Probable self inflicted injury/searchinvented.com

  1. #11
    diverdorr68 is offline Junior Member

    re: Probable self inflicted injury/searchinvented.com

    Hi Broni,
    Sorry for the delay,

    update for website redirects: no change, with the exception that there now are at least a half dozen site names flashing across the bottom of my page in a second or two, just until I am able to close the tab.

    here is the combofix log:

    ComboFix 10-02-06.01 - Robert Lee Dorr 02/07/2010 9:44.1.2 - x86
    Microsoft® Windows Vista™ Starter 6.0.6002.2.1252.63.1033.18.1977.1008 [GMT 8:00]
    Running from: c:\users\Robert Lee Dorr\Pictures\Downloads\8cdft5ek78.exe
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\temp
    c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
    c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
    c:\windows\Suyin.reg

    ----- BITS: Possible infected sites -----

    hxxp://armmf.adobe.com
    .
    ((((((((((((((((((((((((( Files Created from 2010-01-07 to 2010-02-07 )))))))))))))))))))))))))))))))
    .

    2010-02-07 01:53 . 2010-02-07 01:53 -------- d-----w- c:\users\Leslie Dorr\AppData\Local\temp
    2010-02-07 01:53 . 2010-02-07 01:53 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-02-07 01:53 . 2010-02-07 01:53 -------- d-----w- c:\users\Joem Dorr\AppData\Local\temp
    2010-02-06 22:12 . 2010-02-06 22:12 -------- d-----w- c:\program files\Trend Micro
    2010-02-06 17:34 . 2010-02-06 17:34 -------- d-----w- c:\users\Robert Lee Dorr\AppData\Roaming\Malwarebytes
    2010-02-06 17:34 . 2010-01-07 08:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-02-06 17:34 . 2010-02-06 17:34 -------- d-----w- c:\programdata\Malwarebytes
    2010-02-06 17:34 . 2010-02-06 17:34 -------- d-----w- C:\desktop
    2010-02-06 17:34 . 2010-01-07 08:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-02-05 03:50 . 2010-02-05 03:50 52224 ----a-w- c:\users\Robert Lee Dorr\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-02-05 03:50 . 2010-02-06 13:12 117760 ----a-w- c:\users\Robert Lee Dorr\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-02-05 03:50 . 2010-02-05 03:50 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2010-02-05 03:49 . 2010-02-05 03:49 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-02-05 03:49 . 2010-02-05 03:49 -------- d-----w- c:\users\Robert Lee Dorr\AppData\Roaming\SUPERAntiSpyware.com
    2010-02-05 03:47 . 2010-02-05 03:47 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2010-01-29 10:32 . 2010-01-29 10:33 -------- d-----w- c:\users\Joem Dorr\AppData\Local\Adobe
    2010-01-29 05:24 . 2010-01-29 05:24 -------- d-----w- c:\programdata\FLEXnet
    2010-01-29 03:17 . 2010-02-04 15:14 -------- d-----w- c:\program files\Common Files\Adobe
    2010-01-28 10:41 . 2010-01-28 10:41 -------- d-----w- c:\users\Joem Dorr\AppData\Local\Microsoft Help
    2010-01-28 10:23 . 2010-01-28 10:23 -------- d-sh--we c:\users\Leslie Dorr\AppData\Local\Temporary Internet Files
    2010-01-28 10:23 . 2010-01-28 10:23 -------- d-sh--we c:\users\Leslie Dorr\AppData\Local\History
    2010-01-28 10:23 . 2010-01-28 10:23 -------- d-sh--we c:\users\Leslie Dorr\AppData\Local\Application Data
    2010-01-28 01:06 . 2010-01-28 01:06 -------- d-----w- c:\users\Robert Lee Dorr\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
    2010-01-27 06:09 . 2010-01-27 06:09 -------- d-----w- c:\users\Joem Dorr\AppData\Local\Mozilla
    2010-01-27 06:09 . 2010-01-27 06:09 -------- d-----w- c:\users\Joem Dorr\AppData\Local\Scansoft
    2010-01-27 06:09 . 2010-02-05 13:53 68560 ----a-w- c:\users\Joem Dorr\AppData\Local\GDIPFONTCACHEV1.DAT
    2010-01-27 04:27 . 2010-01-27 04:27 86016 ----a-w- c:\programdata\NOS\Adobe_Downloads\arh.exe
    2010-01-21 10:48 . 2009-11-10 06:39 607472 ----a-w- c:\programdata\Yahoo!\YUpdater\yupdater.exe
    2010-01-19 08:08 . 2010-01-20 04:12 -------- d-----w- c:\program files\SMART BRO(12)
    2010-01-19 08:08 . 2010-01-20 03:03 -------- d-----w- c:\program files\SMART BRO(137)
    2010-01-15 00:54 . 2010-01-15 00:54 2855 ----a-w- c:\users\Robert Lee Dorr\AppData\Roaming\Microsoft\Windows\Recent\Comfy Cakes.pif
    2010-01-13 02:57 . 2009-10-19 13:38 156672 ----a-w- c:\windows\system32\t2embed.dll
    2010-01-13 02:57 . 2009-10-19 13:35 72704 ----a-w- c:\windows\system32\fontsub.dll
    2010-01-09 16:21 . 2010-01-09 16:21 -------- d-----w- c:\users\Robert Lee Dorr\AppData\Roaming\Teleca
    2010-01-09 16:03 . 2010-01-09 16:03 -------- d-----w- c:\users\Robert Lee Dorr\AppData\Roaming\Sony Ericsson
    2010-01-09 16:02 . 2010-01-20 03:40 -------- d-----w- c:\program files\Common Files\Teleca Shared

