rabbit
  1. I think it might be best to just let it go. Uninstalled AVG and it was still not working, switched to Avira for AV and Online Armor for firewall, so hopefully any malware will have a harder time getting in. I'm actually about to move, so it would probably be best to let sleeping dogs lie. Thanks for all the help though, I greatly appreciate it.
  2. However, after the successful scan, it's back to freezing. It wasn't working with any combination of settings, then one made it through for unclear reasons (I unchecked the anonymous reporting to Malwarebytes and shut down the Windows firewall, and it started working). One got through, then I aborted another (having started it to see if the problem were really solved) and all subsequent scans have frozen.
  3. Malwarebytes' Anti-Malware 1.46
     www.malwarebytes.org
     Database version: 4173
     Windows 5.1.2600 Service Pack 3
     Internet Explorer 8.0.6001.18702
     6/6/2010 5:25:27 PM
     mbam-log-2010-06-06 (17-25-27).txt
     Scan type: Quick scan
     Objects scanned: 129845
     Time elapsed: 7 minute(s), 7 second(s)
     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0
     Memory Processes Infected: (No malicious items detected)
     Memory Modules Infected: (No malicious items detected)
     Registry Keys Infected: (No malicious items detected)
     Registry Values Infected: (No malicious items detected)
     Registry Data Items Infected: (No malicious items detected)
     Folders Infected: (No malicious items detected)
     Files Infected: (No malicious items detected)
  4. VirusTotal Scan of iastor.bin File 81A8F62D00532BB84BE6070C4E818100BBBA23ED.sys received on 2010.04.06 13:47:45 (UTC) Current status: finished Result: 0/39 (0.00%) Compact Compact Print results Print results Antivirus Version Last Update Result a-squared 4.5.0.50 2010.04.06 - AhnLab-V3 5.0.0.2 2010.04.05 - AntiVir 7.10.6.29 2010.04.06 - Antiy-AVL 2.0.3.7 2010.04.06 - Authentium 5.2.0.5 2010.04.06 - Avast 4.8.1351.0 2010.04.06 - Avast5 5.0.332.0 2010.04.06 - AVG 9.0.0.787 2010.04.06 - BitDefender 7.2 2010.04.06 - CAT-QuickHeal 10.00 2010.04.06 - ClamAV 0.96.0.3-git 2010.04.06 - Comodo 4516 2010.04.06 - DrWeb 5.0.2.03300 2010.04.06 - eSafe 7.0.17.0 2010.04.01 - eTrust-Vet 35.2.7410 2010.04.06 - F-Prot 4.5.1.85 2010.04.05 - F-Secure 9.0.15370.0 2010.04.06 - Fortinet 4.0.14.0 2010.04.06 - GData 19 2010.04.06 - Ikarus T3.1.1.80.0 2010.04.06 - Jiangmin 13.0.900 2010.04.06 - Kaspersky 7.0.0.125 2010.04.06 - McAfee-GW-Edition 6.8.5 2010.04.06 - Microsoft 1.5605 2010.04.06 - NOD32 5004 2010.04.06 - Norman 6.04.11 2010.04.06 - nProtect 2009.1.8.0 2010.04.06 - Panda 10.0.2.2 2010.04.05 - PCTools 7.0.3.5 2010.04.06 - Prevx 3.0 2010.04.06 - Rising 22.42.01.04 2010.04.06 - Sophos 4.52.0 2010.04.06 - Sunbelt 6143 2010.04.06 - Symantec 20091.2.0.41 2010.04.06 - TheHacker 6.5.2.0.256 2010.04.06 - TrendMicro 9.120.0.1004 2010.04.06 - VBA32 3.12.12.4 2010.04.05 - ViRobot 2010.4.6.2263 2010.04.06 - VirusBuster 5.0.27.0 2010.04.06 - Additional information File size: 477952 bytes MD5 : d7731536e183b4397402ca6f9e1d52f7 SHA1 : 1bb9158a3634e29c3abe1d88707ba0f1b21d9dff SHA256: 32c7fbb2f151faa4f0b4a77fd11bf3098b5691d5dbcf1e3648b932d792174241 PEInfo: PE Structure information ( base data ) entrypointaddress.: 0x3676 timedatestamp.....: 0x40E1B22A (Tue Jun 29 20:17:14 2004) machinetype.......: 0x14C (Intel I386) ( 6 sections ) name viradd virsiz rawdsiz ntrpy md5 .text 0x300 0x37F3E 0x37F80 6.58 b087a0b6145bab659f8ae9db70ed72ba .rdata 0x38280 0x11A4 0x1200 4.96 
dec4ad02df321c919de1d35469dfbfa4 .data 0x39480 0x38574 0x38580 0.11 671f49fab98da90ec610bcef549b3cb1 INIT 0x71A00 0xD2C 0xD80 5.58 b09f4f0968adf979bba0cc6a5a61f374 .rsrc 0x72780 0x448 0x480 3.17 b38228c938a2779e4a9bee57de9af68a .reloc 0x72C00 0x1EBE 0x1F00 5.99 1ed403ca7ea327de46f73c9f99624e43 ( 2 imports ) > hal.dll: ExAcquireFastMutex, ExReleaseFastMutex, KfReleaseSpinLock, KfAcquireSpinLock, KeGetCurrentIrql, READ_PORT_ULONG, WRITE_PORT_ULONG, WRITE_PORT_BUFFER_ULONG, READ_PORT_BUFFER_ULONG, WRITE_PORT_BUFFER_USHORT, WRITE_PORT_UCHAR, READ_PORT_UCHAR, KeStallExecutionProcessor, READ_PORT_BUFFER_USHORT, READ_PORT_USHORT, HalGetInterruptVector > ntoskrnl.exe: memmove, _vsnprintf, KeInsertQueueDpc, MmAllocateNonCachedMemory, KeInitializeSpinLock, KefAcquireSpinLockAtDpcLevel, KefReleaseSpinLockFromDpcLevel, IoInvalidateDeviceRelations, IoFreeWorkItem, IoRequestDeviceEject, IoQueueWorkItem, IoAllocateWorkItem, ExInterlockedPopEntrySList, ExInterlockedPushEntrySList, IofCompleteRequest, IofCallDriver, IoGetDmaAdapter, RtlAnsiStringToUnicodeString, RtlInitAnsiString, ZwCreateKey, swprintf, KeWaitForSingleObject, KeInitializeEvent, IoDisconnectInterrupt, IoGetConfigurationInformation, IoDeleteDevice, ExDeleteNPagedLookasideList, KeCancelTimer, IoFreeIrp, KeLeaveCriticalRegion, KeEnterCriticalRegion, IoDetachDevice, IoDeleteSymbolicLink, IoConnectInterrupt, IoReleaseRemoveLockAndWaitEx, strstr, strncat, sprintf, IoBuildDeviceIoControlRequest, PoSetPowerState, PoRegisterDeviceForIdleDetection, RtlCompareMemory, KeClearEvent, IoInitializeRemoveLockEx, ObfReferenceObject, KeSetTimer, KeBugCheckEx, IoWriteErrorLogEntry, IoAllocateErrorLogEntry, RtlCopyUnicodeString, IoReleaseRemoveLockEx, KeSetEvent, KeRemoveQueueDpc, ObfDereferenceObject, IoGetAttachedDeviceReference, IoAllocateIrp, IoInvalidateDeviceState, strncpy, strncmp, PoRequestPowerIrp, IoFreeMdl, MmProbeAndLockPages, IoAllocateMdl, _local_unwind2, MmMapLockedPagesSpecifyCache, PsTerminateSystemThread, 
KeWaitForMultipleObjects, _allmul, KeBugCheck, KeSetPriorityThread, ObReferenceObjectByHandle, PsCreateSystemThread, ExInitializeNPagedLookasideList, KeInitializeDpc, KeInitializeTimer, MmMapIoSpace, IoReportResourceForDetection, MmUnmapIoSpace, RtlCheckRegistryKey, IoAttachDeviceToDeviceStack, IoCreateSymbolicLink, IoCreateDevice, RtlUnicodeStringToInteger, wcsncpy, wcsstr, _wcsupr, IoGetDeviceProperty, ZwCreateDirectoryObject, READ_REGISTER_ULONG, PsGetVersion, _alldiv, PoStartNextPowerIrp, PoCallDriver, ExSystemTimeToLocalTime, KeQuerySystemTime, _purecall, _except_handler3, RtlCreateRegistryKey, DbgPrint, ZwOpenKey, ZwClose, ZwQueryValueKey, RtlWriteRegistryValue, RtlInitUnicodeString, wcslen, ExAllocatePoolWithTag, RtlAppendUnicodeToString, RtlAppendUnicodeStringToString, RtlQueryRegistryValues, ExFreePoolWithTag, KeNumberProcessors, MmGetPhysicalAddress, IoAcquireRemoveLockEx, WRITE_REGISTER_ULONG ( 0 exports ) TrID : File type identification Win32 Executable Generic (68.0%) Generic Win/DOS Executable (15.9%) DOS Executable Generic (15.9%) Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%) ssdeep: 6144:DzF2q7zhUndlZP4+7ewqZ4Z+1liPqoROGwiSm:lpnhUndc6+1liyuX sigcheck: publisher....: Intel Corporation copyright....: Copyright© Intel Corporation 1994-2004 product......: Intel Application Accelerator driver description..: Intel Application Accelerator driver original name: iaStor.sys internal name: iaStor.sys file version.: 4.5.0.6515 comments.....: signers......: - signing date.: - verified.....: Unsigned PEiD : - RDS : NSRL Reference Data Set ComboFix 10-06-05.03 - John Macdonald 06/06/2010 12:15:24.4.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2471 [GMT -4:00] Running from: c:\documents and settings\John Macdonald\Desktop\Combo-Fix.exe Command switches used :: c:\documents and settings\John Macdonald\Desktop\CFScript.txt AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} 
FILE :: "c:\docume~1\JOHNMA~1\LOCALS~1\Temp\kbeepm.sys" "c:\windows\system32\BD.tmp" . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . F:\AUTORUN.INF . . . . failed to delete . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_KBEEPM -------\Legacy_MEMSWEEP2 -------\Service_kbeepm -------\Service_MEMSWEEP2 ((((((((((((((((((((((((( Files Created from 2010-05-06 to 2010-06-06 ))))))))))))))))))))))))))))))) . 2010-06-03 12:14 . 2010-06-03 12:14 29512 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys 2010-06-03 12:14 . 2010-06-03 12:14 242896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys 2010-05-31 18:01 . 2010-05-31 18:01 63488 ----a-w- c:\documents and settings\John Macdonald\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll 2010-05-31 18:01 . 2010-05-31 18:01 52224 ----a-w- c:\documents and settings\John Macdonald\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll 2010-05-31 18:01 . 2010-05-31 18:01 117760 ----a-w- c:\documents and settings\John Macdonald\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL 2010-05-31 18:00 . 2010-05-31 18:00 -------- d-----w- c:\documents and settings\John Macdonald\Application Data\SUPERAntiSpyware.com 2010-05-31 18:00 . 2010-05-31 18:00 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com 2010-05-31 18:00 . 2010-05-31 18:00 -------- d-----w- c:\program files\SUPERAntiSpyware 2010-05-30 15:13 . 2010-05-30 15:13 -------- d-----w- c:\documents and settings\John Macdonald\DoctorWeb 2010-05-28 19:52 . 2010-05-28 19:52 -------- d-----w- c:\documents and settings\John Macdonald\Application Data\NVIDIA 2010-05-27 06:08 . 
