Virus. Windows recovery Windows Risk



#16
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
I think they are being generated by the hidden image files on your desktop that I am unable to delete at the moment.



Download Dr Web from here. Fill in the small form and download.

It will download as an 8-digit file; save it to your desktop.

Restart in safe mode and run.
Accept the enhanced version.
Then run the quick scan.
About halfway through you will be prompted to buy - just X the box closed.
Once finished it will generate a log; please attach that.


#17
Vero_

    Member

  • Topic Starter
  • 48 posts
ComboFix 11-06-22.02 - Veronica 06/23/2011 16:46:12.3.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.1978.1473 [GMT -4:00]
Running from: c:\users\Veronica\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BF5CEBDC-F2D3-7540-343C-F0CE11FD6E66}
SP: Microsoft Security Essentials *Disabled/Updated* {043D0A38-D4E9-7ACE-0E8C-CBBC6A7A24DB}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2011-05-23 to 2011-06-23 )))))))))))))))))))))))))))))))
.
.
2011-06-23 20:53 . 2011-06-23 20:54 -------- d-----w- c:\users\Veronica\AppData\Local\temp
2011-06-23 20:53 . 2011-06-23 20:53 -------- d-----w- c:\users\Guest\AppData\Local\temp
2011-06-23 20:53 . 2011-06-23 20:53 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-06-22 22:38 . 2011-06-22 22:38 -------- d-----w- C:\_OTL
2011-06-11 21:18 . 2011-06-11 21:18 -------- d-----w- c:\users\Guest\AppData\Local\Western_Digital
2011-06-11 21:18 . 2011-06-11 21:18 -------- d-----w- c:\users\Guest\AppData\Roaming\Western Digital
2011-06-11 21:18 . 2011-06-11 21:18 -------- d-----w- c:\users\Guest\AppData\Local\Western Digital
2011-06-04 00:05 . 2011-06-04 00:05 -------- d-----w- c:\users\Veronica\AppData\Local\Western_Digital
2011-06-01 02:09 . 2011-06-01 02:09 -------- d-----w- c:\users\Veronica\AppData\Roaming\Western Digital
2011-06-01 02:09 . 2011-06-01 02:09 -------- d-----w- c:\programdata\Western Digital
2011-06-01 02:08 . 2011-06-01 02:08 -------- d-----w- c:\program files\Western Digital
2011-06-01 02:07 . 2011-06-01 02:07 -------- d-----w- c:\users\Veronica\AppData\Local\Western Digital
2011-05-31 21:52 . 2011-05-31 21:52 -------- d-----w- c:\users\Guest\AppData\Local\Apple
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-07 15:55 . 2010-11-19 08:15 7074640 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-05-29 13:11 . 2011-04-21 01:05 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 13:11 . 2011-04-21 01:05 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2008-09-30 972080]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"RegistryBooster"="c:\program files\Uniblue\RegistryBooster\launcher.exe" [2011-03-14 67456]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-09-26 2356088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2008-09-24 468264]
"UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2008-10-07 210216]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-01 202032]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePDIRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-23 149280]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2008-01-21 215552]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1094224]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"DLBXCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\DLBXtime.dll" [2007-02-22 73728]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 136216]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 170520]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-02 421160]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-05-29 1047656]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]
.
c:\users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-12-16 503808]
.
c:\users\Veronica\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-12-16 503808]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2010-1-21 2057536]
WDSmartWare.lnk - c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe [2010-1-21 9136960]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R1 MpKsl00608dee;MpKsl00608dee;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5CF1F8BF-D447-47E2-BE96-5C07E270D106}\MpKsl00608dee.sys [x]
R1 MpKsl0909484c;MpKsl0909484c;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7AAF77A2-A3C2-46D9-91ED-A856A702EEBE}\MpKsl0909484c.sys [x]
R1 MpKsl0960289c;MpKsl0960289c;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{194E9C2A-569A-4BEA-BE6B-D1AFB9F40E1F}\MpKsl0960289c.sys [x]
R1 MpKsl19bbb742;MpKsl19bbb742;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4A0A44BC-031D-427E-89BF-86B61AA7C7EA}\MpKsl19bbb742.sys [x]
R1 MpKsl331eb652;MpKsl331eb652;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F72BFBBD-C39B-40A2-BA7F-2E1F8C63CE95}\MpKsl331eb652.sys [x]
R1 MpKsl39456dc4;MpKsl39456dc4;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B204BD14-A422-48A7-9FB0-6116EB3682C4}\MpKsl39456dc4.sys [x]
