Inactive DNS Hijacking: Attempted and Failed


groweedallday

I am having the exact same problem as this user posted on 7-14-2010. Basically, every time I go to something awful dot com, the URL at the bottom of the screen flashes to google-analytics.com, at which point that tab will hang. It is rare for other sites to do this; however, it has happened where I try to access a site and get a 404 - Not Found.

I am running Win7 32-bit.
I prefer Firefox, but it also happens in IE.
I have run numerous Trojan removers, but some malicious code is always getting loaded in. No matter how many tools I use or problems that are found, I can never get to my favorite site.

here is the other "closed thread" https://www.techspot.com/vb/topic149973.html

I also have the issue where I am required to load explorer.exe in Task Manager to start Windows. Should I fix this problem first and then move on to my malicious code injection?

8-step logs attached. I appreciate any help and thank you all for your time.
 

Attachments

  • Attach.txt (16.3 KB)
  • DDS.txt (23.4 KB)
  • GMER.log (10.1 KB)

Could you clarify this 'exact same problem', please? Right now you refer to DNS hijack, Google Analytics and redirects. Unfortunately, I don't see a log for Malwarebytes, which would help me sort it out.

I don't see your homepage set as the same on the other 'Google analytics' thread. And I don't see the DNS hijack.

Please clarify this:
I also have the issue where I am required to load explorer.exe in task manager to start windows

You do have evidence of a rootkit, so please run the following:

Please download ComboFix from Here and save to your Desktop.

  1. Do NOT rename ComboFix unless instructed.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Close any open browsers.
  4. Double-click combofix.exe and follow the prompts to run.
     NOTE: ComboFix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  5. If ComboFix asks you to install Recovery Console, please allow it.
  6. If ComboFix asks you to update the program, always allow.
     Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
  7. A report will be generated after the scan. Please paste the C:\ComboFix.txt in next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs when you're done with ComboFix.

Paste the Combofix log in next reply. Okay to use more than one post if needed. Include the Mbam log also.
 
ComboFix will not run no matter what I do. I have installed, uninstalled, restarted, installed, turned off all programs... even the screen saver.

I am unable to get malwarebytes to run as well, thus no report.

Answer to your question:
I need to use the Task Manager to start my OS (explorer.exe).
When Windows boots, it will start and I see my user profile for a quick sec, then everything goes blank and all I can see is my pointer. Then Ctrl + Alt + Del and click Task Manager, then click Run and type explorer. Hit Enter and everything starts to load as normal: personal settings, startup programs and the like!
 
Last night I was a busy little boy.
I got ComboFix to work by hitting F2, adding a .exe, then running as admin. Next I got Malwarebytes to work; the report is now included. ComboFix solved the problem I was having when booting into Windows; it runs great.
Life would be Trojan-free if the rootkit was gone for good. Thanks for all the time and help you put forth, while still continuing to prevent malware from thriving on so many hard drives. Please let me know if you see something else odd in my reports.

combofix.txt: from last night / early morning
mbam-log 2010-10-06: last night/ early morning
MBAM-log 10-6-10: 10am this morning

*edit* Sorry, I must not have skipped over your last sentence that clearly instructed me to post my ComboFix log instead of attaching the file. Coming right up are the posted results from ComboFix and my last Malwarebytes log.
 

Attachments

  • Combofix.txt (26.3 KB)
  • mbam-log-2010-10-06 (06-13-05).txt (1.3 KB)
  • MBAM-log 10-6-10.txt (880 bytes)
ComboFix 10-10-05.01 - Nate 10/06/2010 0:44.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2047.1242 [GMT -5:00]
Running from: c:\users\Nate\Desktop\ComboFix.exe.exe
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Nate\AppData\Roaming\cglogs.dat
c:\users\Nate\AppData\Roaming\data.dat
c:\users\Nate\AppData\Roaming\explorer.exe
c:\users\Nate\AppData\Roaming\install\server.exe
c:\users\Nate\AppData\Roaming\SQLite3.dll
c:\users\Nate\AppData\Roaming\WindowsExplorer.log
c:\users\Nate\oashdihasidhasuidhiasdhiashdiuasdhasd
c:\windows\pthreadGC2.dll
c:\windows\run_setup.exe
c:\windows\system32\NSREG.DLL
.
((((((((((((((((((((((((( Files Created from 2010-09-06 to 2010-10-06 )))))))))))))))))))))))))))))))
.
2010-10-06 05:55 . 2010-10-06 05:55 -------- d-----w- c:\users\Nate\AppData\Local\temp
2010-10-06 05:55 . 2010-10-06 05:55 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-10-06 04:49 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-06 04:49 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-04 21:48 . 2010-06-19 06:15 2048 ----a-w- c:\windows\system32\tzres.dll
2010-10-04 18:58 . 2006-06-19 18:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-10-04 18:58 . 2006-05-25 20:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-10-04 18:58 . 2005-08-26 06:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-10-04 18:58 . 2002-03-06 06:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-10-04 18:58 . 2010-10-04 18:58 -------- d-----w- c:\program files\Trojan Remover
2010-10-04 18:58 . 2010-10-04 18:58 -------- d-----w- c:\users\Nate\AppData\Roaming\Simply Super Software
2010-10-04 18:58 . 2010-10-04 18:58 -------- d-----w- c:\programdata\Simply Super Software
2010-10-04 18:58 . 2003-02-03 01:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-10-04 00:44 . 2010-10-04 00:46 -------- d-----w- c:\program files\SpywareBlaster
2010-10-03 18:39 . 2010-10-06 05:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-03 06:25 . 2010-10-03 20:07 -------- dc----w- c:\programdata\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2010-10-03 06:24 . 2010-10-03 06:24 -------- d-----w- c:\program files\Lavasoft
2010-10-01 20:13 . 2010-10-03 20:07 -------- d-----w- c:\program files\PDF Creator
2010-09-27 18:00 . 2010-10-05 15:08 -------- d-----w- C:\N8
2010-09-24 00:54 . 2010-09-24 00:54 -------- d-----w- c:\program files\AirPort
2010-09-24 00:49 . 2010-09-24 00:49 -------- d-----w- c:\windows\Downloaded Installations
2010-09-21 19:35 . 2010-09-21 19:35 -------- d-----w- c:\program files\Drug Wars
2010-09-15 23:04 . 2010-09-15 23:05 -------- d-----w- c:\program files\QuickTime
2010-09-15 08:06 . 2010-09-15 08:06 -------- d-----w- c:\windows\PCHEALTH
2010-09-15 06:55 . 2010-08-21 05:32 316928 ----a-w- c:\windows\system32\spoolsv.exe
2010-09-14 02:17 . 2009-05-18 18:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-09-14 02:17 . 2008-04-17 17:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-09-14 02:15 . 2010-09-14 02:15 -------- d-----w- c:\program files\iPod
2010-09-14 02:15 . 2010-09-14 02:17 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-09-14 02:15 . 2010-09-14 02:17 -------- d-----w- c:\program files\iTunes
2010-09-14 02:14 . 2010-09-14 02:14 -------- d-----w- c:\program files\Apple Software Update
2010-09-14 02:07 . 2010-09-14 02:07 -------- d-----w- c:\program files\Bonjour
2010-09-13 23:00 . 2010-09-14 01:44 -------- d-----w- c:\users\Nate\.bh_gui
2010-09-13 12:20 . 2010-07-25 02:24 344064 ----a-w- c:\users\Nate\AppData\Roaming\Mozilla\Firefox\Profiles\so4xtik1.default\extensions\ietab@ip.cn\plugins\npCoralIETab.dll
2010-09-09 15:32 . 2010-09-09 15:32 -------- d-----w- c:\programdata\SRI
2010-09-09 15:27 . 2010-09-09 15:28 -------- d-----w- c:\program files\WinPcap
2010-09-09 14:34 . 2010-09-14 02:15 -------- d-----w- c:\program files\Common Files\Apple
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-06 05:54 . 2010-07-23 13:22 -------- d-----w- c:\users\Nate\AppData\Roaming\install
2010-10-06 05:36 . 2010-07-09 18:50 -------- d-----w- c:\program files\LogMeIn
2010-10-06 04:52 . 2010-01-21 12:20 -------- d-----w- c:\users\Nate\AppData\Roaming\Tor
2010-10-06 04:41 . 2010-01-21 12:20 -------- d-----w- c:\users\Nate\AppData\Roaming\Vidalia
2010-10-03 20:07 . 2009-07-14 02:37 -------- d-----w- c:\program files\Windows Mail
2010-10-03 20:07 . 2010-03-03 05:45 -------- d-----w- c:\users\Nate\AppData\Roaming\Winamp
2010-10-03 20:07 . 2010-02-02 03:20 -------- d-----w- c:\users\Nate\AppData\Roaming\uTorrent
2010-10-03 06:24 . 2010-01-22 02:10 -------- d-----w- c:\programdata\Lavasoft
2010-09-29 00:46 . 2009-10-30 13:16 -------- d-----w- c:\users\Nate\AppData\Roaming\.purple
2010-09-28 18:50 . 2009-10-27 15:28 -------- d-----w- c:\users\Nate\AppData\Roaming\gtk-2.0
2010-09-28 16:20 . 2009-10-03 15:29 -------- d-----w- c:\users\Nate\AppData\Roaming\GrabIt
2010-09-28 14:36 . 2009-09-24 23:27 -------- d-----w- c:\programdata\Microsoft Help
2010-09-24 00:58 . 2010-03-27 23:54 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-09-24 00:49 . 2010-08-25 22:48 -------- d-----w- c:\program files\Common Files\InstallShield
2010-09-23 19:26 . 2009-10-01 04:30 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-09-18 23:19 . 2009-11-06 06:44 -------- d-----w- c:\program files\Winamp
2010-09-17 12:46 . 2010-03-24 01:57 -------- d-----w- c:\users\Nate\AppData\Roaming\vlc
2010-09-16 23:23 . 2009-09-24 23:29 -------- d-----w- c:\program files\Microsoft.NET
2010-09-15 03:27 . 2009-10-04 20:37 -------- d-----w- c:\users\Nate\AppData\Roaming\Apple Computer
2010-09-09 14:32 . 2009-10-04 20:36 -------- d-----w- c:\programdata\Apple Computer
2010-09-01 14:12 . 2010-09-01 14:12 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 10.0.0.68\SetupAdmin.exe
2010-08-26 12:55 . 2010-08-26 12:55 -------- d-----w- c:\users\Nate\AppData\Roaming\GeoVid
2010-08-25 22:43 . 2010-08-25 22:43 -------- d-----w- c:\program files\Common Files\PctelEapPeer Authentication
2010-08-25 22:42 . 2010-08-25 22:42 -------- d-----w- c:\program files\Common Files\Research in Motion
2010-08-25 22:42 . 2010-08-25 22:42 -------- d-----w- c:\programdata\AT&T
2010-08-25 22:42 . 2010-08-25 22:42 -------- d-----w- c:\program files\AT&T
2010-08-25 22:40 . 2010-08-25 22:40 -------- d-----w- c:\program files\Common Files\Motorola Shared
2010-08-25 22:39 . 2010-08-25 22:39 -------- d-----w- c:\program files\Option
2010-08-25 22:38 . 2010-08-25 22:45 26504 ----a-w- c:\windows\system32\drivers\swmsflt.sys
2010-08-25 22:38 . 2010-08-25 22:38 -------- d-----w- c:\users\Nate\AppData\Roaming\Sierra Wireless
2010-08-25 22:38 . 2010-08-25 22:38 -------- d-----w- c:\program files\Sierra Wireless Inc
2010-08-24 11:35 . 2010-06-27 02:58 -------- d-----w- c:\users\Nate\AppData\Roaming\DVD Flick
2010-08-11 02:14 . 2010-08-11 02:14 -------- d-----w- c:\programdata\GeoVid
2010-08-11 02:14 . 2010-08-11 02:14 -------- d-----w- c:\program files\Common Files\GeoVid
2010-08-11 02:14 . 2010-08-11 02:14 -------- d-----w- c:\program files\GeoVid
2010-08-10 22:55 . 2010-08-10 22:55 -------- d-----w- c:\program files\Wondershare
2010-08-10 22:20 . 2010-08-10 22:20 -------- d-----w- c:\users\Nate\AppData\Roaming\U3
2010-08-10 21:56 . 2010-08-10 21:56 -------- d-----w- c:\program files\MagicISO
2010-08-10 17:03 . 2010-08-10 17:03 -------- d-----w- c:\program files\Microsoft
2010-08-08 04:27 . 2009-09-21 11:24 -------- d-----w- c:\users\Nate\AppData\Roaming\Media Player Classic
2010-08-07 16:41 . 2009-09-20 17:00 -------- d-----w- c:\program files\Songbird
2010-07-29 06:30 . 2010-08-12 22:21 197632 ----a-w- c:\windows\system32\ir32_32.dll
2010-07-29 06:30 . 2010-08-12 22:21 82944 ----a-w- c:\windows\system32\iccvid.dll
2010-07-27 23:44 . 2010-07-27 23:44 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-07-27 23:44 . 2010-07-27 23:44 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-07-27 23:44 . 2010-07-27 23:44 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-07-24 05:01 . 2010-07-24 05:01 890900 ----a-w- c:\users\Nate\AppData\Roaming\OpenCandy\OpenCandy_18C31CC45A9647C6A420D5B4E5AE8A78\p1v2USWoW_Installer.exe
2010-07-23 17:10 . 2005-04-08 02:16 8148 ---ha-w- c:\users\Nate\AppData\Roaming\Natelog.dat
2010-07-22 19:23 . 2010-07-22 19:23 160928 ----a-w- c:\users\Nate\AppData\Roaming\OpenCandy\OpenCandy_18C31CC45A9647C6A420D5B4E5AE8A78\World of WarCraft Trial.exe
2010-07-14 08:00 . 2010-07-26 20:40 108032 ----a-w- c:\windows\system32\ff_vfw.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-05-26 20:23 1385864 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Vidalia"="c:\program files\Vidalia Bundle\Vidalia\vidalia.exe" [2009-11-20 5262834]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
"avast!"="c:\program files\Alwil Software\Avast4\ashDisp.exe" [2009-09-15 81000]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2010-08-02 1167808]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^BumpTop.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\BumpTop.lnk
backup=c:\windows\pss\BumpTop.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^SABnzbd.lnk]
backup=c:\windows\pss\SABnzbd.lnk.CommonStartup
backupExtension=.CommonStartup
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\SABnzbd.lnk

[HKLM\~\startupfolder\C:^Users^Nate^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
backup=c:\windows\pss\OpenOffice.org 3.1.lnk.Startup
backupExtension=.Startup
path=c:\users\Nate\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2010-09-08 22:31 47904 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AT&T Communication Manager]
2008-06-10 03:27 33280 ----a-w- c:\program files\AT&T\Communication Manager\ATTCM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoStartNPSAgent]
2010-07-05 00:13 95576 ----a-w- c:\program files\Samsung\Samsung New PC Studio\NPSAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2009-04-23 13:51 691656 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 21:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-09-01 13:32 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
2010-01-27 17:22 63048 ----a-w- c:\program files\LogMeIn\x86\LogMeInSystray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 16:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-09-02 20:27 25623336 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2007-02-22 00:14 1183744 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2010-06-08 23:05 322352 ----a-w- c:\program files\uTorrent\uTorrent.exe

R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-09-24 721904]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [2008-05-23 106496]
R3 CAATT;AT&T Con App Svc;c:\program files\AT&T\Communication Manager\ConAppsSvc.exe [2008-05-23 118784]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
R3 ssecbus;Samsung Mobile Modem Device driver (WDM);c:\windows\system32\DRIVERS\ssecbus.sys [2010-04-27 86528]
R3 ssecmdfl;Samsung Mobile Modem Device 2 Filter;c:\windows\system32\DRIVERS\ssecmdfl.sys [2010-04-27 14976]
R3 ssecmdm;Samsung Mobile Modem Device 2 Driver;c:\windows\system32\DRIVERS\ssecmdm.sys [2010-04-27 114304]
R3 SWNC8U80;Sierra Wireless MUX NDIS Driver (UMTS80);c:\windows\system32\DRIVERS\swnc8u80.sys [2008-01-10 165248]
R3 SWUMX80;Sierra Wireless USB MUX Driver (UMTS80);c:\windows\system32\DRIVERS\swumx80.sys [2008-01-10 142976]
R3 vpcuxd;USB Virtualization Stub Service;c:\windows\system32\DRIVERS\vpcuxd.sys [2009-09-23 12800]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-25 1343400]
S1 aswSP;avast! Self Protection; [x]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-09-15 20560]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\DRIVERS\aswMonFlt.sys [2009-09-15 53328]
S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2010-07-05 238952]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2010-01-27 12856]
S3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\Drivers\ATSwpWDF.sys [2009-04-10 520704]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.SYS [2010-06-14 36608]
S3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-10-03 6000640]
S3 RICOH SmartCard Reader;RICOH SmartCard Reader;c:\windows\system32\DRIVERS\rismc32.sys [2006-10-03 47488]
S3 SMSCIRDA;SMSC Infrared Device Driver;c:\windows\system32\DRIVERS\SMSCirda.sys [2007-04-25 31232]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - FSUSBEXDISK

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
iissvcs REG_MULTI_SZ w3svc was
apphost REG_MULTI_SZ apphostsvc
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
(Next Post)
 
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: hilton.com\rms
Trusted Zone: marriott.com\extranet
FF - ProfilePath - c:\users\Nate\AppData\Roaming\Mozilla\Firefox\Profiles\so4xtik1.default\
FF - prefs.js: browser.search.selectedEngine - eBay
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL -
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBook.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBookDB.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpNeoLogger.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSaturn.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSeymour.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartSelect.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartWebPrinting.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSWPOperation.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPLogging.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTC.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTL.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXREStub.dll
FF - plugin: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\plugins\nphpclipbook.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np32asw.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - plugin: c:\users\Nate\AppData\Roaming\Mozilla\Firefox\Profiles\so4xtik1.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}\plugins\npGarmin.dll
FF - plugin: c:\users\Nate\AppData\Roaming\Mozilla\Firefox\Profiles\so4xtik1.default\extensions\ietab@ip.cn\plugins\npCoralIETab.dll
FF - plugin: c:\users\Nate\AppData\Roaming\Mozilla\Firefox\Profiles\so4xtik1.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\windows\system32\Wat\npWatWeb.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

- - - - ORPHANS REMOVED - - - -

HKCU-Run-fsm - (no file)
HKCU-Run-HKCU_icqsetup - c:\users\Nate\AppData\Roaming\install\server.exe
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
HKLM-Run-NPSStartup - (no file)
HKLM-Run-HKLM_icqsetup - c:\users\Nate\AppData\Roaming\install\server.exe
MSConfigStartUp-black - c:\users\Nate\AppData\Roaming\server.exe
MSConfigStartUp-FixCamera - c:\windows\FixCamera.exe
MSConfigStartUp-Google Update - c:\users\Nate\AppData\Local\Google\Update\GoogleUpdate.exe
MSConfigStartUp-HKCU_icqsetup - c:\users\Nate\AppData\Roaming\install\server.exe
MSConfigStartUp-HKCU_MSSYSTEMS - c:\users\Nate\AppData\Roaming\install\server.exe
MSConfigStartUp-HKLM_icqsetup - c:\users\Nate\AppData\Roaming\install\server.exe
MSConfigStartUp-tsnpstd3 - c:\windows\tsnpstd3.exe
MSConfigStartUp-Windows File Explorer - c:\users\Nate\AppData\Roaming\Explorer.EXE
AddRemove-01_Simmental - c:\program files\Samsung\USB Drivers\01_Simmental\Uninstall.exe
AddRemove-02_Siberian - c:\program files\Samsung\USB Drivers\02_Siberian\Uninstall.exe
AddRemove-03_Swallowtail - c:\program files\Samsung\USB Drivers\03_Swallowtail\Uninstall.exe
AddRemove-04_semseyite - c:\program files\Samsung\USB Drivers\04_semseyite\Uninstall.exe
AddRemove-05_Sloan - c:\program files\Samsung\USB Drivers\05_Sloan\Uninstall.exe
AddRemove-06_Spencer - c:\program files\Samsung\USB Drivers\06_Spencer\Uninstall.exe
AddRemove-07_Schorl - c:\program files\Samsung\USB Drivers\07_Schorl\Uninstall.exe
AddRemove-08_EMPChipset - c:\program files\Samsung\USB Drivers\08_EMPChipset\Uninstall.exe
AddRemove-09_Hsp - c:\program files\Samsung\USB Drivers\09_Hsp\Uninstall.exe
AddRemove-11_HSP_Plus_Default - c:\program files\Samsung\USB Drivers\11_HSP_Plus_Default\Uninstall.exe
AddRemove-16_Shrewsbury - c:\program files\Samsung\USB Drivers\16_Shrewsbury\Uninstall.exe
AddRemove-17_EMP_Chipset2 - c:\program files\Samsung\USB Drivers\17_EMP_Chipset2\Uninstall.exe
AddRemove-18_Zinia_Serial_Driver - c:\program files\Samsung\USB Drivers\18_Zinia_Serial_Driver\Uninstall.exe
AddRemove-19_VIA_driver - c:\program files\Samsung\USB Drivers\19_VIA_driver\Uninstall.exe
AddRemove-20_NXP_Driver - c:\program files\Samsung\USB Drivers\20_NXP_Driver\Uninstall.exe
AddRemove-21_Searsburg - c:\program files\Samsung\USB Drivers\21_Searsburg\Uninstall.exe
AddRemove-22_WiBro_WiMAX - c:\program files\Samsung\USB Drivers\22_WiBro_WiMAX\Uninstall.exe
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: >>UNKNOWN [0x82E4B000]<< >>UNKNOWN [0x89592000]<< >>UNKNOWN [0x89581000]<< >>UNKNOWN [0x85F97EC5]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
IoDeviceObjectType -> DumpProcedure -> 0xd46a624f
SecurityProcedure -> 0x84ec2418
QueryNameProcedure -> 0x84ec25a8
user & kernel MBR OK

**************************************************************************
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)

Pre-Run: 12,281,815,040 bytes free
Post-Run: 12,234,620,928 bytes free

- - End Of File - - 99160FF2C025AC930878C3BAB8FE8772
 
Malwarebytes is showing up clean as well...

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4754

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

10/6/2010 10:07:11 AM
mbam-log-2010-10-06 (10-07-11).txt

Scan type: Quick scan
Objects scanned: 150045
Time elapsed: 6 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
Good for you! I was busy setting up ways for you to get around the problem! I'm setting up some script for you to run through ComboFix now (it will include replacing a suspicious rootkit file).

Here is information about a program you have running:
BumpTop has been acquired by Google. It is no longer being supported or updated. The free copy will no longer be available after the second week in May, 2010. You have several registry entries for this. Would you like for me to include them in the script for removal? Let me know.
==================================
Please download MBR Rootkit Detector and save it on your desktop.
  • Pause/Stop all antivirus/spyware active protection.
  • Then double click on mbr.exe to run it.
  • Select Run when you receive a Security Warning
  • The process is automatic, a black DOS window will appear and disappear suddenly. This is normal.
  • A log file will then be created on your desktop where you ran mbr.exe
  • Copy and paste the contents of mbr.log on your next reply.
============================
Follow with download of HijackThis Installer and save to the desktop:
  1. Double-click on HJTInstall.exe to run the program.
  2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
  3. Accept the license agreement by clicking the "I Accept" button.
  4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  5. Click "Save log" to save the log file and then the log will open in notepad.
  6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Need to make sure the DNS Changer is gone.

Edit: I notice you removed/uninstalled many programs and drivers. You might want to run TFC again, then empty the Recycle Bin.
 
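The post above asks for confirmation that the DNS Changer is gone. The script below is an added example for readers of this thread; it is not part of the original posts and is not output of, or a replacement for, ComboFix, MBR Rootkit Detector or HijackThis. It reads (and never writes) the places a Windows DNS changer or browser-redirect infection usually touches: the per-adapter resolver values under Tcpip\Parameters\Interfaces, the hosts file, the IE proxy/PAC settings, and the UAC policy values that ComboFix lists under policies\system later in the thread (EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop all at 0). The `$ExpectedResolvers` list is an assumption: replace it with the resolvers your router, ISP or chosen public DNS really uses. It is written for the PowerShell 2.0 that ships with Windows 7 and should be run from an elevated prompt.

```powershell
# Added example, not from the original thread. Read-only audit of the settings
# a Windows "DNS changer" / browser-redirect infection typically edits, plus the
# UAC policy values ComboFix reports. Works on PowerShell 2.0 (Windows 7).

$ExpectedResolvers = @('192.168.1.1', '8.8.8.8', '8.8.4.4')   # assumed; edit for your network

function Get-InterfaceDnsServers {
    # Per-adapter resolver settings live here. A changer writes a static
    # NameServer value so it overrides the DHCP-supplied DhcpNameServer.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
    foreach ($key in (Get-ChildItem $base)) {
        $props = Get-ItemProperty $key.PSPath
        foreach ($name in 'NameServer', 'DhcpNameServer') {
            $raw = $props.$name
            if (-not $raw) { continue }
            foreach ($addr in ($raw -split '[ ,]+')) {
                if (-not $addr) { continue }
                New-Object PSObject -Property @{
                    Interface = $key.PSChildName
                    Source    = $name
                    Server    = $addr
                    Expected  = ($ExpectedResolvers -contains $addr)
                }
            }
        }
    }
}

function Get-HostsOverrides {
    # Every active hosts entry bypasses DNS. A clean Windows 7 hosts file has
    # all entries commented out, so anything beyond "127.0.0.1 localhost" /
    # "::1 localhost" deserves a look (e.g. an analytics domain pointed elsewhere).
    $path = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    foreach ($line in (Get-Content $path)) {
        $text = ($line -replace '#.*$', '').Trim()
        if (-not $text) { continue }
        $fields = $text -split '\s+'
        if ($fields.Length -lt 2) { continue }
        $ip    = $fields[0]
        $names = $fields[1..($fields.Length - 1)] -join ' '
        $isLoopbackDefault = (@('127.0.0.1', '::1') -contains $ip) -and ($names -eq 'localhost')
        New-Object PSObject -Property @{
            Address    = $ip
            Hostnames  = $names
            Suspicious = (-not $isLoopbackDefault)
        }
    }
}

function Get-UacPolicy {
    # Windows 7 defaults: EnableLUA=1, ConsentPromptBehaviorAdmin=5,
    # PromptOnSecureDesktop=1. A value explicitly set to 0 weakens or disables UAC.
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $props = Get-ItemProperty $key
    foreach ($name in 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'PromptOnSecureDesktop') {
        $value = $props.$name
        New-Object PSObject -Property @{
            Setting  = $name
            Value    = $value
            Weakened = (($value -ne $null) -and ($value -eq 0))
        }
    }
}

function Get-IeProxyConfig {
    # A forced proxy or PAC script (AutoConfigURL) redirects the browser without
    # touching DNS at all, so check it alongside the resolver settings.
    $key   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $props = Get-ItemProperty $key
    New-Object PSObject -Property @{
        ProxyEnable   = $props.ProxyEnable
        ProxyServer   = $props.ProxyServer
        AutoConfigURL = $props.AutoConfigURL
        Suspicious    = (($props.ProxyEnable -eq 1) -or [bool]$props.AutoConfigURL)
    }
}

Get-InterfaceDnsServers | Format-Table Interface, Source, Server, Expected -AutoSize
Get-HostsOverrides      | Format-Table Address, Hostnames, Suspicious -AutoSize
Get-UacPolicy           | Format-Table Setting, Value, Weakened -AutoSize
Get-IeProxyConfig       | Format-List
```

Any resolver flagged `Expected = False`, any hosts line flagged `Suspicious`, or a `ProxyEnable`/`AutoConfigURL` you did not set yourself is worth pasting into the thread before declaring the DNS changer gone. The `Weakened = True` rows explain why a redirect trojan could install drivers without a UAC prompt; restoring those three values to their defaults after cleanup is a separate step from removal.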
Hello again Bobbye,
Here are the two reports you requested. These were run pre-TFC and I went ahead with removing BumpTop with its uninstaller. So yes, please, if you would be so kind as to include the BumpTop registry removal in the ComboFix script you are creating for me. I am somewhat sure DNS Changer is removed.

MBR
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

HiJackThis:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:51:57 PM, on 10/6/2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://khmr.hilton.com/activex/ScriptX/smsx.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\Windows\system32\AEADISRV.EXE
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AT&T RcAppSvc (ATTRcAppSvc) - PCTEL - C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: AT&T Con App Svc (CAATT) - PCTEL - C:\Program Files\AT&T\Communication Manager\ConAppsSvc.exe
O23 - Service: FsUsbExService - Teruten - C:\Windows\system32\FsUsbExService.Exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 5809 bytes
 
Please run this Custom CFScript


  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad and copy/paste the text in the code below into it:
Code:
File::
c:\users\Nate\AppData\Roaming\OpenCandy\OpenCandy_18C31CC45A9647C6A420D5B4E5AE8A78\World of WarCraft Trial.exe
c:\users\Nate\AppData\Roaming\OpenCandy\OpenCandy_18C31CC45A9647C6A420D5B4E5AE8A78\p1v2USWoW_Installer.exe

Registry::
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=- 
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=- 
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^BumpTop.lnk]
path=-
backup=-
backupExtension=-

DirLook::
C:\N8
Driver::
aswSP
FCopy::
C:\WINDOWS\ServicePackFiles\i386\atapi.sys | C:\Windows\System32\drivers\atapi.sys
Save this as CFScript.txt, in the same location as ComboFix.exe
[image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================
 
ComboFix 10-10-07.02 - Nate 10/08/2010 22:44:52.2.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2047.1196 [GMT -5:00]
Running from: c:\users\Nate\Desktop\ComboFix.exe.exe
Command switches used :: c:\users\Nate\Desktop\CFScript.txt

FILE ::
"c:\users\Nate\AppData\Roaming\OpenCandy\OpenCandy_18C31CC45A9647C6A420D5B4E5AE8A78\p1v2USWoW_Installer.exe"
"c:\users\Nate\AppData\Roaming\OpenCandy\OpenCandy_18C31CC45A9647C6A420D5B4E5AE8A78\World of WarCraft Trial.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\drivers\rdprefmp.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASWSP
-------\Service_aswSP


((((((((((((((((((((((((( Files Created from 2010-09-09 to 2010-10-09 )))))))))))))))))))))))))))))))
.

2010-10-09 03:54 . 2010-10-09 03:54 -------- d-----w- c:\users\Nate\AppData\Local\temp
2010-10-09 03:41 . 2010-10-09 03:41 -------- d-----w- C:\Device
2010-10-09 03:12 . 2010-10-09 03:13 -------- d-----w- C:\32788R22FWJFW
2010-10-09 03:03 . 2010-10-09 03:03 -------- d-----w- c:\program files\Common Files\Adobe
2010-10-08 20:40 . 2010-10-08 20:40 -------- d-----w- c:\program files\MSECache
2010-10-07 11:59 . 2010-10-07 11:59 -------- d-----w- c:\windows\system32\wbem\Logs
2010-10-07 04:49 . 2010-10-07 04:49 388096 ----a-r- c:\users\Nate\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-10-07 04:49 . 2010-10-07 04:49 -------- d-----w- c:\program files\Trend Micro
2010-10-06 04:49 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-06 04:49 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-04 21:48 . 2010-06-19 06:15 2048 ----a-w- c:\windows\system32\tzres.dll
2010-10-04 18:58 . 2006-06-19 18:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-10-04 18:58 . 2006-05-25 20:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-10-04 18:58 . 2005-08-26 06:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-10-04 18:58 . 2002-03-06 06:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-10-04 18:58 . 2010-10-04 18:58 -------- d-----w- c:\program files\Trojan Remover
2010-10-04 18:58 . 2010-10-04 18:58 -------- d-----w- c:\users\Nate\AppData\Roaming\Simply Super Software
2010-10-04 18:58 . 2010-10-04 18:58 -------- d-----w- c:\programdata\Simply Super Software
2010-10-04 18:58 . 2003-02-03 01:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-10-04 00:44 . 2010-10-08 00:38 -------- d-----w- c:\program files\SpywareBlaster
2010-10-03 18:39 . 2010-10-06 06:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-03 06:25 . 2010-10-03 20:07 -------- dc----w- c:\programdata\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2010-10-03 06:24 . 2010-10-03 06:24 -------- d-----w- c:\program files\Lavasoft
2010-10-01 20:13 . 2010-10-03 20:07 -------- d-----w- c:\program files\PDF Creator
2010-09-27 18:00 . 2010-10-08 21:56 -------- d-----w- C:\N8
2010-09-24 00:54 . 2010-09-24 00:54 -------- d-----w- c:\program files\AirPort
2010-09-24 00:49 . 2010-09-24 00:49 -------- d-----w- c:\windows\Downloaded Installations
2010-09-21 19:35 . 2010-09-21 19:35 -------- d-----w- c:\program files\Drug Wars
2010-09-15 23:04 . 2010-09-15 23:05 -------- d-----w- c:\program files\QuickTime
2010-09-15 08:06 . 2010-09-15 08:06 -------- d-----w- c:\windows\PCHEALTH
2010-09-15 06:55 . 2010-08-21 05:32 316928 ----a-w- c:\windows\system32\spoolsv.exe
2010-09-14 02:17 . 2009-05-18 18:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-09-14 02:17 . 2008-04-17 17:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-09-14 02:15 . 2010-09-14 02:15 -------- d-----w- c:\program files\iPod
2010-09-14 02:15 . 2010-09-14 02:17 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-09-14 02:15 . 2010-09-14 02:17 -------- d-----w- c:\program files\iTunes
2010-09-14 02:14 . 2010-09-14 02:14 -------- d-----w- c:\program files\Apple Software Update
2010-09-14 02:07 . 2010-09-14 02:07 -------- d-----w- c:\program files\Bonjour
2010-09-13 23:00 . 2010-09-14 01:44 -------- d-----w- c:\users\Nate\.bh_gui
2010-09-13 12:20 . 2010-07-25 02:24 344064 ----a-w- c:\users\Nate\AppData\Roaming\Mozilla\Firefox\Profiles\so4xtik1.default\extensions\ietab@ip.cn\plugins\npCoralIETab.dll
2010-09-09 15:32 . 2010-09-09 15:32 -------- d-----w- c:\programdata\SRI
2010-09-09 15:27 . 2010-09-09 15:28 -------- d-----w- c:\program files\WinPcap
2010-09-09 14:34 . 2010-09-14 02:15 -------- d-----w- c:\program files\Common Files\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-09 03:58 . 2010-01-21 12:20 -------- d-----w- c:\users\Nate\AppData\Roaming\Tor
2010-10-07 22:44 . 2010-01-21 12:20 -------- d-----w- c:\users\Nate\AppData\Roaming\Vidalia
2010-10-07 05:23 . 2010-03-24 01:57 -------- d-----w- c:\users\Nate\AppData\Roaming\vlc
2010-10-06 05:54 . 2010-07-23 13:22 -------- d-----w- c:\users\Nate\AppData\Roaming\install
2010-10-06 05:36 . 2010-07-09 18:50 -------- d-----w- c:\program files\LogMeIn
2010-10-03 20:07 . 2009-07-14 02:37 -------- d-----w- c:\program files\Windows Mail
2010-10-03 20:07 . 2010-03-03 05:45 -------- d-----w- c:\users\Nate\AppData\Roaming\Winamp
2010-10-03 20:07 . 2010-02-02 03:20 -------- d-----w- c:\users\Nate\AppData\Roaming\uTorrent
2010-10-03 06:24 . 2010-01-22 02:10 -------- d-----w- c:\programdata\Lavasoft
2010-09-29 00:46 . 2009-10-30 13:16 -------- d-----w- c:\users\Nate\AppData\Roaming\.purple
2010-09-28 18:50 . 2009-10-27 15:28 -------- d-----w- c:\users\Nate\AppData\Roaming\gtk-2.0
2010-09-28 16:20 . 2009-10-03 15:29 -------- d-----w- c:\users\Nate\AppData\Roaming\GrabIt
2010-09-28 14:36 . 2009-09-24 23:27 -------- d-----w- c:\programdata\Microsoft Help
2010-09-24 00:58 . 2010-03-27 23:54 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-09-24 00:49 . 2010-08-25 22:48 -------- d-----w- c:\program files\Common Files\InstallShield
2010-09-23 19:26 . 2009-10-01 04:30 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-09-18 23:19 . 2009-11-06 06:44 -------- d-----w- c:\program files\Winamp
2010-09-16 23:23 . 2009-09-24 23:29 -------- d-----w- c:\program files\Microsoft.NET
2010-09-15 03:27 . 2009-10-04 20:37 -------- d-----w- c:\users\Nate\AppData\Roaming\Apple Computer
2010-09-09 14:32 . 2009-10-04 20:36 -------- d-----w- c:\programdata\Apple Computer
2010-09-01 14:12 . 2010-09-01 14:12 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 10.0.0.68\SetupAdmin.exe
2010-08-26 12:55 . 2010-08-26 12:55 -------- d-----w- c:\users\Nate\AppData\Roaming\GeoVid
2010-08-25 22:43 . 2010-08-25 22:43 -------- d-----w- c:\program files\Common Files\PctelEapPeer Authentication
2010-08-25 22:42 . 2010-08-25 22:42 -------- d-----w- c:\program files\Common Files\Research in Motion
2010-08-25 22:42 . 2010-08-25 22:42 -------- d-----w- c:\programdata\AT&T
2010-08-25 22:42 . 2010-08-25 22:42 -------- d-----w- c:\program files\AT&T
2010-08-25 22:40 . 2010-08-25 22:40 -------- d-----w- c:\program files\Common Files\Motorola Shared
2010-08-25 22:39 . 2010-08-25 22:39 -------- d-----w- c:\program files\Option
2010-08-25 22:38 . 2010-08-25 22:45 26504 ----a-w- c:\windows\system32\drivers\swmsflt.sys
2010-08-25 22:38 . 2010-08-25 22:38 -------- d-----w- c:\users\Nate\AppData\Roaming\Sierra Wireless
2010-08-25 22:38 . 2010-08-25 22:38 -------- d-----w- c:\program files\Sierra Wireless Inc
2010-08-24 11:35 . 2010-06-27 02:58 -------- d-----w- c:\users\Nate\AppData\Roaming\DVD Flick
2010-08-11 02:14 . 2010-08-11 02:14 -------- d-----w- c:\programdata\GeoVid
2010-08-11 02:14 . 2010-08-11 02:14 -------- d-----w- c:\program files\Common Files\GeoVid
2010-08-11 02:14 . 2010-08-11 02:14 -------- d-----w- c:\program files\GeoVid
2010-08-10 22:55 . 2010-08-10 22:55 -------- d-----w- c:\program files\Wondershare
2010-08-10 22:20 . 2010-08-10 22:20 -------- d-----w- c:\users\Nate\AppData\Roaming\U3
2010-08-10 21:56 . 2010-08-10 21:56 -------- d-----w- c:\program files\MagicISO
2010-08-10 17:03 . 2010-08-10 17:03 -------- d-----w- c:\program files\Microsoft
2010-07-29 06:30 . 2010-08-12 22:21 197632 ----a-w- c:\windows\system32\ir32_32.dll
2010-07-29 06:30 . 2010-08-12 22:21 82944 ----a-w- c:\windows\system32\iccvid.dll
2010-07-27 23:44 . 2010-07-27 23:44 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-07-27 23:44 . 2010-07-27 23:44 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-07-27 23:44 . 2010-07-27 23:44 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-07-24 05:01 . 2010-07-24 05:01 890900 ----a-w- c:\users\Nate\AppData\Roaming\OpenCandy\OpenCandy_18C31CC45A9647C6A420D5B4E5AE8A78\p1v2USWoW_Installer.exe
2010-07-23 17:10 . 2005-04-08 02:16 8148 ---ha-w- c:\users\Nate\AppData\Roaming\Natelog.dat
2010-07-22 19:23 . 2010-07-22 19:23 160928 ----a-w- c:\users\Nate\AppData\Roaming\OpenCandy\OpenCandy_18C31CC45A9647C6A420D5B4E5AE8A78\World of WarCraft Trial.exe
2010-07-14 08:00 . 2010-07-26 20:40 108032 ----a-w- c:\windows\system32\ff_vfw.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of C:\N8 ----

2010-10-08 21:56 . 2010-10-08 21:56 165 ---ha-w- c:\n8\~$finance.xlsx
2010-10-08 16:11 . 2010-10-08 16:11 268570 ----a-w- c:\n8\Timothy-Leary-The-Psychedelic-Experience-The-Tibetan-Book-Of-The-Dead.pdf
2010-10-04 00:49 . 2010-10-04 00:49 427799 ----a-w- c:\n8\bookmarks-2010-10-03.json
2010-09-25 20:57 . 2010-10-07 17:23 14785 ----a-w- c:\n8\finance.xlsx


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Vidalia"="c:\program files\Vidalia Bundle\Vidalia\vidalia.exe" [2009-11-20 5262834]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2010-08-02 1167808]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^BumpTop.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\BumpTop.lnk
backup=c:\windows\pss\BumpTop.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^SABnzbd.lnk]
backup=c:\windows\pss\SABnzbd.lnk.CommonStartup
backupExtension=.CommonStartup
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\SABnzbd.lnk

[HKLM\~\startupfolder\C:^Users^Nate^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
backup=c:\windows\pss\OpenOffice.org 3.1.lnk.Startup
backupExtension=.Startup
path=c:\users\Nate\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 04:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-23 09:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2010-09-08 22:31 47904 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AT&T Communication Manager]
2008-06-10 03:27 33280 ----a-w- c:\program files\AT&T\Communication Manager\ATTCM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoStartNPSAgent]
2010-07-05 00:13 95576 ----a-w- c:\program files\Samsung\Samsung New PC Studio\NPSAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2009-04-23 13:51 691656 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 21:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-09-01 13:32 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
2010-01-27 17:22 63048 ----a-w- c:\program files\LogMeIn\x86\LogMeInSystray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 16:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-09-02 20:27 25623336 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2007-02-22 00:14 1183744 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2010-06-08 23:05 322352 ----a-w- c:\program files\uTorrent\uTorrent.exe

R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-09-24 721904]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-09-15 20560]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [2008-05-23 106496]
R3 CAATT;AT&T Con App Svc;c:\program files\AT&T\Communication Manager\ConAppsSvc.exe [2008-05-23 118784]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
R3 ssecbus;Samsung Mobile Modem Device driver (WDM);c:\windows\system32\DRIVERS\ssecbus.sys [2010-04-27 86528]
R3 ssecmdfl;Samsung Mobile Modem Device 2 Filter;c:\windows\system32\DRIVERS\ssecmdfl.sys [2010-04-27 14976]
R3 ssecmdm;Samsung Mobile Modem Device 2 Driver;c:\windows\system32\DRIVERS\ssecmdm.sys [2010-04-27 114304]
R3 SWNC8U80;Sierra Wireless MUX NDIS Driver (UMTS80);c:\windows\system32\DRIVERS\swnc8u80.sys [2008-01-10 165248]
R3 SWUMX80;Sierra Wireless USB MUX Driver (UMTS80);c:\windows\system32\DRIVERS\swumx80.sys [2008-01-10 142976]
R3 vpcuxd;USB Virtualization Stub Service;c:\windows\system32\DRIVERS\vpcuxd.sys [2009-09-23 12800]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-25 1343400]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\DRIVERS\aswMonFlt.sys [2009-09-15 53328]
S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2010-07-05 238952]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2010-01-27 12856]
S3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\Drivers\ATSwpWDF.sys [2009-04-10 520704]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.SYS [2010-06-14 36608]
S3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-10-03 6000640]
S3 RICOH SmartCard Reader;RICOH SmartCard Reader;c:\windows\system32\DRIVERS\rismc32.sys [2006-10-03 47488]
S3 SMSCIRDA;SMSC Infrared Device Driver;c:\windows\system32\DRIVERS\SMSCirda.sys [2007-04-25 31232]
 
--- Other Services/Drivers In Memory ---

*NewlyCreated* - FSUSBEXDISK

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
iissvcs REG_MULTI_SZ w3svc was
apphost REG_MULTI_SZ apphostsvc
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: hilton.com\rms
Trusted Zone: marriott.com\extranet
FF - ProfilePath - c:\users\Nate\AppData\Roaming\Mozilla\Firefox\Profiles\so4xtik1.default\
FF - prefs.js: browser.search.selectedEngine - eBay
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL -
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBook.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBookDB.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpNeoLogger.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSaturn.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSeymour.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartSelect.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartWebPrinting.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSWPOperation.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPLogging.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTC.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTL.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXREStub.dll
FF - plugin: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\plugins\nphpclipbook.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np32asw.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - plugin: c:\users\Nate\AppData\Roaming\Mozilla\Firefox\Profiles\so4xtik1.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}\plugins\npGarmin.dll
FF - plugin: c:\users\Nate\AppData\Roaming\Mozilla\Firefox\Profiles\so4xtik1.default\extensions\ietab@ip.cn\plugins\npCoralIETab.dll
FF - plugin: c:\users\Nate\AppData\Roaming\Mozilla\Firefox\Profiles\so4xtik1.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\windows\system32\Wat\npWatWeb.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-dmboot.sys
SafeBoot-dmio.sys
SafeBoot-dmload.sys
SafeBoot-dmadmin
SafeBoot-dmserver
SafeBoot-SRService
AddRemove-Octoshape add-in for Adobe Flash Player - c:\users\Nate\AppData\Roaming\Macromedia\Flash Player\


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(4184)
c:\windows\System32\NLSData0009.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\AEADISRV.EXE
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
c:\windows\system32\conhost.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Vidalia Bundle\Tor\tor.exe
c:\windows\system32\conhost.exe
c:\program files\Vidalia Bundle\Polipo\polipo.exe
c:\windows\system32\conhost.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\DllHost.exe
c:\windows\system32\sppsvc.exe
.
**************************************************************************
.
Completion time: 2010-10-08 23:02:58 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-09 04:02
ComboFix2.txt 2010-10-06 06:00

Pre-Run: 12,991,705,088 bytes free
Post-Run: 12,952,137,728 bytes free

- - End Of File - - 2BACF89830CD7CC1114B86AB04A8C48B
 
Please run this Custom CFScript

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad and copy/paste the text in the code below into it:
Code:
File::
c:\users\Nate\AppData\Roaming\OpenCandy\OpenCandy_18C31CC45A9647C6A420D5B4E 5AE8A78\p1v2USWoW_Installer.exe
c:\users\Nate\AppData\Roaming\OpenCandy\OpenCandy_18C31CC45A9647C6A420D5B4E 5AE8A78\World of WarCraft Trial.exe
c:\windows\pss\BumpTop.lnk

DirLook::
C:\Device
Registry::
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^BumpTop.lnk]
RegLock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================
You will need to do a manual removal for the BumpTop files:
You will need to display hidden files and folders: Using Windows Explorer: Windows key + E>
  • Click on Tools> Folder Options> View tab>
  • Check 'show hidden files and folders'>
  • Uncheck 'hide operating system files (Recommended)'>
  • Click on My Computer> Local Drive> Documents & Settings> All Users>
  • Application data> do a right click> Delete on any iWin files or folders to remove>
  • Click on Apply> OK when finished.
Now go back and rehide the files and folders, Close Windows Explorer.
===========================================
Run Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Are you still noticing any of the original problems?
 
ComboFix 10-10-11.01 - Nate 10/11/2010 19:15:34.3.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2047.1211 [GMT -5:00]
Running from: c:\users\Nate\Desktop\ComboFix.exe.exe
Command switches used :: c:\users\Nate\Desktop\CFScript.txt

FILE ::
"c:\users\Nate\AppData\Roaming\OpenCandy\OpenCandy_18C31CC45A9647C6A420D5B4E 5AE8A78\p1v2USWoW_Installer.exe"
"c:\users\Nate\AppData\Roaming\OpenCandy\OpenCandy_18C31CC45A9647C6A420D5B4E 5AE8A78\World of WarCraft Trial.exe"
"c:\windows\pss\BumpTop.lnk"
.

((((((((((((((((((((((((( Files Created from 2010-09-12 to 2010-10-12 )))))))))))))))))))))))))))))))
.

2010-10-12 00:26 . 2010-10-12 00:26 -------- d-----w- c:\users\Nate\AppData\Local\temp
2010-10-12 00:26 . 2010-10-12 00:26 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-10-12 00:03 . 2010-10-12 00:04 -------- d-----w- C:\32788R22FWJFW
2010-10-09 03:41 . 2010-10-09 03:41 -------- d-----w- C:\Device
2010-10-09 03:03 . 2010-10-09 03:03 -------- d-----w- c:\program files\Common Files\Adobe
2010-10-08 20:40 . 2010-10-08 20:40 -------- d-----w- c:\program files\MSECache
2010-10-08 09:08 . 2010-09-09 22:52 6084944 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{1E06FC56-124C-4AE9-AC77-6992AD12CE53}\mpengine.dll
2010-10-07 11:59 . 2010-10-07 11:59 -------- d-----w- c:\windows\system32\wbem\Logs
2010-10-07 04:49 . 2010-10-07 04:49 388096 ----a-r- c:\users\Nate\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-10-07 04:49 . 2010-10-07 04:49 -------- d-----w- c:\program files\Trend Micro
2010-10-06 04:49 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-06 04:49 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-04 21:48 . 2010-06-19 06:15 2048 ----a-w- c:\windows\system32\tzres.dll
2010-10-04 18:58 . 2006-06-19 18:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-10-04 18:58 . 2006-05-25 20:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-10-04 18:58 . 2005-08-26 06:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-10-04 18:58 . 2002-03-06 06:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-10-04 18:58 . 2010-10-04 18:58 -------- d-----w- c:\program files\Trojan Remover
2010-10-04 18:58 . 2010-10-04 18:58 -------- d-----w- c:\users\Nate\AppData\Roaming\Simply Super Software
2010-10-04 18:58 . 2010-10-04 18:58 -------- d-----w- c:\programdata\Simply Super Software
2010-10-04 18:58 . 2003-02-03 01:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-10-04 00:44 . 2010-10-08 00:38 -------- d-----w- c:\program files\SpywareBlaster
2010-10-03 18:39 . 2010-10-06 06:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-03 06:25 . 2010-10-03 20:07 -------- dc----w- c:\programdata\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2010-10-03 06:24 . 2010-10-03 06:24 -------- d-----w- c:\program files\Lavasoft
2010-10-01 20:13 . 2010-10-03 20:07 -------- d-----w- c:\program files\PDF Creator
2010-09-27 18:00 . 2010-10-11 17:14 -------- d-----w- C:\N8
2010-09-24 00:54 . 2010-09-24 00:54 -------- d-----w- c:\program files\AirPort
2010-09-24 00:49 . 2010-09-24 00:49 -------- d-----w- c:\windows\Downloaded Installations
2010-09-23 23:40 . 2010-09-14 22:59 14808 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe
2010-09-23 23:40 . 2010-09-14 22:59 718296 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll
2010-09-22 23:10 . 2010-09-22 23:10 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2010-09-22 23:10 . 2010-09-22 23:10 103864 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
2010-09-21 19:35 . 2010-09-21 19:35 -------- d-----w- c:\program files\Drug Wars
2010-09-15 08:06 . 2010-09-15 08:06 -------- d-----w- c:\windows\PCHEALTH
2010-09-15 06:55 . 2010-08-21 05:32 316928 ----a-w- c:\windows\system32\spoolsv.exe
2010-09-14 02:17 . 2009-05-18 18:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-09-14 02:17 . 2008-04-17 17:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-09-14 02:15 . 2010-09-14 02:15 -------- d-----w- c:\program files\iPod
2010-09-14 02:15 . 2010-09-14 02:17 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-09-14 02:15 . 2010-09-14 02:17 -------- d-----w- c:\program files\iTunes
2010-09-14 02:14 . 2010-09-14 02:14 -------- d-----w- c:\program files\Apple Software Update
2010-09-14 02:07 . 2010-09-14 02:07 -------- d-----w- c:\program files\Bonjour
2010-09-13 23:00 . 2010-09-14 01:44 -------- d-----w- c:\users\Nate\.bh_gui

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of C:\Device ----

2010-10-09 03:55 . 2010-10-09 03:41 32768 ----a-w- c:\device\HarddiskVolume1\Boot\BCD.bak
2010-10-09 03:55 . 2010-10-09 03:55 0 --sha-w- c:\device\HarddiskVolume1\Boot\BCD.tmp.LOG1
2010-10-09 03:55 . 2010-10-09 03:55 0 --sha-w- c:\device\HarddiskVolume1\Boot\BCD.tmp.LOG2
2010-10-09 03:41 . 2010-10-09 03:55 32768 ----a-w- c:\device\HarddiskVolume1\Boot\BCD


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Vidalia"="c:\program files\Vidalia Bundle\Vidalia\vidalia.exe" [2009-11-20 5262834]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2010-08-02 1167808]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^BumpTop.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\BumpTop.lnk
backup=c:\windows\pss\BumpTop.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^SABnzbd.lnk]
backup=c:\windows\pss\SABnzbd.lnk.CommonStartup
backupExtension=.CommonStartup
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\SABnzbd.lnk

[HKLM\~\startupfolder\C:^Users^Nate^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
backup=c:\windows\pss\OpenOffice.org 3.1.lnk.Startup
backupExtension=.Startup
path=c:\users\Nate\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 04:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-23 09:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2010-09-08 22:31 47904 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AT&T Communication Manager]
2008-06-10 03:27 33280 ----a-w- c:\program files\AT&T\Communication Manager\ATTCM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoStartNPSAgent]
2010-07-05 00:13 95576 ----a-w- c:\program files\Samsung\Samsung New PC Studio\NPSAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2009-04-23 13:51 691656 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 21:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-09-01 13:32 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
2010-01-27 17:22 63048 ----a-w- c:\program files\LogMeIn\x86\LogMeInSystray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 16:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-09-02 20:27 25623336 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2007-02-22 00:14 1183744 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2010-06-08 23:05 322352 ----a-w- c:\program files\uTorrent\uTorrent.exe

R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-09-24 721904]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-09-15 20560]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [2008-05-23 106496]
R3 CAATT;AT&T Con App Svc;c:\program files\AT&T\Communication Manager\ConAppsSvc.exe [2008-05-23 118784]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
R3 ssecbus;Samsung Mobile Modem Device driver (WDM);c:\windows\system32\DRIVERS\ssecbus.sys [2010-04-27 86528]
R3 ssecmdfl;Samsung Mobile Modem Device 2 Filter;c:\windows\system32\DRIVERS\ssecmdfl.sys [2010-04-27 14976]
R3 ssecmdm;Samsung Mobile Modem Device 2 Driver;c:\windows\system32\DRIVERS\ssecmdm.sys [2010-04-27 114304]
R3 SWNC8U80;Sierra Wireless MUX NDIS Driver (UMTS80);c:\windows\system32\DRIVERS\swnc8u80.sys [2008-01-10 165248]
R3 SWUMX80;Sierra Wireless USB MUX Driver (UMTS80);c:\windows\system32\DRIVERS\swumx80.sys [2008-01-10 142976]
R3 vpcuxd;USB Virtualization Stub Service;c:\windows\system32\DRIVERS\vpcuxd.sys [2009-09-23 12800]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-25 1343400]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\DRIVERS\aswMonFlt.sys [2009-09-15 53328]
S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2010-07-05 238952]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2010-01-27 12856]
S3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\Drivers\ATSwpWDF.sys [2009-04-10 520704]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.SYS [2010-06-14 36608]
S3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-10-03 6000640]
S3 RICOH SmartCard Reader;RICOH SmartCard Reader;c:\windows\system32\DRIVERS\rismc32.sys [2006-10-03 47488]
S3 SMSCIRDA;SMSC Infrared Device Driver;c:\windows\system32\DRIVERS\SMSCirda.sys [2007-04-25 31232]
 
--- Other Services/Drivers In Memory ---

*NewlyCreated* - FSUSBEXDISK

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
iissvcs REG_MULTI_SZ w3svc was
apphost REG_MULTI_SZ apphostsvc
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: hilton.com\rms
Trusted Zone: marriott.com\extranet
FF - ProfilePath - c:\users\Nate\AppData\Roaming\Mozilla\Firefox\Profiles\so4xtik1.default\
FF - prefs.js: browser.search.selectedEngine - eBay
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL -
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBook.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBookDB.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpNeoLogger.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSaturn.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSeymour.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartSelect.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartWebPrinting.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSWPOperation.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPLogging.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTC.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTL.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXREStub.dll
FF - plugin: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\plugins\nphpclipbook.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np32asw.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - plugin: c:\users\Nate\AppData\Roaming\Mozilla\Firefox\Profiles\so4xtik1.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}\plugins\npGarmin.dll
FF - plugin: c:\users\Nate\AppData\Roaming\Mozilla\Firefox\Profiles\so4xtik1.default\extensions\ietab@ip.cn\plugins\npCoralIETab.dll
FF - plugin: c:\users\Nate\AppData\Roaming\Mozilla\Firefox\Profiles\so4xtik1.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\windows\system32\Wat\npWatWeb.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: >>UNKNOWN [0x82E49000]<< >>UNKNOWN [0x89585000]<< >>UNKNOWN [0x89618000]<< >>UNKNOWN [0x88F46000]<< >>UNKNOWN [0x82E12000]<< >>UNKNOWN [0x891AE000]<< >>UNKNOWN [0x88F69000]<< >>UNKNOWN [0x830E3F8F]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
IoDeviceObjectType -> DumpProcedure -> 0xd46a624f
SecurityProcedure -> 0x84ec2418
QueryNameProcedure -> 0x84ec25a8
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-10-11 19:28:50
ComboFix-quarantined-files.txt 2010-10-12 00:28
ComboFix2.txt 2010-10-09 04:02
ComboFix3.txt 2010-10-06 06:00

Pre-Run: 13,983,944,704 bytes free
Post-Run: 13,928,345,600 bytes free

- - End Of File - - 31AC5434F7C86AB8D88FCF681ED6F9EE
 
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4796

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

10/11/2010 8:43:52 PM
mbam-log-2010-10-11 (20-43-52).txt

Scan type: Full scan (C:\|)
Objects scanned: 274496
Time elapsed: 1 hour(s), 12 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

==========================
ESET Scanner found these files!!!
==========================
C:\Qoobox\Quarantine\C\Windows\System32\Drivers\RDPREFMP.sys.vir Win32/Olmarik.ZC trojan
C:\Qoobox\Quarantine\C\Windows\System32\Drivers\RDPREFMP.sys.vir_ Win32/Olmarik.ZC trojan
C:\Windows\winsxs\x86_microsoft-windows-t..ion-reflectordriver_31bf3856ad364e35_6.1.7600.16385_none_17fc66573f2afc60\RDPREFMP.sys Win32/Olmarik.ZC trojan
 
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:25:27 PM, on 10/11/2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\System32\rundll32.exe
C:\Windows\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://khmr.hilton.com/activex/ScriptX/smsx.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\Windows\system32\AEADISRV.EXE
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AT&T RcAppSvc (ATTRcAppSvc) - PCTEL - C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: AT&T Con App Svc (CAATT) - PCTEL - C:\Program Files\AT&T\Communication Manager\ConAppsSvc.exe
O23 - Service: FsUsbExService - Teruten - C:\Windows\system32\FsUsbExService.Exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 5748 bytes
 
Fixed with Ghostery add-on for Firefox. Stopped the freeze on some pages while transferring from google-analytic.com. Feel free to close the thread, unless you see something malicious.
Thanks again for all your time and help!
 
Sorry for the delay. Had flu for 4 days. Couldn't even watch the screen scroll for logs!

About this:
Would anyone recommend using ccleaner for cleaning the registry? OR is this something that is better left untouched?
Most of us do not recommend using a Registry cleaner. The benefit is much less than the problems it can cause. So the answers are No/Yes.

Let's finish up. Only one of the entries in the Eset log is active so we'll remove it. The only reference I find for the combination of RDPRE and FMP.sys is a Japanese porno video site. FMP.sys is for FileMakerPro. The Qoobox entries are from the Combofix quarantine folder and are no longer active. These will be removed when I have you uninstall Combofix.

Please download OTMoveIt by OldTimer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes	
    :Files  
    C:\Windows\winsxs\x86_microsoft-windows-t..ion-reflectordriver_31bf3856ad364e35_6.1.7600.16385_none_17fc66573f2afc60\RDPRE FMP.sys 
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
=======================================
Need to check these Registry entries:
Custom CFScript

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad and copy/paste the text in the code below into it:
Code:
Registry::
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^BumpTop.lnk]
RegLock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
=====================================
Also, Combofix indicates we need to check the MBR:

Please download MBR Rootkit Detector and save it on your desktop.
  • Pause/Stop all antivirus/spyware active protection.
  • Then double click on mbr.exe to run it.
  • Select Run when you receive a Security Warning
  • The process is automatic, a black DOS window will appear and disappear suddenly. This is normal.
  • A log file will then be created on your desktop where you ran mbr.exe
  • Copy and paste the contents of mbr.log on your next reply.
============================
HijackThis is okay, but the above need to be checked before I let you go.
 
OTMoveIt by OldTimer
All processes killed
========== PROCESSES ==========
========== FILES ==========
File/Folder C:\Windows\winsxs\x86_microsoft-windows-t..ion-reflectordriver_31bf3856ad364e35_6.1.7600.16385_none_17fc66573f2afc60\RDPRE FMP.sys not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes

User: Nate
->Temp folder emptied: 1756205 bytes
->Temporary Internet Files folder emptied: 51795613 bytes
->Java cache emptied: 87675992 bytes
->FireFox cache emptied: 102112499 bytes
->Google Chrome cache emptied: 557424 bytes
->Flash cache emptied: 1194 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 82227 bytes
RecycleBin emptied: 2039671 bytes

Total Files Cleaned = 235.00 mb


OTM by OldTimer - Version 3.1.16.1 log created on 10132010_201554

Files moved on Reboot...
File C:\Windows\temp\_avast4_\Webshlock.txt not found!

Registry entries deleted on Reboot...
 
ComboFix 10-10-12.03 - Nate 10/13/2010 20:34:42.4.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2047.1241 [GMT -5:00]
Running from: c:\users\Nate\Desktop\ComboFix.exe.exe
Command switches used :: c:\users\Nate\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2010-09-14 to 2010-10-14 )))))))))))))))))))))))))))))))
.

2010-10-14 01:45 . 2010-10-14 01:45 -------- d-----w- c:\users\Nate\AppData\Local\temp
2010-10-14 01:45 . 2010-10-14 01:45 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-10-14 01:25 . 2010-10-14 01:26 -------- d-----w- C:\32788R22FWJFW
2010-10-14 01:15 . 2010-10-14 01:15 -------- d-----w- C:\_OTM
2010-10-13 01:00 . 2010-10-13 01:01 -------- d-----w- c:\program files\iTunes
2010-10-13 01:00 . 2010-10-13 01:00 -------- d-----w- c:\program files\iPod
2010-10-12 11:59 . 2010-09-09 22:52 6084944 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{0094B185-FC2F-4B28-B0DC-13FB87956D9C}\mpengine.dll
2010-10-12 01:47 . 2010-10-12 01:47 -------- d-----w- c:\program files\ESET
2010-10-09 03:41 . 2010-10-09 03:41 -------- d-----w- C:\Device
2010-10-09 03:03 . 2010-10-09 03:03 -------- d-----w- c:\program files\Common Files\Adobe
2010-10-08 20:40 . 2010-10-08 20:40 -------- d-----w- c:\program files\MSECache
2010-10-07 11:59 . 2010-10-07 11:59 -------- d-----w- c:\windows\system32\wbem\Logs
2010-10-07 04:49 . 2010-10-07 04:49 388096 ----a-r- c:\users\Nate\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-10-07 04:49 . 2010-10-07 04:49 -------- d-----w- c:\program files\Trend Micro
2010-10-06 04:49 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-06 04:49 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-04 21:48 . 2010-06-19 06:15 2048 ----a-w- c:\windows\system32\tzres.dll
2010-10-04 18:58 . 2006-06-19 18:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-10-04 18:58 . 2006-05-25 20:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-10-04 18:58 . 2005-08-26 06:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-10-04 18:58 . 2002-03-06 06:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-10-04 18:58 . 2010-10-04 18:58 -------- d-----w- c:\program files\Trojan Remover
2010-10-04 18:58 . 2010-10-04 18:58 -------- d-----w- c:\users\Nate\AppData\Roaming\Simply Super Software
2010-10-04 18:58 . 2010-10-04 18:58 -------- d-----w- c:\programdata\Simply Super Software
2010-10-04 18:58 . 2003-02-03 01:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-10-04 00:44 . 2010-10-08 00:38 -------- d-----w- c:\program files\SpywareBlaster
2010-10-03 18:39 . 2010-10-06 06:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-03 06:25 . 2010-10-03 20:07 -------- dc----w- c:\programdata\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2010-10-03 06:24 . 2010-10-03 06:24 -------- d-----w- c:\program files\Lavasoft
2010-10-01 20:13 . 2010-10-03 20:07 -------- d-----w- c:\program files\PDF Creator
2010-09-27 18:00 . 2010-10-12 03:08 -------- d-----w- C:\N8
2010-09-24 00:54 . 2010-09-24 00:54 -------- d-----w- c:\program files\AirPort
2010-09-24 00:49 . 2010-09-24 00:49 -------- d-----w- c:\windows\Downloaded Installations
2010-09-23 23:40 . 2010-09-14 22:59 14808 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe
2010-09-23 23:40 . 2010-09-14 22:59 718296 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll
2010-09-22 23:10 . 2010-09-22 23:10 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2010-09-22 23:10 . 2010-09-22 23:10 103864 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
2010-09-21 19:35 . 2010-09-21 19:35 -------- d-----w- c:\program files\Drug Wars
2010-09-15 08:06 . 2010-09-15 08:06 -------- d-----w- c:\windows\PCHEALTH
2010-09-15 06:55 . 2010-08-21 05:32 316928 ----a-w- c:\windows\system32\spoolsv.exe
2010-09-14 02:17 . 2009-05-18 18:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-09-14 02:17 . 2008-04-17 17:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-09-14 02:15 . 2010-09-14 02:17 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-09-14 02:14 . 2010-09-14 02:14 -------- d-----w- c:\program files\Apple Software Update
2010-09-14 02:07 . 2010-09-14 02:07 -------- d-----w- c:\program files\Bonjour

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Vidalia"="c:\program files\Vidalia Bundle\Vidalia\vidalia.exe" [2009-11-20 5262834]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2010-08-02 1167808]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^BumpTop.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\BumpTop.lnk
backup=c:\windows\pss\BumpTop.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^SABnzbd.lnk]
backup=c:\windows\pss\SABnzbd.lnk.CommonStartup
backupExtension=.CommonStartup
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\SABnzbd.lnk

[HKLM\~\startupfolder\C:^Users^Nate^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
backup=c:\windows\pss\OpenOffice.org 3.1.lnk.Startup
backupExtension=.Startup
path=c:\users\Nate\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 04:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-23 09:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2010-09-08 22:31 47904 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AT&T Communication Manager]
2008-06-10 03:27 33280 ----a-w- c:\program files\AT&T\Communication Manager\ATTCM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoStartNPSAgent]
2010-07-05 00:13 95576 ----a-w- c:\program files\Samsung\Samsung New PC Studio\NPSAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2009-04-23 13:51 691656 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 21:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-09-24 07:10 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
2010-01-27 17:22 63048 ----a-w- c:\program files\LogMeIn\x86\LogMeInSystray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 16:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-09-02 20:27 25623336 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2007-02-22 00:14 1183744 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2010-06-08 23:05 322352 ----a-w- c:\program files\uTorrent\uTorrent.exe

R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-09-24 721904]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-09-15 20560]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [2008-05-23 106496]
R3 CAATT;AT&T Con App Svc;c:\program files\AT&T\Communication Manager\ConAppsSvc.exe [2008-05-23 118784]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
R3 ssecbus;Samsung Mobile Modem Device driver (WDM);c:\windows\system32\DRIVERS\ssecbus.sys [2010-04-27 86528]
R3 ssecmdfl;Samsung Mobile Modem Device 2 Filter;c:\windows\system32\DRIVERS\ssecmdfl.sys [2010-04-27 14976]
R3 ssecmdm;Samsung Mobile Modem Device 2 Driver;c:\windows\system32\DRIVERS\ssecmdm.sys [2010-04-27 114304]
R3 SWNC8U80;Sierra Wireless MUX NDIS Driver (UMTS80);c:\windows\system32\DRIVERS\swnc8u80.sys [2008-01-10 165248]
R3 SWUMX80;Sierra Wireless USB MUX Driver (UMTS80);c:\windows\system32\DRIVERS\swumx80.sys [2008-01-10 142976]
R3 vpcuxd;USB Virtualization Stub Service;c:\windows\system32\DRIVERS\vpcuxd.sys [2009-09-23 12800]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-25 1343400]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\DRIVERS\aswMonFlt.sys [2009-09-15 53328]
S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2010-07-05 238952]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2010-01-27 12856]
S3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\Drivers\ATSwpWDF.sys [2009-04-10 520704]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.SYS [2010-06-14 36608]
S3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-10-03 6000640]
S3 RICOH SmartCard Reader;RICOH SmartCard Reader;c:\windows\system32\DRIVERS\rismc32.sys [2006-10-03 47488]
S3 SMSCIRDA;SMSC Infrared Device Driver;c:\windows\system32\DRIVERS\SMSCirda.sys [2007-04-25 31232]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
iissvcs REG_MULTI_SZ w3svc was
apphost REG_MULTI_SZ apphostsvc
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.next post :)
 
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: hilton.com\rms
Trusted Zone: marriott.com\extranet
FF - ProfilePath - c:\users\Nate\AppData\Roaming\Mozilla\Firefox\Profiles\so4xtik1.default\
FF - prefs.js: browser.search.selectedEngine - eBay
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL -
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBook.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBookDB.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpNeoLogger.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSaturn.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSeymour.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartSelect.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartWebPrinting.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSWPOperation.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPLogging.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTC.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTL.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXREStub.dll
FF - plugin: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\plugins\nphpclipbook.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np32asw.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - plugin: c:\users\Nate\AppData\Roaming\Mozilla\Firefox\Profiles\so4xtik1.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}\plugins\npGarmin.dll
FF - plugin: c:\users\Nate\AppData\Roaming\Mozilla\Firefox\Profiles\so4xtik1.default\extensions\ietab@ip.cn\plugins\npCoralIETab.dll
FF - plugin: c:\users\Nate\AppData\Roaming\Mozilla\Firefox\Profiles\so4xtik1.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\windows\system32\Wat\npWatWeb.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: >>UNKNOWN [0x82E40000]<< >>UNKNOWN [0x895AF000]<< >>UNKNOWN [0x8959E000]<< >>UNKNOWN [0x88F24000]<< >>UNKNOWN [0x82E09000]<< >>UNKNOWN [0x891CC000]<< >>UNKNOWN [0x88F47000]<< >>UNKNOWN [0x82EF9FF0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
IoDeviceObjectType -> DumpProcedure -> 0xd46a624f
SecurityProcedure -> 0x84ec2418
QueryNameProcedure -> 0x84ec25a8
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2010-10-13 20:47:24
ComboFix-quarantined-files.txt 2010-10-14 01:47
ComboFix2.txt 2010-10-12 00:28
ComboFix3.txt 2010-10-09 04:02
ComboFix4.txt 2010-10-06 06:00

Pre-Run: 17,822,343,168 bytes free
Post-Run: 17,636,007,936 bytes free

- - End Of File - - 77E9E082FBED2933BE26995870F95456

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
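The "Reg Loading Points" block of the ComboFix log above lists the UAC policy values (EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop are all 0 on this machine, which means UAC is switched off entirely) together with the Run-key autostarts, and the Gmer MBR detector section lists the hooked procedures that made the helper want a second rootkit check. As an added example, not part of this thread and not code from ComboFix or Gmer, here is a small Python parser that reads both sections and reports the weak UAC settings, any autostart launched from a temp directory, and the hook lines. The sample input is a constructed copy of a few lines from the logs above with one invented temp-path Run entry ("Updater") added to exercise the autostart check.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape ComboFix prints under "Reg Loading Points".
# The first entries are copied from the log above; "Updater" is invented.
SAMPLE_REG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Vidalia"="c:\program files\Vidalia Bundle\Vidalia\vidalia.exe" [2009-11-20 5262834]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
"Updater"="c:\users\nate\appdata\local\temp\updater.exe" [2010-10-01 12345]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"""

# Constructed sample in the shape of the Gmer MBR detector section above.
SAMPLE_MBR = """\
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
IoDeviceObjectType -> DumpProcedure -> 0xd46a624f
SecurityProcedure -> 0x84ec2418
QueryNameProcedure -> 0x84ec25a8
user & kernel MBR OK
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
UAC_POLICY_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\system"
RUN_KEY_SUFFIX = r"\microsoft\windows\currentversion\run"
# What a value of 0 means for each UAC policy ComboFix printed.
UAC_ZERO_MEANS = {
    "EnableLUA": "UAC is disabled; every process of an admin user runs fully elevated",
    "ConsentPromptBehaviorAdmin": "admins elevate silently with no consent prompt",
    "PromptOnSecureDesktop": "elevation prompts are shown on the normal, spoofable desktop",
}
TEMP_DIRS = ("\\temp\\", "\\tmp\\")  # autostarts living here deserve a look


def parse_sections(text: str) -> Dict[str, Dict[str, str]]:
    """Turn REGEDIT4-style output into {key (lowercased): {name: value}}."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, {})
            continue
        # Value lines start with a quoted name; backup=/path= lines are skipped.
        if current is None or not line.startswith('"') or "=" not in line:
            continue
        name, _, rest = line.partition("=")
        rest = rest.strip()
        if rest.startswith('"'):              # quoted path, trailing [date size] ignored
            end = rest.find('"', 1)
            value = rest[1:end] if end > 0 else rest[1:]
        else:                                 # numeric value like: 0 (0x0)
            value = rest.split()[0] if rest else ""
        sections[current][name.strip().strip('"')] = value
    return sections


def uac_findings(sections: Dict[str, Dict[str, str]]) -> List[str]:
    """Report each UAC policy that is set to 0 in the policies\\system key."""
    policies = sections.get(UAC_POLICY_KEY, {})
    return [f"{n}=0: {why}" for n, why in UAC_ZERO_MEANS.items() if policies.get(n) == "0"]


def run_entries(sections: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Collect (hive, name, path) for every HKLM/HKCU ...\\CurrentVersion\\Run value."""
    out = []
    for key, values in sections.items():
        if key.endswith(RUN_KEY_SUFFIX):
            hive = "HKLM" if key.startswith("hkey_local_machine") else "HKCU"
            out.extend((hive, name, path) for name, path in values.items())
    return out


def suspicious_autostarts(entries: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Autostarts whose binary sits in a temp directory."""
    return [e for e in entries if any(d in e[2].lower() for d in TEMP_DIRS)]


def mbr_hooks(text: str) -> List[str]:
    """Return the hook lines Gmer prints after 'detected MBR rootkit hooks:'."""
    hooks, collecting = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("detected MBR rootkit hooks:"):
            collecting = True
        elif collecting:
            if "->" not in line:
                break
            hooks.append(line)
    return hooks


if __name__ == "__main__":
    secs = parse_sections(SAMPLE_REG)
    for f in uac_findings(secs):
        print("UAC:", f)
    for hive, name, path in suspicious_autostarts(run_entries(secs)):
        print(f"AUTOSTART from temp dir: {hive}\\...\\Run {name} -> {path}")
    for h in mbr_hooks(SAMPLE_MBR):
        print("MBR hook:", h)
```

The parser only looks at the REGEDIT4-style lines, so it can be pointed at a whole ComboFix log; the msconfig\startupreg keys and the file-listing sections are ignored because their lines do not start with a quoted value name.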
 
Where is this section from the Combofix log? (((((((( Find3M Report ))))))))))))

The scan is still showing signs of possible rootkit. I'd like you to run this: Combofix isn't quite as clean as I'd like it to be.

Download Bootkit Remover and save to your Desktop
  1. You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
  2. After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right click on remover.exe and click Run As Administrator).
  3. You will see a Black screen with some data on it.
  4. Right click on the screen and click Select All.
  5. Press CTRL+C to Copy
  6. Open a Notepad and press CTRL+V to Paste.
  7. Include the report in your next post.
Credits to Broni
 
Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.2.0.0
OS Version: Microsoft Windows 7 Ultimate Edition (build 7600), 32-bit

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`06500000
Boot sector MD5 is: bb4f1627d8b9beda49ac0d010229f3ff

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


Done;
Press any key to quit...
 