Here's the ComboFix log, and after that there was something pretty interesting:
ComboFix 10-05-29.05 - Russell Alexander 05/30/2010 17:06:11.4.3 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2814.1780 [GMT -4:00]
Running from: c:\documents and settings\Russell Alexander\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Russell Alexander\Desktop\cfscript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_PQV2I
-------\Service_c2scsi
-------\Service_PQV2i
((((((((((((((((((((((((( Files Created from 2010-04-28 to 2010-05-30 )))))))))))))))))))))))))))))))
.
2010-05-29 13:18 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-29 01:14 . 2010-05-29 01:14 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-05-28 21:05 . 2010-05-29 02:42 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-05-28 21:05 . 2010-05-28 23:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-05-28 21:05 . 2010-05-28 21:05 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-05-28 14:14 . 2010-05-28 14:14 -------- d-----w- c:\program files\PortReporter
2010-05-28 14:13 . 2010-05-28 14:13 -------- d-----w- c:\temp\port reporter
2010-05-28 01:02 . 2010-05-28 01:02 -------- d-----w- C:\Backreg
2010-05-26 14:00 . 2010-05-26 14:02 -------- dc-h--w- c:\windows\ie8
2010-05-25 22:44 . 2010-05-25 22:53 -------- d-----w- C:\Lop SD
2010-05-25 04:11 . 2010-05-25 04:11 -------- d-----w- c:\windows\RestoreSafeDeleted
2010-05-25 03:59 . 2010-05-28 01:53 24416 ----a-w- c:\windows\system32\drivers\regguard.sys
2010-05-25 03:17 . 2010-05-25 03:17 37600 ----a-w- c:\windows\system32\Partizan.exe
2010-05-25 03:17 . 2010-05-25 03:17 35816 ----a-w- c:\windows\system32\drivers\Partizan.sys
2010-05-25 03:16 . 2010-05-25 03:16 2 --shatr- c:\windows\winstart.bat
2010-05-24 23:59 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-24 23:59 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-24 23:59 . 2010-05-25 00:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-23 16:02 . 2010-05-23 16:02 -------- d-----w- c:\documents and settings\Russell Alexander\Local Settings\Application Data\Painkiller Overdose
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-30 21:16 . 2009-05-24 13:33 16608 ----a-w- c:\windows\gdrv.sys
2010-05-30 21:13 . 2004-11-20 07:09 -------- d-----w- c:\documents and settings\Russell Alexander\Application Data\MailWasherPro
2010-05-30 10:19 . 2007-04-05 01:55 -------- d-----w- c:\program files\LogMeIn
2010-05-29 13:24 . 2002-05-20 22:34 -------- d-----w- c:\program files\Java
2010-05-29 13:19 . 2007-10-09 12:12 -------- d-----w- c:\program files\Common Files\Java
2010-05-29 13:18 . 2010-05-29 13:18 503808 ----a-w- c:\documents and settings\Russell Alexander\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6d3ce1d6-n\msvcp71.dll
2010-05-29 13:18 . 2010-05-29 13:18 499712 ----a-w- c:\documents and settings\Russell Alexander\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6d3ce1d6-n\jmc.dll
2010-05-29 13:18 . 2010-05-29 13:18 348160 ----a-w- c:\documents and settings\Russell Alexander\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6d3ce1d6-n\msvcr71.dll
2010-05-29 13:18 . 2010-05-29 13:18 61440 ----a-w- c:\documents and settings\Russell Alexander\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-419705bf-n\decora-sse.dll
2010-05-29 13:18 . 2010-05-29 13:18 12800 ----a-w- c:\documents and settings\Russell Alexander\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-419705bf-n\decora-d3d.dll
2010-05-27 22:07 . 2003-11-03 21:12 -------- d-----w- c:\program files\FTP Commander