R1 MpKsl3d441665;MpKsl3d441665;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{CD74E0C3-9573-4D85-BB87-F3CE0E907865}\MpKsl3d441665.sys [x]
R1 MpKsl4b2e47a2;MpKsl4b2e47a2;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B3A7D507-EB24-4A58-B9BB-67F7C4191FD6}\MpKsl4b2e47a2.sys [x]
R1 MpKsl4e008ecf;MpKsl4e008ecf;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{EF8FE95A-6C4D-489E-B16C-155DEE7FEA5C}\MpKsl4e008ecf.sys [x]
R1 MpKsl5f96d20b;MpKsl5f96d20b;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{681DF8A2-228F-4958-A112-36CD25BD20AE}\MpKsl5f96d20b.sys [x]
R1 MpKsl70eb86f1;MpKsl70eb86f1;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B204BD14-A422-48A7-9FB0-6116EB3682C4}\MpKsl70eb86f1.sys [x]
R1 MpKsl725c43fb;MpKsl725c43fb;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4DFF6AE7-34CB-4859-8292-754870B21E0F}\MpKsl725c43fb.sys [x]
R1 MpKsl77c0eb11;MpKsl77c0eb11;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{6998CA14-BF33-4E18-A459-8F9D386FADF2}\MpKsl77c0eb11.sys [x]
R1 MpKsl831714da;MpKsl831714da;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{89FB1A7F-D6BE-4AB4-B663-05EC49BF9B22}\MpKsl831714da.sys [x]
R1 MpKsla6e529dd;MpKsla6e529dd;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5F34B971-36AB-4971-B1FD-D6E7F53B5AD5}\MpKsla6e529dd.sys [x]
R1 MpKslb47a9eff;MpKslb47a9eff;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{21C27F91-0AEC-446C-ADA7-B208B26229CD}\MpKslb47a9eff.sys [x]
R1 MpKslbe05309e;MpKslbe05309e;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F72BFBBD-C39B-40A2-BA7F-2E1F8C63CE95}\MpKslbe05309e.sys [x]
R1 MpKslc43f7ba2;MpKslc43f7ba2;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{681DF8A2-228F-4958-A112-36CD25BD20AE}\MpKslc43f7ba2.sys [x]
R1 MpKslcac93121;MpKslcac93121;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{118DBAFC-2403-4E53-A0E5-66520508A40D}\MpKslcac93121.sys [x]
R1 MpKslce46060e;MpKslce46060e;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F72BFBBD-C39B-40A2-BA7F-2E1F8C63CE95}\MpKslce46060e.sys [x]
R1 MpKsld3e85ddc;MpKsld3e85ddc;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{CD74E0C3-9573-4D85-BB87-F3CE0E907865}\MpKsld3e85ddc.sys [x]
R1 MpKsld45ac79f;MpKsld45ac79f;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{00E5D929-C79D-4DB0-A876-59AE00971250}\MpKsld45ac79f.sys [x]
R1 MpKsle07cee06;MpKsle07cee06;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F11AB576-502D-4E1C-B58A-71FA97F9BA76}\MpKsle07cee06.sys [x]
R1 MpKslea860ce8;MpKslea860ce8;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C6141F88-2BAF-4A53-B887-48AADFC1705B}\MpKslea860ce8.sys [x]
R1 MpKsleb0e88a5;MpKsleb0e88a5;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7AAF77A2-A3C2-46D9-91ED-A856A702EEBE}\MpKsleb0e88a5.sys [x]
R1 MpKsleebcb9ba;MpKsleebcb9ba;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{681DF8A2-228F-4958-A112-36CD25BD20AE}\MpKsleebcb9ba.sys [x]
R1 MpKslf83867e5;MpKslf83867e5;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{118DBAFC-2403-4E53-A0E5-66520508A40D}\MpKslf83867e5.sys [x]
R1 MpKslfdf9e547;MpKslfdf9e547;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{47771F47-29C5-40A6-B40D-6838C032C19A}\MpKslfdf9e547.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-05-29 366640]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\SMINST\BLService.exe [2008-10-06 365952]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [2010-01-21 110592]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [2009-06-16 20480]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-06-29 112128]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-05-29 22712]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2010-03-25 30969208]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-03-26 42368]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2009-02-13 11520]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-20 c:\windows\Tasks\HPCeeScheduleForVeronica.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2008-10-23 18:34]
.
2011-06-23 c:\windows\Tasks\RegistryBooster.job
- c:\program files\Uniblue\RegistryBooster\rbmonitor.exe [2011-03-14 15:31]
.
2011-06-16 c:\windows\Tasks\RegTask.job
- c:\program files\RegTask\RegTask.exe [2011-02-23 17:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Veronica\AppData\Roaming\Mozilla\Firefox\Profiles\m5wjplke.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Move Media Player: [email protected] - c:\users\Veronica\AppData\Roaming\Move Networks
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-23 16:54
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBXCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\DLBXtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-06-23 16:55:21
ComboFix-quarantined-files.txt 2011-06-23 20:55
ComboFix2.txt 2011-06-23 19:11
ComboFix3.txt 2011-06-23 18:46
ComboFix4.txt 2011-06-23 17:36
.
Pre-Run: 79,090,339,840 bytes free
Post-Run: 79,056,764,928 bytes free
.
- - End Of File - - A085FEDF1F82320C10A0C06B8DC44155

