Virtumonde Removal

I disabled the AVG add-on in Firefox, and that seems to have fixed that 'JavaScript Application' problem. I also cleared out any residual Norton's AVG software left after uninstalling the program with the Norton Removal Tool.

I ran TDSSKiller, and here is the log it produced:

00:01:29:968 2876 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
00:01:29:968 2876 ================================================================================
00:01:29:968 2876 SystemInfo:

00:01:29:968 2876 OS Version: 5.1.2600 ServicePack: 3.0
00:01:29:968 2876 Product type: Workstation
00:01:29:968 2876 ComputerName: STEVE
00:01:29:968 2876 UserName: Steven
00:01:29:968 2876 Windows directory: C:\WINDOWS
00:01:29:968 2876 Processor architecture: Intel x86
00:01:29:968 2876 Number of processors: 1
00:01:29:968 2876 Page size: 0x1000
00:01:29:968 2876 Boot type: Normal boot
00:01:29:968 2876 ================================================================================
00:01:29:968 2876 UnloadDriverW: NtUnloadDriver error 1
00:01:29:968 2876 ForceUnloadDriverW: UnloadDriverW(klmd21) error 1
00:01:29:984 2876 LoadDriverW: Driver already loaded
00:01:29:984 2876 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
00:01:29:984 2876 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
00:01:29:984 2876 wfopen_ex: Trying to KLMD file open
00:01:29:984 2876 wfopen_ex: File opened ok (Flags 2)
00:01:29:984 2876 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
00:01:29:984 2876 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
00:01:29:984 2876 wfopen_ex: Trying to KLMD file open
00:01:29:984 2876 wfopen_ex: File opened ok (Flags 2)
00:01:29:984 2876 Initialize success
00:01:29:984 2876
00:01:29:984 2876 Scanning Services ...
00:01:30:437 2876 Raw services enum returned 352 services
00:01:30:453 2876
00:01:30:453 2876 Scanning Kernel memory ...
00:01:30:453 2876 Devices to scan: 5
00:01:30:453 2876
00:01:30:453 2876 Driver Name: Disk
00:01:30:453 2876 IRP_MJ_CREATE : F87FCBB0
00:01:30:453 2876 IRP_MJ_CREATE_NAMED_PIPE : 804F9759
00:01:30:453 2876 IRP_MJ_CLOSE : F87FCBB0
00:01:30:453 2876 IRP_MJ_READ : F87F6D1F
00:01:30:453 2876 IRP_MJ_WRITE : F87F6D1F
00:01:30:453 2876 IRP_MJ_QUERY_INFORMATION : 804F9759
00:01:30:453 2876 IRP_MJ_SET_INFORMATION : 804F9759
00:01:30:453 2876 IRP_MJ_QUERY_EA : 804F9759
00:01:30:453 2876 IRP_MJ_SET_EA : 804F9759
00:01:30:453 2876 IRP_MJ_FLUSH_BUFFERS : F87F72E2
00:01:30:453 2876 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9759
00:01:30:453 2876 IRP_MJ_SET_VOLUME_INFORMATION : 804F9759
00:01:30:453 2876 IRP_MJ_DIRECTORY_CONTROL : 804F9759
00:01:30:453 2876 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9759
00:01:30:453 2876 IRP_MJ_DEVICE_CONTROL : F87F73BB
00:01:30:453 2876 IRP_MJ_INTERNAL_DEVICE_CONTROL : F87FAF28
00:01:30:453 2876 IRP_MJ_SHUTDOWN : F87F72E2
00:01:30:453 2876 IRP_MJ_LOCK_CONTROL : 804F9759
00:01:30:453 2876 IRP_MJ_CLEANUP : 804F9759
00:01:30:453 2876 IRP_MJ_CREATE_MAILSLOT : 804F9759
00:01:30:453 2876 IRP_MJ_QUERY_SECURITY : 804F9759
00:01:30:453 2876 IRP_MJ_SET_SECURITY : 804F9759
00:01:30:453 2876 IRP_MJ_POWER : F87F8C82
00:01:30:453 2876 IRP_MJ_SYSTEM_CONTROL : F87FD99E
00:01:30:453 2876 IRP_MJ_DEVICE_CHANGE : 804F9759
00:01:30:453 2876 IRP_MJ_QUERY_QUOTA : 804F9759
00:01:30:453 2876 IRP_MJ_SET_QUOTA : 804F9759
00:01:30:468 2876 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
00:01:30:468 2876
00:01:30:468 2876 Driver Name: Disk
00:01:30:468 2876 IRP_MJ_CREATE : F87FCBB0
00:01:30:468 2876 IRP_MJ_CREATE_NAMED_PIPE : 804F9759
00:01:30:468 2876 IRP_MJ_CLOSE : F87FCBB0
00:01:30:468 2876 IRP_MJ_READ : F87F6D1F
00:01:30:468 2876 IRP_MJ_WRITE : F87F6D1F
00:01:30:468 2876 IRP_MJ_QUERY_INFORMATION : 804F9759
00:01:30:468 2876 IRP_MJ_SET_INFORMATION : 804F9759
00:01:30:468 2876 IRP_MJ_QUERY_EA : 804F9759
00:01:30:468 2876 IRP_MJ_SET_EA : 804F9759
00:01:30:468 2876 IRP_MJ_FLUSH_BUFFERS : F87F72E2
00:01:30:468 2876 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9759
00:01:30:468 2876 IRP_MJ_SET_VOLUME_INFORMATION : 804F9759
00:01:30:468 2876 IRP_MJ_DIRECTORY_CONTROL : 804F9759
00:01:30:468 2876 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9759
00:01:30:468 2876 IRP_MJ_DEVICE_CONTROL : F87F73BB
00:01:30:468 2876 IRP_MJ_INTERNAL_DEVICE_CONTROL : F87FAF28
00:01:30:468 2876 IRP_MJ_SHUTDOWN : F87F72E2
00:01:30:468 2876 IRP_MJ_LOCK_CONTROL : 804F9759
00:01:30:468 2876 IRP_MJ_CLEANUP : 804F9759
00:01:30:468 2876 IRP_MJ_CREATE_MAILSLOT : 804F9759
00:01:30:468 2876 IRP_MJ_QUERY_SECURITY : 804F9759
00:01:30:468 2876 IRP_MJ_SET_SECURITY : 804F9759
00:01:30:468 2876 IRP_MJ_POWER : F87F8C82
00:01:30:468 2876 IRP_MJ_SYSTEM_CONTROL : F87FD99E
00:01:30:468 2876 IRP_MJ_DEVICE_CHANGE : 804F9759
00:01:30:468 2876 IRP_MJ_QUERY_QUOTA : 804F9759
00:01:30:468 2876 IRP_MJ_SET_QUOTA : 804F9759
00:01:30:468 2876 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
00:01:30:468 2876
00:01:30:468 2876 Driver Name: Disk
00:01:30:468 2876 IRP_MJ_CREATE : F87FCBB0
00:01:30:468 2876 IRP_MJ_CREATE_NAMED_PIPE : 804F9759
00:01:30:468 2876 IRP_MJ_CLOSE : F87FCBB0
00:01:30:468 2876 IRP_MJ_READ : F87F6D1F
00:01:30:468 2876 IRP_MJ_WRITE : F87F6D1F
00:01:30:468 2876 IRP_MJ_QUERY_INFORMATION : 804F9759
00:01:30:468 2876 IRP_MJ_SET_INFORMATION : 804F9759
00:01:30:468 2876 IRP_MJ_QUERY_EA : 804F9759
00:01:30:468 2876 IRP_MJ_SET_EA : 804F9759
00:01:30:468 2876 IRP_MJ_FLUSH_BUFFERS : F87F72E2
00:01:30:468 2876 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9759
00:01:30:468 2876 IRP_MJ_SET_VOLUME_INFORMATION : 804F9759
00:01:30:468 2876 IRP_MJ_DIRECTORY_CONTROL : 804F9759
00:01:30:468 2876 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9759
00:01:30:468 2876 IRP_MJ_DEVICE_CONTROL : F87F73BB
00:01:30:468 2876 IRP_MJ_INTERNAL_DEVICE_CONTROL : F87FAF28
00:01:30:468 2876 IRP_MJ_SHUTDOWN : F87F72E2
00:01:30:468 2876 IRP_MJ_LOCK_CONTROL : 804F9759
00:01:30:468 2876 IRP_MJ_CLEANUP : 804F9759
00:01:30:468 2876 IRP_MJ_CREATE_MAILSLOT : 804F9759
00:01:30:468 2876 IRP_MJ_QUERY_SECURITY : 804F9759
00:01:30:468 2876 IRP_MJ_SET_SECURITY : 804F9759
00:01:30:468 2876 IRP_MJ_POWER : F87F8C82
00:01:30:468 2876 IRP_MJ_SYSTEM_CONTROL : F87FD99E
00:01:30:468 2876 IRP_MJ_DEVICE_CHANGE : 804F9759
00:01:30:468 2876 IRP_MJ_QUERY_QUOTA : 804F9759
00:01:30:468 2876 IRP_MJ_SET_QUOTA : 804F9759
00:01:30:468 2876 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
00:01:30:468 2876
00:01:30:468 2876 Driver Name: atapi
00:01:30:468 2876 IRP_MJ_CREATE : F87036F2
00:01:30:468 2876 IRP_MJ_CREATE_NAMED_PIPE : 804F9759
00:01:30:468 2876 IRP_MJ_CLOSE : F87036F2
00:01:30:468 2876 IRP_MJ_READ : 804F9759
00:01:30:468 2876 IRP_MJ_WRITE : 804F9759
00:01:30:468 2876 IRP_MJ_QUERY_INFORMATION : 804F9759
00:01:30:468 2876 IRP_MJ_SET_INFORMATION : 804F9759
00:01:30:468 2876 IRP_MJ_QUERY_EA : 804F9759
00:01:30:468 2876 IRP_MJ_SET_EA : 804F9759
00:01:30:468 2876 IRP_MJ_FLUSH_BUFFERS : 804F9759
00:01:30:468 2876 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9759
00:01:30:468 2876 IRP_MJ_SET_VOLUME_INFORMATION : 804F9759
00:01:30:468 2876 IRP_MJ_DIRECTORY_CONTROL : 804F9759
00:01:30:468 2876 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9759
00:01:30:468 2876 IRP_MJ_DEVICE_CONTROL : F8703712
00:01:30:468 2876 IRP_MJ_INTERNAL_DEVICE_CONTROL : F86FF852
00:01:30:468 2876 IRP_MJ_SHUTDOWN : 804F9759
00:01:30:468 2876 IRP_MJ_LOCK_CONTROL : 804F9759
00:01:30:468 2876 IRP_MJ_CLEANUP : 804F9759
00:01:30:468 2876 IRP_MJ_CREATE_MAILSLOT : 804F9759
00:01:30:468 2876 IRP_MJ_QUERY_SECURITY : 804F9759
00:01:30:468 2876 IRP_MJ_SET_SECURITY : 804F9759
00:01:30:468 2876 IRP_MJ_POWER : F870373C
00:01:30:468 2876 IRP_MJ_SYSTEM_CONTROL : F870A336
00:01:30:468 2876 IRP_MJ_DEVICE_CHANGE : 804F9759
00:01:30:468 2876 IRP_MJ_QUERY_QUOTA : 804F9759
00:01:30:468 2876 IRP_MJ_SET_QUOTA : 804F9759
00:01:30:468 2876 C:\WINDOWS\system32\drivers\tsk14.tmp - Verdict: 3
00:01:30:468 2876
00:01:30:468 2876 Driver Name: atapi
00:01:30:468 2876 IRP_MJ_CREATE : 82F3EAC8
00:01:30:468 2876 IRP_MJ_CREATE_NAMED_PIPE : 82F3EAC8
00:01:30:468 2876 IRP_MJ_CLOSE : 82F3EAC8
00:01:30:468 2876 IRP_MJ_READ : 82F3EAC8
00:01:30:468 2876 IRP_MJ_WRITE : 82F3EAC8
00:01:30:468 2876 IRP_MJ_QUERY_INFORMATION : 82F3EAC8
00:01:30:468 2876 IRP_MJ_SET_INFORMATION : 82F3EAC8
00:01:30:468 2876 IRP_MJ_QUERY_EA : 82F3EAC8
00:01:30:468 2876 IRP_MJ_SET_EA : 82F3EAC8
00:01:30:468 2876 IRP_MJ_FLUSH_BUFFERS : 82F3EAC8
00:01:30:468 2876 IRP_MJ_QUERY_VOLUME_INFORMATION : 82F3EAC8
00:01:30:468 2876 IRP_MJ_SET_VOLUME_INFORMATION : 82F3EAC8
00:01:30:468 2876 IRP_MJ_DIRECTORY_CONTROL : 82F3EAC8
00:01:30:468 2876 IRP_MJ_FILE_SYSTEM_CONTROL : 82F3EAC8
00:01:30:468 2876 IRP_MJ_DEVICE_CONTROL : 82F3EAC8
00:01:30:468 2876 IRP_MJ_INTERNAL_DEVICE_CONTROL : 82F3EAC8
00:01:30:468 2876 IRP_MJ_SHUTDOWN : 82F3EAC8
00:01:30:468 2876 IRP_MJ_LOCK_CONTROL : 82F3EAC8
00:01:30:468 2876 IRP_MJ_CLEANUP : 82F3EAC8
00:01:30:468 2876 IRP_MJ_CREATE_MAILSLOT : 82F3EAC8
00:01:30:468 2876 IRP_MJ_QUERY_SECURITY : 82F3EAC8
00:01:30:468 2876 IRP_MJ_SET_SECURITY : 82F3EAC8
00:01:30:468 2876 IRP_MJ_POWER : 82F3EAC8
00:01:30:468 2876 IRP_MJ_SYSTEM_CONTROL : 82F3EAC8
00:01:30:468 2876 IRP_MJ_DEVICE_CHANGE : 82F3EAC8
00:01:30:468 2876 IRP_MJ_QUERY_QUOTA : 82F3EAC8
00:01:30:468 2876 IRP_MJ_SET_QUOTA : 82F3EAC8
00:01:30:484 2876 Driver "atapi" infected by TDSS rootkit!
00:01:30:484 2876 C:\WINDOWS\system32\drivers\tsk14.tmp - Verdict: 3
00:01:30:484 2876
00:01:30:484 2876 Completed
00:01:30:484 2876
00:01:30:484 2876 Results:
00:01:30:484 2876 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
00:01:30:484 2876 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
00:01:30:484 2876 File objects infected / cured / cured on reboot: 0 / 0 / 0
00:01:30:484 2876
00:01:30:484 2876 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
00:01:30:484 2876 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
00:01:30:484 2876 UnloadDriverW: NtUnloadDriver error 1
00:01:30:484 2876 KLMD(ARK) unloaded successfully
 
I think you may be infected with a new variant of this rootkit. Let's try GMER again and see if we can find the culprit. Let me know if you still have problems running it and we'll adjust.
 
GMER still isn't cooperating. I ran it twice, and it froze while scanning "\Device\NTPNP_PC10013" both times. I tried it again, and it seemed to be working, so I walked away to go watch the baseball game, and when I came back, GMER was off, and it looked like the machine rebooted itself (AIM in the toolbar, which I shut off, was back, and the toolbar message saying that AVG was shut off was on the screen). The only thing that might be of some use from GMER is that I noticed it said that C:\Windows\System32\Drivers\Atapi.sys was a "suspicious modification".
 
Yes, I'm pretty sure now it's the new rootkit. It hinders GMER from running and modifies atapi.sys in memory (not the actual file). We need to identify the actual driver that's doing it, and GMER will do that if we can get it to run.

Try running it again. Before scanning this time UNCHECK the box next to files, and only run on the C drive if you have any others there. See if that gets us a log. I'm going to try and do some testing tonight with a sample and see what I can come up with too. Let me know how you make out.
 
UPDATE:

If that is not successful on GMER, try UNCHECKING EVERYTHING except SECTIONS. Run another scan and post the log (hopefully).
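The in-memory hook described in this reply is already visible in the TDSSKiller output posted above: the second atapi block has every IRP_MJ_* dispatch entry resolving to the same address, and the dispatch code is attributed to a .tmp file rather than atapi.sys, while the on-disk driver is untouched. The Python below is an added example, not part of this thread and not TDSSKiller's own code; it parses a constructed, abridged excerpt modelled on that log and flags drivers on three heuristics: the tool's own "infected" line, a single address for every dispatch entry, and dispatch code resolving to a file other than <drivername>.sys. The verdict codes (1 clean, 3 infected) are assumed from this log alone, and the function names are mine.

```python
import re

# Constructed, abridged excerpt modelled on a TDSSKiller 2.2.8.1 log:
# one clean driver block (Disk) and one hooked block (atapi).
SAMPLE_LOG = r"""
00:01:30:453 2876 Scanning Kernel memory ...
00:01:30:453 2876 Devices to scan: 2
00:01:30:453 2876
00:01:30:453 2876 Driver Name: Disk
00:01:30:453 2876 IRP_MJ_CREATE : F87FCBB0
00:01:30:453 2876 IRP_MJ_CREATE_NAMED_PIPE : 804F9759
00:01:30:453 2876 IRP_MJ_CLOSE : F87FCBB0
00:01:30:453 2876 IRP_MJ_READ : F87F6D1F
00:01:30:453 2876 IRP_MJ_WRITE : F87F6D1F
00:01:30:453 2876 IRP_MJ_DEVICE_CONTROL : F87F73BB
00:01:30:468 2876 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
00:01:30:468 2876
00:01:30:468 2876 Driver Name: atapi
00:01:30:468 2876 IRP_MJ_CREATE : 82F3EAC8
00:01:30:468 2876 IRP_MJ_CREATE_NAMED_PIPE : 82F3EAC8
00:01:30:468 2876 IRP_MJ_CLOSE : 82F3EAC8
00:01:30:468 2876 IRP_MJ_READ : 82F3EAC8
00:01:30:468 2876 IRP_MJ_WRITE : 82F3EAC8
00:01:30:468 2876 IRP_MJ_DEVICE_CONTROL : 82F3EAC8
00:01:30:484 2876 Driver "atapi" infected by TDSS rootkit!
00:01:30:484 2876 C:\WINDOWS\system32\drivers\tsk14.tmp - Verdict: 3
"""

# Every line carries "hh:mm:ss:mmm <pid> " before the message.
PREFIX_RE = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s?(.*)$")
DRIVER_RE = re.compile(r"^Driver Name: (\S+)$")
IRP_RE = re.compile(r"^(IRP_MJ_\w+) : ([0-9A-Fa-f]{8})$")
INFECTED_RE = re.compile(r'^Driver "([^"]+)" infected by TDSS rootkit!$')
VERDICT_RE = re.compile(r"^(.+?) - Verdict: (\d+)$")

# Assumed from this log only: 1 on the clean disk.sys block, 3 on the infected one.
CLEAN_VERDICT = 1


def parse_driver_blocks(text):
    """Split the kernel-memory section into one record per 'Driver Name:' block."""
    blocks, current = [], None
    for raw in text.splitlines():
        m = PREFIX_RE.match(raw)
        if not m:
            continue
        body = m.group(1).strip()
        m = DRIVER_RE.match(body)
        if m:
            current = {"driver": m.group(1), "irp": {}, "image": None,
                       "verdict": None, "flagged_by_tool": False}
            blocks.append(current)
            continue
        if current is None:
            continue
        m = IRP_RE.match(body)
        if m:
            current["irp"][m.group(1)] = int(m.group(2), 16)
            continue
        if INFECTED_RE.match(body):
            current["flagged_by_tool"] = True
            continue
        m = VERDICT_RE.match(body)
        if m:
            current["image"], current["verdict"] = m.group(1), int(m.group(2))
            current = None  # the verdict line closes the block
    return blocks


def assess(block):
    """Return the reasons a block looks hooked (empty list when it looks clean)."""
    reasons = []
    if block["flagged_by_tool"]:
        reasons.append("tool reported a TDSS infection")
    targets = set(block["irp"].values())
    # A real driver leaves unsupported majors on the kernel's default handler
    # (804F9759 in the Disk block), so one address for every entry means the
    # whole dispatch table was overwritten in memory.
    if len(block["irp"]) >= 4 and len(targets) == 1:
        reasons.append("all %d IRP_MJ entries point to 0x%08X"
                       % (len(block["irp"]), next(iter(targets))))
    image = (block["image"] or "").lower()
    if image and not image.endswith(block["driver"].lower() + ".sys"):
        reasons.append("dispatch code lives in %s, not %s.sys"
                       % (block["image"], block["driver"]))
    if block["verdict"] not in (None, CLEAN_VERDICT):
        reasons.append("verdict %d" % block["verdict"])
    return reasons


def find_hooked_drivers(text):
    """Map driver name -> reasons, for every block that is not clean."""
    return {b["driver"]: assess(b) for b in parse_driver_blocks(text) if assess(b)}


if __name__ == "__main__":
    for name, why in find_hooked_drivers(SAMPLE_LOG).items():
        print(name + ":", "; ".join(why))
```

Run against the abridged excerpt it reports only atapi, with all four reasons; the Disk block passes because its unsupported majors still sit on the kernel default handler and its dispatch code resolves to disk.sys. The same heuristics apply to the full log above, where the first atapi block is caught by the .tmp image path and verdict alone.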
 
I unchecked everything except 'Sections'. Here is that log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-12 07:33:31
Windows 5.1.2600 Service Pack 3
Running: r6h6mdo0.exe; Driver: C:\DOCUME~1\Steven\LOCALS~1\Temp\uxtdypob.sys


---- Kernel code sections - GMER 1.0.15 ----

PAGE ntoskrnl.exe!NtCreateSection 8056DB66 7 Bytes JMP 8314B01C
PAGE ntoskrnl.exe!ZwQueryPerformanceCounter + 39F 8056FA43 7 Bytes JMP 82F20EEC
PAGE ntoskrnl.exe!SeAuditingFileEventsWithContext + 317 8057C2C1 7 Bytes JMP 82E22EEC
PAGE ntoskrnl.exe!NtSetInformationFile 8057F4E5 2 Bytes JMP 82E75DD4
PAGE ntoskrnl.exe!NtSetInformationFile + 3 8057F4E8 4 Bytes JMP 90028F68
PAGE ntoskrnl.exe!NtWriteFile 8057F765 7 Bytes JMP 8315801C
PAGE ntoskrnl.exe!NtDuplicateObject 80581216 7 Bytes JMP 8312CA84
PAGE ntoskrnl.exe!ZwSetSystemInformation 805AABC8 5 Bytes JMP 82E189A4
.text C:\WINDOWS\System32\DRIVERS\nv4_mini.sys section is writeable [0xF843B340, 0xFD75F, 0xF8000020]
.rsrc C:\WINDOWS\System32\Drivers\avgtdix.sys entry point in ".rsrc" section [0xEEE40214]
.text C:\WINDOWS\System32\nv4_disp.dll section is writeable [0xBF9D6300, 0x2342C0, 0xF8000020]
PAGE Fastfat.SYS EE0759C8 7 Bytes JMP 82E57EEC

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1016] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 3 Bytes JMP 0091000A
.text C:\WINDOWS\System32\svchost.exe[1016] ntdll.dll!NtProtectVirtualMemory + 4 7C90D6F2 1 Byte [84]
.text C:\WINDOWS\System32\svchost.exe[1016] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0092000A
.text C:\WINDOWS\System32\svchost.exe[1016] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0090000C
.text C:\WINDOWS\Explorer.EXE[1528] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B6000A
.text C:\WINDOWS\Explorer.EXE[1528] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BC000A
.text C:\WINDOWS\Explorer.EXE[1528] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B5000C
.text C:\WINDOWS\system32\wuauclt.exe[2696] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 3 Bytes JMP 0091000A
.text C:\WINDOWS\system32\wuauclt.exe[2696] ntdll.dll!NtProtectVirtualMemory + 4 7C90D6F2 1 Byte [84]
.text C:\WINDOWS\system32\wuauclt.exe[2696] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0092000A
.text C:\WINDOWS\system32\wuauclt.exe[2696] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0090000C

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\System32\Drivers\avgtdix.sys suspicious modification

---- EOF - GMER 1.0.15 ----
 
File C:\WINDOWS\System32\Drivers\avgtdix.sys suspicious modification
Very interesting... That's an AVG driver. I've only seen this infection go after Windows drivers.

Let's try this:
Physically disconnect the PC from the internet (meaning unplug cable, turn off wireless, etc...).
From Add or Remove Programs in Control Panel uninstall AVG and reboot.
Then please run GMER again. First try running with all options selected.
 
I ran GMER, but it kept freezing up when it began analyzing 'Devices'. Specifically, it kept freezing when it was analyzing 'Device/00000057'. This happened about three or four times. I unchecked the devices button on GMER, to see if it would continue the scan, and it did. Hopefully, the log has relevant information:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-12 17:07:56
Windows 5.1.2600 Service Pack 3
Running: r6h6mdo0.exe; Driver: C:\DOCUME~1\Steven\LOCALS~1\Temp\uxtdypob.sys


---- System - GMER 1.0.15 ----

Code 82DFCAF0 ZwCreateSection
Code 82E8C768 ZwDuplicateObject
Code 82E8C9C8 ZwSetInformationFile
Code 82D8DC98 ZwSetSystemInformation
Code 82DFCC20 ZwWriteFile
Code 82DFCAEF NtCreateSection
Code 82E8C767 NtDuplicateObject
Code 82E8C9C7 NtSetInformationFile
Code 82DFCC1F NtWriteFile

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntoskrnl.exe!NtCreateSection 8056DB66 7 Bytes JMP 82DFCAF4
PAGE ntoskrnl.exe!ZwQueryPerformanceCounter + 39F 8056FA43 7 Bytes JMP 82DFCD54
PAGE ntoskrnl.exe!SeAuditingFileEventsWithContext + 317 8057C2C1 7 Bytes JMP 82E534C4
PAGE ntoskrnl.exe!NtSetInformationFile 8057F4E5 7 Bytes JMP 82E8C9CC
PAGE ntoskrnl.exe!NtWriteFile 8057F765 7 Bytes JMP 82DFCC24
PAGE ntoskrnl.exe!NtDuplicateObject 80581216 7 Bytes JMP 82E8C76C
PAGE ntoskrnl.exe!ZwSetSystemInformation 805AABC8 5 Bytes JMP 82D8DC9C
.text C:\WINDOWS\System32\DRIVERS\nv4_mini.sys section is writeable [0xF843B340, 0xFD75F, 0xF8000020]
.text C:\WINDOWS\System32\nv4_disp.dll section is writeable [0xBF9D6300, 0x2342C0, 0xF8000020]
PAGE Fastfat.SYS EE2F39C8 7 Bytes JMP 82E8C89C

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\geyekrxqmuginb@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrxqmuginb@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrxqmuginb@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrxqmuginb@imagepath \systemroot\system32\drivers\geyekruxrrohbq.sys
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrxqmuginb\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrxqmuginb\main@aid 10096
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrxqmuginb\main@sid 0
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrxqmuginb\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrxqmuginb\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrxqmuginb\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrxqmuginb\main\injector@* geyekrwsp.dll
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrxqmuginb\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrxqmuginb\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrxqmuginb\modules@geyekrrk.sys \systemroot\system32\drivers\geyekruxrrohbq.sys
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrxqmuginb\modules@geyekrcmd.dll \systemroot\system32\geyekrmftqiwqp.dll
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrxqmuginb\modules@geyekrlog.dat \systemroot\system32\geyekrawndvbws.dat
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrxqmuginb\modules@geyekrwsp.dll \systemroot\system32\geyekrbxruohyy.dll
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrxqmuginb\modules@geyekr.dat \systemroot\system32\geyekrvhcpjlvc.dat
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\run\OptionalComponents\IMAIL
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\run\OptionalComponents\IMAIL@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\run\OptionalComponents\MAPI
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\run\OptionalComponents\MAPI@NoChange 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\run\OptionalComponents\MAPI@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\run\OptionalComponents\MSFS
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\run\OptionalComponents\MSFS@Installed 1

---- EOF - GMER 1.0.15 ----
 
Well...believe it or not I think it's getting better anyway. Another somewhat "disabled" rootkit has shown its face. Do me a favor and run ComboFix again as instructed before. Allow it to update if needed first. You will need to reconnect to the internet to do so. I would just suggest limiting any internet activity until this is somewhat cleared and you have an AV back in place.
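The GMER log this reply is reading carries two kinds of evidence worth pulling out programmatically: the inline JMP hooks in the kernel code sections, and the service key (under a ControlSet GMER marks as not active, which is why it reads as "disabled") whose modules value maps the rootkit's internal names to randomly named files on disk. The Python below is an added example, not the thread's or GMER's code; it parses a constructed, abridged excerpt modelled on that log and lists both, so a responder can enumerate every on-disk artifact the service references. The function names and the excerpt are mine.

```python
import re

# Constructed, abridged excerpt modelled on the second GMER log in this thread.
SAMPLE_GMER = r"""
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-12 17:07:56

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntoskrnl.exe!NtCreateSection 8056DB66 7 Bytes JMP 82DFCAF4
PAGE ntoskrnl.exe!ZwQueryPerformanceCounter + 39F 8056FA43 7 Bytes JMP 82DFCD54
PAGE ntoskrnl.exe!NtWriteFile 8057F765 7 Bytes JMP 82DFCC24
PAGE ntoskrnl.exe!ZwSetSystemInformation 805AABC8 5 Bytes JMP 82D8DC9C
.text C:\WINDOWS\System32\DRIVERS\nv4_mini.sys section is writeable [0xF843B340, 0xFD75F, 0xF8000020]
PAGE Fastfat.SYS EE2F39C8 7 Bytes JMP 82E8C89C

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\geyekrxqmuginb@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrxqmuginb@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrxqmuginb@imagepath \systemroot\system32\drivers\geyekruxrrohbq.sys
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrxqmuginb\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrxqmuginb\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrxqmuginb\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrxqmuginb\modules@geyekrrk.sys \systemroot\system32\drivers\geyekruxrrohbq.sys
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrxqmuginb\modules@geyekrcmd.dll \systemroot\system32\geyekrmftqiwqp.dll
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrxqmuginb\modules@geyekrwsp.dll \systemroot\system32\geyekrbxruohyy.dll
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\run\OptionalComponents\MAPI@Installed 1

---- EOF - GMER 1.0.15 ----
"""

# "PAGE <module!symbol>[ + <hex offset>] <address> <n> Bytes JMP <target>"
HOOK_RE = re.compile(
    r"^PAGE (\S+?)(?: \+ ([0-9A-F]+))? ([0-9A-F]{8}) (\d+) Bytes JMP ([0-9A-F]{8})$")
REG_RE = re.compile(r"^Reg (\S+)(?: (.*))?$")
SERVICE_RE = re.compile(r"\\Services\\([^\\@]+)", re.IGNORECASE)


def parse_hooks(text):
    """Inline JMP hooks from the 'Kernel code sections' part of a GMER log."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line)
        if m:
            hooks.append({"symbol": m.group(1),
                          "offset": int(m.group(2), 16) if m.group(2) else 0,
                          "address": int(m.group(3), 16),
                          "size": int(m.group(4)),
                          "target": int(m.group(5), 16)})
    return hooks


def parse_services(text):
    """Group 'Reg' lines under HKLM\\SYSTEM\\...\\Services\\<name> by service."""
    services = {}
    for line in text.splitlines():
        m = REG_RE.match(line)
        if not m:
            continue
        path, data = m.group(1), m.group(2) or ""
        s = SERVICE_RE.search(path)
        if not s:
            continue  # not a service key (e.g. the OptionalComponents lines)
        svc = services.setdefault(
            s.group(1), {"values": {}, "modules": {}, "inactive_controlset": False})
        if "(not active ControlSet)" in data:
            svc["inactive_controlset"] = True
        key, _, value_name = path.partition("@")
        if not value_name:
            continue  # a bare subkey line carries no value
        subkey = key[s.end():].lstrip("\\").lower()
        if subkey == "modules":
            # internal name -> randomly named file on disk
            svc["modules"][value_name.lower()] = data
        else:
            svc["values"][(subkey + "\\" if subkey else "") + value_name.lower()] = data
    return services


def artifacts(svc):
    """Every on-disk path a service record references (image path plus modules)."""
    paths = {p.lower() for p in svc["modules"].values()}
    if "imagepath" in svc["values"]:
        paths.add(svc["values"]["imagepath"].lower())
    return paths


def summarize(text):
    hooks = parse_hooks(text)
    services = parse_services(text)
    return {
        "hooked_symbols": [h["symbol"] for h in hooks],
        # GMER labels a hook by the nearest export plus an offset, so a hook
        # deep inside an exported function's body may really sit in an
        # unexported routine and deserves a closer look than an entry-point hook.
        "mid_function_hooks": [h["symbol"] for h in hooks if h["offset"]],
        "services": {name: {"inactive_controlset": svc["inactive_controlset"],
                            "artifacts": sorted(artifacts(svc))}
                     for name, svc in services.items()},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_GMER), indent=2))
```

On the excerpt the summary lists five hooked kernel symbols (four in ntoskrnl.exe plus Fastfat.SYS), singles out the ZwQueryPerformanceCounter + 39F entry as a mid-function hook, and reduces the geyekrxqmuginb service to three distinct files to collect: the image path and the two DLLs named in its modules list (the geyekrrk.sys module is the same file as the image path).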
 
Here's that new Combofix log:

ComboFix 10-04-12.01 - Steven 04/12/2010 20:40:35.7.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.222 [GMT -4:00]
Running from: c:\documents and settings\Steven\My Documents\Downloads\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2010-03-13 to 2010-04-13 )))))))))))))))))))))))))))))))
.

2010-04-12 21:27 . 2010-04-13 00:33 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-04-10 17:00 . 2010-04-10 17:00 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities
2010-04-07 18:22 . 2010-04-07 18:22 293376 ----a-w- C:\r6h6mdo0.exe
2010-04-07 15:52 . 2010-04-07 15:52 -------- d-----w- c:\windows\system32\wbem\Repository
2010-04-07 15:26 . 2010-04-07 16:02 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-01 19:15 . 2010-04-01 19:15 -------- d-----w- c:\documents and settings\Steven\Local Settings\Application Data\Real
2010-04-01 19:15 . 2010-04-01 19:15 49152 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-04-01 19:15 . 2010-04-01 19:15 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-04-01 19:15 . 2010-04-01 19:15 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-04-01 19:15 . 2010-04-01 19:15 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-04-01 19:15 . 2010-04-01 19:15 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-04-01 19:14 . 2010-04-01 19:14 40960 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-04-01 19:14 . 2010-04-01 19:14 308808 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-04-01 19:14 . 2010-04-01 19:14 14848 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
2010-04-01 19:14 . 2010-04-01 19:14 341600 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-04-01 19:14 . 2010-04-01 19:14 -------- d-----w- c:\program files\Common Files\xing shared
2010-03-31 19:26 . 2010-03-31 19:26 61440 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-728fe4ff-n\decora-sse.dll
2010-03-31 19:26 . 2010-03-31 19:26 503808 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4ad9e4d3-n\msvcp71.dll
2010-03-31 19:26 . 2010-03-31 19:26 499712 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4ad9e4d3-n\jmc.dll
2010-03-31 19:26 . 2010-03-31 19:26 348160 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4ad9e4d3-n\msvcr71.dll
2010-03-31 19:26 . 2010-03-31 19:26 12800 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-728fe4ff-n\decora-d3d.dll
2010-03-19 21:20 . 2010-03-29 23:00 439816 ----a-w- c:\documents and settings\Steven\Application Data\Real\Update\setup3.10\setup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-12 17:00 . 2009-11-22 16:09 0 ----a-w- c:\documents and settings\Steven\Local Settings\Application Data\prvlcl.dat
2010-04-10 16:19 . 2002-06-25 18:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-10 03:51 . 2004-12-05 04:32 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-10 03:51 . 2004-12-05 04:32 -------- d-----w- c:\documents and settings\Steven\Application Data\Symantec
2010-04-05 00:03 . 2004-12-09 04:31 -------- d-----w- c:\documents and settings\Steven\Application Data\AdobeUM
2010-04-03 01:39 . 2009-11-05 21:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-02 04:43 . 2009-10-09 20:26 117760 ----a-w- c:\documents and settings\Steven\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-01 19:14 . 2004-12-03 15:25 -------- d-----w- c:\program files\Common Files\Real
2010-04-01 19:14 . 2004-12-08 04:12 -------- d-----w- c:\program files\Real
2010-03-31 19:26 . 2005-12-04 07:00 -------- d-----w- c:\program files\Common Files\Java
2010-03-31 19:25 . 2005-12-04 07:00 -------- d-----w- c:\program files\Java
2010-03-29 19:24 . 2009-11-05 21:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 19:24 . 2009-11-05 21:05 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-09 08:28 . 2009-04-25 21:35 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-25 06:24 . 2004-01-08 20:23 916480 ------w- c:\windows\system32\wininet.dll
2010-02-22 05:10 . 2010-02-22 05:10 52224 ----a-w- c:\documents and settings\Steven\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2005-05-07 15:45 . 2005-05-07 15:45 26166613 -c--a-w- c:\program files\NAV05ENG.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-06-06 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-17 4800512]
"StatusClient 2.6"="c:\program files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2004-02-27 61440]
"TomcatStartup 2.5"="c:\program files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-05-20 188416]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [BU]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-04-01 202256]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-24 217194]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-3-23 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\hp LaserJet 1160_1320 series\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"spkrmon"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Hewlett-Packard\\hp LaserJet 1160_1320 series\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Hewlett-Packard\\hp LaserJet 1160_1320 series\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\Hewlett-Packard\\hp LaserJet 1160_1320 series\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\Hewlett-Packard\\hp LaserJet 1160_1320 series\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\Hewlett-Packard\\hp LaserJet 1160_1320 series\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hewlett-Packard\\hp LaserJet 1160_1320 series\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\Hewlett-Packard\\hp LaserJet 1160_1320 series\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hewlett-Packard\\hp LaserJet 1160_1320 series\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\Hewlett-Packard\\hp LaserJet 1160_1320 series\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\Hewlett-Packard\\hp LaserJet 1160_1320 series\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Hewlett-Packard\\hp LaserJet 1160_1320 series\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\Hewlett-Packard\\hp LaserJet 1160_1320 series\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\Hewlett-Packard\\hp LaserJet 1160_1320 series\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\kav\\kav7\\setup.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/15/2009 11:42 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/15/2009 11:42 AM 74480]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/11/2008 12:04 AM 24652]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys --> c:\windows\system32\Drivers\BW2NDIS5.sys [?]
S3 gkmixern;gkmixern;\??\c:\docume~1\Steven\LOCALS~1\Temp\gkmixern.sys --> c:\docume~1\Steven\LOCALS~1\Temp\gkmixern.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/15/2009 11:42 AM 7408]
S3 Spkrdsvcer;Spkrdsvcer; [x]
.
Contents of the 'Scheduled Tasks' folder

2010-03-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

2010-04-13 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1220945662-796845957-725345543-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2010-04-01 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1220945662-796845957-725345543-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://dslstart.verizon.net/
uInternet Settings,ProxyOverride = *.local
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Steven\Application Data\Mozilla\Firefox\Profiles\mqki6w9i.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fhl%3Den%26tab%3Dwm%26ui%3Dhtml%26zy%3Dl&bsv=zpwhtygjntrz&scc=1&ltmpl=default&ltmplcache=2&hl=en
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFF;homepage=no;search=yesab&query=
FF - plugin: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-12 20:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0e,8f,d1,0c,da,16,d7,41,97,64,99,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0e,8f,d1,0c,da,16,d7,41,97,64,99,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\run\OptionalComponents]
@DACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(656)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2900)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2010-04-12 20:50:13
ComboFix-quarantined-files.txt 2010-04-13 00:49
ComboFix2.txt 2010-04-08 12:33
ComboFix3.txt 2010-04-05 20:56
ComboFix4.txt 2009-11-10 23:12

Pre-Run: 64,022,335,488 bytes free
Post-Run: 64,403,935,232 bytes free

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 300321AA26D44C9E21CFFB3191B78A33
 
1. Open Notepad

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
Driver::
gkmixern
Spkrdsvcer


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[Animation: CFScriptB-4.gif, showing CFScript.txt being dragged onto ComboFix.exe]



5. After the reboot (in case it asks to reboot), please post the log.
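A small check for the procedure above, added here as an example and not part of the original thread or of ComboFix itself: it parses the CFScript.txt fed to ComboFix (a "Driver::" block naming one service per line, as posted) and the "Drivers/Services" section of the ComboFix log produced afterwards, then reports which requested services the log confirms as removed and which it does not. It assumes the log's section banners are the parenthesised lines ComboFix prints and that removals appear as "-------\Service_name" or "-------\Legacy_NAME" entries; the sample inputs are constructed from the text of this thread.

```python
"""Check a ComboFix run against the CFScript that drove it (added example)."""
import re

# Constructed to mirror the CFScript posted in the thread.
CFSCRIPT = """Driver::
gkmixern
Spkrdsvcer
"""

# Constructed excerpt of the follow-up ComboFix log, Drivers/Services section.
COMBOFIX_LOG = """.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\\Legacy_GKMIXERN
-------\\Service_gkmixern
-------\\Service_Spkrdsvcer


((((((((((((((((((((((((( Files Created from 2010-03-13 to 2010-04-13 )))))))))))))))))))))))))))))))
.
"""


def parse_cfscript(text):
    """Return {directive: [entries]}, e.g. {'Driver': ['gkmixern', 'Spkrdsvcer']}.

    A directive is a line ending in '::'; the non-empty lines that follow it
    belong to that directive until the next one starts.
    """
    directives = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            directives.setdefault(current, [])
        elif current is not None:
            directives[current].append(line)
    return directives


# ComboFix section banner: a run of '(' , a title, a run of ')'.
SECTION_RE = re.compile(r"^\({5,}\s*(.+?)\s*\){5,}$")

# Removal entries under Drivers/Services, e.g. "-------\Service_gkmixern".
REMOVAL_RE = re.compile(r"^-+\\(Service|Legacy)_(.+)$")


def parse_log_sections(text):
    """Split a ComboFix log into {section title: [non-empty content lines]}."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
            continue
        if current is not None and line and line != ".":
            sections[current].append(line)
    return sections


def removed_services(log_text):
    """Service names ComboFix reports as removed (lower-cased for comparison)."""
    names = set()
    for line in parse_log_sections(log_text).get("Drivers/Services", []):
        m = REMOVAL_RE.match(line)
        if m:
            names.add(m.group(2).lower())
    return names


def check_removal(cfscript_text, log_text):
    """Return (confirmed, unconfirmed) lists for the CFScript's Driver:: entries."""
    requested = parse_cfscript(cfscript_text).get("Driver", [])
    seen = removed_services(log_text)
    confirmed = [n for n in requested if n.lower() in seen]
    unconfirmed = [n for n in requested if n.lower() not in seen]
    return confirmed, unconfirmed


if __name__ == "__main__":
    ok, missing = check_removal(CFSCRIPT, COMBOFIX_LOG)
    print("confirmed removed:", ok)
    print("not confirmed:", missing)
```

Anything listed as "not confirmed" means the log did not record the service being removed, which is the cue to re-check the service in the next log rather than assume the script worked; a name ComboFix reports only under a different directive would also show up here.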
 
Alright, here is that log:

ComboFix 10-04-12.03 - Steven 04/12/2010 23:25:24.8.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.209 [GMT -4:00]
Running from: c:\documents and settings\Steven\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Steven\Desktop\CFScript.txt.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_GKMIXERN
-------\Service_gkmixern
-------\Service_Spkrdsvcer


((((((((((((((((((((((((( Files Created from 2010-03-13 to 2010-04-13 )))))))))))))))))))))))))))))))
.

2010-04-12 21:27 . 2010-04-13 00:33 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-04-10 17:00 . 2010-04-10 17:00 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities
2010-04-07 18:22 . 2010-04-07 18:22 293376 ----a-w- C:\r6h6mdo0.exe
2010-04-07 15:52 . 2010-04-07 15:52 -------- d-----w- c:\windows\system32\wbem\Repository
2010-04-07 15:26 . 2010-04-07 16:02 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-01 19:15 . 2010-04-01 19:15 -------- d-----w- c:\documents and settings\Steven\Local Settings\Application Data\Real
2010-04-01 19:14 . 2010-04-01 19:14 -------- d-----w- c:\program files\Common Files\xing shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-13 01:00 . 2004-12-09 04:31 -------- d-----w- c:\documents and settings\Steven\Application Data\AdobeUM
2010-04-12 17:00 . 2009-11-22 16:09 0 ----a-w- c:\documents and settings\Steven\Local Settings\Application Data\prvlcl.dat
2010-04-10 16:19 . 2002-06-25 18:59 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-04-10 03:51 . 2004-12-05 04:32 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-10 03:51 . 2004-12-05 04:32 -------- d-----w- c:\documents and settings\Steven\Application Data\Symantec
2010-04-03 01:39 . 2009-11-05 21:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-02 04:43 . 2009-10-09 20:26 117760 ----a-w- c:\documents and settings\Steven\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-01 19:15 . 2010-04-01 19:15 49152 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-04-01 19:15 . 2010-04-01 19:15 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-04-01 19:15 . 2010-04-01 19:15 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-04-01 19:15 . 2010-04-01 19:15 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-04-01 19:15 . 2010-04-01 19:15 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-04-01 19:14 . 2010-04-01 19:14 40960 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-04-01 19:14 . 2010-04-01 19:14 308808 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-04-01 19:14 . 2010-04-01 19:14 14848 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
2010-04-01 19:14 . 2010-04-01 19:14 341600 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-04-01 19:14 . 2004-12-03 15:25 -------- d-----w- c:\program files\Common Files\Real
2010-04-01 19:14 . 2004-12-08 04:12 -------- d-----w- c:\program files\Real
2010-03-31 19:26 . 2005-12-04 07:00 -------- d-----w- c:\program files\Common Files\Java
2010-03-31 19:26 . 2010-03-31 19:26 61440 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-728fe4ff-n\decora-sse.dll
2010-03-31 19:26 . 2010-03-31 19:26 503808 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4ad9e4d3-n\msvcp71.dll
2010-03-31 19:26 . 2010-03-31 19:26 499712 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4ad9e4d3-n\jmc.dll
2010-03-31 19:26 . 2010-03-31 19:26 348160 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4ad9e4d3-n\msvcr71.dll
2010-03-31 19:26 . 2010-03-31 19:26 12800 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-728fe4ff-n\decora-d3d.dll
2010-03-31 19:25 . 2005-12-04 07:00 -------- d-----w- c:\program files\Java
2010-03-29 23:00 . 2010-03-19 21:20 439816 ----a-w- c:\documents and settings\Steven\Application Data\Real\Update\setup3.10\setup.exe
2010-03-29 19:24 . 2009-11-05 21:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 19:24 . 2009-11-05 21:05 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-09 08:28 . 2009-04-25 21:35 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-25 06:24 . 2004-01-08 20:23 916480 ------w- c:\windows\system32\wininet.dll
2010-02-22 05:10 . 2010-02-22 05:10 52224 ----a-w- c:\documents and settings\Steven\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2005-05-07 15:45 . 2005-05-07 15:45 26166613 -c--a-w- c:\program files\NAV05ENG.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-06-06 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-17 4800512]
"StatusClient 2.6"="c:\program files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2004-02-27 61440]
"TomcatStartup 2.5"="c:\program files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-05-20 188416]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [BU]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-04-01 202256]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-24 217194]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-3-23 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\hp LaserJet 1160_1320 series\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"spkrmon"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Hewlett-Packard\\hp LaserJet 1160_1320 series\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Hewlett-Packard\\hp LaserJet 1160_1320 series\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\Hewlett-Packard\\hp LaserJet 1160_1320 series\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\Hewlett-Packard\\hp LaserJet 1160_1320 series\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\Hewlett-Packard\\hp LaserJet 1160_1320 series\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hewlett-Packard\\hp LaserJet 1160_1320 series\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\Hewlett-Packard\\hp LaserJet 1160_1320 series\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hewlett-Packard\\hp LaserJet 1160_1320 series\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\Hewlett-Packard\\hp LaserJet 1160_1320 series\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\Hewlett-Packard\\hp LaserJet 1160_1320 series\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Hewlett-Packard\\hp LaserJet 1160_1320 series\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\Hewlett-Packard\\hp LaserJet 1160_1320 series\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\Hewlett-Packard\\hp LaserJet 1160_1320 series\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\kav\\kav7\\setup.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/15/2009 11:42 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/15/2009 11:42 AM 74480]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/11/2008 12:04 AM 24652]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys --> c:\windows\system32\Drivers\BW2NDIS5.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/15/2009 11:42 AM 7408]
.
Contents of the 'Scheduled Tasks' folder

2010-03-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

2010-04-13 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1220945662-796845957-725345543-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2010-04-01 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1220945662-796845957-725345543-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://dslstart.verizon.net/
uInternet Settings,ProxyOverride = *.local
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Steven\Application Data\Mozilla\Firefox\Profiles\mqki6w9i.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fhl%3Den%26tab%3Dwm%26ui%3Dhtml%26zy%3Dl&bsv=zpwhtygjntrz&scc=1&ltmpl=default&ltmplcache=2&hl=en
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFF;homepage=no;search=yesab&query=
FF - plugin: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-12 23:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0e,8f,d1,0c,da,16,d7,41,97,64,99,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0e,8f,d1,0c,da,16,d7,41,97,64,99,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\run\OptionalComponents]
@DACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(660)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1900)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\System32\nvsvc32.exe
c:\windows\BCMSMMSG.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
c:\program files\Hewlett-Packard\hp LaserJet 1160_1320 series\Digital Imaging\bin\hpqSTE08.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2010-04-12 23:39:12 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-13 03:39
ComboFix2.txt 2010-04-13 00:50
ComboFix3.txt 2010-04-08 12:33
ComboFix4.txt 2010-04-05 20:56
ComboFix5.txt 2010-04-13 03:24

Pre-Run: 64,406,884,352 bytes free
Post-Run: 64,370,769,920 bytes free

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 34530E583F8825192ED71FC58CDE2CD7
 
Everything seems to be running properly. Is whatever it is gone?

Yeah, I reinstalled AVG; I like the way the program operates, I'm used to it and the options, etc.
 
Please run OTL again and post the log.

Also, have you run MalwareBytes again? If not, do so and post that log if anything is found.

And lastly, let's try Kaspersky again. Let me know how you make out.
 
Here is the OTL log:

OTL logfile created on: 4/13/2010 11:19:40 PM - Run 3
OTL by OldTimer - Version 3.2.1.1 Folder = C:\Documents and Settings\Steven\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 172.00 Mb Available Physical Memory | 34.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 58.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.46 Gb Total Space | 59.35 Gb Free Space | 79.70% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: STEVE
Current User Name: Steven
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/04/13 22:26:50 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Steven\Desktop\OTL.exe
PRC - [2010/04/13 12:55:50 | 002,064,224 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgtray.exe
PRC - [2010/04/13 12:55:20 | 001,101,152 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2010/04/13 00:47:03 | 002,325,816 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgfws9.exe
PRC - [2010/04/13 00:46:32 | 000,617,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe
PRC - [2010/04/13 00:46:30 | 000,508,184 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe
PRC - [2010/04/13 00:46:26 | 000,710,424 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2010/04/13 00:46:25 | 000,836,888 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgam.exe
PRC - [2010/04/13 00:46:22 | 000,308,064 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe
PRC - [2010/04/13 00:46:07 | 000,596,488 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSMonitor.exe
PRC - [2010/04/13 00:46:06 | 005,888,008 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
PRC - [2010/04/02 01:01:53 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/04/01 15:13:49 | 000,202,256 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2008/04/13 20:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/05/08 16:24:20 | 000,054,840 | ---- | M] (Hewlett-Packard) -- C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe
PRC - [2007/01/04 17:38:18 | 000,112,336 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
PRC - [2007/01/04 17:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe
PRC - [2005/05/12 00:40:38 | 000,204,800 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\hp LaserJet 1160_1320 series\Digital Imaging\bin\hpqste08.exe
PRC - [2005/05/11 23:23:26 | 000,282,624 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\hp LaserJet 1160_1320 series\Digital Imaging\bin\hpqtra08.exe
PRC - [2005/05/10 19:28:16 | 000,020,572 | ---- | M] () -- C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
PRC - [2004/02/27 13:29:24 | 000,061,440 | ---- | M] (Hewlett-Packard) -- C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
PRC - [2003/10/24 00:37:56 | 000,217,194 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe


========== Modules (SafeList) ==========

MOD - [2010/04/13 22:26:50 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Steven\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2010/04/13 00:47:03 | 002,325,816 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgfws9.exe -- (avgfws9)
SRV - [2010/04/13 00:46:22 | 000,308,064 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2010/04/13 00:46:06 | 005,888,008 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe -- (AVGIDSAgent)
SRV - [2008/04/13 20:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (W3SVC)
SRV - [2008/04/13 20:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (SMTPSVC) Simple Mail Transfer Protocol (SMTP)
SRV - [2008/04/13 20:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (MSFtpsvc)
SRV - [2008/04/13 20:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (IISADMIN)
SRV - [2007/08/09 03:27:52 | 000,073,728 | ---- | M] (HP) [Auto | Stopped] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)
SRV - [2007/01/04 17:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) [Auto | Running] -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)
SRV - [2003/06/16 19:02:24 | 000,061,440 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe -- (spkrmon)
SRV - [2002/12/24 11:01:22 | 000,065,536 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe -- (SPTISRV)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://dslstart.verizon.net/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "AIM Search"
FF - prefs.js..browser.search.defaulturl: "http://search.aol.com/aolcom/search?invocationType=tbff50ie7&query="
FF - prefs.js..browser.search.selectedEngine: "Yahoo"
FF - prefs.js..browser.startup.homepage: "https://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fhl%3Den%26tab%3Dwm%26ui%3Dhtml%26zy%3Dl&bsv=zpwhtygjntrz&scc=1&ltmpl=default&ltmplcache=2&hl=en"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..keyword.URL: "http://search.aol.com/aolcom/search?invocationType=TB50TRFF;homepage=no;search=yesab&query="

FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG9\Firefox [2010/04/13 00:45:50 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/04 23:36:53 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/02 01:02:04 | 000,000,000 | ---D | M]

[2009/10/04 23:45:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Steven\Application Data\Mozilla\Extensions
[2009/10/04 23:45:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Steven\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2010/04/13 18:31:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Steven\Application Data\Mozilla\Firefox\Profiles\mqki6w9i.default\extensions
[2009/09/01 15:45:14 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Steven\Application Data\Mozilla\Firefox\Profiles\mqki6w9i.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2008/06/11 00:07:59 | 000,001,901 | ---- | M] () -- C:\Documents and Settings\Steven\Application Data\Mozilla\Firefox\Profiles\mqki6w9i.default\searchplugins\aimsearch.xml
[2010/04/13 18:31:10 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2007/04/16 13:07:12 | 000,180,293 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll

O1 HOSTS File: ([2010/04/12 23:32:34 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (AcroIEToolbarHelper Class) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe (Hewlett-Packard)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe (Hewlett-Packard)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe (Hewlett-Packard)
O4 - HKLM..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe File not found
O4 - HKCU..\Run: [Aim6] C:\Program Files\AIM6\aim6.exe (AOL LLC)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe (Adobe Systems Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\hp LaserJet 1160_1320 series\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKCU\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} http://upload.facebook.com/controls/FacebookPhotoUploader2.cab (Reg Error: Key error.)
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} https://webdl.symantec.com/activex/symdlmgr.cab (Symantec Download Manager)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} http://www.verizon.net/checkmypc/includes/MotivePreQual.cab (PreQualifier Class)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab (Shockwave Flash Object)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/12/03 02:31:05 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (PDBoot.exe) - File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 14 Days ==========

[2010/04/13 22:26:46 | 000,561,664 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Steven\Desktop\OTL.exe
[2010/04/13 18:21:08 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/04/13 00:48:43 | 000,052,872 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgrkx86.sys
[2010/04/13 00:48:43 | 000,012,464 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2010/04/13 00:48:39 | 000,242,696 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2010/04/13 00:48:32 | 000,216,200 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2010/04/13 00:48:29 | 000,029,512 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2010/04/13 00:48:19 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\Avg
[2010/04/13 00:46:32 | 000,025,096 | ---- | C] (AVG Technologies CZ, s.r.o. ) -- C:\WINDOWS\System32\drivers\AVGIDSxx.sys
[2010/04/13 00:45:52 | 000,050,968 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgfwdx.dll
[2010/04/13 00:45:52 | 000,030,104 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgfwdx.sys
[2010/04/13 00:41:55 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2010/04/13 00:41:55 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2010/04/13 00:41:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2010/04/12 20:31:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2010/04/12 17:27:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\avg9
[2010/04/10 13:00:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Identities
[2010/04/10 13:00:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Identities
[2010/04/07 11:51:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/04/07 11:23:14 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2010/04/06 23:45:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/04/02 01:37:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Steven\My Documents\Downloads
[2010/04/01 15:16:05 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Steven\My Documents\My Videos
[2010/04/01 15:15:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Steven\Local Settings\Application Data\Real
[2010/04/01 15:14:29 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\xing shared
[2010/03/31 15:26:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2008/06/27 12:58:00 | 000,382,352 | ---- | C] (Sun Microsystems, Inc.) -- C:\Documents and Settings\Steven\jdk-6u6-windows-i586-p-iftw.exe
[2008/02/14 18:45:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2006/06/30 06:42:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Symantec
[2005/02/06 22:56:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Symantec
[83 C:\Documents and Settings\Steven\Desktop\*.tmp files -> C:\Documents and Settings\Steven\Desktop\*.tmp -> ]
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[4 C:\Documents and Settings\Steven\My Documents\*.tmp files -> C:\Documents and Settings\Steven\My Documents\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2010/04/13 22:26:50 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Steven\Desktop\OTL.exe
[2010/04/13 22:20:41 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/04/13 22:19:34 | 000,000,280 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-1220945662-796845957-725345543-1003.job
[2010/04/13 22:19:27 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/04/13 22:19:24 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/04/13 21:53:41 | 008,974,336 | ---- | M] () -- C:\Documents and Settings\Steven\ntuser.dat
[2010/04/13 21:53:41 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Steven\ntuser.ini
[2010/04/13 20:58:55 | 058,877,138 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/04/13 17:19:24 | 004,827,830 | -H-- | M] () -- C:\Documents and Settings\Steven\Local Settings\Application Data\IconCache.db
[2010/04/13 12:53:56 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Steven\Local Settings\Application Data\prvlcl.dat
[2010/04/13 00:48:45 | 000,012,464 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2010/04/13 00:48:45 | 000,001,507 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AVG 9.0.lnk
[2010/04/13 00:48:43 | 000,052,872 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgrkx86.sys
[2010/04/13 00:48:42 | 000,242,696 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2010/04/13 00:48:33 | 000,216,200 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2010/04/13 00:48:32 | 000,029,512 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2010/04/13 00:48:29 | 000,578,151 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\iavifw.avm
[2010/04/13 00:48:29 | 000,113,461 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\iavichjw.avm
[2010/04/13 00:46:32 | 000,025,096 | ---- | M] (AVG Technologies CZ, s.r.o. ) -- C:\WINDOWS\System32\drivers\AVGIDSxx.sys
[2010/04/13 00:45:52 | 000,050,968 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgfwdx.dll
[2010/04/13 00:45:52 | 000,030,104 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgfwdx.sys
[2010/04/12 23:32:54 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/04/12 23:32:34 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/04/07 14:22:36 | 000,293,376 | ---- | M] () -- C:\r6h6mdo0.exe
[2010/04/07 12:02:23 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/04/07 11:50:26 | 000,005,074 | -HS- | M] () -- C:\Documents and Settings\Steven\Local Settings\Application Data\olV3RohQ
[2010/04/07 11:50:26 | 000,005,074 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\olV3RohQ
[2010/04/06 02:12:39 | 000,212,553 | ---- | M] () -- C:\Documents and Settings\Steven\Desktop\Candidate_Resource_Booklet_2005.pdf
[2010/04/02 12:25:33 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\mal.lnk
[2010/04/02 12:17:15 | 000,001,734 | ---- | M] () -- C:\Documents and Settings\Steven\Desktop\HijackThis.lnk
[2010/04/02 02:39:53 | 000,011,168 | -H-- | M] () -- C:\WINDOWS\System32\tavuvuho
[2010/04/01 15:18:42 | 000,021,490 | ---- | M] () -- C:\WINDOWS\cdPlayer.ini
[2010/04/01 15:16:41 | 000,000,288 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-1220945662-796845957-725345543-1003.job
[2010/04/01 15:13:53 | 000,278,528 | ---- | M] (Real Networks, Inc) -- C:\WINDOWS\System32\pncrt.dll
[2010/03/31 19:20:09 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/03/31 15:20:40 | 000,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[83 C:\Documents and Settings\Steven\Desktop\*.tmp files -> C:\Documents and Settings\Steven\Desktop\*.tmp -> ]
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[4 C:\Documents and Settings\Steven\My Documents\*.tmp files -> C:\Documents and Settings\Steven\My Documents\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/04/13 00:48:45 | 000,001,507 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\AVG 9.0.lnk
[2010/04/13 00:48:29 | 000,578,151 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\iavifw.avm
[2010/04/13 00:48:29 | 000,113,461 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\iavichjw.avm
[2010/04/13 00:48:19 | 058,877,138 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/04/07 14:22:36 | 000,293,376 | ---- | C] () -- C:\r6h6mdo0.exe
[2010/04/07 11:35:41 | 000,005,074 | -HS- | C] () -- C:\Documents and Settings\Steven\Local Settings\Application Data\olV3RohQ
[2010/04/07 11:34:38 | 000,005,078 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\olV3RohQ
[2010/04/07 11:34:38 | 000,005,074 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\olV3RohQ
[2010/04/07 11:26:38 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/04/07 11:25:37 | 000,000,178 | ---- | C] () -- C:\Documents and Settings\Steven\avgrep.txt
[2010/04/06 02:12:39 | 000,212,553 | ---- | C] () -- C:\Documents and Settings\Steven\Desktop\Candidate_Resource_Booklet_2005.pdf
[2010/04/05 16:33:37 | 008,974,336 | ---- | C] () -- C:\Documents and Settings\Steven\ntuser.dat
[2010/04/02 12:17:15 | 000,001,734 | ---- | C] () -- C:\Documents and Settings\Steven\Desktop\HijackThis.lnk
[2010/04/01 15:15:08 | 000,000,280 | ---- | C] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-1220945662-796845957-725345543-1003.job
[2010/04/01 15:15:06 | 000,000,288 | ---- | C] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-1220945662-796845957-725345543-1003.job
[2010/03/31 15:20:40 | 000,001,602 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2009/11/22 12:09:49 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Steven\Local Settings\Application Data\prvlcl.dat
[2009/06/30 11:42:36 | 000,002,096 | ---- | C] () -- C:\Documents and Settings\Steven\Application Data\HPSU_48BitScanUpdate.log
[2009/06/30 11:42:36 | 000,000,214 | ---- | C] () -- C:\WINDOWS\HP_48BitScanUpdatePatch.ini
[2009/06/30 11:37:25 | 000,058,988 | ---- | C] () -- C:\Documents and Settings\Steven\Application Data\Update_HP_RedboxHprblog_HPSU.log
[2009/06/30 11:37:24 | 000,000,221 | ---- | C] () -- C:\WINDOWS\HP_RedboxHprblog_HPSU.ini
[2009/04/16 18:32:05 | 000,056,832 | ---- | C] () -- C:\WINDOWS\System32\iyvu9_32.dll
[2009/04/04 20:26:22 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll
[2008/09/15 21:14:43 | 000,306,966 | ---- | C] () -- C:\Documents and Settings\Steven\ErrorLog.txt
[2008/06/11 12:56:41 | 000,000,118 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2008/05/25 19:48:41 | 000,000,327 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/04/30 11:57:28 | 000,000,004 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2007/12/25 07:32:57 | 000,000,129 | ---- | C] () -- C:\Documents and Settings\Steven\Local Settings\Application Data\fusioncache.dat
[2007/10/26 16:06:08 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll
[2007/10/19 20:56:16 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2007/10/19 20:54:28 | 000,000,416 | ---- | C] () -- C:\WINDOWS\System32\dtu100.dll.manifest
[2007/10/19 20:54:28 | 000,000,416 | ---- | C] () -- C:\WINDOWS\System32\dpl100.dll.manifest
[2007/10/18 05:02:34 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2006/07/31 23:36:06 | 000,046,592 | ---- | C] () -- C:\WINDOWS\System32\shellses.dll
[2006/05/11 10:01:26 | 000,000,060 | ---- | C] () -- C:\Documents and Settings\Steven\.gtk-bookmarks
[2006/05/11 10:00:54 | 000,220,769 | ---- | C] () -- C:\Documents and Settings\Steven\.fonts.cache-1
[2006/05/08 19:14:54 | 000,000,000 | ---- | C] () -- C:\WINDOWS\hpqEmlSz.INI
[2006/04/08 20:54:49 | 000,003,654 | ---- | C] () -- C:\WINDOWS\System32\drivers\Sonyhcp.dll
[2006/04/08 20:45:59 | 000,077,824 | R--- | C] () -- C:\WINDOWS\System32\hpzids01.dll
[2006/04/08 20:39:54 | 000,000,782 | R--- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2005/12/31 08:28:23 | 000,005,632 | -HS- | C] () -- C:\Documents and Settings\Steven\Thumbs.db
[2005/12/06 21:34:32 | 000,003,677 | R--- | C] () -- C:\WINDOWS\PlaySnd.INI
[2005/12/06 21:34:31 | 000,006,850 | R--- | C] () -- C:\WINDOWS\Disktool.INI
[2005/12/06 21:34:30 | 000,005,628 | R--- | C] () -- C:\WINDOWS\fwupgrade.ini
[2005/09/14 18:32:22 | 000,262,416 | ---- | C] () -- C:\WINDOWS\System32\ASFV2.DLL
[2005/09/14 18:30:32 | 000,524,288 | ---- | C] () -- C:\WINDOWS\System32\TDI-SonyOMG.dll
[2005/05/10 19:39:08 | 001,000,020 | ---- | C] () -- C:\Documents and Settings\Steven\ErrorLogStore.txt
[2005/05/10 19:28:59 | 000,074,752 | ---- | C] () -- C:\WINDOWS\System32\jst.dll
[2005/05/10 19:28:59 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\PMLJNI.dll
[2005/05/10 19:27:05 | 000,008,072 | ---- | C] () -- C:\WINDOWS\hplj1320.ini
[2005/05/10 19:26:39 | 000,000,385 | ---- | C] () -- C:\WINDOWS\hpbvspst.ini
[2005/05/10 19:26:37 | 000,001,020 | ---- | C] () -- C:\WINDOWS\hpbvnstp.ini
[2005/05/10 19:26:24 | 000,192,512 | R--- | C] () -- C:\WINDOWS\System32\HPB1320V.DLL
[2005/05/07 11:45:39 | 026,166,613 | ---- | C] () -- C:\Program Files\NAV05ENG.exe
[2005/03/22 02:37:46 | 000,000,045 | ---- | C] () -- C:\WINDOWS\EPSP825.ini
[2005/01/12 22:41:25 | 000,262,144 | ---- | C] () -- C:\Documents and Settings\All Users\ntuser.dat
[2005/01/12 22:41:25 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\All Users\ntuser.dat.LOG
[2004/12/29 02:09:47 | 000,021,490 | ---- | C] () -- C:\WINDOWS\cdPlayer.ini
[2004/12/21 23:09:01 | 000,000,000 | ---- | C] () -- C:\WINDOWS\QuickInstall.INI
[2004/12/07 23:34:55 | 000,007,909 | ---- | C] () -- C:\WINDOWS\System32\ftpctrs.ini
[2004/12/06 00:38:51 | 000,000,000 | ---- | C] () -- C:\WINDOWS\frontpg.ini
[2004/12/06 00:38:04 | 000,021,791 | ---- | C] () -- C:\WINDOWS\System32\smtpctrs.ini
[2004/12/06 00:38:03 | 000,001,037 | ---- | C] () -- C:\WINDOWS\System32\ntfsdrct.ini
[2004/12/06 00:37:20 | 000,038,576 | ---- | C] () -- C:\WINDOWS\System32\w3ctrs.ini
[2004/12/06 00:37:19 | 000,010,225 | ---- | C] () -- C:\WINDOWS\System32\axperf.ini
[2004/12/06 00:37:06 | 000,011,435 | ---- | C] () -- C:\WINDOWS\System32\infoctrs.ini
[2004/12/04 20:54:29 | 000,000,034 | ---- | C] () -- C:\WINDOWS\Sierra.ini
[2004/12/03 19:16:29 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/12/03 14:23:53 | 000,195,584 | ---- | C] () -- C:\Documents and Settings\Steven\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2004/12/03 02:59:37 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/12/03 02:36:02 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\Steven\ntuser.dat.LOG
[2004/12/03 02:36:02 | 000,000,278 | -HS- | C] () -- C:\Documents and Settings\Steven\ntuser.ini
[2002/12/18 16:10:36 | 000,006,048 | ---- | C] () -- C:\WINDOWS\System32\MCC16.DLL
[2002/03/13 15:46:46 | 000,053,248 | R--- | C] () -- C:\WINDOWS\System32\zlib.dll
[2001/07/31 06:17:12 | 000,094,274 | ---- | C] () -- C:\WINDOWS\System32\HPBHEALR.DLL
[2001/07/06 15:30:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini
[1999/01/22 11:46:56 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

========== LOP Check ==========

[2008/06/11 00:04:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\acccore
[2010/04/13 00:43:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2005/02/02 23:35:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Napster
[2009/10/23 21:54:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2009/11/25 09:32:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2008/06/11 00:05:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Steven\Application Data\acccore
[2007/12/25 07:32:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Steven\Application Data\GetRightToGo
[2010/01/27 14:47:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Steven\Application Data\Image Zone Express
[2004/12/21 23:04:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Steven\Application Data\Leadertech
[2007/12/25 07:33:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Steven\Application Data\Turbine
[2008/02/09 08:08:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Steven\Application Data\Viewpoint

========== Purity Check ==========


< End of report >
 
Here is the Malwarebytes log:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3930

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/13/2010 11:18:29 PM
mbam-log-2010-04-13 (23-18-29).txt

Scan type: Full scan (C:\|)
Objects scanned: 168838
Time elapsed: 50 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
Here is the online Kaspersky scan log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, April 13, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, April 13, 2010 19:47:08
Records in database: 3939804
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
G:\

Scan statistics:
Objects scanned: 74609
Threats found: 2
Infected objects found: 3
Suspicious objects found: 0
Scan duration: 02:29:51


File name / Threat / Threats count
C:\System Volume Information\_restore{2217A0E5-DE62-42F8-A6F6-331DF4377F5E}\RP929\A0367525.dll Infected: Packed.Win32.Katusha.j 1
C:\System Volume Information\_restore{2217A0E5-DE62-42F8-A6F6-331DF4377F5E}\RP929\A0367530.exe Infected: Packed.Win32.Katusha.j 1
C:\System Volume Information\_restore{2217A0E5-DE62-42F8-A6F6-331DF4377F5E}\RP935\A0385415.sys Infected: Rootkit.Win32.TDSS.ap 1

Selected area has been scanned.
 
Just restore points showing as infected. Uninstalling ComboFix will take care of that.

Uninstall Combofix
  • Click START then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the /U; it needs to be there.
The above procedure will:
  • Delete the following: ComboFix and its associated files and folders.
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.

+++++++++++++++++++

We should also clean up and remove the other tools we've used.

Run OTL and click on the Cleanup button.

How's it running now?

Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
 
Here is that log:

Results of screen317's Security Check version 0.99.3
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
AVG 9.0
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
HijackThis 2.0.2
Java(TM) 6 Update 19
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 6
Java(TM) 6 Update 7
Out of date Java installed!
Adobe Flash Player 10
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Reader 7.0.9
Out of date Adobe Reader installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent

AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
````````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````

I probably should download the newest versions of Adobe Reader and Java, huh?

All in all, the machine seems to be working properly. No pop-ups, no strange messages, no nothing so far.
 