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-02-06 22:02 . 2009-10-27 02:33 12 ----a-w- c:\windows\bthservsdp.dat
    2010-02-04 19:12 . 2009-10-27 02:13 68560 ----a-w- c:\users\Robert Lee Dorr\AppData\Local\GDIPFONTCACHEV1.DAT
    2010-01-28 10:24 . 2010-01-28 10:24 68168 ----a-w- c:\users\Leslie Dorr\AppData\Local\GDIPFONTCACHEV1.DAT
    2010-01-27 15:31 . 2009-11-30 07:28 -------- d-----w- c:\users\Robert Lee Dorr\AppData\Roaming\PCF-VLC
    2010-01-27 06:49 . 2010-01-07 17:29 -------- d-----w- c:\programdata\NOS
    2010-01-21 10:48 . 2009-10-28 13:28 -------- d-----w- c:\program files\Yahoo!
    2010-01-21 10:48 . 2009-10-28 13:28 -------- d-----w- c:\programdata\Yahoo!
    2010-01-20 04:45 . 2009-12-12 06:12 -------- d-----w- c:\program files\SMART BRO
    2010-01-20 04:45 . 2009-10-27 02:24 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-01-14 03:12 . 2009-10-27 11:54 181120 ------w- c:\windows\system32\MpSigStub.exe
    2010-01-13 22:37 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
    2010-01-08 00:30 . 2010-01-08 00:30 -------- d-----w- c:\users\Robert Lee Dorr\AppData\Roaming\FireShot
    2010-01-07 17:59 . 2010-01-07 17:59 -------- d-----w- c:\program files\ConvertHelper
    2010-01-06 04:08 . 2010-01-07 17:03 4726272 ----a-w- c:\users\Robert Lee Dorr\AppData\Roaming\Mozilla\Firefox\Profiles\m8x1sd94.default\extensions\piclens@cooliris.com\libs\cooliris190.dll
    2010-01-06 04:08 . 2010-01-07 17:03 103424 ----a-w- c:\users\Robert Lee Dorr\AppData\Roaming\Mozilla\Firefox\Profiles\m8x1sd94.default\extensions\piclens@cooliris.com\libs\pixomatic.dll
    2010-01-06 04:08 . 2010-01-07 17:03 57856 ----a-w- c:\users\Robert Lee Dorr\AppData\Roaming\Mozilla\Firefox\Profiles\m8x1sd94.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
    2010-01-06 04:08 . 2010-01-07 17:03 545280 ----a-w- c:\users\Robert Lee Dorr\AppData\Roaming\Mozilla\Firefox\Profiles\m8x1sd94.default\extensions\piclens@cooliris.com\libs\PicLensHelper.exe
    2010-01-06 04:08 . 2010-01-07 17:03 4725760 ----a-w- c:\users\Robert Lee Dorr\AppData\Roaming\Mozilla\Firefox\Profiles\m8x1sd94.default\extensions\piclens@cooliris.com\libs\cooliris192.dll
    2010-01-06 04:08 . 2010-01-07 17:03 344064 ----a-w- c:\users\Robert Lee Dorr\AppData\Roaming\Mozilla\Firefox\Profiles\m8x1sd94.default\extensions\piclens@cooliris.com\libs\LaunchCooliris.exe
    2010-01-06 04:08 . 2010-01-07 17:03 153600 ----a-w- c:\users\Robert Lee Dorr\AppData\Roaming\Mozilla\Firefox\Profiles\m8x1sd94.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
    2010-01-05 22:57 . 2010-01-05 22:57 -------- d-----w- c:\users\Robert Lee Dorr\AppData\Roaming\ScanSoft
    2010-01-04 04:29 . 2009-10-28 13:31 -------- d-----w- c:\users\Robert Lee Dorr\AppData\Roaming\Yahoo!
    2010-01-04 01:13 . 2009-11-03 01:53 126970 ----a-w- c:\users\Robert Lee Dorr\AppData\Roaming\Move Networks\uninstall.exe
    2010-01-04 01:13 . 2009-11-01 16:51 -------- d-----w- c:\users\Robert Lee Dorr\AppData\Roaming\Move Networks
    2010-01-04 01:13 . 2009-08-03 21:48 4187512 ----a-w- c:\users\Robert Lee Dorr\AppData\Roaming\Move Networks\plugins\npqmp071505000010.dll
    2010-01-02 06:38 . 2010-01-21 19:37 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-01-02 06:32 . 2010-01-21 19:37 71680 ----a-w- c:\windows\system32\iesetup.dll
    2010-01-02 06:32 . 2010-01-21 19:37 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2010-01-02 04:57 . 2010-01-21 19:37 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2009-12-30 04:08 . 2009-12-30 04:07 -------- d-----w- c:\program files\PhotoScape
    2009-12-30 02:56 . 2009-12-30 02:48 -------- d-----w- c:\users\Robert Lee Dorr\AppData\Roaming\Nokia
    2009-12-30 02:52 . 2009-12-30 02:52 0 ---ha-w- c:\windows\system32\drivers\Msft_User_PCCSWpdDriver_01_07_00.Wdf
    2009-12-30 02:52 . 2009-12-30 02:48 -------- d-----w- c:\users\Robert Lee Dorr\AppData\Roaming\PC Suite
    2009-12-30 02:52 . 2009-12-30 02:48 -------- d-----w- c:\programdata\PC Suite
    2009-12-30 02:48 . 2009-12-30 02:47 -------- d-----w- c:\program files\DIFX
    2009-12-30 02:42 . 2009-12-30 02:42 95232 ----a-w- c:\programdata\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\pcswpcsi.exe
    2009-12-30 02:42 . 2009-12-30 02:42 8192 ----a-w- c:\programdata\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstCCD.exe
    2009-12-30 02:42 . 2009-12-30 02:42 61440 ----a-w- c:\programdata\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
    2009-12-30 02:42 . 2009-12-30 02:42 10240 ----a-w- c:\programdata\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstPCS.exe
    2009-12-30 02:41 . 2009-12-30 02:41 -------- d-----w- c:\programdata\Installations
    2009-12-30 02:41 . 2009-12-30 02:42 34440160 ----a-w- c:\programdata\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Nokia_PC_Suite_7_1_40_1_eng_us_web.exe
    2009-12-28 12:26 . 2009-10-27 02:43 -------- d-----w- c:\program files\McAfee
    2009-12-27 07:14 . 2009-12-27 07:14 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
    2009-12-27 00:59 . 2009-10-27 02:44 -------- d-----w- c:\programdata\McAfee
    2009-12-26 18:37 . 2009-12-26 18:37 -------- d-----w- c:\programdata\SiteAdvisor
    2009-12-26 18:35 . 2009-12-26 18:34 -------- d-----w- c:\program files\Common Files\McAfee
    2009-12-26 18:34 . 2009-12-26 18:34 -------- d-----w- c:\program files\McAfee.com
    2009-12-26 17:12 . 2009-12-26 17:12 -------- d-----w- c:\program files\Alwil Software
    2009-12-26 11:34 . 2009-10-27 02:52 -------- d-----w- c:\users\Robert Lee Dorr\AppData\Roaming\Ahead
    2009-11-14 02:00 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
    2009-11-13 01:46 . 2009-11-13 01:46 57344 ----a-w- c:\windows\system32\drivers\L1C60x86.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-11-05 150040]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-11-05 178712]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-11-05 154136]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-02-28 6957600]
    "Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2009-02-28 1833504]
    "McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 136768]
    "LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 54832]
    "PLFSetI"="c:\windows\PLFSetI.exe" [2008-07-29 200704]
    "SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
    "PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-10 149280]
    "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-28 1218008]
    "WPCUMI"="c:\windows\system32\WpcUmi.exe" [2006-11-02 176128]

