02	33280	----a-w-	c:\windows\system32\drivers\RNDISMP.sys
2010-08-13 21:47:02	127488	----a-w-	c:\windows\system32\rpchttp.dll
2010-08-13 21:47:01	172032	----a-w-	c:\windows\system32\scrrun.dll
2010-08-13 21:44:57	19968	----a-w-	c:\windows\system32\fc.exe
2010-08-13 21:43:59	61440	----a-w-	c:\windows\system32\msjter40.dll
2010-08-13 21:42:58	980	----a-w-	c:\windows\system32\wbem\WmiPerfInst.mof
2010-08-13 14:43:29	0	d-----w-	c:\programdata\Yahoo! Companion
2010-08-13 13:55:13	18904	----a-w-	c:\windows\system32\StructuredQuerySchemaTrivial.bin
2010-08-13 13:25:43	896	----a-w-	c:\windows\system32\wbem\ServiceModel.mof.uninstall
2010-08-13 13:25:43	84985	----a-w-	c:\windows\system32\wbem\ServiceModel.mof
2010-08-13 13:25:43	0	d-----w-	c:\windows\system32\XPSViewer
2010-08-13 13:10:53	65536	----a-w-	c:\windows\ocsetup_cbs_install_NetFx3.dpx
2010-08-13 13:10:53	196608	----a-w-	c:\windows\ocsetup_cbs_install_NetFx3.perf
2010-08-13 13:10:53	174063616	----a-w-	c:\windows\ocsetup_install_NetFx3.etl
2010-08-12 12:04:19	0	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2010-08-10 19:37:33	0	d-----w-	C:\acccore
2010-08-10 18:31:54	302080	----a-w-	c:\windows\system32\drivers\srv.sys
2010-08-10 18:31:54	144896	----a-w-	c:\windows\system32\drivers\srv2.sys
2010-08-10 18:30:57	905088	----a-w-	c:\windows\system32\drivers\tcpip.sys
2010-07-30 03:52:56	0	d-----w-	c:\users\amanda\.limewire

==================== Find3M ====================

2010-08-24 23:53:49	55526	----a-w-	c:\users\amanda\appdata\roaming\nvModes.dat
2010-08-20 19:49:44	665600	----a-w-	c:\windows\inf\drvindex.dat
2010-08-20 19:49:44	51200	----a-w-	c:\windows\inf\infpub.dat
2010-08-20 19:49:43	143360	----a-w-	c:\windows\inf\infstrng.dat
2010-08-20 19:49:43	143360	----a-w-	c:\windows\inf\infstor.dat
2010-08-13 22:08:40	37665	----a-w-	c:\windows\fonts\GlobalUserInterface.CompositeFont
2010-08-13 13:25:13	29779	----a-w-	c:\windows\fonts\GlobalSerif.CompositeFont
2010-08-13 13:25:13	26489	----a-w-	c:\windows\fonts\GlobalSansSerif.CompositeFont
2010-08-13 13:25:13	26040	----a-w-	c:\windows\fonts\GlobalMonospace.CompositeFont
2010-06-26 06:05:49	916480	----a-w-	c:\windows\system32\wininet.dll
2010-06-26 06:02:15	71680	----a-w-	c:\windows\system32\iesetup.dll
2010-06-26 06:02:15	109056	----a-w-	c:\windows\system32\iesysprep.dll
2010-06-26 04:25:02	133632	----a-w-	c:\windows\system32\ieUnatt.exe
2010-06-21 13:37:03	2037760	----a-w-	c:\windows\system32\win32k.sys
2010-06-18 17:31:29	36864	----a-w-	c:\windows\system32\rtutils.dll
2010-06-11 16:16:20	274944	----a-w-	c:\windows\system32\schannel.dll
2010-06-11 16:15:06	1248768	----a-w-	c:\windows\system32\msxml3.dll
2010-06-08 17:35:04	3548040	----a-w-	c:\windows\system32\ntoskrnl.exe
2010-06-08 17:35:03	3600768	----a-w-	c:\windows\system32\ntkrnlpa.exe
2009-01-26 00:58:33	174	--sha-w-	c:\program files\desktop.ini
2007-08-26 13:48:39	774144	----a-w-	c:\program files\RngInterstitial.dll
2006-11-02 12:42:07	30674	----a-w-	c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:07	30674	----a-w-	c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:07	287440	----a-w-	c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:07	287440	----a-w-	c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21	287440	----a-w-	c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21	287440	----a-w-	c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19	30674	----a-w-	c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19	30674	----a-w-	c:\windows\inf\perflib\0000\perfc.dat
2009-10-16 07:33:32	245760	--sha-w-	c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2007-07-18 10:50:03	8192	--sha-w-	c:\windows\users\default\NTUSER.DAT

============= FINISH: 17:43:41.60 ===============


----------



## schweety (Apr 10, 2006)

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft® Windows Vista™ Business 
Boot Device: \Device\HarddiskVolume3
Install Date: 7/17/2007 10:59:04 PM
System Uptime: 8/25/2010 3:02:43 PM (2 hours ago)

Motherboard: Dell Inc. | | 0KX350
Processor: Intel(R) Core(TM)2 CPU T7200 @ 2.00GHz | Microprocessor | 1667/166mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 110 GiB total, 14.567 GiB free.
D: is FIXED (NTFS) - 2 GiB total, 1.409 GiB free.
E: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft ISATAP Adapter
Device ID: ROOT\*ISATAP\0004
Manufacturer: Microsoft
Name: Microsoft ISATAP Adapter #2
PNP Device ID: ROOT\*ISATAP\0004
Service: tunnel

==== System Restore Points ===================

RP849: 8/25/2010 11:05:25 AM - Scheduled Checkpoint
RP850: 8/25/2010 3:08:39 PM - Windows Update

==== Installed Programs ======================

Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.1
Adobe Shockwave Player
AIM 7
ALPS Touch Pad Driver
American Greetings® Art & More Store
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ArcSoft PhotoImpression 5
Are You Smarter Than A 5th Grader?
biolsp patch
Bonjour
Broadcom Management Programs
Canon iP2600 series
Canon iP2600 series User Registration
Canon My Printer
Canon Utilities Easy-PhotoPrint EX
Canon Utilities Solution Menu
Conexant HDA D110 MDC V.92 Modem
Dell Embassy Trust Suite by Wave Systems
Dell Photo Printer 720
Dell Resource CD
Dell System Customization Wizard
Digital Line Detect
Document Manager Lite
EMBASSY Security Center
EMBASSY Security Setup
EMBASSY Trust Suite by Wave Systems
ESC Home Page Plugin
ETS Upgrade
Fingerprint Sensor Minimum Install
Google Chrome
GoToAssist 8.0.0.514
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
iTunes
Java(TM) 6 Update 20
Java(TM) SE Runtime Environment 6
Junk Mail filter update
LimeWire 5.5.8
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Live Add-in 1.5
Microsoft Office Outlook Connector
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Plus 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Web Publishing Wizard 1.52
Modem Diagnostic Tool
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NetWaiting
NTRU TCG Software Stack
NVIDIA Drivers
O2Micro USB Smart Card Reader
OGA Notifier 2.0.0048.0
Photo Story 3 for Windows
PowerDVD
Preboot Manager
PrintMaster 7.00
Private Information Manager
QuickSet
QuickTime
Respondus LockDown Browser
Roxio Creator Audio
Roxio Creator BDAV Plugin
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler
Roxio Update Manager
Secure Update
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for 2007 Microsoft Office System (KB982312)
Security Update for 2007 Microsoft Office System (KB982331)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB982308)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office Outlook 2007 (KB980376)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office Publisher 2007 (KB982124)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB982135)
Security Wizards
Serif DrawPlus 3.0
SigmaTel Audio
Sonic Activation Module
The Print Shop Premier Edition 5.0
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (kb2202131)
upekmsi
URL Assistant
User's Guides
VideoLAN VLC media player 0.8.6h
Wave Infrastructure Installer
Wave Support Software
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live ID Sign-in Assistant
Windows Live Mail
Windows Live Messenger
Windows Live Movie Maker
Windows Live Photo Gallery
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
Yahoo! Messenger
Yahoo! Software Update
Yahoo! Toolbar

==== End Of File ===========================


----------



## schweety (Apr 10, 2006)

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-08-25 18:01:29
Windows 6.0.6002 Service Pack 2
Running: ypsc9xcx.exe; Driver: C:\Users\Amanda\AppData\Local\Temp\awryqpog.sys

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs  eamon.sys (Amon monitor/ESET)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat eamon.sys (Amon monitor/ESET)

---- EOF - GMER 1.0.15 ----


----------



## schweety (Apr 10, 2006)

Ok, those are the logs that were asked for. Thank you for helping me out!

Amanda

Oh and thanks for the advice on the flash drive....I'll get something a bit more dependable, I don't want to lose all of my college things that I have on there. Thanks again!


----------



## Cookiegal (Aug 27, 2003)

Please uninstall this older version of Java via the Control Panel - Add or Remove programs:

Java(TM) SE Runtime Environment 6

Please visit *Combofix Guide & Instructions* for instructions for installing the recovery console and downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to puppy.exe please.

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read *HERE* for an article written by dvk01 on why we disable autoruns.


----------



## schweety (Apr 10, 2006)

Ok, finally got the ComboFix log!

ComboFix 10-08-24.0C - Amanda 08/25/2010 19:44:07.1.2 - x86
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.2045.1313 [GMT -4:00]
Running from: c:\users\Amanda\Desktop\puppy.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Amanda\GoToAssistDownloadHelper.exe

c:\windows\system32\wininit.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-07-26 to 2010-08-26 )))))))))))))))))))))))))))))))
.

2010-08-25 23:52 . 2010-08-26 01:03	--------	d-----w-	c:\users\Amanda\AppData\Local\temp
2010-08-25 23:52 . 2010-08-25 23:52	--------	d-----w-	c:\users\Mom\AppData\Local\temp
2010-08-25 23:52 . 2010-08-25 23:52	--------	d-----w-	c:\users\Default\AppData\Local\temp
2010-08-25 19:17 . 2010-08-25 19:17	--------	d-----w-	c:\program files\Trend Micro
2010-08-20 19:49 . 2010-08-20 19:49	--------	d-----w-	c:\program files\Windows Portable Devices
2010-08-20 19:46 . 2009-09-10 02:00	92672	----a-w-	c:\windows\system32\UIAnimation.dll
2010-08-20 19:44 . 2009-10-01 01:02	30208	----a-w-	c:\windows\system32\WPDShextAutoplay.exe
2010-08-20 19:44 . 2009-10-01 01:01	81920	----a-w-	c:\windows\system32\wpdbusenum.dll
2010-08-20 19:44 . 2009-10-01 01:01	60928	----a-w-	c:\windows\system32\PortableDeviceConnectApi.dll
2010-08-20 19:44 . 2009-10-01 01:01	40448	----a-w-	c:\windows\system32\drivers\WpdUsb.sys
2010-08-20 19:44 . 2009-10-01 01:01	61952	----a-w-	c:\windows\system32\WpdMtpUS.dll
2010-08-20 19:44 . 2009-10-01 01:01	33280	----a-w-	c:\windows\system32\WpdConns.dll
2010-08-20 19:44 . 2009-10-01 01:02	2537472	----a-w-	c:\windows\system32\wpdshext.dll
2010-08-20 19:44 . 2009-10-01 01:02	334848	----a-w-	c:\windows\system32\PortableDeviceApi.dll
2010-08-20 19:44 . 2009-10-01 01:02	87552	----a-w-	c:\windows\system32\WPDShServiceObj.dll
2010-08-20 19:44 . 2009-10-01 01:01	546816	----a-w-	c:\windows\system32\wpd_ci.dll
2010-08-20 19:44 . 2009-10-01 01:01	160256	----a-w-	c:\windows\system32\PortableDeviceTypes.dll
2010-08-20 19:44 . 2009-10-01 01:01	100864	----a-w-	c:\windows\system32\PortableDeviceClassExtension.dll
2010-08-20 19:44 . 2009-10-01 01:01	226816	----a-w-	c:\windows\system32\WpdMtp.dll
2010-08-20 19:43 . 2009-10-08 21:08	555520	----a-w-	c:\windows\system32\UIAutomationCore.dll
2010-08-20 19:43 . 2009-10-08 21:08	234496	----a-w-	c:\windows\system32\oleacc.dll
2010-08-20 19:43 . 2009-10-08 21:07	4096	----a-w-	c:\windows\system32\oleaccrc.dll
2010-08-16 00:08 . 2010-08-16 00:08	--------	d-----w-	c:\users\Mom\AppData\Local\Apple
2010-08-13 22:27 . 2010-08-13 22:29	--------	d-----w-	c:\windows\system32\ca-ES
2010-08-13 22:27 . 2010-08-13 22:29	--------	d-----w-	c:\windows\system32\eu-ES
2010-08-13 22:27 . 2010-08-13 22:29	--------	d-----w-	c:\windows\system32\vi-VN
2010-08-13 22:12 . 2010-08-13 22:12	--------	d-----w-	c:\windows\system32\SPReview
2010-08-13 21:47 . 2009-04-11 03:28	87552	----a-w-	c:\windows\system32\SearchFilterHost.exe
2010-08-13 21:47 . 2009-04-11 03:28	441344	----a-w-	c:\windows\system32\SearchIndexer.exe
2010-08-13 21:47 . 2009-04-11 03:28	185344	----a-w-	c:\windows\system32\SearchProtocolHost.exe
2010-08-13 21:47 . 2009-04-11 03:28	1169408	----a-w-	c:\windows\system32\sdclt.exe
2010-08-13 21:47 . 2009-04-11 03:27	241128	----a-w-	c:\windows\system32\rsaenh.dll
2010-08-13 21:47 . 2009-04-11 03:27	20992	----a-w-	c:\windows\system32\rwinsta.exe
2010-08-13 21:47 . 2009-04-11 01:45	113664	----a-w-	c:\windows\system32\drivers\rmcast.sys
2010-08-13 21:47 . 2009-04-11 03:28	127488	----a-w-	c:\windows\system32\rpchttp.dll
2010-08-13 21:47 . 2009-04-11 01:46	33280	----a-w-	c:\windows\system32\drivers\RNDISMP.sys
2010-08-13 21:47 . 2009-04-11 03:28	172032	----a-w-	c:\windows\system32\scrrun.dll
2010-08-13 21:44 . 2009-04-11 03:28	147456	----a-w-	c:\windows\system32\Faultrep.dll
2010-08-13 21:43 . 2009-04-11 03:32	180712	----a-w-	c:\windows\system32\drivers\msiscsi.sys
2010-08-13 21:42 . 2009-04-11 03:28	533504	----a-w-	c:\windows\system32\wmdrmsdk.dll
2010-08-13 14:43 . 2010-08-13 14:43	--------	d-----w-	c:\programdata\Yahoo! Companion
2010-08-13 13:55 . 2008-05-27 04:59	18904	----a-w-	c:\windows\system32\StructuredQuerySchemaTrivial.bin
2010-08-13 13:25 . 2010-08-13 22:29	--------	d-----w-	c:\windows\system32\XPSViewer
2010-08-12 12:04 . 2010-08-23 01:03	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2010-08-11 21:05 . 2010-08-11 21:20	--------	d-----w-	c:\users\Mom\AppData\Local\Google
2010-08-11 21:03 . 2010-08-11 21:03	159552	----a-w-	c:\users\Mom\AppData\Local\GDIPFONTCACHEV1.DAT
2010-08-11 21:03 . 2010-08-11 21:16	--------	d-----w-	c:\users\Mom\AppData\Local\Deployment
2010-08-11 21:03 . 2010-08-11 21:03	--------	d-----w-	c:\users\Mom\AppData\Local\Apps
2010-08-10 19:37 . 2010-08-10 19:37	--------	d-----w-	C:\acccore
2010-08-10 19:35 . 2010-08-10 19:35	--------	d-----w-	c:\users\Mom\AppData\Roaming\Dell
2010-08-10 18:31 . 2010-06-18 15:04	302080	----a-w-	c:\windows\system32\drivers\srv.sys
2010-08-10 18:31 . 2010-06-18 15:04	144896	----a-w-	c:\windows\system32\drivers\srv2.sys
2010-08-10 18:30 . 2010-06-16 16:04	905088	----a-w-	c:\windows\system32\drivers\tcpip.sys
2010-08-06 04:16 . 2010-08-06 04:17	--------	d-----w-	c:\users\Mom\AppData\Local\Adobe
2010-07-30 03:52 . 2010-08-20 02:21	--------	d-----w-	c:\users\Amanda\.limewire
2010-07-30 03:03 . 2010-07-30 03:03	--------	d-----w-	c:\users\Mom\AppData\Local\Yahoo
2010-07-30 03:02 . 2010-07-30 03:03	--------	d-----w-	c:\users\Mom\AppData\Roaming\Yahoo!
2010-07-27 19:25 . 2010-07-27 19:25	--------	d-----w-	c:\users\Mom\AppData\Local\Mozilla
2010-07-27 19:18 . 2010-08-21 13:27	--------	d-----w-	c:\users\Mom\AppData\Roaming\Apple Computer
2010-07-27 19:18 . 2010-07-27 19:18	--------	d-----w-	c:\users\Mom\AppData\Roaming\CiscoCAA

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-25 03:08 . 2010-08-11 20:51	27145	----a-w-	c:\users\Mom\AppData\Roaming\nvModes.dat
2010-08-24 23:53 . 2007-07-23 22:19	55526	----a-w-	c:\users\Amanda\AppData\Roaming\nvModes.dat
2010-08-24 13:17 . 2007-11-07 20:13	--------	d-----w-	c:\programdata\Yahoo!
2010-08-21 12:38 . 2007-08-25 23:57	1356	----a-w-	c:\users\Amanda\AppData\Local\d3d9caps.dat
2010-08-13 22:29 . 2006-11-02 12:37	--------	d-----w-	c:\program files\Windows Calendar
2010-08-13 22:29 . 2006-11-02 11:18	--------	d-----w-	c:\program files\Windows Mail
2010-08-13 22:29 . 2006-11-02 12:37	--------	d-----w-	c:\program files\Windows Sidebar
2010-08-13 22:29 . 2006-11-02 12:37	--------	d-----w-	c:\program files\Windows Photo Gallery
2010-08-13 22:29 . 2006-11-02 12:37	--------	d-----w-	c:\program files\Windows Defender
2010-08-13 14:43 . 2007-11-07 20:12	--------	d-----w-	c:\program files\Yahoo!
2010-07-29 16:06 . 2007-08-31 01:12	--------	d-----w-	c:\users\Amanda\AppData\Roaming\LimeWire
2010-07-14 02:54 . 2007-09-12 17:05	--------	d-----w-	c:\programdata\Microsoft Help
2010-07-12 21:01 . 2009-09-08 21:02	--------	d-----w-	c:\program files\Microsoft
2010-07-12 20:57 . 2007-09-12 17:09	--------	d-----w-	c:\program files\Microsoft.NET
2010-06-26 06:05 . 2010-08-10 18:33	916480	----a-w-	c:\windows\system32\wininet.dll
2010-06-26 06:02 . 2010-08-10 18:33	71680	----a-w-	c:\windows\system32\iesetup.dll
2010-06-26 06:02 . 2010-08-10 18:33	109056	----a-w-	c:\windows\system32\iesysprep.dll
2010-06-26 04:25 . 2010-08-10 18:33	133632	----a-w-	c:\windows\system32\ieUnatt.exe
2010-06-21 13:37 . 2010-08-10 18:33	2037760	----a-w-	c:\windows\system32\win32k.sys
2010-06-18 17:31 . 2010-08-10 18:33	36864	----a-w-	c:\windows\system32\rtutils.dll
2010-06-11 16:16 . 2010-08-10 18:33	274944	----a-w-	c:\windows\system32\schannel.dll
2010-06-11 16:15 . 2010-08-10 18:33	1248768	----a-w-	c:\windows\system32\msxml3.dll
2010-06-08 17:35 . 2010-08-10 18:33	3548040	----a-w-	c:\windows\system32\ntoskrnl.exe
2010-06-08 17:35 . 2010-08-10 18:33	3600768	----a-w-	c:\windows\system32\ntkrnlpa.exe
2007-08-26 13:48 . 2007-08-26 13:48	774144	----a-w-	c:\program files\RngInterstitial.dll
2007-07-18 10:50 . 2007-07-18 10:49	8192	--sha-w-	c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\users\Amanda\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-05-25 136176]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-06-01 5252408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-10-05 86016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-10-05 81920]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2007-10-05 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-05 8497696]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2006-11-15 151552]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-09-13 405504]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-10-26 652624]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-09-14 1603152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
QuickSet.lnk - c:\windows\Installer\{7F0C4457-8E64-491B-8D7B-991504365D1E}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe [2007-7-17 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages	REG_MULTI_SZ msv1_0 wvauth

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"WMPNSCFG"=c:\program files\Windows Media Player\WMPNSCFG.exe
"swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0\bin\jusched.exe"
"SecureUpgrade"=c:\program files\Wave Systems Corp\SecureUpgrade.exe
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
"ECenter"=c:\dell\E-Center\EULALauncher.exe
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
"MSConfig"="c:\windows\System32\msconfig.exe" /auto
"WavXMgr"=c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam10\QuickCam10.exe" /hide

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):3f,b9,36,f5,76,2a,ca,01

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 ekrn;ESET Service; [x]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2009-02-06 106208]
S3 b57nd60x;%SvcDispName%;c:\windows\system32\DRIVERS\b57nd60x.sys [2008-01-19 179712]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork	REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation	REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-08-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-82609333-1204623338-3527700699-1000Core.job
- c:\users\Amanda\AppData\Local\Google\Update\GoogleUpdate.exe [2010-05-25 19:04]

2010-08-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-82609333-1204623338-3527700699-1000UA.job
- c:\users\Amanda\AppData\Local\Google\Update\GoogleUpdate.exe [2010-05-25 19:04]

2010-08-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-82609333-1204623338-3527700699-1002Core.job
- c:\users\Mom\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-11 21:16]

2010-08-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-82609333-1204623338-3527700699-1002UA.job
- c:\users\Mom\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-11 21:16]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/?src=aim
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-syst32 - c:\users\Amanda\AppData\Roaming\syst32.exe
HKCU-Run-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
Notify-GoToAssist - c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-25 21:06
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(644)
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll

- - - - - - - > 'Explorer.exe'(3628)
c:\program files\ArcSoft\PhotoImpression 5\share\pihook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\LEXBCES.EXE
c:\windows\System32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\STacSV.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\rundll32.exe
c:\program files\Apoint\ApMsgFwd.exe
c:\program files\Dell\QuickSet\quickset.exe
c:\program files\Apoint\HidFind.exe
c:\program files\Apoint\Apntex.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2010-08-25 21:13:37 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-26 01:13

Pre-Run: 16,090,988,544 bytes free
Post-Run: 16,754,262,016 bytes free

- - End Of File - - C2BB3AA4FAF875348FFDB66344E517B2


----------



## schweety (Apr 10, 2006)

And the HJT report

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:36:30 PM, on 8/25/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18943)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Users\Amanda\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Amanda\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Users\Amanda\AppData\Local\Google\Chrome\Application\chrome.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll (file missing)
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKCU\..\Run: [syst32] C:\Users\Amanda\AppData\Roaming\syst32.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Users\Amanda\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: QuickSet.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix: 
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\Windows\System32\LEXBCES.EXE
O23 - Service: Dell Internal Network Card Power Management (nicconfigsvc) - Dell Inc. - C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: NTRU TSS v1.2.1.12 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 8079 bytes


----------



## Phantom010 (Mar 9, 2009)

Sorry *Cookiegal* for interfering. I just want to bring to *schweety*'s attention and yours that this is the exact same HijackThis log that was previously posted.

I've seen this happen quite a few times with Vista. *Disabling the UAC* and running another scan usually fixes it.


----------



## schweety (Apr 10, 2006)

What scan will I have to run again?


----------



## schweety (Apr 10, 2006)

I disabled the UAC and ran HJT again. The new log is below. If I have to run a different scan please let me know. Thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:58:54 PM, on 8/25/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18943)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files\Apoint\Apntex.exe
C:\Users\Amanda\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Users\Amanda\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Amanda\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Amanda\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll (file missing)
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKCU\..\Run: [Google Update] "C:\Users\Amanda\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: QuickSet.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\Windows\System32\LEXBCES.EXE
O23 - Service: Dell Internal Network Card Power Management (nicconfigsvc) - Dell Inc. - C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: NTRU TSS v1.2.1.12 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 6923 bytes


----------



## Cookiegal (Aug 27, 2003)

Please download *SystemLook* from one of the links below and save it to your Desktop.
*Download Mirror #1
Download Mirror #2*
Double-click *SystemLook.exe* to run it.
Copy the content of the following code box into the main text field:

```
:filefind
*wininit*
```

Click the *Look* button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
*Note:* The log can also be found on your Desktop, entitled *SystemLook.txt*


----------



## schweety (Apr 10, 2006)

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 16:03 on 26/08/2010 by Amanda (Administrator - Elevation successful)

========== filefind ==========

Searching for "*wininit*"
C:\Qoobox\Quarantine\C\Windows\System32\wininit.exe.vir	--a--- 96768 bytes	[13:26 24/09/2008]	[07:33 19/01/2008] 101BA3EA053480BB5D957EF37C06B5ED
C:\Windows\ERDNT\cache\wininit.exe	--a--- 96768 bytes	[01:12 26/08/2010]	[07:33 19/01/2008] 101BA3EA053480BB5D957EF37C06B5ED
C:\Windows\PolicyDefinitions\en-US\WinInit.adml	--a--- 2026 bytes	[12:41 02/11/2006]	[12:41 02/11/2006] 5A55EFE78F5DE3C24FAD6717DE1A550F
C:\Windows\PolicyDefinitions\WinInit.admx	--a--- 1955 bytes	[12:36 02/11/2006]	[12:36 02/11/2006] F66D412710F29E576EAF728735E0A520
C:\Windows\System32\en-US\wininit.exe.mui	--a--- 5120 bytes	[12:40 02/11/2006]	[12:40 02/11/2006] 8B319B0E4689F18F8AEE2107B8D06461
C:\Windows\System32\wbem\wininit.mof	--a--- 1333 bytes	[08:44 02/11/2006]	[21:41 18/09/2006] 9B876BF451B9A67511A8893F0B24CD96
C:\Windows\System32\wininit.exe	--a--- 96768 bytes	[13:26 24/09/2008]	[07:33 19/01/2008] 101BA3EA053480BB5D957EF37C06B5ED
C:\Windows\winsxs\Backup\x86_microsoft-windows-wininit.resources_31bf3856ad364e35_6.0.6000.16386_en-us_432ececa0d9c34d3.manifest	--a--- 2754 bytes	[12:42 02/11/2006]	[12:42 02/11/2006] E0805962347FF8573D6759A0756C3029
C:\Windows\winsxs\Backup\x86_microsoft-windows-wininit.resources_31bf3856ad364e35_6.0.6000.16386_en-us_432ececa0d9c34d3_wininit.exe.mui_997435f5	--a--- 5120 bytes	[12:42 02/11/2006]	[12:42 02/11/2006] 8B319B0E4689F18F8AEE2107B8D06461
C:\Windows\winsxs\Backup\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6001.18000_none_30f2b8cf0450a6a2.manifest	--a--- 10732 bytes	[00:45 26/01/2009]	[21:49 25/01/2009] E3331251C1A644527767AD79F1F2F423
C:\Windows\winsxs\Backup\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6001.18000_none_30f2b8cf0450a6a2_wininit.exe_7a527f28	--a--- 96768 bytes	[00:45 26/01/2009]	[21:49 25/01/2009] 101BA3EA053480BB5D957EF37C06B5ED
C:\Windows\winsxs\Backup\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6001.18000_none_30f2b8cf0450a6a2_wmsgapi.dll_2b5c2330	--a--- 10752 bytes	[00:45 26/01/2009]	[21:49 25/01/2009] F0321DA5203F1E71917F3B7A13DC4912
C:\Windows\winsxs\Manifests\x86_microsoft-windows-wininit-adm.resources_31bf3856ad364e35_6.0.6000.16386_en-us_61a89c6e4f1abf46.manifest	--a--- 2612 bytes	[12:40 02/11/2006]	[12:40 02/11/2006] 6242030EC5AB6F112F94ED04A38D406A
C:\Windows\winsxs\Manifests\x86_microsoft-windows-wininit-adm_31bf3856ad364e35_6.0.6000.16386_none_dbb9c3df4aa94a73.manifest	--a--- 2912 bytes	[12:34 02/11/2006]	[12:34 02/11/2006] 7A2517EC6046CC49E3149D7A7C674CD2
C:\Windows\winsxs\Manifests\x86_microsoft-windows-wininit-events_31bf3856ad364e35_6.0.6000.16386_none_7b812b227f6bf462.manifest	--a--- 7556 bytes	[10:20 02/11/2006]	[10:04 02/11/2006] 5594B85AA1488EC6EAA001DF3EA11DE7
C:\Windows\winsxs\Manifests\x86_microsoft-windows-wininit-mof_31bf3856ad364e35_6.0.6000.16386_none_d8aa1a7d4c9e74c1.manifest	--a--- 1572 bytes	[10:20 02/11/2006]	[10:07 02/11/2006] 0593E16973B71FD0CBB49F864083B600
C:\Windows\winsxs\Manifests\x86_microsoft-windows-wininit.resources_31bf3856ad364e35_6.0.6000.16386_en-us_432ececa0d9c34d3.manifest	--a--- 2754 bytes	[12:39 02/11/2006]	[12:39 02/11/2006] E0805962347FF8573D6759A0756C3029
C:\Windows\winsxs\Manifests\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6000.16386_none_2ebbf6d3076595ce.manifest	--a--- 10777 bytes	[10:20 02/11/2006]	[10:06 02/11/2006] 3F2C9E0937A6F1495A85E956B07357BC
C:\Windows\winsxs\Manifests\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6001.18000_none_30f2b8cf0450a6a2.manifest	------ 10732 bytes	[22:51 23/09/2008]	[04:40 19/01/2008] E3331251C1A644527767AD79F1F2F423
C:\Windows\winsxs\x86_microsoft-windows-wininit-adm.resources_31bf3856ad364e35_6.0.6000.16386_en-us_61a89c6e4f1abf46\WinInit.adml	--a--- 2026 bytes	[12:41 02/11/2006]	[12:41 02/11/2006] 5A55EFE78F5DE3C24FAD6717DE1A550F
C:\Windows\winsxs\x86_microsoft-windows-wininit-adm_31bf3856ad364e35_6.0.6000.16386_none_dbb9c3df4aa94a73\WinInit.admx	--a--- 1955 bytes	[12:36 02/11/2006]	[12:36 02/11/2006] F66D412710F29E576EAF728735E0A520
C:\Windows\winsxs\x86_microsoft-windows-wininit-mof_31bf3856ad364e35_6.0.6000.16386_none_d8aa1a7d4c9e74c1\wininit.mof	--a--- 1333 bytes	[08:44 02/11/2006]	[21:41 18/09/2006] 9B876BF451B9A67511A8893F0B24CD96
C:\Windows\winsxs\x86_microsoft-windows-wininit.resources_31bf3856ad364e35_6.0.6000.16386_en-us_432ececa0d9c34d3\wininit.exe.mui	--a--- 5120 bytes	[12:40 02/11/2006]	[12:40 02/11/2006] 8B319B0E4689F18F8AEE2107B8D06461
C:\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6001.18000_none_30f2b8cf0450a6a2\wininit.exe	--a--- 96768 bytes	[13:26 24/09/2008]	[07:33 19/01/2008] 101BA3EA053480BB5D957EF37C06B5ED

-=End Of File=-


----------
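The point of the `:filefind *wininit*` request above is to see whether the live `C:\Windows\System32\wininit.exe` carries the same hash as the copies Windows keeps in WinSxS and the ERDNT cache, and as the copy ComboFix quarantined as `wininit.exe.vir`. The following is an added example, not code from this thread or from SystemLook's author: it parses SystemLook `filefind` output lines and performs that comparison. The sample lines are taken from the log above with their tab separators restored; the "tampered" variant is constructed with an all-zero placeholder hash to show what a replaced system binary would look like.

```python
import re
from collections import defaultdict

# One SystemLook ":filefind" result line has the layout seen in the log above:
#   <path> TAB <attrs> <size> bytes TAB [<modified>] TAB [<created>] <MD5>
LINE_RE = re.compile(
    r"^(?P<path>[^\t]+)\t(?P<attrs>[-a-z]{6}) (?P<size>\d+) bytes\t"
    r"\[(?P<modified>[^\]]+)\]\t\[(?P<created>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)

# Constructed sample: a subset of the result lines from the log above (tabs restored).
SAMPLE_LOG = "\n".join([
    "========== filefind ==========",
    "",
    'Searching for "*wininit*"',
    "C:\\Qoobox\\Quarantine\\C\\Windows\\System32\\wininit.exe.vir\t--a--- 96768 bytes"
    "\t[13:26 24/09/2008]\t[07:33 19/01/2008] 101BA3EA053480BB5D957EF37C06B5ED",
    "C:\\Windows\\ERDNT\\cache\\wininit.exe\t--a--- 96768 bytes"
    "\t[01:12 26/08/2010]\t[07:33 19/01/2008] 101BA3EA053480BB5D957EF37C06B5ED",
    "C:\\Windows\\System32\\en-US\\wininit.exe.mui\t--a--- 5120 bytes"
    "\t[12:40 02/11/2006]\t[12:40 02/11/2006] 8B319B0E4689F18F8AEE2107B8D06461",
    "C:\\Windows\\System32\\wininit.exe\t--a--- 96768 bytes"
    "\t[13:26 24/09/2008]\t[07:33 19/01/2008] 101BA3EA053480BB5D957EF37C06B5ED",
    "C:\\Windows\\winsxs\\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6001.18000"
    "_none_30f2b8cf0450a6a2\\wininit.exe\t--a--- 96768 bytes"
    "\t[13:26 24/09/2008]\t[07:33 19/01/2008] 101BA3EA053480BB5D957EF37C06B5ED",
    "",
    "-=End Of File=-",
])

# Constructed negative case: the same log, but the live System32 copy now carries a
# different size and a placeholder hash, as a replaced system binary would.
TAMPERED_LOG = SAMPLE_LOG.replace(
    "System32\\wininit.exe\t--a--- 96768 bytes\t[13:26 24/09/2008]\t[07:33 19/01/2008] "
    "101BA3EA053480BB5D957EF37C06B5ED",
    "System32\\wininit.exe\t--a--- 97280 bytes\t[02:11 15/08/2010]\t[07:33 19/01/2008] "
    "00000000000000000000000000000000",
)


def parse_filefind(text):
    """Return one dict per result line; headers, blank lines and the trailer are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["size"] = int(rec["size"])
            rec["md5"] = rec["md5"].upper()
            records.append(rec)
    return records


def check_system_file(records, filename="wininit.exe"):
    """Compare the live C:\\Windows\\System32 copy of `filename` with the copies kept in
    WinSxS and the ERDNT cache; a ComboFix quarantine copy (.vir) is grouped as well.
    Returns (verdict, by_hash): verdict is 'consistent', 'mismatch', 'live-missing' or
    'no-reference'; by_hash maps each MD5 to the paths that carry it."""
    wanted = {filename.lower(), filename.lower() + ".vir"}
    live, reference, by_hash = None, set(), defaultdict(list)
    for rec in records:
        path = rec["path"].lower()
        if path.rsplit("\\", 1)[-1] not in wanted:
            continue  # .mui, .mof and manifest hits are not the binary itself
        by_hash[rec["md5"]].append(rec["path"])
        if path == "c:\\windows\\system32\\" + filename.lower():
            live = rec["md5"]
        elif "\\winsxs\\" in path or "\\erdnt\\" in path:
            reference.add(rec["md5"])
    if live is None:
        return "live-missing", dict(by_hash)
    if not reference:
        return "no-reference", dict(by_hash)
    return ("consistent" if reference == {live} else "mismatch"), dict(by_hash)


if __name__ == "__main__":
    for label, log in (("original", SAMPLE_LOG), ("tampered", TAMPERED_LOG)):
        verdict, by_hash = check_system_file(parse_filefind(log))
        print(f"{label}: {verdict}")
        for md5, paths in by_hash.items():
            print(f"  {md5}: {len(paths)} copy/copies")
```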



## schweety (Apr 10, 2006)

I know you all are busy. I go back to college on Sunday and was hoping to have this solved by then. Please take a look at the log I posted this afternoon and let me know my next step. I appreciate the help very much!

Amanda


----------



## Cookiegal (Aug 27, 2003)

Please go to the link below and upload the following file(s) for analysis and post the results please:

http://virusscan.jotti.org/

C:\Windows\System32\wininit.exe


----------



## schweety (Apr 10, 2006)

Filename:	wininit.exe
Status:	
Scan finished. 0 out of 19 scanners reported malware.
Scan taken on: Fri 27 Aug 2010 20:29:08 (CET) Permalink

I wasn't sure if you needed this information or not.

File size: 96768 bytes
Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: 101ba3ea053480bb5d957ef37c06b5ed
SHA1: 738ef691944f08cf0c405a52f3f55e99ef6e8e6e


----------



## Cookiegal (Aug 27, 2003)

Please run ComboFix one more time (be sure to disable security programs - last time you didn't disable Windows Defender) then post the new log please.


----------



## schweety (Apr 10, 2006)

How do I disable that? I was under the impression that I had already done that long before I had this problem.


----------



## schweety (Apr 10, 2006)

I disabled it and will run the combo fix again.


----------



## Cookiegal (Aug 27, 2003)

OK, thanks.


----------



## schweety (Apr 10, 2006)

ComboFix 10-08-26.04 - Amanda 08/27/2010 15:01:34.2.2 - x86
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.2045.1071 [GMT -4:00]
Running from: c:\users\Amanda\Desktop\puppy.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-07-27 to 2010-08-27 )))))))))))))))))))))))))))))))
.

2010-08-27 19:08 . 2010-08-27 19:08	--------	d-----w-	c:\users\Amanda\AppData\Local\temp
2010-08-27 19:08 . 2010-08-27 19:08	--------	d-----w-	c:\windows\system32\config\systemprofile\AppData\Local\temp
2010-08-27 19:08 . 2010-08-27 19:08	--------	d-----w-	c:\users\Public\AppData\Local\temp
2010-08-27 19:08 . 2010-08-27 19:08	--------	d-----w-	c:\users\Mom\AppData\Local\temp
2010-08-27 19:08 . 2010-08-27 19:08	--------	d-----w-	c:\users\Default\AppData\Local\temp
2010-08-25 19:17 . 2010-08-25 19:17	--------	d-----w-	c:\program files\Trend Micro
2010-08-24 13:17 . 2010-04-20 20:45	607472	----a-w-	c:\programdata\Yahoo!\YUpdater\yupdater.exe
2010-08-20 19:49 . 2010-08-20 19:49	--------	d-----w-	c:\program files\Windows Portable Devices
2010-08-20 19:46 . 2009-09-10 02:00	92672	----a-w-	c:\windows\system32\UIAnimation.dll
2010-08-20 19:44 . 2009-10-01 01:02	30208	----a-w-	c:\windows\system32\WPDShextAutoplay.exe
2010-08-20 19:44 . 2009-10-01 01:01	81920	----a-w-	c:\windows\system32\wpdbusenum.dll
2010-08-20 19:44 . 2009-10-01 01:01	60928	----a-w-	c:\windows\system32\PortableDeviceConnectApi.dll
2010-08-20 19:44 . 2009-10-01 01:01	40448	----a-w-	c:\windows\system32\drivers\WpdUsb.sys
2010-08-20 19:44 . 2009-10-01 01:01	61952	----a-w-	c:\windows\system32\WpdMtpUS.dll
2010-08-20 19:44 . 2009-10-01 01:01	33280	----a-w-	c:\windows\system32\WpdConns.dll
2010-08-20 19:44 . 2009-10-01 01:02	2537472	----a-w-	c:\windows\system32\wpdshext.dll
2010-08-20 19:44 . 2009-10-01 01:02	334848	----a-w-	c:\windows\system32\PortableDeviceApi.dll
2010-08-20 19:44 . 2009-10-01 01:02	87552	----a-w-	c:\windows\system32\WPDShServiceObj.dll
2010-08-20 19:44 . 2009-10-01 01:01	546816	----a-w-	c:\windows\system32\wpd_ci.dll
2010-08-20 19:44 . 2009-10-01 01:01	160256	----a-w-	c:\windows\system32\PortableDeviceTypes.dll
2010-08-20 19:44 . 2009-10-01 01:01	100864	----a-w-	c:\windows\system32\PortableDeviceClassExtension.dll
2010-08-20 19:44 . 2009-10-01 01:01	226816	----a-w-	c:\windows\system32\WpdMtp.dll
2010-08-20 19:43 . 2009-10-08 21:08	555520	----a-w-	c:\windows\system32\UIAutomationCore.dll
2010-08-20 19:43 . 2009-10-08 21:08	234496	----a-w-	c:\windows\system32\oleacc.dll
2010-08-20 19:43 . 2009-10-08 21:07	4096	----a-w-	c:\windows\system32\oleaccrc.dll
2010-08-16 00:08 . 2010-08-16 00:08	--------	d-----w-	c:\users\Mom\AppData\Local\Apple
2010-08-13 22:27 . 2010-08-13 22:29	--------	d-----w-	c:\windows\system32\ca-ES
2010-08-13 22:27 . 2010-08-13 22:29	--------	d-----w-	c:\windows\system32\eu-ES
2010-08-13 22:27 . 2010-08-13 22:29	--------	d-----w-	c:\windows\system32\vi-VN
2010-08-13 22:12 . 2010-08-13 22:12	--------	d-----w-	c:\windows\system32\SPReview
2010-08-13 21:47 . 2009-04-11 03:28	87552	----a-w-	c:\windows\system32\SearchFilterHost.exe
2010-08-13 21:47 . 2009-04-11 03:28	441344	----a-w-	c:\windows\system32\SearchIndexer.exe
2010-08-13 21:47 . 2009-04-11 03:28	185344	----a-w-	c:\windows\system32\SearchProtocolHost.exe
2010-08-13 21:47 . 2009-04-11 03:28	1169408	----a-w-	c:\windows\system32\sdclt.exe
2010-08-13 21:47 . 2009-04-11 03:27	241128	----a-w-	c:\windows\system32\rsaenh.dll
2010-08-13 21:47 . 2009-04-11 03:27	20992	----a-w-	c:\windows\system32\rwinsta.exe
2010-08-13 21:47 . 2009-04-11 01:45	113664	----a-w-	c:\windows\system32\drivers\rmcast.sys
2010-08-13 21:47 . 2009-04-11 03:28	127488	----a-w-	c:\windows\system32\rpchttp.dll
2010-08-13 21:47 . 2009-04-11 01:46	33280	----a-w-	c:\windows\system32\drivers\RNDISMP.sys
2010-08-13 21:47 . 2009-04-11 03:28	172032	----a-w-	c:\windows\system32\scrrun.dll
2010-08-13 21:44 . 2009-04-11 03:28	147456	----a-w-	c:\windows\system32\Faultrep.dll
2010-08-13 21:43 . 2009-04-11 03:32	180712	----a-w-	c:\windows\system32\drivers\msiscsi.sys
2010-08-13 21:42 . 2009-04-11 03:28	533504	----a-w-	c:\windows\system32\wmdrmsdk.dll
2010-08-13 14:43 . 2010-08-26 20:00	--------	d-----w-	c:\programdata\Yahoo! Companion
2010-08-13 13:55 . 2008-05-27 04:59	18904	----a-w-	c:\windows\system32\StructuredQuerySchemaTrivial.bin
2010-08-13 13:25 . 2010-08-13 22:29	--------	d-----w-	c:\windows\system32\XPSViewer
2010-08-12 12:04 . 2010-08-23 01:03	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2010-08-11 21:05 . 2010-08-11 21:20	--------	d-----w-	c:\users\Mom\AppData\Local\Google
2010-08-11 21:03 . 2010-08-11 21:03	159552	----a-w-	c:\users\Mom\AppData\Local\GDIPFONTCACHEV1.DAT
2010-08-11 21:03 . 2010-08-11 21:16	--------	d-----w-	c:\users\Mom\AppData\Local\Deployment
2010-08-11 21:03 . 2010-08-11 21:03	--------	d-----w-	c:\users\Mom\AppData\Local\Apps
2010-08-10 19:37 . 2010-08-10 19:37	--------	d-----w-	C:\acccore
2010-08-10 19:35 . 2010-08-10 19:35	--------	d-----w-	c:\users\Mom\AppData\Roaming\Dell
2010-08-10 18:31 . 2010-06-18 15:04	302080	----a-w-	c:\windows\system32\drivers\srv.sys
2010-08-10 18:31 . 2010-06-18 15:04	144896	----a-w-	c:\windows\system32\drivers\srv2.sys
2010-08-10 18:30 . 2010-06-16 16:04	905088	----a-w-	c:\windows\system32\drivers\tcpip.sys
2010-08-06 04:16 . 2010-08-06 04:17	--------	d-----w-	c:\users\Mom\AppData\Local\Adobe
2010-07-30 03:52 . 2010-08-20 02:21	--------	d-----w-	c:\users\Amanda\.limewire
2010-07-30 03:03 . 2010-07-30 03:03	--------	d-----w-	c:\users\Mom\AppData\Local\Yahoo
2010-07-30 03:02 . 2010-07-30 03:03	--------	d-----w-	c:\users\Mom\AppData\Roaming\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-27 03:39 . 2007-07-23 22:19	55526	----a-w-	c:\users\Amanda\AppData\Roaming\nvModes.dat
2010-08-25 03:08 . 2010-08-11 20:51	27145	----a-w-	c:\users\Mom\AppData\Roaming\nvModes.dat
2010-08-24 13:17 . 2007-11-07 20:13	--------	d-----w-	c:\programdata\Yahoo!
2010-08-21 13:27 . 2010-07-27 19:18	--------	d-----w-	c:\users\Mom\AppData\Roaming\Apple Computer
2010-08-21 12:38 . 2007-08-25 23:57	1356	----a-w-	c:\users\Amanda\AppData\Local\d3d9caps.dat
2010-08-20 19:49 . 2006-11-02 10:25	665600	----a-w-	c:\windows\inf\drvindex.dat
2010-08-13 22:29 . 2006-11-02 12:37	--------	d-----w-	c:\program files\Windows Calendar
2010-08-13 22:29 . 2006-11-02 11:18	--------	d-----w-	c:\program files\Windows Mail
2010-08-13 22:29 . 2006-11-02 12:37	--------	d-----w-	c:\program files\Windows Sidebar
2010-08-13 22:29 . 2006-11-02 12:37	--------	d-----w-	c:\program files\Windows Photo Gallery
2010-08-13 22:29 . 2006-11-02 12:37	--------	d-----w-	c:\program files\Windows Defender
2010-08-13 14:43 . 2007-11-07 20:12	--------	d-----w-	c:\program files\Yahoo!
2010-07-29 16:06 . 2007-08-31 01:12	--------	d-----w-	c:\users\Amanda\AppData\Roaming\LimeWire
2010-07-27 19:18 . 2010-07-27 19:18	--------	d-----w-	c:\users\Mom\AppData\Roaming\CiscoCAA
2010-07-14 02:54 . 2007-09-12 17:05	--------	d-----w-	c:\programdata\Microsoft Help
2010-07-12 21:01 . 2009-09-08 21:02	--------	d-----w-	c:\program files\Microsoft
2010-07-12 20:57 . 2007-09-12 17:09	--------	d-----w-	c:\program files\Microsoft.NET
2010-06-26 06:05 . 2010-08-10 18:33	916480	----a-w-	c:\windows\system32\wininet.dll
2010-06-26 06:02 . 2010-08-10 18:33	71680	----a-w-	c:\windows\system32\iesetup.dll
2010-06-26 06:02 . 2010-08-10 18:33	109056	----a-w-	c:\windows\system32\iesysprep.dll
2010-06-26 04:25 . 2010-08-10 18:33	133632	----a-w-	c:\windows\system32\ieUnatt.exe
2010-06-21 13:37 . 2010-08-10 18:33	2037760	----a-w-	c:\windows\system32\win32k.sys
2010-06-18 17:31 . 2010-08-10 18:33	36864	----a-w-	c:\windows\system32\rtutils.dll
2010-06-11 16:16 . 2010-08-10 18:33	274944	----a-w-	c:\windows\system32\schannel.dll
2010-06-11 16:15 . 2010-08-10 18:33	1248768	----a-w-	c:\windows\system32\msxml3.dll
2010-06-08 17:35 . 2010-08-10 18:33	3548040	----a-w-	c:\windows\system32\ntoskrnl.exe
2010-06-08 17:35 . 2010-08-10 18:33	3600768	----a-w-	c:\windows\system32\ntkrnlpa.exe
2007-08-26 13:48 . 2007-08-26 13:48	774144	----a-w-	c:\program files\RngInterstitial.dll
2007-07-18 10:50 . 2007-07-18 10:49	8192	--sha-w-	c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\users\Amanda\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-05-25 136176]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-06-01 5252408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-10-05 86016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-10-05 81920]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2007-10-05 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-05 8497696]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2006-11-15 151552]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-09-13 405504]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-10-26 652624]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-09-14 1603152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
QuickSet.lnk - c:\windows\Installer\{7F0C4457-8E64-491B-8D7B-991504365D1E}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe [2007-7-17 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages	REG_MULTI_SZ msv1_0 wvauth

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"WMPNSCFG"=c:\program files\Windows Media Player\WMPNSCFG.exe
"swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0\bin\jusched.exe"
"SecureUpgrade"=c:\program files\Wave Systems Corp\SecureUpgrade.exe
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
"ECenter"=c:\dell\E-Center\EULALauncher.exe
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
"MSConfig"="c:\windows\System32\msconfig.exe" /auto
"WavXMgr"=c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam10\QuickCam10.exe" /hide

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):3f,b9,36,f5,76,2a,ca,01

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 ekrn;ESET Service; [x]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2009-02-06 106208]
S3 b57nd60x;%SvcDispName%;c:\windows\system32\DRIVERS\b57nd60x.sys [2008-01-19 179712]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork	REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation	REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-08-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-82609333-1204623338-3527700699-1000Core.job
- c:\users\Amanda\AppData\Local\Google\Update\GoogleUpdate.exe [2010-05-25 19:04]

2010-08-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-82609333-1204623338-3527700699-1000UA.job
- c:\users\Amanda\AppData\Local\Google\Update\GoogleUpdate.exe [2010-05-25 19:04]

2010-08-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-82609333-1204623338-3527700699-1002Core.job
- c:\users\Mom\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-11 21:16]

2010-08-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-82609333-1204623338-3527700699-1002UA.job
- c:\users\Mom\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-11 21:16]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/?src=aim
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-27 15:08
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(640)
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll
.
Completion time: 2010-08-27 15:12:20
ComboFix-quarantined-files.txt 2010-08-27 19:12
ComboFix2.txt 2010-08-26 01:13

Pre-Run: 16,257,986,560 bytes free
Post-Run: 16,229,761,024 bytes free

- - End Of File - - 860B99A71C829704DB1F2A0D2E769A68


----------



## schweety (Apr 10, 2006)

After looking at the beginning of the log it says windows defender is enabled, but the computer says it's off. I'm not sure if I did turn it off correctly.


----------



## schweety (Apr 10, 2006)

I will be back in a few hours to post whatever you need me to, work calls!


----------



## Cookiegal (Aug 27, 2003)

Please go to the link below and upload the following file(s) for analysis and post the results please:

http://virusscan.jotti.org/

C:\Qoobox\Quarantine\C\Windows\System32\wininit.exe.vir


----------



## schweety (Apr 10, 2006)

Filename:	wininit.exe.vir
Status:	
Scan finished. 0 out of 19 scanners reported malware.
Scan taken on: Sat 28 Aug 2010 04:50:39 (CET) Permalink

File size: 96768 bytes
Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: 101ba3ea053480bb5d957ef37c06b5ed
SHA1: 738ef691944f08cf0c405a52f3f55e99ef6e8e6e


----------



## Cookiegal (Aug 27, 2003)

Why do you not have any antivirus program installed? I see you had Eset as there are a few leftovers. Did you uninstall it?


----------



## schweety (Apr 10, 2006)

Yes, I did have NOD32 downloaded and uninstalled it. Then I have been trying to get rid of that update, so I downloaded AVG today and ran it; it got rid of the trojan, but the update won't download. How do I get rid of the Eset things?


----------



## Cookiegal (Aug 27, 2003)

What did AVG detect? The name of the file and the location please.


----------



## schweety (Apr 10, 2006)

Trojan horse Dropper.Generic2AIBK, and it was in my downloads. I also got rid of some of the ESET items; the only one that I couldn't get rid of was the file INFCACHE.1. How do I do that?


----------



## Cookiegal (Aug 27, 2003)

I need the name of the file and the location (path) as opposed to the name of the infection please.


----------



## Cookiegal (Aug 27, 2003)

Also, please go *Here* and enter the URL to this thread beside *Link to topic where this file was requested:*

Then click on *Browse* and locate the following file on your computer:

*C:\Qoobox\Quarantine\C\Windows\System32\wininit.exe.vir*

Select the file and click OK. Then click on *Send File*.


----------