2010-05-27 06:08 -------- d-----w- c:\documents and settings\John Macdonald\Application Data\VistaCodecs 2010-05-27 06:08 . 2010-05-27 06:08 -------- d-----w- c:\program files\VistaCodecPack 2010-05-27 06:06 . 2010-05-27 06:08 -------- d-----w- c:\documents and settings\All Users\Application Data\VistaCodecs 2010-05-27 06:02 . 2010-05-27 06:02 -------- d-----w- c:\program files\MPC Homecinema 2010-05-27 05:57 . 2010-06-06 06:30 -------- d-----w- c:\documents and settings\John Macdonald\Application Data\Media Player Classic 2010-05-27 04:10 . 2010-04-03 22:55 61440 ----a-w- c:\windows\system32\OpenCL.dll 2010-05-27 04:10 . 2010-04-03 22:55 11647592 ----a-w- c:\windows\system32\nvcompiler.dll 2010-05-25 22:20 . 2010-05-25 22:20 -------- d-----w- c:\program files\Trend Micro 2010-05-25 16:29 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-05-25 16:29 . 2010-05-29 15:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-05-25 16:29 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-05-24 02:05 . 2010-05-24 02:06 -------- d-----w- c:\program files\iTunes 2010-05-24 02:05 . 2010-05-24 02:05 -------- d-----w- c:\program files\Apple Software Update 2010-05-22 06:16 . 2010-05-22 06:16 -------- d-sh--w- c:\documents and settings\John Macdonald\IECompatCache 2010-05-21 06:39 . 2010-05-25 16:29 -------- d-----w- c:\documents and settings\John Macdonald\Application Data\Malwarebytes 2010-05-21 06:39 . 2010-05-25 16:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2010-05-18 21:58 . 2010-05-18 21:58 1085440 ----a-w- c:\windows\system32\VSFilter.dll 2010-05-18 05:47 . 2010-05-18 05:47 108032 ----a-w- c:\windows\system32\ff_vfw.dll 2010-05-17 00:33 . 2010-05-17 00:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage 2010-05-17 00:33 . 
2010-05-17 00:33 -------- d-----w- c:\documents and settings\John Macdonald\Application Data\Office Genuine Advantage 2010-05-16 18:32 . 2010-05-16 21:26 -------- d--h--w- c:\windows\Icons 2010-05-09 04:46 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-06-06 06:26 . 2008-01-20 23:00 -------- d-----w- c:\program files\CCleaner 2010-06-03 21:12 . 2005-05-26 22:30 40714 -c--a-w- c:\documents and settings\John Macdonald\Application Data\wklnhst.dat 2010-06-03 12:14 . 2009-01-30 06:21 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys 2010-06-03 12:14 . 2009-01-30 06:21 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys 2010-05-30 07:17 . 2006-12-17 04:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2010-05-29 18:41 . 2005-05-27 01:56 -------- d-----w- c:\program files\Common Files\Adobe 2010-05-27 06:50 . 2005-12-08 00:39 -------- d-----w- c:\program files\DivX 2010-05-27 06:50 . 2006-02-02 05:31 -------- d-----w- c:\documents and settings\John Macdonald\Application Data\Petroglyph 2010-05-27 04:13 . 2009-09-30 00:48 -------- d-----w- c:\program files\NVIDIA Corporation 2010-05-27 04:12 . 2008-11-23 17:50 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard 2010-05-26 20:39 . 2005-05-20 01:50 -------- d-----w- c:\program files\Java 2010-05-24 02:05 . 2005-05-27 17:59 -------- d-----w- c:\program files\iPod 2010-05-24 02:05 . 2007-07-26 02:30 -------- d-----w- c:\program files\Common Files\Apple 2010-05-16 04:19 . 2005-05-29 15:29 -------- d-----w- c:\program files\World of Warcraft 2010-05-16 04:06 . 2005-05-20 01:51 -------- d--h--w- c:\program files\InstallShield Installation Information 2010-05-07 03:43 . 2005-05-27 18:00 -------- d-----w- c:\documents and settings\John Macdonald\Application Data\Apple Computer 2010-05-07 03:43 . 
2010-05-07 03:43 -------- d-----w- c:\program files\Bonjour 2010-04-29 06:40 . 2005-08-08 04:09 76648 -c--a-w- c:\documents and settings\John Macdonald\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2010-04-29 05:57 . 2010-04-13 23:46 -------- d-----w- c:\program files\HRBlock2009 2010-04-29 05:52 . 2010-04-13 23:46 -------- d-----w- c:\program files\PDF995 2010-04-28 19:45 . 2010-04-28 19:45 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe 2010-04-28 01:29 . 2010-04-28 01:29 -------- d-----w- c:\documents and settings\John Macdonald\Application Data\TuneUp Software 2010-04-28 01:29 . 2010-04-28 01:29 -------- d-----w- c:\documents and settings\All Users\Application Data\TuneUp Software 2010-04-28 01:29 . 2010-04-28 01:29 -------- d-sh--w- c:\documents and settings\All Users\Application Data\{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC} 2010-04-15 01:21 . 2010-04-15 01:21 -------- d-----w- c:\program files\StreamTransport 2010-04-15 00:41 . 2010-04-13 23:47 -------- d-----w- c:\documents and settings\John Macdonald\Application Data\TaxCut 2010-04-15 00:41 . 2010-04-14 02:00 -------- d-----w- c:\documents and settings\All Users\Application Data\pdf995 2010-04-14 02:04 . 2010-04-14 02:04 -------- d-----w- c:\documents and settings\John Macdonald\Application Data\pdf995 2010-04-14 02:00 . 2010-04-14 02:00 51716 ----a-w- c:\windows\system32\pdf995mon.dll 2010-04-14 02:00 . 2010-04-14 02:00 249856 ----a-w- c:\windows\system32\pdfmona.dll 2010-04-14 00:34 . 2010-04-14 00:34 3116520 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Downloads\HRBlockCT.exe 2010-04-13 23:48 . 2010-04-13 23:47 21195208 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Update\US30026901xupd.exe 2010-04-13 23:45 . 2010-04-13 23:45 -------- d-----w- c:\documents and settings\All Users\Application Data\TaxCut 2010-04-13 03:00 . 