    c:\users\Joem Dorr\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

    c:\users\Robert Lee Dorr\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoDFSTab"= 1 (0x1)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDFSTab"= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 06:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
    backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
    2007-06-27 11:03 152872 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrMfcWnd]
    2008-02-19 00:22 1089536 ----a-r- c:\program files\Brother\Brmfcmon\BrMfcWnd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3]
    2007-12-21 09:57 86016 ----a-w- c:\program files\Brother\ControlCenter3\BrCtrCen.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
    2009-10-27 11:20 133104 ----atw- c:\users\Robert Lee Dorr\AppData\Local\Google\Update\GoogleUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
    2007-10-11 11:01 46368 ----a-w- c:\program files\ScanSoft\PaperPort\IndexSearch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
    2009-11-10 07:39 5244216 ----a-w- c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2007-03-01 07:57 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
    2007-10-11 11:03 29984 ----a-w- c:\program files\ScanSoft\PaperPort\pptd40nt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
    2006-11-23 07:10 56928 ------w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "VistaSp2"=hex(b):25,a3,d5,6b,d9,5e,ca,01

    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [12/27/2009 2:37 AM 93320]
    R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\System32\drivers\IntcHdmi.sys [10/27/2009 10:20 AM 112128]
    R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\System32\drivers\L1C60x86.sys [11/13/2009 9:46 AM 57344]
    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]
    S2 Autorun CDROM Monitor;Autorun CDROM Monitor;c:\windows\System32\SupportAppXL\cdrom_mon.exe [1/7/2009 9:13 AM 81920]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/27/2009 8:28 PM 133104]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [11/2/2006 6:25 PM 167936]
    S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\System32\drivers\btwl2cap.sys [10/27/2009 10:36 AM 29472]
    S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [1/21/2008 10:26 AM 21504]
    S3 hwusbfake;Huawei DataCard USB Fake;c:\windows\System32\drivers\ewusbfake.sys [11/17/2009 10:35 AM 103040]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    bthsvcs REG_MULTI_SZ BthServ
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    Contents of the 'Scheduled Tasks' folder

    2010-02-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-10-27 12:27]

    2010-02-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-10-27 12:27]

    2010-02-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2399084992-689958127-234286371-1000Core.job
    - c:\users\Robert Lee Dorr\AppData\Local\Google\Update\GoogleUpdate.exe [2009-10-27 11:20]

    2010-02-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2399084992-689958127-234286371-1000UA.job
    - c:\users\Robert Lee Dorr\AppData\Local\Google\Update\GoogleUpdate.exe [2009-10-27 11:20]

    2009-12-27 c:\windows\Tasks\McDefragTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-12-26 04:22]

    2009-12-31 c:\windows\Tasks\McQcTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-12-26 04:22]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com
    IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    LSP: c:\windows\system32\wpclsp.dll
    TCP: {457DB226-EA4F-43DF-BE83-4AD0E8BB4423} = 121.1.3.168 121.1.3.250
    FF - ProfilePath - c:\users\Robert Lee Dorr\AppData\Roaming\Mozilla\Firefox\Profiles\m8x1sd94.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
    FF - component: c:\users\Robert Lee Dorr\AppData\Roaming\Mozilla\Firefox\Profiles\m8x1sd94.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\platform\WINNT_x86-msvc\components\SSSLauncher.dll
    FF - component: c:\users\Robert Lee Dorr\AppData\Roaming\Mozilla\Firefox\Profiles\m8x1sd94.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
    FF - component: c:\users\Robert Lee Dorr\AppData\Roaming\Mozilla\Firefox\Profiles\m8x1sd94.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
    FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
    FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
    FF - plugin: c:\users\Robert Lee Dorr\AppData\Local\Google\Update\1.2.183.13\npGoogleOneClick8.dll
    FF - plugin: c:\users\Robert Lee Dorr\AppData\Roaming\Move Networks\plugins\npqmp071505000010.dll
    FF - plugin: c:\users\Robert Lee Dorr\AppData\Roaming\Mozilla\Firefox\Profiles\m8x1sd94.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true.
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-AdobeBridge - (no file)
    AddRemove-Agere Systems Soft Modem - c:\windows\agrsmdel