#18
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Well, that killed the rootkit I could see - let's see if Dr Web can find the culprit.

#19
Vero_

    Member

  • Topic Starter
  • 48 posts
It says no viruses found. What's next?

#20
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK, let's retry ComboFix to remove the JPGs. If ComboFix asks to update, please allow it to.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\Users\Veronica\Desktop\IMG_0578.JPG
C:\Users\Veronica\Desktop\IMG_0576.JPG
C:\Users\Veronica\Desktop\IMG_0577.JPG
C:\Users\Veronica\Desktop\IMG_0575.JPG
C:\Users\Veronica\Desktop\IMG_0574.JPG
C:\Users\Veronica\Desktop\IMG_0571.JPG
C:\Users\Veronica\Desktop\IMG_0572.JPG
C:\Users\Veronica\Desktop\IMG_0573.JPG
C:\Users\Veronica\Desktop\IMG_0570.JPG
C:\Users\Veronica\Desktop\IMG_0568.JPG
C:\Users\Veronica\Desktop\IMG_0569.JPG
C:\Users\Veronica\Desktop\IMG_0566.JPG
C:\Users\Veronica\Desktop\IMG_0567.JPG
C:\Users\Veronica\Desktop\IMG_0580.JPG
C:\Users\Veronica\Desktop\IMG_0579.JPG



Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

#21
Vero_

    Member

  • Topic Starter
  • 48 posts
OK. Here it is:
ComboFix 11-06-22.02 - Veronica 06/24/2011 15:00:28.3.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.1978.1127 [GMT -4:00]
Running from: c:\users\Veronica\Desktop\ComboFix.exe
Command switches used :: c:\users\Veronica\Desktop\CFScript.txt,.txt
AV: Microsoft Security Essentials *Disabled/Updated* {BF5CEBDC-F2D3-7540-343C-F0CE11FD6E66}
SP: Microsoft Security Essentials *Disabled/Updated* {043D0A38-D4E9-7ACE-0E8C-CBBC6A7A24DB}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\users\Veronica\Desktop\IMG_0566.JPG"
"c:\users\Veronica\Desktop\IMG_0567.JPG"
"c:\users\Veronica\Desktop\IMG_0568.JPG"
"c:\users\Veronica\Desktop\IMG_0569.JPG"
"c:\users\Veronica\Desktop\IMG_0570.JPG"
"c:\users\Veronica\Desktop\IMG_0571.JPG"
"c:\users\Veronica\Desktop\IMG_0572.JPG"
"c:\users\Veronica\Desktop\IMG_0573.JPG"
"c:\users\Veronica\Desktop\IMG_0574.JPG"
"c:\users\Veronica\Desktop\IMG_0575.JPG"
"c:\users\Veronica\Desktop\IMG_0576.JPG"
"c:\users\Veronica\Desktop\IMG_0577.JPG"
"c:\users\Veronica\Desktop\IMG_0578.JPG"
"c:\users\Veronica\Desktop\IMG_0579.JPG"
"c:\users\Veronica\Desktop\IMG_0580.JPG"
.
.
((((((((((((((((((((((((( Files Created from 2011-05-24 to 2011-06-24 )))))))))))))))))))))))))))))))
.
.
2011-06-24 19:07 . 2011-06-24 19:07 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-06-24 19:07 . 2011-06-24 19:07 -------- d-----w- c:\users\Guest\AppData\Local\temp
2011-06-24 18:56 . 2011-06-24 18:57 -------- d-----w- C:\32788R22FWJFW
2011-06-24 17:50 . 2011-06-24 17:50 28752 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{FDC58F4F-97EE-484C-B13F-ABD35B5F6F8B}\MpKsl8db17a9e.sys
2011-06-24 17:50 . 2011-06-07 15:55 7074640 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{FDC58F4F-97EE-484C-B13F-ABD35B5F6F8B}\mpengine.dll
2011-06-23 21:20 . 2011-06-23 21:20 -------- d-----w- c:\users\Veronica\DoctorWeb
2011-06-23 20:55 . 2011-06-24 19:08 -------- d-----w- c:\users\Veronica\AppData\Local\temp
2011-06-22 22:38 . 2011-06-22 22:38 -------- d-----w- C:\_OTL
2011-06-11 21:18 . 2011-06-11 21:18 -------- d-----w- c:\users\Guest\AppData\Local\Western_Digital
2011-06-11 21:18 . 2011-06-11 21:18 -------- d-----w- c:\users\Guest\AppData\Roaming\Western Digital
2011-06-11 21:18 . 2011-06-11 21:18 -------- d-----w- c:\users\Guest\AppData\Local\Western Digital
2011-06-04 00:05 . 2011-06-04 00:05 -------- d-----w- c:\users\Veronica\AppData\Local\Western_Digital
2011-06-01 02:09 . 2011-06-01 02:09 -------- d-----w- c:\users\Veronica\AppData\Roaming\Western Digital
2011-06-01 02:09 . 2011-06-01 02:09 -------- d-----w- c:\programdata\Western Digital
2011-06-01 02:08 . 2011-06-01 02:08 -------- d-----w- c:\program files\Western Digital
2011-06-01 02:07 . 2011-06-01 02:07 -------- d-----w- c:\users\Veronica\AppData\Local\Western Digital
2011-05-31 21:52 . 2011-05-31 21:52 -------- d-----w- c:\users\Guest\AppData\Local\Apple
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-07 15:55 . 2010-11-19 08:15 7074640 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-05-29 13:11 . 2011-04-21 01:05 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 13:11 . 2011-04-21 01:05 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2008-09-30 972080]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"RegistryBooster"="c:\program files\Uniblue\RegistryBooster\launcher.exe" [2011-03-14 67456]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-09-26 2356088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2008-09-24 468264]
"UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2008-10-07 210216]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-01 202032]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePDIRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-23 149280]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2008-01-21 215552]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1094224]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"DLBXCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\DLBXtime.dll" [2007-02-22 73728]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 136216]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 170520]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-02 421160]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-05-29 1047656]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]
.
c:\users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-12-16 503808]
.
c:\users\Veronica\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-12-16 503808]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2010-1-21 2057536]
WDSmartWare.lnk - c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe [2010-1-21 9136960]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R1 MpKsl00608dee;MpKsl00608dee;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5CF1F8BF-D447-47E2-BE96-5C07E270D106}\MpKsl00608dee.sys [x]
R1 MpKsl0909484c;MpKsl0909484c;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7AAF77A2-A3C2-46D9-91ED-A856A702EEBE}\MpKsl0909484c.sys [x]
R1 MpKsl0960289c;MpKsl0960289c;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{194E9C2A-569A-4BEA-BE6B-D1AFB9F40E1F}\MpKsl0960289c.sys [x]
R1 MpKsl19bbb742;MpKsl19bbb742;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4A0A44BC-031D-427E-89BF-86B61AA7C7EA}\MpKsl19bbb742.sys [x]