2010-04-01 23:22 -------- d-----w- c:\program files\Activision 2010-04-08 17:20 . 2010-04-08 17:20 91424 ----a-w- c:\windows\system32\dnssd.dll 2010-04-08 17:20 . 2010-04-08 17:20 107808 ----a-w- c:\windows\system32\dns-sd.exe 2010-04-04 02:26 . 2010-04-04 02:25 8 ----a-w- c:\windows\crpf.bin 2010-04-04 02:25 . 2010-04-04 02:25 4 ----a-w- c:\windows\crpf_sdum.bin 2010-04-03 23:23 . 2010-04-03 23:23 278120 ----a-w- c:\windows\system32\nvmccs.dll 2010-04-03 23:23 . 2010-04-03 23:23 154216 ----a-w- c:\windows\system32\nvsvc32.exe 2010-04-03 23:23 . 2010-04-03 23:23 145000 ----a-w- c:\windows\system32\nvcolor.exe 2010-04-03 23:23 . 2010-04-03 23:23 13670504 ----a-w- c:\windows\system32\nvcpl.dll 2010-04-03 23:23 . 2010-04-03 23:23 110696 ----a-w- c:\windows\system32\nvmctray.dll 2010-04-03 23:22 . 2010-04-03 23:22 81920 ----a-w- c:\windows\system32\nvwddi.dll 2010-04-03 22:55 . 2009-09-30 05:38 600680 -c--a-w- c:\windows\system32\nvudisp.exe 2010-04-03 22:55 . 2009-06-10 10:03 2646632 ----a-w- c:\windows\system32\nvcuvenc.dll 2010-04-03 22:55 . 2009-06-10 10:03 2183470 ----a-w- c:\windows\system32\nvdata.bin 2010-04-03 22:55 . 2009-06-10 10:03 2030184 ----a-w- c:\windows\system32\nvcuvid.dll 2010-04-03 22:55 . 2008-12-25 16:08 4075520 ----a-w- c:\windows\system32\nvcuda.dll 2010-04-03 22:55 . 2008-12-25 16:08 227944 ----a-w- c:\windows\system32\nvcodins.dll 2010-04-03 22:55 . 2008-12-25 16:08 227944 ----a-w- c:\windows\system32\nvcod.dll 2010-04-03 22:55 . 2008-12-25 16:08 14757888 ----a-w- c:\windows\system32\nvoglnt.dll 2010-04-03 22:55 . 2008-12-25 16:08 1097728 ----a-w- c:\windows\system32\nvapi.dll 2010-04-03 22:55 . 2006-09-04 16:24 6432128 ----a-w- c:\windows\system32\nv4_disp.dll 2010-04-03 22:55 . 1980-01-01 05:00 10232128 ----a-w- c:\windows\system32\drivers\nv4_mini.sys 2010-04-03 06:19 . 
2010-04-03 06:19 503808 ----a-w- c:\documents and settings\John Macdonald\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1624d392-n\msvcp71.dll 2010-04-03 06:19 . 2010-04-03 06:19 499712 ----a-w- c:\documents and settings\John Macdonald\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1624d392-n\jmc.dll 2010-04-03 06:19 . 2010-04-03 06:19 348160 ----a-w- c:\documents and settings\John Macdonald\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1624d392-n\msvcr71.dll 2010-04-03 06:19 . 2010-04-03 06:19 61440 ----a-w- c:\documents and settings\John Macdonald\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6b4d2e3f-n\decora-sse.dll 2010-04-03 06:19 . 2010-04-03 06:19 12800 ----a-w- c:\documents and settings\John Macdonald\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6b4d2e3f-n\decora-d3d.dll 2010-04-02 22:31 . 2010-04-02 22:31 49152 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll 2010-04-02 22:31 . 2010-04-02 22:31 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll 2010-04-02 22:31 . 2010-04-02 22:31 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll 2010-04-02 22:31 . 2010-04-02 22:31 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll 2010-04-02 22:31 . 2010-04-02 22:31 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll 2010-04-02 22:31 . 2010-04-02 22:31 40960 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll 2010-04-02 22:31 . 
2010-04-02 22:31 308808 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll 2010-04-02 22:31 . 2010-04-02 22:31 14848 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll 2010-04-02 22:31 . 2010-04-02 22:31 341600 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll 2010-04-02 22:30 . 2004-09-16 17:29 499712 ----a-w- c:\windows\system32\msvcp71.dll 2010-04-02 22:30 . 2004-09-16 17:29 348160 ----a-w- c:\windows\system32\msvcr71.dll 2010-04-02 20:54 . 2009-09-30 05:34 600680 -c--a-w- c:\windows\system32\NVUNINST.EXE 2010-03-17 18:54 . 2010-03-17 18:54 12464 ----a-w- c:\windows\system32\avgrsstx.dll 2010-03-17 18:53 . 2009-01-30 06:21 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys 2010-03-10 06:15 . 2004-08-04 10:00 420352 ----a-w- c:\windows\system32\vbscript.dll 2008-08-10 17:59 . 2008-08-10 21:58 262144 -c--a-w- c:\program files\Uninstall Spy Blocker.dll 2009-07-09 14:23 . 2009-07-09 14:17 577568 -csha-w- c:\windows\SYSTEM32\DRIVERS\fidbox.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-06-29 135168] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-03 13670504] "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-04-02 202256] c:\documents and settings\All Users\Start Menu\Programs\Startup\ HWDN1 Wireless Utility.lnk - c:\program files\Hawking\Common\RaUI.exe [2009-9-25 704512] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter] 2010-03-17 18:54 12464 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk] backup=c:\windows\pss\Microsoft Office.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless USB 2.0 WLAN Card Utility.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Wireless USB 2.0 WLAN Card Utility.lnk backup=c:\windows\pss\Wireless USB 2.0 WLAN Card Utility.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core] 2009-04-29 17:55 3338240 -c--a-w- c:\program files\Electronic Arts\EADM\Core.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update] 2009-03-26 15:55 133104 -c--atw- c:\documents and settings\John Macdonald\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared 
tools\msconfig\startupreg\iTunesHelper] 2010-04-28 19:06 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon] 2010-04-03 23:23 13670504 ----a-w- c:\windows\SYSTEM32\nvcpl.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter] 2010-04-03 23:23 110696 ----a-w- c:\windows\SYSTEM32\nvmctray.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] 2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam] 2010-05-26 21:17 1238352 ----a-w- c:\valve\Steam\Steam.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] 2010-02-18 15:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] 2010-04-02 22:30 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager] 2004-01-07 06:01 110592 -c--a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "FastUserSwitchingCompatibility"=3 (0x3) "PnkBstrA"=2 (0x2) "JavaQuickStarterService"=3 (0x3) "iPod Service"=3 (0x3) [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] "UpdReg"=c:\windows\UpdReg.EXE "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" "CTSysVol"=c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r "NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit "nwiz"=c:\program files\NVIDIA Corporation\nView\nwiz.exe /install "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] 
"DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Valve\\Steam\\Steam.exe"= "c:\\WINDOWS\\SYSTEM32\\MQSVC.EXE"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Mozilla Firefox\\firefox.exe"= "c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"= "c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"= "c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe"= "c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"= "c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"= "c:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"= "c:\\Program Files\\Games\\Mass Effect\\Binaries\\MassEffect.exe"= "c:\\Program Files\\Games\\Mass Effect\\MassEffectLauncher.exe"= "c:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"= "c:\\Program Files\\Ventrilo\\Ventrilo.exe"= "c:\\Program Files\\THQ\\Company of Heroes\\RelicDownloader\\RelicDownloader.exe"= "c:\\Program Files\\AVG\\AVG9\\avgemc.exe"= "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"= "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"= "c:\\Program Files\\Games\\Dragon Age\\bin_ship\\daorigins.exe"= "c:\\Program Files\\Games\\Dragon Age\\DAOriginsLauncher.exe"= "c:\\Program Files\\Games\\Dragon Age\\bin_ship\\daupdatersvc.service.exe"= "c:\\Program Files\\Games\\Mass Effect 2\\Binaries\\MassEffect2.exe"= "c:\\Program Files\\Games\\Mass Effect 2\\MassEffect2Launcher.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Valve\\Steam\\SteamApps\\agentsmythe\\counter-strike 
source\\hl2.exe"= "c:\\Valve\\Steam\\SteamApps\\common\\nexus the jupiter incident\\runme.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3724:TCP"= 3724:TCP:Blizzard Downloader "6112:TCP"= 6112:TCP:Blizzard Downloader [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings] "AllowInboundEchoRequest"= 1 (0x1) "AllowInboundTimestampRequest"= 1 (0x1) "AllowInboundMaskRequest"= 1 (0x1) "AllowInboundRouterRequest"= 1 (0x1) "AllowOutboundDestinationUnreachable"= 1 (0x1) "AllowOutboundSourceQuench"= 1 (0x1) "AllowOutboundParameterProblem"= 1 (0x1) "AllowOutboundTimeExceeded"= 1 (0x1) "AllowRedirect"= 1 (0x1) "AllowOutboundPacketTooBig"= 1 (0x1) R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [1/30/2009 2:21 AM 216200] R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [1/30/2009 2:21 AM 242896] R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872] R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656] R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [3/17/2010 2:53 PM 916760] R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/17/2010 2:54 PM 308064] R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\SYSTEM32\DRIVERS\COMMONFX.sys [3/4/2009 2:42 PM 99352] R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\SYSTEM32\DRIVERS\CTAUDFX.sys [3/4/2009 2:42 PM 555032] R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\SYSTEM32\DRIVERS\CTSBLFX.sys [3/4/2009 2:42 PM 566296] S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/28/2009 10:00 AM 133104] S3 COMMONFX;COMMONFX;c:\windows\SYSTEM32\DRIVERS\COMMONFX.sys [3/4/2009 2:42 PM 99352] S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [6/22/2009 12:46 AM 
79360] S3 CSVirtA;Cisco Systems SSL VPN Adapter;c:\windows\system32\DRIVERS\CSVirtA.sys --> c:\windows\system32\DRIVERS\CSVirtA.sys [?] S3 CTAUDFX;CTAUDFX;c:\windows\SYSTEM32\DRIVERS\CTAUDFX.sys [3/4/2009 2:42 PM 555032] S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\SYSTEM32\DRIVERS\CTERFXFX.sys [3/4/2009 2:42 PM 100888] S3 CTERFXFX;CTERFXFX;c:\windows\SYSTEM32\DRIVERS\CTERFXFX.sys [3/4/2009 2:42 PM 100888] S3 CTSBLFX;CTSBLFX;c:\windows\SYSTEM32\DRIVERS\CTSBLFX.sys [3/4/2009 2:42 PM 566296] S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Games\Dragon Age\bin_ship\daupdatersvc.service.exe [11/14/2009 1:54 AM 25832] S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys [5/25/2010 12:29 PM 38224] S4 PrintSuperVision Assistant;PrintSuperVision Assistant;c:\program files\PrintSuperVision Assistant\PSVSAService.exe --> c:\program files\PrintSuperVision Assistant\PSVSAService.exe [?] S4 PRISMSVC;PRISMSVC;c:\windows\SYSTEM32\PRISMSVC.exe [5/19/2005 9:51 PM 57344] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] getPlusHelper REG_MULTI_SZ getPlusHelper . 
