TechSpot

[Solved] Chrome and IE search page links redirect

Discussion in 'Virus and Malware Removal' started by snoobler, Feb 26, 2011.

  1. snoobler Newcomer, in training

    All processes killed
    ========== FILES ==========
    File/Folder H:\WINDOWS\system32\k.dll not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: All Users

    User: All Users.WINDOWS

    User: Deb
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 8662114 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Google Chrome cache emptied: 73838537 bytes
    ->Flash cache emptied: 934 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User.WINDOWS
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: LocalService.NT AUTHORITY
    ->Temp folder emptied: 65536 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: NetworkService.NT AUTHORITY
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: Steve
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 0 bytes
    Session Manager Temp folder emptied: 1167358 bytes
    Session Manager Tmp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 44607 bytes

    Total Files Cleaned = 80.00 mb


    OTM by OldTimer - Version 3.1.17.2 log created on 03022011_145837

    Files moved on Reboot...

    Registry entries deleted on Reboot...

    ================================================================

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-02 15:08:37
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
    "s0"=dword:6a0d5e22
    "s1"=dword:9d5ec1f0
    "s2"=dword:03819763
    "h0"=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
    "p0"="H:\Program Files\DAEMON Tools\"
    "h0"=dword:00000000
    "khjeh"=hex:08,28,0e,1b,5e,e9,b7,f8,8a,3b,8a,3c,e8,02,88,32,16,4f,a7,58,63,..

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
    "a0"=hex:20,01,00,00,c1,e3,27,43,7e,8c,b9,85,71,3f,ae,c6,1f,b7,36,3d,07,..
    "khjeh"=hex:02,dc,6f,47,0a,3e,6f,f3,4f,a5,1a,80,eb,cd,57,bb,b2,a2,0b,f3,1f,..

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
    "khjeh"=hex:29,a1,21,25,de,e3,35,30,f1,b8,09,e0,81,26,9c,3f,3d,b2,11,91,04,..

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
    "khjeh"=hex:2a,af,75,01,e8,55,4c,d1,67,d0,a7,71,96,7a,df,49,e7,ca,70,7d,f4,..
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
    "p0"="H:\Program Files\DAEMON Tools\"
    "h0"=dword:00000000
    "khjeh"=hex:08,28,0e,1b,5e,e9,b7,f8,8a,3b,8a,3c,e8,02,88,32,16,4f,a7,58,63,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
    "a0"=hex:20,01,00,00,c1,e3,27,43,7e,8c,b9,85,71,3f,ae,c6,1f,b7,36,3d,07,..
    "khjeh"=hex:02,dc,6f,47,0a,3e,6f,f3,4f,a5,1a,80,eb,cd,57,bb,b2,a2,0b,f3,1f,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
    "khjeh"=hex:aa,8f,ac,06,1c,5b,fd,db,b0,0d,bd,9a,b3,09,ac,9c,3c,ba,67,5d,e8,..
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
    "p0"="H:\Program Files\DAEMON Tools\"
    "h0"=dword:00000000
    "khjeh"=hex:08,28,0e,1b,5e,e9,b7,f8,8a,3b,8a,3c,e8,02,88,32,16,4f,a7,58,63,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
    "a0"=hex:20,01,00,00,c1,e3,27,43,7e,8c,b9,85,71,3f,ae,c6,1f,b7,36,3d,07,..
    "khjeh"=hex:02,dc,6f,47,0a,3e,6f,f3,4f,a5,1a,80,eb,cd,57,bb,b2,a2,0b,f3,1f,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
    "khjeh"=hex:29,a1,21,25,de,e3,35,30,f1,b8,09,e0,81,26,9c,3f,3d,b2,11,91,04,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
    "khjeh"=hex:2a,af,75,01,e8,55,4c,d1,67,d0,a7,71,96,7a,df,49,e7,ca,70,7d,f4,..

    scanning hidden registry entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0
  2. Bobbye Helper on the Fringe

    Okay, if you are still having the redirects, I'd like you to disable the CD Emulator (DaemonTools)- it may be interfering with the scans:

    DeFogger CD Emulation

    To disable CD Emulation programs using DeFogger please perform these steps:
    1. Please download DeFogger to your desktop.
       Link: http://download.bleepingcomputer.com/jpshortstuff/Defogger.exe
    2. Once downloaded, double-click on the DeFogger icon to start the tool.
    3. The application window will now appear. You should now click on the Disable button to disable your CD Emulation drivers.
    4. When it prompts you whether or not you want to continue, please click on the Yes button to continue.
    5. When the program has completed you will see a Finished! message. Click on the OK button to exit the program.
    6. If CD Emulation programs are present and have been disabled, DeFogger will now ask you to reboot the machine. Please allow it to do so by clicking on the OK button.
    ================================
    When we have finished doing the scans:
    To enable CD Emulation programs using DeFogger please perform these steps:
    1. Please download DeFogger to your desktop.
    2. Once downloaded, double-click on the DeFogger icon to start the tool.
    3. The application window will now appear. You should now click on the Enable button to enable your CD Emulation drivers.
    4. When it prompts you whether or not you want to continue, please click on the Yes button to continue.
    5. When the program has completed you will see a Finished! message. Click on the OK button to exit the program.
    6. If CD Emulation programs are present and have been enabled, DeFogger will now ask you to reboot the machine. Please allow it to do so by clicking on the OK button.
    ==================================
    If there is any change in the system, please let me know. As for slow loading pages, that is most likely a server issue, not malware.
  3. snoobler Newcomer, in training

    Per http://www.techspot.com/vb/post1011027-15.html, "Redirects are NOT occurring anymore, and page loads following link clicks are VERY responsive (since they're not looking for a different server! - and Avast shields are still disabled)."

    Do you still wish me to execute the steps pertaining to DeFogger?

    There have been no adverse changes to the system since my referenced link. Comments concerning slow page loads were exclusively associated with redirects. Since redirects have stopped, browser navigation is very brisk with few exceptions.
  4. Bobbye Helper on the Fringe

    Okay, skip the Emulator removal.

    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disk Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin

    Let me know if you have any questions.
  5. snoobler Newcomer, in training

    Thanks again for all your help thus far.

    Combofix uninstalled.

    OTCleanIt ran, and it required a reboot. Rebooted without incident.

    Upon attempting to create a restore point, I was informed that I needed to turn it on. I did not turn it off at any point during this entire process. Is this normal?

    I turned it on and created a restore point. When I did so, there were no other restore points available.

    Nonetheless, I executed the disk clean up instructions and emptied the recycle bin per your recommendation.

    Last question: What turned off my system restore?
  6. Bobbye Helper on the Fringe

    You're welcome. I don't know what turned System Restore off. Possibly it was not turned on? But when it gets turned off, it drops all the old restore points.

    Some instructions in malware cleaning tell users to turn off SR. We don't do that. Sometimes a system will get so corrupted that the only way back in is System Restore.
  7. snoobler Newcomer, in training

    That brings up another concern that we went back-and-forth on. I can assure you that system restore was enabled, and you even posted the listed restore points here:

    http://www.techspot.com/vb/post1011061-16.html

    This begs the question, what turned it off? I can promise you that I didn't. Either one of your recommended tools did, or some other process did so. This leads me to believe that something might still be amiss. I have created a new restore point per your recommendation, and I have confirmed it is still there at this very moment. My computer appears to be operating properly, but this system restore issue gives me pause. If you're confident all is well, I offer my deepest gratitude and appreciate all your efforts!!!!
  8. Bobbye Helper on the Fringe

    I cannot tell you why the System Restore was turned off. The computer has not been in my hands. I can tell you that when SR is turned off, the existing restore points are dropped.
    The following are the restore point on the system in the first log:
    Note please that 2 restores were done, using 2 restore points. So they are no longer available. The only other 2 showing are 1 set by the system and the other upon the HJT install. So you really didn't have many in the first place.
    ==========================================
    I have also pointed out your use of 2 file sharing programs> uTorrent and LimeWire and documentation on why you should uninstall them and what potential dangers are. There are also 2 globally open ports for uTorrent. 'Global' means that any account that signs on has use of the. Although I wrote script to remove them, they remain open.
    "8181:TCP"= 8181:TCP:utorrent webui
    "8181:UDP"= 8181:UDP:utorrent webui

    =========================================
    You did a lot of scans on your own- including prior run of Combofix. I am not responsible for any actions the scan or you took on the results. You did the following which was a wrong thing to do because the infected or corrupt file remained in the system. I later replaced it correctly.
    ===========================================
    If you are uncomfortable, run DeFogger and one more Combofix scan. Although it is possible that something new can show up, based on what I see in the logs and your descriptions, I have no reason to think the system is still infected.
    ==========================================
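    Bobbye's finding that the two uTorrent ports are still globally open comes straight from the GloballyOpenPorts section that ComboFix prints under "Reg Loading Points". The parser below, an added example for this thread and not ComboFix's or the thread's own code, pulls that section and the AuthorizedApplications list out of a ComboFix-style excerpt and lists what a reviewer would check; the log excerpt is constructed from the lines quoted in the thread, and the function names are mine.

```python
"""Audit the Windows XP firewall entries that ComboFix prints under
'Reg Loading Points'. Added example for this thread, not ComboFix's or
TechSpot's code; the excerpt below is constructed from lines quoted in
the thread (the 3389 entry is written as ComboFix prints it, with '@')."""
import re

# Constructed excerpt in ComboFix's layout: a bracketed registry key,
# then "name"= value lines, with a lone "." separating sections.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"h:\\Program Files\\uTorrent\\uTorrent.exe"=
"h:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"8181:TCP"= 8181:TCP:utorrent webui
"8181:UDP"= 8181:UDP:utorrent webui
.
"""

KEY_RE = re.compile(r"^\[(.+)\]$")            # [HKLM\...\List]
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')  # "name"= data
PORT_RE = re.compile(r"^(\d+):(TCP|UDP)$")     # 8181:TCP


def parse_sections(text):
    """Return {registry key: [(value name, data), ...]} for a log excerpt."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            sections[current] = []
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            sections[current].append((value.group(1), value.group(2)))
    return sections


def firewall_findings(text):
    """List every globally open port, and every authorized application
    that lives outside %windir%, as tuples a reviewer can scan quickly."""
    findings = []
    for key, values in parse_sections(text).items():
        if key.lower().endswith(r"globallyopenports\list"):
            for name, data in values:
                port = PORT_RE.match(name)
                if not port:
                    continue
                # data looks like "8181:TCP:utorrent webui"; keep the label
                label = data.split(":", 2)[2] if data.count(":") >= 2 else data
                findings.append(("open_port", int(port.group(1)), port.group(2), label))
        elif key.lower().endswith(r"authorizedapplications\list"):
            for name, _ in values:
                path = name.replace("\\\\", "\\")  # ComboFix doubles backslashes
                if not path.lower().startswith("%windir%"):
                    findings.append(("authorized_app", path))
    return findings


if __name__ == "__main__":
    for finding in firewall_findings(SAMPLE_LOG):
        print(finding)
```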
  9. snoobler Newcomer, in training

    The only remaining mystery is why my system restore was off. I am 99.9% confident that it was on before the infection, but when I looked to restore once I noticed the infection, system restore was on, but no restore points were listed. Listed restore points you have seen were created AFTER the first sign of infection. The drive is configured to permit 44GB of use by system restore.

    As you may recall, from my initial post, "logs supplied are POST restore," so I would expect that my prior efforts were "erased," and you were just dealing with the log "snapshot" moving forward. While it wasn't in your hands, I can assure you that no human being turned off system restore, and from your prior posts, I interpreted your position that malware can't disable system restore. If malware can't disable it, and I haven't turned it off, then I'm just looking for a reason.

    Combofix seems to attempt to create its own restore points, so again, I would expect to see evidence unless the /uninstall process removed them.

    The system restore point you directed me to make is still present and two additional system checkpoints have been automatically created. There have been several reboots since the user initiated system restore point.

    I realize it's not your job to educate me, and I'm really not trying to be a pain. I hate an unsolved mystery, and I hope you don't take any of this as a challenge to your expertise. With the exception of the deactivated system restore, it appears that all issues have been resolved and my PC is performing as expected. I am VERY grateful!

    Concerning Limewire, it is not used, and it hasn't been for quite some time (years?). I will uninstall it.

    Concerning uTorrent, I understand the risks, and access to the web interface is protected by a reasonably strong password.

    I will run Combofix one last time and post the log. If you say it's clean, I'll be on my way singing your praises to all within earshot!
  10. Bobbye Helper on the Fringe

    "The user?" Not "I"?
  11. snoobler Newcomer, in training

    LOL... oh how important grammar and punctuation can be... I should have used a hyphen, i.e., "user-initiated" as I meant to differentiate it separately from the automatic restore points.

    To be very clear, this is my personal PC, and with the very rare exception of my wife (because a kid is on hers) and my mother's (because she doesn't have her own printer) occasional usage, it's all mine, and I'm quite protective of it!

    Though I can clearly screw it up on my own... :-(

    Since my last post, I have uninstalled Limewire. According to add/remove programs, its last use was in 8/2008.

    Combofix ran normally and successfully restarted the computer on its own. All of today's activities have been accomplished successfully via remote desktop (where you can see that from the logs - just realized that)... :)

    Two last questions:
    1) Does Combofix change the "hide extensions for known filetypes" option? After Combofix ran and rebooted, my extensions were gone. I have changed the setting, and they are back.
    2) Is this a good time to implement MVPS Host file?

    Thanks again!

    Log attached:

    =============================================================

    ComboFix 11-03-07.02 - Steve 03/07/2011 13:34:03.5.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1458 [GMT -7:00]
    Running from: h:\documents and settings\Deb\Desktop\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    h:\windows\system32\LogFiles
    h:\windows\system32\LogFiles\HTTPERR\httperr1.log
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-07 to 2011-03-07 )))))))))))))))))))))))))))))))
    .
    .
    2099-07-09 05:22 . 2099-07-09 05:22 -------- d-----w- h:\program files\Common Files\Insight Software Solutions
    2099-07-09 05:22 . 2008-07-10 03:29 -------- d-----w- h:\program files\Macro Express3
    2020-11-03 13:37 . 2010-11-03 13:43 -------- d-----w- h:\program files\SlySoft
    2011-03-01 03:39 . 2011-03-01 03:39 -------- d-----w- h:\program files\Common Files\Java
    2011-03-01 03:39 . 2011-03-01 03:39 73728 ----a-w- h:\windows\system32\javacpl.cpl
    2011-03-01 03:39 . 2011-03-01 03:39 472808 ----a-w- h:\windows\system32\deployJava1.dll
    2011-03-01 03:39 . 2011-03-01 03:39 -------- d-----w- h:\program files\Java
    2011-02-27 19:19 . 2011-02-27 19:19 33019 ----a-w- h:\windows\system32\CoreAAC-uninstall.exe
    2011-02-27 19:18 . 2009-08-12 04:18 497664 ----a-w- h:\windows\system32\ac3filter.acm
    2011-02-27 18:32 . 2011-02-27 20:28 -------- d-----w- H:\Temple
    2011-02-27 18:29 . 2011-02-27 18:42 -------- d-----w- h:\program files\Avi2Dvd
    2011-02-26 19:30 . 2011-02-26 19:30 -------- d-----w- h:\program files\ESET
    2011-02-26 16:14 . 2011-02-23 14:56 371544 ----a-w- h:\windows\system32\drivers\aswSnx.sys
    2011-02-26 15:52 . 2011-02-26 15:52 -------- d-----w- h:\windows\system32\wbem\Repository
    2011-02-25 07:53 . 2011-02-25 07:53 -------- d-----w- h:\documents and settings\LocalService.NT AUTHORITY\IETldCache
    2011-02-25 04:37 . 2011-02-25 04:37 -------- d-----w- h:\documents and settings\Deb\Application Data\Malwarebytes
    2011-02-25 04:26 . 2010-12-21 01:09 38224 ----a-w- h:\windows\system32\drivers\mbamswissarmy.sys
    2011-02-25 04:26 . 2011-02-25 04:26 -------- d-----w- h:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
    2011-02-25 04:26 . 2011-02-26 16:12 -------- d-----w- h:\program files\Malwarebytes' Anti-Malware
    2011-02-25 04:26 . 2010-12-21 01:08 20952 ----a-w- h:\windows\system32\drivers\mbam.sys
    2011-02-19 13:01 . 2011-02-19 13:01 -------- d-----w- h:\program files\Microsoft.NET
    2011-02-18 07:02 . 2011-02-18 07:02 -------- d-----w- H:\AutoCad
    2011-02-10 01:10 . 2011-02-10 01:10 1716297 ----a-w- h:\windows\system32\InetClnt.dll
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-23 15:04 . 2010-08-02 15:01 40648 ----a-w- h:\windows\avastSS.scr
    2011-02-23 15:04 . 2010-08-02 15:01 190016 ----a-w- h:\windows\system32\aswBoot.exe
    2011-02-23 14:56 . 2010-08-02 15:02 301528 ----a-w- h:\windows\system32\drivers\aswSP.sys
    2011-02-23 14:55 . 2010-08-02 15:02 49240 ----a-w- h:\windows\system32\drivers\aswTdi.sys
    2011-02-23 14:55 . 2010-08-02 15:02 102232 ----a-w- h:\windows\system32\drivers\aswmon2.sys
    2011-02-23 14:55 . 2010-08-02 15:02 96344 ----a-w- h:\windows\system32\drivers\aswmon.sys
    2011-02-23 14:55 . 2010-08-02 15:02 25432 ----a-w- h:\windows\system32\drivers\aswRdr.sys
    2011-02-23 14:54 . 2010-08-02 15:02 30680 ----a-w- h:\windows\system32\drivers\aavmker4.sys
    2011-02-23 14:54 . 2010-08-02 15:02 19544 ----a-w- h:\windows\system32\drivers\aswFsBlk.sys
    2011-02-10 01:10 . 2011-02-10 01:10 12 ----a-w- h:\windows\Fonts\wfonts.key
    2011-01-21 14:44 . 2008-03-29 04:35 439296 ----a-w- h:\windows\system32\shimgvw.dll
    2011-01-07 14:09 . 2008-03-28 09:10 290048 ----a-w- h:\windows\system32\atmfd.dll
    2011-01-05 03:34 . 2009-03-16 21:33 5656576 ----a-w- h:\windows\system32\drivers\ati2mtag.sys
    2011-01-05 03:13 . 2009-03-16 19:35 57344 ----a-w- h:\windows\system32\aticalrt.dll
    2011-01-05 03:12 . 2009-03-16 19:34 53248 ----a-w- h:\windows\system32\aticalcl.dll
    2011-01-05 03:11 . 2009-03-16 19:33 4489216 ----a-w- h:\windows\system32\aticaldd.dll
    2011-01-05 03:11 . 2009-03-16 20:04 17084416 ----a-w- h:\windows\system32\atioglxx.dll
    2011-01-05 03:00 . 2009-03-16 20:27 462848 ----a-w- h:\windows\system32\ATIDEMGX.dll
    2011-01-05 02:59 . 2009-03-16 20:26 302080 ----a-w- h:\windows\system32\ati2dvag.dll
    2011-01-05 02:53 . 2009-03-16 20:17 311296 ----a-w- h:\windows\system32\atiiiexx.dll
    2011-01-05 02:53 . 2009-03-16 20:06 4021984 ----a-w- h:\windows\system32\ati3duag.dll
    2011-01-05 02:46 . 2011-01-27 04:52 1112576 ----a-w- h:\windows\system32\ativvamv.dll
    2011-01-05 02:39 . 2009-03-16 20:17 212992 ----a-w- h:\windows\system32\atipdlxx.dll
    2011-01-05 02:39 . 2009-03-16 20:16 155648 ----a-w- h:\windows\system32\Oemdspif.dll
    2011-01-05 02:39 . 2009-03-16 20:16 26112 ----a-w- h:\windows\system32\Ati2mdxx.exe
    2011-01-05 02:39 . 2009-03-16 20:16 43520 ----a-w- h:\windows\system32\ati2edxx.dll
    2011-01-05 02:39 . 2009-03-16 20:16 188416 ----a-w- h:\windows\system32\ati2evxx.dll
    2011-01-05 02:37 . 2009-03-16 20:15 638976 ----a-w- h:\windows\system32\ati2evxx.exe
    2011-01-05 02:36 . 2009-03-16 19:53 2670464 ----a-w- h:\windows\system32\ativvaxx.dll
    2011-01-05 02:36 . 2009-03-16 20:13 53248 ----a-w- h:\windows\system32\ATIDDC.DLL
    2011-01-05 02:35 . 2010-04-10 04:02 143360 ----a-w- h:\windows\system32\atiapfxx.exe
    2011-01-05 02:31 . 2009-03-16 19:36 651264 ----a-w- h:\windows\system32\atikvmag.dll
    2011-01-05 02:29 . 2009-03-16 19:35 196608 ----a-w- h:\windows\system32\atiadlxx.dll
    2011-01-05 02:28 . 2009-03-16 19:34 17408 ----a-w- h:\windows\system32\atitvo32.dll
    2011-01-05 02:28 . 2009-03-16 19:35 471040 ----a-w- h:\windows\system32\atiok3x2.dll
    2011-01-05 02:22 . 2009-03-16 19:28 851968 ----a-w- h:\windows\system32\ati2cqag.dll
    2011-01-05 02:20 . 2009-03-16 19:40 64512 ----a-w- h:\windows\system32\atimpc32.dll
    2011-01-05 02:20 . 2009-03-16 19:40 64512 ----a-w- h:\windows\system32\amdpcom32.dll
    2011-01-05 02:19 . 2009-03-16 19:34 53248 ----a-w- h:\windows\system32\drivers\ati2erec.dll
    2010-12-31 13:10 . 2008-03-28 09:11 1854976 ----a-w- h:\windows\system32\win32k.sys
    2010-12-22 12:34 . 2008-03-29 04:36 301568 ----a-w- h:\windows\system32\kerberos.dll
    2010-12-20 23:59 . 2008-03-29 04:35 916480 ----a-w- h:\windows\system32\wininet.dll
    2010-12-20 23:59 . 2008-03-29 04:36 1469440 ------w- h:\windows\system32\inetcpl.cpl
    2010-12-20 23:59 . 2008-03-29 04:36 43520 ----a-w- h:\windows\system32\licmgr10.dll
    2010-12-20 17:26 . 2008-03-28 09:10 730112 ----a-w- h:\windows\system32\lsasrv.dll
    2010-12-20 12:55 . 2008-03-29 05:44 385024 ----a-w- h:\windows\system32\html.iec
    2010-12-09 15:15 . 2008-03-28 09:10 718336 ----a-w- h:\windows\system32\ntdll.dll
    2010-12-09 14:30 . 2008-03-28 09:10 33280 ----a-w- h:\windows\system32\csrsrv.dll
    2010-12-09 13:42 . 2008-03-28 09:10 2148864 ----a-w- h:\windows\system32\ntoskrnl.exe
    2010-12-09 13:07 . 2001-08-17 13:48 2027008 ----a-w- h:\windows\system32\ntkrnlpa.exe
    .
    .
    ------- Sigcheck -------
    .
    [-] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . h:\windows\explorer.exe
    [-] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . h:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-02-23 15:04 122512 ----a-w- h:\program files\Alwil Software\Avast5\ashShell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PeerBlock"="h:\program files\PeerBlock\peerblock.exe" [2010-11-07 1867888]
    "SUPERAntiSpyware"="h:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-02-25 2423752]
    "Google Update"="h:\documents and settings\Deb\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-12-09 135664]
    "EVEMon"="i:\program files\EVEMon\EVEMon.exe" [2011-02-12 1724928]
    "Skype"="h:\program files\Skype\Phone\Skype.exe" [2010-12-03 14944136]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "VIARaidUtl"="h:\program files\VIA\RAID\raid_tool.exe" [2009-02-19 4918936]
    "AMD_Display"="h:\program files\AMD\AMD Power Monitor\AMD_PwrMon.exe" [2008-05-05 1449984]
    "StartCCC"="h:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-01-05 98304]
    "avast"="h:\program files\Alwil Software\Avast5\avastUI.exe" [2011-02-23 3451496]
    "SunJavaUpdateSched"="h:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    .
    h:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
    Timex Data Link USB Launcher.lnk - h:\program files\Timex\Data Link USB\DataLinkLauncher.exe [2010-11-19 40960]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "e:\program files\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "h:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21 548352 ----a-w- h:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKLM\~\startupfolder\H:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=h:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=h:\windows\pss\Microsoft Office.lnkCommon Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
    2009-06-10 10:57 136472 ----a-w- h:\program files\Common Files\Acronis\Schedule2\schedhlp.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
    2009-06-10 11:02 904840 ----a-w- i:\program files\Acronis\TrueImageHome\TimounterMonitor.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2008-10-15 08:04 39792 ----a-w- h:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
    2005-05-03 10:43 69632 -c----r- h:\windows\Alcmtr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AmazonGSDownloaderTray]
    2009-04-06 23:35 247296 ----a-w- h:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\amd_dc_opt]
    2008-07-22 20:53 77824 ----a-w- h:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AMD_Display]
    2008-05-05 16:37 1449984 ----a-w- h:\program files\AMD\AMD Power Monitor\AMD_PwrMon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast5]
    2011-02-23 15:04 3451496 ----a-w- h:\progra~1\ALWILS~1\Avast5\AvastUI.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 12:42 15360 ----a-w- h:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
    2005-12-10 14:57 133016 ----a-w- h:\program files\DAEMON Tools\daemon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EVEMon]
    2011-02-12 20:26 1724928 ----a-w- i:\program files\EVEMon\EVEMon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Fomine WinPopup]
    2002-09-17 04:39 292352 ----a-w- h:\program files\Fomine WinPopup\WinPopup.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
    2009-12-09 03:45 135664 ------w- h:\documents and settings\Deb\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
    2003-09-01 18:52 376912 -c--a-w- h:\program files\Microsoft ActiveSync\wcescomm.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS]
    2001-08-10 17:23 94208 ----a-w- h:\program files\Common Files\Logitech\QCDriver\LVComS.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
    2001-07-09 19:50 155648 ----a-w- h:\windows\system32\NeroCheck.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PeerBlock]
    2010-11-07 05:24 1867888 ----a-w- h:\program files\PeerBlock\peerblock.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2006-09-01 22:57 282624 ----a-w- h:\program files\QuickTime\qttask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
    2007-02-26 07:03 16125440 ------w- h:\windows\RTHDCPL.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SightSpeed]
    2008-11-03 19:02 4789048 ----a-w- h:\program files\SightSpeed\SightSpeed.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
    2006-05-16 10:04 2879488 ------r- h:\windows\SkyTel.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
    2011-01-05 04:36 98304 ----a-w- h:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TMRUBottedTray]
    2008-11-06 18:33 288088 ----a-w- h:\program files\Trend Micro\RUBotted\TMRUBottedTray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
    2009-06-10 10:55 1326080 ----a-w- i:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
    2010-01-13 22:44 37888 ----a-w- h:\program files\Winamp\winampa.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "LVPrcSrv"=2 (0x2)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "e:\\Program Files\\AboutTime\\AboutTime.exe"=
    "e:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "i:\\eve\\bin\\ExeFile.exe"=
    "h:\\Program Files\\DAP\\DAP.exe"=
    "h:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"=
    "h:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"=
    "h:\\Program Files\\uTorrent\\uTorrent.exe"=
    "h:\\Program Files\\UGS\\NX 6.0\\UGII\\ugraf.exe"=
    "h:\\Program Files\\CCP\\EVE\\bin\\ExeFile.exe"=
    "h:\\Program Files\\Motorola\\RSD Lite\\SDL.exe"=
    "h:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "h:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "h:\\Program Files\\SightSpeed\\SightSpeed.exe"=
    "h:\\WINDOWS\\system32\\dpvsetup.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
    "8181:TCP"= 8181:TCP:utorrent webui
    "8181:UDP"= 8181:UDP:utorrent webui
    .
    R0 sptd;sptd;h:\windows\system32\drivers\sptd.sys [5/2/2008 8:16 PM 643072]
    R1 aswSnx;aswSnx;h:\windows\system32\drivers\aswSnx.sys [2/26/2011 9:14 AM 371544]
    R1 aswSP;aswSP;h:\windows\system32\drivers\aswSP.sys [8/2/2010 8:02 AM 301528]
    R1 SASDIFSV;SASDIFSV;h:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
    R1 SASKUTIL;SASKUTIL;h:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656]
    R2 aswFsBlk;aswFsBlk;h:\windows\system32\drivers\aswFsBlk.sys [8/2/2010 8:02 AM 19544]
    R2 MotoConnect Service;MotoConnect Service;h:\program files\Motorola\MotoConnectService\MotoConnectService.exe [6/27/2010 6:26 PM 91392]
    R2 UGS License Server (ugslmd);UGS License Server (ugslmd);h:\program files\UGS\UGSLicensing\lmgrd.exe [4/22/2008 9:37 AM 1372160]
    R3 AmdTools;AMD Special Tools Driver;h:\windows\system32\drivers\AmdTools.sys [5/20/2009 10:15 PM 34304]
    R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;h:\windows\system32\drivers\atl01_xp.sys [5/20/2009 7:19 PM 38656]
    R3 TMPassthruMP;TMPassthruMP;h:\windows\system32\drivers\TMPassthru.sys [2/24/2010 6:47 AM 206608]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;h:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
    S2 gupdate;Google Update Service (gupdate);h:\program files\Google\Update\GoogleUpdate.exe [2/16/2010 6:13 AM 135664]
    S2 VRAID Log Service;VRAID Log Service;h:\program files\VIA\RAID\vialogsv.exe [5/20/2009 8:38 PM 52888]
    S3 Amazon Download Agent;Amazon Download Agent;h:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [4/12/2009 10:48 PM 319488]
    S3 androidusb;ADB Interface Driver;h:\windows\system32\drivers\motoandroid.sys [6/27/2010 6:27 PM 25856]
    S3 epmntdrv;epmntdrv;h:\windows\system32\epmntdrv.sys [8/15/2010 3:18 PM 13192]
    S3 EuGdiDrv;EuGdiDrv;h:\windows\system32\EuGdiDrv.sys [8/15/2010 3:18 PM 8456]
    S3 GETND5BV;VIA Networking Velocity-Family Giga-bit Ethernet Adapter Driver;h:\windows\system32\drivers\getnd5bv.sys [12/28/2007 12:57 AM 46080]
    S3 MotDev;Motorola Inc. USB Device;h:\windows\system32\drivers\motodrv.sys [6/27/2010 6:27 PM 42752]
    S3 SUSTUCAU;Susteen USB Cable USB Driver;h:\windows\system32\drivers\sustucau.sys [4/4/2007 9:56 PM 21376]
    S3 TMPassthru;Trend Micro Passthru Ndis Service;h:\windows\system32\drivers\TMPassthru.sys [2/24/2010 6:47 AM 206608]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;h:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
    S4 RUBotted;Trend Micro RUBotted Service;h:\program files\Trend Micro\RUBotted\TMRUBotted.exe [2/24/2010 6:47 AM 582992]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-03-07 h:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - h:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 13:13]
    .
    2011-03-07 h:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - h:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 13:13]
    .
    2011-03-07 h:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-725345543-839522115-1003Core.job
    - h:\documents and settings\Deb\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-09 03:45]
    .
    2011-03-07 h:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-725345543-839522115-1003UA.job
    - h:\documents and settings\Deb\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-09 03:45]
    .
    2011-03-04 h:\windows\Tasks\{9C117111-5543-41EF-B8BA-B9878B7EE374}_STEVE_Steve.job
    - h:\windows\system32\mobsync.exe [2008-03-28 12:42]
    .
    2011-03-04 h:\windows\Tasks\{B330E9BD-9502-4D89-B3A9-3BB957C35074}_STEVE_Steve.job
    - h:\windows\system32\mobsync.exe [2008-03-28 12:42]
    .
    2011-03-07 h:\windows\Tasks\{BF62BF1F-BB0E-44D1-97CB-094298049FEB}_STEVE_Steve.job
    - h:\windows\system32\mobsync.exe [2008-03-28 12:42]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    Trusted Zone: intuit.com\ttlc
    TCP: {9E94E966-7FDB-457F-B092-7509BD1FA11A} = 68.105.28.11,68.105.29.11
    Name-Space Handler: FTP\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - h:\progra~1\DAP\dapie.dll
    Name-Space Handler: HTTP\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - h:\progra~1\DAP\dapie.dll
    .
    .
    ------- File Associations -------
    .
    .scr=AutoCADScriptFile
    .
    - - - - ORPHANS REMOVED - - - -
    .
    MSConfigStartUp-ATI Launchpad - h:\program files\ATI Multimedia\main\launchpd.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-07 13:49
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@h:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="h:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(1460)
    h:\program files\SUPERAntiSpyware\SASWINLO.DLL
    h:\windows\system32\WININET.dll
    h:\windows\system32\Ati2evxx.dll
    h:\windows\system32\atiadlxx.dll
    h:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
    .
    - - - - - - - > 'winlogon.exe'(3008)
    h:\program files\SUPERAntiSpyware\SASWINLO.DLL
    h:\windows\system32\WININET.dll
    h:\windows\system32\Ati2evxx.dll
    h:\windows\system32\atiadlxx.dll
    h:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
    .
    Completion time: 2011-03-07 13:52:46
    ComboFix-quarantined-files.txt 2011-03-07 20:52
    .
    Pre-Run: 202,861,846,528 bytes free
    Post-Run: 202,855,030,784 bytes free
    .
    - - End Of File - - DFC9DDF9E9FECBF1D40496707A0554C8
  12. Bobbye Helper on the Fringe

    Let's not continue the round of "I absolutely know without a doubt that no one has changed a setting" regarding System Restore. With 2 other users, you cannot attest to that.

    Go ahead and install the Host files.

    It would appear that you are having intermittent system problems. I recommend you run chkdsk with both functions checked> fix and scan- reboot and let it run.

    As long as you allow the Globally Open ports and engage in file sharing, I am not responsible for changes on the system. It appears that you are not removing programs that are no longer used- to wit> LimeWire hadn't been used since 2008.
    =======================================
    Only someone who has remote access and can literally see some of the settings you are questioning me about, as well as note the system in toto, can even attempt to give answers.
    ==============================================
    I think I have brought this to your attention a couple of times:
    Date????
    2099-07-09 05:22 . 2099-07-09 05:22 -------- d-----w- h:\program files\Common Files\Insight Software Solutions
    2099-07-09 05:22 . 2008-07-10 03:29 -------- d-----w- h:\program files\Macro Express3
    2020-11-03 13:37 . 2010-11-03 13:43 -------- d-----w- h:\program files\SlySoft

    This indicates some kind of time and date problem. If that is not correct, many parts of the system will malfunction.
    Consider removing "e:\\Program Files\\AboutTime\\AboutTime.exe"
    A very accurate Internet time server/client. It is a free time setting software which downloads the correct time and sets the time periodically
    You can set this yourself and perhaps it will be more accurate.
    =================================
    Update the Adobe Reader please: visit this Adobe Reader link. Uninstall any earlier updates, as they are vulnerabilities.
    ===================================
    I would be cautious about this:
    Fomine WinPopup is an instant-messaging tool for all versions of Windows.
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Fomine WinPopup]
    2002-09-17 04:39 292352 ----a-w- h:\program files\Fomine WinPopup\WinPopup.exe
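Two of the checks the helper makes by eye in the post above, directory stamps later than the scan's own completion time and rules in the firewall's GloballyOpenPorts section, as an added Python example that is not part of this thread or of ComboFix; the log lines it parses are constructed in the shape of the posted output.

```python
import re
from datetime import datetime

# Constructed sample in the shape of the posted ComboFix output (not the thread's own log).
SAMPLE_LOG = r"""
2099-07-09 05:22 . 2099-07-09 05:22 -------- d-----w- h:\program files\Common Files\Insight Software Solutions
2020-11-03 13:37 . 2010-11-03 13:43 -------- d-----w- h:\program files\SlySoft
2011-01-05 04:36 . 2011-01-05 04:36 -------- d-----w- h:\program files\ATI Technologies
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"8181:TCP"= 8181:TCP:utorrent webui
"8181:UDP"= 8181:UDP:utorrent webui
Completion time: 2011-03-07 13:52:46
"""
STAMP = r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
DIR_LINE = re.compile(STAMP + r" \. " + STAMP + r" \S+ \S+ (.+)$")  # created . modified size attrs path
PORT_LINE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$')
DONE_LINE = re.compile(r"^Completion time: (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})$")


def scan_completion(log):
    """Time ComboFix finished, from its 'Completion time:' line (None if absent)."""
    for line in log.splitlines():
        if m := DONE_LINE.match(line.strip()):
            return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return None


def future_dated(log):
    """(timestamp, path) for entries created or modified after the scan itself ran: a clock problem."""
    now = scan_completion(log)
    if now is None:
        raise ValueError("log has no 'Completion time:' line")
    hits = []
    for line in log.splitlines():
        if m := DIR_LINE.match(line.strip()):
            newest = max(datetime.strptime(s, "%Y-%m-%d %H:%M") for s in m.group(1, 2))
            if newest > now:  # later than the scan that listed it
                hits.append((newest.strftime("%Y-%m-%d %H:%M"), m.group(3)))
    return hits


def globally_open_ports(log):
    """(port, protocol, label) for each GloballyOpenPorts rule; these admit any source address."""
    rules, in_section = [], False
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):  # a new registry key starts a new section
            in_section = line.endswith(r"GloballyOpenPorts\List]")
        elif in_section and (m := PORT_LINE.match(line)):
            rules.append((int(m.group(1)), m.group(2), m.group(3)))
    return rules
```

Run against a real ComboFix log, `future_dated` returns exactly the entries the helper quoted by hand, and `globally_open_ports` lists every rule that needs a justification from the machine's owner.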
  13. snoobler Newcomer, in training

    I should just shut my mouth about this as your attitude is pretty clear. I can guarantee you that no one has physically touched my system within the last two weeks. Period. So I KNOW without a doubt, NO human being sitting at my desk turned off system restore. Maybe someone has compromised my remote access, maybe someone has found a way in through uTorrent webui (even though it's behind the router firewall with no port forwarding - only ports 22 and 3389 are open for the obvious reasons). My file sharing activities are very restricted - AVI files of broadcast TV shows from a limited access site. It seems to me far more likely that one of the pieces of malware or one of the cleaning tools is the culprit. I'm just trying to learn - not be a pain.

    Feel free to ignore everything above this comment.

    I will install the host files.

    I run chkdsk /r about once a month. I will do so again.

    I have no idea what you're getting at, but it sounds snarky.

    Those date issues were me trying to fool evaluation software with a trial period and then forgetting to clean it up. I no longer use them and will uninstall them. I have used AboutTime for many years. I only run it periodically if I need an immediate update. I have WinXP set to autosync with time.windows.com.

    I have used Fomine Winpopup for about 7 years. I would expect that any vulnerabilities would be tied to flaws in the windows messenger service, and I only run it manually when I need it (maybe 0.01% of the time).

    I will update the Adobe Reader.

    Three last questions (2 new, 1 unanswered):
    1) Does Combofix change the "hide extensions for known filetypes" option?
    2) Is the Combofix log clean?
    3) What intermittent system problems? System restore?

    Thanks again!
  14. Bobbye Helper on the Fringe

    Remote Assistance: allows an expert to connect to a novice's computer and correct any problems directly. It includes the main scenarios used to initiate Remote Assistance sessions.
    There is nothing "snarky" about it> it's what is done when you get paid remote computer help online.

    Remote Desktop: Access the files on your work computer from home or on the road with Remote Desktop in Windows XP Professional.
    =============================================
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Yes. Concern is still these dates. But that does not mean malware:
    3) What intermittent system problems? System restore?
    Non-specific.
    =============================================
    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U; it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disc Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

    Empty the Recycle Bin