R1 MpKsl331eb652;MpKsl331eb652;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F72BFBBD-C39B-40A2-BA7F-2E1F8C63CE95}\MpKsl331eb652.sys [x]
R1 MpKsl39456dc4;MpKsl39456dc4;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B204BD14-A422-48A7-9FB0-6116EB3682C4}\MpKsl39456dc4.sys [x]
R1 MpKsl3d441665;MpKsl3d441665;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{CD74E0C3-9573-4D85-BB87-F3CE0E907865}\MpKsl3d441665.sys [x]
R1 MpKsl4b2e47a2;MpKsl4b2e47a2;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B3A7D507-EB24-4A58-B9BB-67F7C4191FD6}\MpKsl4b2e47a2.sys [x]
R1 MpKsl4e008ecf;MpKsl4e008ecf;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{EF8FE95A-6C4D-489E-B16C-155DEE7FEA5C}\MpKsl4e008ecf.sys [x]
R1 MpKsl5f96d20b;MpKsl5f96d20b;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{681DF8A2-228F-4958-A112-36CD25BD20AE}\MpKsl5f96d20b.sys [x]
R1 MpKsl70eb86f1;MpKsl70eb86f1;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B204BD14-A422-48A7-9FB0-6116EB3682C4}\MpKsl70eb86f1.sys [x]
R1 MpKsl725c43fb;MpKsl725c43fb;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4DFF6AE7-34CB-4859-8292-754870B21E0F}\MpKsl725c43fb.sys [x]
R1 MpKsl77c0eb11;MpKsl77c0eb11;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{6998CA14-BF33-4E18-A459-8F9D386FADF2}\MpKsl77c0eb11.sys [x]
R1 MpKsl831714da;MpKsl831714da;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{89FB1A7F-D6BE-4AB4-B663-05EC49BF9B22}\MpKsl831714da.sys [x]
R1 MpKsla6e529dd;MpKsla6e529dd;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5F34B971-36AB-4971-B1FD-D6E7F53B5AD5}\MpKsla6e529dd.sys [x]
R1 MpKslb47a9eff;MpKslb47a9eff;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{21C27F91-0AEC-446C-ADA7-B208B26229CD}\MpKslb47a9eff.sys [x]
R1 MpKslbe05309e;MpKslbe05309e;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F72BFBBD-C39B-40A2-BA7F-2E1F8C63CE95}\MpKslbe05309e.sys [x]
R1 MpKslc43f7ba2;MpKslc43f7ba2;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{681DF8A2-228F-4958-A112-36CD25BD20AE}\MpKslc43f7ba2.sys [x]
R1 MpKslcac93121;MpKslcac93121;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{118DBAFC-2403-4E53-A0E5-66520508A40D}\MpKslcac93121.sys [x]
R1 MpKslce46060e;MpKslce46060e;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F72BFBBD-C39B-40A2-BA7F-2E1F8C63CE95}\MpKslce46060e.sys [x]
R1 MpKsld3e85ddc;MpKsld3e85ddc;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{CD74E0C3-9573-4D85-BB87-F3CE0E907865}\MpKsld3e85ddc.sys [x]
R1 MpKsld45ac79f;MpKsld45ac79f;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{00E5D929-C79D-4DB0-A876-59AE00971250}\MpKsld45ac79f.sys [x]
R1 MpKsle07cee06;MpKsle07cee06;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F11AB576-502D-4E1C-B58A-71FA97F9BA76}\MpKsle07cee06.sys [x]
R1 MpKslea860ce8;MpKslea860ce8;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C6141F88-2BAF-4A53-B887-48AADFC1705B}\MpKslea860ce8.sys [x]
R1 MpKsleb0e88a5;MpKsleb0e88a5;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7AAF77A2-A3C2-46D9-91ED-A856A702EEBE}\MpKsleb0e88a5.sys [x]
R1 MpKsleebcb9ba;MpKsleebcb9ba;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{681DF8A2-228F-4958-A112-36CD25BD20AE}\MpKsleebcb9ba.sys [x]
R1 MpKslf83867e5;MpKslf83867e5;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{118DBAFC-2403-4E53-A0E5-66520508A40D}\MpKslf83867e5.sys [x]
R1 MpKslfdf9e547;MpKslfdf9e547;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{47771F47-29C5-40A6-B40D-6838C032C19A}\MpKslfdf9e547.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2010-03-25 30969208]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2009-02-13 11520]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-05-29 366640]
S2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\SMINST\BLService.exe [2008-10-06 365952]
S2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [2010-01-21 110592]
S2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [2009-06-16 20480]
S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-06-29 112128]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-05-29 22712]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-03-26 42368]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - DWPROT
*NewlyCreated* - MPKSL6A43D330
*NewlyCreated* - MPKSL8DB17A9E
*Deregistered* - Dwsh00007E95
*Deregistered* - MpKsl6a43d330
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-20 c:\windows\Tasks\HPCeeScheduleForVeronica.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2008-10-23 18:34]
.
2011-06-24 c:\windows\Tasks\RegistryBooster.job
- c:\program files\Uniblue\RegistryBooster\rbmonitor.exe [2011-03-14 15:31]
.
2011-06-16 c:\windows\Tasks\RegTask.job
- c:\program files\RegTask\RegTask.exe [2011-02-23 17:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Veronica\AppData\Roaming\Mozilla\Firefox\Profiles\m5wjplke.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Move Media Player: [email protected] - c:\users\Veronica\AppData\Roaming\Move Networks
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-24 15:08
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBXCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\DLBXtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-06-24 15:09:45
ComboFix-quarantined-files.txt 2011-06-24 19:09
ComboFix2.txt 2011-06-23 20:55
ComboFix3.txt 2011-06-23 19:11
ComboFix4.txt 2011-06-23 18:46
ComboFix5.txt 2011-06-24 18:57
.
Pre-Run: 77,033,865,216 bytes free
Post-Run: 77,165,461,504 bytes free
.
- - End Of File - - 559A111C37E0078E68938C369BA83B6E
  • 0