Contents of the 'Scheduled Tasks' folder 2010-06-02 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50] 2010-06-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-07-28 14:00] 2010-06-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-07-28 14:00] 2010-06-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3365313937-3253272465-2137926639-1005Core.job - c:\documents and settings\John Macdonald\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-26 15:55] 2010-06-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3365313937-3253272465-2137926639-1005UA.job - c:\documents and settings\John Macdonald\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-26 15:55] 2010-06-06 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3365313937-3253272465-2137926639-1005.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09] 2010-06-03 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3365313937-3253272465-2137926639-1005.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09] . . ------- Supplementary Scan ------- . 
uStart Page = hxxp://www.dell4me.com/myway uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uInternet Settings,ProxyOverride = *.local uSearchURL,(Default) = hxxp://www.google.com/keyword/%s IE: &AIM Search IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200 FF - ProfilePath - c:\documents and settings\John Macdonald\Application Data\Mozilla\Firefox\Profiles\1oj6u7or.default\ FF - plugin: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll FF - plugin: c:\documents and settings\John Macdonald\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMCult3DP.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll FF - plugin: c:\windows\system32\Cult3D\NPMCult3DP.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ ---- FIREFOX POLICIES ---- FF - user.js: yahoo.homepage.dontask - true FF - user.js: network.http.max-persistent-connections-per-server - 4 FF - user.js: nglayout.initialpaint.delay - 600 FF - user.js: content.notify.interval - 600000 FF - user.js: content.max.tokenizing.time - 1800000 FF - user.js: content.switch.threshold - 600000 c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true); c:\program files\Mozilla Firefox\greprefs\all.js - 
pref("network.auth.force-generic-ntlm", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", ""); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false); . - - - - ORPHANS REMOVED - - - - MSConfigStartUp-Zone Labs Client - c:\program files\Zone Labs\ZoneAlarm\zlclient.exe ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-06-06 12:22 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_USERS\S-1-5-21-3365313937-3253272465-2137926639-1005\Software\SecuROM\!CAUTION! 
NEVER A OR CHANGE ANY KEY*] "??"=hex:b4,5a,22,4d,78,ad,e2,77,fb,9c,7a,8e,19,66,6c,90,a7,f6,f7,f1,d0,04,39, 58,83,2e,d3,7f,ba,3e,d5,99,97,c1,3f,e1,32,93,b8,2a,a4,8b,57,89,17,79,a9,91,\ "??"=hex:a1,5e,47,db,25,65,bb,27,8b,92,55,34,10,3f,d9,49 [HKEY_USERS\S-1-5-21-3365313937-3253272465-2137926639-1005\Software\SecuROM\License information*] "datasecu"=hex:9a,77,b6,be,5e,8c,d7,a3,2b,04,2c,6b,a0,84,3b,15,fd,88,c7,a5,e6, 4b,c4,2b,7b,30,18,d6,79,7f,03,e5,1d,8e,e0,69,9a,85,73,53,39,24,68,bd,a5,82,\ "rkeysecu"=hex:f8,49,c5,73,b7,f6,49,8f,af,66,2d,82,39,e1,af,63 . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(1284) c:\program files\SUPERAntiSpyware\SASWINLO.DLL c:\windows\system32\WININET.dll c:\windows\system32\PRISMAPI.dll - - - - - - - > 'explorer.exe'(3772) c:\windows\system32\WININET.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\nvsvc32.exe c:\program files\Creative\Shared Files\CTAudSvc.exe c:\program files\Bonjour\mDNSResponder.exe c:\program files\AVG\AVG9\avgchsvx.exe c:\program files\AVG\AVG9\avgrsx.exe c:\windows\system32\CTsvcCDA.EXE c:\program files\Intel\Intel Application Accelerator\iaantmon.exe c:\windows\system32\msdtc.exe c:\program files\AVG\AVG9\avgcsrvx.exe c:\program files\AVG\AVG9\avgnsx.exe c:\program files\AVG\AVG9\avgcsrvx.exe c:\windows\system32\PRISMSVR.EXE c:\windows\system32\wscntfy.exe . ************************************************************************** . 
Completion time: 2010-06-06 12:27:24 - machine was rebooted ComboFix-quarantined-files.txt 2010-06-06 16:27 ComboFix2.txt 2010-05-29 20:37 ComboFix3.txt 2010-05-29 20:01 Pre-Run: 41,115,119,616 bytes free Post-Run: 40,957,321,216 bytes free - - End Of File - - 4DB91AC177B5D399960699FDC8AD2E58 NTBTLOG Service Pack 3 6 6 2010 12:40:39.375 Loaded driver \WINDOWS\system32\ntkrnlpa.exe Loaded driver \WINDOWS\system32\hal.dll Loaded driver \WINDOWS\system32\KDCOM.DLL Loaded driver \WINDOWS\system32\BOOTVID.dll Loaded driver ACPI.sys Loaded driver \WINDOWS\system32\DRIVERS\WMILIB.SYS Loaded driver pci.sys Loaded driver isapnp.sys Loaded driver sfsync04.sys Loaded driver pciide.sys Loaded driver \WINDOWS\system32\DRIVERS\PCIIDEX.SYS Loaded driver aliide.sys Loaded driver cmdide.sys Loaded driver toside.sys Loaded driver viaide.sys Loaded driver intelide.sys Loaded driver MountMgr.sys Loaded driver ftdisk.sys Loaded driver dmload.sys Loaded driver dmio.sys Loaded driver PartMgr.sys Loaded driver VolSnap.sys Loaded driver cpqarray.sys Loaded driver \WINDOWS\system32\DRIVERS\SCSIPORT.SYS Loaded driver iaStor.sys Loaded driver atapi.sys Loaded driver aha154x.sys Loaded driver sparrow.sys Loaded driver symc810.sys Loaded driver aic78xx.sys Loaded driver dac960nt.sys Loaded driver ql10wnt.sys Loaded driver amsint.sys Loaded driver asc.sys Loaded driver asc3550.sys Loaded driver mraid35x.sys Loaded driver i2omp.sys Loaded driver ini910u.sys Loaded driver ql1240.sys Loaded driver aic78u2.sys Loaded driver symc8xx.sys Loaded driver sym_hi.sys Loaded driver sym_u3.sys Loaded driver ABP480N5.SYS Loaded driver asc3350p.sys Loaded driver cd20xrnt.sys Loaded driver ultra.sys Loaded driver adpu160m.sys Loaded driver dpti2o.sys Loaded driver ql1080.sys Loaded driver ql1280.sys Loaded driver ql12160.sys Loaded driver perc2.sys Loaded driver perc2hib.sys Loaded driver hpn.sys Loaded driver cbidf2k.sys Loaded driver dac2w2k.sys Loaded driver disk.sys Loaded driver 