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
    Rootkit scan 2010-02-07 09:54
    Windows 6.0.6002 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2010-02-07 09:57:05
    ComboFix-quarantined-files.txt 2010-02-07 01:57

    Pre-Run: 72,669,478,912 bytes free
    Post-Run: 73,106,432,000 bytes free

    - - End Of File - - D001EA50416588639F4BF3233D5893D6

    =========================================================

    Here is the HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:02:31 AM, on 2/7/2010
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v8.00 (8.00.6001.18882)
    Boot mode: Normal

    Running processes:
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
    C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Windows\System32\wpcumi.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Windows\system32\notepad.exe
    C:\Windows\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo! UK & Ireland
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O1 - Hosts: ::1 localhost
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
    O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
    O4 - HKLM\..\Run: [Skytel] C:\Program Files\Realtek\Audio\HDA\Skytel.exe
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM\..\Run: [PLFSetI] C:\Windows\PLFSetI.exe
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\ProgramData\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - HKLM\..\Run: [WPCUMI] C:\Windows\system32\WpcUmi.exe
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: @C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{457DB226-EA4F-43DF-BE83-4AD0E8BB4423}: NameServer = 121.1.3.168 121.1.3.250
    O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Program Files\LSI SoftModem\agrsmsvc.exe
    O23 - Service: Autorun CDROM Monitor - Unknown owner - C:\Windows\system32\SupportAppXL\cdrom_mon.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\McShield.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

    --
    End of file - 7713 bytes

    As always, thank you, rob


  2. #12
    diverdorr68 is offline Junior Member
    Don't know if this is important. The little bug from SUPERAntiSpyware appeared in my tray at the bottom right of the page when I sent you the last message, then disappeared as soon as it was sent.

  3. #13
    broni is offline Senior Member
    The little bug from SUPERAntiSpyware appeared in my tray at the bottom right of the page when I sent you the last message, then disappeared as soon as it was sent.
    That's fine. Don't worry about it.

    Which browser is having problems?


    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run box.


    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\programdata\NOS\Adobe_Downloads\arh.exe
    c:\users\Robert Lee Dorr\AppData\Roaming\Microsoft\Windows\Recent\Comfy Cakes.pif
    
    
    Folder::
    
    Driver::
    
    Registry::
    
    RegLockDel::

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.




    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.

  4. #14
    diverdorr68 is offline Junior Member
    <IE8 - hand typed into the address window>

    A McAfee site advisory page loads. This is the URL that loaded on my system in case you need it.

    McAfee SiteAdvisor Software - Website Safety Ratings and Secure Search

    In case that link doesn't work, here is a copy of the text:

    www.ztomy.com/?dn=www.scubaduba-ph.com may cause a breach of browser security.
    Why were you redirected to this page?

    When we tested www.ztomy.com/?dn=www.scubaduba-ph.com, it attempted to make unauthorized changes to our test computer by exploiting a browser security vulnerability.
    This is a serious security threat which could lead to an infection of your computer.

    View our detailed report about www.ztomy.com/?dn=www.scubaduba-ph.com

    Back to previous page

    ==========================================================================================================================


    <Mozilla Firefox - hand typed, or auto-assisted>

    Goes to the correct URL, but is transferring data from different sites to your computer.
    It starts with ztomy.com, then searchinvent.com, oascentral.com, then a couple others flash too fast to read, then stops for a couple
    seconds at secure.img-cdn.mediaplex.com. My site was published, but now shows as 'coming soon' with the same ads that the
    actual 'coming soon page' has on it. But when you mouse over the ads, they indicate searchinvent.com, and then ad
    information.

    So, I am guessing I have been upgrading their virus every time I check for progress, very sneaky, and crafty bunch,
    these guys.

    ===========================================================================================================================


    <google chrome(non-beta)>

    Page is not displaying correctly at the top, the address bar and the bookmarks bar are whited over, along with the tab
    that is currently in use. The http info is still clear.

    As with both of the other browsers, when I log onto any other sites, there seems to be no problems. But when I log onto my
    own sites, hosted through register.com, they have been taken over by this 'searchinvent'. This browser loads all their stuff
    faster. I also noticed the site, not sure if this is "exact", castle.media.com in the bunch that rush through. On Google,
    when you mouse over the ads, they say www.searchinvent.com\(actual advertisement). There is no indication that there is data
    being transferred like on Firefox, but the list of names that flashes as the page loads still includes
    secure.img-cdn.mediaplex.com (the one that transfers the data on Firefox)

    ===========================================================================================================================

    The exact same thing happens when you try to access either of my sites, including a McAfee site adviser warning through IE8.
    Also, the first day of troubles, I believe only ztomy.com showed on the bottom of the screen, and instead of hijacking my
    sites, the screen said not accessible, contact service provider. But that quickly changed.
    Also, we have a 2nd computer that uses the same modem as this one. It is connected to our ISP via LAN, mine is connected
    through a wireless router. The second computer also reacts in the same way as this one. But no other problems have occurred
    in it, as it is configured to dump all new info before every restart (at least I think that is why). It was formerly owned by
    an internet cafe. That computer is running Avast, which allowed the page to load on IE7.