2010-05-26 03:23 . 2009-08-20 16:27 -------- d-----w- c:\program files\3gp Player
2010-05-25 00:00 . 2008-10-26 21:02 -------- d-----w- c:\documents and settings\Russell Alexander\Application Data\Malwarebytes
2010-05-24 23:59 . 2008-10-26 21:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-24 22:45 . 2006-10-17 02:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Line 6
2010-05-24 22:44 . 2006-10-17 02:24 -------- d-----w- c:\documents and settings\Russell Alexander\Application Data\Line 6
2010-05-24 22:43 . 2010-01-15 21:27 -------- d-----w- c:\program files\Line6
2010-05-23 16:54 . 2009-04-14 05:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-05-23 15:47 . 2003-01-30 15:14 -------- d-----w- c:\program files\Common Files\Roxio Shared
2010-05-23 15:47 . 2006-05-31 14:17 -------- d-----w- c:\program files\Roxio
2010-05-23 15:47 . 2006-05-31 14:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2010-05-06 20:59 . 2009-04-29 22:49 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-05-06 20:59 . 2009-04-29 22:48 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-05-06 20:39 . 2009-04-29 22:49 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-05-06 20:39 . 2009-04-29 22:49 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-05-06 20:34 . 2009-04-29 22:49 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-05-06 20:33 . 2009-04-29 22:49 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-05-06 20:33 . 2009-04-29 22:49 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-05-06 20:33 . 2009-04-29 22:49 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-05-06 20:33 . 2009-04-29 22:49 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-04-01 23:29 . 2009-12-16 12:59 2469728 ----a-w- c:\windows\system32\AutoPartNt.exe
2010-04-01 02:48 . 2010-04-01 02:48 411494 ----a-r- c:\documents and settings\Russell Alexander\Application Data\Microsoft\Installer\{90CAF868-0B06-4C4A-A6E9-D0FD17C7BAE1}\controlPanelIcon.exe
2010-04-01 02:48 . 2010-04-01 02:48 -------- d-----w- c:\program files\Future Systems Solutions
2010-03-30 14:17 . 2010-03-03 21:58 3823960 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-03-13 02:01 . 2005-01-28 15:59 16 ----a-w- c:\windows\system32\mswin32.drv
2010-03-10 06:15 . 2004-11-20 06:49 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 01:47 . 2008-11-26 05:29 171552 ----a-w- c:\windows\system32\guard32.dll
2010-03-10 01:47 . 2008-11-26 05:29 134344 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2010-03-09 22:42 . 2010-03-09 22:42 1974272 ----a-w- c:\documents and settings\All Users\Application Data\Line 6\L6TWXG\L6TWXG.dll
2010-03-09 22:41 . 2010-03-09 22:41 1521152 ----a-w- c:\documents and settings\All Users\Application Data\Line 6\L6TWXG\data\twx\L6TWX.dll
2010-03-07 17:49 . 2010-03-24 22:03 3862528 ----a-w- c:\documents and settings\Russell Alexander\Application Data\Mozilla\Firefox\Profiles\8658kj9u.default\extensions\[email protected]\plugins\npRACtrl.dll
2010-03-05 00:01 . 2006-09-29 16:05 29312 ----a-w- c:\windows\system32\drivers\l6dp.sys
2010-03-04 04:10 . 2010-03-04 04:10 8854 ----a-r- c:\documents and settings\Russell Alexander\Application Data\Microsoft\Installer\{8B46024A-8C90-4725-AE47-6444109CF5A9}\Uninstall_Don_t_Pani_8B46024A8C904725AE476444109CF5A9.exe
2010-03-04 04:10 . 2010-03-04 04:10 40960 ----a-r- c:\documents and settings\Russell Alexander\Application Data\Microsoft\Installer\{8B46024A-8C90-4725-AE47-6444109CF5A9}\NewShortcut11_8B46024A8C904725AE476444109CF5A9.exe