\WINDOWS\system32\DRIVERS\CLASSPNP.SYS Loaded driver fltmgr.sys Loaded driver sr.sys Loaded driver KSecDD.sys Loaded driver Ntfs.sys Loaded driver NDIS.sys Loaded driver sisagp.sys Loaded driver viaagp.sys Loaded driver sfhlp02.sys Loaded driver sfdrv01.sys Loaded driver ohci1394.sys Loaded driver \WINDOWS\system32\DRIVERS\1394BUS.SYS Loaded driver Mup.sys Loaded driver agp440.sys Loaded driver alim1541.sys Loaded driver amdagp.sys Loaded driver agpCPQ.sys Loaded driver \SystemRoot\system32\DRIVERS\nic1394.sys Loaded driver \SystemRoot\system32\DRIVERS\intelppm.sys Loaded driver \SystemRoot\system32\DRIVERS\nv4_mini.sys Loaded driver \SystemRoot\system32\DRIVERS\usbuhci.sys Loaded driver \SystemRoot\system32\DRIVERS\usbehci.sys Loaded driver \SystemRoot\system32\drivers\ctoss2k.sys Loaded driver \SystemRoot\system32\drivers\ctprxy2k.sys Loaded driver \SystemRoot\system32\drivers\ctaud2k.sys Loaded driver \SystemRoot\system32\DRIVERS\gameenum.sys Loaded driver \SystemRoot\system32\DRIVERS\fdc.sys Loaded driver \SystemRoot\system32\DRIVERS\parport.sys Loaded driver \SystemRoot\system32\DRIVERS\serial.sys Loaded driver \SystemRoot\system32\DRIVERS\serenum.sys Loaded driver \SystemRoot\system32\DRIVERS\cdrom.sys Loaded driver \SystemRoot\system32\DRIVERS\redbook.sys Loaded driver \SystemRoot\SYSTEM32\DRIVERS\GEARAspiWDM.sys Loaded driver \SystemRoot\system32\DRIVERS\imapi.sys Loaded driver \SystemRoot\system32\DRIVERS\audstub.sys Loaded driver \SystemRoot\System32\Drivers\RootMdm.sys Loaded driver \SystemRoot\System32\Drivers\Modem.SYS Loaded driver \SystemRoot\system32\DRIVERS\rasl2tp.sys Loaded driver \SystemRoot\system32\DRIVERS\ndistapi.sys Loaded driver \SystemRoot\system32\DRIVERS\ndiswan.sys Loaded driver \SystemRoot\system32\DRIVERS\raspppoe.sys Loaded driver \SystemRoot\system32\DRIVERS\raspptp.sys Loaded driver \SystemRoot\system32\DRIVERS\msgpc.sys Loaded driver \SystemRoot\system32\DRIVERS\psched.sys Loaded driver \SystemRoot\system32\DRIVERS\ptilink.sys 
Loaded driver \SystemRoot\system32\DRIVERS\raspti.sys Loaded driver \SystemRoot\system32\DRIVERS\rdpdr.sys Loaded driver \SystemRoot\system32\DRIVERS\termdd.sys Loaded driver \SystemRoot\system32\DRIVERS\kbdclass.sys Loaded driver \SystemRoot\system32\DRIVERS\mouclass.sys Loaded driver \SystemRoot\system32\DRIVERS\swenum.sys Loaded driver \SystemRoot\system32\DRIVERS\update.sys Loaded driver \SystemRoot\system32\DRIVERS\mssmbios.sys Loaded driver \SystemRoot\system32\DRIVERS\omci.sys Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS Loaded driver \SystemRoot\system32\DRIVERS\usbhub.sys Loaded driver \SystemRoot\system32\drivers\hap16v2k.sys Loaded driver \SystemRoot\system32\drivers\ha10kx2k.sys Loaded driver \SystemRoot\system32\drivers\emupia2k.sys Loaded driver \SystemRoot\system32\drivers\ctsfm2k.sys Loaded driver \SystemRoot\system32\drivers\ctac32k.sys Loaded driver \SystemRoot\System32\drivers\COMMONFX.SYS Loaded driver \SystemRoot\System32\drivers\CTAUDFX.SYS Loaded driver \SystemRoot\System32\drivers\CTSBLFX.SYS Loaded driver \SystemRoot\system32\DRIVERS\flpydisk.sys Loaded driver \SystemRoot\system32\DRIVERS\usbccgp.sys Loaded driver \SystemRoot\system32\DRIVERS\USBSTOR.SYS Loaded driver \SystemRoot\system32\DRIVERS\rt2870.sys Loaded driver \SystemRoot\system32\DRIVERS\hidusb.sys Loaded driver \SystemRoot\system32\DRIVERS\mouhid.sys Loaded driver \SystemRoot\system32\DRIVERS\kbdhid.sys Did not load driver \SystemRoot\System32\Drivers\lbrtfdc.SYS Did not load driver \SystemRoot\System32\Drivers\Sfloppy.SYS Loaded driver \SystemRoot\System32\Drivers\i2omgmt.SYS Did not load driver \SystemRoot\System32\Drivers\Changer.SYS Did not load driver \SystemRoot\System32\Drivers\Cdaudio.SYS Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.SYS Loaded driver \SystemRoot\System32\Drivers\Null.SYS Loaded driver \SystemRoot\System32\Drivers\Beep.SYS Did not load driver 
\SystemRoot\system32\DRIVERS\i8042prt.sys Loaded driver \SystemRoot\System32\drivers\vga.sys Loaded driver \SystemRoot\System32\Drivers\mnmdd.SYS Loaded driver \SystemRoot\System32\DRIVERS\RDPCDD.sys Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS Loaded driver \SystemRoot\system32\DRIVERS\rasacd.sys Loaded driver \SystemRoot\system32\DRIVERS\ipsec.sys Loaded driver \SystemRoot\system32\DRIVERS\tcpip.sys Loaded driver \SystemRoot\system32\DRIVERS\ipnat.sys Loaded driver \SystemRoot\system32\DRIVERS\wanarp.sys Loaded driver \SystemRoot\System32\Drivers\avgtdix.sys Loaded driver \SystemRoot\system32\DRIVERS\netbt.sys Loaded driver \SystemRoot\System32\drivers\ws2ifsl.sys Loaded driver \SystemRoot\System32\drivers\afd.sys Loaded driver \SystemRoot\system32\DRIVERS\netbios.sys Did not load driver \SystemRoot\System32\Drivers\PCIDump.SYS Loaded driver \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS Loaded driver \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS Loaded driver \SystemRoot\system32\DRIVERS\rdbss.sys Loaded driver \SystemRoot\system32\DRIVERS\mrxsmb.sys Loaded driver \SystemRoot\System32\Drivers\Fips.SYS Loaded driver \SystemRoot\System32\Drivers\avgmfx86.sys Loaded driver \SystemRoot\System32\Drivers\avgldx86.sys Loaded driver \SystemRoot\System32\drivers\aspi32.sys Loaded driver \SystemRoot\System32\Drivers\Fastfat.SYS Loaded driver \SystemRoot\System32\Drivers\Udfs.SYS Loaded driver \SystemRoot\System32\Drivers\Cdfs.SYS Loaded driver \SystemRoot\system32\DRIVERS\AegisP.sys Did not load driver \SystemRoot\system32\DRIVERS\rdbss.sys Did not load driver \SystemRoot\system32\DRIVERS\mrxsmb.sys Loaded driver \??\C:\WINDOWS\system32\drivers\mqac.sys Loaded driver \SystemRoot\system32\DRIVERS\srv.sys Loaded driver \??\C:\WINDOWS\system32\drivers\RMCast.sys Loaded driver \SystemRoot\system32\DRIVERS\secdrv.sys Did not load driver \SystemRoot\system32\DRIVERS\ipnat.sys Loaded driver 
\SystemRoot\system32\drivers\wdmaud.sys Loaded driver \SystemRoot\system32\drivers\sysaudio.sys Loaded driver \SystemRoot\system32\drivers\splitter.sys Loaded driver \SystemRoot\system32\drivers\aec.sys Loaded driver \SystemRoot\system32\drivers\swmidi.sys Loaded driver \SystemRoot\system32\drivers\DMusic.sys Loaded driver \SystemRoot\system32\drivers\kmixer.sys Loaded driver \SystemRoot\system32\drivers\drmkaud.sys Loaded driver \SystemRoot\System32\Drivers\HTTP.sys SIGVERIF.TXT
  5. After the loading bar for the Windows Recovery Console, I got a new Blue Screen of Death, warning of viruses, suggesting I remove new hardware, and suggesting that I type CHKDSK /F in the command console. I ran Check Disk a few days ago, and it came up with very little. Shall I run CHKDSK again, continue with the rest of the list, or is there some solution to the BSOD? BSOD Technical Data ***Stop:0000007b (0F78D2524, 0xC0000034, 0x00000000, 0x00000000)
  6. Ran complete scans with SuperAntiSpyware and Microsoft's Malicious Software Removal Tool, both of which came up clean. MBAM is still freezing up, though; any suggestions?