    Since it may have been important to your help with a lady who had a similar problem back in November, I have checked my sites in the search engines. Current version is hijacked, cached version loads correctly.


    Should I still proceed with numbers 1-5 of your last post given this information?

  5. #15
    broni is offline Senior Member
    Yes, please. We'll run more tests after that.

  6. #16
    diverdorr68 is offline Junior Member
    Yes sir, I will get on it right now, thank you.

  7. #17
    broni is offline Senior Member
    Ok

  8. #18
    diverdorr68 is offline Junior Member
    Hi Broni,
    Took me a while to find the ComboFix, good idea hiding it in my pic downloads.

    here is the combofix log:

    ComboFix 10-02-06.02 - Robert Lee Dorr 02/07/2010 13:57:17.2.2 - x86
    Microsoft® Windows Vista™ Starter 6.0.6002.2.1252.63.1033.18.1977.967 [GMT 8:00]
    Running from: c:\users\Robert Lee Dorr\Pictures\Downloads\8cdft5ek78.exe
    Command switches used :: c:\users\Robert Lee Dorr\Pictures\Downloads\CFScript.txt
    SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

    FILE ::
    "c:\programdata\NOS\Adobe_Downloads\arh.exe"
    "c:\users\Robert Lee Dorr\AppData\Roaming\Microsoft\Windows\Recent\Comfy Cakes.pif"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\programdata\NOS\Adobe_Downloads\arh.exe
    c:\users\Robert Lee Dorr\AppData\Roaming\Microsoft\Windows\Recent\Comfy Cakes.pif

    .
    ((((((((((((((((((((((((( Files Created from 2010-01-07 to 2010-02-07 )))))))))))))))))))))))))))))))
    .

    2010-02-07 06:05 . 2010-02-07 06:05 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
    2010-02-07 06:05 . 2010-02-07 06:05 -------- d-----w- c:\users\Public\AppData\Local\temp
    2010-02-07 06:05 . 2010-02-07 06:05 -------- d-----w- c:\users\Leslie Dorr\AppData\Local\temp
    2010-02-07 06:05 . 2010-02-07 06:05 -------- d-----w- c:\users\Joem Dorr\AppData\Local\temp
    2010-02-07 06:05 . 2010-02-07 06:05 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-02-06 22:12 . 2010-02-06 22:12 -------- d-----w- c:\program files\Trend Micro
    2010-02-06 17:34 . 2010-02-06 17:34 -------- d-----w- c:\users\Robert Lee Dorr\AppData\Roaming\Malwarebytes
    2010-02-06 17:34 . 2010-01-07 08:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-02-06 17:34 . 2010-02-06 17:34 -------- d-----w- c:\programdata\Malwarebytes
    2010-02-06 17:34 . 2010-02-06 17:34 -------- d-----w- C:\desktop
    2010-02-06 17:34 . 2010-01-07 08:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-02-05 03:50 . 2010-02-05 03:50 52224 ----a-w- c:\users\Robert Lee Dorr\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-02-05 03:50 . 2010-02-06 13:12 117760 ----a-w- c:\users\Robert Lee Dorr\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-02-05 03:50 . 2010-02-05 03:50 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2010-02-05 03:49 . 2010-02-05 03:49 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-02-05 03:49 . 2010-02-05 03:49 -------- d-----w- c:\users\Robert Lee Dorr\AppData\Roaming\SUPERAntiSpyware.com
    2010-02-05 03:47 . 2010-02-05 03:47 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2010-01-29 10:32 . 2010-01-29 10:33 -------- d-----w- c:\users\Joem Dorr\AppData\Local\Adobe
    2010-01-29 05:24 . 2010-01-29 05:24 -------- d-----w- c:\programdata\FLEXnet
    2010-01-29 03:17 . 2010-02-04 15:14 -------- d-----w- c:\program files\Common Files\Adobe
    2010-01-28 10:41 . 2010-01-28 10:41 -------- d-----w- c:\users\Joem Dorr\AppData\Local\Microsoft Help
    2010-01-28 10:23 . 2010-01-28 10:23 -------- d-sh--we c:\users\Leslie Dorr\AppData\Local\Temporary Internet Files
    2010-01-28 10:23 . 2010-01-28 10:23 -------- d-sh--we c:\users\Leslie Dorr\AppData\Local\History
    2010-01-28 10:23 . 2010-01-28 10:23 -------- d-sh--we c:\users\Leslie Dorr\AppData\Local\Application Data
    2010-01-28 01:06 . 2010-01-28 01:06 -------- d-----w- c:\users\Robert Lee Dorr\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
    2010-01-27 06:09 . 2010-01-27 06:09 -------- d-----w- c:\users\Joem Dorr\AppData\Local\Mozilla
    2010-01-27 06:09 . 2010-01-27 06:09 -------- d-----w- c:\users\Joem Dorr\AppData\Local\Scansoft
    2010-01-27 06:09 . 2010-02-05 13:53 68560 ----a-w- c:\users\Joem Dorr\AppData\Local\GDIPFONTCACHEV1.DAT
    2010-01-21 10:48 . 2009-11-10 06:39 607472 ----a-w- c:\programdata\Yahoo!\YUpdater\yupdater.exe
    2010-01-19 08:08 . 2010-01-20 04:12 -------- d-----w- c:\program files\SMART BRO(12)
    2010-01-19 08:08 . 2010-01-20 03:03 -------- d-----w- c:\program files\SMART BRO(137)
    2010-01-13 02:57 . 2009-10-19 13:38 156672 ----a-w- c:\windows\system32\t2embed.dll
    2010-01-13 02:57 . 2009-10-19 13:35 72704 ----a-w- c:\windows\system32\fontsub.dll
    2010-01-09 16:21 . 2010-01-09 16:21 -------- d-----w- c:\users\Robert Lee Dorr\AppData\Roaming\Teleca
    2010-01-09 16:03 . 2010-01-09 16:03 -------- d-----w- c:\users\Robert Lee Dorr\AppData\Roaming\Sony Ericsson
    2010-01-09 16:02 . 2010-01-20 03:40 -------- d-----w- c:\program files\Common Files\Teleca Shared