2010-03-04 04:10 . 2010-03-04 04:10 40960 ----a-r- c:\documents and settings\Russell Alexander\Application Data\Microsoft\Installer\{8B46024A-8C90-4725-AE47-6444109CF5A9}\NewShortcut1_8B46024A8C904725AE476444109CF5A9.exe
2010-03-04 04:10 . 2010-03-04 04:10 2238 ----a-r- c:\documents and settings\Russell Alexander\Application Data\Microsoft\Installer\{8B46024A-8C90-4725-AE47-6444109CF5A9}\ARPPRODUCTICON.exe
2002-05-08 03:42 . 2002-05-07 17:50 11079 ---h--w- c:\program files\folder.htt
2001-12-02 08:18 . 2002-05-07 18:26 1586 ------w- c:\program files\MSO_INST.LOG
2008-04-10 20:00 . 2007-03-22 18:57 44360 ------w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2008-04-10 20:00 . 2007-03-22 18:57 107928 ------w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2007-07-18 19:54 . 2007-04-05 01:56 245408 ----a-w- c:\program files\mozilla firefox\plugins\unicows.dll
2009-11-18 18:03 . 2009-11-18 18:03 0 --sha-w- c:\windows\All Users\DRM\Cache\Indiv01.tmp
2002-06-24 11:59 . 2003-05-14 11:37 1025 --sh--w- c:\windows\page files\maxmeg.sys
2004-11-05 15:27 . 2004-07-24 17:45 10022 --sh--w- c:\windows\SYSTEM\KGyGaAvL.sys
2006-05-03 09:06 . 2007-02-09 22:58 163328 --sh--r- c:\windows\SYSTEM32\flvDX.dll
2007-02-21 10:47 . 2007-06-02 21:54 31232 --sh--r- c:\windows\SYSTEM32\msfDX.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@="{7D688A77-C613-11D0-999B-00C04FD655E1}"
[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
2008-06-17 19:02 8461312 ----a-w- c:\windows\SYSTEM32\shell32.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FinePrint Dispatcher v5"="c:\windows\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [2006-09-27 503808]
"vscvol.exe"="h:\roland\VSC32\vscvol.exe" [2000-02-09 36864]
"vsc32cnf.exe"="h:\roland\VSC32\vsc32cnf.exe" [2000-02-07 36864]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-04-17 63048]
"LVCOMS"="c:\program files\Common Files\Logitech\QCDriver\LVCOMS.EXE" [2001-09-24 98304]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 13680640]
"nwiz"="nwiz.exe" [2009-01-15 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-15 86016]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-01-30 1800464]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-05-06 2815192]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-05-28 5937984]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-05-30 5419008]
"iLike"="c:\program files\iLike\1.1.41\ilikesidebar.exe" [2008-02-12 63024]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Printing Migration"="c:\windows\system32\spool\migrate.dll" [2001-08-23 30208]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
"<NO NAME>"= 00000000
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
"<NO NAME>"= 00000000
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-10-01 20:20 87352 ----a-w- c:\windows\SYSTEM32\LMIinit.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MIDI7"=vscapi.dll
"WAVE6"=vscapi.dll
"wave1"=rddv1006.dll
"midi2"=rddv1006.dll
"mixer1"=rddv1006.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@=""
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Russell Alexander^Start Menu^Programs^Startup^HotSync Manager.lnk]
backup=c:\windows\pss\HotSync Manager.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Russell Alexander^Start Menu^Programs^Startup^Registration Ghost Recon Advanced Warfighter.LNK]
backup=c:\windows\pss\Registration Ghost Recon Advanced Warfighter.LNKStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Russell Alexander^Start Menu^Programs^Startup^World Community Grid Agent.lnk]
backup=c:\windows\pss\World Community Grid Agent.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