  7. MBAM.exe was still renamed firefox.com from earlier in these instructions. 2 seconds into the full scan, I got the Blue Screen of Death described earlier: DRIVER_IRQL_NOT_LESS_OR_EQUAL
  8. Malwarebytes' Anti-Malware 1.46 www.malwarebytes.org Database version: 4157 Windows 5.1.2600 Service Pack 3 Internet Explorer 8.0.6001.18702 5/30/2010 7:01:44 PM mbam-log-2010-05-30 (19-01-44).txt Scan type: Quick scan Objects scanned: 129045 Time elapsed: 7 minute(s), 23 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) After closing the program and attempting to scan again, it froze once again at 2 seconds.
  9. Replaced one cluster in Company of Heroes; on subsequent reboot, told that "The Volume is Clean"
  10. DrWeb Log gtdownde_110.ocx;C:\WINDOWS\system32;Probably DLOADER.Trojan;Incurable.Deleted.; A0503560.exe/data002\nircmd.exe;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1482\A0503560.exe/data002;Tool.NirCmd.1;; data002;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1482;Archive contains infected objects;; A0503560.exe;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1482;Container contains infected objects;Moved.; A0504520.ocx;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1482;Probably DLOADER.Trojan;Incurable.Moved.; Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 4:38:28 PM, on 5/30/2010 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe C:\Program Files\AVG\AVG9\avgchsvx.exe C:\Program Files\AVG\AVG9\avgrsx.exe C:\Program Files\AVG\AVG9\avgcsrvx.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Creative\Shared Files\CTAudSvc.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\PRISMSVR.EXE C:\Program Files\AVG\AVG9\avgwdsvc.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\WINDOWS\system32\CTsvcCDA.EXE C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\WINDOWS\system32\CTHELPER.EXE C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Hawking\Common\RaUI.exe C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe C:\Program Files\AVG\AVG9\avgemc.exe C:\Program Files\AVG\AVG9\avgnsx.exe C:\Program 
Files\AVG\AVG9\avgcsrvx.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Global Startup: HWDN1 Wireless Utility.lnk = C:\Program Files\Hawking\Common\RaUI.exe O8 - Extra context menu item: Add to Google Photos Screensa&ver - 
res://C:\WINDOWS\system32\GPhotos.scr/200 O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\WINDOWS\system32\shdocvw.dll O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\WINDOWS\system32\shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing) O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing) O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\WINDOWS\system32\shdocvw.dll (HKCU) O16 - DPF: {588031A3-94BF-4CDD-86D0-939F6F93910F} (FixItClient Class) - https://fixit.support.microsoft.com/ActiveX/FixItClient.CAB O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} - http://pccheckup.dellfix.com/rel/41/install/gtdownde.cab O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe O23 - Service: Bonjour Service - Apple Inc. 
- C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - C:\Program Files\Games\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\Program Files\TuneUp Utilities 2010\TuneUpDefragService.exe O23 - Service: TuneUp Utilities Service (TuneUp.UtilitiesSvc) - TuneUp Software - C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe -- End of file - 7030 bytes
  11. MBAM got past the usual problem point, so I aborted the scan to see if that had solved the problem, but on the second scan attempt, it locked up right on schedule at 2 seconds.
  12. ESET Log C:\I386\GTDownDE_87.ocx probably a variant of Win32/Adware.Agent application cleaned by deleting - quarantined C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1475\A0474843.exe probably a variant of Win32/Agent trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1482\A0501515.ocx probably a variant of Win32/Adware.Agent application cleaned by deleting - quarantined
  13. Done, but MBAM is still freezing at 2 seconds, while "Enumerating Registry Objects Prior to Scan"
  14. Avenger Logfile of The Avenger Version 2.0, © by Swandog46 http://swandog46.geekstogo.com Platform: Windows XP ******************* Script file opened successfully. Script file read successfully. Backups directory opened successfully at C:\Avenger ******************* Beginning to process script file: Rootkit scan active. No rootkits found! Error: could not open file "F:\Autorun.inf" Deletion of file "F:\Autorun.inf" failed! Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND) --> bad path / the parent directory does not exist Completed script processing. ******************* Finished! Terminate. Hijack This Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 4:52:47 PM, on 5/29/2010 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe C:\Program Files\AVG\AVG9\avgchsvx.exe C:\Program Files\AVG\AVG9\avgrsx.exe C:\Program Files\AVG\AVG9\avgcsrvx.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Creative\Shared Files\CTAudSvc.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\PRISMSVR.EXE C:\Program Files\AVG\AVG9\avgwdsvc.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\WINDOWS\system32\CTsvcCDA.EXE C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe C:\Program Files\AVG\AVG9\avgnsx.exe C:\Program Files\AVG\AVG9\avgemc.exe C:\Program Files\AVG\AVG9\avgcsrvx.exe C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\WINDOWS\system32\CTHELPER.EXE C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Hawking\Common\RaUI.exe 
C:\WINDOWS\system32\wuauclt.exe C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - Global Startup: HWDN1 Wireless Utility.lnk = C:\Program Files\Hawking\Common\RaUI.exe O8 - Extra context menu item: Add to Google Photos Screensa&ver - 
res://C:\WINDOWS\system32\GPhotos.scr/200 O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\WINDOWS\system32\shdocvw.dll O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\WINDOWS\system32\shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing) O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing) O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\WINDOWS\system32\shdocvw.dll (HKCU) O16 - DPF: {588031A3-94BF-4CDD-86D0-939F6F93910F} (FixItClient Class) - https://fixit.support.microsoft.com/ActiveX/FixItClient.CAB O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} - http://pccheckup.dellfix.com/rel/41/install/gtdownde.cab O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe O23 - Service: Bonjour Service - Apple Inc. 
- C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - C:\Program Files\Games\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\Program Files\TuneUp Utilities 2010\TuneUpDefragService.exe O23 - Service: TuneUp Utilities Service (TuneUp.UtilitiesSvc) - TuneUp Software - C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe -- End of file - 6939 bytes
  15. ComboFix 10-05-29.03 - John Macdonald 05/29/2010 16:21:07.3.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2538 [GMT -4:00] Running from: c:\documents and settings\John Macdonald\Desktop\Combo-Fix.exe Command switches used :: c:\documents and settings\John Macdonald\Desktop\CFScript.txt AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . F:\Autorun.inf . . . . failed to delete . ((((((((((((((((((((((((( Files Created from 2010-04-28 to 2010-05-29 ))))))))))))))))))))))))))))))) . 2010-05-28 19:52 . 2010-05-28 19:52 -------- d-----w- c:\documents and settings\John Macdonald\Application Data\NVIDIA 2010-05-27 06:08 . 2010-05-27 06:08 -------- d-----w- c:\documents and settings\John Macdonald\Application Data\VistaCodecs 2010-05-27 06:08 . 2010-05-27 06:08 -------- d-----w- c:\program files\VistaCodecPack 2010-05-27 06:06 . 2010-05-27 06:08 -------- d-----w- c:\documents and settings\All Users\Application Data\VistaCodecs 2010-05-27 06:02 . 2010-05-27 06:02 -------- d-----w- c:\program files\MPC Homecinema 2010-05-27 05:57 . 2010-05-27 05:57 -------- d-----w- c:\documents and settings\John Macdonald\Application Data\Media Player Classic 2010-05-27 04:10 . 2010-04-03 22:55 61440 ----a-w- c:\windows\system32\OpenCL.dll 2010-05-27 04:10 . 2010-04-03 22:55 11647592 ----a-w- c:\windows\system32\nvcompiler.dll 2010-05-25 22:20 . 2010-05-25 22:20 -------- d-----w- c:\program files\Trend Micro 2010-05-25 16:29 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-05-25 16:29 . 2010-05-29 15:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-05-25 16:29 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-05-24 02:05 . 
