Full Version: Problems Left Over From Windows Police Pro Removal
Malwarebytes Forum > Computer Help > Malware Removal - HijackThis Logs
moelarrycurly
I have 3 problems & one question left over from a mostly successful removal of AntiPolice Pro/AntiVirus Pro/Total Security 2009 a couple of weeks ago. What's left over is:
(1) Event logs cannot be accessed; the Event Log service is stopped (although set for auto-startup) & will not start from Administrative Tools/Services; manual attempts to start produce "Error 126: The specified module could not be found." The path is correct & the file (services.exe) is in the proper place.
(2) Anti-Malware auto-updates don't function (manual updates work ok); the Task Scheduler service is stopped (although set for auto-startup) & will not start from Administrative Tools/Services; manual attempts to start produce "Error 1717: The interface is unknown." The path is correct & the file (svchost.exe) is in the proper place. (svchost.exe does seem to be working ok other than for Task Scheduler.)
(3) Anti-Malware Protection (real-time) doesn't function (manual scans work okay); the MBAMService service is stopped (although set for auto-startup) & will not start from Administrative Tools/Services; manual attempts to start produce "Error 3: The system cannot find the path specified." The path is correct & the file (mbamservice.exe) is in the proper place.
(4) The Question is, there is a suspicious Registry entry that Anti-Malware has not identified for removal. It is HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ANTIPPOLICE_, and it has a subkey 0000 with 7 data items. I wonder why Anti-Malware doesn't recognize this? (When I try to manually delete it, it will not delete.)
I believe there is probably some residual damage from the virus, resulting in these conditions (somehow stopping these services & then preventing them from being started).
Just curious if anyone is familiar with these conditions, and how to fix them?
I'm glad I found this forum tonight; hours of searching for fixes to these have not yet produced anything.
Thanx for reading!
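Added example, not code from the thread, from Malwarebytes or from ComboFix: a PowerShell check that resolves what each of the three services in the post actually loads. For Eventlog and Schedule the executable named in ImagePath (services.exe or svchost.exe) is only the host; the module it loads is recorded under the service's Parameters\ServiceDll value, which is usually what "Error 126: The specified module could not be found" is pointing at, so the script tests both. It assumes PowerShell 2.0 or later and that Eventlog, Schedule and MBAMService are the service names behind the three symptoms.

```powershell
# Added example, not code from the thread, Malwarebytes or ComboFix.
# For each service name, resolve the executable named in ImagePath and, where
# the service is hosted (services.exe / svchost.exe), the DLL named in
# Parameters\ServiceDll, then test whether each file is present. A present
# host .exe with a missing ServiceDll is what "Error 126: The specified module
# could not be found" usually looks like. Assumes PowerShell 2.0+ and that
# Eventlog, Schedule and MBAMService are the service names behind the post.
param([string[]]$ServiceNames = @('Eventlog', 'Schedule', 'MBAMService'))

function Resolve-ModulePath {
    param([string]$Raw)
    # Normalise the forms seen in service keys: quoted paths with arguments,
    # unquoted paths followed by "-k netsvcs", driver paths prefixed \??\,
    # and paths relative to %SystemRoot% (e.g. system32\DRIVERS\x.sys).
    $p = [Environment]::ExpandEnvironmentVariables($Raw).Trim()
    if ($p -match '^"([^"]+)"') { $p = $Matches[1] }
    elseif ($p -match '^(.+?\.(exe|dll|sys))(\s|$)') { $p = $Matches[1] }
    $p = $p -replace '^\\\?\?\\', ''
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function New-Finding {
    param([string]$Service, [string]$Item, [string]$Path)
    $exists = $false
    if ($Path) { $exists = Test-Path -LiteralPath $Path }
    $obj = New-Object PSObject
    $obj | Add-Member NoteProperty Service $Service
    $obj | Add-Member NoteProperty Item    $Item
    $obj | Add-Member NoteProperty Path    $Path
    $obj | Add-Member NoteProperty Exists  $exists
    return $obj
}

function Test-ServiceModules {
    param([string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path -LiteralPath $key)) {
        # No service key at all: the service was deleted, not just stopped.
        return New-Finding $Name 'ServiceKey' $key
    }
    $svc = Get-ItemProperty -LiteralPath $key
    $out = @()
    if ($svc.ImagePath) {
        $out += New-Finding $Name 'ImagePath' (Resolve-ModulePath $svc.ImagePath)
    }
    # Hosted services keep the real module here; a missing file is the
    # usual cause of "Error 126" even though ImagePath checks out.
    $params = Join-Path $key 'Parameters'
    if (Test-Path -LiteralPath $params) {
        $dll = (Get-ItemProperty -LiteralPath $params).ServiceDll
        if ($dll) {
            $out += New-Finding $Name 'ServiceDll' (Resolve-ModulePath $dll)
        }
    }
    return $out
}

$ServiceNames | ForEach-Object { Test-ServiceModules $_ } |
    Select-Object Service, Item, Path, Exists | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt on the affected machine; a row with Exists=False is the file a fix script would need to restore from ServicePackFiles or reinstall.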
AdvancedSetup
Please run the following and post back the log. We'll get you fixed up.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  2. During the download, rename Combofix to Combo-Fix as follows:
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------
  7. Double click on combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

If you still cannot get this to run, try booting into Safe Mode, and run it there.

To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode."

If this doesn't work either, try the same method (above method), but rename Combofix.exe to iexplore.exe or winlogon.exe instead.
This is because in some cases malware blocks EVERY process except those on its own whitelist, and this whitelist also includes important system processes such as iexplore.exe, explorer.exe and winlogon.exe.
AdvancedSetup
Please post an update on this. Thanks.
moelarrycurly
Hello! Thanks so much for the assistance!
Sorry for the delay - wanted to be sure I set aside enough time for this (first time for me with ComboFix).
Early in the ComboFix scan, it noted no Windows Recovery Console installed, and presented Yes/No options. I selected No, since I was unsure of that - hope that was the right thing. If I should have selected Yes, please advise and I'll rerun it for you.
A couple of quick notes: One, to correct my topic title - it's Windows Police Pro, not AntiPolice Pro (I guess I was thinking about the interesting Registry key with the ANTIPPOL name). Second, services.exe is shown as running in Task Manager, but I believe in fact it is stopped.
Here are paste-ins of the ComboFix and HijackThis logs requested.
Again, thanks!

ComboFix 09-10-26.06 - Paul Walker 10/27/2009 16:53.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1489 [GMT -5:00]
Running from: c:\documents and settings\Paul Walker\Desktop\Combo-Fix.exe
AV: PC-cillin Internet Security - Virus Protection *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: PC-cillin Internet Security - Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Install.txt
c:\windows\system32\Install.txt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IAS
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_Ias


((((((((((((((((((((((((( Files Created from 2009-09-27 to 2009-10-27 )))))))))))))))))))))))))))))))
.

2009-10-21 16:23 . 2009-10-21 16:23 -------- d-----w- c:\documents and settings\Paul Walker\Application Data\Uniblue
2009-10-21 16:23 . 2009-10-21 16:23 -------- d-----w- c:\program files\Uniblue
2009-10-15 18:52 . 2009-10-15 18:52 -------- d-----w- c:\documents and settings\Contingency\Application Data\Malwarebytes
2009-10-12 22:25 . 2009-10-12 22:25 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\SupportSoft
2009-10-12 18:58 . 2009-10-12 18:58 -------- d-----w- c:\documents and settings\Paul Walker\Local Settings\Application Data\Apple Computer
2009-10-12 17:53 . 2009-10-12 22:25 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-10-12 17:53 . 2009-10-12 17:53 -------- d-----w- c:\program files\NOS
2009-10-06 22:17 . 2009-10-06 22:17 0 ------w- c:\windows\nsreg.dat
2009-10-06 22:17 . 2009-10-06 22:17 -------- d-----w- c:\documents and settings\Paul Walker\Local Settings\Application Data\Mozilla
2009-10-05 19:34 . 2009-10-05 19:34 102664 ------w- c:\windows\system32\drivers\tmcomm.sys
2009-10-05 19:05 . 2009-10-05 19:49 -------- d-----w- c:\documents and settings\Administrator\.housecall6.6
2009-10-05 19:00 . 2009-10-05 19:00 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2009-10-05 18:58 . 2009-10-05 18:58 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-10-05 15:11 . 2009-10-21 16:49 -------- d-----w- C:\MalwareBytes
2009-10-01 14:00 . 2009-10-01 14:00 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-26 14:06 . 2009-10-26 14:06 20908293 ------w- c:\documents and settings\All Users\SPL10.tmp
2009-10-24 13:42 . 2008-02-19 07:02 103488 ------w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-23 17:27 . 2008-03-09 05:50 2516 --sh--w- c:\windows\system32\KGyGaAvL.sys
2009-10-23 17:26 . 2008-03-09 05:50 88 --sh--r- c:\windows\system32\4EBE654F96.sys
2009-10-23 17:26 . 2008-03-09 05:50 -------- d-----w- c:\documents and settings\Paul Walker\Application Data\Corel
2009-10-14 03:58 . 2008-03-09 19:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-10 01:05 . 2008-04-25 18:02 -------- d-----w- c:\program files\RR-Track v4
2009-10-05 22:33 . 2009-09-27 05:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\iolo
2009-10-01 20:58 . 2008-02-19 06:53 -------- d-----w- c:\program files\Trend Micro
2009-09-23 23:45 . 2009-09-23 23:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-09-23 19:11 . 2008-05-13 20:37 -------- d-----w- c:\program files\Microsoft Digital Image 10
2009-09-23 16:30 . 2009-09-23 16:30 -------- d-----w- c:\documents and settings\Paul Walker\Application Data\Malwarebytes
2009-09-23 16:30 . 2009-09-23 16:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-22 19:06 . 2009-04-05 16:20 -------- d-----w- c:\documents and settings\Guest\Application Data\968 Series
2009-09-22 18:57 . 2009-04-05 16:19 103488 ------w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-22 18:52 . 2009-09-22 18:52 -------- d-----w- c:\documents and settings\Guest\Application Data\iolo
2009-09-11 14:18 . 2004-08-11 22:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 19:54 . 2009-09-23 23:45 38224 ------w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2009-09-23 23:45 19160 ------w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03 . 2004-08-11 22:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 23:01 . 2009-03-31 15:51 -------- d-----w- c:\program files\CCleaner
2009-08-29 08:08 . 2004-08-11 22:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2004-08-11 22:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-18 04:33 . 2009-08-18 04:33 1193832 ------w- c:\windows\system32\FM20.DLL
2009-08-07 00:24 . 2004-08-11 22:12 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 00:24 . 2004-08-11 22:12 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 00:24 . 2007-07-31 00:19 44768 ------w- c:\windows\system32\wups2.dll
2009-08-07 00:24 . 2004-08-11 22:12 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 00:24 . 2004-08-11 22:12 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-07 00:24 . 2004-08-11 22:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 00:23 . 2004-08-11 22:12 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 00:23 . 2008-03-25 16:38 274288 ------w- c:\windows\system32\mucltui.dll
2009-08-07 00:23 . 2007-07-31 00:18 215920 ------w- c:\windows\system32\muweb.dll
2009-08-07 00:23 . 2004-08-11 22:12 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2004-08-11 22:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 2004-08-11 22:00 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-04 03:59 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-04-12 18:02 . 2009-04-12 18:01 2104360 ------w- c:\program files\hidemyip.exe
2009-03-31 15:49 . 2009-03-31 15:49 3190688 ------w- c:\program files\ccsetup218.exe
2009-01-03 20:11 . 2009-01-03 20:11 3634243 ------w- c:\program files\vdownloader.zip
2008-04-04 20:22 . 2008-04-04 20:22 17067560 ------w- c:\program files\DivXInstaller.exe
2008-04-01 23:48 . 2008-04-01 23:48 411509 ------w- c:\program files\GSpot270a.zip
2008-03-24 20:17 . 2008-03-24 20:17 14243808 ------w- c:\program files\Anonymizer_Software.exe
2004-09-10 18:40 . 2004-09-10 18:40 75264 ------w- c:\program files\DECCHECK.exe
2004-09-10 18:40 . 2004-09-10 18:40 5970 ------w- c:\program files\eula.txt
.

------- Sigcheck -------

[7] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\eventlog.dll
[7] 2004-08-04 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\eventlog.dll

c:\windows\system32\eventlog.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe" [2006-08-04 321040]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]
"HideMyIP2009"="c:\program files\Hide My IP 2009\HideMyIP2009.exe" [2009-03-29 889104]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-09-26 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes Anti-Malware (reboot)"="c:\malwarebytes\mbam.exe" [2009-09-10 1312080]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-23 8429568]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-11-13 23:00 10536 ------w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Image Transfer.lnk]
backup=c:\windows\pss\Image Transfer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"sofatnet"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dldocoms.exe"=
"c:\\Program Files\\Dell 968 AIO Printer\\dldomon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldopswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldotime.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldojswx.exe"=
"c:\\Program Files\\Dell 968 AIO Printer\\dldoaiox.exe"=
"c:\\Program Files\\Dell 968 AIO Printer\\DLDOFax.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"c:\\Program Files\\att-nap\\McciBrowser.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Anonymizer\\Anonymizer Software\\Common\\AnonProxy.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Anonymizer\\Anonymizer Software\\Anonymizer.exe"=
"c:\\Program Files\\Hide My IP 2009\\HideMyIP2009.exe"=

R2 dldo_device;dldo_device;c:\windows\system32\dldocoms.exe -service --> c:\windows\system32\dldocoms.exe -service [?]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [4/4/2009 12:57 PM 600944]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [4/4/2009 12:57 PM 600944]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [11/8/2007 7:19 PM 345696]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [11/8/2007 7:19 PM 923216]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [11/8/2007 7:20 PM 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [11/8/2007 7:19 PM 566872]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [9/23/2009 6:45 PM 19160]
R3 SecureSrv;SecureSrv;c:\program files\Hide My IP 2009\SecureSrv.exe [4/12/2009 1:03 PM 532784]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [11/8/2007 7:20 PM 280392]
S2 AnonMgmtSvc;Anonymizer Management Service;c:\program files\Anonymizer\Anonymizer Software\Common\AnonMgmtSvc.exe [11/17/2008 8:42 PM 37560]
S2 dldoCATSCustConnectService;dldoCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\dldoserv.exe [3/9/2008 12:37 AM 99568]
S2 MBAMService;MBAMService;"c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe" --> c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [?]
S3 getPlusHelper;getPlus® Helper;c:\windows\System32\svchost.exe -k getPlusHelper [8/11/2004 5:00 PM 14336]
S3 mfsdisk;mfsdisk;\??\c:\windows\system32\mfsdisk.sys --> c:\windows\system32\mfsdisk.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
BtwSrv
.
Contents of the 'Scheduled Tasks' folder

2009-10-10 c:\windows\Tasks\Malwarebytes' Scheduled Scan for Paul Walker.job
- c:\malwarebytes\mbam.exe [2009-10-05 19:53]

2009-10-10 c:\windows\Tasks\Malwarebytes' Scheduled Update for Paul Walker.job
- c:\malwarebytes\mbam.exe [2009-10-05 19:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://att.my.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6080219
uInternet Settings,ProxyServer = 75.102.39.210:58258
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\SecureNet.dll
FF - ProfilePath - c:\documents and settings\Paul Walker\Application Data\Mozilla\Firefox\Profiles\1mflqt84.default\
FF - prefs.js: browser.startup.homepage - hxxp://att.my.yahoo.com/
FF - prefs.js: network.proxy.ftp - 75.102.39.210
FF - prefs.js: network.proxy.ftp_port - 58258
FF - prefs.js: network.proxy.gopher - 75.102.39.210
FF - prefs.js: network.proxy.gopher_port - 58258
FF - prefs.js: network.proxy.http - 75.102.39.210
FF - prefs.js: network.proxy.http_port - 58258
FF - prefs.js: network.proxy.socks - 75.102.39.210
FF - prefs.js: network.proxy.socks_port - 58258
FF - prefs.js: network.proxy.ssl - 75.102.39.210
FF - prefs.js: network.proxy.ssl_port - 58258
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\documents and settings\Paul Walker\Application Data\Mozilla\Firefox\Profiles\1mflqt84.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
HKLM-Run-Malwarebytes' Anti-Malware - c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-27 16:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2112616915-2110991331-1531577997-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9e,a4,14,98,01,db,09,45,a9,1b,e5,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9e,a4,14,98,01,db,09,45,a9,1b,e5,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1032)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

- - - - - - - > 'lsass.exe'(1088)
c:\windows\system32\SecureNet.dll

- - - - - - - > 'explorer.exe'(2708)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\windows\system32\CDRTC.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\dldocoms.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\windows\system32\nvsvc32.exe
c:\progra~1\TRENDM~1\INTERN~1\PcCtlCom.exe
c:\windows\system32\PSIService.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\combo-fix\CF101.exe
c:\progra~1\TRENDM~1\INTERN~1\PccGuide.exe
c:\combo-fix\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-27 17:02 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-27 22:02

Pre-Run: 440,172,810,240 bytes free
Post-Run: 440,075,501,568 bytes free

Current=6 Default=6 Failed=5 LastKnownGood=7 Sets=1,2,3,4,5,6,7
- - End Of File - - 4E6A8609E76316E5E7C471B265DDC61C


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:09:30 PM, on 10/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\dldocoms.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Hide My IP 2009\HideMyIP2009.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\Hide My IP 2009\SecureSrv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6080219
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 75.102.39.210:58258
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\MalwareBytes\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [HideMyIP2009] C:\Program Files\Hide My IP 2009\HideMyIP2009.exe
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1206375737171
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Anonymizer Management Service (AnonMgmtSvc) - Anonymizer - C:\Program Files\Anonymizer\Anonymizer Software\Common\AnonMgmtSvc.exe
O23 - Service: dldoCATSCustConnectService - Unknown owner - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\dldoserv.exe
O23 - Service: dldo_device - - C:\WINDOWS\system32\dldocoms.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: MBAMService - Unknown owner - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (file missing)
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SecureSrv - My Privacy Tools, Inc. - C:\Program Files\Hide My IP 2009\SecureSrv.exe
O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 9350 bytes
moelarrycurly
Interesting, that the logs show eventlog.dll and mbamservice.exe as missing.
AdvancedSetup
Did you set these proxy settings on purpose? If not then you should remove them
uInternet Settings,ProxyServer = 75.102.39.210:58258
uInternet Settings,ProxyOverride = <local>
FF - prefs.js: network.proxy.ftp - 75.102.39.210
FF - prefs.js: network.proxy.ftp_port - 58258
FF - prefs.js: network.proxy.gopher - 75.102.39.210
FF - prefs.js: network.proxy.gopher_port - 58258
FF - prefs.js: network.proxy.http - 75.102.39.210
FF - prefs.js: network.proxy.http_port - 58258
FF - prefs.js: network.proxy.socks - 75.102.39.210
FF - prefs.js: network.proxy.socks_port - 58258
FF - prefs.js: network.proxy.ssl - 75.102.39.210
FF - prefs.js: network.proxy.ssl_port - 58258

STEP 02
Download but do not yet run ComboFix
If you have a previous version of Combofix.exe, delete it and download a fresh copy.
Download it to your DESKTOP - it MUST run from the Desktop
download.bleepingcomputer.com/sUBs/ComboFix.exe
subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines
CODE
KILLALL::
FCopy::
c:\windows\ServicePackFiles\i386\eventlog.dll | c:\windows\system32\eventlog.dll
Driver::
mfsdisk
File::
c:\windows\system32\mfsdisk.sys
c:\documents and settings\All Users\SPL10.tmp
c:\windows\system32\4EBE654F96.sys
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
NetSvc::
BtwSrv


Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disconnect from the Internet.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
    When the scan completes, Notepad will open with your results log. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

STEP 03
Please go into the Control Panel, Add/Remove and for now remove ALL versions of JAVA

Then run this tool to help cleanup any left over Java
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please download JavaRa and unzip it to your desktop.
***Please close any instances of Internet Explorer (or other web browser) before continuing!***
  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it back when you reply

    Then look for the following Java folders and if found delete them.
    C:\Program Files\Java
    C:\Program Files\Common Files\Java
    C:\Windows\Sun
    C:\Documents and Settings\All Users\Application Data\Java
    C:\Documents and Settings\All Users\Application Data\Sun\Java
    C:\Documents and Settings\username\Application Data\Java
    C:\Documents and Settings\username\Application Data\Sun\Java


STEP 04
    Download and install CCleaner
  • CCleaner
  • Double-click on the downloaded file "ccsetup225_slim.exe" and install the application.
  • Keep the default installation folder "C:\Program Files\CCleaner"
  • Click finish when done and close ALL PROGRAMS
  • Start the CCleaner program.
  • Click on Registry and Uncheck Registry Integrity so that it does not run (basically the very top, uncheck it)
  • Click on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"
  • Click back to Cleaner and under SYSTEM uncheck the Memory Dumps and Windows Log Files
  • Click on Run Cleaner button on the bottom right side of the program.
  • Click OK to any prompts

Restart the computer now

STEP 05
Download and Update Java Runtime
The most current version of Sun Java is: Java Runtime Environment (JRE) 6 Update 16.
  • Go to http://java.sun.com/javase/downloads/index.jsp
  • Go to Java SE Runtime Environment (JRE) - JRE 6 Update 16 about half way down the page and click on the Download button.
  • In Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says jre-6u16-windows-i586.exe and save the downloaded file to your desktop.
  • Install the new version by running the newly-downloaded file with the java icon which will be on your desktop, and follow the on-screen instructions.
  • Uncheck the Toolbar button (unless you want the toolbar)
  • Reboot your computer


STEP 06
Update and Scan with Malwarebytes' Anti-Malware
  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log and a new Hijackthis log.
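AdvancedSetup's question about the proxy entries is the kind of check a helper does by eye; as an added example (not from this thread, ComboFix or Malwarebytes), here is a Python triage that parses the IE "uInternet Settings" and Firefox prefs.js proxy lines in the format ComboFix prints and flags browsers routed through an external host. The sample lines are copied from the log above; the 127.0.0.1 control case and the corporate-style per-protocol IE value in the comments are constructed.

```python
import ipaddress
import re

# Constructed sample: the IE ("uInternet Settings") and Firefox (prefs.js)
# proxy lines copied from the ComboFix log in this thread.
SAMPLE_LOG = """\
uInternet Settings,ProxyServer = 75.102.39.210:58258
uInternet Settings,ProxyOverride = <local>
FF - prefs.js: network.proxy.ftp - 75.102.39.210
FF - prefs.js: network.proxy.ftp_port - 58258
FF - prefs.js: network.proxy.gopher - 75.102.39.210
FF - prefs.js: network.proxy.gopher_port - 58258
FF - prefs.js: network.proxy.http - 75.102.39.210
FF - prefs.js: network.proxy.http_port - 58258
FF - prefs.js: network.proxy.socks - 75.102.39.210
FF - prefs.js: network.proxy.socks_port - 58258
FF - prefs.js: network.proxy.ssl - 75.102.39.210
FF - prefs.js: network.proxy.ssl_port - 58258
FF - prefs.js: network.proxy.type - 1
"""

# Constructed control case: a proxy on the same machine (a local filtering
# tool, for instance) that should not be reported.
LOCAL_LOG = "uInternet Settings,ProxyServer = 127.0.0.1:8080\n"

IE_PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(?P<value>\S+)")
FF_PROXY_RE = re.compile(
    r"^FF - prefs\.js: network\.proxy\.(?P<name>\w+)\s*-\s*(?P<value>\S+)"
)


def parse_proxies(text):
    """Parse the proxy lines into per-browser {protocol: (host, port)} tables.

    The IE ProxyServer value is either "host:port" (applies to all protocols)
    or "http=host:port;ftp=host:port;..." (per protocol). Firefox stores the
    host and the port in separate prefs, which are joined here by protocol.
    """
    ie = {}
    ff_hosts, ff_ports = {}, {}
    ff_type = None
    for line in text.splitlines():
        m = IE_PROXY_RE.match(line)
        if m:
            for part in m.group("value").split(";"):
                proto, _, hostport = part.rpartition("=")
                host, sep, port = hostport.rpartition(":")
                if not sep:                      # no port given
                    host, port = hostport, None
                ie[proto or "all"] = (host, int(port) if port else None)
            continue
        m = FF_PROXY_RE.match(line)
        if m:
            name, value = m.group("name"), m.group("value")
            if name == "type":
                ff_type = int(value)             # 1 = manual proxy configuration
            elif name.endswith("_port"):
                ff_ports[name[:-5]] = int(value)
            else:
                ff_hosts[name] = value
    firefox = {p: (h, ff_ports.get(p)) for p, h in ff_hosts.items()}
    return {"IE": ie, "Firefox": firefox, "ff_type": ff_type}


def is_external(host):
    """True unless the proxy host is loopback, RFC 1918 or link-local."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host.lower() != "localhost"       # a hostname: treat as external
    return not (addr.is_loopback or addr.is_private or addr.is_link_local)


def triage(text):
    """Return the findings a helper would ask the user to confirm."""
    parsed = parse_proxies(text)
    findings = []
    endpoints = set()
    for browser in ("IE", "Firefox"):
        for proto, (host, port) in parsed[browser].items():
            endpoints.add((host, port))
            if is_external(host):
                findings.append(
                    f"{browser}: {proto} traffic is proxied through external {host}:{port}"
                )
    if parsed["ff_type"] == 1 and parsed["Firefox"]:
        findings.append("Firefox: network.proxy.type=1, the manual proxy is active")
    if len(endpoints) == 1 and parsed["IE"] and parsed["Firefox"]:
        host, port = next(iter(endpoints))
        findings.append(
            f"IE and Firefox share the endpoint {host}:{port}; "
            "identify the installed program that set it before removing it"
        )
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

In this thread the shared endpoint turned out to be set by Hide My IP 2009, which is exactly why the last finding asks for the owning program rather than recommending removal.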

moelarrycurly
Hello!
I have made limited (but still good, I think) progress. Below is my update from tonight so far:
STEP 01: These are proxy IPs set by Hide My IP 2009 during Windows startup, and are legitimate. If they need to not be there for ComboFix, that could probably be done by me disabling Hide My IP from auto-startup before running ComboFix. Please let me know if you would like me to do this.
STEP 02: By the point where ComboFix prompted the Windows Recovery Console install, I had previously disabled the Internet connection. When I went to Enable (to get the download) in Control Panel, it would not enable. So, there seemed no choice but for ComboFix to complete its scan without that.
Question: Should I leave the Internet connection enabled at the launching of ComboFix? (That seems to be the only way I could get the Windows Recovery Console download?)
STEPS 03 - 06: I did not complete these due to concern that I had not successfully completed STEP 02, and pending your advice re: the above question.
Note: Just a quick look at Event Viewer showed that all logs can now be accessed, and appear populated with all historic events.
Again, thank you so much for your assistance
Pasted in below is the ComboFix log.

ComboFix 09-10-28.01 - Paul Walker 10/28/2009 21:36.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1585 [GMT -5:00]
Running from: c:\documents and settings\Paul Walker\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Paul Walker\Desktop\CFscript.txt
AV: PC-cillin Internet Security - Virus Protection *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: PC-cillin Internet Security - Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
"c:\documents and settings\All Users\SPL10.tmp"
"c:\windows\system32\4EBE654F96.sys"
"c:\windows\system32\mfsdisk.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\SPL10.tmp
c:\windows\system32\4EBE654F96.sys

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\eventlog.dll --> c:\windows\system32\eventlog.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MFSDISK
-------\Service_mfsdisk


((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-29 )))))))))))))))))))))))))))))))
.

2009-10-29 02:36 . 2008-04-14 00:11 56320 ----a-w- c:\windows\system32\eventlog.dll
2009-10-29 02:36 . 2008-04-14 00:11 56320 ----a-w- c:\windows\system32\dllcache\eventlog.dll
2009-10-21 16:23 . 2009-10-21 16:23 -------- d-----w- c:\documents and settings\Paul Walker\Application Data\Uniblue
2009-10-21 16:23 . 2009-10-21 16:23 -------- d-----w- c:\program files\Uniblue
2009-10-15 18:52 . 2009-10-15 18:52 -------- d-----w- c:\documents and settings\Contingency\Application Data\Malwarebytes
2009-10-12 22:25 . 2009-10-12 22:25 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\SupportSoft
2009-10-12 18:58 . 2009-10-12 18:58 -------- d-----w- c:\documents and settings\Paul Walker\Local Settings\Application Data\Apple Computer
2009-10-12 17:53 . 2009-10-12 22:25 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-10-12 17:53 . 2009-10-12 17:53 -------- d-----w- c:\program files\NOS
2009-10-06 22:17 . 2009-10-06 22:17 0 ------w- c:\windows\nsreg.dat
2009-10-06 22:17 . 2009-10-06 22:17 -------- d-----w- c:\documents and settings\Paul Walker\Local Settings\Application Data\Mozilla
2009-10-05 19:34 . 2009-10-05 19:34 102664 ------w- c:\windows\system32\drivers\tmcomm.sys
2009-10-05 19:05 . 2009-10-05 19:49 -------- d-----w- c:\documents and settings\Administrator\.housecall6.6
2009-10-05 19:00 . 2009-10-05 19:00 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2009-10-05 18:58 . 2009-10-05 18:58 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-10-05 15:11 . 2009-10-21 16:49 -------- d-----w- C:\MalwareBytes
2009-10-01 14:00 . 2009-10-01 14:00 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-24 13:42 . 2008-02-19 07:02 103488 ------w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-23 17:27 . 2008-03-09 05:50 2516 --sh--w- c:\windows\system32\KGyGaAvL.sys
2009-10-23 17:26 . 2008-03-09 05:50 -------- d-----w- c:\documents and settings\Paul Walker\Application Data\Corel
2009-10-14 03:58 . 2008-03-09 19:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-10 01:05 . 2008-04-25 18:02 -------- d-----w- c:\program files\RR-Track v4
2009-10-05 22:33 . 2009-09-27 05:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\iolo
2009-10-01 20:58 . 2008-02-19 06:53 -------- d-----w- c:\program files\Trend Micro
2009-09-23 23:45 . 2009-09-23 23:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-09-23 19:11 . 2008-05-13 20:37 -------- d-----w- c:\program files\Microsoft Digital Image 10
2009-09-23 16:30 . 2009-09-23 16:30 -------- d-----w- c:\documents and settings\Paul Walker\Application Data\Malwarebytes
2009-09-23 16:30 . 2009-09-23 16:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-22 19:06 . 2009-04-05 16:20 -------- d-----w- c:\documents and settings\Guest\Application Data\968 Series
2009-09-22 18:57 . 2009-04-05 16:19 103488 ------w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-22 18:52 . 2009-09-22 18:52 -------- d-----w- c:\documents and settings\Guest\Application Data\iolo
2009-09-11 14:18 . 2004-08-11 22:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 19:54 . 2009-09-23 23:45 38224 ------w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2009-09-23 23:45 19160 ------w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03 . 2004-08-11 22:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2004-08-11 22:00 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2004-08-11 22:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-18 04:33 . 2009-08-18 04:33 1193832 ------w- c:\windows\system32\FM20.DLL
2009-08-07 00:24 . 2004-08-11 22:12 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 00:24 . 2004-08-11 22:12 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 00:24 . 2007-07-31 00:19 44768 ------w- c:\windows\system32\wups2.dll
2009-08-07 00:24 . 2004-08-11 22:12 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 00:24 . 2004-08-11 22:12 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-07 00:24 . 2004-08-11 22:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 00:23 . 2004-08-11 22:12 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 00:23 . 2008-03-25 16:38 274288 ------w- c:\windows\system32\mucltui.dll
2009-08-07 00:23 . 2007-07-31 00:18 215920 ------w- c:\windows\system32\muweb.dll
2009-08-07 00:23 . 2004-08-11 22:12 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2004-08-11 22:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 2004-08-11 22:00 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-04 03:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-04-12 18:02 . 2009-04-12 18:01 2104360 ------w- c:\program files\hidemyip.exe
2009-03-31 15:49 . 2009-03-31 15:49 3190688 ------w- c:\program files\ccsetup218.exe
2009-01-03 20:11 . 2009-01-03 20:11 3634243 ------w- c:\program files\vdownloader.zip
2008-04-04 20:22 . 2008-04-04 20:22 17067560 ------w- c:\program files\DivXInstaller.exe
2008-04-01 23:48 . 2008-04-01 23:48 411509 ------w- c:\program files\GSpot270a.zip
2008-03-24 20:17 . 2008-03-24 20:17 14243808 ------w- c:\program files\Anonymizer_Software.exe
2004-09-10 18:40 . 2004-09-10 18:40 75264 ------w- c:\program files\DECCHECK.exe
2004-09-10 18:40 . 2004-09-10 18:40 5970 ------w- c:\program files\eula.txt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe" [2006-08-04 321040]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]
"HideMyIP2009"="c:\program files\Hide My IP 2009\HideMyIP2009.exe" [2009-03-29 889104]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-09-26 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes Anti-Malware (reboot)"="c:\malwarebytes\mbam.exe" [2009-09-10 1312080]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-23 8429568]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-11-13 23:00 10536 ------w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Image Transfer.lnk]
backup=c:\windows\pss\Image Transfer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dldocoms.exe"=
"c:\\Program Files\\Dell 968 AIO Printer\\dldomon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldopswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldotime.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldojswx.exe"=
"c:\\Program Files\\Dell 968 AIO Printer\\dldoaiox.exe"=
"c:\\Program Files\\Dell 968 AIO Printer\\DLDOFax.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"c:\\Program Files\\att-nap\\McciBrowser.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Anonymizer\\Anonymizer Software\\Common\\AnonProxy.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Anonymizer\\Anonymizer Software\\Anonymizer.exe"=
"c:\\Program Files\\Hide My IP 2009\\HideMyIP2009.exe"=

R2 dldo_device;dldo_device;c:\windows\system32\dldocoms.exe -service --> c:\windows\system32\dldocoms.exe -service [?]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [4/4/2009 12:57 PM 600944]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [4/4/2009 12:57 PM 600944]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [11/8/2007 7:19 PM 345696]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [11/8/2007 7:19 PM 923216]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [11/8/2007 7:20 PM 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [11/8/2007 7:19 PM 566872]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [9/23/2009 6:45 PM 19160]
R3 SecureSrv;SecureSrv;c:\program files\Hide My IP 2009\SecureSrv.exe [4/12/2009 1:03 PM 532784]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [11/8/2007 7:20 PM 280392]
S2 AnonMgmtSvc;Anonymizer Management Service;c:\program files\Anonymizer\Anonymizer Software\Common\AnonMgmtSvc.exe [11/17/2008 8:42 PM 37560]
S2 dldoCATSCustConnectService;dldoCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\dldoserv.exe [3/9/2008 12:37 AM 99568]
S2 MBAMService;MBAMService;"c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe" --> c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [?]
S3 getPlusHelper;getPlus® Helper;c:\windows\System32\svchost.exe -k getPlusHelper [8/11/2004 5:00 PM 14336]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2009-10-29 c:\windows\Tasks\Malwarebytes' Scheduled Scan for Paul Walker.job
- c:\malwarebytes\mbam.exe [2009-10-05 19:53]

2009-10-29 c:\windows\Tasks\Malwarebytes' Scheduled Update for Paul Walker.job
- c:\malwarebytes\mbam.exe [2009-10-05 19:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://att.my.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6080219
uInternet Settings,ProxyServer = 207.218.231.216:58258
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\SecureNet.dll
FF - ProfilePath - c:\documents and settings\Paul Walker\Application Data\Mozilla\Firefox\Profiles\1mflqt84.default\
FF - prefs.js: browser.startup.homepage - hxxp://att.my.yahoo.com/
FF - prefs.js: network.proxy.ftp - 207.218.231.216
FF - prefs.js: network.proxy.ftp_port - 58258
FF - prefs.js: network.proxy.gopher - 207.218.231.216
FF - prefs.js: network.proxy.gopher_port - 58258
FF - prefs.js: network.proxy.http - 207.218.231.216
FF - prefs.js: network.proxy.http_port - 58258
FF - prefs.js: network.proxy.socks - 207.218.231.216
FF - prefs.js: network.proxy.socks_port - 58258
FF - prefs.js: network.proxy.ssl - 207.218.231.216
FF - prefs.js: network.proxy.ssl_port - 58258
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\documents and settings\Paul Walker\Application Data\Mozilla\Firefox\Profiles\1mflqt84.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-28 21:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2112616915-2110991331-1531577997-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9e,a4,14,98,01,db,09,45,a9,1b,e5,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9e,a4,14,98,01,db,09,45,a9,1b,e5,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1032)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

- - - - - - - > 'lsass.exe'(1088)
c:\windows\system32\SecureNet.dll

- - - - - - - > 'explorer.exe'(1480)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\windows\system32\CDRTC.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
c:\windows\system32\dldocoms.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\windows\system32\nvsvc32.exe
c:\progra~1\TRENDM~1\INTERN~1\PcCtlCom.exe
c:\windows\system32\PSIService.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\combofix\CF5821.exe
c:\progra~1\TRENDM~1\INTERN~1\PccGuide.exe
c:\combofix\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-29 21:44 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-29 02:44
ComboFix2.txt 2009-10-27 22:02

Pre-Run: 440,093,229,056 bytes free
Post-Run: 440,050,511,872 bytes free

Current=6 Default=6 Failed=5 LastKnownGood=7 Sets=1,2,3,4,5,6,7
- - End Of File - - 3557A4F00DA81E4BAEBDC0117F41FF09
moelarrycurly
Also, a check of Administrative Tools/Services shows Event Log and Task Scheduler as started, although MBAMService remains stopped.
AdvancedSetup
Please download the following program to your desktop. Close all other open applications and then run the program.
It will restore file permissions to the system and automatically restart the computer when done.
restoredefaultperms.exe

Then please download and run the following fix from Microsoft: How do I restore security settings to the default settings?
When completed please reboot your computer.




Then run the following if you can, if not let me know.

Please try this on the computer that is having an issue.

1. Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.
2. Restart your computer (very important).
3. Download and run this utility. mbam-clean.exe
4. It will ask to restart your computer (please allow it to).
5. After the computer restarts, install the latest version from here. mbam-setup.exe
Note: You will need to reactivate the program using the license you were sent
Launch the program and set the Protection and Registration. Then go to the UPDATE tab if not done during installation and check for updates.
Run a Quick Scan and post back the log.
moelarrycurly
Everything from your last post completed successfully.
AntiMalware running successfully after reinstall, including the previously stopped MBAMService.exe
A minor problem I hadn't even mentioned in my original post was also fixed (Adobe Photoshop Elements failure to launch).
All automatically started services are started appropriately.
Here is the Quick Scan log requested:

Malwarebytes' Anti-Malware 1.41
Database version: 3064
Windows 5.1.2600 Service Pack 3

10/30/2009 10:41:26 PM
mbam-log-2009-10-30 (22-41-26).txt

Scan type: Quick Scan
Objects scanned: 126188
Time elapsed: 5 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\scrfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
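The two Broken.OpenCommand items are worth understanding rather than just deleting: the shell "open" handler for .scr and .reg files had been pointed at Notepad, so a .reg fix would display as text instead of merging. As an added example (not part of this thread or of Malwarebytes), the Python below parses "Registry Data Items Infected" lines in the format shown above and re-checks the Bad value against a baseline built from the Good values the log prints; the third sample line and the exefile lookup in the test are constructed.

```python
import re

# Constructed sample: the two "Registry Data Items Infected" lines from the
# Malwarebytes log above, plus one non-item line to show the parser skipping it.
SAMPLE_LINES = [
    'HKEY_CLASSES_ROOT\\scrfile\\shell\\open\\command\\(default) (Broken.OpenCommand) '
    '-> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> Quarantined and deleted successfully.',
    'HKEY_CLASSES_ROOT\\regfile\\shell\\open\\command\\(default) (Broken.OpenCommand) '
    '-> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> Quarantined and deleted successfully.',
    '(No malicious items detected)',
]

# Line shape: <key>\(default) (<detection>) -> Bad: (<bad>) Good: (<good>) -> <action>.
DATA_ITEM_RE = re.compile(
    r"^(?P<key>HKEY_\S+?)\\\(default\) "
    r"\((?P<detection>[^)]+)\) -> "
    r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> "
    r"(?P<action>.+?)\.?$"
)

# Known-good default open commands, taken from the "Good:" field of the log
# lines above. Extend this table from a clean reference machine, never from
# the suspect one.
EXPECTED_OPEN_COMMAND = {
    "scrfile": '"%1" /S',
    "regfile": 'regedit.exe "%1"',
}


def parse_data_item(line):
    """Parse one 'Registry Data Items Infected' line; None if the line is not one."""
    m = DATA_ITEM_RE.match(line)
    if not m:
        return None
    item = m.groupdict()
    parts = item["key"].split("\\")
    item["hive"], item["progid"] = parts[0], parts[1]
    # HKCR\<progid>\shell\<verb>\command holds the command Explorer runs for that verb
    item["verb"] = parts[3] if len(parts) >= 5 and parts[2].lower() == "shell" else None
    return item


def check_open_command(progid, current):
    r"""Compare a live HKCR\<progid>\shell\open\command value with the baseline.

    Returns (ok, reason); ok is None when there is no baseline for progid.
    """
    expected = EXPECTED_OPEN_COMMAND.get(progid)
    if expected is None:
        return None, f"no baseline for {progid}"
    if current.strip() == expected:
        return True, "matches the default"
    handler = current.strip().split()[0].strip('"').lower()
    ext = progid[:-4] if progid.endswith("file") else progid
    if handler.endswith("notepad.exe"):
        # The pattern in the log above: the handler is swapped for Notepad, so a
        # .reg file is shown as text instead of merged and a .scr is never run.
        return False, f".{ext} files open in Notepad instead of '{expected}'"
    return False, f".{ext} handler is {current!r}, expected {expected!r}"


def triage_log(lines):
    """Parse each data-item line and re-check its 'Bad:' value against the baseline."""
    report = []
    for line in lines:
        item = parse_data_item(line)
        if item is None:
            continue
        ok, reason = check_open_command(item["progid"], item["bad"])
        report.append((item["progid"], item["detection"], ok, reason))
    return report


if __name__ == "__main__":
    for progid, detection, ok, reason in triage_log(SAMPLE_LINES):
        print(f"{progid:8} {detection:20} ok={ok} {reason}")
```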


AdvancedSetup
That looks good.

Please download and run the following tool and reboot when it asks you to.
http://oldtimer.geekstogo.com/OTC.exe

Then uninstall any versions of Java prior to the latest.
After removal and another reboot you can run this update.
Download and Update Java Runtime
The most current version of Sun Java is: Java Runtime Environment (JRE) 6 Update 16.
  • Go to http://java.sun.com/javase/downloads/index.jsp
  • Go to Java SE Runtime Environment (JRE) - JRE 6 Update 16 about half way down the page and click on the Download button.
  • In Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says jre-6u16-windows-i586.exe and save the downloaded file to your desktop.
  • Install the new version by running the newly-downloaded file with the java icon which will be on your desktop, and follow the on-screen instructions.
  • Uncheck the Toolbar button (unless you want the toolbar)
  • Reboot your computer



Then let's get an Online AV scan to make sure all is good.

Please temporarily disable your current Anti-Virus in order to run this Online Scanner.
Using Internet Explorer:
  • Vista and Windows 7 users need to right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.
  • Click here to run the Eset Online Scanner using Internet Explorer.
  • Click on the ESET Online Scanner button.
  • Click on the checkbox Yes, I accept the Terms of Use and click on the Start button.
  • By default the ActiveX installer will be blocked by Internet Explorer. You should see a yellow banner at the top of the Window.
  • Click the top of the Window and select "Run ActiveX Control" and then click the Run button on the next dialog box.
  • Click the Retry button if prompted to resend the request to load and run the ActiveX control from ESET
  • Make sure you Uncheck the Remove found threats checkbox in case we need you to submit a copy of any files found.
  • Click on the Advanced settings selection in the middle and place a checkmark on the following items
  • Scan for potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology
  • Under Current scan targets: click the Change... item and make sure it's set to Local drives and the Operating memory
  • Then click on the Start button and it will start downloading signature database files to update the program
  • Once the database files are downloaded it should automatically start scanning your system for threats.
  • When the scanner is done please click on the List of found threats and click on Export to text file...
  • Save the file as NOD32_SCAN.TXT to your Desktop
  • Click the << Back button. For now do not uninstall the program or delete the quarantine files, just click the Finish button.
  • The next screen is an advertisement to purchase the product. You can just close that window for now.
  • If we need to run the program later on it can be run from here: C:\Program Files\ESET\ESET Online Scanner\OnlineScannerApp.exe
  • Open the file you saved to your Desktop as NOD32_SCAN.TXT and select all and copy/paste it back on your next reply

Using Another Browser
  • Please click here to launch the application which installs and launches ESET Online Scanner in a separate window.
  • You will first need to save the file to your Desktop and double-click on it to run it. Vista and Windows 7 users need to right-click and choose "Run as Administrator".
  • You should be prompted with "Do you want to run this file?", click on the Run button.
  • Click on the checkbox Yes, I accept the Terms of Use and click on the Start button.
  • The program will download further files to use with the scanner and allow you to change options.
  • Make sure you Uncheck the Remove found threats checkbox in case we need you to submit a copy of any files found.
  • Click on the Advanced settings selection in the middle and place a checkmark on the following items
  • Scan for potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology
  • Under Current scan targets: click the Change... item and make sure it's set to Local drives and the Operating memory
  • Then click on the Start button and it will start downloading signature database files to update the program
  • Once the database files are downloaded it should automatically start scanning your system for threats.
  • When the scanner is done please click on the List of found threats and click on Export to text file...
  • Save the file as NOD32_SCAN.TXT to your Desktop
  • Click the << Back button. For now do not uninstall the program or delete the quarantine files, just click the Finish button.
  • The next screen is advertisement to purchase the product. You can just close that window for now.
  • If we need to run the program later on it can be run from here: C:\Program Files\ESET\ESET Online Scanner\OnlineScannerApp.exe
  • Open the file you saved to your Desktop as NOD32_SCAN.TXT and select all and copy/paste it back on your next reply


moelarrycurly
Everything from your last post completed successfully.
Eset scan showed "No Threats Found", so no log to post from that.
I believe we are looking pretty good here.
I'll plan to make some time tonight to pretty much check out all the applications and processes one more time, and then post back here.
Again, thanks for all your help with this.
AdvancedSetup
Great, all looks good now.

I'll close your post soon so that others don't post into it and leave you with this information and suggestions.

So how did I get infected in the first place?


At this time your system appears to be clean. Nothing else in the logs indicates that you are still infected.
Now that you appear to be clean, please follow these simple steps in order to keep your computer clean and secure:

Remove all but the most recent Restore Point on Windows XP

You should Create a New Restore Point to prevent possible reinfection from an old one.
Some of the malware you picked up could have been saved in System Restore.
Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point.
Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • If the shortcut is missing you can also click on START > RUN > and type in %SystemRoot%\system32\restore\rstrui.exe and click OK
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next".
  • Give the new Restore Point a name, then click "Create".
  • The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use the Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr.exe
  • Select the drive where Windows is installed and click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
  • On the Disk Cleanup tab, if the System Restore: Obsolete Data Stores entry is available remove them also.
  • These are files that were created before Windows was reformatted or reinstalled. They are obsolete and you can delete them.



Additional information
Microsoft KB article: How to turn off and turn on System Restore in Windows XP
Bert Kinney's site: All about Windows System Restore


Here are some free programs I recommend that could help you improve your computer's security.

Install SpyWare Blaster
Download it from here
Find the tutorial on how to use Spyware Blaster here

Install WinPatrol
Download it from here
You can find information about how WinPatrol works here

Install FireTrust SiteHound
You can find information and download it from here

Install hpHosts
Download it from here
hpHosts is a community managed and maintained hosts file that allows an additional layer of protection against access to ad,
tracking and malicious websites. This prevents your computer from connecting to these untrusted sites
by redirecting them to 127.0.0.1 which is your own local computer.
hpHosts Support Forum

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector
F-secure Health Check

Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com
Note 1: If you are running Windows XP SP2, you should upgrade to SP3.
Note 2: Users of Norton Internet Security 2008 should uninstall the software before they install Service Pack 3.
The security suite can then be reinstalled afterwards.

The Windows firewall is not sufficient to protect your system. It doesn't monitor outgoing traffic, and this is a must.
I recommend Online Armor Free

A little outdated but good reading on how to prevent Malware

Keep safe online and happy surfing.



Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.

The fixes and advice in this thread are for this machine only. Do not apply to your machine unless you Fully Understand how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you, just follow the Pre-HijackThis instructions found here before posting: Pre-HJT Post Instructions


Also don't forget that we offer FREE assistance with General PC questions and repair here PC Help
If you're pleased with the product Malwarebytes and the service provided you, please let your friends, family, and co-workers know. http://www.malwarebytes.org

moelarrycurly
Ron, I'm not sure if I should try to add this here, or start a new topic. It is a follow-on to this topic.
First, THANKS, THANKS, and THANKS for your extremely thoughtful and professional assistance, WOW! If all support was like this, just think how many 1000's of person-hours could be saved.
I promised to get back with a post re: checking everything out last night. Here it is:
I checked out all the applications on the Start Menu and all the Control Panel functions. Everything launched, displayed, and ran okay (the several I tested).
Ran TrendMicro PcCillin and MalwareBytes AntiMalware scans, and they both came up negative.
However, Windows startups have been abnormal and slow (2 – 3 minutes best case, 7 – 9 minutes worst case), compared to 1 – 2 minutes normally. This happened several times last night and several times this morning, so it is something persistent. The abnormal delay is first in loading the Internet connection (1 – 2 minutes), and then in loading HideMy IP and PcCillin (3 – 5 minutes) in the Tray. Looking at Event Viewer, there are 3 services that are shown to time out on their start commands: NvSvc, IMAPI CD-Burning COM (imapi.exe), Application Layer Gateway (alg.exe), and (sometimes) SecureSrv (Securesrv.exe). During this period, SYSTEM is using 50%+ of the CPU, which is abnormal. Imapi.exe and alg.exe do run in Task Manager during this high CPU usage, then drop off followed by CPU usage going to normal. SecureSrv.exe does run when launched from HideMyIP’s Desktop icon. Nvsvc32.exe does run automatically (I don’t know if this is the same as NVSvc). I tested a CD burn, which uses imapi.exe, and the burn went fine. I don’t know which programs are affected by alg.exe or NvSvc, so haven’t tested those out. It looks like these processes are timing out on Windows startup, but do launch okay when needed. Startup programs are the same as before.
I tried to think of what had changed, and it was just the oldtimer, Java Runtime, and the ESET things from yesterday (each of which had been followed by, I’m pretty sure, normal reboots). Also, I had reactivated the Guest user profile, but went back and undid that just in case.
Questions:
(1) I wonder what could be causing these things at Windows startup? (no problem with them previously)
(2) Is there anything that should be done? Or, since everything else seems to be working, just “leave sleeping dogs lie” with the slow Windows startups?
(3) There are still a number of items left over on the Desktop: jre-6u16-windows-i586.exe, mbam-clean.exe, mbam-setup.exe, restoreddefaultperms.exe, and MicrosoftFixit50198.msi. What should I do with them?
(4) The weird Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ANTIPPOLICE_ and its sub-key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ANTIPPOLICE_\0000 are still there.
They’ve never been noted by any of the scans. Do you suppose this is actually something legitimate? Or, another “sleeping dog” that should be left alone?
Again, thanks so much. Everything is looking fine except for this sudden and unexpected startup stuff.
AdvancedSetup
Okay, go ahead and delete those left over tools you listed as we're done with them now.
If it will allow you go ahead and delete those Legacy keys, often those are not removed due to permissions preventing removal.

At this point you do not appear to be infected anymore but it could have damaged the overall integrity and speed of the system for sure. It's an ugly thing it does.
Let me leave you with this article though (a bit long but a lot of good advice there) and see if it helps at all. You can also open a NEW post in the PC Help forum and they can help you out trying to restore some of the speed of the system.


Computer and browser slowness are not always malware related

Poor performance and other problems can be the result of disk fragmentation, disk errors, corrupt system files, too many startup programs, unnecessary services running, not enough RAM, dirty hardware, etc. As your system gets older it becomes filled with more files/programs and has a natural tendency to slow down so cleaning and regular maintenance is essential.

Listed below are a few things you can do to improve speed and system performance. Many of these suggestions will apply if you're using Windows Vista but may be done a bit differently. Near the bottom of this thread there is a section specifically devoted to Vista Users.

For browser problems, see:

If you're having connectivity issues or errors such as Page cannot be displayed see

If you're using Vista or Internet Explorer 7, see

If you have a lot of toolbars and add-ons attached to Internet Explorer, you could try improving performance by disabling those which are unnecessary. See: Vista users see:

Clean up your hard drive by removing unused programs and transferring old data, pictures, music files to a CD or an external hard drive.

When you have moved/saved the files you want to keep, run Disk Cleanup and let it scan your system for files to remove. Don’t clean out the Prefetch folder - This is a common myth that will not improve performance.

You may be instructed to remove prefetch files if you had experienced some virus/malware issues otherwise removing prefetch files is not really necessary. Although the prefetch folder can become quite bloated in time, removing old prefetch data as a matter of routine is not recommended. Your boot time immediately after clearing the prefetch folder is much slower...but it will speed up after the first reboot when windows begins to put back some of the files that you removed.

As an alternative to Disk Cleanup you can download and scan with CCleaner.
(Scroll to the last one and click the "CCleaner Slim"...it has no toolbar that comes packaged with it)
  • After installation, see the CCleaner Tour: Using and Understanding CCleaner
  • Make sure you go to Options-->Advanced and uncheck the box to Only delete files in Windows Temp folders older than 48 hours before running a scan
  • An added benefit of using CCleaner is the Issues scan which allows you to clean the registry
  • Always back up your registry before making any changes


Check for any unnecessary running services

If you have a typical installation, many services are configured as "automatic"; that is, they start automatically when the system starts or when the service is called for the first time. Use Black Viper's "Services Configuration" to help fine tune this area.

Check for disk errors by running CHKDSK in "SAFE MODE" or from the Recovery Console

In the Check Disk dialog box, select the "Scan for and attempt recovery of bad sectors" check box, click "Start" and have it repair anything it finds. As you use your hard drive, it can develop bad sectors which slow down hard disk performance and make data writing difficult. Check Disk scans the hard drive and verifies the logical integrity of a file system by checking for system errors, lost clusters, lost chains, and bad sectors. When encountering logical inconsistencies in file system data, it will perform the necessary actions to repair the file system data.

Check for damaged, altered or missing critical system files by running the System File Checker

If SFC discovers that a protected file has been damaged, altered or missing, it restores the correct version of the file from the cache folder.
You must be logged on as an administrator or as a member of the Administrators group to run sfc and it may ask you to insert your XP Installation CD so have it available.

Defrag your system

Disk fragmentation slows the overall performance of your system. When files are fragmented, the computer must search the hard disk when a file is opened. Disk Defragmenter consolidates fragmented files and folders on the hard disk so that each occupies a single space on the disk. This speeds up reading and writing to the disk. Read "The Importance of Disk Defragmentation" for instructions.

Note: It is recommended to shut down all applications (including your Anti-virus) before running Defrag to ensure that no programs attempt to write to the drive while it is being defragmented. Not doing so may cause you to have to restart the entire process. If you have disabled all running programs and still find that the defrag routine is constantly interrupted, you can defrag from "SAFE MODE".

Check for any unnecessary applications loading at startup when Windows boots by using MSConfig

Some startup programs are necessary so be careful what you disable. If you are unsure what any of the startup entries are or if they are safe to disable, then search one of the following Startup Databases:

Note: MSConfig.exe is a troubleshooting utility used to diagnose system configuration issues. Although it works as a basic startup manager, msconfig should not be used routinely to disable auto-start programs. It is a temporary solution and not a good practice for several reasons. When uninstalling programs while disabled with msconfig, they may not be uninstalled properly and orphaned entries often will be left behind. When used to switch back to normal startup mode, these orphan entries can result in boot up errors. Further, msconfig does not list all applications loaded in all possible startup locations (some entry points are hidden and unknown to the user) and does not allow the complete removal of disabled entries from its list.

You should not use msconfig to disable startup applications related to a running service. Doing so alters the registry and there are services that are essential for hardware and booting. When you uncheck a service in msconfig, you completely disable it. If you uncheck the wrong one, you may not be able to restart your computer. You should only disable services using Control Panel-->Administrative Tools-->Services.


A better alternative is to use a startup manager. If you have Spybot S&D installed, launch it, go to Mode and select Advanced. Then go to Tools, select System Startups. You will be provided with a list of programs that load when Windows starts. If you untick an entry it will no longer run at startup. This will allow you to experiment and see how your system performs with any of them disabled. Other startup managers you can download and use for free are:

Remove any third party "Memory Manager" or "Optimizer"

Windows XP memory management was designed to make the best use of RAM and these memory management utilities defeat that purpose. They push applications out of RAM into the pagefile, creating holes in the RAM and slowing down your computer's performance by doing so.

Disable some visual effects

While visual embellishments may be attractive, they don’t do anything else for you. Disabling some of them frees up system resources and makes the operating system perform better.
  • Right click My Computer, choose Properties-->Advanced then click on Settings
  • In the Visual Effects tab, select Adjust for best performance or uncheck all the visual effects, except for the last three
  • Click "Apply", then "Ok", then "Ok" again
  • Then right click your Desktop and choose Properties-->Appearance-->Effects
  • Uncheck the first two boxes and hit "OK"


Add more RAM

This is a quick solution that can have a dramatic effect on your system's speed and responsiveness. You can check how much RAM you have by going to Start-->Program Files-->Accessories-->System Tools-->System Information and look at your System Summary. For more info see "Understanding, Identifying and Upgrading the RAM in your PC".

For more suggestions and performance tips read:

"Restore Your Computer's Performance with Windows XP"
"XP Performance Tweaks"
"Performance Boost for XP"

For Vista Users:

Vista Features Explained: Performance
Vista Features Explained: SuperFetch
SuperFetch & ReadyBoost
Tips to boost Vista performance
Windows Vista Performance Tuning
Top 12 Tweaks To Improve Vista Looks and Performance

When you are all done be sure to Create a new Restore Point to enable your computer to "roll-back" to a clean working state keeping all the changes you just made. Then use Disk Cleanup to "remove all but the latest Restore Point".

Vista Users can refer to these links:


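As an added example (not from this thread, and not a Malwarebytes tool), here is a read-only PowerShell check for the question about the LEGACY_ANTIPPOLICE_ key: it lists every LEGACY_* entry under Enum\Root, reports whether the service each one points at still exists (a missing service key is the usual sign of a leftover from a removed program or driver), and prints the owner and access rules on the LEGACY_ANTIPPOLICE_ key so the permission problem mentioned above is visible. It assumes PowerShell is installed (it is not present on a stock Windows XP install) and is run from an elevated prompt; it deletes nothing.

```powershell
# Added example: read-only inventory of LEGACY_* device entries.
# Plug and Play records each kernel-mode service/driver it has ever
# started as a root-enumerated LEGACY_<NAME> key; the instance subkey
# (normally "0000") carries a Service value naming the service key.
$enumRoot = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root'
$services = 'HKLM:\SYSTEM\CurrentControlSet\Services'

Get-ChildItem -Path $enumRoot -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like 'LEGACY_*' } |
    ForEach-Object {
        $legacyKey = $_
        Get-ChildItem -Path $legacyKey.PSPath -ErrorAction SilentlyContinue |
            ForEach-Object {
                $inst = Get-ItemProperty -Path $_.PSPath
                $svcName = $inst.Service
                $svcExists = $false
                if ($svcName) {
                    # Does the service this entry refers to still exist?
                    $svcExists = Test-Path -Path (Join-Path $services $svcName)
                }
                # New-Object keeps this working on PowerShell 2.0 (XP/Vista era)
                New-Object PSObject -Property @{
                    LegacyKey        = $legacyKey.PSChildName
                    Instance         = $_.PSChildName
                    Service          = $svcName
                    DeviceDesc       = $inst.DeviceDesc
                    ServiceKeyExists = $svcExists
                }
            }
    } |
    Sort-Object ServiceKeyExists, LegacyKey |
    Format-Table LegacyKey, Instance, Service, DeviceDesc, ServiceKeyExists -AutoSize

# Why a manual delete fails: Enum keys are owned by SYSTEM and normally
# grant Administrators read access only, so removal needs a change of
# ownership first. Show who owns the suspect key and what rights exist.
$suspect = Join-Path $enumRoot 'LEGACY_ANTIPPOLICE_'
if (Test-Path -Path $suspect) {
    $acl = Get-Acl -Path $suspect
    "Owner of ${suspect}: $($acl.Owner)"
    $acl.Access |
        Select-Object IdentityReference, RegistryRights, AccessControlType |
        Format-Table -AutoSize
} else {
    "Key not present: $suspect"
}
```

Entries whose ServiceKeyExists column is False are candidates to review; everything the script prints is read straight from the registry and nothing is changed.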
AdvancedSetup
Okay well I will be closing your post probably tomorrow. If you have any last questions please let me know, otherwise if needed go ahead and open a new post in the PC Help forum for assistance with trying to improve the overall speed of the system.
Invision Power Board © 2001-2009 Invision Power Services, Inc.