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-02-07 02:20 . 2009-10-27 02:33 12 ----a-w- c:\windows\bthservsdp.dat
    2010-02-04 19:12 . 2009-10-27 02:13 68560 ----a-w- c:\users\Robert Lee Dorr\AppData\Local\GDIPFONTCACHEV1.DAT
    2010-01-28 10:24 . 2010-01-28 10:24 68168 ----a-w- c:\users\Leslie Dorr\AppData\Local\GDIPFONTCACHEV1.DAT
    2010-01-27 15:31 . 2009-11-30 07:28 -------- d-----w- c:\users\Robert Lee Dorr\AppData\Roaming\PCF-VLC
    2010-01-27 06:49 . 2010-01-07 17:29 -------- d-----w- c:\programdata\NOS
    2010-01-21 10:48 . 2009-10-28 13:28 -------- d-----w- c:\program files\Yahoo!
    2010-01-21 10:48 . 2009-10-28 13:28 -------- d-----w- c:\programdata\Yahoo!
    2010-01-20 04:45 . 2009-12-12 06:12 -------- d-----w- c:\program files\SMART BRO
    2010-01-20 04:45 . 2009-10-27 02:24 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-01-14 03:12 . 2009-10-27 11:54 181120 ------w- c:\windows\system32\MpSigStub.exe
    2010-01-13 22:37 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
    2010-01-08 00:30 . 2010-01-08 00:30 -------- d-----w- c:\users\Robert Lee Dorr\AppData\Roaming\FireShot
    2010-01-07 17:59 . 2010-01-07 17:59 -------- d-----w- c:\program files\ConvertHelper
    2010-01-06 04:08 . 2010-01-07 17:03 4726272 ----a-w- c:\users\Robert Lee Dorr\AppData\Roaming\Mozilla\Firefox\Profiles\m8x1sd94.default\extensions\piclens@cooliris.com\libs\cooliris190.dll
    2010-01-06 04:08 . 2010-01-07 17:03 103424 ----a-w- c:\users\Robert Lee Dorr\AppData\Roaming\Mozilla\Firefox\Profiles\m8x1sd94.default\extensions\piclens@cooliris.com\libs\pixomatic.dll
    2010-01-06 04:08 . 2010-01-07 17:03 57856 ----a-w- c:\users\Robert Lee Dorr\AppData\Roaming\Mozilla\Firefox\Profiles\m8x1sd94.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
    2010-01-06 04:08 . 2010-01-07 17:03 545280 ----a-w- c:\users\Robert Lee Dorr\AppData\Roaming\Mozilla\Firefox\Profiles\m8x1sd94.default\extensions\piclens@cooliris.com\libs\PicLensHelper.exe
    2010-01-06 04:08 . 2010-01-07 17:03 4725760 ----a-w- c:\users\Robert Lee Dorr\AppData\Roaming\Mozilla\Firefox\Profiles\m8x1sd94.default\extensions\piclens@cooliris.com\libs\cooliris192.dll
    2010-01-06 04:08 . 2010-01-07 17:03 344064 ----a-w- c:\users\Robert Lee Dorr\AppData\Roaming\Mozilla\Firefox\Profiles\m8x1sd94.default\extensions\piclens@cooliris.com\libs\LaunchCooliris.exe
    2010-01-06 04:08 . 2010-01-07 17:03 153600 ----a-w- c:\users\Robert Lee Dorr\AppData\Roaming\Mozilla\Firefox\Profiles\m8x1sd94.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
    2010-01-05 22:57 . 2010-01-05 22:57 -------- d-----w- c:\users\Robert Lee Dorr\AppData\Roaming\ScanSoft
    2010-01-04 04:29 . 2009-10-28 13:31 -------- d-----w- c:\users\Robert Lee Dorr\AppData\Roaming\Yahoo!
    2010-01-04 01:13 . 2009-11-03 01:53 126970 ----a-w- c:\users\Robert Lee Dorr\AppData\Roaming\Move Networks\uninstall.exe
    2010-01-04 01:13 . 2009-11-01 16:51 -------- d-----w- c:\users\Robert Lee Dorr\AppData\Roaming\Move Networks
    2010-01-04 01:13 . 2009-08-03 21:48 4187512 ----a-w- c:\users\Robert Lee Dorr\AppData\Roaming\Move Networks\plugins\npqmp071505000010.dll
    2010-01-02 06:38 . 2010-01-21 19:37 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-01-02 06:32 . 2010-01-21 19:37 71680 ----a-w- c:\windows\system32\iesetup.dll
    2010-01-02 06:32 . 2010-01-21 19:37 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2010-01-02 04:57 . 2010-01-21 19:37 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2009-12-30 04:08 . 2009-12-30 04:07 -------- d-----w- c:\program files\PhotoScape
    2009-12-30 02:56 . 2009-12-30 02:48 -------- d-----w- c:\users\Robert Lee Dorr\AppData\Roaming\Nokia
    2009-12-30 02:52 . 2009-12-30 02:52 0 ---ha-w- c:\windows\system32\drivers\Msft_User_PCCSWpdDriver_01_07_00.Wdf
    2009-12-30 02:52 . 2009-12-30 02:48 -------- d-----w- c:\users\Robert Lee Dorr\AppData\Roaming\PC Suite
    2009-12-30 02:52 . 2009-12-30 02:48 -------- d-----w- c:\programdata\PC Suite
    2009-12-30 02:48 . 2009-12-30 02:47 -------- d-----w- c:\program files\DIFX
    2009-12-30 02:42 . 2009-12-30 02:42 95232 ----a-w- c:\programdata\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\pcswpcsi.exe
    2009-12-30 02:42 . 2009-12-30 02:42 8192 ----a-w- c:\programdata\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstCCD.exe
    2009-12-30 02:42 . 2009-12-30 02:42 61440 ----a-w- c:\programdata\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