2010-05-24 02:06 -------- d-----w- c:\program files\iTunes
2010-05-24 02:05 . 2010-05-24 02:05 -------- d-----w- c:\program files\Apple Software Update
2010-05-22 06:16 . 2010-05-22 06:16 -------- d-sh--w- c:\documents and settings\John Macdonald\IECompatCache
2010-05-21 06:39 . 2010-05-25 16:29 -------- d-----w- c:\documents and settings\John Macdonald\Application Data\Malwarebytes
2010-05-21 06:39 . 2010-05-25 16:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-18 21:58 . 2010-05-18 21:58 1085440 ----a-w- c:\windows\system32\VSFilter.dll
2010-05-18 05:47 . 2010-05-18 05:47 108032 ----a-w- c:\windows\system32\ff_vfw.dll
2010-05-17 00:33 . 2010-05-17 00:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-05-17 00:33 . 2010-05-17 00:33 -------- d-----w- c:\documents and settings\John Macdonald\Application Data\Office Genuine Advantage
2010-05-16 18:32 . 2010-05-16 21:26 -------- d--h--w- c:\windows\Icons
2010-05-09 04:46 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-07 03:43 . 2010-05-07 03:43 -------- d-----w- c:\program files\Bonjour
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-29 20:11 . 2010-05-29 20:13 3106304 ----a-w- c:\windows\Internet Logs\xDB16.tmp
2010-05-29 18:41 . 2005-05-27 01:56 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-29 15:27 . 2010-05-29 15:28 3073536 ----a-w- c:\windows\Internet Logs\xDB15.tmp
2010-05-29 03:41 . 2008-12-18 08:06 3940247 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-05-29 02:42 . 2005-05-26 22:30 40754 -c--a-w- c:\documents and settings\John Macdonald\Application Data\wklnhst.dat
2010-05-29 02:40 . 2006-12-17 04:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-27 06:50 . 2005-12-08 00:39 -------- d-----w- c:\program files\DivX
2010-05-27 06:50 . 2006-02-02 05:31 -------- d-----w- c:\documents and settings\John Macdonald\Application Data\Petroglyph
2010-05-27 04:13 . 2009-09-30 00:48 -------- d-----w- c:\program files\NVIDIA Corporation
2010-05-27 04:12 . 2008-11-23 17:50 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-05-26 20:39 . 2005-05-20 01:50 -------- d-----w- c:\program files\Java
2010-05-25 16:02 . 2010-05-25 16:03 2976256 ----a-w- c:\windows\Internet Logs\xDB14.tmp
2010-05-24 02:05 . 2005-05-27 17:59 -------- d-----w- c:\program files\iPod
2010-05-24 02:05 . 2007-07-26 02:30 -------- d-----w- c:\program files\Common Files\Apple
2010-05-23 04:28 . 2010-05-23 04:29 2972672 ----a-w- c:\windows\Internet Logs\xDB13.tmp
2010-05-20 15:56 . 2010-05-20 15:57 2931200 ----a-w- c:\windows\Internet Logs\xDB12.tmp
2010-05-20 15:14 . 2010-04-28 01:29 -------- d-----w- c:\program files\TuneUp Utilities 2010
2010-05-16 04:19 . 2005-05-29 15:29 -------- d-----w- c:\program files\World of Warcraft
2010-05-16 04:06 . 2005-05-20 01:51 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-11 19:24 . 2010-05-11 20:18 3408384 ----a-w- c:\windows\Internet Logs\xDB11.tmp
2010-05-07 16:06 . 2010-04-28 01:30 30536 ----a-w- c:\windows\system32\TURegOpt.exe
2010-05-07 16:01 . 2010-04-28 01:30 30024 ----a-w- c:\windows\system32\uxtuneup.dll
2010-05-07 03:43 . 2005-05-27 18:00 -------- d-----w- c:\documents and settings\John Macdonald\Application Data\Apple Computer
2010-05-05 03:12 . 2008-01-20 23:00 -------- d-----w- c:\program files\CCleaner
2010-04-29 06:40 . 2005-08-08 04:09 76648 -c--a-w- c:\documents and settings\John Macdonald\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-29 05:57 . 2010-04-13 23:46 -------- d-----w- c:\program files\HRBlock2009
2010-04-29 05:52 . 2010-04-13 23:46 -------- d-----w- c:\program files\PDF995
2010-04-28 19:45 . 2010-04-28 19:45 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-04-28 01:29 . 2010-04-28 01:29 -------- d-----w- c:\documents and settings\John Macdonald\Application Data\TuneUp Software
2010-04-28 01:29 . 2010-04-28 01:29 -------- d-----w- c:\documents and settings\All Users\Application Data\TuneUp Software
2010-04-28 01:29 . 2010-04-28 01:29 -------- d-sh--w- c:\documents and settings\All Users\Application Data\{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC}
2010-04-20 20:09 . 2009-01-30 06:21 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-15 01:21 . 2010-04-15 01:21 -------- d-----w- c:\program files\StreamTransport
2010-04-15 00:41 . 2010-04-13 23:47 -------- d-----w- c:\documents and settings\John Macdonald\Application Data\TaxCut
2010-04-15 00:41 . 2010-04-14 02:00 -------- d-----w- c:\documents and settings\All Users\Application Data\pdf995
2010-04-14 02:04 . 2010-04-14 02:04 -------- d-----w- c:\documents and settings\John Macdonald\Application Data\pdf995
2010-04-14 02:00 . 2010-04-14 02:00 51716 ----a-w- c:\windows\system32\pdf995mon.dll
2010-04-14 02:00 . 2010-04-14 02:00 249856 ----a-w- c:\windows\system32\pdfmona.dll
2010-04-14 00:34 . 2010-04-14 00:34 3116520 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Downloads\HRBlockCT.exe
2010-04-13 23:48 . 2010-04-13 23:47 21195208 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Update\US30026901xupd.exe
2010-04-13 23:45 . 2010-04-13 23:45 -------- d-----w- c:\documents and settings\All Users\Application Data\TaxCut
2010-04-13 03:00 . 2010-04-01 23:22 -------- d-----w- c:\program files\Activision
2010-04-08 17:20 . 2010-04-08 17:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 17:20 . 2010-04-08 17:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-04-06 17:39 . 2010-04-06 17:39 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-06 17:37 . 2006-11-17 01:06 -------- d-----w- c:\program files\QuickTime
2010-04-06 04:16 . 2005-06-07 02:15 -------- d-----w- c:\documents and settings\John Macdonald\Application Data\.gaim
2010-04-04 02:26 . 2010-04-04 02:25 8 ----a-w- c:\windows\crpf.bin
2010-04-04 02:25 . 2010-04-04 02:25 4 ----a-w- c:\windows\crpf_sdum.bin
2010-04-03 23:23 . 2010-04-03 23:23 278120 ----a-w- c:\windows\system32\nvmccs.dll
2010-04-03 23:23 . 2010-04-03 23:23 154216 ----a-w- c:\windows\system32\nvsvc32.exe
2010-04-03 23:23 . 2010-04-03 23:23 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-04-03 23:23 . 2010-04-03 23:23 13670504 ----a-w- c:\windows\system32\nvcpl.dll
2010-04-03 23:23 . 2010-04-03 23:23 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-04-03 23:22 . 2010-04-03 23:22 81920 ----a-w- c:\windows\system32\nvwddi.dll
2010-04-03 22:55 . 2009-09-30 05:38 600680 -c--a-w- c:\windows\system32\nvudisp.exe
2010-04-03 22:55 . 2009-06-10 10:03 2646632 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-04-03 22:55 . 2009-06-10 10:03 2183470 ----a-w- c:\windows\system32\nvdata.bin
2010-04-03 22:55 . 2009-06-10 10:03 2030184 ----a-w- c:\windows\system32\nvcuvid.dll
2010-04-03 22:55 . 2008-12-25 16:08 4075520 ----a-w- c:\windows\system32\nvcuda.dll
2010-04-03 22:55 . 2008-12-25 16:08 227944 ----a-w- c:\windows\system32\nvcodins.dll
2010-04-03 22:55 . 2008-12-25 16:08 227944 ----a-w- c:\windows\system32\nvcod.dll
2010-04-03 22:55 . 2008-12-25 16:08 14757888 ----a-w- c:\windows\system32\nvoglnt.dll
2010-04-03 22:55 . 2008-12-25 16:08 1097728 ----a-w- c:\windows\system32\nvapi.dll
2010-04-03 22:55 . 2006-09-04 16:24 6432128 ----a-w- c:\windows\system32\nv4_disp.dll
2010-04-03 22:55 . 1980-01-01 05:00 10232128 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2010-04-03 06:19 . 2010-04-03 06:19 503808 ----a-w- c:\documents and settings\John Macdonald\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1624d392-n\msvcp71.dll
2010-04-03 06:19 . 2010-04-03 06:19 499712 ----a-w- c:\documents and settings\John Macdonald\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1624d392-n\jmc.dll
2010-04-03 06:19 . 2010-04-03 06:19 348160 ----a-w- c:\documents and settings\John Macdonald\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1624d392-n\msvcr71.dll
2010-04-03 06:19 . 2005-05-20 01:50 -------- d-----w- c:\program files\Common Files\Java
2010-04-03 06:19 . 2010-04-03 06:19 61440 ----a-w- c:\documents and settings\John Macdonald\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6b4d2e3f-n\decora-sse.dll
2010-04-03 06:19 . 2010-04-03 06:19 12800 ----a-w- c:\documents and settings\John Macdonald\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6b4d2e3f-n\decora-d3d.dll
2010-04-02 22:31 . 2010-04-02 22:31 49152 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-04-02 22:31 . 2010-04-02 22:31 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-04-02 22:31 . 2010-04-02 22:31 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-04-02 22:31 . 2010-04-02 22:31 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-04-02 22:31 . 2010-04-02 22:31 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-04-02 22:31 . 2010-04-02 22:31 40960 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-04-02 22:31 . 2010-04-02 22:31 308808 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-04-02 22:31 . 2010-04-02 22:31 14848 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
2010-04-02 22:31 . 2010-04-02 22:31 341600 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-04-02 22:31 . 2005-12-07 20:59 -------- d-----w- c:\program files\Common Files\Real
2010-04-02 22:31 . 2005-12-07 20:59 -------- d-----w- c:\program files\Real
2010-04-02 22:31 . 2010-04-02 22:31 -------- d-----w- c:\program files\Common Files\xing shared
2010-04-02 22:30 . 2004-09-16 17:29 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-04-02 22:30 . 2004-09-16 17:29 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-04-02 20:54 . 2009-09-30 05:34 600680 -c--a-w- c:\windows\system32\NVUNINST.EXE