2004-10-20 13:40 34904 ------w- c:\program files\Common Files\AOL\ACS\AOLDial.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataLayer]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2008-10-14 15:28 133104 ----atw- c:\documents and settings\Russell Alexander\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2004-11-03 20:03 125528 ------w- c:\program files\Common Files\AOL\1110494747\EE\AOLHostManager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
2002-07-17 15:00 200767 ------w- e:\microsoft money\System\mnyexpr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2005-09-01 00:27 1658592 ------w- c:\program files\Messenger\Msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 15:50 155648 ------w- c:\windows\SYSTEM32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-01-15 13:19 13680640 ----a-w- c:\windows\SYSTEM32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SW20]
2006-01-03 14:58 208896 ------w- c:\windows\SYSTEM32\sw20.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SW24]
2006-01-03 14:59 69632 ------w- c:\windows\SYSTEM32\sw24.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemTray]
2001-08-23 18:00 3072 ------w- c:\windows\SYSTEM32\systray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"tmproxy"=2 (0x2)
"TmPfw"=2 (0x2)
"Tmntsrv"=2 (0x2)
"PcCtlCom"=2 (0x2)
"AOL TopSpeedMonitor"=3 (0x3)
"AOL ACS"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"RoxLiveShare"=2 (0x2)
"LiveUpdate"=3 (0x3)
"iPodService"=3 (0x3)
"GoToMyPC"=3 (0x3)
"C-DillaCdaC11BA"=3 (0x3)
"iPod Service"=3 (0x3)
"UleadBurningHelper"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"IntuitUpdateService"=3 (0x3)
"QBFCService"=3 (0x3)
"Bonjour Service"=3 (0x3)
"Apple Mobile Device"=3 (0x3)
"TomTomHOMEService"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ATI Launchpad"=
"RFAgent"=m:\registryfirstaid\rfagent.exe
"SpybotSD TeaTimer"=m:\spybot - search & destroy\TeaTimer.exe
"Steam"="m:\half-life 2\steam.exe" -silent
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"Tweak UI"=RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
"ATIPTA"=atiptaxx.exe
"StillImageMonitor"=c:\windows\SYSTEM32\STIMON.EXE
"QuickTime Task"="c:\windows\SYSTEM32\qttask.exe" -atboottime
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"f:\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\1110494747\\EE\\AOLServiceHost.exe"=
"f:\\bittorrent\\bittorrent.exe"=
"c:\\Program Files\\Messenger\\Msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\AnalogX\\BitPump\\bitpump.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"f:\\QuickBooks 2007\\QBDBMgrN.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"h:\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"=
R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\SYSTEM32\DRIVERS\SI3112r.sys [5/12/2004 2:01 PM 97408]
R0 tdrpman258;Acronis Try&Decide and Restore Points filter (build 258);c:\windows\SYSTEM32\DRIVERS\tdrpm258.sys [12/15/2009 7:06 PM 911680]
R1 aswSP;aswSP;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [4/29/2009 6:49 PM 164048]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\SYSTEM32\DRIVERS\cmdguard.sys [11/26/2008 1:29 AM 134344]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\SYSTEM32\DRIVERS\cmdhlp.sys [11/26/2008 1:29 AM 25160]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\SYSTEM32\DRIVERS\sp_rsdrv2.sys [4/22/2009 11:26 PM 142592]
R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [4/29/2009 6:49 PM 19024]
R2 CX88XBAR;KWorld PVR 883 Crossbar;c:\windows\SYSTEM32\DRIVERS\cx88xbar.sys [7/4/2007 11:01 PM 8960]