    2009-12-30 02:42 . 2009-12-30 02:42 10240 ----a-w- c:\programdata\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstPCS.exe
    2009-12-30 02:41 . 2009-12-30 02:41 -------- d-----w- c:\programdata\Installations
    2009-12-30 02:41 . 2009-12-30 02:42 34440160 ----a-w- c:\programdata\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Nokia_PC_Suite_7_1_40_1_eng_us_web.exe
    2009-12-28 12:26 . 2009-10-27 02:43 -------- d-----w- c:\program files\McAfee
    2009-12-27 07:14 . 2009-12-27 07:14 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
    2009-12-27 00:59 . 2009-10-27 02:44 -------- d-----w- c:\programdata\McAfee
    2009-12-26 18:37 . 2009-12-26 18:37 -------- d-----w- c:\programdata\SiteAdvisor
    2009-12-26 18:35 . 2009-12-26 18:34 -------- d-----w- c:\program files\Common Files\McAfee
    2009-12-26 18:34 . 2009-12-26 18:34 -------- d-----w- c:\program files\McAfee.com
    2009-12-26 17:12 . 2009-12-26 17:12 -------- d-----w- c:\program files\Alwil Software
    2009-12-26 11:34 . 2009-10-27 02:52 -------- d-----w- c:\users\Robert Lee Dorr\AppData\Roaming\Ahead
    2009-11-14 02:00 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
    2009-11-13 01:46 . 2009-11-13 01:46 57344 ----a-w- c:\windows\system32\drivers\L1C60x86.sys
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-02-07_01.54.05 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-01-21 01:59 . 2010-02-07 02:44 56670 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
    - 2008-01-21 01:59 . 2010-02-06 22:07 56670 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2006-11-02 13:09 . 2010-02-07 02:44 76220 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
    + 2009-10-27 02:14 . 2010-02-07 02:44 13116 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2399084992-689958127-234286371-1000_UserData.bin
    + 2009-10-27 02:12 . 2010-02-07 02:20 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-10-27 02:12 . 2010-02-06 22:03 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-10-27 02:12 . 2010-02-07 02:20 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2009-10-27 02:12 . 2010-02-06 22:03 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-10-27 02:12 . 2010-02-07 02:20 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2009-10-27 02:12 . 2010-02-06 22:03 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2010-01-02 02:20 . 2010-02-07 02:21 16384 c:\windows\System32\%APPDATA%\Microsoft\Windows\IETldCache\index.dat
    - 2010-01-02 02:20 . 2010-02-06 22:03 16384 c:\windows\System32\%APPDATA%\Microsoft\Windows\IETldCache\index.dat
    + 2009-11-02 13:51 . 2010-02-07 02:21 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-11-02 13:51 . 2010-02-06 22:03 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-11-02 13:51 . 2010-02-07 02:21 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2009-11-02 13:51 . 2010-02-06 22:03 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2009-11-02 13:51 . 2010-02-06 22:03 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-11-02 13:51 . 2010-02-07 02:21 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2010-02-06 22:03 . 2010-02-06 22:03 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2010-02-07 02:20 . 2010-02-07 02:20 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2010-02-06 22:03 . 2010-02-06 22:03 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2010-02-07 02:20 . 2010-02-07 02:20 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2006-11-02 10:33 . 2010-02-07 05:23 599312 c:\windows\System32\perfh009.dat
    - 2006-11-02 10:33 . 2010-02-07 00:04 599312 c:\windows\System32\perfh009.dat
    + 2006-11-02 10:33 . 2010-02-07 05:23 105518 c:\windows\System32\perfc009.dat
    - 2006-11-02 10:33 . 2010-02-07 00:04 105518 c:\windows\System32\perfc009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-11-05 150040]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-11-05 178712]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-11-05 154136]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-02-28 6957600]
    "Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2009-02-28 1833504]
    "McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 136768]
    "LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 54832]
    "PLFSetI"="c:\windows\PLFSetI.exe" [2008-07-29 200704]
    "SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
    "PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-10 149280]
    "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-28 1218008]
    "WPCUMI"="c:\windows\system32\WpcUmi.exe" [2006-11-02 176128]

