Koobface - bill104.exe is winning.



iflyok
2010-03-21, 21:29
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:42:51 PM, on 3/21/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\Program Files\Internet Content Filter\SafeEyes.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\STOPzilla!\SZOptions.exe
C:\Documents and Settings\Rod\Desktop\SaveMev1550\HT\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: Safe &Eyes Toolbar - {430DDB4F-38CC-4E91-AF33-4157334EC937} - C:\Program Files\Internet Content Filter\setoolbar.dll
O4 - HKLM\..\Run: [ICF] "C:\Program Files\Internet Content Filter\SafeEyes.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: icf.dll
O10 - Unknown file in Winsock LSP: icf.dll
O10 - Unknown file in Winsock LSP: icf.dll
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsupport.com/Oneclickfix/tgctlsr.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1215555590453
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229154001250
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupControlXP Class) - https://vpn.safelnk.net/dana-cached/setup/JuniperSetupSP1.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe

--
End of file - 8907 bytes


Please note that I've made this fix harder on everyone involved after reading the warnings here. When I fell for the "Flash update" bait from what seemed a movie sent by a Facebook friend, I was not running all that is listed above, nor had I obviously tried any fixes. Since that time of allowing this travesty into my system, I've attempted various fixes in an effort to be self-reliant. Not only do I now give up on that endeavor, I apologize to any guru who might take this charity case. That being said, this is what I remember trying on my own and under what conditions:

Auto updates for Microsoft products always on
Auto updates for McAfee suite always on (McAfee did not stop this infection)
Occasionally, manually updating Spybot whenever I thought something was amiss. I have been running and contributing occasionally to S&D for many years. Unfortunately, I was not up to date when my system was hit (later on that).
Once I knew I was infected (immediately), I was mad at McAfee and replaced it with Avast! in order to rid my PC of the infection. That worked up to the point where my PC was not allowed to update avast definition files to current level. Definition file is stuck at 3/9/210 or so and does not see this infection.
Tried to update definition files for Spybot but virus seems to be blocking the attempt as it can't find any server. In fact, I'm writing this from my laptop after emailing myself the HJT file to post. I can't even get to this, or any other protection help forum associated by name with protection software from my infected PC. I'm getting ahead of myself...
Stopped bill104 manually from running in process manager. Ran HiJack This and manually removed bill104.exe from C:\windows and "fixed" all evidence of bill104 via HJT tool (I know... I know...now).
D/L and ran StopZilla (paid version - was surprised my infected PC allowed this) and, while this found a few things, it did not fix my browser issues even after running at startup.
Tried to restore system to a point prior to infection and am not allowed.
Maybe tried a few other things I forgot to mention before breaking out my laptop and, initially looking for a way to transfer new definition files to S&D via flashdrive, gave up and typed this out after reading about all of the things I should not have done. My infected PC has been physically removed from my home network and the internet after continuing to exhibit signs that it is being used as a zombie. I still cannot access several sites for help via browser or software update tools. Am I totally screwed? :sick:

I was running IE exclusively, with updates automated, when I was infected. I have since also d/l and tried, with no luck, Google Chrome and Firefox browsers.

km2357
2010-03-23, 19:12
Hello and welcome to Safer Networking.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly, the fix may take several attempts and my replies may take some time, but I will stick with it if you do the same.

Sorry for the delay in replying, the forum is very busy. If you still need help, please post a fresh HiJackThis log.

iflyok
2010-03-24, 00:50
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:36:17 PM, on 3/23/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\Program Files\Internet Content Filter\SafeEyes.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast5\setup\avast.setup
C:\Documents and Settings\Rod\Desktop\SaveMev1550\HT\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: Safe &Eyes Toolbar - {430DDB4F-38CC-4E91-AF33-4157334EC937} - C:\Program Files\Internet Content Filter\setoolbar.dll
O4 - HKLM\..\Run: [ICF] "C:\Program Files\Internet Content Filter\SafeEyes.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: icf.dll
O10 - Unknown file in Winsock LSP: icf.dll
O10 - Unknown file in Winsock LSP: icf.dll
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsupport.com/Oneclickfix/tgctlsr.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1215555590453
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229154001250
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupControlXP Class) - https://vpn.safelnk.net/dana-cached/setup/JuniperSetupSP1.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe

--
End of file - 8955 bytes


I appreciate your willingness to help. If you read my initial post, you know I made this harder than it should have been by trying to fix this on my own. Please note that I can't currently reach this forum using the infected PC as my browser is not under my control. I will continue to email myself a copy of test results and transfer the info to this forum with my laptop until I regain control of the PC's browser. As you requested, this is a current HJT scan of the infected system. Thanks again!

km2357
2010-03-24, 05:03
I will continue to email myself a copy of test results and transfer the info to this forum with my laptop until I regain control of the PC's browser.

Sounds like a good plan. :bigthumb:


Step # 1: Disable Teatimer

Spybot S&D's tea timer normally provides real-time protection from spyware, however it may interfere with what we need to do. We will disable it until the machine is clean when it can be re-enabled.

This is a two step process.
First step: Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
If you have version 1.5 or 1.6, click once on Resident Protection, then right-click the Spybot icon again and make sure Resident Protection is now unchecked. The Spybot icon in the System Tray should now be colorless.
If you have version 1.4, click on Exit Spybot S&D Resident.

Second step, for either version: Open Spybot S&D
Click Mode, choose Advanced Mode
Go to the bottom of the vertical panel on the left, click Tools
then, also in the left panel, click Resident (shows a red/white shield).
If your firewall raises a question, say OK
In the Resident protection status frame, uncheck the box labeled Resident "Tea-Timer" (Protection of over-all system settings) active
OK any prompts.
Use File, Exit to terminate Spybot
Reboot your machine for the changes to take effect.


Step # 2 Download and run DDS

Download DDS and save it to your desktop from here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt

Save both reports to your desktop. Post them back to your topic.



Step # 3: Download and Run Gmer

Please download gmer.zip (http://www.gmer.net/gmer.zip) from Gmer and save it to your desktop.

***Please close any open programs ***

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.

If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click No.

Once the scan is complete, you may receive another notice about rootkit activity.
Click OK.

GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.
If you do not receive notice about possible rootkit activity, remain on the Rootkit/Malware tab and make sure the 'Show All' button is unticked. Click the Scan button and let the program do its work. GMER will produce a log.
Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.

DO NOT touch the PC at ALL for whatever reason until it has 100% completed its scan, or attempted scan in case of some error, etc.!

Please post the results from the GMER scan in your reply.


In your next post/reply, I need to see the following:

1. The two DDS Logs (DDS and Attach.txt)
2. The GMER Log

Use multiple posts if you can't fit everything into one post.

iflyok
2010-03-25, 00:30
DDS:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Rod at 19:04:43.42 on Wed 03/24/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.3002 [GMT -4:00]

AV: avast! Antivirus *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ActiveArmor Firewall *disabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k tapisrvs
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Content Filter\SafeEyes.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\msiexec.exe
E:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.comcast.net/
uInternet Settings,ProxyOverride = *.local
TB: Safe &Eyes Toolbar: {430ddb4f-38cc-4e91-af33-4157334ec937} - c:\program files\internet content filter\setoolbar.dll
TB: {4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ICF] "c:\program files\internet content filter\SafeEyes.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F}
LSP: ICF.dll
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
Trusted Zone: emusic.com\www
Trusted Zone: taxactonline.com\www
DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - hxxp://www.comcastsupport.com/Oneclickfix/tgctlsr.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1215555590453
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229154001250
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://vpn.safelnk.net/dana-cached/setup/JuniperSetupSP1.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\rod\applic~1\mozilla\firefox\profiles\2o4pzc8y.default\
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 apto6ko;Control HTML Folder Table Windows Shell Thumbnail Detection;c:\windows\system32\drivers\imapioko.sys [2008-12-1 32768]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-3-20 162640]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-3-20 19024]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-20 40384]
R2 cpqoko6;ConnectionAgent Software Display Coordinator;c:\windows\system32\svchost.exe -k tapisrvs [2004-8-4 14336]
R2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [2007-5-28 275968]
RUnknown szkg5;szkg5; [x]
RUnknown szkgfs;szkgfs; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-20 133104]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-20 40384]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-20 40384]
UnknownUnknown is3srv;is3srv; [x]

=============== Created Last 30 ================

2010-03-24 23:00:42 336 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2010-03-24 22:58:23 744 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-03-21 04:09:13 0 d-----w- c:\docume~1\rod\applic~1\Malwarebytes
2010-03-21 04:09:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-21 04:09:08 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-21 04:09:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-21 04:09:07 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-21 02:58:37 16384 ---ha-w- C:\SZKGFS.dat
2010-03-21 02:57:57 0 d-----w- c:\docume~1\alluse~1\applic~1\SITEguard
2010-03-21 02:57:31 0 d-----w- c:\program files\common files\iS3
2010-03-21 02:57:31 0 d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
2010-03-21 00:50:30 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-03-19 22:29:13 1 ---h--w- c:\windows\bk23567.dat
2010-03-19 22:29:13 1 ----a-w- c:\windows\lgo
2010-03-19 22:29:13 1 ----a-w- c:\windows\fdgg34353edfgdfdf
2010-03-19 22:24:00 1 ----a-w- c:\windows\ligh
2010-03-12 00:06:08 3252 ----a-w- c:\windows\system32\wbem\Outlook_01cac177d120e686.mof

==================== Find3M ====================

2010-01-05 10:00:29 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00:20 17408 ----a-w- c:\windows\system32\corpol.dll
2008-07-08 22:44:30 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008070820080709\index.dat
2009-06-13 19:05:00 16384 --sha-w- c:\windows\temp\cookies\index.dat
2009-06-13 19:05:00 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2009-06-13 19:05:00 49152 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 19:05:22.42 ===============

GMER:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-03-24 19:18:09
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Rod\LOCALS~1\Temp\uwldiuod.sys


---- System - GMER 1.0.15 ----

SSDT spbf.sys ZwEnumerateKey [0xBA69FCA2]
SSDT spbf.sys ZwEnumerateValueKey [0xBA6A0030]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xA75D44FE]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xA75D4322]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xA75D445C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)
Device \FileSystem\Ntfs \Ntfs 8AFFA1F8

AttachedDevice \FileSystem\Ntfs \Ntfs szkgfs.sys
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \FileSystem\Fastfat \Fat aswSP.SYS (avast! self protection module/ALWIL Software)
Device \FileSystem\Fastfat \Fat 8AB11500

AttachedDevice \FileSystem\Fastfat \Fat szkgfs.sys
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- EOF - GMER 1.0.15 ----

fyi - I had to remove the StopZilla program on the infected PC. It was hanging up and causing notepad to hang. I had downloaded and installed this while trying to fix my own problem. I do not believe it was part of the original problem. Hopefully, this action will not hinder the fix. Thanks again for your time! :friend:

km2357
2010-03-25, 03:42
Thanks for the logs. :)

From now on, please do not attach any logs, just post them normally. Only attach them if I request you to do so. Thanks. :)


Please disable avast! Antivirus as it may interfere with the fixes. Remember to re-enable it back before posting the logs.

* Right click on avast! Antivirus icon near the clock and select Stop On-Access Protection.
* Right click on this icon again and select Program Settings.
* On the left, click on Troubleshooting.
* Uncheck (untick) this box - Disable avast! self-defense module.
* Click OK to apply the settings.


Step # 1: Download and Run ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

*Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

When finished, it shall produce a log for you. Please include C:\ComboFix.txt in your next reply.

iflyok
2010-03-25, 23:18
Big improvement! I'm posting this from the (previously?) infected PC because I can. :thanks:

I disabled avast! but not exactly as instructed. The steps listed did not correspond with my particular software and/or version. I right-clicked on the toolbar icon, pulled down "avast shield control" and clicked "Disable for 1 hour". I then ran ComboFix.exe from my desktop. ComboFix's process rebooted the PC which started avast! again. I knew things were looking better for the PC when avast! was allowed to autoupdate. It didn't stop ComboFix from generating this log:

ComboFix 10-03-25.02 - Rod 03/25/2010 17:35:40.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.3134 [GMT -4:00]
Running from: c:\documents and settings\Rod\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ActiveArmor Firewall *disabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
/wow section - STAGE 7


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Rod\Local Settings\Application Data\010112010146111103.xxe
c:\windows\bk23567.dat
c:\windows\fdgg34353edfgdfdf
c:\windows\lgo
c:\windows\ligh
c:\windows\system32\42KJE738.ocx
c:\windows\system32\drivers\imapioko.sys
c:\windows\system32\erokosvc.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_APTO6KO
-------\Legacy_CPQOKO6
-------\Legacy_NPF
-------\Service_apto6ko
-------\Service_cpqoko6


((((((((((((((((((((((((( Files Created from 2010-02-25 to 2010-03-25 )))))))))))))))))))))))))))))))
.

2010-03-21 16:01 . 2010-03-21 16:01 0 ----a-w- c:\windows\nsreg.dat
2010-03-21 16:01 . 2010-03-21 16:01 -------- d-----w- c:\documents and settings\Rod\Local Settings\Application Data\Mozilla
2010-03-21 04:09 . 2010-03-21 04:09 -------- d-----w- c:\documents and settings\Rod\Application Data\Malwarebytes
2010-03-21 04:09 . 2010-01-07 20:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-21 04:09 . 2010-03-21 04:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-21 04:09 . 2010-03-21 04:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-21 04:09 . 2010-01-07 20:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-21 02:58 . 2010-03-21 02:58 16384 ---ha-w- C:\SZKGFS.dat
2010-03-21 02:57 . 2010-03-21 04:11 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-03-21 02:57 . 2010-03-24 23:04 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-03-21 02:57 . 2010-03-21 02:57 -------- d-----w- c:\program files\Common Files\iS3
2010-03-21 00:55 . 2010-03-21 00:55 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-03-21 00:50 . 2010-03-09 10:12 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-03-21 00:50 . 2010-03-09 10:12 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-03-21 00:50 . 2010-03-09 10:09 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-03-21 00:50 . 2010-03-09 10:08 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-03-21 00:50 . 2010-03-09 10:08 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-03-21 00:50 . 2010-03-09 10:08 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-03-21 00:50 . 2010-03-09 10:08 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-03-21 00:50 . 2010-03-09 10:24 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-03-21 00:50 . 2010-03-09 10:24 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-03-21 00:50 . 2010-03-21 00:50 -------- d-----w- c:\program files\Alwil Software
2010-03-21 00:50 . 2010-03-21 00:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-24 23:01 . 2010-03-24 23:00 336 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2010-03-24 22:58 . 2010-03-24 22:58 744 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-03-21 15:54 . 2008-09-03 12:48 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-21 01:38 . 2008-03-22 20:38 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-03-21 00:51 . 2008-11-17 05:45 -------- d-----w- c:\program files\Google
2010-02-14 16:01 . 2010-02-14 16:01 -------- d-----w- c:\program files\R-Undelete
2010-02-14 05:54 . 2010-02-14 05:54 -------- d-----w- c:\documents and settings\Rod\Application Data\Canneverbe Limited
2010-02-14 05:54 . 2010-02-14 05:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Canneverbe Limited
2010-02-14 05:54 . 2010-02-14 05:54 -------- d-----w- c:\program files\CDBurnerXP
2010-02-12 07:55 . 2008-03-22 00:54 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-06 23:46 . 2009-09-15 00:33 -------- d-----w- c:\program files\QuickTime
2010-02-06 23:43 . 2010-02-06 23:42 -------- d-----w- c:\program files\iTunes
2010-02-06 23:43 . 2008-04-07 15:07 -------- d-----w- c:\program files\iPod
2010-02-06 23:43 . 2009-04-26 01:02 -------- d-----w- c:\program files\Common Files\Apple
2010-02-06 23:36 . 2010-02-06 23:36 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-01-05 10:00 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2004-08-04 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ICF"="c:\program files\Internet Content Filter\SafeEyes.exe" [2009-07-27 1236712]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-03-09 2769336]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-07 8523776]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Rod^Start Menu^Programs^Startup^Registration Ghost Recon Advanced Warfighter.LNK]
backup=c:\windows\pss\Registration Ghost Recon Advanced Warfighter.LNKStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGEIA PhysX SysTray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 06:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 10:43 69632 ----a-r- c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
2008-03-20 16:46 217544 ----a-w- c:\program files\Alcohol Soft\Alcohol 120\AxCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsusStartupHelp]
2006-11-14 06:25 363008 ----a-r- c:\program files\ASUS\AASP\1.00.17\AsRunHelp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-06-01 14:21 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter2.0]
2004-07-20 13:34 851968 ----a-w- c:\program files\Brother\ControlCenter2\brctrcen.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-01-23 00:16 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X Configure]
2006-10-30 12:44 1953792 ----a-r- c:\windows\system32\JMRaidSetup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X IDE Setup]
2006-10-30 12:44 36864 ----a-r- c:\windows\JM\JMInsIDE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2007-07-18 21:55 451872 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 19:57 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nTrayFw]
2006-02-17 15:40 270336 ----a-w- c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2007-11-07 01:00 8523776 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2007-11-07 01:00 1626112 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]
2008-07-08 20:41 2828184 ----a-w- c:\program files\Registry Mechanic\RegMech.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2006-11-14 09:21 16270848 ----a-r- c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2006-05-16 10:04 2879488 ----a-r- c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Start WingMan Profiler]
2008-04-04 16:38 88584 ----a-w- c:\program files\Logitech\Gaming Software\LWEMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-07-25 09:23 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Ubisoft\\Ghost Recon Advanced Warfighter\\GRAW.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Ubisoft\\Ghost Recon Advanced Warfighter 2\\graw2.exe"=
"c:\\Program Files\\Ubisoft\\Ghost Recon Advanced Warfighter 2\\graw2_dedicated.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\EA SPORTS\\Tiger Woods PGA TOUR 08\\bin\\TW2008.exe"=
"c:\\Program Files\\Ubisoft\\Splinter Cell Pandora Tomorrow\\pandora.exe"=
"c:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=
"c:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe"=
"c:\\Program Files\\Electronic Arts\\Medal of Honor Airborne\\UnrealEngine3\\Binaries\\MOHA.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Internet Content Filter\\Pop3Proxy.exe"=
"c:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"= 8085:TCP:OKOToGate

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [5/30/2008 11:58 PM 716272]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/20/2010 8:50 PM 162640]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/20/2010 8:50 PM 19024]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/20/2010 8:50 PM 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
tapisrvs REG_MULTI_SZ cpqoko6

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-07-18 21:53 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-03-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]

2010-03-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-21 00:50]

2010-03-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-21 00:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: ICF.dll
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
Trusted Zone: emusic.com\www
Trusted Zone: taxactonline.com\www
FF - ProfilePath - c:\documents and settings\Rod\Application Data\Mozilla\Firefox\Profiles\2o4pzc8y.default\
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - (no file)
SafeBoot-mcmscsvc
SafeBoot-MCODS



**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8AFF01F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba91cf28
\Driver\ACPI -> ACPI.sys @ 0xba66acb8
\Driver\atapi -> atapi.sys @ 0xba5ffb40
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: NVIDIA nForce Networking Controller -> SendCompleteHandler -> NDIS.sys @ 0xba4dcbb0
PacketIndicateHandler -> NDIS.sys @ 0xba4e9a21
SendHandler -> NDIS.sys @ 0xba4c787b
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1085031214-1563985344-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:0c,f2,1d,02,a4,cc,fc,da,eb,fd,93,e7,0b,9c,98,1b,0d,65,56,a5,1d,92,b3,
6e,4b,ae,a5,99,6a,fc,df,5f,62,65,28,e4,6b,1c,f9,a5,76,81,c3,70,d7,5b,ad,8e,\
"??"=hex:2b,23,0c,90,3a,d0,bf,8d,46,df,35,83,99,87,98,89

[HKEY_USERS\S-1-5-21-1085031214-1563985344-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:83,7d,57,da,ed,74,95,f6,47,d9,ff,bf,09,15,b4,57,18,1d,d0,17,2a,
8b,f2,e9,02,70,8a,dd,c7,79,27,ee,73,7f,db,cd,4e,85,bc,50,9a,4b,f6,ad,af,9e,\
"rkeysecu"=hex:92,bd,db,51,71,b7,65,85,99,32,57,c9,c3,16,c8,64
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(924)
c:\windows\system32\ICF.dll
c:\windows\system32\nvappfilter.dll

- - - - - - - > 'explorer.exe'(824)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\brss01a.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-03-25 17:48:15 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-25 21:48

Pre-Run: 370,347,528,192 bytes free
Post-Run: 370,461,609,984 bytes free

- - End Of File - - BF7A79216BCC2FB4685B7162026A80B6

I did not choose to veer from the process to install the Recovery Console as I had not been instructed to do so. SafeEyes, an internet filter that runs to protect my children from some content, will not connect now and I have it disabled to eliminate the nag screen. I assume that can be remedied. Thanks again for your time km2357! Awaiting further instructions...

km2357
2010-03-26, 06:19
SafeEyes, an internet filter that runs to protect my children from some content, will not connect now and I have it disabled to eliminate the nag screen. I assume that can be remedied.

Don't know why it can't connect. What ComboFix deleted was all bad and it didn't look like it took out anything related to SafeEyes. You may have to end up uninstalling and reinstalling it to get the program to work again.

The ComboFix Log says that Avast is out of date, please update it as soon as possible, if you can.

Do you recognize/did you open the following port?

"8085:TCP"= 8085:TCP:OKOToGate


Seems you're missing an important part of your operating system. Let's get it reinstalled in case you ever need it.
Nothing is going to change on your computer other than we are going to reinstall the Recovery Console.

Go to Microsoft's website => http://support.microsoft.com/kb/310994

At that page, scroll down and click on the appropriate download for your version of Windows XP (Home or Professional) and the service pack level that you have installed. When you click on the link to download the file, make sure you save it directly to your desktop. If you are using Windows XP Service Pack 3 (SP3), then select the Service Pack 2 download. If you are using Windows XP Media Center, then you should select the Windows XP Pro Service Pack 2 download. If you are unsure what version of Windows you have and what Service Pack is installed, you can follow these instructions to gain that information.

Click on the Start button.

Click on the Run menu option.

In the Open: field type the following: sysdm.cpl and then click on the OK button.

A screen will appear showing information about your installation. Under the System: category you should see your Windows version and the installed Service Pack.

Now close all open windows and programs, including all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


Click and drag the setup package onto ComboFix.exe and drop it.


Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.


At the next prompt, click 'No'.

http://img.photobucket.com/albums/v706/ried7/whatnext.png


When the tool is finished, it will produce a report for you.



Step # 1 Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:


:filefind
atapi.sys
iaStor.sys

Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt


In your next post/reply, I need to see the following:

1. Recovery Console Log
2. SystemLook Log

iflyok
2010-03-27, 06:21
I'm not sure what happened but I had to do these steps twice. I thought I had everything you asked for copy/pasted to a reply already but I had to log in again (timed out?) and lost my first response.

I use a Netgear-based wired/wireless home network with a networked, Brother multi-printer. I'm not sure if the printer needs the open port or not. I do not recognize or understand why else that port is exposed. I used to do a fair amount of online racing and sometimes will join a LAN shooter with the kid(s)... don't know enough about TCP to know why that shows open. Sorry.

Avast updated before I ran any of the current instructions, so it should be up to date. I'll handle SafeEyes once I'm in the "clear". These are my reruns of the requested logs...

ComboFix 10-03-26.02 - Rod 03/27/2010 1:09.5.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2965 [GMT -4:00]
Running from: c:\documents and settings\Rod\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Rod\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ActiveArmor Firewall *disabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}
.

((((((((((((((((((((((((( Files Created from 2010-02-27 to 2010-03-27 )))))))))))))))))))))))))))))))
.

2010-03-21 16:01 . 2010-03-21 16:01 0 ----a-w- c:\windows\nsreg.dat
2010-03-21 16:01 . 2010-03-21 16:01 -------- d-----w- c:\documents and settings\Rod\Local Settings\Application Data\Mozilla
2010-03-21 04:09 . 2010-03-21 04:09 -------- d-----w- c:\documents and settings\Rod\Application Data\Malwarebytes
2010-03-21 04:09 . 2010-01-07 20:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-21 04:09 . 2010-03-21 04:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-21 04:09 . 2010-03-21 04:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-21 04:09 . 2010-01-07 20:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-21 02:58 . 2010-03-21 02:58 16384 ---ha-w- C:\SZKGFS.dat
2010-03-21 02:57 . 2010-03-21 04:11 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-03-21 02:57 . 2010-03-24 23:04 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-03-21 02:57 . 2010-03-21 02:57 -------- d-----w- c:\program files\Common Files\iS3
2010-03-21 00:55 . 2010-03-21 00:55 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-03-21 00:50 . 2010-03-09 10:12 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-03-21 00:50 . 2010-03-09 10:12 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-03-21 00:50 . 2010-03-09 10:09 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-03-21 00:50 . 2010-03-09 10:08 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-03-21 00:50 . 2010-03-09 10:08 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-03-21 00:50 . 2010-03-09 10:08 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-03-21 00:50 . 2010-03-09 10:08 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-03-21 00:50 . 2010-03-09 10:24 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-03-21 00:50 . 2010-03-09 10:24 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-03-21 00:50 . 2010-03-21 00:50 -------- d-----w- c:\program files\Alwil Software
2010-03-21 00:50 . 2010-03-21 00:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-26 01:35 . 2008-04-07 14:32 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-24 23:01 . 2010-03-24 23:00 336 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2010-03-24 22:58 . 2010-03-24 22:58 744 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-03-21 15:54 . 2008-09-03 12:48 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-21 01:38 . 2008-03-22 20:38 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-03-21 00:51 . 2008-11-17 05:45 -------- d-----w- c:\program files\Google
2010-02-14 16:01 . 2010-02-14 16:01 -------- d-----w- c:\program files\R-Undelete
2010-02-14 05:54 . 2010-02-14 05:54 -------- d-----w- c:\documents and settings\Rod\Application Data\Canneverbe Limited
2010-02-14 05:54 . 2010-02-14 05:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Canneverbe Limited
2010-02-14 05:54 . 2010-02-14 05:54 -------- d-----w- c:\program files\CDBurnerXP
2010-02-12 07:55 . 2008-03-22 00:54 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-06 23:46 . 2009-09-15 00:33 -------- d-----w- c:\program files\QuickTime
2010-02-06 23:43 . 2010-02-06 23:42 -------- d-----w- c:\program files\iTunes
2010-02-06 23:43 . 2008-04-07 15:07 -------- d-----w- c:\program files\iPod
2010-02-06 23:43 . 2009-04-26 01:02 -------- d-----w- c:\program files\Common Files\Apple
2010-02-06 23:36 . 2010-02-06 23:36 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-01-05 10:00 . 2004-08-04 12:00 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2004-08-04 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ICF"="c:\program files\Internet Content Filter\SafeEyes.exe" [2009-07-27 1236712]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-03-09 2769336]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-07 8523776]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Rod^Start Menu^Programs^Startup^Registration Ghost Recon Advanced Warfighter.LNK]
backup=c:\windows\pss\Registration Ghost Recon Advanced Warfighter.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 06:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 10:43 69632 ----a-r- c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
2008-03-20 16:46 217544 ----a-w- c:\program files\Alcohol Soft\Alcohol 120\AxCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsusStartupHelp]
2006-11-14 06:25 363008 ----a-r- c:\program files\ASUS\AASP\1.00.17\AsRunHelp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-06-01 14:21 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter2.0]
2004-07-20 13:34 851968 ----a-w- c:\program files\Brother\ControlCenter2\brctrcen.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-01-23 00:16 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X Configure]
2006-10-30 12:44 1953792 ----a-r- c:\windows\system32\JMRaidSetup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X IDE Setup]
2006-10-30 12:44 36864 ----a-r- c:\windows\JM\JMInsIDE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2007-07-18 21:55 451872 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 19:57 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nTrayFw]
2006-02-17 15:40 270336 ----a-w- c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2007-11-07 01:00 8523776 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2007-11-07 01:00 1626112 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]
2008-07-08 20:41 2828184 ----a-w- c:\program files\Registry Mechanic\RegMech.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2006-11-14 09:21 16270848 ----a-r- c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2006-05-16 10:04 2879488 ----a-r- c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Start WingMan Profiler]
2008-04-04 16:38 88584 ----a-w- c:\program files\Logitech\Gaming Software\LWEMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-07-25 09:23 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Ubisoft\\Ghost Recon Advanced Warfighter\\GRAW.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Ubisoft\\Ghost Recon Advanced Warfighter 2\\graw2.exe"=
"c:\\Program Files\\Ubisoft\\Ghost Recon Advanced Warfighter 2\\graw2_dedicated.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\EA SPORTS\\Tiger Woods PGA TOUR 08\\bin\\TW2008.exe"=
"c:\\Program Files\\Ubisoft\\Splinter Cell Pandora Tomorrow\\pandora.exe"=
"c:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=
"c:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe"=
"c:\\Program Files\\Electronic Arts\\Medal of Honor Airborne\\UnrealEngine3\\Binaries\\MOHA.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Internet Content Filter\\Pop3Proxy.exe"=
"c:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"= 8085:TCP:OKOToGate

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/20/2010 8:50 PM 162640]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/20/2010 8:50 PM 19024]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [5/30/2008 11:58 PM 716272]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/20/2010 8:50 PM 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
tapisrvs REG_MULTI_SZ cpqoko6

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-07-18 21:53 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-03-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]

2010-03-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-21 00:50]

2010-03-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-21 00:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: ICF.dll
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
Trusted Zone: emusic.com\www
Trusted Zone: taxactonline.com\www
FF - ProfilePath - c:\documents and settings\Rod\Application Data\Mozilla\Firefox\Profiles\2o4pzc8y.default\
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1085031214-1563985344-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:0c,f2,1d,02,a4,cc,fc,da,eb,fd,93,e7,0b,9c,98,1b,0d,65,56,a5,1d,92,b3,
6e,4b,ae,a5,99,6a,fc,df,5f,62,65,28,e4,6b,1c,f9,a5,76,81,c3,70,d7,5b,ad,8e,\
"??"=hex:2b,23,0c,90,3a,d0,bf,8d,46,df,35,83,99,87,98,89

[HKEY_USERS\S-1-5-21-1085031214-1563985344-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:83,7d,57,da,ed,74,95,f6,47,d9,ff,bf,09,15,b4,57,18,1d,d0,17,2a,
8b,f2,e9,02,70,8a,dd,c7,79,27,ee,73,7f,db,cd,4e,85,bc,50,9a,4b,f6,ad,af,9e,\
"rkeysecu"=hex:92,bd,db,51,71,b7,65,85,99,32,57,c9,c3,16,c8,64
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(908)
c:\windows\system32\ICF.dll
c:\windows\system32\nvappfilter.dll

- - - - - - - > 'explorer.exe'(4084)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-03-27 01:12:36
ComboFix-quarantined-files.txt 2010-03-27 05:12
ComboFix2.txt 2010-03-27 04:55
ComboFix3.txt 2010-03-27 04:35
ComboFix4.txt 2010-03-27 04:24
ComboFix5.txt 2010-03-27 05:09

Pre-Run: 370,224,230,400 bytes free
Post-Run: 370,196,008,960 bytes free

- - End Of File - - A62530BB2179C9EF67962B6EEBA1DE88

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 01:19 on 27/03/2010 by Rod (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi.sys"
C:\pebuilder3110a\BartPE\i386\system32\drivers\atapi.sys --a--- 95360 bytes [08:32 12/02/2010] [12:00 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [22:34 08/07/2008] [12:00 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 96512 bytes [21:47 25/03/2010] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [22:32 08/07/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys ------ 96512 bytes [12:00 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674

Searching for "iaStor.sys"
No files found.

-=End Of File=-


km2357
2010-03-27, 18:51
Since you don't recognize/open port 8085 by yourself, we'll close it. I also did some research on it, and that open port looks to be related to your Koobface infection, so we definitely want to close it.


Step # 1: Run CFScript


Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:


KILLALL::

Registry::

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
"tapisrvs"=-


Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.




http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif


Note: This CFScript is for use on iflyok's computer only! Do not use it on your computer.


Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


In your next post/reply, I need to see the following:

1. The ComboFix Log that appears after Step 1 has been completed.
2. A fresh DDS Log taken after Step 1 has been completed.
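As an added example (not code from this thread, from ComboFix or from km2357), here is a small Python triage script that walks the "Reg Loading Points" section of a ComboFix log and flags the two entries the CFScript above removes: a firewall GloballyOpenPorts entry and an svchost service group that is not one of the standard Windows XP groups, then emits the matching `Registry::` block. The baseline group list is an assumption and the sample log excerpt is constructed from the log posted in this thread.

```python
"""Triage helper for the 'Reg Loading Points' section of a ComboFix log.

Added example, not ComboFix's own code. It flags the two persistence
artefacts removed by the CFScript in this thread: an unexpected svchost
service group ('tapisrvs' -> 'cpqoko6') and a globally opened firewall
port ('8085:TCP' -> 'OKOToGate'), and builds the Registry:: removal block.
"""
import re
from typing import Dict, List, Tuple

# svchost service groups that ship with Windows XP. Assumption: a reasonable
# baseline for triage, not an authoritative Microsoft list. Anything else in
# the svchost key is worth a second look.
KNOWN_SVCHOST_GROUPS = {
    "dcomlaunch", "rpcss", "netsvcs", "localservice", "networkservice",
    "imgsvc", "termsvcs", "httpfilter", "wudfservicegroup",
}

# Constructed excerpt modelled on the ComboFix log posted in this thread.
# The 'netsvcs' line is added to show that a known group is not flagged.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"= 8085:TCP:OKOToGate

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/20/2010 8:50 PM 162640]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
netsvcs REG_MULTI_SZ 6to4 AppMgmt AudioSrv
tapisrvs REG_MULTI_SZ cpqoko6
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                       # [HKLM\...] section header
PORT_RE = re.compile(r'^"(\d+:(?:TCP|UDP))"=\s*(.*)$', re.IGNORECASE)
SVCHOST_RE = re.compile(r"^(\S+)\s+REG_MULTI_SZ\s+(.*)$")

# (kind, registry key, value name, value data)
Finding = Tuple[str, str, str, str]


def find_persistence(log_text: str) -> List[Finding]:
    """Scan the log line by line, tracking the current registry key, and
    return the globally opened ports and unknown svchost groups found."""
    findings: List[Finding] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        header = KEY_RE.match(line)
        if header:
            current_key = header.group(1)
            continue
        if not current_key:
            continue
        key_lc = current_key.lower()
        if key_lc.endswith("globallyopenports\\list"):
            m = PORT_RE.match(line)
            if m:
                findings.append(("open_port", current_key, m.group(1), m.group(2)))
        elif key_lc.endswith("currentversion\\svchost"):
            m = SVCHOST_RE.match(line)
            if m and m.group(1).lower() not in KNOWN_SVCHOST_GROUPS:
                findings.append(("svchost_group", current_key, m.group(1), m.group(2)))
    return findings


def cfscript_registry_block(findings: List[Finding]) -> str:
    """Render the findings as a CFScript Registry:: block, one [key] section
    per registry key, using the '"name"=-' syntax that deletes a value."""
    by_key: Dict[str, List[str]] = {}
    for _kind, key, name, _data in findings:
        by_key.setdefault(key, []).append(name)
    lines = ["Registry::"]
    for key, names in by_key.items():
        lines.append("")
        lines.append(f"[{key}]")
        lines.extend(f'"{name}"=-' for name in names)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hits = find_persistence(SAMPLE_LOG)
    for kind, key, name, data in hits:
        print(f"{kind:14} {name!r} -> {data!r}  ({key})")
    print()
    print(cfscript_registry_block(hits))
```

The script only reports and renders the block; as in the thread, the resulting CFScript is specific to the machine whose log produced it.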

iflyok
2010-03-27, 22:58
km2357,

After CFScript/ComboFix creates a restore point, the system implodes to a blue screen of death. I ran it 3 times with the same result. :sad:

iflyok
2010-03-27, 23:18
km2357,

The blue, stop screen showed this information that may or may not be helpful:

IRQL_NOT_LESS_OR_EQUAL

and:

*** STOP: 0x0000000A (0x0000BAB3, 0x00000002, 0x00000001, 0x806E6A8E)

:confused:

km2357
2010-03-28, 06:48
Thanks for the additional info. :)

Does the computer only Blue Screen when running ComboFix/CFScript? Or does it happen other times as well?

Researching the Blue Screen error code you gave me, it looks like the Blue Screen is being caused by problems with your NVIDIA card. Try going to www.nvidia.com and updating your video card drivers. Then try the CFScript again and if successful post the resulting ComboFix Log. If you still get the blue screen try uninstalling then reinstalling the NVIDIA drivers, then try the CFScript again.

iflyok
2010-03-29, 05:21
I've not seen this or any other blue screen in quite some time. The only time recently that I've seen one is when attempting to run ComboFix/CFScript. I updated my nvidia driver and then uninstalled/reinstalled my nvidia driver, attempting to run the ComboFix/CFScript after each with no luck. Same stop screen, same information.

After the 2nd attempt (following the uninstall/reinstall) and reboot of my system, I ran ComboFix without dragging CFScript onto it with no problem. So, the issue is not ComboFix but maybe CFScript..? I know this was not instructed and am sorry for not explicitly following instructions. I'm an engineer (hardware quality) and it bugs me to not know how stuff works. So I tried to eliminate a variable. The bare ComboFix log, without CFScript, is as follows:

ComboFix 10-03-28.01 - Rod 03/28/2010 22:53:14.6.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.3074 [GMT -4:00]
Running from: c:\documents and settings\Rod\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ActiveArmor Firewall *disabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}
.

((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-29 )))))))))))))))))))))))))))))))
.

2010-03-29 02:15 . 2010-03-29 02:37 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2010-03-29 02:14 . 2010-03-16 06:51 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-03-29 02:14 . 2010-03-16 06:51 14757888 ----a-w- c:\windows\system32\nvoglnt.dll
2010-03-29 02:14 . 2010-03-16 06:51 4075520 ----a-w- c:\windows\system32\nvcuda.dll
2010-03-29 02:14 . 2010-03-16 06:51 2646632 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-03-29 02:14 . 2010-03-16 06:51 2183470 ----a-w- c:\windows\system32\nvdata.bin
2010-03-29 02:14 . 2010-03-16 06:51 215656 ----a-w- c:\windows\system32\nvcodins.dll
2010-03-29 02:14 . 2010-03-16 06:51 215656 ----a-w- c:\windows\system32\nvcod.dll
2010-03-29 02:14 . 2010-03-16 06:51 2030184 ----a-w- c:\windows\system32\nvcuvid.dll
2010-03-29 02:14 . 2010-03-16 06:51 11640832 ----a-w- c:\windows\system32\nvcompiler.dll
2010-03-29 02:14 . 2010-03-16 06:51 1097728 ----a-w- c:\windows\system32\nvapi.dll
2010-03-29 02:10 . 2010-03-29 02:10 -------- d-----w- c:\documents and settings\Rod\Application Data\SystemRequirementsLab
2010-03-29 02:10 . 2010-03-29 02:10 290816 ----a-w- c:\documents and settings\Rod\Application Data\SystemRequirementsLab\SRLProxy_nvd_4.dll
2010-03-29 02:10 . 2010-03-29 02:10 290816 ----a-w- c:\documents and settings\Rod\Application Data\SystemRequirementsLab\SRLProxy_nvd_3.dll
2010-03-29 02:10 . 2010-03-29 02:10 290816 ----a-w- c:\documents and settings\Rod\Application Data\SystemRequirementsLab\SRLProxy_nvd_2.dll
2010-03-29 02:10 . 2010-03-29 02:10 290816 ----a-w- c:\documents and settings\Rod\Application Data\SystemRequirementsLab\SRLProxy_nvd_1.dll
2010-03-21 16:01 . 2010-03-21 16:01 0 ----a-w- c:\windows\nsreg.dat
2010-03-21 16:01 . 2010-03-21 16:01 -------- d-----w- c:\documents and settings\Rod\Local Settings\Application Data\Mozilla
2010-03-21 04:09 . 2010-03-21 04:09 -------- d-----w- c:\documents and settings\Rod\Application Data\Malwarebytes
2010-03-21 04:09 . 2010-01-07 20:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-21 04:09 . 2010-03-21 04:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-21 04:09 . 2010-03-21 04:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-21 04:09 . 2010-01-07 20:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-21 02:58 . 2010-03-21 02:58 16384 ---ha-w- C:\SZKGFS.dat
2010-03-21 02:57 . 2010-03-21 04:11 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-03-21 02:57 . 2010-03-24 23:04 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-03-21 02:57 . 2010-03-21 02:57 -------- d-----w- c:\program files\Common Files\iS3
2010-03-21 00:55 . 2010-03-21 00:55 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-03-21 00:50 . 2010-03-09 10:12 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-03-21 00:50 . 2010-03-09 10:12 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-03-21 00:50 . 2010-03-09 10:09 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-03-21 00:50 . 2010-03-09 10:08 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-03-21 00:50 . 2010-03-09 10:08 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-03-21 00:50 . 2010-03-09 10:08 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-03-21 00:50 . 2010-03-09 10:08 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-03-21 00:50 . 2010-03-09 10:24 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-03-21 00:50 . 2010-03-09 10:24 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-03-21 00:50 . 2010-03-21 00:50 -------- d-----w- c:\program files\Alwil Software
2010-03-21 00:50 . 2010-03-21 00:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-03-16 07:37 . 2010-03-16 07:37 278120 ----a-w- c:\windows\system32\nvmccs.dll
2010-03-16 07:37 . 2010-03-16 07:37 154216 ----a-w- c:\windows\system32\nvsvc32.exe
2010-03-16 07:37 . 2010-03-16 07:37 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-03-16 07:37 . 2010-03-16 07:37 13670504 ----a-w- c:\windows\system32\nvcpl.dll
2010-03-16 07:37 . 2010-03-16 07:37 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-03-16 07:37 . 2010-03-16 07:37 81920 ----a-w- c:\windows\system32\nvwddi.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-29 02:38 . 2008-03-22 00:53 -------- d-----w- c:\program files\NVIDIA Corporation
2010-03-29 02:15 . 2008-05-27 19:04 -------- d-----w- c:\program files\AGEIA Technologies
2010-03-29 02:10 . 2008-03-22 07:06 -------- d-----w- c:\program files\SystemRequirementsLab
2010-03-27 17:32 . 2008-03-22 00:54 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-26 01:35 . 2008-04-07 14:32 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-24 23:01 . 2010-03-24 23:00 336 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2010-03-24 22:58 . 2010-03-24 22:58 744 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-03-21 15:54 . 2008-09-03 12:48 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-21 01:38 . 2008-03-22 20:38 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-03-21 00:51 . 2008-11-17 05:45 -------- d-----w- c:\program files\Google
2010-03-16 06:51 . 2008-03-22 01:30 600680 ----a-w- c:\windows\system32\nvudisp.exe
2010-03-16 06:51 . 2007-12-05 06:41 6432128 ----a-w- c:\windows\system32\nv4_disp.dll
2010-03-16 06:51 . 2007-12-05 06:41 10232352 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2010-03-12 15:26 . 2008-03-22 00:52 600680 ----a-w- c:\windows\system32\NVUNINST.EXE
2010-03-11 21:47 . 2009-07-31 01:49 280280 ----a-w- c:\windows\sediag.exe
2010-02-14 16:01 . 2010-02-14 16:01 -------- d-----w- c:\program files\R-Undelete
2010-02-14 05:54 . 2010-02-14 05:54 -------- d-----w- c:\documents and settings\Rod\Application Data\Canneverbe Limited
2010-02-14 05:54 . 2010-02-14 05:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Canneverbe Limited
2010-02-14 05:54 . 2010-02-14 05:54 -------- d-----w- c:\program files\CDBurnerXP
2010-02-06 23:46 . 2009-09-15 00:33 -------- d-----w- c:\program files\QuickTime
2010-02-06 23:43 . 2010-02-06 23:42 -------- d-----w- c:\program files\iTunes
2010-02-06 23:43 . 2008-04-07 15:07 -------- d-----w- c:\program files\iPod
2010-02-06 23:43 . 2009-04-26 01:02 -------- d-----w- c:\program files\Common Files\Apple
2010-02-06 23:36 . 2010-02-06 23:36 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-01-05 10:00 . 2004-08-04 12:00 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2004-08-04 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-03-27_04.23.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-29 02:49 . 2010-03-29 02:49 16384 c:\windows\Temp\Perflib_Perfdata_648.dat
+ 2010-03-29 02:14 . 2007-11-07 01:00 81920 c:\windows\system32\ReinstallBackups\0005\DriverFiles\nvwddi.dll
+ 2010-03-29 02:14 . 2007-11-07 01:00 81920 c:\windows\system32\ReinstallBackups\0005\DriverFiles\nvmctray.dll
+ 2010-03-29 02:14 . 2007-11-07 01:00 35328 c:\windows\system32\ReinstallBackups\0005\DriverFiles\nvcod.dll
+ 2010-03-29 02:14 . 2007-11-07 01:00 155716 c:\windows\system32\ReinstallBackups\0005\DriverFiles\nvsvc32.exe
+ 2010-03-29 02:14 . 2007-11-07 01:00 458752 c:\windows\system32\ReinstallBackups\0005\DriverFiles\nvmccssr.dll
+ 2010-03-29 02:14 . 2007-11-07 01:00 188416 c:\windows\system32\ReinstallBackups\0005\DriverFiles\nvmccss.dll
+ 2010-03-29 02:14 . 2007-11-07 01:00 385024 c:\windows\system32\ReinstallBackups\0005\DriverFiles\nvapi.dll
+ 2010-03-29 02:14 . 2007-11-07 01:00 2519040 c:\windows\system32\ReinstallBackups\0005\DriverFiles\nvwssr.dll
+ 2010-03-29 02:14 . 2007-11-07 01:00 2486272 c:\windows\system32\ReinstallBackups\0005\DriverFiles\nvwss.dll
+ 2010-03-29 02:14 . 2007-11-07 01:00 3715072 c:\windows\system32\ReinstallBackups\0005\DriverFiles\nvvitvsr.dll
+ 2010-03-29 02:14 . 2007-11-07 01:00 3698688 c:\windows\system32\ReinstallBackups\0005\DriverFiles\nvvitvs.dll
+ 2010-03-29 02:14 . 2007-11-07 01:00 6901760 c:\windows\system32\ReinstallBackups\0005\DriverFiles\nvoglnt.dll
+ 2010-03-29 02:14 . 2007-11-07 01:00 2854912 c:\windows\system32\ReinstallBackups\0005\DriverFiles\nvmoblsr.dll
+ 2010-03-29 02:14 . 2007-11-07 01:00 1212416 c:\windows\system32\ReinstallBackups\0005\DriverFiles\nvmobls.dll
+ 2010-03-29 02:14 . 2007-11-07 01:00 3330048 c:\windows\system32\ReinstallBackups\0005\DriverFiles\nvgamesr.dll
+ 2010-03-29 02:14 . 2007-11-07 01:00 3407872 c:\windows\system32\ReinstallBackups\0005\DriverFiles\nvgames.dll
+ 2010-03-29 02:14 . 2007-11-07 01:00 5611520 c:\windows\system32\ReinstallBackups\0005\DriverFiles\nvdispsr.dll
+ 2010-03-29 02:14 . 2007-11-07 01:00 6541312 c:\windows\system32\ReinstallBackups\0005\DriverFiles\nvdisps.dll
+ 2010-03-29 02:14 . 2007-11-07 01:00 8523776 c:\windows\system32\ReinstallBackups\0005\DriverFiles\nvcpl.dll
+ 2010-03-29 02:14 . 2007-11-07 01:00 7429088 c:\windows\system32\ReinstallBackups\0005\DriverFiles\nv4_mini.sys
+ 2010-03-29 02:14 . 2007-11-07 01:00 5770880 c:\windows\system32\ReinstallBackups\0005\DriverFiles\nv4_disp.dll
+ 2007-12-05 06:41 . 2010-03-16 06:51 6432128 c:\windows\system32\dllcache\nv4_disp.dll
+ 2010-03-29 02:15 . 2010-03-29 02:15 1495552 c:\windows\Installer\5901d3f.msi
+ 2007-12-05 06:41 . 2010-03-16 06:51 10232352 c:\windows\system32\dllcache\nv4_mini.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-03-09 2769336]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-03-16 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-03-16 13670504]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Rod^Start Menu^Programs^Startup^Registration Ghost Recon Advanced Warfighter.LNK]
backup=c:\windows\pss\Registration Ghost Recon Advanced Warfighter.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 06:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 10:43 69632 ----a-r- c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
2008-03-20 16:46 217544 ----a-w- c:\program files\Alcohol Soft\Alcohol 120\AxCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsusStartupHelp]
2006-11-14 06:25 363008 ----a-r- c:\program files\ASUS\AASP\1.00.17\AsRunHelp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-06-01 14:21 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter2.0]
2004-07-20 13:34 851968 ----a-w- c:\program files\Brother\ControlCenter2\brctrcen.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-01-23 00:16 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X Configure]
2006-10-30 12:44 1953792 ----a-r- c:\windows\system32\JMRaidSetup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X IDE Setup]
2006-10-30 12:44 36864 ----a-r- c:\windows\JM\JMInsIDE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2007-07-18 21:55 451872 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 19:57 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nTrayFw]
2006-02-17 15:40 270336 ----a-w- c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2010-03-16 07:37 13670504 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]
2008-07-08 20:41 2828184 ----a-w- c:\program files\Registry Mechanic\RegMech.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2006-11-14 09:21 16270848 ----a-r- c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2006-05-16 10:04 2879488 ----a-r- c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Start WingMan Profiler]
2008-04-04 16:38 88584 ----a-w- c:\program files\Logitech\Gaming Software\LWEMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-07-25 09:23 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Ubisoft\\Ghost Recon Advanced Warfighter\\GRAW.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Ubisoft\\Ghost Recon Advanced Warfighter 2\\graw2.exe"=
"c:\\Program Files\\Ubisoft\\Ghost Recon Advanced Warfighter 2\\graw2_dedicated.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\EA SPORTS\\Tiger Woods PGA TOUR 08\\bin\\TW2008.exe"=
"c:\\Program Files\\Ubisoft\\Splinter Cell Pandora Tomorrow\\pandora.exe"=
"c:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=
"c:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe"=
"c:\\Program Files\\Electronic Arts\\Medal of Honor Airborne\\UnrealEngine3\\Binaries\\MOHA.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"= 8085:TCP:OKOToGate

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/20/2010 8:50 PM 162640]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/20/2010 8:50 PM 19024]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [5/30/2008 11:58 PM 716272]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/20/2010 8:50 PM 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
tapisrvs REG_MULTI_SZ cpqoko6

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-07-18 21:53 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-03-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]

2010-03-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-21 00:50]

2010-03-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-21 00:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
Trusted Zone: emusic.com\www
Trusted Zone: taxactonline.com\www
FF - ProfilePath - c:\documents and settings\Rod\Application Data\Mozilla\Firefox\Profiles\2o4pzc8y.default\
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-nwiz - nwiz.exe
MSConfigStartUp-nwiz - nwiz.exe
AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe



**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1085031214-1563985344-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:0c,f2,1d,02,a4,cc,fc,da,eb,fd,93,e7,0b,9c,98,1b,0d,65,56,a5,1d,92,b3,
6e,4b,ae,a5,99,6a,fc,df,5f,62,65,28,e4,6b,1c,f9,a5,76,81,c3,70,d7,5b,ad,8e,\
"??"=hex:2b,23,0c,90,3a,d0,bf,8d,46,df,35,83,99,87,98,89

[HKEY_USERS\S-1-5-21-1085031214-1563985344-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:83,7d,57,da,ed,74,95,f6,47,d9,ff,bf,09,15,b4,57,18,1d,d0,17,2a,
8b,f2,e9,02,70,8a,dd,c7,79,27,ee,73,7f,db,cd,4e,85,bc,50,9a,4b,f6,ad,af,9e,\
"rkeysecu"=hex:92,bd,db,51,71,b7,65,85,99,32,57,c9,c3,16,c8,64
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(920)
c:\windows\system32\nvappfilter.dll

- - - - - - - > 'explorer.exe'(3964)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-03-28 23:00:12
ComboFix-quarantined-files.txt 2010-03-29 03:00
ComboFix2.txt 2010-03-27 05:12
ComboFix3.txt 2010-03-27 04:55
ComboFix4.txt 2010-03-27 04:35
ComboFix5.txt 2010-03-27 21:34

Pre-Run: 369,392,594,944 bytes free
Post-Run: 369,363,251,200 bytes free

- - End Of File - - 6C8A2572E6AC92340CE0EE1EEBD07723

I could run DDS also if needed but I'm guessing we need to jump through the ComboFix/CFScript hoop first somehow. Thanks again for all of your time.:rockon:

km2357
2010-03-29, 06:38
I'm going to change my old CFScript and give you a new one; let's see if that works and doesn't give you the blue screen. First, before that, I'd like you to do the following:

Please download RegQuery by Noviciate (http://rathat.geekstogo.com/Applications/RegQuery.exe) to your desktop
Copy the following registry keypath by highlighting the text and pressing CTRL and C at the same time
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Double click RegQuery.exe to run the program
Paste the text you have copied using CTRL and V, into the textbox
Click the Query button
A Notepad file will open. Please paste the contents in your next reply
You may now close the RegQuery program


Delete CFScript.txt from your Desktop, you will be creating and running a new one.


Step # 1: Run CFScript


Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:


KILLALL::

Registry::

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"=-


Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.




http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif


Note: This CFScript is for use on iflyok's computer only! Do not use it on your computer.


Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


In your next post/reply, I need to see the following:

1. RegQuery Log
2. The ComboFix Log that appears after the new CFScript. (if your computer doesn't blue screen)

Use multiple posts if you can't fit everything into one post.
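
As an added illustration (not part of this thread, and not code from ComboFix or RegQuery), the Python below parses the two sections of the ComboFix log that the instructions above act on: the firewall GloballyOpenPorts list, from which the CFScript deletes the "8085:TCP" value, and the svchost key that the RegQuery step dumps. The sample log lines are copied from the ComboFix log posted earlier in the thread; the function names and the wording of the review items are my own.

```python
import re

# Sample ComboFix log lines, copied from the log posted earlier in this thread.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"= 8085:TCP:OKOToGate

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/20/2010 8:50 PM 162640]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/20/2010 8:50 PM 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
tapisrvs REG_MULTI_SZ cpqoko6
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
# ComboFix prints a port exception as  "8085:TCP"= 8085:TCP:<name>
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$')
# ...and an svchost group as  <group> REG_MULTI_SZ <service> [<service> ...]
GROUP_RE = re.compile(r"^(\S+)\s+REG_MULTI_SZ\s+(.*)$")


def parse_sections(text):
    """Group the REGEDIT4-style log into {key path: [value lines]}.

    The R1/S2 driver lines ComboFix prints between keys carry no bracket, so
    they land in the preceding section; the value regexes below ignore them."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line)
    return sections


def open_ports(sections):
    """Return (port, protocol, name) for every GloballyOpenPorts exception."""
    found = []
    for key, values in sections.items():
        if not key.lower().endswith(r"globallyopenports\list"):
            continue
        for value in values:
            m = PORT_RE.match(value)
            if m:
                found.append((int(m.group(1)), m.group(2), m.group(3).strip()))
    return found


def svchost_groups(sections):
    """Return (group name, [service names]) for every svchost group listed.

    ComboFix hides empty and default entries, so any group that reaches the
    log is non-default and deserves a look."""
    found = []
    for key, values in sections.items():
        if not key.lower().endswith(r"currentversion\svchost"):
            continue
        for value in values:
            m = GROUP_RE.match(value)
            if m:
                found.append((m.group(1), m.group(2).split()))
    return found


def triage(text):
    """Turn the parsed entries into review items for the analyst."""
    sections = parse_sections(text)
    items = []
    for port, proto, name in open_ports(sections):
        items.append(f"globally open port {port}/{proto}, labelled '{name}'")
    for group, services in svchost_groups(sections):
        items.append(f"non-default svchost group '{group}' hosts: {', '.join(services)}")
    return items


if __name__ == "__main__":
    for item in triage(SAMPLE_LOG):
        print("REVIEW:", item)
```

Run against the sample, the script reports the 8085/TCP exception and the tapisrvs group, which is exactly the pair of entries the helper is removing and querying; on a clean XP log both functions return empty lists, because ComboFix suppresses the default entries.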

iflyok
2010-03-30, 02:47
Okay, that was strange... I ran the RegQuery and had it posted to a response. Then, I followed your instructions for the edited CFScript/ComboFix and got the blue screen again. BUT THIS TIME, after rebooting my computer, ComboFix starts on its own and runs without hanging, giving me this:

ComboFix 10-03-29.02 - Rod 03/29/2010 20:26:39.7.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.3129 [GMT -4:00]
Running from: c:\documents and settings\Rod\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Rod\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ActiveArmor Firewall *disabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}
.

((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-30 )))))))))))))))))))))))))))))))
.

2010-03-29 02:15 . 2010-03-29 02:37 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2010-03-29 02:14 . 2010-03-16 06:51 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-03-29 02:14 . 2010-03-16 06:51 14757888 ----a-w- c:\windows\system32\nvoglnt.dll
2010-03-29 02:14 . 2010-03-16 06:51 4075520 ----a-w- c:\windows\system32\nvcuda.dll
2010-03-29 02:14 . 2010-03-16 06:51 2646632 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-03-29 02:14 . 2010-03-16 06:51 2183470 ----a-w- c:\windows\system32\nvdata.bin
2010-03-29 02:14 . 2010-03-16 06:51 215656 ----a-w- c:\windows\system32\nvcodins.dll
2010-03-29 02:14 . 2010-03-16 06:51 215656 ----a-w- c:\windows\system32\nvcod.dll
2010-03-29 02:14 . 2010-03-16 06:51 2030184 ----a-w- c:\windows\system32\nvcuvid.dll
2010-03-29 02:14 . 2010-03-16 06:51 11640832 ----a-w- c:\windows\system32\nvcompiler.dll
2010-03-29 02:14 . 2010-03-16 06:51 1097728 ----a-w- c:\windows\system32\nvapi.dll
2010-03-29 02:10 . 2010-03-29 02:10 -------- d-----w- c:\documents and settings\Rod\Application Data\SystemRequirementsLab
2010-03-29 02:10 . 2010-03-29 02:10 290816 ----a-w- c:\documents and settings\Rod\Application Data\SystemRequirementsLab\SRLProxy_nvd_4.dll
2010-03-29 02:10 . 2010-03-29 02:10 290816 ----a-w- c:\documents and settings\Rod\Application Data\SystemRequirementsLab\SRLProxy_nvd_3.dll
2010-03-29 02:10 . 2010-03-29 02:10 290816 ----a-w- c:\documents and settings\Rod\Application Data\SystemRequirementsLab\SRLProxy_nvd_2.dll
2010-03-29 02:10 . 2010-03-29 02:10 290816 ----a-w- c:\documents and settings\Rod\Application Data\SystemRequirementsLab\SRLProxy_nvd_1.dll
2010-03-21 16:01 . 2010-03-21 16:01 0 ----a-w- c:\windows\nsreg.dat
2010-03-21 16:01 . 2010-03-21 16:01 -------- d-----w- c:\documents and settings\Rod\Local Settings\Application Data\Mozilla
2010-03-21 04:09 . 2010-03-21 04:09 -------- d-----w- c:\documents and settings\Rod\Application Data\Malwarebytes
2010-03-21 04:09 . 2010-01-07 20:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-21 04:09 . 2010-03-21 04:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-21 04:09 . 2010-03-21 04:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-21 04:09 . 2010-01-07 20:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-21 02:58 . 2010-03-21 02:58 16384 ---ha-w- C:\SZKGFS.dat
2010-03-21 02:57 . 2010-03-21 04:11 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-03-21 02:57 . 2010-03-24 23:04 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-03-21 02:57 . 2010-03-21 02:57 -------- d-----w- c:\program files\Common Files\iS3
2010-03-21 00:55 . 2010-03-21 00:55 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-03-21 00:50 . 2010-03-09 10:12 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-03-21 00:50 . 2010-03-09 10:12 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-03-21 00:50 . 2010-03-09 10:09 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-03-21 00:50 . 2010-03-09 10:08 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-03-21 00:50 . 2010-03-09 10:08 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-03-21 00:50 . 2010-03-09 10:08 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-03-21 00:50 . 2010-03-09 10:08 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-03-21 00:50 . 2010-03-09 10:24 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-03-21 00:50 . 2010-03-09 10:24 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-03-21 00:50 . 2010-03-21 00:50 -------- d-----w- c:\program files\Alwil Software
2010-03-21 00:50 . 2010-03-21 00:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-03-16 07:37 . 2010-03-16 07:37 278120 ----a-w- c:\windows\system32\nvmccs.dll
2010-03-16 07:37 . 2010-03-16 07:37 154216 ----a-w- c:\windows\system32\nvsvc32.exe
2010-03-16 07:37 . 2010-03-16 07:37 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-03-16 07:37 . 2010-03-16 07:37 13670504 ----a-w- c:\windows\system32\nvcpl.dll
2010-03-16 07:37 . 2010-03-16 07:37 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-03-16 07:37 . 2010-03-16 07:37 81920 ----a-w- c:\windows\system32\nvwddi.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-29 02:38 . 2008-03-22 00:53 -------- d-----w- c:\program files\NVIDIA Corporation
2010-03-29 02:15 . 2008-05-27 19:04 -------- d-----w- c:\program files\AGEIA Technologies
2010-03-29 02:10 . 2008-03-22 07:06 -------- d-----w- c:\program files\SystemRequirementsLab
2010-03-27 17:32 . 2008-03-22 00:54 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-26 01:35 . 2008-04-07 14:32 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-24 23:01 . 2010-03-24 23:00 336 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2010-03-24 22:58 . 2010-03-24 22:58 744 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-03-21 15:54 . 2008-09-03 12:48 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-21 01:38 . 2008-03-22 20:38 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-03-21 00:51 . 2008-11-17 05:45 -------- d-----w- c:\program files\Google
2010-03-16 06:51 . 2008-03-22 01:30 600680 ----a-w- c:\windows\system32\nvudisp.exe
2010-03-16 06:51 . 2007-12-05 06:41 6432128 ----a-w- c:\windows\system32\nv4_disp.dll
2010-03-16 06:51 . 2007-12-05 06:41 10232352 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2010-03-12 15:26 . 2008-03-22 00:52 600680 ----a-w- c:\windows\system32\NVUNINST.EXE
2010-03-11 21:47 . 2009-07-31 01:49 280280 ----a-w- c:\windows\sediag.exe
2010-02-14 16:01 . 2010-02-14 16:01 -------- d-----w- c:\program files\R-Undelete
2010-02-14 05:54 . 2010-02-14 05:54 -------- d-----w- c:\documents and settings\Rod\Application Data\Canneverbe Limited
2010-02-14 05:54 . 2010-02-14 05:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Canneverbe Limited
2010-02-14 05:54 . 2010-02-14 05:54 -------- d-----w- c:\program files\CDBurnerXP
2010-02-06 23:46 . 2009-09-15 00:33 -------- d-----w- c:\program files\QuickTime
2010-02-06 23:43 . 2010-02-06 23:42 -------- d-----w- c:\program files\iTunes
2010-02-06 23:43 . 2008-04-07 15:07 -------- d-----w- c:\program files\iPod
2010-02-06 23:43 . 2009-04-26 01:02 -------- d-----w- c:\program files\Common Files\Apple
2010-02-06 23:36 . 2010-02-06 23:36 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-01-05 10:00 . 2004-08-04 12:00 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2004-08-04 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-03-27_04.23.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-30 00:22 . 2010-03-30 00:22 16384 c:\windows\Temp\Perflib_Perfdata_2a8.dat
+ 2010-03-29 02:14 . 2007-11-07 01:00 81920 c:\windows\system32\ReinstallBackups\0005\DriverFiles\nvwddi.dll
+ 2010-03-29 02:14 . 2007-11-07 01:00 81920 c:\windows\system32\ReinstallBackups\0005\DriverFiles\nvmctray.dll
+ 2010-03-29 02:14 . 2007-11-07 01:00 35328 c:\windows\system32\ReinstallBackups\0005\DriverFiles\nvcod.dll
+ 2010-03-29 02:14 . 2007-11-07 01:00 155716 c:\windows\system32\ReinstallBackups\0005\DriverFiles\nvsvc32.exe
+ 2010-03-29 02:14 . 2007-11-07 01:00 458752 c:\windows\system32\ReinstallBackups\0005\DriverFiles\nvmccssr.dll
+ 2010-03-29 02:14 . 2007-11-07 01:00 188416 c:\windows\system32\ReinstallBackups\0005\DriverFiles\nvmccss.dll
+ 2010-03-29 02:14 . 2007-11-07 01:00 385024 c:\windows\system32\ReinstallBackups\0005\DriverFiles\nvapi.dll
+ 2010-03-29 02:14 . 2007-11-07 01:00 2519040 c:\windows\system32\ReinstallBackups\0005\DriverFiles\nvwssr.dll
+ 2010-03-29 02:14 . 2007-11-07 01:00 2486272 c:\windows\system32\ReinstallBackups\0005\DriverFiles\nvwss.dll
+ 2010-03-29 02:14 . 2007-11-07 01:00 3715072 c:\windows\system32\ReinstallBackups\0005\DriverFiles\nvvitvsr.dll
+ 2010-03-29 02:14 . 2007-11-07 01:00 3698688 c:\windows\system32\ReinstallBackups\0005\DriverFiles\nvvitvs.dll
+ 2010-03-29 02:14 . 2007-11-07 01:00 6901760 c:\windows\system32\ReinstallBackups\0005\DriverFiles\nvoglnt.dll
+ 2010-03-29 02:14 . 2007-11-07 01:00 2854912 c:\windows\system32\ReinstallBackups\0005\DriverFiles\nvmoblsr.dll
+ 2010-03-29 02:14 . 2007-11-07 01:00 1212416 c:\windows\system32\ReinstallBackups\0005\DriverFiles\nvmobls.dll
+ 2010-03-29 02:14 . 2007-11-07 01:00 3330048 c:\windows\system32\ReinstallBackups\0005\DriverFiles\nvgamesr.dll
+ 2010-03-29 02:14 . 2007-11-07 01:00 3407872 c:\windows\system32\ReinstallBackups\0005\DriverFiles\nvgames.dll
+ 2010-03-29 02:14 . 2007-11-07 01:00 5611520 c:\windows\system32\ReinstallBackups\0005\DriverFiles\nvdispsr.dll
+ 2010-03-29 02:14 . 2007-11-07 01:00 6541312 c:\windows\system32\ReinstallBackups\0005\DriverFiles\nvdisps.dll
+ 2010-03-29 02:14 . 2007-11-07 01:00 8523776 c:\windows\system32\ReinstallBackups\0005\DriverFiles\nvcpl.dll
+ 2010-03-29 02:14 . 2007-11-07 01:00 7429088 c:\windows\system32\ReinstallBackups\0005\DriverFiles\nv4_mini.sys
+ 2010-03-29 02:14 . 2007-11-07 01:00 5770880 c:\windows\system32\ReinstallBackups\0005\DriverFiles\nv4_disp.dll
+ 2007-12-05 06:41 . 2010-03-16 06:51 6432128 c:\windows\system32\dllcache\nv4_disp.dll
+ 2010-03-29 02:15 . 2010-03-29 02:15 1495552 c:\windows\Installer\5901d3f.msi
+ 2007-12-05 06:41 . 2010-03-16 06:51 10232352 c:\windows\system32\dllcache\nv4_mini.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-03-09 2769336]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-03-16 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-03-16 13670504]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Rod^Start Menu^Programs^Startup^Registration Ghost Recon Advanced Warfighter.LNK]
backup=c:\windows\pss\Registration Ghost Recon Advanced Warfighter.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 06:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 10:43 69632 ----a-r- c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
2008-03-20 16:46 217544 ----a-w- c:\program files\Alcohol Soft\Alcohol 120\AxCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsusStartupHelp]
2006-11-14 06:25 363008 ----a-r- c:\program files\ASUS\AASP\1.00.17\AsRunHelp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-06-01 14:21 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter2.0]
2004-07-20 13:34 851968 ----a-w- c:\program files\Brother\ControlCenter2\brctrcen.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-01-23 00:16 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X Configure]
2006-10-30 12:44 1953792 ----a-r- c:\windows\system32\JMRaidSetup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X IDE Setup]
2006-10-30 12:44 36864 ----a-r- c:\windows\JM\JMInsIDE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2007-07-18 21:55 451872 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 19:57 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nTrayFw]
2006-02-17 15:40 270336 ----a-w- c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2010-03-16 07:37 13670504 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]
2008-07-08 20:41 2828184 ----a-w- c:\program files\Registry Mechanic\RegMech.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2006-11-14 09:21 16270848 ----a-r- c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2006-05-16 10:04 2879488 ----a-r- c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Start WingMan Profiler]
2008-04-04 16:38 88584 ----a-w- c:\program files\Logitech\Gaming Software\LWEMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-07-25 09:23 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Ubisoft\\Ghost Recon Advanced Warfighter\\GRAW.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Ubisoft\\Ghost Recon Advanced Warfighter 2\\graw2.exe"=
"c:\\Program Files\\Ubisoft\\Ghost Recon Advanced Warfighter 2\\graw2_dedicated.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\EA SPORTS\\Tiger Woods PGA TOUR 08\\bin\\TW2008.exe"=
"c:\\Program Files\\Ubisoft\\Splinter Cell Pandora Tomorrow\\pandora.exe"=
"c:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=
"c:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe"=
"c:\\Program Files\\Electronic Arts\\Medal of Honor Airborne\\UnrealEngine3\\Binaries\\MOHA.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"= 8085:TCP:OKOToGate

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/20/2010 8:50 PM 162640]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/20/2010 8:50 PM 19024]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [5/30/2008 11:58 PM 716272]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/20/2010 8:50 PM 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
tapisrvs REG_MULTI_SZ cpqoko6

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-07-18 21:53 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-03-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]

2010-03-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-21 00:50]

2010-03-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-21 00:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
Trusted Zone: emusic.com\www
Trusted Zone: taxactonline.com\www
FF - ProfilePath - c:\documents and settings\Rod\Application Data\Mozilla\Firefox\Profiles\2o4pzc8y.default\
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1085031214-1563985344-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:0c,f2,1d,02,a4,cc,fc,da,eb,fd,93,e7,0b,9c,98,1b,0d,65,56,a5,1d,92,b3,
6e,4b,ae,a5,99,6a,fc,df,5f,62,65,28,e4,6b,1c,f9,a5,76,81,c3,70,d7,5b,ad,8e,\
"??"=hex:2b,23,0c,90,3a,d0,bf,8d,46,df,35,83,99,87,98,89

[HKEY_USERS\S-1-5-21-1085031214-1563985344-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:83,7d,57,da,ed,74,95,f6,47,d9,ff,bf,09,15,b4,57,18,1d,d0,17,2a,
8b,f2,e9,02,70,8a,dd,c7,79,27,ee,73,7f,db,cd,4e,85,bc,50,9a,4b,f6,ad,af,9e,\
"rkeysecu"=hex:92,bd,db,51,71,b7,65,85,99,32,57,c9,c3,16,c8,64
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(920)
c:\windows\system32\nvappfilter.dll

- - - - - - - > 'explorer.exe'(3888)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-03-29 20:34:30
ComboFix-quarantined-files.txt 2010-03-30 00:34
ComboFix2.txt 2010-03-29 03:00
ComboFix3.txt 2010-03-27 05:12
ComboFix4.txt 2010-03-27 04:55
ComboFix5.txt 2010-03-30 00:20

Pre-Run: 369,303,851,008 bytes free
Post-Run: 369,254,825,984 bytes free

- - End Of File - - F92B616C1789B94E344DC77907D4DDB3

And it appears to this novice that it ran the CFScript command. However, I lost my original response along with my original RegQuery (I did not save it either):oops:. So, here is what I got following your instructions for RegQuery AFTER sort of successfully running ComboFix/CFScript:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
"HTTPFilter"=hex(7):48,00,54,00,54,00,50,00,46,00,69,00,6c,00,74,00,65,00,72,\
00,00,00,00,00
"LocalService"=hex(7):41,00,6c,00,65,00,72,00,74,00,65,00,72,00,00,00,57,00,65,\
00,62,00,43,00,6c,00,69,00,65,00,6e,00,74,00,00,00,4c,00,6d,00,48,00,6f,00,\
73,00,74,00,73,00,00,00,52,00,65,00,6d,00,6f,00,74,00,65,00,52,00,65,00,67,\
00,69,00,73,00,74,00,72,00,79,00,00,00,75,00,70,00,6e,00,70,00,68,00,6f,00,\
73,00,74,00,00,00,53,00,53,00,44,00,50,00,53,00,52,00,56,00,00,00,00,00
"NetworkService"=hex(7):44,00,6e,00,73,00,43,00,61,00,63,00,68,00,65,00,00,00,\
00,00
"netsvcs"=hex(7):36,00,74,00,6f,00,34,00,00,00,41,00,70,00,70,00,4d,00,67,00,\
6d,00,74,00,00,00,41,00,75,00,64,00,69,00,6f,00,53,00,72,00,76,00,00,00,42,\
00,72,00,6f,00,77,00,73,00,65,00,72,00,00,00,43,00,72,00,79,00,70,00,74,00,\
53,00,76,00,63,00,00,00,44,00,4d,00,53,00,65,00,72,00,76,00,65,00,72,00,00,\
00,44,00,48,00,43,00,50,00,00,00,45,00,52,00,53,00,76,00,63,00,00,00,45,00,\
76,00,65,00,6e,00,74,00,53,00,79,00,73,00,74,00,65,00,6d,00,00,00,46,00,61,\
00,73,00,74,00,55,00,73,00,65,00,72,00,53,00,77,00,69,00,74,00,63,00,68,00,\
69,00,6e,00,67,00,43,00,6f,00,6d,00,70,00,61,00,74,00,69,00,62,00,69,00,6c,\
00,69,00,74,00,79,00,00,00,48,00,69,00,64,00,53,00,65,00,72,00,76,00,00,00,\
49,00,61,00,73,00,00,00,49,00,70,00,72,00,69,00,70,00,00,00,49,00,72,00,6d,\
00,6f,00,6e,00,00,00,4c,00,61,00,6e,00,6d,00,61,00,6e,00,53,00,65,00,72,00,\
76,00,65,00,72,00,00,00,4c,00,61,00,6e,00,6d,00,61,00,6e,00,57,00,6f,00,72,\
00,6b,00,73,00,74,00,61,00,74,00,69,00,6f,00,6e,00,00,00,4d,00,65,00,73,00,\
73,00,65,00,6e,00,67,00,65,00,72,00,00,00,4e,00,65,00,74,00,6d,00,61,00,6e,\
00,00,00,4e,00,6c,00,61,00,00,00,4e,00,74,00,6d,00,73,00,73,00,76,00,63,00,\
00,00,4e,00,57,00,43,00,57,00,6f,00,72,00,6b,00,73,00,74,00,61,00,74,00,69,\
00,6f,00,6e,00,00,00,4e,00,77,00,73,00,61,00,70,00,61,00,67,00,65,00,6e,00,\
74,00,00,00,52,00,61,00,73,00,61,00,75,00,74,00,6f,00,00,00,52,00,61,00,73,\
00,6d,00,61,00,6e,00,00,00,52,00,65,00,6d,00,6f,00,74,00,65,00,61,00,63,00,\
63,00,65,00,73,00,73,00,00,00,53,00,63,00,68,00,65,00,64,00,75,00,6c,00,65,\
00,00,00,53,00,65,00,63,00,6c,00,6f,00,67,00,6f,00,6e,00,00,00,53,00,45,00,\
4e,00,53,00,00,00,53,00,68,00,61,00,72,00,65,00,64,00,61,00,63,00,63,00,65,\
00,73,00,73,00,00,00,53,00,52,00,53,00,65,00,72,00,76,00,69,00,63,00,65,00,\
00,00,54,00,61,00,70,00,69,00,73,00,72,00,76,00,00,00,54,00,68,00,65,00,6d,\
00,65,00,73,00,00,00,54,00,72,00,6b,00,57,00,6b,00,73,00,00,00,57,00,33,00,\
32,00,54,00,69,00,6d,00,65,00,00,00,57,00,5a,00,43,00,53,00,56,00,43,00,00,\
00,57,00,6d,00,69,00,00,00,57,00,6d,00,64,00,6d,00,50,00,6d,00,53,00,70,00,\
00,00,77,00,69,00,6e,00,6d,00,67,00,6d,00,74,00,00,00,77,00,73,00,63,00,73,\
00,76,00,63,00,00,00,78,00,6d,00,6c,00,70,00,72,00,6f,00,76,00,00,00,42,00,\
49,00,54,00,53,00,00,00,77,00,75,00,61,00,75,00,73,00,65,00,72,00,76,00,00,\
00,53,00,68,00,65,00,6c,00,6c,00,48,00,57,00,44,00,65,00,74,00,65,00,63,00,\
74,00,69,00,6f,00,6e,00,00,00,68,00,65,00,6c,00,70,00,73,00,76,00,63,00,00,\
00,6e,00,61,00,70,00,61,00,67,00,65,00,6e,00,74,00,00,00,68,00,6b,00,6d,00,\
73,00,76,00,63,00,00,00,00,00
"DcomLaunch"=hex(7):44,00,63,00,6f,00,6d,00,4c,00,61,00,75,00,6e,00,63,00,68,\
00,00,00,54,00,65,00,72,00,6d,00,53,00,65,00,72,00,76,00,69,00,63,00,65,00,\
00,00,00,00
"rpcss"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00
"imgsvc"=hex(7):53,00,74,00,69,00,53,00,76,00,63,00,00,00,00,00
"termsvcs"=hex(7):54,00,65,00,72,00,6d,00,53,00,65,00,72,00,76,00,69,00,63,00,\
65,00,00,00,00,00
"WudfServiceGroup"=hex(7):57,00,55,00,44,00,46,00,53,00,76,00,63,00,00,00,00,\
00
"eapsvcs"=hex(7):65,00,61,00,70,00,68,00,6f,00,73,00,74,00,00,00,00,00
"dot3svc"=hex(7):64,00,6f,00,74,00,33,00,73,00,76,00,63,00,00,00,00,00
"tapisrvs"=hex(7):63,00,70,00,71,00,6f,00,6b,00,6f,00,36,00,00,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\DComLaunch]
"CoInitializeSecurityParam"=dword:00000001
"DefaultRpcStackSize"=dword:00000008

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\dot3svc]
"AuthenticationCapabilities"=dword:00003020
"CoInitializeSecurityParam"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\eapsvcs]
"AuthenticationCapabilities"=dword:00003020
"CoInitializeSecurityParam"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\HTTPFilter]
"CoInitializeSecurityParam"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\LocalService]
"CoInitializeSecurityParam"=dword:00000001
"AuthenticationCapabilities"=dword:00002000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\netsvcs]
"CoInitializeSecurityParam"=dword:00000001
"AuthenticationCapabilities"=dword:00003020

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\PCHealth]
"CoInitializeSecurityParam"=dword:00000002
"AuthenticationCapabilities"=dword:00000040

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\termsvcs]
"CoInitializeSecurityParam"=dword:00000001
"DefaultRpcStackSize"=dword:00000008

km2357
2010-03-30, 20:27
What the new CFScript was supposed to do was close the bad port (8085); for some reason it didn't. Let's see if we can do it manually.


Step # 1: Download and run ERUNT

You will be downloading ERUNT, a registry backup tool.
For version with the Installer (http://aumha.org/downloads/erunt-setup.exe):
Use the setup program to install ERUNT on your computer
For the zipped version (http://aumha.org/downloads/erunt.zip):
Unzip all the files into a folder of your choice.

Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

Open Notepad!
Copy and Paste everything from the Quote box into Notepad:


REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"8085:TCP"=-




Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

Go to File > Save As
Save File name as Fix.reg
Change Save as Type to All Files and save the file to your desktop.

Close Notepad, and double-click Fix.reg on your Desktop. When it asks if you want to merge the info to the registry, hit YES/OK. Reboot the computer.


Once your computer boots back up, rerun ComboFix (be sure to let it update if it asks you to) and post back the resulting log in your next reply.


I'd also like for you to do the following as well:


Registry Cleaners + "Tweak" Tools

Re. Registry Mechanic 8.0

I don't personally recommend the use of ANY Registry Cleaners or "Tweak" Tools

They are marketed as ways to make your machine run faster and more efficiently ...... Some will actually achieve this .... IF you know how to use them correctly.
Removing "Orphaned/Old/Obsolete" registry entries is fine ..... as long as they actually are "Orphaned/Old/Obsolete", it won't speed up your machine though
Stopping services and setting policies can speed up your machine ..... as long as you stop and set the right ones, and even then it's debatable if you will notice the improvement.

Remove the wrong registry entry, or stop the wrong service, and not only can you slow your machine .... you could kill it !

To use a Registry Cleaner or "Tweak" tool to its full advantage, you really need to know what it is they are doing and what else the changes may affect.
In short, if you know how to use them safely ----- you don't actually need them.

discussion on regcleaners >> http://forums.whatthetech.com/Regcleaner_t42862.html
And for more good information see what Miekiemoes has to say >> http://miekiemoes.blogspot.com/2008/02/registry-cleaners-and-system-tweaking_13.html


Step # 2 Update Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version Java components and update.

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 6u19 (http://www.java.com/en/download/manual.jsp).
Click on the link to download Windows Offline Installation and save to your desktop. Do NOT use the Sun Download Manager.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
Remove the following old versions of Java:


Java(TM) 6 Update 15


Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.

From your desktop double-click on the download to install the newest version.


Step # 3: Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Step # 4 Run Malwarebytes' Anti-Malware

Launch Malwarebytes' Anti-Malware.
Before running a scan, click the Update tab, next click Check for Updates to download any updates, if available.
Next click the Scanner tab and select Perform Quick Scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location.
You can also access the log by doing the following:

Click on the Malwarebytes' Anti-Malware icon to launch the program.
Click on the Logs tab.
Click on the log at the bottom of those listed to highlight it.
Click Open.


In your next post/reply, I need to see the following:

1. ComboFix Log
2. MalwareBytes' Log
3. A fresh DDS Log

Use multiple posts if you can't fit everything into one post.
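The two registry locations this thread turns on are the svchost group list (where the RegQuery export earlier in the thread shows a `tapisrvs` group hosting `cpqoko6`) and the firewall's GloballyOpenPorts list (the `8085:TCP` entry that the Fix.reg above deletes). The Python script below is an added example, not part of this thread and not code from ComboFix, Malwarebytes or ERUNT: it parses a `.reg` export, decodes the `hex(7)` REG_MULTI_SZ values into service names, reports any svchost group outside an assumed baseline and any global port opening outside an allowlist, and emits a REGEDIT4 removal file in the same shape as Fix.reg (no leading blank line, one trailing blank line). The baseline group set is an assumption taken from this thread's export rather than an authoritative Windows XP list, the sample export is constructed and abbreviated, and the full `port:proto:scope:Enabled:name` form of the firewall value is assumed.

```python
"""Audit a Windows .reg export for an unexpected svchost service group and an
unexpected global firewall port opening, then generate the removal .reg text.
Added example; not part of the thread or of any tool it mentions."""
import re

SVCHOST_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost"
PORTS_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
             r"\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List")

# ASSUMPTION: baseline = the groups present in this thread's export minus the
# one Malwarebytes flagged. Not an authoritative Windows XP list.
BASELINE_GROUPS = {"HTTPFilter", "LocalService", "NetworkService", "netsvcs",
                   "DcomLaunch", "rpcss", "imgsvc", "termsvcs",
                   "WudfServiceGroup", "eapsvcs", "dot3svc"}
_BASELINE_LOWER = {g.lower() for g in BASELINE_GROUPS}

# Constructed sample, abbreviated from the shape of the RegQuery export in the
# thread. The full "port:proto:scope:Enabled:name" firewall value is assumed.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
"rpcss"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00
"termsvcs"=hex(7):54,00,65,00,72,00,6d,00,53,00,65,00,72,00,76,00,69,00,63,00,\
  65,00,00,00,00,00
"tapisrvs"=hex(7):63,00,70,00,71,00,6f,00,6b,00,6f,00,36,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"8085:TCP"="8085:TCP:*:Enabled:OKOToGate"
'''

_VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')


def _join_continuations(text):
    """A .reg file wraps long hex values over lines that end in a backslash."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()            # continuation lines are indented
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def parse_reg(text):
    """Return {key_path: {value_name: raw_value_text}} for a .reg export."""
    sections, current = {}, None
    for line in _join_continuations(text):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif current is not None:
            m = _VALUE_RE.match(line)
            if m:
                sections[current][m.group(1)] = m.group(2)
    return sections


def decode_multi_sz(raw):
    """hex(7) is REG_MULTI_SZ: UTF-16LE strings, NUL-separated, double-NUL end."""
    if not raw.startswith("hex(7):"):
        raise ValueError("not a REG_MULTI_SZ value")
    data = bytes(int(b, 16) for b in raw[len("hex(7):"):].split(",") if b)
    return [s for s in data.decode("utf-16-le").split("\0") if s]


def decode_sz(raw):
    """Quoted REG_SZ text; .reg escapes quotes and backslashes with a backslash."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw


def _lookup(sections, wanted):
    """Registry paths are case-insensitive; exports vary in case."""
    for path, values in sections.items():
        if path.lower() == wanted.lower():
            return values
    return {}


def audit(sections, allowed_ports=frozenset()):
    """List (category, name, detail) for groups outside the baseline and
    global port openings outside the allowlist."""
    findings = []
    for group, raw in _lookup(sections, SVCHOST_KEY).items():
        if group.lower() not in _BASELINE_LOWER and raw.startswith("hex(7):"):
            findings.append(("svchost-group", group, decode_multi_sz(raw)))
    for port, raw in _lookup(sections, PORTS_KEY).items():
        if port not in allowed_ports:
            findings.append(("open-port", port, decode_sz(raw)))
    return findings


def removal_reg(port_names):
    """REGEDIT4 text deleting the named GloballyOpenPorts values, in the shape
    used in this thread: REGEDIT4 on the first line, one blank line at the end."""
    body = "\n".join('"%s"=-' % p for p in port_names)
    return "REGEDIT4\n\n[%s]\n%s\n\n" % (PORTS_KEY, body)


if __name__ == "__main__":
    found = audit(parse_reg(SAMPLE_REG))
    for category, name, detail in found:
        print(category, name, detail)
    bad_ports = [name for category, name, _ in found if category == "open-port"]
    print(removal_reg(bad_ports), end="")
```

Feed it a real export of those two keys (from regedit's File > Export or `reg export`) instead of `SAMPLE_REG`, and populate `allowed_ports` with the openings you know you created; the group baseline should be rebuilt from a clean machine of the same Windows build before relying on it.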

iflyok
2010-03-31, 06:25
Steps followed (somewhat out of sequence) and advice taken in following order:

1. Ran ERUNT
2. Ran Fix.reg - did not see the warning about lines before and after quote box contents until after running. Hopefully got lucky...
3. Uninstalled Registry Mechanic
4. Updated Java Runtime
5. Ran ATF cleaner
6. Ran Malwarebytes (which found and hopefully eradicated Koobface :mad:)
7. Saved Malwarebytes log
8. Ran and saved ComboFix log
9. Ran and saved DDS logs
10. Posted all saved logs here in order ran:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3935

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

3/30/2010 11:43:49 PM
mbam-log-2010-03-30 (23-43-49).txt

Scan type: Quick scan
Objects scanned: 100260
Time elapsed: 4 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\tapisrvs (Worm.KoobFace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


ComboFix 10-03-29.04 - Rod 03/30/2010 23:51:16.8.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.3150 [GMT -4:00]
Running from: c:\documents and settings\Rod\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ActiveArmor Firewall *disabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}
.

((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-31 )))))))))))))))))))))))))))))))
.

2010-03-31 03:37 . 2010-03-31 03:37 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-31 03:31 . 2010-03-31 03:31 -------- d-----w- c:\program files\Common Files\Java
2010-03-31 03:31 . 2010-03-31 03:31 503808 ----a-w- c:\documents and settings\Rod\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5db0f0c7-n\msvcp71.dll
2010-03-31 03:31 . 2010-03-31 03:31 499712 ----a-w- c:\documents and settings\Rod\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5db0f0c7-n\jmc.dll
2010-03-31 03:31 . 2010-03-31 03:31 348160 ----a-w- c:\documents and settings\Rod\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5db0f0c7-n\msvcr71.dll
2010-03-31 03:31 . 2010-03-31 03:31 61440 ----a-w- c:\documents and settings\Rod\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-1e18761d-n\decora-sse.dll
2010-03-31 03:31 . 2010-03-31 03:31 12800 ----a-w- c:\documents and settings\Rod\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-1e18761d-n\decora-d3d.dll
2010-03-31 03:30 . 2010-03-31 03:30 79488 ----a-w- c:\documents and settings\Rod\Application Data\Sun\Java\jre1.6.0_19\gtapi.dll
2010-03-31 03:30 . 2010-03-31 03:30 152576 ----a-w- c:\documents and settings\Rod\Application Data\Sun\Java\jre1.6.0_19\lzma.dll
2010-03-31 03:09 . 2010-03-31 03:09 -------- d-----w- c:\program files\ERUNT
2010-03-29 02:15 . 2010-03-29 02:37 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2010-03-29 02:14 . 2010-03-16 06:51 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-03-29 02:14 . 2010-03-16 06:51 14757888 ----a-w- c:\windows\system32\nvoglnt.dll
2010-03-29 02:14 . 2010-03-16 06:51 4075520 ----a-w- c:\windows\system32\nvcuda.dll
2010-03-29 02:14 . 2010-03-16 06:51 2646632 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-03-29 02:14 . 2010-03-16 06:51 2183470 ----a-w- c:\windows\system32\nvdata.bin
2010-03-29 02:14 . 2010-03-16 06:51 215656 ----a-w- c:\windows\system32\nvcodins.dll
2010-03-29 02:14 . 2010-03-16 06:51 215656 ----a-w- c:\windows\system32\nvcod.dll
2010-03-29 02:14 . 2010-03-16 06:51 2030184 ----a-w- c:\windows\system32\nvcuvid.dll
2010-03-29 02:14 . 2010-03-16 06:51 11640832 ----a-w- c:\windows\system32\nvcompiler.dll
2010-03-29 02:14 . 2010-03-16 06:51 1097728 ----a-w- c:\windows\system32\nvapi.dll
2010-03-29 02:10 . 2010-03-29 02:10 -------- d-----w- c:\documents and settings\Rod\Application Data\SystemRequirementsLab
2010-03-29 02:10 . 2010-03-29 02:10 290816 ----a-w- c:\documents and settings\Rod\Application Data\SystemRequirementsLab\SRLProxy_nvd_4.dll
2010-03-29 02:10 . 2010-03-29 02:10 290816 ----a-w- c:\documents and settings\Rod\Application Data\SystemRequirementsLab\SRLProxy_nvd_3.dll
2010-03-29 02:10 . 2010-03-29 02:10 290816 ----a-w- c:\documents and settings\Rod\Application Data\SystemRequirementsLab\SRLProxy_nvd_2.dll
2010-03-29 02:10 . 2010-03-29 02:10 290816 ----a-w- c:\documents and settings\Rod\Application Data\SystemRequirementsLab\SRLProxy_nvd_1.dll
2010-03-21 16:01 . 2010-03-21 16:01 0 ----a-w- c:\windows\nsreg.dat
2010-03-21 16:01 . 2010-03-21 16:01 -------- d-----w- c:\documents and settings\Rod\Local Settings\Application Data\Mozilla
2010-03-21 04:09 . 2010-03-21 04:09 -------- d-----w- c:\documents and settings\Rod\Application Data\Malwarebytes
2010-03-21 04:09 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-21 04:09 . 2010-03-21 04:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-21 04:09 . 2010-03-31 03:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-21 04:09 . 2010-03-30 04:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-21 02:58 . 2010-03-21 02:58 16384 ---ha-w- C:\SZKGFS.dat
2010-03-21 02:57 . 2010-03-21 04:11 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-03-21 02:57 . 2010-03-24 23:04 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-03-21 02:57 . 2010-03-21 02:57 -------- d-----w- c:\program files\Common Files\iS3
2010-03-21 00:55 . 2010-03-21 00:55 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-03-21 00:50 . 2010-03-09 10:12 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-03-21 00:50 . 2010-03-09 10:12 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-03-21 00:50 . 2010-03-09 10:09 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-03-21 00:50 . 2010-03-09 10:08 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-03-21 00:50 . 2010-03-09 10:08 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-03-21 00:50 . 2010-03-09 10:08 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-03-21 00:50 . 2010-03-09 10:08 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-03-21 00:50 . 2010-03-09 10:24 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-03-21 00:50 . 2010-03-09 10:24 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-03-21 00:50 . 2010-03-21 00:50 -------- d-----w- c:\program files\Alwil Software
2010-03-21 00:50 . 2010-03-21 00:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-03-16 07:37 . 2010-03-16 07:37 278120 ----a-w- c:\windows\system32\nvmccs.dll
2010-03-16 07:37 . 2010-03-16 07:37 154216 ----a-w- c:\windows\system32\nvsvc32.exe
2010-03-16 07:37 . 2010-03-16 07:37 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-03-16 07:37 . 2010-03-16 07:37 13670504 ----a-w- c:\windows\system32\nvcpl.dll
2010-03-16 07:37 . 2010-03-16 07:37 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-03-16 07:37 . 2010-03-16 07:37 81920 ----a-w- c:\windows\system32\nvwddi.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-31 03:31 . 2008-11-24 13:33 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-29 02:38 . 2008-03-22 00:53 -------- d-----w- c:\program files\NVIDIA Corporation
2010-03-29 02:15 . 2008-05-27 19:04 -------- d-----w- c:\program files\AGEIA Technologies
2010-03-29 02:10 . 2008-03-22 07:06 -------- d-----w- c:\program files\SystemRequirementsLab
2010-03-27 17:32 . 2008-03-22 00:54 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-26 01:35 . 2008-04-07 14:32 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-24 23:01 . 2010-03-24 23:00 336 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2010-03-24 22:58 . 2010-03-24 22:58 744 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-03-21 15:54 . 2008-09-03 12:48 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-21 01:38 . 2008-03-22 20:38 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-03-21 00:51 . 2008-11-17 05:45 -------- d-----w- c:\program files\Google
2010-03-16 06:51 . 2008-03-22 01:30 600680 ----a-w- c:\windows\system32\nvudisp.exe
2010-03-16 06:51 . 2007-12-05 06:41 6432128 ----a-w- c:\windows\system32\nv4_disp.dll
2010-03-16 06:51 . 2007-12-05 06:41 10232352 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2010-03-12 15:26 . 2008-03-22 00:52 600680 ----a-w- c:\windows\system32\NVUNINST.EXE
2010-03-11 21:47 . 2009-07-31 01:49 280280 ----a-w- c:\windows\sediag.exe
2010-02-14 16:01 . 2010-02-14 16:01 -------- d-----w- c:\program files\R-Undelete
2010-02-14 05:54 . 2010-02-14 05:54 -------- d-----w- c:\documents and settings\Rod\Application Data\Canneverbe Limited
2010-02-14 05:54 . 2010-02-14 05:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Canneverbe Limited
2010-02-14 05:54 . 2010-02-14 05:54 -------- d-----w- c:\program files\CDBurnerXP
2010-02-06 23:46 . 2009-09-15 00:33 -------- d-----w- c:\program files\QuickTime
2010-02-06 23:43 . 2010-02-06 23:42 -------- d-----w- c:\program files\iTunes
2010-02-06 23:43 . 2008-04-07 15:07 -------- d-----w- c:\program files\iPod
2010-02-06 23:43 . 2009-04-26 01:02 -------- d-----w- c:\program files\Common Files\Apple
2010-02-06 23:36 . 2010-02-06 23:36 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-01-05 10:00 . 2004-08-04 12:00 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2004-08-04 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-03-27_04.23.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-31 03:48 . 2010-03-31 03:48 16384 c:\windows\Temp\Perflib_Perfdata_63c.dat
+ 2010-03-29 02:14 . 2007-11-07 01:00 81920 c:\windows\system32\ReinstallBackups\0005\DriverFiles\nvwddi.dll
+ 2010-03-29 02:14 . 2007-11-07 01:00 81920 c:\windows\system32\ReinstallBackups\0005\DriverFiles\nvmctray.dll
+ 2010-03-29 02:14 . 2007-11-07 01:00 35328 c:\windows\system32\ReinstallBackups\0005\DriverFiles\nvcod.dll
+ 2010-03-29 02:14 . 2007-11-07 01:00 155716 c:\windows\system32\ReinstallBackups\0005\DriverFiles\nvsvc32.exe
+ 2010-03-29 02:14 . 2007-11-07 01:00 458752 c:\windows\system32\ReinstallBackups\0005\DriverFiles\nvmccssr.dll
+ 2010-03-29 02:14 . 2007-11-07 01:00 188416 c:\windows\system32\ReinstallBackups\0005\DriverFiles\nvmccss.dll
+ 2010-03-29 02:14 . 2007-11-07 01:00 385024 c:\windows\system32\ReinstallBackups\0005\DriverFiles\nvapi.dll
+ 2010-03-31 03:31 . 2010-03-31 03:31 153376 c:\windows\system32\javaws.exe
+ 2010-03-31 03:31 . 2010-03-31 03:31 145184 c:\windows\system32\javaw.exe
- 2009-06-13 16:01 . 2009-07-25 09:23 145184 c:\windows\system32\javaw.exe
- 2009-06-13 16:01 . 2009-07-25 09:23 145184 c:\windows\system32\java.exe
+ 2010-03-31 03:31 . 2010-03-31 03:31 145184 c:\windows\system32\java.exe
+ 2010-03-31 03:31 . 2010-03-31 03:31 180224 c:\windows\Installer\203d8.msi
+ 2010-03-31 03:31 . 2010-03-31 03:31 577536 c:\windows\Installer\203d3.msi
+ 2010-03-31 03:09 . 2010-03-31 03:09 192512 c:\windows\ERDNT\3-30-2010\Users\00000002\UsrClass.dat
+ 2010-03-31 03:09 . 2005-10-20 16:02 163328 c:\windows\ERDNT\3-30-2010\ERDNT.EXE
+ 2010-03-29 02:14 . 2007-11-07 01:00 2519040 c:\windows\system32\ReinstallBackups\0005\DriverFiles\nvwssr.dll
+ 2010-03-29 02:14 . 2007-11-07 01:00 2486272 c:\windows\system32\ReinstallBackups\0005\DriverFiles\nvwss.dll
+ 2010-03-29 02:14 . 2007-11-07 01:00 3715072 c:\windows\system32\ReinstallBackups\0005\DriverFiles\nvvitvsr.dll
+ 2010-03-29 02:14 . 2007-11-07 01:00 3698688 c:\windows\system32\ReinstallBackups\0005\DriverFiles\nvvitvs.dll
+ 2010-03-29 02:14 . 2007-11-07 01:00 6901760 c:\windows\system32\ReinstallBackups\0005\DriverFiles\nvoglnt.dll
+ 2010-03-29 02:14 . 2007-11-07 01:00 2854912 c:\windows\system32\ReinstallBackups\0005\DriverFiles\nvmoblsr.dll
+ 2010-03-29 02:14 . 2007-11-07 01:00 1212416 c:\windows\system32\ReinstallBackups\0005\DriverFiles\nvmobls.dll
+ 2010-03-29 02:14 . 2007-11-07 01:00 3330048 c:\windows\system32\ReinstallBackups\0005\DriverFiles\nvgamesr.dll
+ 2010-03-29 02:14 . 2007-11-07 01:00 3407872 c:\windows\system32\ReinstallBackups\0005\DriverFiles\nvgames.dll
+ 2010-03-29 02:14 . 2007-11-07 01:00 5611520 c:\windows\system32\ReinstallBackups\0005\DriverFiles\nvdispsr.dll
+ 2010-03-29 02:14 . 2007-11-07 01:00 6541312 c:\windows\system32\ReinstallBackups\0005\DriverFiles\nvdisps.dll
+ 2010-03-29 02:14 . 2007-11-07 01:00 8523776 c:\windows\system32\ReinstallBackups\0005\DriverFiles\nvcpl.dll
+ 2010-03-29 02:14 . 2007-11-07 01:00 7429088 c:\windows\system32\ReinstallBackups\0005\DriverFiles\nv4_mini.sys
+ 2010-03-29 02:14 . 2007-11-07 01:00 5770880 c:\windows\system32\ReinstallBackups\0005\DriverFiles\nv4_disp.dll
+ 2007-12-05 06:41 . 2010-03-16 06:51 6432128 c:\windows\system32\dllcache\nv4_disp.dll
+ 2010-03-29 02:15 . 2010-03-29 02:15 1495552 c:\windows\Installer\5901d3f.msi
+ 2007-12-05 06:41 . 2010-03-16 06:51 10232352 c:\windows\system32\dllcache\nv4_mini.sys
+ 2010-03-31 03:09 . 2010-03-31 03:09 10510336 c:\windows\ERDNT\3-30-2010\Users\00000001\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-03-09 2769336]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-03-16 13670504]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Rod^Start Menu^Programs^Startup^Registration Ghost Recon Advanced Warfighter.LNK]
backup=c:\windows\pss\Registration Ghost Recon Advanced Warfighter.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 06:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 10:43 69632 ----a-r- c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
2008-03-20 16:46 217544 ----a-w- c:\program files\Alcohol Soft\Alcohol 120\AxCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsusStartupHelp]
2006-11-14 06:25 363008 ----a-r- c:\program files\ASUS\AASP\1.00.17\AsRunHelp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-06-01 14:21 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter2.0]
2004-07-20 13:34 851968 ----a-w- c:\program files\Brother\ControlCenter2\brctrcen.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-01-23 00:16 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X Configure]
2006-10-30 12:44 1953792 ----a-r- c:\windows\system32\JMRaidSetup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X IDE Setup]
2006-10-30 12:44 36864 ----a-r- c:\windows\JM\JMInsIDE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2007-07-18 21:55 451872 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 19:57 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nTrayFw]
2006-02-17 15:40 270336 ----a-w- c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2010-03-16 07:37 13670504 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2010-03-16 07:37 110696 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2006-11-14 09:21 16270848 ----a-r- c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2006-05-16 10:04 2879488 ----a-r- c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Start WingMan Profiler]
2008-04-04 16:38 88584 ----a-w- c:\program files\Logitech\Gaming Software\LWEMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-07-25 09:23 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Ubisoft\\Ghost Recon Advanced Warfighter\\GRAW.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Ubisoft\\Ghost Recon Advanced Warfighter 2\\graw2.exe"=
"c:\\Program Files\\Ubisoft\\Ghost Recon Advanced Warfighter 2\\graw2_dedicated.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\EA SPORTS\\Tiger Woods PGA TOUR 08\\bin\\TW2008.exe"=
"c:\\Program Files\\Ubisoft\\Splinter Cell Pandora Tomorrow\\pandora.exe"=
"c:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=
"c:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe"=
"c:\\Program Files\\Electronic Arts\\Medal of Honor Airborne\\UnrealEngine3\\Binaries\\MOHA.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/20/2010 8:50 PM 162640]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/20/2010 8:50 PM 19024]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [5/30/2008 11:58 PM 716272]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/20/2010 8:50 PM 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-07-18 21:53 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-03-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]

2010-03-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-21 00:50]

2010-03-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-21 00:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
Trusted Zone: emusic.com\www
Trusted Zone: taxactonline.com\www
FF - ProfilePath - c:\documents and settings\Rod\Application Data\Mozilla\Firefox\Profiles\2o4pzc8y.default\
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-RegistryMechanic - c:\program files\Registry Mechanic\RegMech.exe



**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1085031214-1563985344-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:0c,f2,1d,02,a4,cc,fc,da,eb,fd,93,e7,0b,9c,98,1b,0d,65,56,a5,1d,92,b3,
6e,4b,ae,a5,99,6a,fc,df,5f,62,65,28,e4,6b,1c,f9,a5,76,81,c3,70,d7,5b,ad,8e,\
"??"=hex:2b,23,0c,90,3a,d0,bf,8d,46,df,35,83,99,87,98,89

[HKEY_USERS\S-1-5-21-1085031214-1563985344-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:83,7d,57,da,ed,74,95,f6,47,d9,ff,bf,09,15,b4,57,18,1d,d0,17,2a,
8b,f2,e9,02,70,8a,dd,c7,79,27,ee,73,7f,db,cd,4e,85,bc,50,9a,4b,f6,ad,af,9e,\
"rkeysecu"=hex:92,bd,db,51,71,b7,65,85,99,32,57,c9,c3,16,c8,64
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(924)
c:\windows\system32\nvappfilter.dll

- - - - - - - > 'explorer.exe'(1220)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-03-30 23:58:28
ComboFix-quarantined-files.txt 2010-03-31 03:58
ComboFix2.txt 2010-03-30 00:34
ComboFix3.txt 2010-03-29 03:00
ComboFix4.txt 2010-03-27 05:12
ComboFix5.txt 2010-03-31 03:50

Pre-Run: 369,170,423,808 bytes free
Post-Run: 369,130,500,096 bytes free

- - End Of File - - 5BBE84F8485214A690368D064B999405



DDS (Ver_10-03-17.01) - NTFSx86
Run by Rod at 0:03:04.29 on Wed 03/31/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_19
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.3074 [GMT -4:00]

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ActiveArmor Firewall *disabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Rod\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.comcast.net/
uInternet Settings,ProxyOverride = *.local
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F}
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
Trusted Zone: emusic.com\www
Trusted Zone: taxactonline.com\www
DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - hxxp://www.comcastsupport.com/Oneclickfix/tgctlsr.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1215555590453
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229154001250
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://vpn.safelnk.net/dana-cached/setup/JuniperSetupSP1.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\rod\applic~1\mozilla\firefox\profiles\2o4pzc8y.default\
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-3-20 162640]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-3-20 19024]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-20 40384]
R2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [2007-5-28 275968]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-20 133104]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-20 40384]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-20 40384]

=============== Created Last 30 ================

2010-03-31 03:31:09 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-03-29 02:15:01 0 d-----w- c:\docume~1\alluse~1\applic~1\NVIDIA Corporation
2010-03-29 02:14:19 9046 ----a-w- c:\windows\system32\nvinfo.pb
2010-03-29 02:14:19 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-03-29 02:14:19 14757888 ----a-w- c:\windows\system32\nvoglnt.dll
2010-03-29 02:14:17 4075520 ----a-w- c:\windows\system32\nvcuda.dll
2010-03-29 02:14:17 2646632 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-03-29 02:14:17 2183470 ----a-w- c:\windows\system32\nvdata.bin
2010-03-29 02:14:17 215656 ----a-w- c:\windows\system32\nvcodins.dll
2010-03-29 02:14:17 215656 ----a-w- c:\windows\system32\nvcod.dll
2010-03-29 02:14:17 2030184 ----a-w- c:\windows\system32\nvcuvid.dll
2010-03-29 02:14:17 11640832 ----a-w- c:\windows\system32\nvcompiler.dll
2010-03-29 02:14:17 1097728 ----a-w- c:\windows\system32\nvapi.dll
2010-03-27 04:31:57 98816 ----a-w- c:\windows\sed.exe
2010-03-27 04:31:57 77312 ----a-w- c:\windows\MBR.exe
2010-03-27 04:31:57 261632 ----a-w- c:\windows\PEV.exe
2010-03-27 04:31:57 161792 ----a-w- c:\windows\SWREG.exe
2010-03-27 04:15:54 0 d-sha-r- C:\cmdcons
2010-03-24 23:00:42 336 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2010-03-24 22:58:23 744 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-03-21 04:09:13 0 d-----w- c:\docume~1\rod\applic~1\Malwarebytes
2010-03-21 04:09:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-21 04:09:08 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-21 04:09:07 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-21 04:09:07 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-21 02:58:37 16384 ---ha-w- C:\SZKGFS.dat
2010-03-21 02:57:57 0 d-----w- c:\docume~1\alluse~1\applic~1\SITEguard
2010-03-21 02:57:31 0 d-----w- c:\program files\common files\iS3
2010-03-21 02:57:31 0 d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
2010-03-21 00:50:30 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-03-16 07:37:50 278120 ----a-w- c:\windows\system32\nvmccs.dll
2010-03-16 07:37:50 154216 ----a-w- c:\windows\system32\nvsvc32.exe
2010-03-16 07:37:50 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-03-16 07:37:50 13670504 ----a-w- c:\windows\system32\nvcpl.dll
2010-03-16 07:37:50 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-03-16 07:37:44 81920 ----a-w- c:\windows\system32\nvwddi.dll
2010-03-16 07:37:34 66714 ----a-w- c:\windows\system32\NvwsApps.xml
2010-03-16 07:37:34 276202 ----a-w- c:\windows\system32\NvApps.xml
2010-03-12 00:06:08 3252 ----a-w- c:\windows\system32\wbem\Outlook_01cac177d120e686.mof

==================== Find3M ====================

2010-03-31 03:31:01 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-16 06:51:59 6432128 ----a-w- c:\windows\system32\nv4_disp.dll
2010-03-16 06:51:59 600680 ----a-w- c:\windows\system32\nvudisp.exe
2010-03-16 06:51:59 10232352 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2010-03-12 15:26:36 600680 ----a-w- c:\windows\system32\NVUNINST.EXE
2010-03-11 21:47:56 280280 ----a-w- c:\windows\sediag.exe
2010-01-05 10:00:29 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00:20 17408 ----a-w- c:\windows\system32\corpol.dll
2008-07-08 22:44:30 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008070820080709\index.dat

============= FINISH: 0:03:20.79 ===============



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\Harddisk0\DP(1)0x7e00-0x74701a8200+1
Install Date: 3/22/2008 2:08:25 AM
System Uptime: 3/30/2010 11:48:05 PM (1 hours ago)

Motherboard: ASUSTeK Computer INC. | | P5N-E SLI
Processor: Intel(R) Core(TM)2 Quad CPU Q6600 @ 2.40GHz | Socket 775 | 2835/473mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 466 GiB total, 343.803 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP562: 12/30/2009 7:23:45 PM - System Checkpoint
RP563: 12/31/2009 8:16:35 PM - System Checkpoint
RP564: 1/1/2010 8:56:08 PM - System Checkpoint
RP565: 1/2/2010 9:29:32 PM - System Checkpoint
RP566: 1/5/2010 6:37:58 PM - System Checkpoint
RP567: 1/6/2010 9:05:18 PM - System Checkpoint
RP568: 1/8/2010 5:04:11 PM - System Checkpoint
RP569: 1/9/2010 5:54:59 PM - System Checkpoint
RP570: 1/13/2010 1:42:41 AM - Software Distribution Service 3.0
RP571: 1/15/2010 10:11:13 PM - System Checkpoint
RP572: 1/16/2010 10:48:31 PM - System Checkpoint
RP573: 1/18/2010 11:03:07 AM - System Checkpoint
RP574: 1/19/2010 11:59:56 AM - System Checkpoint
RP575: 1/20/2010 6:59:36 PM - System Checkpoint
RP576: 1/21/2010 7:54:14 PM - System Checkpoint
RP577: 1/22/2010 12:56:02 AM - Software Distribution Service 3.0
RP578: 1/23/2010 11:28:03 AM - System Checkpoint
RP579: 1/24/2010 12:45:08 PM - System Checkpoint
RP580: 1/25/2010 6:15:52 PM - System Checkpoint
RP581: 1/26/2010 7:43:23 PM - System Checkpoint
RP582: 1/27/2010 8:53:00 PM - System Checkpoint
RP583: 1/30/2010 12:29:19 PM - System Checkpoint
RP584: 1/31/2010 1:11:27 PM - System Checkpoint
RP585: 2/3/2010 10:17:39 PM - System Checkpoint
RP586: 2/6/2010 12:20:55 PM - System Checkpoint
RP587: 2/7/2010 1:49:36 PM - System Checkpoint
RP588: 2/8/2010 10:10:24 PM - System Checkpoint
RP589: 2/9/2010 10:24:09 PM - System Checkpoint
RP590: 2/10/2010 10:19:05 PM - Software Distribution Service 3.0
RP591: 2/12/2010 2:55:05 AM - Installed HP USB Disk Storage Format Tool
RP592: 2/13/2010 3:37:03 AM - System Checkpoint
RP593: 2/14/2010 9:20:39 AM - System Checkpoint
RP594: 2/15/2010 9:40:55 AM - System Checkpoint
RP595: 2/16/2010 6:19:57 PM - System Checkpoint
RP596: 2/17/2010 6:48:21 PM - System Checkpoint
RP597: 2/18/2010 7:19:27 PM - System Checkpoint
RP598: 2/19/2010 10:52:30 PM - System Checkpoint
RP599: 2/20/2010 11:10:12 PM - System Checkpoint
RP600: 2/21/2010 11:26:54 PM - System Checkpoint
RP601: 2/23/2010 10:52:58 AM - System Checkpoint
RP602: 2/25/2010 7:00:03 PM - System Checkpoint
RP603: 2/26/2010 7:24:36 PM - System Checkpoint
RP604: 2/28/2010 9:35:36 AM - System Checkpoint
RP605: 3/1/2010 10:16:21 AM - System Checkpoint
RP606: 3/4/2010 8:28:11 PM - System Checkpoint
RP607: 3/5/2010 9:13:43 PM - System Checkpoint
RP608: 3/6/2010 9:49:35 PM - System Checkpoint
RP609: 3/9/2010 10:46:33 AM - System Checkpoint
RP610: 3/10/2010 11:29:43 AM - System Checkpoint
RP611: 3/11/2010 3:00:21 AM - Software Distribution Service 3.0
RP612: 3/12/2010 5:53:12 PM - System Checkpoint
RP613: 3/13/2010 5:54:08 PM - System Checkpoint
RP614: 3/14/2010 7:43:46 PM - System Checkpoint
RP615: 3/15/2010 8:01:35 PM - System Checkpoint
RP616: 3/17/2010 11:26:37 AM - System Checkpoint
RP617: 3/18/2010 5:20:32 PM - System Checkpoint
RP618: 3/19/2010 6:55:48 PM - System Checkpoint
RP619: 3/20/2010 8:50:30 PM - avast! Free Antivirus Setup
RP620: 3/20/2010 10:57:25 PM - Installed STOPzilla. Available with Windows Installer version 1.2 and later.
RP621: 3/21/2010 1:48:43 PM - Restore Operation
RP622: 3/21/2010 2:54:25 PM - Restore Operation
RP623: 3/23/2010 7:58:40 PM - System Checkpoint
RP624: 3/24/2010 7:03:54 PM - Removed STOPzilla. Available with Windows Installer version 1.2 and later.
RP625: 3/25/2010 7:07:10 PM - System Checkpoint
RP626: 3/27/2010 12:15:41 AM - ComboFix created restore point
RP627: 3/28/2010 12:23:52 AM - System Checkpoint
RP628: 3/29/2010 7:46:07 PM - System Checkpoint
RP629: 3/30/2010 11:23:35 PM - Removed Java(TM) 6 Update 12
RP630: 3/30/2010 11:30:51 PM - Installed Java(TM) 6 Update 19

==== Installed Programs ======================

Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.6
Adobe Shockwave Player 11.5
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ASUSUpdate
avast! Free Antivirus
AviSynth 2.5
AVS DVD Copy version 3.1
AVS Update Manager 1.0
AVS4YOU Software Navigator 1.3
Belarc Advisor 7.2
Bonjour
Brother MFL-Pro Suite
Burn4Free CD and DVD
Cakewalk Pyro 5
Call of Duty(R) 4 - Modern Warfare(TM)
CCScore
CDBurnerXP
Compatibility Pack for the 2007 Office system
Critical Update for Windows Media Player 11 (KB959772)
DVD-CLONER V7.10 Build 992
DVD Decrypter (Remove Only)
EA Download Manager
EA SPORTS online 2008
ERUNT 1.1j
ESSBrwr
ESSCDBK
ESScore
ESSgui
ESSini
ESSPCD
ESSTOOLS
essvatgt
FileZilla Client 3.1.2
GameSpy Arcade
Ghost Recon Advanced Warfighter
Google Chrome
Google Earth
Google Update Helper
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB932716-v2)
Hotfix for Windows XP (KB945060-v3)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hoyle Card Games 5
HP USB Disk Storage Format Tool
InterVideo WinDVD 4
iTunes
Java Auto Updater
Java(TM) 6 Update 19
JMB36X Raid Configurer
Juniper Networks Cache Cleaner 6.2.0
Juniper Networks Host Checker
Juniper Networks Network Connect 6.2.0
Kodak EasyShare software
L&H TTS3000 Español
Lernout & Hauspie TruVoice American English TTS Engine
LightScribe 1.8.15.1
Logitech Gaming Software 5.02
Logitech SetPoint
Malwarebytes' Anti-Malware
Medal of Honor Airborne
MediaWidget 5.0
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Halo
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox (3.6.2)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
Need For Speed Hot Pursuit 2
Need for Speed™ Undercover
Nero 7 Essentials
neroxml
netbrdg
NVIDIA Drivers
NVIDIA ForceWare Network Access Manager
NVIDIA nView Desktop Manager
NVIDIA PhysX
OfotoXMI
OGA Notifier 2.0.0048.0
Panasonic DVC USB Driver
PC Probe II
PE Builder 3.1.10a
PHStat2 version 2.7
PowerTeacher Gradebook
QuickTime
R-Undelete 4.0
Realtek High Definition Audio Driver
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
SFR
SHASTA
skin0001
SKINXSDK
Splinter Cell Pandora Tomorrow
Spybot - Search & Destroy
Star Wars Empire at War
staticcr
System Requirements Lab
Tiger Woods PGA TOUR 06
Tiger Woods PGA TOUR 08
Tom Clancy's Ghost Recon Advanced Warfighter® 2
Tom Clancy's Splinter Cell
Ulead VideoStudio 5.0 DV
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Videora iPod Converter 4.07
ViewSonic Monitor Drivers
VPRINTOL
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows XP Service Pack 3
WIRELESS
YouTube Downloader App 1.02

==== Event Viewer Messages From Past Week ========

3/28/2010 10:33:30 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file nv4_mini.sys. This file was restored to the original version to maintain system stability. The file version of the system file is 6.14.10.5673.
3/28/2010 10:33:30 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file nv4_disp.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 6.14.10.5673.
3/27/2010 12:19:21 AM, error: Service Control Manager [7016] - The BrSplService service has reported an invalid current state 0.
3/25/2010 5:40:28 PM, error: PlugPlayManager [11] - The device Root\LEGACY_APTO6KO\0000 disappeared from the system without first being prepared for removal.
3/25/2010 5:34:08 PM, error: Dhcp [1002] - The IP address lease 192.168.1.6 for the Network Card with network address 001D60CAD9ED has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
3/24/2010 6:58:14 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: JRAID

==== End Of File ===========================

Thanks again for your time km2357! :bow:

km2357
2010-04-01, 20:23
I apologize for the delay in response. I didn't get a notification that you replied and didn't see your response until today.


2. Ran Fix.reg - did not see the warning about lines before and after quote box contents until after running. Hopefully got lucky...

Fix.reg worked. :) The [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"= 8085:TCP:OKOToGate line is not in your latest ComboFix log. :)



Step # 1: Update Adobe Acrobat Reader

There is a newer version of Adobe Acrobat Reader available. (See Note below)


First, go to Add/Remove Programs and uninstall Adobe Reader 8.1.6.
Please go to this link Adobe Acrobat Reader Download Link (http://www.adobe.com/products/acrobat/readstep2.html)
On the right, untick Adobe Photoshop Album Starter Edition if you do not wish to include this in the installation.
Click the Continue button
Click Run, and click Run again
Next click the Install Now button and follow the on screen prompts

Note: Adobe 9.3.1 is a large program and if you prefer a smaller program you can get Foxit 3.2.0 instead from http://www.foxitsoftware.com/downloads/index.php

If you decide to install Foxit 3.2.0 instead of Adobe, do the following during Foxit's Setup/Installation process:

Uncheck the following boxes:

I accept the License Terms and want to install Foxit Toolbar

Make Ask.com my default search

Create desktop, quick launch and start menu icon to eBay



Step # 2: Run Kaspersky Online Scan

Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Mail databases
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply.


In your next post/reply, I need to see the following:

1. Kaspersky Log
2. How is your computer doing, any problems?
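The entry that Fix.reg removed above is a port exception in the XP firewall's StandardProfile GloballyOpenPorts list. As an added audit example (not the helper's Fix.reg, ComboFix or any tool from the thread), the following Python parses a .reg export of that key and flags enabled exceptions that are open to any address and not labelled with a Windows resource string. The export is constructed: only the 8085:TCP value reproduces the thread's finding, and the port:protocol:scope:state:label value layout is assumed from the XP firewall's registry format.

```python
import re

# Constructed .reg export (sample data, not taken from the thread's logs) of the
# XP firewall's globally opened ports. The 8085:TCP value reproduces the
# exception named in the ComboFix log; the other two are the kind of
# file-and-print exceptions Windows creates itself.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP"="139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004"
"445:TCP"="445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005"
"8085:TCP"="8085:TCP:*:Enabled:OKOToGate"
"""

# Key suffix we care about (matched case-insensitively against each [section] header).
OPEN_PORTS_KEY = r"\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List"
# A .reg string value line: "name"="data"
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>[^"]*)"$')


def parse_open_ports(reg_text):
    """Parse the values under the GloballyOpenPorts List key into dicts.

    Assumed value layout (XP firewall): port:protocol:scope:Enabled|Disabled:label,
    where scope is '*' (any address), 'LocalSubNet' or an address list.
    """
    entries, in_key = [], False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower().endswith(OPEN_PORTS_KEY.lower())
            continue
        m = VALUE_RE.match(line) if in_key else None
        if not m:
            continue
        parts = m.group("data").split(":", 4)
        if len(parts) != 5:
            entries.append({"value": m.group("name"), "malformed": m.group("data")})
            continue
        port, proto, scope, state, label = parts
        entries.append({"value": m.group("name"), "port": int(port), "proto": proto.upper(),
                        "scope": scope, "state": state, "label": label, "malformed": None})
    return entries


def audit_open_ports(entries):
    """Return (value name, reason) pairs for exceptions that deserve a look."""
    findings = []
    for e in entries:
        reasons = []
        if e["malformed"] is not None:
            reasons.append("malformed value data")
        else:
            # Built-in Windows exceptions carry an @dll,-id resource label; a plain
            # name that is reachable from any address is what a worm's web server looks like.
            if e["state"] == "Enabled" and e["scope"] == "*" and not e["label"].startswith("@"):
                reasons.append(f"enabled for any address, labelled '{e['label']}'")
            if f"{e['port']}:{e['proto']}" != e["value"].upper():
                reasons.append("value name does not match the port/protocol in its data")
        findings.extend((e["value"], r) for r in reasons)
    return findings


if __name__ == "__main__":
    for value, reason in audit_open_ports(parse_open_ports(SAMPLE_REG)):
        print(f"{value}: {reason}")
```

A real export written by regedit is UTF-16 with a byte-order mark, so read it with encoding="utf-16" before passing the text in.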

iflyok
2010-04-03, 01:33
There's no need to apologize, I'm fortunate you volunteer your time and appreciate any help I get no matter how long it takes. :angel:

The Kaspersky scanner found a few stray bugs... including that nasty Koobface.
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, April 2, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, April 02, 2010 03:35:03
Records in database: 3913724
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 92966
Threats found: 3
Infected objects found: 4
Suspicious objects found: 0
Scan duration: 01:25:00


File name / Threat / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\imapioko.sys.vir Infected: Trojan.Win32.Agent.dphp 1
C:\System Volume Information\_restore{53E7EEB2-55FD-4220-97F5-41584F914316}\RP624\A0070895.exe Infected: Net-Worm.Win32.Koobface.fxn 1
C:\System Volume Information\_restore{53E7EEB2-55FD-4220-97F5-41584F914316}\RP624\A0070988.sys Infected: Trojan.Win32.Agent.dphp 1
C:\System Volume Information\_restore{53E7EEB2-55FD-4220-97F5-41584F914316}\RP624\A0070989.dll Infected: Net-Worm.Win32.Koobface.gao 1

Selected area has been scanned.

As far as my computer's processes, there are some quirky issues here and there.

I can't seem to run Windows Disk Defrag or any of the other System Tools. I get an error window titled "mmc.exe - Entry Point Not Found".
The error text is: "The procedure entry point ?PickIconDlg@@YGHPAUHWND_@@PAGIPAH@Z could not be located in the dynamic link library mmcbase.DLL".

I know there is at least one other weird thing but I can't recall what it is... must not be too important.

I did replace Adobe Reader (uninstall) and replace it with Foxit. Thanks for that and all your help to this point.

iflyok
2010-04-03, 01:38
OH... I see. It found them in quarantine files and restore points. :bigthumb:

km2357
2010-04-03, 02:18
That's correct regarding Kaspersky. :) What it found was a file in the Qoobox folder which is where ComboFix keeps its quarantined files. I'll show you how to remove it and ComboFix in an upcoming post. And the infected System Restore points that were found are harmless where they are and I'll show you how to remove them and set a new, clean one in an upcoming post.

As for your problem with "mmc.exe - Entry Point Not Found"
The error text is: "The procedure entry point ?PickIconDlg@@YGHPAUHWND_@@PAGIPAH@Z could not be located in the dynamic link library mmcbase.DLL"

Reading through the following thread and following the instructions within should solve the problem:

http://www.winforums.com/showthread.php?p=67718
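As an added illustration of the distinction km2357 draws above (not code from the thread, from Kaspersky or from ComboFix), the following Python parses a scan report in the layout iflyok posted and separates detections sitting in ComboFix's Qoobox quarantine or in System Restore snapshots from files that are still live on disk. The sample report is constructed: its first four detections repeat the thread's, and the fifth is a made-up path that only exercises the live-file case.

```python
import re
from collections import Counter

# Constructed sample in the layout of a Kaspersky Online Scanner 7.0 report.
# The first four detections mirror the ones posted in the thread; the last
# line is a made-up path added only to exercise the "live file" branch.
SAMPLE_REPORT = r"""
File name / Threat / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\imapioko.sys.vir Infected: Trojan.Win32.Agent.dphp 1
C:\System Volume Information\_restore{53E7EEB2-55FD-4220-97F5-41584F914316}\RP624\A0070895.exe Infected: Net-Worm.Win32.Koobface.fxn 1
C:\System Volume Information\_restore{53E7EEB2-55FD-4220-97F5-41584F914316}\RP624\A0070988.sys Infected: Trojan.Win32.Agent.dphp 1
C:\System Volume Information\_restore{53E7EEB2-55FD-4220-97F5-41584F914316}\RP624\A0070989.dll Infected: Net-Worm.Win32.Koobface.gao 1
C:\WINDOWS\Temp\constructed-live-sample.exe Infected: Net-Worm.Win32.Koobface.fxn 1

Selected area has been scanned.
"""

# One detection line: <path> <Infected|Suspicious>: <threat name> <count>
DETECTION_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<status>Infected|Suspicious):\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$"
)
# ComboFix keeps its quarantine under <drive>:\Qoobox\Quarantine\
QUARANTINE_RE = re.compile(r"^[A-Za-z]:\\Qoobox\\Quarantine\\", re.IGNORECASE)
# XP System Restore stores snapshots under System Volume Information\_restore{GUID}\RPnnn\
RESTORE_RE = re.compile(
    r"^[A-Za-z]:\\System Volume Information\\_restore\{[^}]+\}\\(?P<rp>RP\d+)\\", re.IGNORECASE
)


def classify_path(path):
    """Return ('quarantine'|'restore-point'|'live', restore point id or None)."""
    if QUARANTINE_RE.match(path):
        return "quarantine", None
    m = RESTORE_RE.match(path)
    if m:
        return "restore-point", m.group("rp").upper()
    return "live", None


def parse_report(text):
    """Parse detection lines into dicts; header and status lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if not m:
            continue
        location, rp = classify_path(m.group("path"))
        findings.append({
            "path": m.group("path"),
            "status": m.group("status"),
            "threat": m.group("threat"),
            "family": ".".join(m.group("threat").split(".")[:3]),  # drop the variant suffix
            "count": int(m.group("count")),
            "location": location,
            "restore_point": rp,
        })
    return findings


def triage(findings):
    """Summarise what is already contained (quarantine, restore points) versus still live."""
    return {
        "by_location": dict(Counter(f["location"] for f in findings)),
        "families": sorted({f["family"] for f in findings}),
        "restore_points": sorted({f["restore_point"] for f in findings if f["restore_point"]}),
        "live_paths": [f["path"] for f in findings if f["location"] == "live"],
    }


if __name__ == "__main__":
    for key, value in triage(parse_report(SAMPLE_REPORT)).items():
        print(f"{key}: {value}")
```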

iflyok
2010-04-04, 22:52
Thanks for the link. Everything seems fine now after reloading SP3.

km2357
2010-04-05, 07:21
Then if there are no more problems, you are good to go. :)

You can reenable TeaTimer

You can delete the following off of your computer:

DDS.scr
The two DDS Logs
GMER.zip
GMER.exe
The GMER Log
SystemLook.exe
The SystemLook Log
RegQuery.exe
The Regquery Log
Fix.reg

To remove ComboFix, do the following:

Go to Start > Run - type in ComboFix /Uninstall & click OK

Empty your Recycle Bin.

Please take the time to read my All Clean Post.

Please follow these simple steps in order to keep your computer clean and secure:

This is a good time to clear your existing system restore points and establish a new clean restore point

Go to Start > All Programs > Accessories > System Tools > System Restore
Select Create a restore point, and Ok it.
Next, go to Start > Run and type in cleanmgr
Make sure the C:\ drive is selected and click OK. If your computer's Hard Drive is not located on C:, change it to the correct drive letter then click OK.
Select the More options tab
Choose the option to clean up system restore and OK it.
This will remove all restore points except the new one you just created.

Clearing your restore points is not something you should do on a regular basis. Normally, this process only needs to be done after clearing out an infestation of malware.


Make your Internet Explorer more secure
This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it asks you if you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Set correct settings for files that should be hidden in Windows XP
Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
If unchecked please check Hide protected operating system files (Recommended)
If necessary check "Display content of system folders"
If necessary uncheck Hide file extensions for known file types.
Click OK

Use An Antivirus Software and Keep It Updated
It is very important that your computer has antivirus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a day. If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out.

Visit Microsoft's Update Site Frequently
It is important that you visit Microsoft Updates (http://update.microsoft.com/) regularly. This will ensure your computer has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install SpywareBlaster
SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. An article on anti-malware products with links for this program and others can be found here:
Computer Safety on line Anti Malware (http://forum.malwareremoval.com/viewtopic.php?p=54#54)

Use the hosts file
Every version of Windows has a hosts file as part of them. In a very basic sense, they are used to locate web pages. We can customize a hosts file so that it blocks certain web pages. However, it can slow down certain computers. This is why using a hosts file is optional. Download mvps hosts file (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial HERE (http://www.bleepingcomputer.com/forums/tutorial51.html). If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the start button on the task bar at the bottom of your screen
Click run
In the dialog box, type services.msc and hit enter, then locate dns client
Highlight it, then double-click it.
On the dropdown box, change the setting from automatic to manual.
Click OK.

Use an alternative instant messenger program
Trillian (http://www.trillian.cc/) and Miranda IM (http://www.miranda-im.com/): these are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

Please read Tony Klein's excellent article: How I got Infected in the First Place (http://forums.subratam.org/index.php?showtopic=5931)
Please read Understanding Spyware, Browser Hijackers, and Dialers (http://www.bleepingcomputer.com/forums/tutorial41.html)
Please read Simple and easy ways to keep your computer safe and secure on the Internet (http://www.bleepingcomputer.com/tutorials/tutorial82.html)

If you are using Internet Explorer, please consider using an alternate browser: Mozilla's Firefox (http://www.mozilla.org/products/firefox) or Opera (http://www.opera.com/download/).
If you decide to use either Firefox or Opera, it is very important that you keep them up to date and check frequently for updates of the browser of your choice.

Update all these programs regularly
Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

If your computer was infected by a website, a program, IM, MSN, or p2p, check this site because it is Time To Fight Back (http://spyware-free.us/2006/01/time-to-fight-back.html). Follow these steps and your potential for being infected again will reduce dramatically.

Here's a good website to read about Malware prevention:

http://users.telenet.be/bluepatchy/miekiemoes/prevention.html

If your computer is running slow, click here (http://www.malwareremoval.com/tutorials/runningslowly.php) for instructions on how to help speed up your computer.

Good luck!

Please reply one last time so that I know you have read my post and this thread can be closed.

iflyok
2010-04-07, 00:31
Thank you dearly for your time and patience. I thought for sure I'd have to rebuild my PC and I greatly appreciate the means you provided in avoiding that activity. My PC is running better than ever. Take care km2357, you're my hero! :2thumb:

km2357
2010-04-07, 05:09
You're welcome. I'm glad I was able to help you out. :)

Good luck and safe surfing!