#22
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Are you still getting the ads?
  • 0

#23
Vero_

Vero_

    Member

  • Topic Starter
  • Member
  • PipPip
  • 48 posts
Yes still getting them. Why??
  • 0

#24
Vero_

Vero_

    Member

  • Topic Starter
  • Member
  • PipPip
  • 48 posts
Another thing called RegTask comes up. What is that?
  • 0

#25
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Did you not install that?

Go to Programs and Features in Control Panel and uninstall RegTask.

Also, are the ads specific with reference to websites/products?
  • 0

#26
Vero_

Vero_

    Member

  • Topic Starter
  • Member
  • PipPip
  • 48 posts
Ads on my screen right now are: Dove, pink letter b, I think maybe bingo. Deer crossing, even deer knows safety comes first, cat prays to fridge, robbery referral, plan b one step emergency contraception, ketchup robots. There are so many. And they change every 10 seconds.
  • 0

#27
Vero_

Vero_

    Member

  • Topic Starter
  • Member
  • PipPip
  • 48 posts
It's blinkxs player 4.3.324
  • 0

#28
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Within Programmes and Features, do you have anything like “blinkx beat”? It has set itself up as your screen saver.

control panel->personalization->screen saver - set to none
  • 0

#29
Vero_

Vero_

    Member

  • Topic Starter
  • Member
  • PipPip
  • 48 posts
OK, did that. Is my laptop clean now?
  • 0

#30
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Have the ads disappeared?
  • 0





