
Stubborn Worm.Conficker, Unable to access certain websites [Solved]


  • This topic is locked

#1 Mangoloid (Member, 41 posts)
Hello again! I am back with another problem lol.
I ran MBAM (updated and all) every day this week, and every time the same problem comes back again, which is the pesky Worm.Conficker in C:\Windows\System32\. They are usually named random numbers and are .tmp files. Attached at the end of this post is my latest log of MBAM.

Another problem I have is that my current browsers, Google Chrome and Firefox, both cannot access certain websites (like Microsoft and Kaspersky), and therefore I cannot download some of the files needed to do a cleanup. Annoying problem that I've had before.

Also, I tried to run GMER, but I got the blue screen of death and am hesitant to run it again.

So far, all I can provide is the MBAM log, which really does not say much. The Worm.Conficker tmp files are still being made and are consistently reoccurring with every MBAM scan.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4199

Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

6/15/2010 2:04:09 AM
mbam-log-2010-06-15 (02-04-09).txt

Scan type: Quick scan
Objects scanned: 162660
Time elapsed: 4 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\09143.tmp (Worm.Conficker) -> Quarantined and deleted successfully.
C:\Windows\System32\092F9.tmp (Worm.Conficker) -> Quarantined and deleted successfully.


Thanks for your help and attention.



#2 Elliot (Retired Staff, Expert, 3,769 posts)
Hello, Mangoloid!

:)

My name is Elster and I will be helping you fix your computer.

Please keep in mind that very rarely will a computer be "dis-infected" on the first sweep. The absence of symptoms does not mean that your computer is clean, so please stick with me until I give you the All Clear!

I recommend that you save and print each of my posts, as there will be times when you will not be able to be online to access them.


Step 1:

ComboFix

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you don't know how to disable them then just continue on.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.


Step 2:

OTL


  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Custom Scan box, paste in the following:


    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows, OTListIt.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply. You may need two posts to fit them all in.

Step 3:

Reply

Things I need to see in your reply:
  • ComboFix log
  • OTL log
Thanks!

Elster

#3 Mangoloid (Topic Starter, Member, 41 posts)
Hello Elster,

I successfully ran ComboFix.
However, I downloaded OTL and placed it on my desktop. I get "OTL has stopped working." Should I reboot?
Here is the ComboFix log file.



ComboFix 10-06-15.02 - user 06/15/2010 22:15:26.5.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2046.1100 [GMT -4:00]
Running from: c:\users\user\Desktop\ComboFix.exe
SP: AVG Anti-Spyware *disabled* (Outdated) {48F2E28D-ED66-4646-9C11-B3055B0AF604}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\user\AppData\Local\wmabpt.dll

.
((((((((((((((((((((((((( Files Created from 2010-05-16 to 2010-06-16 )))))))))))))))))))))))))))))))
.

2010-06-16 02:22 . 2010-06-16 02:22 -------- d-----w- c:\users\user\AppData\Local\temp
2010-06-15 05:30 . 2010-06-15 05:30 -------- d-----w- c:\program files\ERUNT
2010-06-15 05:12 . 2010-06-15 05:12 -------- d-----w- c:\program files\AMD
2010-06-15 05:11 . 2010-06-15 05:11 -------- d-----w- c:\users\user\AppData\Local\Downloaded Installations
2010-06-15 05:05 . 2010-06-15 05:07 -------- d-----w- c:\program files\NVIDIA Corporation
2010-06-15 05:04 . 2010-04-03 22:55 11573800 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2010-06-15 05:04 . 2010-04-03 22:55 56424 ----a-w- c:\windows\system32\OpenCL.dll
2010-06-15 05:04 . 2010-04-03 22:55 4503144 ----a-w- c:\windows\system32\nvwgf2um.dll
2010-06-15 05:04 . 2010-04-03 22:55 4029544 ----a-w- c:\windows\system32\nvcuda.dll
2010-06-15 05:04 . 2010-04-03 22:55 2646632 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-06-15 05:04 . 2010-04-03 22:55 2009704 ----a-w- c:\windows\system32\nvcuvid.dll
2010-06-15 05:04 . 2010-04-03 22:55 15227496 ----a-w- c:\windows\system32\nvoglv32.dll
2010-06-15 05:04 . 2010-04-03 22:55 227944 ----a-w- c:\windows\system32\nvcod1914.dll
2010-06-15 05:04 . 2010-04-03 22:55 227944 ----a-w- c:\windows\system32\nvcod.dll
2010-06-15 05:04 . 2010-04-03 22:55 1296488 ----a-w- c:\windows\system32\nvapi.dll
2010-06-15 05:04 . 2010-04-03 22:55 11647592 ----a-w- c:\windows\system32\nvcompiler.dll
2010-06-14 02:08 . 2010-06-14 02:08 595 ----a-w- c:\windows\eReg.dat
2010-06-14 02:06 . 2010-06-14 02:06 -------- d-----w- c:\program files\Maxis
2010-06-08 09:49 . 2010-06-08 09:49 -------- d-----w- c:\programdata\WindowsSearch
2010-06-03 03:14 . 2010-06-03 03:14 1498960 ----a-w- c:\windows\system32\msvcr100d.dll
2010-06-03 03:14 . 2010-06-03 03:14 761152 ----a-w- c:\windows\system32\msvcr100.dll
2010-05-27 23:54 . 2010-06-10 05:26 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-27 06:41 . 2010-05-27 06:41 -------- d-----w- C:\GMouse20
2010-05-22 01:59 . 2010-05-22 01:59 -------- d-----w- c:\program files\Common Files\Skype
2010-05-21 20:03 . 2009-05-18 17:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-05-21 20:03 . 2008-04-17 16:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-05-21 20:02 . 2010-05-21 20:02 -------- d-----w- c:\program files\iPod
2010-05-21 20:01 . 2010-05-21 20:03 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-05-21 20:01 . 2010-05-21 20:03 -------- d-----w- c:\program files\iTunes
2010-05-21 19:59 . 2010-05-21 19:59 -------- d-----w- c:\program files\Apple Software Update
2010-05-21 19:57 . 2010-05-21 19:57 -------- d-----w- c:\program files\Bonjour

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-16 02:12 . 2010-06-16 02:12 4096 ----a-w- c:\windows\system32\0882B.tmp
2010-06-16 02:12 . 2007-06-04 22:30 -------- d-----w- c:\programdata\NVIDIA
2010-06-16 02:10 . 2010-06-16 02:10 4096 ----a-w- c:\windows\system32\0A1DD.tmp
2010-06-16 02:03 . 2010-06-16 02:03 4096 ----a-w- c:\windows\system32\085AA.tmp
2010-06-15 09:04 . 2010-06-15 05:17 34805 ----a-w- c:\programdata\nvModes.dat
2010-06-15 09:04 . 2010-06-15 09:04 4096 ----a-w- c:\windows\system32\094FC.tmp
2010-06-15 05:28 . 2010-01-08 09:16 -------- d-----w- c:\users\user\AppData\Roaming\uTorrent
2010-06-14 06:09 . 2010-01-08 09:16 -------- d-----w- c:\program files\uTorrent
2010-05-30 20:42 . 2009-08-15 18:41 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-05-30 03:55 . 2009-09-03 02:48 -------- d-----w- c:\users\user\AppData\Roaming\Skype
2010-05-30 02:47 . 2009-09-03 02:50 -------- d-----w- c:\users\user\AppData\Roaming\skypePM
2010-05-27 23:54 . 2007-06-22 19:29 -------- d-----w- c:\program files\Common Files\Java
2010-05-27 23:54 . 2007-06-22 19:30 -------- d-----w- c:\program files\Java
2010-05-22 01:59 . 2009-09-03 02:47 -------- d-----r- c:\program files\Skype
2010-05-21 20:02 . 2009-12-11 14:29 -------- d-----w- c:\program files\Common Files\Apple
2010-05-21 20:00 . 2009-03-01 23:27 -------- d-----w- c:\program files\QuickTime
2010-05-21 20:00 . 2009-12-11 14:33 -------- d-----w- c:\programdata\Apple Computer
2010-05-11 22:31 . 2010-05-11 22:31 -------- d-----w- c:\programdata\Alwil Software
2010-05-11 22:21 . 2010-05-11 22:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-03 05:36 . 2007-11-12 23:43 -------- d-----w- c:\program files\DOSBox-0.72
2010-05-03 04:49 . 2010-05-03 04:48 -------- d-----w- c:\program files\DAEMON Tools Lite
2010-05-03 04:49 . 2009-02-10 05:43 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-05-02 02:15 . 2007-06-04 17:25 107872 ----a-w- c:\users\user\AppData\Local\GDIPFONTCACHEV1.DAT
2010-04-30 15:33 . 2010-01-25 19:11 -------- d-----w- c:\program files\Little Big Adventure 2
2010-04-29 19:39 . 2010-05-11 22:21 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2010-05-11 22:21 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-24 00:33 . 2010-02-13 07:21 -------- d-----w- c:\users\user\AppData\Roaming\Hamachi
2010-04-23 04:20 . 2010-04-23 04:20 -------- d-----w- c:\program files\Trend Micro
2010-04-22 01:06 . 2008-02-08 22:59 -------- d-----w- c:\users\user\AppData\Roaming\Anvil Studio
2010-04-22 01:06 . 2008-12-04 11:07 -------- d-----w- c:\program files\Ultra MP4 Video Converter
2010-04-03 22:55 . 2007-11-07 00:00 600680 ----a-w- c:\windows\system32\nvudisp.exe
2010-04-03 22:55 . 2007-04-26 20:17 9386600 ----a-w- c:\windows\system32\nvd3dum.dll
2010-04-03 22:27 . 2010-04-03 22:27 985704 ----a-w- c:\windows\system32\nvsvc.dll
2010-04-03 22:27 . 2010-04-03 22:27 66664 ----a-w- c:\windows\system32\nvshext.dll
2010-04-03 22:27 . 2010-04-03 22:27 13683816 ----a-w- c:\windows\system32\nvcpl.dll
2010-04-03 22:27 . 2010-04-03 22:27 129640 ----a-w- c:\windows\system32\nvvsvc.exe
2010-04-03 22:27 . 2010-04-03 22:27 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-04-02 20:54 . 2007-11-07 00:00 600680 ----a-w- c:\windows\system32\nvuninst.exe
2010-03-26 05:48 . 2010-03-26 05:48 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2009-02-13 08:49 . 2009-04-16 23:52 164746 --sha-r- c:\windows\System32\vslrs.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Wireless Connection Manager.lnk - c:\program files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\wirelesscm.exe [2008-8-23 30138368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete\0sasnative32

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders credssp.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
2009-05-19 05:23 49968 ----a-w- c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-09-08 01:59 133104 ----atw- c:\users\user\AppData\Local\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-03-26 05:10 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-05-13 20:12 26192168 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 15:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2010-06-14 01:44 322352 ----a-w- c:\program files\uTorrent\uTorrent.exe

R2 byfwu;Server Helper;c:\windows\system32\svchost.exe [2008-01-19 21504]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [x]
R3 ICDUSB3;ICDUSB3;c:\windows\system32\Drivers\ICDUSB3.sys [2008-08-18 11264]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2010-05-03 691696]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-04-26 64160]
S1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\DRIVERS\jswpslwf.sys [2008-04-28 20384]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-04-03 240232]


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
byfwu
.
Contents of the 'Scheduled Tasks' folder

2010-06-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3110586319-1905995605-3078229087-1000Core.job
- c:\users\user\AppData\Local\Google\Update\GoogleUpdate.exe [2009-09-08 01:59]

2010-06-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3110586319-1905995605-3078229087-1000UA.job
- c:\users\user\AppData\Local\Google\Update\GoogleUpdate.exe [2009-09-08 01:59]

2010-06-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3110586319-1905995605-3078229087-1004Core.job
- c:\users\Workstation\AppData\Local\Google\Update\GoogleUpdate.exe [2009-11-30 03:38]

2010-06-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3110586319-1905995605-3078229087-1004UA.job
- c:\users\Workstation\AppData\Local\Google\Update\GoogleUpdate.exe [2009-11-30 03:38]

2010-06-16 c:\windows\Tasks\User_Feed_Synchronization-{B78BB026-69A0-474E-BDCA-3E7EF24E5077}.job
- c:\windows\system32\msfeedssync.exe [2008-03-21 07:33]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\jgbotwi0.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: c:\programdata\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\users\user\AppData\Local\Google\Update\1.2.183.27\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-15 22:22
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll nvstor32.sys >>UNKNOWN [0x8E3988C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x887a9322
\Driver\ACPI -> acpi.sys @ 0x80616d4c
\Driver\atapi -> ataport.SYS @ 0x807259a8
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\byfwu]
"ServiceDll"="c:\windows\system32\vslrs.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3110586319-1905995605-3078229087-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3E3390C3-0750-3FF5-43DA-E7B0FA6F8276}*]
@Allowed: (Read) (RestrictedCode)
"oalcldfnjacbdieoldokgckcgedchj"=hex:64,61,69,61,61,6f,61,68,00,41
"oapmlcaabpieanoonbhiljdhimedbm"=hex:6a,61,69,61,6d,6f,6e,68,69,6a,63,69,61,6d,
6e,67,6e,70,6d,62,00,fa
"nafnfpdpenkbdjjbhegholhahcfg"=hex:6b,61,6c,61,70,6f,68,61,63,6f,6b,6f,66,6f,
6d,6e,6c,63,6e,63,6b,65,00,00

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-06-15 22:24:20
ComboFix-quarantined-files.txt 2010-06-16 02:24

Pre-Run: 149,700,972,544 bytes free
Post-Run: 149,748,760,576 bytes free

- - End Of File - - C2B2FE911AA7204365EDFFD00319BB00

#4 Elliot (Retired Staff, Expert, 3,769 posts)
Hello Mangoloid!

Yes, please reboot and try to run it again.

Thanks!

Elster

#5 Mangoloid (Topic Starter, Member, 41 posts)
I rebooted and tried running OTL again. Same error, didn't work. I redownloaded it too, but same error, didn't work. It is on my desktop. Any ideas?

#6 Elliot (Retired Staff, Expert, 3,769 posts)
Okay, let's try this:


Step 1:

ComboFix

1. Close any open browsers.

2. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\0882B.tmp
c:\windows\system32\0A1DD.tmp
c:\windows\system32\085AA.tmp
c:\windows\system32\094FC.tmp
c:\windows\system32\drivers\lvuvc.hs
c:\windows\system32\vslrs.dll

Driver::
byfwu

NetSvc::
byfwu

RegNull::
[HKEY_USERS\S-1-5-21-3110586319-1905995605-3078229087-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3E3390C3-0750-3FF5-43DA-E7B0FA6F8276}*]


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Step 2:

AVP Tool

Please click here to download AVP Tool by Kaspersky.
  • Save it to your desktop.
  • Reboot your computer into Safe Mode.

    You can do this by restarting your computer and continually tapping the F8 key until a menu appears.
    Use your up arrow key to highlight Safe Mode, then hit Enter.

  • Double click the setup file to run it.
  • Click Next to continue.
  • It will by default install it to your desktop folder. Click Next.
  • Hit ok at the prompt for scanning in Safe Mode.
  • It will then open a box. There will be a tab that says Automatic scan.
  • Under Automatic scan make sure these are checked.

  • System Memory
  • Startup Objects
  • Disk Boot Sectors
  • My Computer
  • Also any other (removable) drives that you may have


After that, click on Security level, then choose Customize, then click on the tab that says Heuristic Analyzer, then choose Enable Deep rootkit search, then choose OK.
Then choose OK again, and you are back at the main screen.

  • Then click on Scan at the top right-hand corner.
  • It will automatically Neutralize any objects found.
  • If some objects are left un-neutralized, then click the button that says Neutralize all.
  • If it says it cannot be Neutralized, then choose the delete option when prompted.
  • After that is done, click on the reports button at the bottom and save it to file; name it Kas.
  • Save it somewhere convenient, like your desktop, and post only the detected virus/malware in the report; it will be at the very top under Detected. Post those results in your next reply.

    Note: This tool will self uninstall when you close it so please save the log before closing it.



Step 3:

Reply

Things I need to see in your reply:
  • ComboFix log
  • AVP log
Thanks!

Elster
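As an added illustration (not code from this thread or from ComboFix, OTL or AVP Tool), the following Python parses the kind of ComboFix log posted earlier and flags the three indicators that the CFScript above removes together: random-named .tmp files sitting directly in System32, a DLL in System32 carrying hidden+system attributes, and a svchost-hosted service listed in NetSvcs whose ServiceDll is that DLL. The log excerpt is constructed from lines in this thread; the function names and the line formats the regexes assume are my own.

```python
import re

# Constructed excerpt of the ComboFix log posted earlier in this thread; the
# paths, service name and attribute strings are the ones that appear there.
SAMPLE_LOG = r"""
2010-06-16 02:12 . 2010-06-16 02:12 4096 ----a-w- c:\windows\system32\0882B.tmp
2010-06-16 02:12 . 2007-06-04 22:30 -------- d-----w- c:\programdata\NVIDIA
2010-06-16 02:10 . 2010-06-16 02:10 4096 ----a-w- c:\windows\system32\0A1DD.tmp
2010-05-30 20:42 . 2009-08-15 18:41 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-04-03 22:27 . 2010-04-03 22:27 985704 ----a-w- c:\windows\system32\nvsvc.dll
2009-02-13 08:49 . 2009-04-16 23:52 164746 --sha-r- c:\windows\System32\vslrs.dll
R2 byfwu;Server Helper;c:\windows\system32\svchost.exe [2008-01-19 21504]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [x]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-04-03 240232]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
byfwu
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\byfwu]
"ServiceDll"="c:\windows\system32\vslrs.dll"
"""

SYS32 = "c:\\windows\\system32\\"

# "<created> . <modified> <size> <attrs> <path>"  (Find3M / Files Created sections)
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?P<size>\S+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$")
# "R2 name;display name;image path [date size]"  (service list)
SVC_RE = re.compile(r"^[RS]\d (?P<name>[^;]+);[^;]*;(?P<image>.+?) \[[^\]]*\]$")
# "[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\name]" followed by a ServiceDll value
KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\system\\[^\\]+\\Services\\(?P<name>[^\]]+)\]$", re.I)
DLL_RE = re.compile(r'^"ServiceDll"="(?P<path>[^"]+)"$', re.I)
NETSVCS_HEADER = "\\Svchost - NetSvcs"


def parse_combofix(text):
    """Pull file entries, services, ServiceDll values and the NetSvcs list out of log text."""
    files, services, service_dll, netsvcs = [], {}, {}, set()
    current_key, in_netsvcs = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if in_netsvcs:                       # service names are listed until the "." terminator
            if line == ".":
                in_netsvcs = False
            else:
                netsvcs.add(line.lower())
            continue
        if line.endswith(NETSVCS_HEADER):
            in_netsvcs = True
            continue
        if m := FILE_RE.match(line):
            files.append((m["path"], m["attrs"], m["size"]))
        elif m := SVC_RE.match(line):
            services[m["name"].lower()] = m["image"].lower()
        elif m := KEY_RE.match(line):
            current_key = m["name"].lower()
        elif (m := DLL_RE.match(line)) and current_key:
            service_dll[current_key] = m["path"].lower()
    return {"files": files, "services": services,
            "service_dll": service_dll, "netsvcs": netsvcs}


def find_indicators(parsed):
    """Return (kind, detail) pairs for the Conficker-style pattern seen in this thread."""
    findings, hidden_dlls = [], set()
    for path, attrs, _size in parsed["files"]:
        low = path.lower()
        if not low.startswith(SYS32):
            continue
        rest = low[len(SYS32):]
        if "\\" in rest:                     # only files directly in System32, not subfolders
            continue
        if re.fullmatch(r"[0-9a-f]+\.tmp", rest):
            findings.append(("tmp_in_system32", path))
        elif rest.endswith(".dll") and "h" in attrs and "s" in attrs:
            hidden_dlls.add(low)             # hidden + system attributes, as on vslrs.dll
            findings.append(("hidden_system_dll", path))
    for name, image in parsed["services"].items():
        if not image.endswith("\\svchost.exe"):
            continue                         # only svchost-hosted services can ride NetSvcs
        dll = parsed["service_dll"].get(name)
        if name in parsed["netsvcs"] and dll in hidden_dlls:
            findings.append(("netsvcs_service_hidden_dll", f"{name} -> {dll}"))
    return findings


def cfscript_lines(findings):
    """Lay the findings out as File::/Driver::/NetSvc:: sections, the CFScript layout used above."""
    files = [d for k, d in findings if k in ("tmp_in_system32", "hidden_system_dll")]
    svcs = sorted({d.split(" -> ")[0] for k, d in findings if k == "netsvcs_service_hidden_dll"})
    return ["File::", *files, "", "Driver::", *svcs, "", "NetSvc::", *svcs]


if __name__ == "__main__":
    found = find_indicators(parse_combofix(SAMPLE_LOG))
    for kind, detail in found:
        print(f"{kind:28} {detail}")
    print("\n".join(cfscript_lines(found)))
```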

#7 Mangoloid (Topic Starter, Member, 41 posts)
When I tried running the fix on ComboFix, I got the blue screen of death in the middle of the process!!! I rebooted the computer and am now trying the fix again. Using my netbook for this reply as I await the results on my desktop.

#8 Mangoloid (Topic Starter, Member, 41 posts)
Whew! Both worked successfully :)
Here are the log files.

The Kaspersky scanner caught some false positives, but I deleted them anyway since I don't hack those games anymore :)

And by the way, I can see hidden files all over the place now. On my desktop are two 'desktop.ini' files... Wonder what they're doing there? Just have to turn off hidden files and folders huh?


Autoscan: completed 12 minutes ago (events: 357, objects: 704896, time: 05:14:40)
Result: Detected (events: 174)
6/16/2010 1:02:09 AM C:\Documents and Settings\user\Desktop\PerX Injector.rar/PerX.exe
6/16/2010 1:08:21 AM C:\Documents and Settings\user\Desktop\Grand Ol Folder\Digital-Prodigy PUB.exe/data0000.res
6/16/2010 1:25:13 AM C:\Documents and Settings\user\Downloads\gbsetup120.exe/data0000
6/16/2010 1:25:35 AM C:\Documents and Settings\user\Downloads\Hack Pack.zip/Hack Pack/GP+LEVEL Bot.exe
6/16/2010 1:25:45 AM C:\Documents and Settings\user\Downloads\HaRepacker.rar/HaRepacker.exe
6/16/2010 1:26:02 AM C:\Documents and Settings\user\Downloads\NeverBorn's hacks.rar/PerX.exe
6/16/2010 1:53:53 AM C:\Qoobox\Quarantine\C\Windows\system32\085AA.tmp.vir
6/16/2010 1:53:53 AM C:\Qoobox\Quarantine\C\Users\user\AppData\Local\wmabpt.dll.vir
6/16/2010 1:53:53 AM C:\Qoobox\Quarantine\C\Windows\system32\0882B.tmp.vir
6/16/2010 1:53:53 AM C:\Qoobox\Quarantine\C\Windows\system32\_vslrs_.dll.zip/vslrs.dll
6/16/2010 1:54:10 AM C:\Qoobox\Quarantine\C\Windows\system32\094FC.tmp.vir
6/16/2010 1:54:12 AM C:\Qoobox\Quarantine\C\Windows\system32\0A1DD.tmp.vir
6/16/2010 1:54:14 AM C:\Qoobox\Quarantine\C\Windows\system32\vslrs.dll.vir
6/16/2010 1:54:19 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\01556.tmp
6/16/2010 1:54:25 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\017C9.tmp
6/16/2010 1:54:26 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\028FC.tmp
6/16/2010 1:54:26 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\0568C.tmp
6/16/2010 1:54:43 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\05812.tmp
6/16/2010 1:54:43 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\0590C.tmp
6/16/2010 1:54:44 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\05A06.tmp
6/16/2010 1:54:46 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\05B00.tmp
6/16/2010 1:54:47 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\05BBC.tmp
6/16/2010 1:54:47 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\05C39.tmp
6/16/2010 1:54:50 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\05D14.tmp
6/16/2010 1:54:51 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\05D62.tmp
6/16/2010 1:54:53 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\05DC0.tmp
6/16/2010 1:54:54 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\05DFE.tmp
6/16/2010 1:54:55 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\05E8B.tmp
6/16/2010 1:54:58 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\05F56.tmp
6/16/2010 1:54:58 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\05FC3.tmp
6/16/2010 1:55:00 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\05FD3.tmp
6/16/2010 1:55:02 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\05FF2.tmp
6/16/2010 1:55:03 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\0609E.tmp
6/16/2010 1:55:04 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\060FC.tmp
6/16/2010 1:55:05 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\061D6.tmp
6/16/2010 1:55:06 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\061E6.tmp
6/16/2010 1:55:09 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\061F6.tmp
6/16/2010 1:55:09 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\06253.tmp
6/16/2010 1:55:10 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\06263.tmp
6/16/2010 1:55:11 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\06282.tmp
6/16/2010 1:55:15 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\062B1.tmp
6/16/2010 1:55:15 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\062B2.tmp
6/16/2010 1:55:15 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\0631F.tmp
6/16/2010 1:55:20 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\0638C.tmp
6/16/2010 1:55:20 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\063AB.tmp
6/16/2010 1:55:20 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\063DA.tmp
6/16/2010 1:55:20 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\063EA.tmp
6/16/2010 1:55:20 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\06409.tmp
6/16/2010 1:55:21 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\06419.tmp
6/16/2010 1:55:21 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\06447.tmp
6/16/2010 1:55:21 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\06448.tmp
6/16/2010 1:55:21 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\06486.tmp
6/16/2010 1:55:22 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\064C4.tmp
6/16/2010 1:55:22 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\064D4.tmp
6/16/2010 1:55:22 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\064E4.tmp
6/16/2010 1:55:23 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\06522.tmp
6/16/2010 1:55:23 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\06561.tmp
6/16/2010 1:55:23 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\06580.tmp
6/16/2010 1:55:23 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\0659F.tmp
6/16/2010 1:55:23 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\065AF.tmp
6/16/2010 1:55:24 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\0661C.tmp
6/16/2010 1:55:24 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\0663B.tmp
6/16/2010 1:55:25 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\0664B.tmp
6/16/2010 1:55:25 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\0666A.tmp
6/16/2010 1:55:26 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\066D8.tmp
6/16/2010 1:55:27 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\06716.tmp
6/16/2010 1:55:27 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\06793.tmp
6/16/2010 1:55:28 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\068BC.tmp
6/16/2010 1:55:28 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\068CC.tmp
6/16/2010 1:55:28 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\06929.tmp
6/16/2010 1:55:29 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\06968.tmp
6/16/2010 1:55:29 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\069A6.tmp
6/16/2010 1:55:29 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\069A7.tmp
6/16/2010 1:55:30 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\069A8.tmp
6/16/2010 1:55:30 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\069B6.tmp
6/16/2010 1:55:31 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\069B7.tmp
6/16/2010 1:55:31 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\06A43.tmp
6/16/2010 1:55:31 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\06A44.tmp
6/16/2010 1:55:31 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\06A45.tmp
6/16/2010 1:55:32 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\06A91.tmp
6/16/2010 1:55:32 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\06ADF.tmp
6/16/2010 1:55:33 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\06AE0.tmp
6/16/2010 1:55:34 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\06AFE.tmp
6/16/2010 1:55:34 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\06B1D.tmp
6/16/2010 1:55:34 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\06B6C.tmp
6/16/2010 1:55:34 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\06B8B.tmp
6/16/2010 1:55:35 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\06BAA.tmp
6/16/2010 1:55:35 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\06BAB.tmp
6/16/2010 1:55:36 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\06BBA.tmp
6/16/2010 1:55:36 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\06C08.tmp
6/16/2010 1:55:36 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\06C75.tmp
6/16/2010 1:55:36 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\06C85.tmp
6/16/2010 1:55:36 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\06C94.tmp
6/16/2010 1:55:36 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\06D50.tmp
6/16/2010 1:55:36 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\06D51.tmp
6/16/2010 1:55:36 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\06D8E.tmp
6/16/2010 1:55:37 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\06D9E.tmp
6/16/2010 1:55:37 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\06DAE.tmp
6/16/2010 1:55:37 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\06DBD.tmp
6/16/2010 1:55:38 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\06E79.tmp
6/16/2010 1:55:38 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\06E88.tmp
6/16/2010 1:55:39 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\06F44.tmp
6/16/2010 1:55:39 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\06F54.tmp
6/16/2010 1:55:40 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\06F55.tmp
6/16/2010 1:55:40 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\06F63.tmp
6/16/2010 1:55:40 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\06F64.tmp
6/16/2010 1:55:40 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\06FA2.tmp
6/16/2010 1:55:40 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\06FB1.tmp
6/16/2010 1:55:41 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\06FC1.tmp
6/16/2010 1:55:41 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\0700F.tmp
6/16/2010 1:55:41 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\07010.tmp
6/16/2010 1:55:42 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\0704E.tmp
6/16/2010 1:55:42 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\0708C.tmp
6/16/2010 1:55:43 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\070EA.tmp
6/16/2010 1:55:44 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\07157.tmp
6/16/2010 1:55:45 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\07158.tmp
6/16/2010 1:55:45 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\07196.tmp
6/16/2010 1:55:46 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\07197.tmp
6/16/2010 1:55:46 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\07251.tmp
6/16/2010 1:55:46 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\07261.tmp
6/16/2010 1:55:47 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\07262.tmp
6/16/2010 1:55:47 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\07270.tmp
6/16/2010 1:55:47 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\07290.tmp
6/16/2010 1:55:47 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\072AF.tmp
6/16/2010 1:55:48 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\072CE.tmp
6/16/2010 1:55:48 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\0730D.tmp
6/16/2010 1:55:49 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\0733C.tmp
6/16/2010 1:55:49 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\0733D.tmp
6/16/2010 1:55:50 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\0736A.tmp
6/16/2010 1:55:50 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\0738A.tmp
6/16/2010 1:55:50 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\07399.tmp
6/16/2010 1:55:50 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\073A9.tmp
6/16/2010 1:55:50 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\073C8.tmp
6/16/2010 1:55:50 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\073F7.tmp
6/16/2010 1:55:50 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\07455.tmp
6/16/2010 1:55:50 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\07474.tmp
6/16/2010 1:55:51 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\07493.tmp
6/16/2010 1:55:51 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\07494.tmp
6/16/2010 1:55:51 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\074B3.tmp
6/16/2010 1:55:51 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\07530.tmp
6/16/2010 1:55:51 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\07649.tmp
6/16/2010 1:55:52 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\07687.tmp
6/16/2010 1:55:52 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\07697.tmp
6/16/2010 1:55:52 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\076A7.tmp
6/16/2010 1:55:52 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\076C6.tmp
6/16/2010 1:55:52 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\076D5.tmp
6/16/2010 1:55:52 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\077CF.tmp
6/16/2010 1:55:52 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\0784C.tmp
6/16/2010 1:55:52 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\078C9.tmp
6/16/2010 1:55:52 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\078D9.tmp
6/16/2010 1:55:52 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\07908.tmp
6/16/2010 1:55:53 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\07966.tmp
6/16/2010 1:55:53 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\07967.tmp
6/16/2010 1:55:53 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\079A4.tmp
6/16/2010 1:55:53 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\079D3.tmp
6/16/2010 1:55:53 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\07C25.tmp
6/16/2010 1:55:53 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\07C44.tmp
6/16/2010 1:55:53 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\07C83.tmp
6/16/2010 1:55:53 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\07C92.tmp
6/16/2010 1:55:54 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\07D2E.tmp
6/16/2010 1:55:54 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\07F80.tmp
6/16/2010 1:55:54 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\07F90.tmp
6/16/2010 1:55:54 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\080D8.tmp
6/16/2010 1:55:54 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\08107.tmp
6/16/2010 1:55:54 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\0B99B.tmp
6/16/2010 1:55:55 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\0BBFD.tmp
6/16/2010 1:55:55 AM C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\vslrs.dll
6/16/2010 2:10:36 AM C:\Users\user\Desktop\PerX Injector.rar/PerX.exe
6/16/2010 2:38:47 AM C:\Windows\System32\08BE4.tmp
6/16/2010 2:38:47 AM C:\Windows\System32\07DDA.tmp
6/16/2010 2:38:47 AM C:\Windows\System32\08ED2.tmp
6/16/2010 2:38:51 AM C:\Windows\System32\0927C.tmp
6/16/2010 2:40:11 AM C:\Windows\System32\drivers\partmgr.sys
6/16/2010 3:06:13 AM C:\Windows\winsxs\x86_microsoft-windows-partitionmanager_31bf3856ad364e35_6.0.6001.18000_none_e19c138bba6f9093\partmgr.sys
Result: Disinfected (events: 2)
Result: Untreated (events: 4)
Result: Deleted (events: 171)
Result: Processing error (events: 2)
Result: Disinfected (events: 2)
Result: Task started (events: 1)
Result: Task completed (events: 1)


ComboFix 10-06-15.02 - user 06/15/2010 23:58:55.7.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2046.1202 [GMT -4:00]
Running from: c:\users\user\Desktop\ComboFix.exe
Command switches used :: c:\users\user\Desktop\cfscript.txt
SP: AVG Anti-Spyware *disabled* (Outdated) {48F2E28D-ED66-4646-9C11-B3055B0AF604}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\windows\system32\085AA.tmp"
"c:\windows\system32\0882B.tmp"
"c:\windows\system32\094FC.tmp"
"c:\windows\system32\0A1DD.tmp"
"c:\windows\system32\drivers\lvuvc.hs"
"c:\windows\system32\vslrs.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\085AA.tmp
c:\windows\system32\0882B.tmp
c:\windows\system32\094FC.tmp
c:\windows\system32\0A1DD.tmp
c:\windows\system32\drivers\lvuvc.hs
c:\windows\system32\vslrs.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_byfwu


((((((((((((((((((((((((( Files Created from 2010-05-16 to 2010-06-16 )))))))))))))))))))))))))))))))
.

2010-06-16 04:05 . 2010-06-16 04:05 -------- d-----w- c:\users\Workstation\AppData\Local\temp
2010-06-16 04:05 . 2010-06-16 04:05 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-06-16 04:05 . 2010-06-16 04:05 -------- d-----w- c:\users\Guest\AppData\Local\temp
2010-06-16 04:05 . 2010-06-16 04:05 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-06-16 04:05 . 2010-06-16 04:05 -------- d-----w- c:\users\Alexei\AppData\Local\temp
2010-06-16 04:05 . 2010-06-16 04:05 -------- d-----w- c:\users\Admin12\AppData\Local\temp
2010-06-16 02:24 . 2010-06-16 04:07 -------- d-----w- c:\users\user\AppData\Local\temp
2010-06-15 05:30 . 2010-06-15 05:30 -------- d-----w- c:\program files\ERUNT
2010-06-15 05:12 . 2010-06-15 05:12 -------- d-----w- c:\program files\AMD
2010-06-15 05:11 . 2010-06-15 05:11 -------- d-----w- c:\users\user\AppData\Local\Downloaded Installations
2010-06-15 05:05 . 2010-06-15 05:07 -------- d-----w- c:\program files\NVIDIA Corporation
2010-06-15 05:04 . 2010-04-03 22:55 11573800 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2010-06-15 05:04 . 2010-04-03 22:55 56424 ----a-w- c:\windows\system32\OpenCL.dll
2010-06-15 05:04 . 2010-04-03 22:55 4503144 ----a-w- c:\windows\system32\nvwgf2um.dll
2010-06-15 05:04 . 2010-04-03 22:55 4029544 ----a-w- c:\windows\system32\nvcuda.dll
2010-06-15 05:04 . 2010-04-03 22:55 2646632 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-06-15 05:04 . 2010-04-03 22:55 2009704 ----a-w- c:\windows\system32\nvcuvid.dll
2010-06-15 05:04 . 2010-04-03 22:55 15227496 ----a-w- c:\windows\system32\nvoglv32.dll
2010-06-15 05:04 . 2010-04-03 22:55 227944 ----a-w- c:\windows\system32\nvcod1914.dll
2010-06-15 05:04 . 2010-04-03 22:55 227944 ----a-w- c:\windows\system32\nvcod.dll
2010-06-15 05:04 . 2010-04-03 22:55 1296488 ----a-w- c:\windows\system32\nvapi.dll
2010-06-15 05:04 . 2010-04-03 22:55 11647592 ----a-w- c:\windows\system32\nvcompiler.dll
2010-06-14 02:08 . 2010-06-14 02:08 595 ----a-w- c:\windows\eReg.dat
2010-06-14 02:06 . 2010-06-14 02:06 -------- d-----w- c:\program files\Maxis
2010-06-08 09:49 . 2010-06-08 09:49 -------- d-----w- c:\programdata\WindowsSearch
2010-06-03 03:14 . 2010-06-03 03:14 1498960 ----a-w- c:\windows\system32\msvcr100d.dll
2010-06-03 03:14 . 2010-06-03 03:14 761152 ----a-w- c:\windows\system32\msvcr100.dll
2010-05-27 23:54 . 2010-06-10 05:26 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-27 06:41 . 2010-05-27 06:41 -------- d-----w- C:\GMouse20
2010-05-22 01:59 . 2010-05-22 01:59 -------- d-----w- c:\program files\Common Files\Skype
2010-05-21 20:03 . 2009-05-18 17:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-05-21 20:03 . 2008-04-17 16:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-05-21 20:02 . 2010-05-21 20:02 -------- d-----w- c:\program files\iPod
2010-05-21 20:01 . 2010-05-21 20:03 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-05-21 20:01 . 2010-05-21 20:03 -------- d-----w- c:\program files\iTunes
2010-05-21 19:59 . 2010-05-21 19:59 -------- d-----w- c:\program files\Apple Software Update
2010-05-21 19:57 . 2010-05-21 19:57 -------- d-----w- c:\program files\Bonjour

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-16 04:07 . 2010-06-15 05:17 34805 ----a-w- c:\programdata\nvModes.dat
2010-06-16 04:06 . 2007-06-04 22:30 -------- d-----w- c:\programdata\NVIDIA
2010-06-16 03:56 . 2010-06-16 03:56 4096 ----a-w- c:\windows\system32\0927C.tmp
2010-06-16 03:48 . 2010-06-16 03:48 4096 ----a-w- c:\windows\system32\08ED2.tmp
2010-06-16 03:41 . 2010-06-16 03:41 4096 ----a-w- c:\windows\system32\07DDA.tmp
2010-06-16 03:05 . 2010-06-16 03:05 4096 ----a-w- c:\windows\system32\08BE4.tmp
2010-06-15 05:28 . 2010-01-08 09:16 -------- d-----w- c:\users\user\AppData\Roaming\uTorrent
2010-06-14 06:09 . 2010-01-08 09:16 -------- d-----w- c:\program files\uTorrent
2010-05-30 03:55 . 2009-09-03 02:48 -------- d-----w- c:\users\user\AppData\Roaming\Skype
2010-05-30 02:47 . 2009-09-03 02:50 -------- d-----w- c:\users\user\AppData\Roaming\skypePM
2010-05-27 23:54 . 2007-06-22 19:29 -------- d-----w- c:\program files\Common Files\Java
2010-05-27 23:54 . 2007-06-22 19:30 -------- d-----w- c:\program files\Java
2010-05-22 01:59 . 2009-09-03 02:47 -------- d-----r- c:\program files\Skype
2010-05-21 20:02 . 2009-12-11 14:29 -------- d-----w- c:\program files\Common Files\Apple
2010-05-21 20:00 . 2009-03-01 23:27 -------- d-----w- c:\program files\QuickTime
2010-05-21 20:00 . 2009-12-11 14:33 -------- d-----w- c:\programdata\Apple Computer
2010-05-11 22:31 . 2010-05-11 22:31 -------- d-----w- c:\programdata\Alwil Software
2010-05-11 22:21 . 2010-05-11 22:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-03 05:36 . 2007-11-12 23:43 -------- d-----w- c:\program files\DOSBox-0.72
2010-05-03 04:49 . 2010-05-03 04:48 -------- d-----w- c:\program files\DAEMON Tools Lite
2010-05-03 04:49 . 2009-02-10 05:43 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-05-02 02:15 . 2007-06-04 17:25 107872 ----a-w- c:\users\user\AppData\Local\GDIPFONTCACHEV1.DAT
2010-04-30 15:33 . 2010-01-25 19:11 -------- d-----w- c:\program files\Little Big Adventure 2
2010-04-29 19:39 . 2010-05-11 22:21 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2010-05-11 22:21 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-24 00:33 . 2010-02-13 07:21 -------- d-----w- c:\users\user\AppData\Roaming\Hamachi
2010-04-23 04:20 . 2010-04-23 04:20 -------- d-----w- c:\program files\Trend Micro
2010-04-22 01:06 . 2008-02-08 22:59 -------- d-----w- c:\users\user\AppData\Roaming\Anvil Studio
2010-04-22 01:06 . 2008-12-04 11:07 -------- d-----w- c:\program files\Ultra MP4 Video Converter
2010-04-03 22:55 . 2007-11-07 00:00 600680 ----a-w- c:\windows\system32\nvudisp.exe
2010-04-03 22:55 . 2007-04-26 20:17 9386600 ----a-w- c:\windows\system32\nvd3dum.dll
2010-04-03 22:27 . 2010-04-03 22:27 985704 ----a-w- c:\windows\system32\nvsvc.dll
2010-04-03 22:27 . 2010-04-03 22:27 66664 ----a-w- c:\windows\system32\nvshext.dll
2010-04-03 22:27 . 2010-04-03 22:27 13683816 ----a-w- c:\windows\system32\nvcpl.dll
2010-04-03 22:27 . 2010-04-03 22:27 129640 ----a-w- c:\windows\system32\nvvsvc.exe
2010-04-03 22:27 . 2010-04-03 22:27 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-04-02 20:54 . 2007-11-07 00:00 600680 ----a-w- c:\windows\system32\nvuninst.exe
2010-03-26 05:48 . 2010-03-26 05:48 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Wireless Connection Manager.lnk - c:\program files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\wirelesscm.exe [2008-8-23 30138368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete\0sasnative32

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders credssp.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
2009-05-19 05:23 49968 ----a-w- c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-09-08 01:59 133104 ----atw- c:\users\user\AppData\Local\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-03-26 05:10 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-05-13 20:12 26192168 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 15:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2010-06-14 01:44 322352 ----a-w- c:\program files\uTorrent\uTorrent.exe

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [x]
R3 ICDUSB3;ICDUSB3;c:\windows\system32\Drivers\ICDUSB3.sys [2008-08-18 11264]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2010-05-03 691696]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-04-26 64160]
S1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\DRIVERS\jswpslwf.sys [2008-04-28 20384]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-04-03 240232]

.
Contents of the 'Scheduled Tasks' folder

2010-06-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3110586319-1905995605-3078229087-1000Core.job
- c:\users\user\AppData\Local\Google\Update\GoogleUpdate.exe [2009-09-08 01:59]

2010-06-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3110586319-1905995605-3078229087-1000UA.job
- c:\users\user\AppData\Local\Google\Update\GoogleUpdate.exe [2009-09-08 01:59]

2010-06-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3110586319-1905995605-3078229087-1004Core.job
- c:\users\Workstation\AppData\Local\Google\Update\GoogleUpdate.exe [2009-11-30 03:38]

2010-06-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3110586319-1905995605-3078229087-1004UA.job
- c:\users\Workstation\AppData\Local\Google\Update\GoogleUpdate.exe [2009-11-30 03:38]

2010-06-16 c:\windows\Tasks\User_Feed_Synchronization-{B78BB026-69A0-474E-BDCA-3E7EF24E5077}.job
- c:\windows\system32\msfeedssync.exe [2008-03-21 07:33]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\jgbotwi0.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: c:\programdata\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\users\user\AppData\Local\Google\Update\1.2.183.27\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-16 00:07
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll nvstor32.sys >>UNKNOWN [0x8E8D08C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x887a8322
\Driver\ACPI -> acpi.sys @ 0x80614d4c
\Driver\atapi -> ataport.SYS @ 0x807239a8
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\nvvsvc.exe
c:\windows\system32\mqsvc.exe
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2010-06-16 00:15:49 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-16 04:15
ComboFix2.txt 2010-06-16 02:24

Pre-Run: 149,031,780,352 bytes free
Post-Run: 149,010,124,800 bytes free

- - End Of File - - 994D0B1B01B38401EAA166CB26326793
  • 0
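The ComboFix "Find3M Report" above lists four freshly created 4096-byte .tmp files sitting directly in c:\windows\system32, the same randomly named files MBAM kept flagging as Worm.Conficker. The Python below is an added example for readers triaging such logs; it is not part of the original thread and not a tool from ComboFix, Malwarebytes or Geeks to Go. It parses lines in ComboFix's date / size / attribute / path layout and flags entries matching that pattern so a helper can spot them in a long report. The sample text is a subset of lines copied from the log above (four suspect entries plus three benign ones for contrast); the name pattern (four to six hex digits plus .tmp) and the 8 KiB size ceiling are assumptions drawn from the file names in this thread, not a documented signature.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Layout of one entry in ComboFix's "Files Created" and "Find3M Report" sections:
#   <created YYYY-MM-DD HH:MM> . <modified YYYY-MM-DD HH:MM> <size | --------> <attrs> <path>
# Directories carry "--------" in the size column and a leading "d" in the attribute column.
COMBOFIX_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) "
    r"(?P<attrs>[-a-z]+) "
    r"(?P<path>\S.*)$"
)

# Assumed name pattern for the files discussed in this thread: a short hex name plus .tmp,
# directly in system32 with no subdirectory. This is an illustration, not an official signature.
SUSPECT_TMP = re.compile(r"^c:\\windows\\system32\\[0-9a-f]{4,6}\.tmp$", re.IGNORECASE)


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]  # None for directories, which ComboFix lists without a size
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")


def parse_combofix_lines(text: str) -> List[Entry]:
    """Return the entries found in ComboFix-style report text; unrelated lines are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = COMBOFIX_LINE.match(raw.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return entries


def flag_suspect_tmp(entries: List[Entry], max_size: int = 8192) -> List[Entry]:
    """Files (never directories) of at most max_size bytes whose path matches SUSPECT_TMP."""
    return [
        e for e in entries
        if not e.is_dir
        and e.size is not None
        and e.size <= max_size
        and SUSPECT_TMP.match(e.path)
    ]


# Constructed sample: the four .tmp lines and three benign lines copied from the
# ComboFix report in this thread.
SAMPLE_LOG = r"""
2010-06-16 04:07 . 2010-06-15 05:17 34805 ----a-w- c:\programdata\nvModes.dat
2010-06-16 04:06 . 2007-06-04 22:30 -------- d-----w- c:\programdata\NVIDIA
2010-06-16 03:56 . 2010-06-16 03:56 4096 ----a-w- c:\windows\system32\0927C.tmp
2010-06-16 03:48 . 2010-06-16 03:48 4096 ----a-w- c:\windows\system32\08ED2.tmp
2010-06-16 03:41 . 2010-06-16 03:41 4096 ----a-w- c:\windows\system32\07DDA.tmp
2010-06-16 03:05 . 2010-06-16 03:05 4096 ----a-w- c:\windows\system32\08BE4.tmp
2010-06-03 03:14 . 2010-06-03 03:14 761152 ----a-w- c:\windows\system32\msvcr100.dll
"""


if __name__ == "__main__":
    for e in flag_suspect_tmp(parse_combofix_lines(SAMPLE_LOG)):
        print(f"{e.created}  {e.size:>6} bytes  {e.path}")
```

Run against the full ComboFix text rather than the sample, the same two functions pick out the four system32 .tmp entries and nothing else, because legitimate files in that section are either much larger or do not carry a bare hex name. The size ceiling is deliberately a parameter: drop it to 1024 and nothing is flagged, which is the check that the filter depends on size as well as name.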

#9
Elliot

Elliot

    Retired Staff

  • Expert
  • 3,769 posts
Looks like that cleaned up a few! Let's see what this turns up, now.


Step 1:

TFC

Download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

Step 2:

Malwarebytes

Please run another Quick Scan with Malwarebytes and post the log in your reply.


Step 3:

Reply

Things I need to see in your reply:
  • MBAM log
  • How is your computer running?
Thanks!

Elster
  • 0

#10
Mangoloid

Mangoloid

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
Well, good news and bad news.
Good news is that MBAM didn't detect anything. Clean logs, finally.
Bad news is that I can't give you any log files cause I got myself into an even greater problem.
I was updating Windows Vista; there were maybe 23 important updates that were really outdated that I decided to install. Everything seemed to be working fine until I noticed that on reboot there were still more updates. One of these updates included Vista Service Pack II (outdated computer, I know). Upon trying to install this, I left the computer on to do its business. I went downstairs to the garage to practice saxophone and then came up and noticed that my machine was failing to boot. Every time (even in safe mode!) I turn on the computer, I get the blue screen of death when the Vista OS is loading up. I don't know how I will be able to boot up the machine, and I don't know where the Vista CD that came with my machine went.
I guess too much fiddling with my computer for one day made it not like me. Is there anything that I can do? I know this isn't really the right place to ask, but I really have nowhere to go now.
  • 0



#11
Elliot

Elliot

    Retired Staff

  • Expert
  • 3,769 posts
Hello Mangoloid!

I've seen this happen many times during Windows updates, unfortunately. As you turn your computer on, repeatedly tap the F8 key. Once this brings you to the Windows menu, select "Last known good configuration." This should get you to your desktop. Then click on Start>>Windows Update (you may need to click on "All Programs" to find it). Click "Installed Updates" and you should be able to see which updates were recently installed. Select each of the updates that have yesterday's or today's date and uninstall them. Let me know if this works, or not. If it does, please don't allow any updates until we are finished and can set a restore point that does not have infected files.

Thanks!

Elster
  • 0
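The step above asks the user to pick out the updates installed yesterday or today from the Installed Updates list. As an added example (not from the original post, and not anything Geeks to Go staff supplied), the PowerShell below does the same enumeration from a shell once the desktop is reachable, so the list can be reviewed before anything is removed. It assumes PowerShell is available on the machine; the function name `Get-RecentHotFix` and its `-Days` parameter are this example's own choices, while `Get-HotFix` and `wusa.exe` are standard Windows components.

```powershell
# Added example: list Windows updates installed in the last N days so the
# "yesterday or today" ones can be identified before they are uninstalled.
# Get-HotFix reads the same data shown under "Installed Updates"; InstalledOn
# is assumed to be a DateTime (it is on current PowerShell versions).
function Get-RecentHotFix {
    param(
        [int]$Days = 2   # 2 = today and yesterday
    )
    $cutoff = (Get-Date).Date.AddDays(-($Days - 1))
    Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $cutoff } |
        Sort-Object InstalledOn -Descending |
        Select-Object HotFixID, Description, InstalledOn
}

# Review the candidates first; nothing below this line removes anything.
$recent = Get-RecentHotFix -Days 2
$recent | Format-Table -AutoSize

# To remove a single update from that list from an elevated prompt, use the
# numeric part of its KB id (wusa /uninstall /kb is available on Windows 7 and
# later; on Vista use the "Installed Updates" GUI as described in the post):
#   wusa.exe /uninstall /kb:<number> /norestart
```

Review the table before uninstalling: Service Pack installations in particular show up as a single entry, and removing updates one at a time, then rebooting, makes it much easier to tell which one caused the boot failure.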

#12
Mangoloid

Mangoloid

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
Hello Elster,

I tried every option on the Advanced boot options, Safe Mode (also with command prompt), Last Known Good Configuration, Disable Driver signature enforcement, all of the options available, and every one ultimately goes to the BSOD. It's unavoidable and happens every time the loading screen with the green thing on the bar shows up.

However, I remember I somehow (when mashing the keyboard) got to the point where I could type stuff in a command prompt, don't know how I did it. I could do the command %systemroot%\system32\restore\rstrui.exe if I find that again, but I honestly don't know how I got to that screen.

Computer's still down. I'm afraid I might have to find a Vista CD.
  • 0

#13
Elliot

Elliot

    Retired Staff

  • Expert
  • 3,769 posts
What brand/model computer is it?
  • 0

#14
Mangoloid

Mangoloid

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
I made it myself. Didn't buy it from any company, just bought the parts and assembled it.
  • 0

#15
Elliot

Elliot

    Retired Staff

  • Expert
  • 3,769 posts
Do you know how to access the recovery console? On many machines it is F11, on some it is CTRL-F11, etc. If you can access this, you should be able to do a system restore back to yesterday. If you don't know how to access it, do you know the make/model of your motherboard?
  • 0