Inactive Browser hijack

Thanks Bobbye for taking a look at this for me.

I was being redirected in IE and Firefox. I have up-to-date Avast, Ad-Aware, Spybot S&D and SpywareBlaster.

I ran a full system scan using all the above, then tried Malwarebytes' Anti-Malware, Quick Heal and SUPERAntiSpyware.

Found I was infected with the following: slirsredirect, Trojan Agent ATV, Win32 adware Vapsup.5, W32.Zmist, W97M.Class D.
Removed all, but still had the slirsredirect problem.

I did all this before I came to this forum. :blush:

Upon reading the 8-step Viruses/Spyware/Malware Preliminary Removal Instructions, I downloaded TFC and ran that, and then ran MBAM again (log posted below).

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4680

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

9/24/2010 7:23:24 PM
mbam-log-2010-09-24 (19-23-24).txt

Scan type: Quick scan
Objects scanned: 155506
Time elapsed: 6 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage (Hijack.Homepage) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I quarantined the registry entry above and the problem was resolved. No more redirect.

The computer is running well again. I re-ran all the above programs; no problems found.
Do I need to run GMER?
Thanks again. You people are super. Jaggs
 
Give me a chance to go over this and your prior post. I'm not really sure what you're asking.
 
Jaggs, did you want to continue with this? One malware problem can be resolved, but that does not mean all of the malware has been found and removed.
 
Hello Bobbye. I just sent a reply but I'm not sure where it went. Sorry if I did it wrong.

Yes, I would like to continue. I'm new at this and thought all was taken care of. Should I start from the beginning and do the steps over again and post the results?

Thanks, Jaggs
 
I quarantined the registry entry above and the problem was resolved. No more redirect.
The computer is running well again. I re-ran all the above programs; no problems found.

I need a description of the current problem: are you getting redirected to a site you haven't chosen? Unfortunately, sometimes one problem gets resolved, but that does not mean all of the malware is gone and the files are fixed.

We need to start at the beginning. Apparently you ran the programs yourself, but didn't leave logs for review and thought the malware was gone.
Please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

When you have finished, paste the logs for review in your next reply . You can use multiple posts for the logs if needed.

Important!
Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
 
Hello Bobbye,
Thank you for sticking with me. I was having trouble using Firefox and also IE: when I tried to search it would be redirected to a different site that had nothing to do with what I was searching for. It gave me a "slirsredirect". I tried SUPERAntiSpyware, Quick Heal (free version), updated Malwarebytes, Ad-Aware, Avast, Spybot and SpywareBlaster. During that process it found several trojans and removed them. After using TFC and Malwarebytes' Anti-Malware, it found a registry key called HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage.
Malwarebytes' Anti-Malware removed the key. All was working well with the computer so I did not continue the eight steps (shame on me).
So now, as requested, here are the logs. I hope I have done them correctly. Thanks again for all your help. Jaggs

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4772

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

10/7/2010 9:22:23 PM
mbam-log-2010-10-07 (21-22-23).txt

Scan type: Quick scan
Objects scanned: 155302
Time elapsed: 7 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

---------------------------------------------------------------------------------------------------------


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-10-07 21:35:42
Windows 5.1.2600 Service Pack 2
Running: 12r8sqrl.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\pxlyifog.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xF38E2BAE]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0xF38E29D2]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwLoadDriver [0xF38E2B0C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)

Device \FileSystem\Fastfat \Fat aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- EOF - GMER 1.0.15 ----

more to follow
 
Here are the rest of the logs
 

Attachments:
  • DDS.txt (16.1 KB)
  • Attach.txt (14.9 KB)
The logs look pretty good, Jaggs; just a few entries to remove. I'd like you to run the following to make sure we've checked everything:

Question first: you have Comodo 'Group' installed, and in the installed programs list I see Comodo System-Cleaner. What is that? It's okay to have the Comodo firewall, but not the AV, since you have Avast.

Please download ComboFix from Here and save it to your Desktop.

  1. Do NOT rename ComboFix unless instructed.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Close any open browsers.
  4. Double-click combofix.exe & follow the prompts to run.
     NOTE: ComboFix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  5. If ComboFix asks you to install the Recovery Console, please allow it.
  6. If ComboFix asks you to update the program, always allow.
     Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
  7. A report will be generated after the scan. Please paste the C:\ComboFix.txt in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs when you're done with ComboFix.
===================================
Run the Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Please paste the logs in the next reply. Okay to use multiple posts if needed.
 
The Comodo is a cleaning program. It cleans like the Disk Cleanup on XP, I think only better. Should I get rid of it?
Will do ComboFix and report the logs. Thanks again, Jaggs
 
Hello Bobbye,

I am sending the following logs for ComboFix and Eset Online. Thanks, Jaggs
 

Attachments:
  • ComboFix log.txt (19.5 KB)
  • Eset log.txt (742 bytes)
Please paste the logs in the next reply. Okay to use multiple posts if needed.
Also, when you open Notepad again for a log, please click on Format > uncheck Word Wrap.
Please run this custom CFScript:

  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open Notepad and copy/paste the text in the code below into it:
Code:
File::
c:\program files\temp01
c:\program files\Firefox Setup 3.0.1.exe
c:\program files\spybotsd160.exe
c:\windows\system32\drivers\CFRMD.sys 

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"3c1807pd"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"=-
RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

Driver::
CFRMD
Save this as CFScript.txt, in the same location as ComboFix.exe.

[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it in your next reply.
====================
I strongly suggest you remove this program: TweakNow RegCleaner. Most of us don't recommend using a registry cleaner.

P2P File Sharing Warning:
Are you aware of the Windows Peer-to-Peer Grouping and Peer Name Resolution Protocol (PNRP) being given access through the GloballyOpenPorts list?
Note: Even if you are using a "safe" P2P program, it is only the program that is safe.
  • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
  • Malware writers use these programs to include malicious content.
  • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
  • The 'sharing' also includes malware that the shared system has on it.
  • Files that are illegal can be spread through file sharing.

Please read the information on P2P Warning to help you better understand these dangers.
=================================
We'll finish with this: Download the HijackThis Installer and save to the desktop:
  1. Double-click on HJTInstall.exe to run the program.
  2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
  3. Accept the license agreement by clicking the "I Accept" button.
  4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  5. Click "Save log" to save the log file and then the log will open in notepad.
  6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
 
Hello Bobbye, below is the "pasted" ComboFix.txt. Sorry. The TweakNow RegCleaner was installed to try and correct the problem with the redirect; when it didn't work I uninstalled it (with Control Panel) before starting the 8-step virus removal. I checked and it isn't in Control Panel. Is there something I need to do to remove it? How do I stop the P2P? I don't share! I had BearShare installed but haven't used it in a very long time, but it's not in Control Panel. As far as I know that's the only program. Thanks, Jaggs


ComboFix 10-10-08.01 - Owner 10/10/2010 11:43:04.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.580 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
"c:\program files\Firefox Setup 3.0.1.exe"
"c:\program files\spybotsd160.exe"
"c:\program files\temp01"
"c:\windows\system32\drivers\CFRMD.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Firefox Setup 3.0.1.exe
c:\program files\spybotsd160.exe
c:\program files\temp01

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_CFRMD


((((((((((((((((((((((((( Files Created from 2010-09-10 to 2010-10-10 )))))))))))))))))))))))))))))))
.

2010-10-09 16:17 . 2010-10-09 16:17 -------- d-----w- c:\program files\ESET
2010-10-07 17:45 . 2010-09-17 14:40 421888 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\y7kv72dl.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
2010-10-01 17:05 . 2010-10-01 17:11 -------- d-----w- c:\program files\Mystery in London
2010-09-25 00:06 . 2010-05-23 21:50 73216 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\y7kv72dl.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc_fireftp.dll
2010-09-25 00:06 . 2010-04-18 18:33 307200 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\y7kv72dl.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\psftp.exe
2010-09-25 00:06 . 2010-04-18 18:33 172032 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\y7kv72dl.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\puttygen.exe
2010-09-23 05:35 . 2010-09-23 05:35 -------- d-----w- c:\documents and settings\Owner\Application DataComodoGroup
2010-09-23 05:33 . 2010-09-23 05:33 -------- d-----w- c:\documents and settings\Owner\Application Data\ComodoGroup
2010-09-23 05:32 . 2010-09-23 05:32 -------- d-----w- c:\program files\COMODO
2010-09-23 03:33 . 2010-09-24 02:39 63488 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-09-23 03:33 . 2010-09-23 03:33 52224 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-09-23 03:32 . 2010-09-24 02:39 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-09-23 03:32 . 2010-09-23 03:32 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2010-09-23 03:32 . 2010-09-23 03:32 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-09-23 03:32 . 2010-09-30 22:41 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-09-23 02:43 . 2010-09-23 02:43 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-4cd98790-n\msvcp71.dll
2010-09-23 02:43 . 2010-09-23 02:43 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-4cd98790-n\jmc.dll
2010-09-23 02:43 . 2010-09-23 02:43 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-4cd98790-n\msvcr71.dll
2010-09-23 02:42 . 2010-09-23 02:42 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-7fe31b41-n\decora-sse.dll
2010-09-23 02:42 . 2010-09-23 02:42 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-7fe31b41-n\decora-d3d.dll
2010-09-23 02:42 . 2010-07-17 09:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-20 02:06 . 2010-09-20 02:06 -------- d-----w- c:\documents and settings\Owner\Application Data\Eurotalk
2010-09-19 18:40 . 2010-09-19 18:40 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\PlayPond

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-10 15:36 . 2008-04-13 02:50 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-10-09 16:12 . 2008-04-13 02:50 -------- d-----w- c:\program files\SpywareBlaster
2010-10-06 19:50 . 2006-08-02 14:15 -------- d-----w- c:\program files\Common Files\Adobe
2010-09-24 23:59 . 2008-02-15 20:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-09-23 03:45 . 2008-07-01 03:52 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-09-23 02:54 . 2009-07-09 01:12 0 ----a-w- c:\windows\system32\drivers\crpf.sys
2010-09-23 02:46 . 2007-09-21 03:22 -------- d-----w- c:\program files\Java
2010-09-23 02:46 . 2007-09-21 03:21 -------- d-----w- c:\program files\Common Files\Java
2010-09-23 02:28 . 2010-02-02 04:49 -------- d-----w- c:\documents and settings\Owner\Application Data\TweakNow RegCleaner
2010-09-23 02:27 . 2008-02-16 19:41 -------- d-----w- c:\program files\Common Files\Intuit
2010-09-22 01:43 . 2010-08-15 18:39 -------- d-----w- c:\program files\Common Files\Sandlot Shared
2010-09-22 01:42 . 2009-04-20 05:19 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2010-09-13 03:49 . 2009-01-20 03:27 58 ---h--w- c:\windows\popcreg.dat
2010-09-13 03:49 . 2009-01-20 03:27 20 ----a-w- c:\windows\popcinfot.dat
2010-09-07 15:12 . 2010-08-09 21:07 38848 ----a-w- c:\windows\avastSS.scr
2010-09-07 15:11 . 2008-06-29 04:43 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-09-07 14:52 . 2008-06-29 04:43 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-09-07 14:52 . 2008-06-29 04:43 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-09-07 14:47 . 2008-06-29 04:43 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-09-07 14:47 . 2008-06-29 04:43 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-09-07 14:47 . 2008-06-29 04:43 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-09-07 14:47 . 2008-06-29 04:43 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-09-07 14:46 . 2008-06-29 04:43 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-08-30 21:11 . 2010-08-30 20:57 -------- d-----w- c:\documents and settings\Owner\Application Data\OurPictures
2010-08-27 16:27 . 2010-08-27 16:27 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-08-27 16:27 . 2010-08-27 16:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-27 16:27 . 2010-08-27 16:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-25 04:24 . 2010-08-15 18:41 -------- d-----w- c:\program files\Mystery Case Files - Madame Fate
2010-08-25 01:30 . 2010-08-25 01:29 -------- d-----w- c:\documents and settings\Owner\Application Data\Go-Go Gourmet Chef of the Year
2010-08-21 05:26 . 2008-01-13 21:34 -------- d-----w- c:\documents and settings\Owner\Application Data\NeroDCTemplates
2010-08-16 02:58 . 2010-08-16 02:58 -------- d-----w- c:\documents and settings\Owner\Application Data\DVDVideoSoftIEHelpers
2010-08-16 02:41 . 2010-01-20 05:08 -------- d-----w- c:\program files\DVDVideoSoft
2010-08-15 18:43 . 2010-08-15 18:43 -------- d-----w- c:\program files\Best Buy Games
2010-08-15 18:39 . 2009-01-20 04:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Sandlot Games
2010-08-15 18:39 . 2010-08-15 18:38 -------- d-----w- c:\program files\Glyph
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-10-11 1961984]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2010-03-03 5244216]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-09-30 2424560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-03 13529088]
"nwiz"="nwiz.exe" [2008-05-03 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-03 86016]
"HostManager"="c:\program files\Common Files\AOL\1190762739\ee\AOLSoftware.exe" [2008-06-24 41824]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 03:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-23 08:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ALi5289]
2005-03-10 06:56 405504 -c--a-w- c:\program files\ULI5289\ALi5289.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
2007-06-06 16:04 50736 ----a-w- c:\program files\AOL 9.0\aol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2008-06-24 18:34 41824 ----a-w- c:\program files\Common Files\AOL\1190762739\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2010-03-03 17:32 5244216 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 16:24 1694208 --sh--w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 15:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2006-07-23 04:50 26112 -c--a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2004-12-22 09:09 77824 -c--a-w- c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
2006-07-21 21:19 129536 ----a-w- c:\progra~1\Yahoo!\browser\ybrwicon.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\browser\\ybrowser.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\1190762739\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\iWin Games\\WebUpdater.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Ahead\\Nero ShowTime\\ShowTime.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/28/2010 1:14 AM 64288]
R0 m5289;m5289;c:\windows\system32\drivers\m5289.sys [7/22/2006 3:51 PM 51840]
R0 uliagpkx;ULi AGP Bus Filter Driver;c:\windows\system32\drivers\AGPKX.SYS [7/22/2006 3:51 PM 45056]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [6/29/2008 12:43 AM 165584]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 ALIEHCD;ULi PCI to USB Enhanced Host Controller;c:\windows\system32\drivers\AliEhci.sys [7/24/2006 5:02 PM 84159]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [6/29/2008 12:43 AM 17744]
R2 Iprip;RIP Listener;c:\windows\System32\svchost.exe -k netsvcs [8/23/2001 8:00 AM 14336]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/12/2010 4:55 AM 1357464]
R3 aliroothub;USB 2.0 Root Hub;c:\windows\system32\drivers\AliRtHub.sys [7/24/2006 5:02 PM 5318]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [8/11/2010 11:36 AM 15008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the 'Scheduled Tasks' folder

2010-09-24 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-12 16:24]

2010-09-24 c:\windows\Tasks\COMODO System Cleaner Update.job
- c:\program files\COMODO\COMODO System-Cleaner\UpdateApplications.exe [2010-03-09 19:41]
.
.
---
 
Here is the rest of the scan. Thanks, Jaggs

---- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
IE: &Yahoo! Search
IE: Free YouTube Download
IE: Free YouTube to Mp3 Converter
IE: Yahoo! &Dictionary
IE: Yahoo! &Maps
IE: Yahoo! &SMS
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\y7kv72dl.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\y7kv72dl.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\y7kv72dl.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc_fireftp.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
pref(dom.disable_open_during_load, true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-73586283-1284227242-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(600)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1080)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\windows\System32\tcpsvcs.exe
c:\windows\System32\snmp.exe
c:\windows\wanmpsvc.exe
c:\windows\System32\wbem\unsecapp.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2010-10-10 12:04:00 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-10 16:03
ComboFix2.txt 2010-10-09 16:07

Pre-Run: 46,815,977,472 bytes free
Post-Run: 46,754,963,456 bytes free

- - End Of File - - 8AA0E48193524CF185539E13E6CEAE75
 
Hello Bobbye, as requested, the HJT log. Thanks again, Jaggs

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:54:32 PM, on 10/10/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17055)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\AOL\1190762739\ee\AOLSoftware.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1190762739\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1154796310779
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 6279 bytes
 
Please run this Custom CFScript

[1]. Close any open browsers.
[2]. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
[3]. Open notepad and copy/paste the text in the code below into it:
Code:
KillAll::
File::
c:\windows\popcreg.dat
c:\windows\popcinfot.dat

Folder::
c:\documents and settings\Owner\Application Data\TweakNow RegCleaner

Regnull::
[HKEY_USERS\S-1-5-21-73586283-1284227242-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\iWin Games\\WebUpdater.exe"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"=-
"3540:UDP"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"=-

DDS::
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
IE: &Yahoo! Search
IE: Free YouTube Download
IE: Free YouTube to Mp3 Converter
IE: Yahoo! &Dictionary
IE: Yahoo! &Maps
IE: Yahoo! &SMS
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it in your next reply.
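As an added example (not ComboFix's own code and not part of this thread), a small Python linter that checks a CFScript before it is dragged onto ComboFix: every directive header ends in `::`, File::/Folder:: entries are absolute paths, and every registry key under Registry::/RegNull:: actually appears in the ComboFix log the script was written from, with keys that only match once whitespace is removed reported as line-wrap damage. It assumes the header and `[key]` conventions visible in the script and logs above; the sample script and log excerpt are constructed.

```python
"""Lint a ComboFix CFScript against the ComboFix log it was written from.

Constructed example for this thread, not ComboFix's own code. Assumptions:
directive headers are a name followed by '::' on its own line (as the
headers in the script above are), lines of the form '[...]' name registry
keys, and the ComboFix log lists the targeted keys in the same '[...]' form.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Directives used in the script on this page; extend if a script uses others.
KNOWN_DIRECTIVES = {"killall", "file", "folder", "registry", "regnull", "dds"}

HEADER_RE = re.compile(r"^([A-Za-z]+)(:{1,2})\s*$")
KEY_RE = re.compile(r"^\[(.+)\]\s*$")
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass(frozen=True)
class Issue:
    line: int    # 1-based line number in the script
    kind: str    # short category, stable for tests and grepping
    detail: str


def _norm(key: str) -> str:
    """Case-fold a key path; ComboFix logs mix HKLM and hkey_local_machine casing."""
    return key.strip().lower()


def _squash(key: str) -> str:
    """Key with all whitespace removed, to recognise keys broken by forum line wrapping."""
    return re.sub(r"\s+", "", _norm(key))


def log_registry_keys(log_text: str) -> set[str]:
    """Collect every '[...]' registry key path that appears in a ComboFix log."""
    keys = set()
    for line in log_text.splitlines():
        m = KEY_RE.match(line)
        if m:
            keys.add(_norm(m.group(1)))
    return keys


def lint_cfscript(script_text: str, log_text: str) -> list[Issue]:
    """Return the problems found in script_text, in line order."""
    issues: list[Issue] = []
    log_keys = log_registry_keys(log_text)
    by_squashed = {_squash(k): k for k in log_keys}
    section = None
    for n, raw in enumerate(script_text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m and m.group(1).lower() in KNOWN_DIRECTIVES:
            section = m.group(1).lower()
            if m.group(2) != "::":
                issues.append(Issue(n, "malformed-header",
                                    f"'{line}' has one colon; the other headers use '{m.group(1)}::'"))
            continue
        if section in ("file", "folder"):
            if not ABS_PATH_RE.match(line):
                issues.append(Issue(n, "relative-path", f"{line!r} is not an absolute drive path"))
        elif section in ("registry", "regnull"):
            k = KEY_RE.match(line)
            if not k:
                continue  # value lines such as "name"=- are not checked here
            key = _norm(k.group(1))
            if key in log_keys:
                continue
            if _squash(key) in by_squashed:
                issues.append(Issue(n, "wrapped-key",
                                    "key matches the log only with whitespace removed; "
                                    f"expected [{by_squashed[_squash(key)]}]"))
            else:
                issues.append(Issue(n, "unknown-key", f"[{k.group(1)}] does not appear in the log"))
    return issues


# Constructed sample: a log excerpt of the kind a helper reads, and a script that
# carries two paste defects (a one-colon header and a key split by line wrapping).
SAMPLE_LOG = r"""
[HKEY_USERS\S-1-5-21-73586283-1284227242-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\iWin Games\\WebUpdater.exe"=
"""

SAMPLE_SCRIPT = r"""KillAll::
File::
c:\windows\popcreg.dat
popcinfot.dat

Regnull:
[HKEY_USERS\S-1-5-21-73586283-1284227242-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
"c:\\Program Files\\iWin Games\\WebUpdater.exe"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"=-
"""

if __name__ == "__main__":
    for issue in lint_cfscript(SAMPLE_SCRIPT, SAMPLE_LOG):
        print(f"line {issue.line}: {issue.kind}: {issue.detail}")
```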
 
Hello Bobbye, here it is... Thanks, Jaggs

ComboFix 10-10-08.01 - Owner 10/12/2010 11:35:35.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.585 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\New Folder (2)\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Created a new restore point

FILE ::
"c:\windows\popcinfot.dat"
"c:\windows\popcreg.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Application Data\TweakNow RegCleaner
c:\documents and settings\Owner\Application Data\TweakNow RegCleaner\Backup\DiskCleaner_2%a1%a2010_11%b56%b27_P.zip
c:\documents and settings\Owner\Application Data\TweakNow RegCleaner\Backup\DiskCleaner_8%a27%a2010_3%b31%b49_P.zip
c:\documents and settings\Owner\Application Data\TweakNow RegCleaner\Backup\RegCleaner_2%a1%a2010_11%b51%b47_P.dat
c:\windows\popcinfot.dat
c:\windows\popcreg.dat

.
((((((((((((((((((((((((( Files Created from 2010-09-12 to 2010-10-12 )))))))))))))))))))))))))))))))
.

2010-10-10 16:53 . 2010-10-10 16:53 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-10-07 17:45 . 2010-09-17 14:40 421888 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\y7kv72dl.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
2010-09-25 00:06 . 2010-05-23 21:50 73216 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\y7kv72dl.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc_fireftp.dll
2010-09-25 00:06 . 2010-04-18 18:33 307200 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\y7kv72dl.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\psftp.exe
2010-09-25 00:06 . 2010-04-18 18:33 172032 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\y7kv72dl.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\puttygen.exe
2010-09-23 05:33 . 2010-09-23 05:33 -------- d-----w- c:\documents and settings\Owner\Application Data\ComodoGroup
2010-09-23 03:33 . 2010-09-24 02:39 63488 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-09-23 03:33 . 2010-09-23 03:33 52224 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-09-23 03:32 . 2010-09-24 02:39 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-09-23 03:32 . 2010-09-23 03:32 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2010-09-23 03:32 . 2010-09-23 03:32 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-09-23 02:43 . 2010-09-23 02:43 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-4cd98790-n\msvcp71.dll
2010-09-23 02:43 . 2010-09-23 02:43 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-4cd98790-n\jmc.dll
2010-09-23 02:43 . 2010-09-23 02:43 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-4cd98790-n\msvcr71.dll
2010-09-23 02:42 . 2010-09-23 02:42 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-7fe31b41-n\decora-sse.dll
2010-09-23 02:42 . 2010-09-23 02:42 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-7fe31b41-n\decora-d3d.dll
2010-09-20 02:06 . 2010-09-20 02:06 -------- d-----w- c:\documents and settings\Owner\Application Data\Eurotalk

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-10 16:53 . 2010-10-10 16:53 -------- d-----w- c:\program files\Trend Micro
2010-10-10 15:36 . 2008-04-13 02:50 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-10-09 16:17 . 2010-10-09 16:17 -------- d-----w- c:\program files\ESET
2010-10-09 16:12 . 2008-04-13 02:50 -------- d-----w- c:\program files\SpywareBlaster
2010-10-06 19:50 . 2006-08-02 14:15 -------- d-----w- c:\program files\Common Files\Adobe
2010-10-01 17:11 . 2010-10-01 17:05 -------- d-----w- c:\program files\Mystery in London
2010-09-30 22:41 . 2010-09-23 03:32 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-09-24 23:59 . 2008-02-15 20:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-09-23 05:32 . 2010-09-23 05:32 -------- d-----w- c:\program files\COMODO
2010-09-23 03:45 . 2008-07-01 03:52 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-09-23 02:54 . 2009-07-09 01:12 0 ----a-w- c:\windows\system32\drivers\crpf.sys
2010-09-23 02:46 . 2007-09-21 03:22 -------- d-----w- c:\program files\Java
2010-09-23 02:46 . 2007-09-21 03:21 -------- d-----w- c:\program files\Common Files\Java
2010-09-23 02:27 . 2008-02-16 19:41 -------- d-----w- c:\program files\Common Files\Intuit
2010-09-22 01:43 . 2010-08-15 18:39 -------- d-----w- c:\program files\Common Files\Sandlot Shared
2010-09-22 01:42 . 2009-04-20 05:19 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2010-09-07 15:12 . 2010-08-09 21:07 38848 ----a-w- c:\windows\avastSS.scr
2010-09-07 15:11 . 2008-06-29 04:43 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-09-07 14:52 . 2008-06-29 04:43 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-09-07 14:52 . 2008-06-29 04:43 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-09-07 14:47 . 2008-06-29 04:43 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-09-07 14:47 . 2008-06-29 04:43 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-09-07 14:47 . 2008-06-29 04:43 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-09-07 14:47 . 2008-06-29 04:43 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-09-07 14:46 . 2008-06-29 04:43 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-08-30 21:11 . 2010-08-30 20:57 -------- d-----w- c:\documents and settings\Owner\Application Data\OurPictures
2010-08-27 16:27 . 2010-08-27 16:27 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-08-27 16:27 . 2010-08-27 16:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-27 16:27 . 2010-08-27 16:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-25 04:24 . 2010-08-15 18:41 -------- d-----w- c:\program files\Mystery Case Files - Madame Fate
2010-08-25 01:30 . 2010-08-25 01:29 -------- d-----w- c:\documents and settings\Owner\Application Data\Go-Go Gourmet Chef of the Year
2010-08-21 05:26 . 2008-01-13 21:34 -------- d-----w- c:\documents and settings\Owner\Application Data\NeroDCTemplates
2010-08-16 02:58 . 2010-08-16 02:58 -------- d-----w- c:\documents and settings\Owner\Application Data\DVDVideoSoftIEHelpers
2010-08-16 02:41 . 2010-01-20 05:08 -------- d-----w- c:\program files\DVDVideoSoft
2010-08-15 18:43 . 2010-08-15 18:43 -------- d-----w- c:\program files\Best Buy Games
2010-08-15 18:39 . 2009-01-20 04:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Sandlot Games
2010-08-15 18:39 . 2010-08-15 18:38 -------- d-----w- c:\program files\Glyph
2010-07-17 09:00 . 2010-09-23 02:42 423656 ----a-w- c:\windows\system32\deployJava1.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-10-11 1961984]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2010-03-03 5244216]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-09-30 2424560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-03 13529088]
"nwiz"="nwiz.exe" [2008-05-03 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-03 86016]
"HostManager"="c:\program files\Common Files\AOL\1190762739\ee\AOLSoftware.exe" [2008-06-24 41824]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 03:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-23 08:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ALi5289]
2005-03-10 06:56 405504 -c--a-w- c:\program files\ULI5289\ALi5289.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
2007-06-06 16:04 50736 ----a-w- c:\program files\AOL 9.0\aol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2008-06-24 18:34 41824 ----a-w- c:\program files\Common Files\AOL\1190762739\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2010-03-03 17:32 5244216 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 16:24 1694208 --sh--w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 15:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2006-07-23 04:50 26112 -c--a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2004-12-22 09:09 77824 -c--a-w- c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
2006-07-21 21:19 129536 ----a-w- c:\progra~1\Yahoo!\browser\ybrwicon.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\browser\\ybrowser.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\1190762739\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\iWin Games\\WebUpdater.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Ahead\\Nero ShowTime\\ShowTime.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/28/2010 1:14 AM 64288]
R0 m5289;m5289;c:\windows\system32\drivers\m5289.sys [7/22/2006 3:51 PM 51840]
R0 uliagpkx;ULi AGP Bus Filter Driver;c:\windows\system32\drivers\AGPKX.SYS [7/22/2006 3:51 PM 45056]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [6/29/2008 12:43 AM 165584]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 ALIEHCD;ULi PCI to USB Enhanced Host Controller;c:\windows\system32\drivers\AliEhci.sys [7/24/2006 5:02 PM 84159]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [6/29/2008 12:43 AM 17744]
R2 Iprip;RIP Listener;c:\windows\System32\svchost.exe -k netsvcs [8/23/2001 8:00 AM 14336]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/12/2010 4:55 AM 1357464]
R3 aliroothub;USB 2.0 Root Hub;c:\windows\system32\drivers\AliRtHub.sys [7/24/2006 5:02 PM 5318]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [8/11/2010 11:36 AM 15008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the 'Scheduled Tasks' folder

2010-09-24 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-12 16:24]

2010-09-24 c:\windows\Tasks\COMODO System Cleaner Update.job
- c:\program files\COMODO\COMODO System-Cleaner\UpdateApplications.exe [2010-03-09 19:41]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
IE: &Yahoo! Search
IE: Free YouTube Download
IE: Free YouTube to Mp3 Converter
IE: Yahoo! &Dictionary
IE: Yahoo! &Maps
IE: Yahoo! &SMS
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\y7kv72dl.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\y7kv72dl.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\y7kv72dl.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc_fireftp.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
pref(dom.disable_open_during_load, true);c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-73586283-1284227242-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(600)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(252)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\System32\tcpsvcs.exe
c:\windows\System32\snmp.exe
c:\windows\wanmpsvc.exe
c:\windows\System32\wbem\unsecapp.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2010-10-12 11:58:38 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-12 15:58
ComboFix2.txt 2010-10-10 16:04
ComboFix3.txt 2010-10-09 16:07

Pre-Run: 46,558,072,832 bytes free
Post-Run: 46,536,761,344 bytes free

- - End Of File - - 469BEF762135915223D7D21950704B4A
 
Did you copy all of the script in Reply 16? Some of the entries I had are still showing in Combofix.
 
Hello Bobbye, ComboFix has an update which I didn't do yet, so it is in reduced function but started at stage 49. I didn't want to update unless it was OK'd by you to do so. The following is the log using the reduced ComboFix. Thanks, Jaggs
ComboFix 10-10-08.01 - Owner 10/15/2010 15:37:30.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.544 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Created a new restore point
.
- REDUCED FUNCTIONALITY MODE -

FILE ::
"c:\windows\popcinfot.dat"
"c:\windows\popcreg.dat"
.

((((((((((((((((((((((((( Files Created from 2010-09-15 to 2010-10-15 )))))))))))))))))))))))))))))))
.

2010-10-10 16:53 . 2010-10-10 16:53 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-10-10 16:53 . 2010-10-10 16:53 -------- d-----w- c:\program files\Trend Micro
2010-10-09 16:17 . 2010-10-09 16:17 -------- d-----w- c:\program files\ESET
2010-10-07 17:45 . 2010-09-17 14:40 421888 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\y7kv72dl.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
2010-10-01 17:05 . 2010-10-01 17:11 -------- d-----w- c:\program files\Mystery in London
2010-09-25 00:06 . 2010-05-23 21:50 73216 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\y7kv72dl.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc_fireftp.dll
2010-09-25 00:06 . 2010-04-18 18:33 307200 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\y7kv72dl.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\psftp.exe
2010-09-25 00:06 . 2010-04-18 18:33 172032 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\y7kv72dl.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\puttygen.exe
2010-09-23 05:35 . 2010-09-23 05:35 -------- d-----w- c:\documents and settings\Owner\Application DataComodoGroup
2010-09-23 05:33 . 2010-09-23 05:33 -------- d-----w- c:\documents and settings\Owner\Application Data\ComodoGroup
2010-09-23 05:32 . 2010-09-23 05:32 -------- d-----w- c:\program files\COMODO
2010-09-23 03:33 . 2010-09-24 02:39 63488 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-09-23 03:33 . 2010-09-23 03:33 52224 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-09-23 03:32 . 2010-09-24 02:39 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-09-23 03:32 . 2010-09-23 03:32 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2010-09-23 03:32 . 2010-09-23 03:32 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-09-23 03:32 . 2010-09-30 22:41 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-09-23 02:43 . 2010-09-23 02:43 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-4cd98790-n\msvcp71.dll
2010-09-23 02:43 . 2010-09-23 02:43 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-4cd98790-n\jmc.dll
2010-09-23 02:43 . 2010-09-23 02:43 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-4cd98790-n\msvcr71.dll
2010-09-23 02:42 . 2010-09-23 02:42 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-7fe31b41-n\decora-sse.dll
2010-09-23 02:42 . 2010-09-23 02:42 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-7fe31b41-n\decora-d3d.dll
2010-09-23 02:42 . 2010-07-17 09:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-20 02:06 . 2010-09-20 02:06 -------- d-----w- c:\documents and settings\Owner\Application Data\Eurotalk
2010-09-19 18:40 . 2010-09-19 18:40 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\PlayPond

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-15 19:34 . 2008-04-13 02:50 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-10-13 01:19 . 2008-04-13 02:50 -------- d-----w- c:\program files\SpywareBlaster
2010-10-06 19:50 . 2006-08-02 14:15 -------- d-----w- c:\program files\Common Files\Adobe
2010-09-24 23:59 . 2008-02-15 20:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-09-23 03:45 . 2008-07-01 03:52 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-09-23 02:54 . 2009-07-09 01:12 0 ----a-w- c:\windows\system32\drivers\crpf.sys
2010-09-23 02:46 . 2007-09-21 03:22 -------- d-----w- c:\program files\Java
2010-09-23 02:46 . 2007-09-21 03:21 -------- d-----w- c:\program files\Common Files\Java
2010-09-23 02:27 . 2008-02-16 19:41 -------- d-----w- c:\program files\Common Files\Intuit
2010-09-22 01:43 . 2010-08-15 18:39 -------- d-----w- c:\program files\Common Files\Sandlot Shared
2010-09-22 01:42 . 2009-04-20 05:19 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2010-09-07 15:12 . 2010-08-09 21:07 38848 ----a-w- c:\windows\avastSS.scr
2010-09-07 15:11 . 2008-06-29 04:43 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-09-07 14:52 . 2008-06-29 04:43 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-09-07 14:52 . 2008-06-29 04:43 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-09-07 14:47 . 2008-06-29 04:43 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-09-07 14:47 . 2008-06-29 04:43 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-09-07 14:47 . 2008-06-29 04:43 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-09-07 14:47 . 2008-06-29 04:43 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-09-07 14:46 . 2008-06-29 04:43 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-08-30 21:11 . 2010-08-30 20:57 -------- d-----w- c:\documents and settings\Owner\Application Data\OurPictures
2010-08-27 16:27 . 2010-08-27 16:27 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-08-27 16:27 . 2010-08-27 16:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-27 16:27 . 2010-08-27 16:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-25 04:24 . 2010-08-15 18:41 -------- d-----w- c:\program files\Mystery Case Files - Madame Fate
2010-08-25 01:30 . 2010-08-25 01:29 -------- d-----w- c:\documents and settings\Owner\Application Data\Go-Go Gourmet Chef of the Year
2010-08-21 05:26 . 2008-01-13 21:34 -------- d-----w- c:\documents and settings\Owner\Application Data\NeroDCTemplates
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-10-11 1961984]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2010-03-03 5244216]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-09-30 2424560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-03 13529088]
"nwiz"="nwiz.exe" [2008-05-03 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-03 86016]
"HostManager"="c:\program files\Common Files\AOL\1190762739\ee\AOLSoftware.exe" [2008-06-24 41824]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 03:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-23 08:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ALi5289]
2005-03-10 06:56 405504 -c--a-w- c:\program files\ULI5289\ALi5289.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
2007-06-06 16:04 50736 ----a-w- c:\program files\AOL 9.0\aol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2008-06-24 18:34 41824 ----a-w- c:\program files\Common Files\AOL\1190762739\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2010-03-03 17:32 5244216 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 16:24 1694208 --sh--w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 15:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2006-07-23 04:50 26112 -c--a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2004-12-22 09:09 77824 -c--a-w- c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
2006-07-21 21:19 129536 ----a-w- c:\progra~1\Yahoo!\browser\ybrwicon.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\browser\\ybrowser.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\1190762739\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\iWin Games\\WebUpdater.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Ahead\\Nero ShowTime\\ShowTime.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/28/2010 1:14 AM 64288]
R0 m5289;m5289;c:\windows\system32\drivers\m5289.sys [7/22/2006 3:51 PM 51840]
R0 uliagpkx;ULi AGP Bus Filter Driver;c:\windows\system32\drivers\AGPKX.SYS [7/22/2006 3:51 PM 45056]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [6/29/2008 12:43 AM 165584]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 ALIEHCD;ULi PCI to USB Enhanced Host Controller;c:\windows\system32\drivers\AliEhci.sys [7/24/2006 5:02 PM 84159]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [6/29/2008 12:43 AM 17744]
R2 Iprip;RIP Listener;c:\windows\System32\svchost.exe -k netsvcs [8/23/2001 8:00 AM 14336]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/12/2010 4:55 AM 1357464]
R3 aliroothub;USB 2.0 Root Hub;c:\windows\system32\drivers\AliRtHub.sys [7/24/2006 5:02 PM 5318]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [8/11/2010 11:36 AM 15008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the 'Scheduled Tasks' folder

2010-10-15 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-12 16:24]

2010-10-14 c:\windows\Tasks\COMODO System Cleaner Update.job
- c:\program files\COMODO\COMODO System-Cleaner\UpdateApplications.exe [2010-03-09 19:41]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
IE: &Yahoo! Search
IE: Free YouTube Download
IE: Free YouTube to Mp3 Converter
IE: Yahoo! &Dictionary
IE: Yahoo! &Maps
IE: Yahoo! &SMS
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\y7kv72dl.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\y7kv72dl.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\y7kv72dl.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc_fireftp.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
pref(dom.disable_open_during_load, true);c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-73586283-1284227242-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(600)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3020)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\windows\System32\tcpsvcs.exe
c:\windows\System32\snmp.exe
c:\windows\wanmpsvc.exe
c:\windows\System32\wbem\unsecapp.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2010-10-15 15:55:02 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-15 19:55
ComboFix2.txt 2010-10-12 15:58
ComboFix3.txt 2010-10-10 16:04
ComboFix4.txt 2010-10-09 16:07

Pre-Run: 46,144,790,528 bytes free
Post-Run: 46,200,246,272 bytes free

- - End Of File - - FABE807770E291C80A3100556E7EA8DA
 
Hello Bobbye, haven't heard from you and was wondering if you had time to check out the log that I sent.... and what the next step would be.
Thanks, Jaggs
 
Sorry- I'm backed up.

When you run Combofix, please observe this:
[6]. If Combofix asks you to update the program, always allow.

Are you having any current malware problems?
 
Hello Bobbye, welcome back... and a Happy Belated Birthday... I have had no issues with malware that I know of... however, I have been having an issue with the CPU spiking to 100% when reading e-mail on AOL... this happened after the Kill all fix... would that be another problem not related to the "redirect"? Thanks, Jaggs
 
Nothing from the KillAll switch would have caused these. The only way to check the CPU is to see what processes are using it. We all have spikes now and then. Best way is to prepare for shutdown but don't shut down. Open the Task Manager> Double click on frame over Processes: at this point you should only see use in taskmgr, System and System Idle. They should add up to 100% in the CPU. If you have any other processes at that time using more than 1 or 2 in the CPU column, put that process in a Google search and identify it.

As for AOL mail, that's another department.

Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
  • Choose Disk Cleanup
  • Click "OK" to select the partition or drive you want.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

Empty the Recycle Bin

Thank you for the good wishes. Am paying for the day off though!
 
Hello Bobbye, have done all that you have asked (with a few "DUHs" on my part) :)
Computer is working fine... Back to what it was, if not better than before all the problems... Have cleaned out and created a new restore point... removed all the previous restore points...

I can never thank you enough for the help... But if I ever do need help again... ;)

Thanks again
 