2010-03-17 18:54 . 2010-03-17 18:54 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-17 18:54 . 2009-01-30 06:21 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-17 18:53 . 2009-01-30 06:21 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-10 06:15 . 2004-08-04 10:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2008-08-10 17:59 . 2008-08-10 21:58 262144 -c--a-w- c:\program files\Uninstall Spy Blocker.dll
2009-07-09 14:23 . 2009-07-09 14:17 577568 -csha-w- c:\windows\SYSTEM32\DRIVERS\fidbox.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsmqIntCert"="mqrt.dll" [2008-04-14 177152]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-06-29 135168]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"CTHelper"="CTHELPER.EXE" [2009-03-04 19456]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-03 13670504]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-04-02 202256]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HWDN1 Wireless Utility.lnk - c:\program files\Hawking\Common\RaUI.exe [2009-9-25 704512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-17 18:54 12464 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless USB 2.0 WLAN Card Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Wireless USB 2.0 WLAN Card Utility.lnk
backup=c:\windows\pss\Wireless USB 2.0 WLAN Card Utility.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]
2009-04-29 17:55 3338240 -c--a-w- c:\program files\Electronic Arts\EADM\Core.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-03-26 15:55 133104 -c--atw- c:\documents and settings\John Macdonald\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-04-28 19:06 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2010-04-03 23:23 13670504 ----a-w- c:\windows\SYSTEM32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2010-04-03 23:23 110696 ----a-w- c:\windows\SYSTEM32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-05-26 21:17 1238352 ----a-w- c:\valve\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 15:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-04-02 22:30 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
2004-01-07 06:01 110592 -c--a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zone Labs Client]
2009-02-16 04:10 981384 ----a-w- c:\program files\Zone Labs\ZoneAlarm\zlclient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"FastUserSwitchingCompatibility"=3 (0x3)
"PnkBstrA"=2 (0x2)
"JavaQuickStarterService"=3 (0x3)
"iPod Service"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"UpdReg"=c:\windows\UpdReg.EXE
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"CTSysVol"=c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"nwiz"=c:\program files\NVIDIA Corporation\nView\nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Valve\\Steam\\Steam.exe"=
"c:\\WINDOWS\\SYSTEM32\\MQSVC.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe"=
"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"=
"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"=
"c:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"=
"c:\\Program Files\\Games\\Mass Effect\\Binaries\\MassEffect.exe"=
"c:\\Program Files\\Games\\Mass Effect\\MassEffectLauncher.exe"=
"c:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\THQ\\Company of Heroes\\RelicDownloader\\RelicDownloader.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Games\\Dragon Age\\bin_ship\\daorigins.exe"=
"c:\\Program Files\\Games\\Dragon Age\\DAOriginsLauncher.exe"=
"c:\\Program Files\\Games\\Dragon Age\\bin_ship\\daupdatersvc.service.exe"=
"c:\\Program Files\\Games\\Mass Effect 2\\Binaries\\MassEffect2.exe"=
"c:\\Program Files\\Games\\Mass Effect 2\\MassEffect2Launcher.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Valve\\Steam\\SteamApps\\agentsmythe\\counter-strike source\\hl2.exe"=
"c:\\Valve\\Steam\\SteamApps\\common\\nexus the jupiter incident\\runme.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowOutboundDestinationUnreachable"= 1 (0x1)
"AllowOutboundSourceQuench"= 1 (0x1)
"AllowOutboundParameterProblem"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)
"AllowRedirect"= 1 (0x1)
"AllowOutboundPacketTooBig"= 1 (0x1)

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [1/30/2009 2:21 AM 216200]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [1/30/2009 2:21 AM 242896]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [3/17/2010 2:53 PM 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/17/2010 2:54 PM 308064]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe [5/7/2010 12:04 PM 1051976]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\SYSTEM32\DRIVERS\COMMONFX.sys [3/4/2009 2:42 PM 99352]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\SYSTEM32\DRIVERS\CTAUDFX.sys [3/4/2009 2:42 PM 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\SYSTEM32\DRIVERS\CTSBLFX.sys [3/4/2009 2:42 PM 566296]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys [2/25/2010 10:18 AM 10064]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/28/2009 10:00 AM 133104]
S3 COMMONFX;COMMONFX;c:\windows\SYSTEM32\DRIVERS\COMMONFX.sys [3/4/2009 2:42 PM 99352]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [6/22/2009 12:46 AM 79360]
S3 CSVirtA;Cisco Systems SSL VPN Adapter;c:\windows\system32\DRIVERS\CSVirtA.sys --> c:\windows\system32\DRIVERS\CSVirtA.sys [?]
S3 CTAUDFX;CTAUDFX;c:\windows\SYSTEM32\DRIVERS\CTAUDFX.sys [3/4/2009 2:42 PM 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\SYSTEM32\DRIVERS\CTERFXFX.sys [3/4/2009 2:42 PM 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\SYSTEM32\DRIVERS\CTERFXFX.sys [3/4/2009 2:42 PM 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\SYSTEM32\DRIVERS\CTSBLFX.sys [3/4/2009 2:42 PM 566296]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Games\Dragon Age\bin_ship\daupdatersvc.service.exe [11/14/2009 1:54 AM 25832]
S3 kbeepm;kbeepm;\??\c:\docume~1\JOHNMA~1\LOCALS~1\Temp\kbeepm.sys --> c:\docume~1\JOHNMA~1\LOCALS~1\Temp\kbeepm.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys [5/25/2010 12:29 PM 38224]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\BD.tmp --> c:\windows\system32\BD.tmp [?]
S4 PrintSuperVision Assistant;PrintSuperVision Assistant;c:\program files\PrintSuperVision Assistant\PSVSAService.exe --> c:\program files\PrintSuperVision Assistant\PSVSAService.exe [?]
S4 PRISMSVC;PRISMSVC;c:\windows\SYSTEM32\PRISMSVC.exe [5/19/2005 9:51 PM 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2010-05-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]

2010-05-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-28 14:00]

2010-05-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-28 14:00]

2010-05-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3365313937-3253272465-2137926639-1005Core.job
- c:\documents and settings\John Macdonald\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-26 15:55]

2010-05-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3365313937-3253272465-2137926639-1005UA.job
- c:\documents and settings\John Macdonald\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-26 15:55]

2010-05-29 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]

2010-05-29 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3365313937-3253272465-2137926639-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2010-05-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3365313937-3253272465-2137926639-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dell4me.com/myway
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &AIM Search
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
FF - ProfilePath - c:\documents and settings\John Macdonald\Application Data\Mozilla\Firefox\Profiles\1oj6u7or.default\
FF - plugin: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\John Macdonald\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMCult3DP.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\windows\system32\Cult3D\NPMCult3DP.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-29 16:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\BD.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3365313937-3253272465-2137926639-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:b4,5a,22,4d,78,ad,e2,77,fb,9c,7a,8e,19,66,6c,90,a7,f6,f7,f1,d0,04,39,
   58,83,2e,d3,7f,ba,3e,d5,99,97,c1,3f,e1,32,93,b8,2a,a4,8b,57,89,17,79,a9,91,\
"??"=hex:a1,5e,47,db,25,65,bb,27,8b,92,55,34,10,3f,d9,49

[HKEY_USERS\S-1-5-21-3365313937-3253272465-2137926639-1005\Software\SecuROM\License information*]
"datasecu"=hex:9a,77,b6,be,5e,8c,d7,a3,2b,04,2c,6b,a0,84,3b,15,fd,88,c7,a5,e6,
   4b,c4,2b,7b,30,18,d6,79,7f,03,e5,1d,8e,e0,69,9a,85,73,53,39,24,68,bd,a5,82,\
"rkeysecu"=hex:f8,49,c5,73,b7,f6,49,8f,af,66,2d,82,39,e1,af,63
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1204)
c:\windows\system32\PRISMAPI.dll

- - - - - - - > 'explorer.exe'(2028)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Creative\Shared Files\CTAudSvc.exe
c:\windows\system32\PRISMSVR.EXE
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.EXE
c:\program files\Intel\Intel Application Accelerator\iaantmon.exe
c:\windows\system32\msdtc.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
.
**************************************************************************
.
Completion time: 2010-05-29 16:37:14 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-29 20:37
ComboFix2.txt 2010-05-29 20:01

Pre-Run: 40,865,566,720 bytes free
Post-Run: 40,828,129,280 bytes free

- - End Of File - - 1C2A39660D3D300C27668523305DA016