R2 ES lite Service;ES lite Service for program management.;c:\program files\Gigabyte\EasySaver\essvr.exe [5/24/2009 9:37 AM 68136]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [6/2/2007 5:58 PM 12856]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/24/2010 7:59 PM 304464]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\SYSTEM32\DRIVERS\npf.sys [10/20/2009 2:19 PM 50704]
R2 RVIEGVST;VSC VST Engine;c:\program files\Roland\Virtual Sound Canvas VST\RVIEg01VST.sys [12/19/2009 8:02 PM 188276]
R3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\SYSTEM32\DRIVERS\hitmanpro35.sys [5/28/2010 5:05 PM 15944]
R3 L6DP;L6DP;c:\windows\SYSTEM32\DRIVERS\l6dp.sys [9/29/2006 12:05 PM 29312]
R3 L6TPortB;Service - Line 6 TonePort UX2;c:\windows\SYSTEM32\DRIVERS\L6TPortB.sys [1/15/2010 5:28 PM 532992]
R3 MBAMProtector;MBAMProtector;c:\windows\SYSTEM32\DRIVERS\mbam.sys [5/24/2010 7:59 PM 20952]
R3 vsc32;Virtual Sound Canvas 3.2;c:\windows\SYSTEM32\DRIVERS\vsc.sys [1/1/2006 10:31 PM 951284]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S3 afcdp;afcdp;c:\windows\SYSTEM32\DRIVERS\afcdp.sys [12/15/2009 7:06 PM 160288]
S3 afcdpsrv;Acronis Nonstop Backup service;c:\program files\Common Files\Acronis\CDP\afcdpsrv.exe [12/15/2009 7:06 PM 2480048]
S3 emuumidi;E-MU USB-MIDI Driver;c:\windows\SYSTEM32\DRIVERS\emuumidi.sys [3/14/2007 2:11 PM 37120]
S3 gupdate1c929d241ac157c;Google Update Service (gupdate1c929d241ac157c);c:\program files\Google\Update\GoogleUpdate.exe [10/9/2008 1:45 AM 133104]
S3 Partizan;Partizan;c:\windows\SYSTEM32\DRIVERS\Partizan.sys [5/24/2010 11:17 PM 35816]
S3 PortReporter;Port Reporter;c:\program files\PortReporter\PortReporter.exe [5/28/2010 10:14 AM 90183]
S3 QCPro;Logitech QuickCam Pro USB(PID_D001);c:\windows\SYSTEM32\DRIVERS\p35u.sys [7/28/2008 9:15 PM 116448]
S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\DRIVERS\rcvpn.sys --> c:\windows\system32\DRIVERS\rcvpn.sys [?]
S3 RD1006;Roland UA-100;c:\windows\SYSTEM32\DRIVERS\rdwm1006.sys [11/20/2004 11:28 AM 169086]
S3 RegGuard;RegGuard;c:\windows\SYSTEM32\DRIVERS\regguard.sys [5/24/2010 11:59 PM 24416]
S3 s3legacy;s3legacy;c:\windows\SYSTEM32\DRIVERS\s3legacy.sys [10/22/2006 7:40 PM 65664]
S3 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
S3 sysid;sysid;c:\windows\SYSTEM32\DRIVERS\sysid.sys [4/15/2005 10:41 AM 5568]
S3 TomTomHOMEService;TomTomHOMEService;e:\tomtom home 2\TomTomHOMEService.exe [11/13/2009 7:31 AM 92008]
S3 U6000ALL;HDTV110 TV Box(ALL);c:\windows\SYSTEM32\DRIVERS\dmdcap.sys [12/13/2008 9:53 PM 230784]
S3 VGAUTI;VGAUTI;c:\windows\SYSTEM32\DRIVERS\vgauti.sys [9/24/2004 10:00 AM 39208]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - GTNDIS5
*NewlyCreated* - HITMANPRO35
*Deregistered* - uphcleanhlp
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-06-09 14:14 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
2008-04-14 00:12 73216 ------w- c:\program files\Outlook Express\setup50.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
2008-04-14 00:12 73216 ------w- c:\program files\Outlook Express\setup50.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
2008-04-14 00:12 73216 ------w- c:\program files\Outlook Express\setup50.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
2008-04-14 00:12 73216 ------w- c:\program files\Outlook Express\setup50.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
2008-04-14 00:12 73216 ------w- c:\program files\Outlook Express\setup50.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
2001-03-23 20:17 7168 ------w- c:\windows\SYSTEM32\updcrl.exe
.