    c:\users\Joem Dorr\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

    c:\users\Robert Lee Dorr\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoDFSTab"= 1 (0x1)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDFSTab"= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 06:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
    backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
    2007-06-27 11:03 152872 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrMfcWnd]
    2008-02-19 00:22 1089536 ----a-r- c:\program files\Brother\Brmfcmon\BrMfcWnd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3]
    2007-12-21 09:57 86016 ----a-w- c:\program files\Brother\ControlCenter3\BrCtrCen.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
    2009-10-27 11:20 133104 ----atw- c:\users\Robert Lee Dorr\AppData\Local\Google\Update\GoogleUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
    2007-10-11 11:01 46368 ----a-w- c:\program files\ScanSoft\PaperPort\IndexSearch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
    2009-11-10 07:39 5244216 ----a-w- c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2007-03-01 07:57 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
    2007-10-11 11:03 29984 ----a-w- c:\program files\ScanSoft\PaperPort\pptd40nt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
    2006-11-23 07:10 56928 ------w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "VistaSp2"=hex(b):25,a3,d5,6b,d9,5e,ca,01

    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [12/27/2009 2:37 AM 93320]
    R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\System32\drivers\IntcHdmi.sys [10/27/2009 10:20 AM 112128]
    R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\System32\drivers\L1C60x86.sys [11/13/2009 9:46 AM 57344]
    S2 Autorun CDROM Monitor;Autorun CDROM Monitor;c:\windows\System32\SupportAppXL\cdrom_mon.exe [1/7/2009 9:13 AM 81920]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/27/2009 8:28 PM 133104]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [11/2/2006 6:25 PM 167936]
    S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\System32\drivers\btwl2cap.sys [10/27/2009 10:36 AM 29472]
    S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [1/21/2008 10:26 AM 21504]
    S3 hwusbfake;Huawei DataCard USB Fake;c:\windows\System32\drivers\ewusbfake.sys [11/17/2009 10:35 AM 103040]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    bthsvcs REG_MULTI_SZ BthServ
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    Contents of the 'Scheduled Tasks' folder

    2010-02-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-10-27 12:27]

    2010-02-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-10-27 12:27]

    2010-02-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2399084992-689958127-234286371-1000Core.job
    - c:\users\Robert Lee Dorr\AppData\Local\Google\Update\GoogleUpdate.exe [2009-10-27 11:20]

    2010-02-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2399084992-689958127-234286371-1000UA.job
    - c:\users\Robert Lee Dorr\AppData\Local\Google\Update\GoogleUpdate.exe [2009-10-27 11:20]

    2009-12-27 c:\windows\Tasks\McDefragTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-12-26 04:22]

    2009-12-31 c:\windows\Tasks\McQcTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-12-26 04:22]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com
    IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    LSP: c:\windows\system32\wpclsp.dll
    TCP: {457DB226-EA4F-43DF-BE83-4AD0E8BB4423} = 121.1.3.168 121.1.3.250
    FF - ProfilePath - c:\users\Robert Lee Dorr\AppData\Roaming\Mozilla\Firefox\Profiles\m8x1sd94.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
    FF - component: c:\users\Robert Lee Dorr\AppData\Roaming\Mozilla\Firefox\Profiles\m8x1sd94.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\platform\WINNT_x86-msvc\components\SSSLauncher.dll
    FF - component: c:\users\Robert Lee Dorr\AppData\Roaming\Mozilla\Firefox\Profiles\m8x1sd94.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
    FF - component: c:\users\Robert Lee Dorr\AppData\Roaming\Mozilla\Firefox\Profiles\m8x1sd94.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
    FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
    FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
    FF - plugin: c:\users\Robert Lee Dorr\AppData\Local\Google\Update\1.2.183.13\npGoogleOneClick8.dll
    FF - plugin: c:\users\Robert Lee Dorr\AppData\Roaming\Move Networks\plugins\npqmp071505000010.dll
    FF - plugin: c:\users\Robert Lee Dorr\AppData\Roaming\Mozilla\Firefox\Profiles\m8x1sd94.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true.

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
    Rootkit scan 2010-02-07 14:05
    Windows 6.0.6002 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2010-02-07 14:08:26
    ComboFix-quarantined-files.txt 2010-02-07 06:08
    ComboFix2.txt 2010-02-07 01:57

    Pre-Run: 73,211,744,256 bytes free
    Post-Run: 72,963,522,560 bytes free

    - - End Of File - - 4747A599E9288706011E2BF7D8043918


    =========================================================


    Here is the HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:09:57 PM, on 2/7/2010
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v8.00 (8.00.6001.18882)
    Boot mode: Normal

    Running processes:
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Windows\System32\wpcumi.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Windows\system32\notepad.exe
    C:\Windows\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo! UK & Ireland
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O1 - Hosts: ::1 localhost
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
    O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
    O4 - HKLM\..\Run: [Skytel] C:\Program Files\Realtek\Audio\HDA\Skytel.exe
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM\..\Run: [PLFSetI] C:\Windows\PLFSetI.exe
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\ProgramData\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - HKLM\..\Run: [WPCUMI] C:\Windows\system32\WpcUmi.exe
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: @C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{457DB226-EA4F-43DF-BE83-4AD0E8BB4423}: NameServer = 121.1.3.168 121.1.3.250
    O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Program Files\LSI SoftModem\agrsmsvc.exe
    O23 - Service: Autorun CDROM Monitor - Unknown owner - C:\Windows\system32\SupportAppXL\cdrom_mon.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\McShield.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

    --
    End of file - 7712 bytes


    Thanks, rob

  9. #19
    broni is offline Senior Member
    Uninstall Combofix:
    Go Start > Run [Vista users, go Start>"Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    ===============================================================

    Download Kenco.exe to your desktop
    • Close all windows and run the program.
    • It won't take long to run.
    • Kenco will reboot the system if it finds anything.
    • Post the log it gives you (it will be saved in the same place as Kenco.exe).

  10. #20
    diverdorr68 is offline Junior Member
    I followed your instruction for the uninstall as stated. When I had fully typed in the word 'combofix' the icon appeared at the top of the page, and I used the space. But when I hit the enter button, this message came up:

    Top left corner of window - 8cdft5ek78.exe(no hyphen)
    Message in box - Windows cannot find 8cdft5ek78.exe' <(notice the hyphen)
    Make sure you typed the name correctly, and then try again.

    I repeated the process, same results.
