
Cannot access microsoft update, host process for windows services has


  • This topic is locked

#16
ali.B

    Trusted Helper

  • Malware Removal
  • 3,086 posts
hi

Step 1

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job
  • Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean

Step 2

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Step 3

Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

Next

Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.
3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.
Please be patient as this can take quite a long time to download.
  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases
  • Click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.
  • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply


Step 3

Things I would like to see in your reply:
  • Malwarebytes Results.
  • Kaspersky WebScanner Report
  • Update on how your computer is running

  • 0


#17
SilverNightwing

    Member

  • Topic Starter
  • Member
  • 20 posts
Hi, I finally managed to get ComboFix to run, though it was with the AVG Resident active in the end (I did some research on how to disable it completely, and re-enabled it while I did so, then forgot to re-disable it). Some joy at last: it said it detected rootkit activity and to reboot my computer, which I did. Upon startup it said I had virtual disc drives active, and it would disable those (I do, and it did) and rebooted. Upon the final boot it performed operations for about 20 mins, then rebooted again; after 5 mins on the next startup it produced the following log.

ComboFix 10-06-06.05 - Pete 08/06/2010 18:02:12.1.4 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.3070.2296 [GMT 1:00]
Running from: c:\users\Pete\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system\reloaded.dll
c:\windows\system32\%appdata%

Infected copy of c:\windows\system32\drivers\netbt.sys was found and disinfected
Restored copy from - Kitty had a snack :)
.
((((((((((((((((((((((((( Files Created from 2010-05-08 to 2010-06-08 )))))))))))))))))))))))))))))))
.

2010-06-08 17:09 . 2010-06-08 17:12 -------- d-----w- c:\users\Pete\AppData\Local\temp
2010-06-08 17:09 . 2010-06-08 17:09 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-06-07 14:59 . 2010-06-07 14:59 -------- d-----w- C:\_OTL
2010-06-07 13:03 . 2010-06-07 13:03 -------- d-----w- c:\program files\ERUNT
2010-06-06 00:35 . 2010-06-06 00:39 -------- d-----w- c:\users\Pete\SecurityScans
2010-06-06 00:35 . 2010-06-06 00:35 -------- d-----w- c:\program files\Microsoft Baseline Security Analyzer 2
2010-06-06 00:25 . 2010-06-06 00:25 -------- d-----w- c:\program files\Belarc
2010-06-04 01:05 . 2010-06-04 01:05 -------- d-----w- c:\program files\uTorrent
2010-06-04 01:05 . 2010-06-06 00:13 -------- d-----w- c:\users\Pete\AppData\Roaming\uTorrent
2010-06-04 00:06 . 2010-06-04 02:13 -------- d-----w- c:\users\Pete\AppData\Local\qgkqxfqfp
2010-06-03 15:38 . 2010-06-03 15:38 -------- d-----w- c:\users\Pete\AppData\Roaming\Malwarebytes
2010-06-03 15:38 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-03 15:38 . 2010-06-03 15:38 -------- d-----w- c:\programdata\Malwarebytes
2010-06-03 15:38 . 2010-06-03 15:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-03 15:38 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-03 12:35 . 2010-06-03 12:35 -------- d-----w- c:\program files\Trojan Remover
2010-06-03 12:30 . 2006-06-19 11:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-06-03 12:30 . 2006-05-25 13:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-06-03 12:30 . 2005-08-25 23:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-06-03 12:30 . 2003-02-02 18:06 153088 ----a-w- c:\windows\system32\unrar3.dll
2010-06-03 12:30 . 2002-03-05 23:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-06-03 12:30 . 2010-06-03 12:35 -------- d-----w- c:\users\Pete\AppData\Roaming\Simply Super Software
2010-06-03 12:30 . 2010-06-03 12:30 -------- d-----w- c:\programdata\Simply Super Software
2010-05-28 00:09 . 2010-05-28 00:09 41872 ----a-w- c:\windows\system32\xfcodec.dll
2010-05-25 21:33 . 2010-04-23 14:13 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-21 12:50 . 2010-06-06 23:52 -------- d-----w- c:\program files\Common Files\Steam
2010-05-21 12:50 . 2010-06-08 16:33 -------- d-----w- c:\program files\Steam
2010-05-21 12:38 . 2009-09-04 16:44 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2010-05-21 12:38 . 2009-09-04 16:44 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
2010-05-21 12:38 . 2009-09-04 16:29 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
2010-05-21 12:38 . 2009-09-04 16:29 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
2010-05-21 12:38 . 2009-09-04 16:44 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2010-05-21 12:38 . 2008-10-27 09:04 514384 ----a-w- c:\windows\system32\XAudio2_3.dll
2010-05-21 12:38 . 2008-10-27 09:04 235856 ----a-w- c:\windows\system32\xactengine3_3.dll
2010-05-21 12:38 . 2008-10-27 09:04 23376 ----a-w- c:\windows\system32\X3DAudio1_5.dll
2010-05-21 12:38 . 2008-10-27 09:04 70992 ----a-w- c:\windows\system32\XAPOFX1_2.dll
2010-05-21 12:38 . 2008-07-31 09:41 238088 ----a-w- c:\windows\system32\xactengine3_2.dll
2010-05-21 12:38 . 2008-07-31 09:41 68616 ----a-w- c:\windows\system32\XAPOFX1_1.dll
2010-05-21 12:38 . 2008-07-31 09:40 509448 ----a-w- c:\windows\system32\XAudio2_2.dll
2010-05-12 09:56 . 2010-01-29 15:40 738816 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-11 15:59 . 2010-05-11 15:59 12464 ----a-w- c:\windows\system32\avgrsstx.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-08 17:13 . 2009-10-15 14:35 34800 ----a-w- c:\programdata\nvModes.dat
2010-06-08 16:55 . 2009-09-25 10:33 0 ----a-w- c:\windows\system32\drivers\netbt.sys
2010-06-08 16:39 . 2009-02-04 09:48 -------- d-----w- c:\users\Pete\AppData\Roaming\Skype
2010-06-08 16:33 . 2009-02-04 09:49 -------- d-----w- c:\users\Pete\AppData\Roaming\skypePM
2010-06-07 16:01 . 2009-06-26 12:27 -------- d-----w- c:\users\Pete\AppData\Roaming\Xfire
2010-06-03 22:56 . 2009-06-26 12:27 -------- d-----w- c:\program files\Xfire
2010-06-03 11:29 . 2009-10-15 19:23 680 ----a-w- c:\users\Pete\AppData\Local\d3d9caps.dat
2010-06-03 08:13 . 2009-06-26 12:27 -------- d-----w- c:\programdata\Xfire
2010-06-03 00:38 . 2010-06-03 00:38 242896 ----a-w- c:\programdata\avg9\update\backup\avgtdix.sys
2010-06-03 00:38 . 2010-06-03 00:38 29512 ----a-w- c:\programdata\avg9\update\backup\avgmfx86.sys
2010-06-03 00:38 . 2009-02-03 17:11 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-03 00:38 . 2008-09-01 20:48 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-06-02 09:35 . 2008-04-07 11:18 -------- d-----w- c:\programdata\NVIDIA
2010-05-12 13:38 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-12 13:38 . 2008-04-09 12:44 -------- d-----w- c:\programdata\Microsoft Help
2010-05-11 15:59 . 2010-05-11 15:59 333192 ----a-w- c:\programdata\avg9\update\backup\avgldx86.sys
2010-05-11 15:59 . 2008-09-01 20:48 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-05-11 15:53 . 2010-05-11 15:53 1685784 ----a-w- c:\programdata\avg9\update\backup\avgupd.dll
2010-05-11 15:53 . 2010-05-11 15:53 1035032 ----a-w- c:\programdata\avg9\update\backup\avgupd.exe
2010-05-11 15:53 . 2010-05-11 15:53 813336 ----a-w- c:\programdata\avg9\update\backup\avginet.dll
2010-05-11 15:53 . 2010-05-11 15:53 624920 ----a-w- c:\programdata\avg9\update\backup\avgiproxy.exe
2010-05-01 17:00 . 2010-05-01 16:59 -------- d-----w- c:\users\Pete\AppData\Roaming\SPORE
2010-05-01 16:56 . 2010-05-01 16:56 -------- d--h--r- c:\users\Pete\AppData\Roaming\SecuROM
2010-05-01 16:09 . 2010-05-01 15:48 3076 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2010-05-01 16:07 . 2010-05-01 14:59 -------- d-----w- c:\program files\Electronic Arts
2010-05-01 15:52 . 2008-04-07 11:58 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-01 15:48 . 2010-05-01 15:48 -------- d-----w- c:\programdata\Electronic Arts
2010-04-27 13:45 . 2010-04-27 13:45 72856 ----a-w- c:\windows\system32\xliveinstallhost.exe
2010-04-27 13:45 . 2010-04-27 13:45 187544 ----a-w- c:\windows\system32\xliveinstall.dll
2010-04-13 18:17 . 2010-04-05 20:09 -------- d-----w- c:\programdata\POPWWPROFILES
2010-04-05 16:15 . 2010-01-28 16:27 1 ----a-w- c:\users\Pete\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-04-02 16:17 . 2010-04-02 16:17 15426200 ----a-w- c:\windows\system32\xlive.dll
2010-04-02 16:17 . 2010-04-02 16:17 13642904 ----a-w- c:\windows\system32\xlivefnt.dll
2010-03-12 18:41 . 2010-03-12 18:41 101232 ----a-w- c:\windows\VX1000.dll
2010-03-12 18:41 . 2010-03-12 18:41 677232 ----a-w- c:\windows\system32\LCCoin32.dll
2010-03-12 18:41 . 2010-03-12 18:41 1961072 ----a-w- c:\windows\system32\drivers\VX1000.sys
2010-03-12 18:41 . 2010-03-12 18:41 175472 ----a-w- c:\windows\system32\cVX1000.dll
2010-03-12 18:41 . 2009-06-26 17:21 762736 ----a-w- c:\windows\vVX1000.exe
2010-03-12 18:41 . 2009-06-26 17:21 227696 ----a-w- c:\windows\vVX1000.dll
2008-10-01 07:51 . 2008-10-01 07:51 1999 ----a-w- c:\program files\Nokia Software Updater.lnk
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-10-15 202024]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-08-21 4608]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-09-02 25623336]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2008-07-22 2772992]
"Steam"="c:\program files\Steam\Steam.exe" [2010-05-21 1238352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"RtHDVCpl"="RtHDVCpl.exe" [2008-02-13 4915200]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"VX1000"="c:\windows\vVX1000.exe" [2010-03-12 762736]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2010-03-12 119152]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2010-02-27 1165192]

c:\users\Pete\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]
Xfire.lnk.disabled [2009-6-26 800]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
NCProTray.lnk - c:\program files\SEC\Natural Color Pro\NCProTray.exe [2009-7-29 49220]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" -autorun
"swg"=c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AVG9_TRAY"=c:\progra~1\AVG\AVG9\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):14,4d,8a,26,9e,67,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2417632954-1718349010-1960286903-1000]
"EnableNotificationsRef"=dword:00000001

R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
R3 kbeepm;kbeepm;c:\users\Pete\AppData\Local\Temp\kbeepm.sys [x]
R3 qcusbmdm6k;WP-S1 Proprietary USB Driver;c:\windows\system32\DRIVERS\qcusbmdm6k.sys [2007-10-03 65024]
R3 qcusbnmea;WP-S1 NMEA Port;c:\windows\system32\DRIVERS\qcusbnmea.sys [2007-10-03 65024]
R3 qcusbpcsync;WP-S1 PCSYNC Port;c:\windows\system32\DRIVERS\qcusbpcsync.sys [2007-10-03 65024]
R3 qcusbser6k;WP-S1 Diagnostic Port;c:\windows\system32\DRIVERS\qcusbser6k.sys [2007-10-03 65024]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2010-01-31 691696]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-05-11 216200]
S1 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2010-06-03 242896]
S2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [2010-05-11 916760]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-05-11 308064]
S3 INQ1usbser;INQ1 USB Device for Legacy Serial Communication;c:\windows\system32\DRIVERS\INQ1usbser.sys [2008-03-19 103680]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-08-21 66592]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
Trusted Zone: adobe.com\get
Trusted Zone: depositfiles.com
Trusted Zone: download.com\www
Trusted Zone: kingdomofloathing.com\www2
Trusted Zone: kingdomofloathing.com\www5
Trusted Zone: kingdomofloathing.com\www6
Trusted Zone: kingdomofloathing.com\www7
Trusted Zone: savefile.com\www
TCP: {D1526BCC-DED6-401D-B17C-A7AD9351D418} = 141.1.1.1 195.27.1.1
FF - ProfilePath - c:\users\Pete\AppData\Roaming\Mozilla\Firefox\Profiles\4j46tnui.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\users\Pete\AppData\Roaming\Mozilla\Firefox\Profiles\4j46tnui.default\extensions\[email protected]\plugins\NPYYGInstantPlay.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-toolbar_eula_launcher - c:\program files\GoogleEULA\EULALauncher.exe
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2417632954-1718349010-1960286903-1000\Software\SecuROM\License information*]
"datasecu"=hex:cd,61,ae,6f,f6,f0,69,50,b3,88,89,73,d3,07,01,5e,65,59,42,31,09,
90,ee,e1,a1,d8,14,6b,43,43,e3,37,35,89,f0,52,83,36,cc,04,0c,18,e8,25,65,d9,\
"rkeysecu"=hex:cc,22,f1,c0,8d,ad,26,db,4e,75,ef,60,60,95,c9,67

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(5752)
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\windows\system32\WUDFHost.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\RtHDVCpl.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\ehome\ehmsas.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\Common Files\Nero\Lib\NMIndexingService.exe
c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2010-06-08 18:20:10 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-08 17:20

Pre-Run: 711,858,114,560 bytes free
Post-Run: 711,796,518,912 bytes free

- - End Of File - - DBE605A818A5B67C244F528C0E2DE419

It also mentioned not being able to find a file with the word "white" in the filename, but I can't remember any more than that. It jumbled a few things around too; some of my shortcuts didn't work correctly, or were moved, easy to fix though. Finally it played with my mobile phone internet connection: I tried connecting and it said it was an illegal operation performed on a registry key marked for deletion; a restart later I was able to connect. I shall follow your instructions in your last post and reply again. Thank you, at last, I think the end may be in sight :)

Edit: One last question, the log says "restored from file: Kitty had a snack :)" but I don't recall ever having such a file, could you offer an explanation please?

Edited by SilverNightwing, 08 June 2010 - 11:35 AM.

  • 0

#18
ali.B

    Trusted Helper

  • Malware Removal
  • 3,086 posts
hi

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

File::
c:\users\Pete\AppData\Local\Temp\kbeepm.sys

Folder::
c:\users\Pete\AppData\Local\qgkqxfqfp

Driver::
kbeepm


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
  • 0
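The CFScript above targets a driver (kbeepm) whose image lives in a per-user Temp folder and was not found on disk ("[x]"), which is what made it stand out in the Drivers/Services section of the ComboFix log. The parser below is an added example, not part of this thread or of ComboFix: it reads service lines in the format the log uses and flags the same kinds of anomalies (image under a Temp directory, a .sys file inside a user profile, image missing at scan time) so a reader can see why that one line deserved attention. The sample lines are copied from the log posted above; the heuristics and function names are my own.

```python
"""Flag suspicious service/driver lines in a ComboFix log (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# One "Drivers/Services" line in a ComboFix log looks like:
#   R3 kbeepm;kbeepm;c:\users\Pete\AppData\Local\Temp\kbeepm.sys [x]
# i.e. <state><start type> <service name>;<display name>;<image path> [<date size> | x]
# where "x" means ComboFix could not find the image file on disk.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]$"
)

# Sample lines taken from the ComboFix log posted earlier in this thread.
SAMPLE_LOG = r"""
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
R3 kbeepm;kbeepm;c:\users\Pete\AppData\Local\Temp\kbeepm.sys [x]
R3 qcusbmdm6k;WP-S1 Proprietary USB Driver;c:\windows\system32\DRIVERS\qcusbmdm6k.sys [2007-10-03 65024]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-05-11 216200]
"""


@dataclass
class ServiceEntry:
    state: str    # R = running, S = stopped
    start: str    # start type digit as printed by ComboFix
    name: str
    display: str
    path: str
    meta: str     # "YYYY-MM-DD size" or "x" when the image was not found


def parse_services(text: str) -> list[ServiceEntry]:
    """Return every line that matches the service/driver line format."""
    entries = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            entries.append(ServiceEntry(**m.groupdict()))
    return entries


def flag_suspicious(entries: list[ServiceEntry]) -> dict[str, list[str]]:
    """Map service name -> list of reasons it deserves a closer look.

    These are triage heuristics (my own, not ComboFix rules): a legitimate
    driver can hit one of them, so they rank entries for review rather than
    declare anything malicious.
    """
    findings: dict[str, list[str]] = {}
    for e in entries:
        reasons = []
        p = e.path.lower()
        if re.search(r"\\temp\\", p):
            reasons.append("image loaded from a temp directory")
        if p.startswith("c:\\users\\") and p.endswith(".sys"):
            reasons.append("kernel driver (.sys) inside a user profile")
        if e.meta.strip().lower() == "x":
            reasons.append("image file not found on disk (no date/size recorded)")
        if reasons:
            findings[e.name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in flag_suspicious(parse_services(SAMPLE_LOG)).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Run against the sample, kbeepm trips all three checks, the NVIDIA service trips only the "not found" check (a known harmless case, since the product is installed under Program Files), and the two drivers with a recorded date and size under system32\DRIVERS are not flagged at all.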

#19
SilverNightwing

    Member

  • Topic Starter
  • Member
  • 20 posts
Hi, I'm currently in the middle of the downloads for Kaspersky; shall I forget that step and do the ComboFix script?
  • 0

#20
ali.B

    Trusted Helper

  • Malware Removal
  • 3,086 posts
Continue with Kaspersky IF you have already started with the online scanner.

When done, do the ComboFix step.
  • 0

#21
SilverNightwing

    Member

  • Topic Starter
  • Member
  • 20 posts
Currently downloading database updates, 17% complete, unsure if I can just close the window or not. Will it have any adverse effects? If I have to wait I'll busy myself with something and return soon.
  • 0

#22
ali.B

    Trusted Helper

  • Malware Removal
  • 3,086 posts
No, do not close it.

Relax and get yourself busy, because the Kaspersky online scanner is pretty slow and takes a long time.
  • 0

#23
SilverNightwing

    Member

  • Topic Starter
  • Member
  • 20 posts
Heh, thanks for the warning :) will do :) I'll go get some housework done lol. Will update when all is downloaded; in the meantime the computer *seems* to be fine. I'll stick with you though, and see it to the end. Including the MBAM log for you to look over if you wish also.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4180

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904

08/06/2010 18:48:14
mbam-log-2010-06-08 (18-48-14).txt

Scan type: Quick scan
Objects scanned: 128927
Time elapsed: 4 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
  • 0

#24
SilverNightwing

    Member

  • Topic Starter
  • Member
  • 20 posts
Slight delay: I came in to check and see how things were going and it seems my computer had slowed right down. Kaspersky said it couldn't find the server for the updates (or words to that effect) and nothing I did would close my modem software, the webpage, or bring up the security options for task manager. Although this may just be my pc being a pc lol. Continuing to download the database updates again now, will post again when scanned.
  • 0

#25
SilverNightwing

    Member

  • Topic Starter
  • Member
  • 20 posts
Hi, it seems this is more than a minor setback. I cannot explain why, but every time I get to about the 40% mark downloading the database updates for Kaspersky my computer hangs. First I'm disconnected from the internet and the Kaspersky server, and then slowly my pc becomes less and less responsive. My INQ Modem software remains open, and informs me that I'm still connected to the internet (even though I'm not) and refuses to close. The security options do not work, so I cannot bring up Task Manager to solve the problem. In the end I have to hard shutdown and boot up again, since it eventually just hangs. Is there any way this can be solved without going through the Kaspersky step? I also think it's putting a fair strain on my connection, due to the size of it, and since the amount of data allowance I get is limited (1GB) I think it may run out soon heh. Again, any advice is greatly appreciated, and thank you for your help.

Silver
  • 0


#26
SilverNightwing

    Member

  • Topic Starter
  • Member
  • 20 posts
Oh, as one last note, I got curious to see if Windows Update would now work. It does, and I've chosen to download 17 important updates and one optional (graphics, not important). My browser also hasn't been hijacked in a while, but since you gave me instructions to use CFScript, I'm assuming there is more work to be done yet.

Edit: Apparently I now have SP2, although I thought I had it before now hehe. Still awaiting instruction, haven't run CFScript yet, and still no luck with Kaspersky.

Edited by SilverNightwing, 09 June 2010 - 01:20 AM.

  • 0

#27
ali.B

    Trusted Helper

  • Malware Removal
  • 3,086 posts
hi

Go ahead with the CFScript step and post the log it will produce.
  • 0

#28
SilverNightwing

    Member

  • Topic Starter
  • Member
  • 20 posts
ComboFix 10-06-06.05 - Pete 09/06/2010 14:19:58.2.4 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.3070.1632 [GMT 1:00]
Running from: c:\users\Pete\Desktop\Combo-Fix.exe
Command switches used :: c:\users\Pete\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\users\Pete\AppData\Local\Temp\kbeepm.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Pete\AppData\Local\qgkqxfqfp
c:\windows\system32\%appdata%

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_KBEEPM
-------\Service_kbeepm


((((((((((((((((((((((((( Files Created from 2010-05-09 to 2010-06-09 )))))))))))))))))))))))))))))))
.

2010-06-09 13:24 . 2010-06-09 13:27 -------- d-----w- c:\users\Pete\AppData\Local\temp
2010-06-09 13:24 . 2010-06-09 13:24 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-06-09 13:24 . 2010-06-09 13:24 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-06-09 13:17 . 2010-06-09 13:18 -------- d-----w- C:\32788R22FWJFW
2010-06-08 21:45 . 2010-04-05 17:01 67072 ----a-w- c:\windows\system32\asycfilt.dll
2010-06-08 21:44 . 2010-05-26 17:06 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-06-08 21:44 . 2010-05-26 14:47 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-06-08 21:42 . 2010-05-01 14:13 2037248 ----a-w- c:\windows\system32\win32k.sys
2010-06-08 18:03 . 2010-06-08 18:03 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-07 14:59 . 2010-06-07 14:59 -------- d-----w- C:\_OTL
2010-06-07 13:03 . 2010-06-07 13:03 -------- d-----w- c:\program files\ERUNT
2010-06-06 00:35 . 2010-06-06 00:39 -------- d-----w- c:\users\Pete\SecurityScans
2010-06-06 00:35 . 2010-06-06 00:35 -------- d-----w- c:\program files\Microsoft Baseline Security Analyzer 2
2010-06-06 00:25 . 2010-06-06 00:25 -------- d-----w- c:\program files\Belarc
2010-06-04 01:05 . 2010-06-04 01:05 -------- d-----w- c:\program files\uTorrent
2010-06-04 01:05 . 2010-06-06 00:13 -------- d-----w- c:\users\Pete\AppData\Roaming\uTorrent
2010-06-03 15:38 . 2010-06-03 15:38 -------- d-----w- c:\users\Pete\AppData\Roaming\Malwarebytes
2010-06-03 15:38 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-03 15:38 . 2010-06-03 15:38 -------- d-----w- c:\programdata\Malwarebytes
2010-06-03 15:38 . 2010-06-03 15:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-03 15:38 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-03 12:35 . 2010-06-03 12:35 -------- d-----w- c:\program files\Trojan Remover
2010-06-03 12:30 . 2006-06-19 11:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-06-03 12:30 . 2006-05-25 13:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-06-03 12:30 . 2005-08-25 23:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-06-03 12:30 . 2003-02-02 18:06 153088 ----a-w- c:\windows\system32\unrar3.dll
2010-06-03 12:30 . 2002-03-05 23:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-06-03 12:30 . 2010-06-03 12:35 -------- d-----w- c:\users\Pete\AppData\Roaming\Simply Super Software
2010-06-03 12:30 . 2010-06-03 12:30 -------- d-----w- c:\programdata\Simply Super Software
2010-05-28 00:09 . 2010-05-28 00:09 41872 ----a-w- c:\windows\system32\xfcodec.dll
2010-05-25 21:33 . 2010-04-23 14:13 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-21 12:50 . 2010-06-08 19:09 -------- d-----w- c:\program files\Common Files\Steam
2010-05-21 12:50 . 2010-06-09 07:35 -------- d-----w- c:\program files\Steam
2010-05-21 12:38 . 2009-09-04 16:44 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2010-05-21 12:38 . 2009-09-04 16:44 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
2010-05-21 12:38 . 2009-09-04 16:29 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
2010-05-21 12:38 . 2009-09-04 16:29 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
2010-05-21 12:38 . 2009-09-04 16:44 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2010-05-21 12:38 . 2008-10-27 09:04 514384 ----a-w- c:\windows\system32\XAudio2_3.dll
2010-05-21 12:38 . 2008-10-27 09:04 235856 ----a-w- c:\windows\system32\xactengine3_3.dll
2010-05-21 12:38 . 2008-10-27 09:04 23376 ----a-w- c:\windows\system32\X3DAudio1_5.dll
2010-05-21 12:38 . 2008-10-27 09:04 70992 ----a-w- c:\windows\system32\XAPOFX1_2.dll
2010-05-21 12:38 . 2008-07-31 09:41 238088 ----a-w- c:\windows\system32\xactengine3_2.dll
2010-05-21 12:38 . 2008-07-31 09:41 68616 ----a-w- c:\windows\system32\XAPOFX1_1.dll
2010-05-21 12:38 . 2008-07-31 09:40 509448 ----a-w- c:\windows\system32\XAudio2_2.dll
2010-05-12 09:56 . 2010-01-29 15:40 738816 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-11 15:59 . 2010-05-11 15:59 12464 ----a-w- c:\windows\system32\avgrsstx.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-09 13:29 . 2009-02-04 09:48 -------- d-----w- c:\users\Pete\AppData\Roaming\Skype
2010-06-09 13:29 . 2009-02-04 09:49 -------- d-----w- c:\users\Pete\AppData\Roaming\skypePM
2010-06-09 13:27 . 2009-10-15 14:35 34805 ----a-w- c:\programdata\nvModes.dat
2010-06-08 23:39 . 2008-04-07 12:15 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-08 23:37 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-06-08 23:36 . 2008-04-09 12:44 -------- d-----w- c:\programdata\Microsoft Help
2010-06-08 23:30 . 2008-04-07 11:18 -------- d-----w- c:\programdata\NVIDIA
2010-06-08 23:30 . 2009-10-15 14:32 -------- d-----w- c:\program files\NVIDIA Corporation
2010-06-08 20:13 . 2009-10-15 19:23 680 ----a-w- c:\users\Pete\AppData\Local\d3d9caps.dat
2010-06-08 18:03 . 2008-10-09 13:51 -------- d-----w- c:\program files\Common Files\Java
2010-06-08 16:55 . 2009-09-25 10:33 0 ----a-w- c:\windows\system32\drivers\netbt.sys
2010-06-07 16:01 . 2009-06-26 12:27 -------- d-----w- c:\users\Pete\AppData\Roaming\Xfire
2010-06-03 22:56 . 2009-06-26 12:27 -------- d-----w- c:\program files\Xfire
2010-06-03 08:13 . 2009-06-26 12:27 -------- d-----w- c:\programdata\Xfire
2010-06-03 00:38 . 2010-06-03 00:38 242896 ----a-w- c:\programdata\avg9\update\backup\avgtdix.sys
2010-06-03 00:38 . 2010-06-03 00:38 29512 ----a-w- c:\programdata\avg9\update\backup\avgmfx86.sys
2010-06-03 00:38 . 2009-02-03 17:11 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-03 00:38 . 2008-09-01 20:48 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-05-11 15:59 . 2010-05-11 15:59 333192 ----a-w- c:\programdata\avg9\update\backup\avgldx86.sys
2010-05-11 15:59 . 2008-09-01 20:48 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-05-11 15:53 . 2010-05-11 15:53 1685784 ----a-w- c:\programdata\avg9\update\backup\avgupd.dll
2010-05-11 15:53 . 2010-05-11 15:53 1035032 ----a-w- c:\programdata\avg9\update\backup\avgupd.exe
2010-05-11 15:53 . 2010-05-11 15:53 813336 ----a-w- c:\programdata\avg9\update\backup\avginet.dll
2010-05-11 15:53 . 2010-05-11 15:53 624920 ----a-w- c:\programdata\avg9\update\backup\avgiproxy.exe
2010-05-04 05:59 . 2010-06-08 22:40 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 05:55 . 2010-06-08 22:40 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-05-04 05:55 . 2010-06-08 22:40 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-05-04 04:31 . 2010-06-08 22:40 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-05-01 17:00 . 2010-05-01 16:59 -------- d-----w- c:\users\Pete\AppData\Roaming\SPORE
2010-05-01 16:56 . 2010-05-01 16:56 -------- d--h--r- c:\users\Pete\AppData\Roaming\SecuROM
2010-05-01 16:09 . 2010-05-01 15:48 3076 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2010-05-01 16:07 . 2010-05-01 14:59 -------- d-----w- c:\program files\Electronic Arts
2010-05-01 15:52 . 2008-04-07 11:58 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-01 15:48 . 2010-05-01 15:48 -------- d-----w- c:\programdata\Electronic Arts
2010-04-27 13:45 . 2010-04-27 13:45 72856 ----a-w- c:\windows\system32\xliveinstallhost.exe
2010-04-27 13:45 . 2010-04-27 13:45 187544 ----a-w- c:\windows\system32\xliveinstall.dll
2010-04-13 18:17 . 2010-04-05 20:09 -------- d-----w- c:\programdata\POPWWPROFILES
2010-04-05 16:15 . 2010-01-28 16:27 1 ----a-w- c:\users\Pete\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-04-03 17:27 . 2010-04-03 17:27 985704 ----a-w- c:\windows\system32\nvsvc.dll
2010-04-03 17:27 . 2010-04-03 17:27 13683816 ----a-w- c:\windows\system32\nvcpl.dll
2010-04-03 17:27 . 2010-04-03 17:27 129640 ----a-w- c:\windows\system32\nvvsvc.exe
2010-04-03 17:27 . 2010-04-03 17:27 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-04-02 16:17 . 2010-04-02 16:17 15426200 ----a-w- c:\windows\system32\xlive.dll
2010-04-02 16:17 . 2010-04-02 16:17 13642904 ----a-w- c:\windows\system32\xlivefnt.dll
2010-03-12 18:41 . 2010-03-12 18:41 101232 ----a-w- c:\windows\VX1000.dll
2010-03-12 18:41 . 2010-03-12 18:41 677232 ----a-w- c:\windows\system32\LCCoin32.dll
2010-03-12 18:41 . 2010-03-12 18:41 1961072 ----a-w- c:\windows\system32\drivers\VX1000.sys
2010-03-12 18:41 . 2010-03-12 18:41 175472 ----a-w- c:\windows\system32\cVX1000.dll
2010-03-12 18:41 . 2009-06-26 17:21 762736 ----a-w- c:\windows\vVX1000.exe
2010-03-12 18:41 . 2009-06-26 17:21 227696 ----a-w- c:\windows\vVX1000.dll
2008-10-01 07:51 . 2008-10-01 07:51 1999 ----a-w- c:\program files\Nokia Software Updater.lnk
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-10-15 202024]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-08-21 4608]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-09-02 25623336]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2008-07-22 2772992]
"Steam"="c:\program files\Steam\Steam.exe" [2010-05-21 1238352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"RtHDVCpl"="RtHDVCpl.exe" [2008-02-13 4915200]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"VX1000"="c:\windows\vVX1000.exe" [2010-03-12 762736]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2010-03-12 119152]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2010-02-27 1165192]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\users\Pete\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]
Xfire.lnk.disabled [2009-6-26 800]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
NCProTray.lnk - c:\program files\SEC\Natural Color Pro\NCProTray.exe [2009-7-29 49220]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" -autorun
"swg"=c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AVG9_TRAY"=c:\progra~1\AVG\AVG9\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):14,4d,8a,26,9e,67,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2417632954-1718349010-1960286903-1000]
"EnableNotificationsRef"=dword:00000001

R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
R3 qcusbmdm6k;WP-S1 Proprietary USB Driver;c:\windows\system32\DRIVERS\qcusbmdm6k.sys [2007-10-03 65024]
R3 qcusbnmea;WP-S1 NMEA Port;c:\windows\system32\DRIVERS\qcusbnmea.sys [2007-10-03 65024]
R3 qcusbpcsync;WP-S1 PCSYNC Port;c:\windows\system32\DRIVERS\qcusbpcsync.sys [2007-10-03 65024]
R3 qcusbser6k;WP-S1 Diagnostic Port;c:\windows\system32\DRIVERS\qcusbser6k.sys [2007-10-03 65024]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2010-01-31 691696]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-05-11 216200]
S1 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2010-06-03 242896]
S2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [2010-05-11 916760]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-05-11 308064]
S3 INQ1usbser;INQ1 USB Device for Legacy Serial Communication;c:\windows\system32\DRIVERS\INQ1usbser.sys [2008-03-19 103680]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-08-21 66592]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
Trusted Zone: adobe.com\get
Trusted Zone: depositfiles.com
Trusted Zone: download.com\www
Trusted Zone: kingdomofloathing.com\www2
Trusted Zone: kingdomofloathing.com\www5
Trusted Zone: kingdomofloathing.com\www6
Trusted Zone: kingdomofloathing.com\www7
Trusted Zone: savefile.com\www
FF - ProfilePath - c:\users\Pete\AppData\Roaming\Mozilla\Firefox\Profiles\4j46tnui.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\users\Pete\AppData\Roaming\Mozilla\Firefox\Profiles\4j46tnui.default\extensions\[email protected]\plugins\NPYYGInstantPlay.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2417632954-1718349010-1960286903-1000\Software\SecuROM\License information*]
"datasecu"=hex:cd,61,ae,6f,f6,f0,69,50,b3,88,89,73,d3,07,01,5e,65,59,42,31,09,
90,ee,e1,a1,d8,14,6b,43,43,e3,37,35,89,f0,52,83,36,cc,04,0c,18,e8,25,65,d9,\
"rkeysecu"=hex:cc,22,f1,c0,8d,ad,26,db,4e,75,ef,60,60,95,c9,67

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(4692)
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\windows\system32\WUDFHost.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\RtHDVCpl.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\windows\ehome\ehmsas.exe
c:\program files\Common Files\Nero\Lib\NMIndexingService.exe
c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2010-06-09 14:33:20 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-09 13:33
ComboFix2.txt 2010-06-08 17:20

Pre-Run: 709,696,544,768 bytes free
Post-Run: 709,866,512,384 bytes free

- - End Of File - - 5BD90FC4E9E7A5ED9EC74E23C032BDBE


One ComboFix report, as requested :) Are things looking good? I've had no errors since I last mentioned. Any further instructions?
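Triage of the ComboFix log above, as an added example that is not part of the post and not ComboFix's own code. The sample input is copied from the log lines above (the FILE :: block, the Drivers/Services deletions and the Supplementary Scan). The check a helper wants from this log is the proxy line: `uInternet Settings,ProxyServer = http=127.0.0.1:5555` means Internet Explorer (and anything that inherits its settings) hands every HTTP request to a listener on the local machine; once that listener is removed the stale setting still breaks connectivity until it is cleared. The `u` prefix is ComboFix's marker for a per-user (HKCU) setting.

```python
"""Triage the security-relevant lines of a ComboFix log.

Added example for this thread; not ComboFix's code and not from the poster.
It reads the plain-text ComboFix format shown above: a "FILE ::" block listing
what the CFScript targeted, "-------\\Service_<name>" lines for removed
services, and the "Supplementary Scan" lines carrying the Internet Explorer
proxy and Trusted Zone settings.
"""
import re

# Constructed excerpt: these lines are copied from the ComboFix log above,
# trimmed to the blocks the triage looks at.
SAMPLE_LOG = r"""
FILE ::
"c:\users\Pete\AppData\Local\Temp\kbeepm.sys"
.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_KBEEPM
-------\Service_kbeepm

------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
Trusted Zone: adobe.com\get
Trusted Zone: depositfiles.com
"""

# 127.0.0.0/8 or "localhost", with or without a port, anywhere in the value.
LOOPBACK = re.compile(r"\b(?:127\.\d{1,3}\.\d{1,3}\.\d{1,3}|localhost)(?::\d+)?\b", re.I)


def parse_combofix(text: str) -> dict:
    """Pull the fields the triage needs out of a ComboFix log."""
    parsed = {"cfscript_files": [], "removed_services": [], "proxy": None,
              "proxy_override": None, "trusted_zones": []}
    in_file_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "FILE ::":                 # files named in the CFScript
            in_file_block = True
            continue
        if line == ".":                       # ComboFix closes each block with a dot
            in_file_block = False
            continue
        if in_file_block and line.startswith('"') and line.endswith('"'):
            parsed["cfscript_files"].append(line.strip('"'))
        elif line.startswith("-------\\Service_"):
            parsed["removed_services"].append(line.split("Service_", 1)[1])
        elif line.startswith("uInternet Settings,ProxyServer"):
            parsed["proxy"] = line.split("=", 1)[1].strip()
        elif line.startswith("uInternet Settings,ProxyOverride"):
            parsed["proxy_override"] = line.split("=", 1)[1].strip()
        elif line.startswith("Trusted Zone:"):
            parsed["trusted_zones"].append(line.split(":", 1)[1].strip())
    return parsed


def triage(parsed: dict) -> list:
    """Turn the parsed fields into findings a helper would act on."""
    findings = []
    for path in parsed["cfscript_files"]:
        if path.lower().endswith(".sys") and "\\temp\\" in path.lower():
            # Legitimate drivers live under system32\drivers, not a user's Temp.
            findings.append(f"kernel driver in a Temp directory: {path}")
    for name in parsed["removed_services"]:
        findings.append(f"service removed by ComboFix: {name}")
    proxy = parsed["proxy"]
    if proxy and LOOPBACK.search(proxy):
        findings.append(f"IE proxy routed through the local machine: {proxy} "
                        "(clear ProxyServer/ProxyEnable under HKCU\\Software\\Microsoft"
                        "\\Windows\\CurrentVersion\\Internet Settings once the listener is gone)")
    for zone in parsed["trusted_zones"]:
        findings.append(f"site in the IE Trusted Zone (relaxed security): {zone}")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_combofix(SAMPLE_LOG)):
        print("-", finding)
```

Run it on a saved ComboFix.txt by reading the file into `parse_combofix` in place of `SAMPLE_LOG`; a proxy that points at a real corporate proxy produces no proxy finding, only the loopback case does.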

#29
ali.B
    Trusted Helper
  • Malware Removal
  • 3,086 posts
hi

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


#30
SilverNightwing
    Member
  • Topic Starter
  • Member
  • 20 posts
The ESET log follows :)

ESETSmartInstaller@High as downloader log:
all ok
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=2ec5650e0c03f64499542089c249ffc7
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-06-09 03:42:33
# local_time=2010-06-09 04:42:33 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 42238082 42238082 0 0
# compatibility_mode=1024 16777215 100 0 17373888 17373888 0 0
# compatibility_mode=5892 16776574 100 100 17413245 113625272 0 0
# compatibility_mode=8192 67108863 100 0 934 934 0 0
# scanned=153067
# found=2
# cleaned=2
# scan_time=5609
C:\ProgramData\Spybot - Search & Destroy\Recovery\DNSFlushcws1.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\ProgramData\Spybot - Search & Destroy\Recovery\WinFraudLoadedt.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

Should I delete the quarantined files and uninstall the program? Or do nothing?

Edited by SilverNightwing, 09 June 2010 - 09:50 AM.

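A parser for the ESET Online Scanner log above, as an added example that is not part of the thread and not ESET's code. The sample input is the header and the two detection lines from the log posted above. The check worth making on this log is the path of each hit: both sit under Spybot - Search & Destroy's Recovery folder, which holds zipped backups of items Spybot already removed, so a scanner deleting them is clearing leftovers rather than an active infection. The folder list below (Spybot Recovery, ComboFix's Qoobox quarantine, OTL's moved files, System Restore points) is the example's own assumption about where such backups live.

```python
"""Parse an ESET Online Scanner log and separate stale hits from live ones.

Added example for this thread; not ESET's code and not from the poster.
The format is the one posted above: '# key=value' header lines, then one line
per detection holding the path, the threat name, the action in parentheses, a
32-hex-digit field and a one-letter flag (tab-separated in the real log.txt,
space-separated once pasted into a forum).
"""
import re

# Constructed sample: the header and the two detection lines from the ESET log
# posted above, trimmed to what the parser needs.
SAMPLE_ESET = r"""ESETSmartInstaller@High as downloader log:
all ok
# version=7
# osver=6.0.6002 NT Service Pack 2
# scanned=153067
# found=2
# cleaned=2
# scan_time=5609
C:\ProgramData\Spybot - Search & Destroy\Recovery\DNSFlushcws1.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\ProgramData\Spybot - Search & Destroy\Recovery\WinFraudLoadedt.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
"""

# Folders where other cleanup tools keep copies of what they already removed
# (assumed list). A detection under one of these is the backup of an old
# removal, not something that is running.
BACKUP_DIRS = (
    "\\spybot - search & destroy\\recovery\\",  # Spybot S&D backups of fixed items
    "\\qoobox\\quarantine\\",                    # ComboFix quarantine
    "\\_otl\\movedfiles\\",                       # OTL backups of moved files
    "\\system volume information\\",             # System Restore points
)

# path  threat-name [type]  (action)  32-hex-digits  flag
DETECTION = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<threat>(?:(?:probably )?a variant of )?[A-Za-z0-9]+/\S+(?: [a-z]+)?)\s+"
    r"\((?P<action>[^)]*)\)\s+"
    r"(?P<hash>[0-9A-Fa-f]{32})\s+(?P<flag>\S+)\s*$"
)


def parse_eset_log(text: str) -> dict:
    """Return the header fields, every detection, and whether the two agree."""
    header, findings = {}, []
    for raw in text.splitlines():
        line = raw.replace("\t", " ").strip()
        if not line:
            continue
        if line.startswith("# ") and "=" in line:
            key, value = line[2:].split("=", 1)
            header[key.strip()] = value.strip()
            continue
        match = DETECTION.match(line)
        if match:                          # installer chatter like "all ok" falls through
            finding = match.groupdict()
            low = finding["path"].lower()
            finding["stale"] = any(d in low for d in BACKUP_DIRS)
            findings.append(finding)
    found = int(header.get("found", 0))
    return {
        "header": header,
        "findings": findings,
        "consistent": found == len(findings),   # a parse miss shows up here
        "active": [f for f in findings if not f["stale"]],
    }


if __name__ == "__main__":
    summary = parse_eset_log(SAMPLE_ESET)
    print(f"scanned={summary['header'].get('scanned')} found={summary['header'].get('found')}")
    for f in summary["findings"]:
        print(("stale " if f["stale"] else "ACTIVE") + f"  {f['threat']}  {f['path']}")
    print("active detections:", len(summary["active"]))
```

`consistent` compares the header's `found=` count with the number of detection lines the regex actually matched, so a line in a format the pattern does not cover is noticed instead of silently dropped.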