Contents of the 'Scheduled Tasks' folder
2010-05-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-10-09 05:45]
2010-05-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-10-09 05:45]
2010-05-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1220945662-362288127-839522115-1003Core.job
- c:\documents and settings\Russell Alexander\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-31 15:28]
2010-05-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1220945662-362288127-839522115-1003UA.job
- c:\documents and settings\Russell Alexander\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-31 15:28]
2010-05-30 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-02-04 21:50]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mWindow Title = Microsoft Internet Explorer provided by MSN
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = 0.0.0.0:80
IE: &AOL Toolbar search
IE: &search with URSEARCH Toolbar
IE: Add to Google Photos Screensa&ver
IE: Append to Existing PDF
IE: Convert link target to Adobe PDF - e:\adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - e:\adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - e:\adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - e:\adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - e:\adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - e:\adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - e:\adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - e:\adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Crawler Search - tbr:iemenu
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Open with BitPump - c:\program files\AnalogX\BitPump\ieint.htm
Trusted Zone: accountonline.com\www
Trusted Zone: intuit.com\ttlc
Trusted Zone: line6.net
Trusted Zone: turbotax.com
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\Crawler\Toolbar\ctbr.dll
Name-Space Handler: ftp\GetRightIEClickCatcher - {73BA8F12-723E-11D1-A9E2-00403320FCF2} - c:\progra~1\GetRight\xx2gr.dll
Name-Space Handler: http\GetRightIEClickCatcher - {73BA8F12-723E-11D1-A9E2-00403320FCF2} - c:\progra~1\GetRight\xx2gr.dll
DPF: ChatSpace Java Client 2.1.0.84 - hxxp://63.102.227.45/Java/cs4ms084.cab
DPF: Dialpad Java Applet - hxxp://www.dialpad.com/applet/src/vscp.cab
DPF: Dialpad US Java Applet - hxxp://www.dialpad.com/applet/src/vscp.cab
DPF: DirectAnimation Java Classes
DPF: Internet Explorer Classes for Java
DPF: Microsoft XML Parser for Java
DPF: Serome Web2Phone - hxxp://www.dialpad.com/applet/vscp.cab
DPF: {0B72CCA4-5F11-11D0-9CB5-0000C0EC9FDB}
DPF: {6D5FCFCB-FA6C-4CFB-9918-5F0A9F7365F2}
DPF: {76A2A0AB-38B7-46DB-8E47-F10CDE4D7920} - hxxp://aerial.leepa.org/ecwplugins/NCS.cab
DPF: {8C6C6922-6258-44AC-9912-53964AC55276} - hxxp://217.160.140.67/download/xloader10.cab
FF - ProfilePath - c:\documents and settings\Russell Alexander\Application Data\Mozilla\Firefox\Profiles\8658kj9u.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\documents and settings\Russell Alexander\Application Data\Mozilla\Firefox\Profiles\8658kj9u.default\extensions\{50997114-a686-4585-8fb9-ce1093a1cf75}\components\FFAlert.dll
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff36\gears.dll
FF - plugin: c:\documents and settings\Russell Alexander\Application Data\Mozilla\Firefox\Profiles\8658kj9u.default\extensions\[email protected]\plugins\npRACtrl.dll
FF - plugin: c:\documents and settings\Russell Alexander\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPil86.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npRACtrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: d:\download manager\npfpdlm.dll
FF - plugin: e:\realplayer\Netscape6\nppl3260.dll
FF - plugin: e:\realplayer\Netscape6\nprjplug.dll
FF - plugin: e:\realplayer\Netscape6\nprpjplug.dll
FF - plugin: f:\netscape\PROGRAM\Plugins\npdrmv2.dll
FF - plugin: f:\netscape\PROGRAM\Plugins\npdsplay.dll
FF - plugin: f:\netscape\PROGRAM\Plugins\npmusicn.dll
FF - plugin: f:\netscape\PROGRAM\Plugins\NPOFF12.DLL
FF - plugin: f:\netscape\PROGRAM\Plugins\npqtplugin.dll
FF - plugin: f:\netscape\PROGRAM\Plugins\npqtplugin2.dll
FF - plugin: f:\netscape\PROGRAM\Plugins\npqtplugin3.dll
FF - plugin: f:\netscape\PROGRAM\Plugins\npqtplugin4.dll
FF - plugin: f:\netscape\PROGRAM\Plugins\npqtplugin5.dll
FF - plugin: f:\netscape\PROGRAM\Plugins\npwmsdrm.dll
FF - plugin: h:\itunes\Mozilla Plugins\npitunes.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2010-05-30 19:03
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\$$$\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:a4,0b,a3,4e,39,fb,e1,6f,e1,7c,f9,09,76,5c,d0,e0,d9,0e,ec,64,a2,c4,5d,
4e,3c,3a,17,fd,d8,d5,45,ce,84,0f,56,9c,36,87,46,b0,27,5a,d4,94,1a,a2,81,1e,\
"??"=hex:2f,b6,6f,45,ee,e2,ec,0a,29,d5,69,d3,55,fd,2c,18
[HKEY_USERS\$$$\Software\SecuROM\License information*]
"datasecu"=hex:3f,d8,08,15,6f,be,39,d7,ec,d2,25,24,1e,c7,72,6a,59,91,53,10,85,
ca,2a,56,69,d5,29,f9,fa,bc,44,07,e7,7f,b2,72,dd,a1,06,fe,b4,4d,49,25,8e,5c,\
"rkeysecu"=hex:38,98,b0,2f,0e,4a,40,d1,71,86,9b,cb,a4,d4,42,6a
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1348)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\LMIinit.dll
- - - - - - - > 'lsass.exe'(1404)
c:\windows\system32\rddv1006.dll
- - - - - - - > 'explorer.exe'(14020)
c:\windows\system32\WININET.dll
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Common Files\aolshare\aolshcpy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\LMIRfsClientNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\COMODO\COMODO Internet Security\cmdagent.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Common Files\InterVideo\DeviceService\DevSvc.exe
c:\windows\system32\crypserv.exe
c:\program files\FolderSize\FolderSizeSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\smlogsvc.exe
f:\uphclean\uphclean.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
c:\windows\system32\wscntfy.exe
c:\program files\Google\Update\1.2.183.23\GoogleCrashHandler.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
.
**************************************************************************
.
Completion time: 2010-05-30 19:15:43 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-30 23:15
ComboFix2.txt 2010-05-30 14:36
ComboFix3.txt 2010-03-28 18:52
ComboFix4.txt 2010-03-27 18:29
Pre-Run: 15,359,689,216 bytes free
Post-Run: 15,352,502,784 bytes free
Current=3 Default=3 Failed=2 LastKnownGood=5 Sets=1,2,3,5
- - End Of File - - 681840A0E2949420EDFC66F931AFEE1A
Now, in order to run CF, I had to disable Avast and MBAM, as well as my firewall. When I checked MSConfig, I had a number of entries that were in my root folder that had never been there before. I started to uncheck them, then realized I should keep a record, so I canceled and started this reply.
I re-opened MSConfig, and guess what? All of those weird entries had disappeared! Here are some of the weird entries that I've found in my root:
IoU.sys
IPH.PH
key.sah
msbr (no extension)
NULL
and a number of others.
Jotti found nothing wrong with them, but why were they in MSConfig and then disappeared? And IOU.sys is new, along with some .bin files.
I'm willing to work through this - I want to find out what this thing is and how to defeat it. Thanks for your help.