
Solved Crashing After Removing Malware

Discussion in 'Malware and Virus Removal Archive' started by Sltk, 2009/07/16.

  1. 2009/07/16

    Sltk Inactive Thread Starter

    [Resolved] Crashing After Removing Malware

    Hello. This morning I was infected with some form of malware. I got the system tray warning about my security center detecting a virus infection. I have encountered this before on friends' computers so I immediately knew it was malware. Seconds after the pop-up, my computer blue screened.

    I rebooted, saw no system tray pop-ups or anything unusual, and ran Ad-Aware. It found a trojan (Win32.Trojan.Agent Malware was removed, can't find an actual log file for Ad-Aware). The malware file was found in C:\Users\Randy so I checked the folder and noticed two other .exe files and one .bat file all created at the same time as the malware and all with gibberish names, so I deleted those manually.

    I then rebooted into safe mode. I ran a Malwarebytes scan, which removed something, an Avast scan, which removed something, and another Ad-Aware scan, which found nothing. I also removed anything funny looking in HJT at this time (like ::1 localhost in the hosts file), but nothing was harmful looking there. All these logs are below.

    I then rebooted and ran Windows Update. It installed ~25 updates, everything available to me. After this I rebooted again, updated my video card drivers (I figured since I was rebooting so much I might as well, and I thought the problem was solved), and rebooted again.

    After that I was hopeful things were fixed. However, I hopped onto World of Warcraft and after only moments of playing my system locked up and was completely unresponsive. There was no blue screen, and the event viewer doesn't tell me anything except the shut down was unexpected when I turned off the system by holding the power button to reboot it.

    Crashing during World of Warcraft is very bad for me. Any suggestions?
    Please note the DDS log says Windows Defender is enabled, but I have it disabled in control panel and manually killed the process, so I'm not sure what that's about.


    DDS:


    DDS (Ver_09-06-26.01) - NTFSx86
    Run by Randy at 2:06:58.08 on Thu 07/16/2009
    Internet Explorer: 8.0.6001.18783 BrowserJavaVersion: 1.6.0_11
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2814.1927 [GMT -4:00]

    AV: avast! antivirus 4.8.1296 [VPS 081212-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    SP: avast! antivirus 4.8.1296 [VPS 081212-0] *disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\BandwidthMeterPro\BWMeterPro.exe
    C:\Program Files\Digsby\lib\digsby-app.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\svchost.exe -k bthsvcs
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\Windows\System32\nvSCPAPISvr.exe
    C:\Windows\system32\rundll32.exe
    C:\Windows\system32\vssvc.exe
    C:\Windows\System32\svchost.exe -k swprv
    C:\Users\Randy\Downloads\dds.scr
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.alienware.com/Mothership?Comp=%ALIENFACTORY_Company%&SysCode=%ALIENFACTORY_SystemCode%&ai=636E3D34363834323326706F3D35383735373541
    uDefault_Page_URL = hxxp://www.alienware.com/Mothership?Comp=%ALIENFACTORY_Company%&SysCode=%ALIENFACTORY_SystemCode%&ai=636E3D34363834323326706F3D35383735373541
    mStart Page = hxxp://www.alienware.com/mothership
    mDefault_Page_URL = hxxp://www.alienware.com/mothership
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    uRun: [Google Update] "c:\users\randy\appdata\local\google\update\GoogleUpdate.exe" /c
    uRun: [BandwidthMeterPro] c:\program files\bandwidthmeterpro\BWMeterPro.exe
    uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [RtHDVCpl] RtHDVCpl.exe
    mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
    mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe "
    mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe "
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe "
    mRun: [avast!] c:\progra~1\avast4\ashDisp.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe "
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    StartupFolder: c:\users\randy\appdata\roaming\micros~1\windows\startm~1\programs\startup\digsby.lnk - c:\program files\digsby\digsby.exe
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

    ================= FIREFOX ===================

    FF - ProfilePath - c:\users\randy\appdata\roaming\mozilla\firefox\profiles\koolwerl.default\
    FF - prefs.js: browser.startup.homepage - www.slashdot.org
    FF - plugin: c:\program files\mozilla firefox\plugins\npijjiFFPlugin1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
    FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
    FF - plugin: c:\users\randy\appdata\local\google\update\1.2.183.7\npGoogleOneClick8.dll
    FF - plugin: c:\users\randy\appdata\roaming\mozilla\firefox\profiles\koolwerl.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000004.dll
    FF - plugin: c:\users\randy\appdata\roaming\mozilla\firefox\profiles\koolwerl.default\extensions\npdyyno@dyyno.com\plugins\npDyyno.dll
    FF - plugin: c:\users\randy\appdata\roaming\mozilla\plugins\npoctoshape.dll
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

    ============= SERVICES / DRIVERS ===============

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-5-26 64160]
    R0 nvrd32;NVIDIA nForce RAID Driver;c:\windows\system32\drivers\nvrd32.sys [2008-3-4 134688]
    R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-10-16 114768]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-10-16 20560]
    R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2008-10-16 51792]
    R2 CAMTHWDM;WebcamMax, WDM Video Capture;c:\windows\system32\drivers\CAMTHWDM.sys [2008-9-17 941784]
    R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\windows\system32\nvSCPAPISvr.exe [2009-6-10 232960]
    S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 1029456]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2007-10-10 179712]
    S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]

    =============== Created Last 30 ================

    2009-07-15 23:39 31,871 a------- c:\programdata\nvModes.dat
    2009-07-15 23:39 31,871 a------- c:\progra~2\nvModes.dat
    2009-07-15 23:30 <DIR> --d----- c:\program files\SystemRequirementsLab
    2009-07-15 23:12 2,048 a------- c:\windows\system32\tzres.dll
    2009-07-15 23:05 97,800 a------- c:\windows\system32\infocardapi.dll
    2009-07-15 23:05 622,080 a------- c:\windows\system32\icardagt.exe
    2009-07-15 23:05 105,016 a------- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
    2009-07-15 23:05 43,544 a------- c:\windows\system32\PresentationHostProxy.dll
    2009-07-15 23:05 37,384 a------- c:\windows\system32\infocardcpl.cpl
    2009-07-15 23:05 11,264 a------- c:\windows\system32\icardres.dll
    2009-07-15 23:05 781,344 a------- c:\windows\system32\PresentationNative_v0300.dll
    2009-07-15 23:05 326,160 a------- c:\windows\system32\PresentationHost.exe
    2009-07-15 23:01 96,760 a------- c:\windows\system32\dfshim.dll
    2009-07-15 23:01 282,112 a------- c:\windows\system32\mscoree.dll
    2009-07-15 23:01 41,984 a------- c:\windows\system32\netfxperf.dll
    2009-07-15 23:01 158,720 a------- c:\windows\system32\mscorier.dll
    2009-07-15 23:01 83,968 a------- c:\windows\system32\mscories.dll
    2009-07-15 22:59 156,160 a------- c:\windows\system32\msls31.dll
    2009-07-15 22:56 2,927,104 a------- c:\windows\explorer.exe
    2009-07-15 22:53 784,896 a------- c:\windows\system32\rpcrt4.dll
    2009-07-15 13:42 <DIR> --d----- c:\users\randy\appdata\roaming\Malwarebytes
    2009-07-15 13:42 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-07-15 13:42 19,096 a------- c:\windows\system32\drivers\mbam.sys
    2009-07-15 13:42 <DIR> --d----- c:\programdata\Malwarebytes
    2009-07-15 13:42 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
    2009-07-15 13:42 <DIR> --d----- c:\progra~2\Malwarebytes
    2009-07-15 12:38 31,744 ---shr-- c:\users\randy\Randy.exe
    2009-07-09 03:58 <DIR> --d----- c:\program files\PopCap Games
    2009-07-04 04:42 <DIR> --d----- c:\program files\Nobilis
    2009-07-02 03:21 67,427 a------- c:\windows\system32\x264vfw-uninstall.exe
    2009-07-02 03:00 <DIR> --d----- c:\program files\Vstplugins
    2009-07-02 03:00 <DIR> --d----- c:\programdata\Sony
    2009-07-02 03:00 <DIR> --d----- c:\program files\Sony
    2009-06-22 07:54 189,288 a------- c:\windows\system32\PnkBstrB.xtr

    ==================== Find3M ====================

    2009-07-15 23:35 143,360 a------- c:\windows\inf\infstrng.dat
    2009-07-15 23:35 51,200 a------- c:\windows\inf\infpub.dat
    2009-07-15 23:34 86,016 a------- c:\windows\inf\infstor.dat
    2009-06-22 08:11 137,888 a------- c:\windows\system32\drivers\PnkBstrK.sys
    2009-06-22 08:11 189,288 a------- c:\windows\system32\PnkBstrB.exe
    2009-06-22 07:54 75,064 a------- c:\windows\system32\PnkBstrA.exe
    2009-06-15 11:24 156,672 a------- c:\windows\system32\t2embed.dll
    2009-06-15 11:20 72,704 a------- c:\windows\system32\fontsub.dll
    2009-06-15 11:20 10,240 a------- c:\windows\system32\dciman32.dll
    2009-06-15 08:52 289,792 a------- c:\windows\system32\atmfd.dll
    2009-06-15 02:46 15,688 a------- c:\windows\system32\lsdelete.exe
    2009-06-10 08:35 1,194,528 a------- c:\windows\system32\nvcplui.exe
    2009-06-10 08:35 1,296,928 a------- c:\windows\system32\nvsvs.dll
    2009-06-10 08:34 3,123,744 a------- c:\windows\system32\nvwss.dll
    2009-06-10 08:34 4,045,344 a------- c:\windows\system32\nvvitvs.dll
    2009-06-10 08:34 4,028,960 a------- c:\windows\system32\nvdisps.dll
    2009-06-10 08:34 3,516,960 a------- c:\windows\system32\nvgames.dll
    2009-06-10 08:34 1,288,736 a------- c:\windows\system32\nvmobls.dll
    2009-06-10 08:34 211,488 a------- c:\windows\system32\nvvsvc.exe
    2009-06-10 08:34 195,104 a------- c:\windows\system32\nvmccss.dll
    2009-06-10 08:34 13,785,632 a------- c:\windows\system32\nvcpl.dll
    2009-06-10 08:34 768,544 a------- c:\windows\system32\nvsvc.dll
    2009-06-10 08:34 143,360 a------- c:\windows\system32\nvshext.dll
    2009-06-10 08:34 92,704 a------- c:\windows\system32\nvmctray.dll
    2009-06-10 06:33 244,736 a------- c:\windows\system32\nvStInst.exe
    2009-06-10 06:33 467,968 a------- c:\windows\system32\nvstlink.exe
    2009-06-10 06:33 3,953,152 a------- c:\windows\system32\nvstwiz.exe
    2009-06-10 06:33 141,824 a------- c:\windows\system32\nvStereoApiI.dll
    2009-06-10 06:33 171,520 a------- c:\windows\system32\nvStereoApiI64.dll
    2009-06-10 06:33 232,960 a------- c:\windows\system32\nvSCPAPISvr.exe
    2009-06-10 06:32 257,536 a------- c:\windows\system32\nvSCPAPI.dll
    2009-06-10 06:32 301,568 a------- c:\windows\system32\nvSCPAPI64.dll
    2009-06-10 06:32 3,293,184 a------- c:\windows\system32\nvstres.dll
    2009-06-10 06:32 5,847 a------- c:\windows\system32\oglstreg.reg
    2009-06-10 06:31 167,424 a------- c:\windows\system32\nvstreg.exe
    2009-06-10 06:31 1,718,272 a------- c:\windows\system32\nvsttest.exe
    2009-06-10 06:31 1,034,752 a------- c:\windows\system32\nvstview.exe
    2009-06-10 06:31 89,088 a------- c:\windows\system32\nvimage.dll
    2009-06-10 06:29 1,656 a------- c:\windows\system32\nvstdef.reg
    2009-06-10 06:03 10,379,264 a------- c:\windows\system32\nvoglv32.dll
    2009-06-10 06:03 9,899,296 a------- c:\windows\system32\drivers\nvlddmkm.sys
    2009-06-10 06:03 7,611,904 a------- c:\windows\system32\nvd3dum.dll
    2009-06-10 06:03 3,148,288 a------- c:\windows\system32\nvwgf2um.dll
    2009-06-10 06:03 1,704,960 a------- c:\windows\system32\nvcuda.dll
    2009-06-10 06:03 1,317,408 a------- c:\windows\system32\nvcuvenc.dll
    2009-06-10 06:03 989,696 a------- c:\windows\system32\nvapi.dll
    2009-06-10 06:03 678,432 a------- c:\windows\system32\nvcuvid.dll
    2009-06-10 06:03 457,248 a------- c:\windows\system32\nvudisp.exe
    2009-06-10 06:03 151,552 a------- c:\windows\system32\nvcod155.dll
    2009-06-10 06:03 151,552 a------- c:\windows\system32\nvcod.dll
    2009-06-10 06:03 4,224 a------- c:\windows\system32\drivers\nvBridge.kmd
    2009-06-04 16:39 457,248 a------- c:\windows\system32\NVUNINST.EXE
    2009-05-26 03:17 64,160 a------- c:\windows\system32\drivers\Lbd.sys
    2009-05-09 01:50 915,456 a------- c:\windows\system32\wininet.dll
    2009-05-09 01:34 71,680 a------- c:\windows\system32\iesetup.dll
    2009-05-02 10:17 98,604 a---h--- c:\windows\system32\mlfcache.dat
    2009-05-01 17:02 823,296 a------- c:\windows\system32\divx_xx0c.dll
    2009-05-01 17:02 823,296 a------- c:\windows\system32\divx_xx07.dll
    2009-05-01 17:02 815,104 a------- c:\windows\system32\divx_xx0a.dll
    2009-05-01 17:02 811,008 a------- c:\windows\system32\divx_xx16.dll
    2009-05-01 17:02 802,816 a------- c:\windows\system32\divx_xx11.dll
    2009-05-01 17:02 685,056 a------- c:\windows\system32\DivX.dll
    2009-04-30 08:37 293,376 a------- c:\windows\system32\psisdecd.dll
    2009-04-30 08:37 428,544 a------- c:\windows\system32\EncDec.dll
    2009-04-28 09:55 70,936 a------- c:\windows\system32\PhysXLoader.dll
    2009-04-23 08:42 636,928 a------- c:\windows\system32\localspl.dll
    2009-04-21 07:55 2,033,152 a------- c:\windows\system32\win32k.sys
    2008-08-30 22:24 22,328 a------- c:\users\randy\appdata\roaming\PnkBstrK.sys
    2008-08-06 03:58 810 a------- c:\program files\INSTALL.LOG
    2008-08-01 21:56 665,600 a------- c:\windows\inf\drvindex.dat
    2008-03-06 14:15 174 a--sh--- c:\program files\desktop.ini
    2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
    2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
    2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
    2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
    2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
    2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
    2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
    2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
    2006-03-20 15:37 5,689,344 a------- c:\program files\mplayerc.exe

    ============= FINISH: 2:07:26.24 ===============


    Attach:


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-06-26.01)

    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 7/28/2008 2:17:50 PM
    System Uptime: 7/16/2009 1:29:08 AM (1 hours ago)

    Motherboard: alienware | | alienware
    Processor: Intel(R) Core(TM)2 Duo CPU E8400 @ 3.00GHz | Socket 775 | 3000/333mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 923 GiB total, 389.667 GiB free.
    D: is CDROM ()
    E: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP246: 7/15/2009 10:56:58 PM - Windows Update
    RP247: 7/15/2009 11:34:17 PM - Device Driver Package Install: NVIDIA Display adapters

    ==== Installed Programs ======================

    µTorrent
    7-Zip 4.57
    AAC Decoder
    Ad-Aware
    Adobe Flash Player 10 Plugin
    Adobe Reader 8.1.4
    AIM 6
    AlienRespawn v2.0
    Anarchy Online
    Apple Software Update
    AutoUpdate
    avast! Antivirus
    Bandwidth Meter Pro 2.6 build 617
    Camtasia Studio 5
    Command & Conquer™ Red Alert™ 3
    Crysis WARHEAD(R)
    Crysis(R)
    Digsby
    DivX Codec
    DivX Converter
    DivX Player
    DivX Plus DirectShow Filters
    DivX Version Checker
    DivX Web Player
    DTS+AC3 Filter
    EA Download Manager
    Fallout 3
    Fallout 3: Operation Anchorage™
    FEARCombat
    FMOD Designer
    Fraps (remove only)
    Game Cam
    Garena
    GIMP 2.4.7
    GOM Player
    Google Chrome
    Grand Theft Auto IV
    H.264 Decoder
    Hamachi 1.0.2.5
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    ijji
    ijji - Gunz
    ijji FireFox Launcher 1.0
    Java(TM) 6 Update 11
    Java(TM) 6 Update 7
    Kremlin
    Left 4 Dead
    LightScribe 1.4.124.1
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB929729)
    Microsoft .NET Framework 3.5 SP1
    Microsoft Games for Windows - LIVE
    Microsoft Games for Windows - LIVE Redistributable
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    mIRC
    MKV Splitter
    Mozilla Firefox (3.0.11)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB941833)
    MSXML 4.0 SP2 (KB954430)
    Nero 7 Essentials
    NVIDIA Drivers
    NVIDIA nTune
    NVIDIA PhysX
    NVIDIA Stereoscopic 3D Driver
    Octoshape Streaming Services
    OpenOffice.org 3.0
    Peggle Extreme
    Peggle World of Warcraft Edition
    PlayNC Launcher
    PowerDVD
    PunkBuster Services
    QuickTime
    Real Alternative 1.8.2
    Realtek High Definition Audio Driver
    RivaTuner v2.24
    Rockstar Games Social Club
    Starcraft
    Stargate Worlds
    Steam
    Synergy
    System Requirements Lab
    Tom Clancy's Rainbow Six Vegas 2
    Trine Demo (GamesPlanet)
    Unreal Tournament 3
    VC80CRTRedist - 8.0.50727.762
    Vegas Movie Studio Platinum 9.0
    Ventrilo Client
    Ventrilo Server
    VideoLAN VLC media player 0.8.6i
    Viewpoint Media Player
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    Warcraft III
    Warcraft III: All Products
    WebcamMax
    Winamp
    Windows Media Player Firefox Plugin
    WinPcap 4.0.2
    WinRAR archiver
    Wireshark 1.0.3
    World of Warcraft
    WowAceUpdater
    Wrath of the Lich King Beta
    x264vfw - H.264/MPEG-4 AVC codec (remove only)

    ==== Event Viewer Messages From Past Week ========

    7/16/2009 1:30:13 AM, Error: EventLog [6008] - The previous system shutdown at 1:26:59 AM on 7/16/2009 was unexpected.
    7/15/2009 12:41:08 PM, Error: EventLog [6008] - The previous system shutdown at 12:38:33 PM on 7/15/2009 was unexpected.
    7/15/2009 11:44:55 PM, Error: Service Control Manager [7034] - The avast! Antivirus service terminated unexpectedly. It has done this 1 time(s).
    7/15/2009 11:44:52 PM, Error: Service Control Manager [7034] - The avast! iAVS4 Control Service service terminated unexpectedly. It has done this 1 time(s).
    7/15/2009 1:49:57 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments " " in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
    7/15/2009 1:49:57 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments " " in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
    7/15/2009 1:49:57 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments " " in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
    7/15/2009 1:49:56 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments " " in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    7/15/2009 1:49:49 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments " " in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    7/15/2009 1:49:34 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD aswRdr aswSP aswTdi DfsC NetBIOS netbt nsiproxy PSched RasAcd rdbss Smb spldr tdx Wanarpv6
    7/15/2009 1:49:34 PM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    7/15/2009 1:49:34 PM, Error: Service Control Manager [7001] - The WebDav Client Redirector Driver service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
    7/15/2009 1:49:34 PM, Error: Service Control Manager [7001] - The WebClient service depends on the WebDav Client Redirector Driver service which failed to start because of the following error: The dependency service or group failed to start.
    7/15/2009 1:49:34 PM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
    7/15/2009 1:49:34 PM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    7/15/2009 1:49:34 PM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    7/15/2009 1:49:34 PM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service service which failed to start because of the following error: A device attached to the system is not functioning.
    7/15/2009 1:49:34 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    7/15/2009 1:49:34 PM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
    7/15/2009 1:49:34 PM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    7/15/2009 1:49:34 PM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    7/15/2009 1:49:34 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.

    ==== End Of File ===========================


    Malwarebytes:

    Malwarebytes' Anti-Malware 1.39
    Database version: 2434
    Windows 6.0.6001 Service Pack 1

    7/15/2009 2:38:48 PM
    mbam-log-2009-07-15 (14-38-48).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 306152
    Time elapsed: 46 minute(s), 45 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\install.exe (Trojan.Agent) -> Quarantined and deleted successfully.



    Avast:
    Can't find an actual log file for this, but from event viewer:
    7/15/2009 5:41:47 PM 1247694107 Randy 1796 Sign of "Win32:Alureon-CD [Rtk]" has been found in "C:\Users\Randy\AppData\Local\Temp\tvqirpipin.tmp" file.
    7/15/2009 6:26:13 PM 1247696773 Randy 1796 Sign of "Win32:Alureon-CD [Rtk]" has been found in "C:\Windows\System32\drivers\bqexxoebpckdxawd.sys" file.
    Avast said both were removed.


    HJT:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:22:45 AM, on 7/16/2009
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\BandwidthMeterPro\BWMeterPro.exe
    C:\Program Files\Digsby\lib\digsby-app.exe
    C:\Windows\system32\rundll32.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.alienware.com/Mothership...%&ai=636E3D34363834323326706F3D35383735373541
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.alienware.com/Mothership...%&ai=636E3D34363834323326706F3D35383735373541
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.alienware.com/mothership
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.alienware.com/mothership
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [Google Update] "C:\Users\Randy\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [BandwidthMeterPro] C:\Program Files\BandwidthMeterPro\BWMeterPro.exe
    O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - Startup: Digsby.lnk = C:\Program Files\Digsby\digsby.exe
    O13 - Gopher Prefix:
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\ashWebSv.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
    O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Windows\System32\nvSCPAPISvr.exe

    --
    End of file - 5005 bytes
     
    Last edited: 2009/07/16
    Sltk,
    #1
  2. 2009/07/16
    Sltk

    Sltk Inactive Thread Starter

    Joined:
    2009/07/16
    Messages:
    6
    Likes Received:
    0
    While watching a video on Hulu while waiting for a response here, my computer again locked up and became completely unresponsive. I spent about 14 hours in safe mode today without encountering this. I did a Google search on the new drivers and saw a couple of people say they experience freezing with them. I kind of doubt this was the problem, but just to eliminate the possibility I rolled back.

    I rolled back by removing Nvidia display drivers in add/remove programs, rebooted into safe mode, ran Driver Sweeper and cleaned Nvidia display drivers, rebooted into normal mode, installed the drivers I had been using for months without issue, and rebooted a final time.
     
    Last edited: 2009/07/16
    Sltk,
    #2

  4. 2009/07/16
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    This?
    O1 - Hosts: ::1 localhost
    If so, this is a legit "hosts" file entry, and it shouldn't be removed.
    HJT should be used only if you're sure of what you're doing. If you're not, you may end up with an un-bootable computer.
    You should use the HJT backup to restore that file.
    Open HJT, click the "Main menu" button.
    Click the "View the list of backups" button.
    Checkmark the latest backup box, and click the "Restore" button.

    Did the lockup happen before, or after?
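The check behind broni's reply, as an added example that is not part of the thread and not a HijackThis or ComboFix routine: instead of eyeballing the O1 lines and deleting whatever "looks funny", parse the hosts file, whitelist the two default loopback mappings (`127.0.0.1 localhost` and `::1 localhost`, the entry the poster removed), and report everything else with a verdict. A rogue-AV infection typically appends entries that point vendor or update sites at 127.0.0.1, so those are the lines worth removing. The sample hosts text and the vendor watchlist are constructed for this example; the watchlist is an assumption, not something taken from the logs above.

```python
import ipaddress

# Default Vista/7 hosts entries: IPv4 and IPv6 loopback -> localhost.
# The '::1 localhost' line asked about in the thread is one of these.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Hostname fragments malware commonly redirects to block updates and AV.
# Assumption: an illustrative list, not drawn from the thread.
WATCHLIST = ("windowsupdate", "microsoft.com", "avast", "lavasoft",
             "malwarebytes", "symantec", "mcafee", "kaspersky")


def classify(ip, name):
    """Verdict for one ip -> hostname mapping."""
    if (ip, name) in DEFAULT_ENTRIES:
        return "default"      # keep; removing it breaks loopback name resolution
    if any(tag in name for tag in WATCHLIST):
        return "hijack"       # security/update site redirected: classic rogue-AV trick
    if ipaddress.ip_address(ip).is_loopback:
        return "blocked"      # some other site sinkholed to loopback
    return "redirect"         # non-default mapping to a routable address


def triage_hosts(text):
    """Parse hosts-file text; return (line_no, ip, hostname, verdict) per mapping."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            # Not an address at all; report it rather than silently skip it.
            findings.append((line_no, ip, " ".join(names), "malformed"))
            continue
        for name in names:
            name = name.lower()
            findings.append((line_no, ip, name, classify(ip, name)))
    return findings


def removable(findings):
    """Only the non-default mappings are candidates for deletion."""
    return [f for f in findings if f[3] != "default"]


# Constructed sample, not the poster's hosts file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
# constructed sample for this example
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.avast.com            # AV vendor sinkholed
127.0.0.1       update.microsoft.com     # update site sinkholed
198.51.100.7    www.google.com           # TEST-NET-2 address, constructed
"""

if __name__ == "__main__":
    for finding in triage_hosts(SAMPLE_HOSTS):
        print("line %2d  %-15s %-25s %s" % finding)
```

Run it against `C:\Windows\System32\drivers\etc\hosts` (read the file, pass the text) and only the entries marked `hijack`, `blocked` or `redirect` go on the removal list; a file that yields nothing but `default` needs no HJT fix at all.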
     
  5. 2009/07/16
    Sltk

    Sltk Inactive Thread Starter

    Joined:
    2009/07/16
    Messages:
    6
    Likes Received:
    0
    When the malware first presented itself it blue screened me. I was in safe mode the whole time after that until I installed the new graphics drivers, and the lockups started after that. Since rolling back I haven't locked up, though, so I'm hopeful it's fixed. If you don't see anything bad in the logs, then that makes me even more hopeful!

    Thanks.
     
    Sltk,
    #4
  6. 2009/07/16
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    I just wanted that clarification, so we don't have to deal with two issues at the same time.

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with ComboFix.
     
  7. 2009/07/16
    Sltk

    Sltk Inactive Thread Starter

    Joined:
    2009/07/16
    Messages:
    6
    Likes Received:
    0
    ComboFix:

    ComboFix 09-07-14.08 - Randy 07/16/2009 21:39.1.2 - NTFSx86
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2814.2261 [GMT -4:00]
    Running from: c:\users\Randy\Desktop\ComboFix.exe
    AV: avast! antivirus 4.8.1296 [VPS 081212-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    SP: avast! antivirus 4.8.1296 [VPS 081212-0] *disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
    c:\$recycle.bin\S-1-5-21-2545094313-196571742-2974639644-500
    c:\$recycle.bin\S-1-5-21-3337911705-1415002928-1534695855-500
    c:\$recycle.bin\S-1-5-21-3459177451-3773100056-2640556482-500
    c:\program files\INSTALL.LOG
    c:\users\Randy\AppData\Local\Microsoft\Windows\Temporary Internet Files\ijjistarter_verinfo.dat
    c:\users\Randy\Randy.exe
    c:\windows\Installer\463a7.msi
    c:\windows\Installer\57d4d79.msi

    .
    ((((((((((((((((((((((((( Files Created from 2009-06-17 to 2009-07-17 )))))))))))))))))))))))))))))))
    .

    2009-07-17 01:43 . 2009-07-17 01:43 -------- d-----w- c:\users\Randy\AppData\Local\temp
    2009-07-16 07:35 . 2009-07-16 07:35 -------- d-----w- c:\windows\nvtmpinst
    2009-07-16 07:26 . 2009-07-16 07:26 -------- d-----w- c:\windows\A7E07C2B2220441587E3784D5814BC93.TMP
    2009-07-16 07:24 . 2009-07-16 07:30 -------- d-----w- c:\program files\Driver Sweeper
    2009-07-16 03:30 . 2009-07-16 03:31 -------- d-----w- c:\program files\SystemRequirementsLab
    2009-07-16 03:30 . 2009-07-16 03:30 -------- d-----w- c:\users\Randy\AppData\Roaming\SystemRequirementsLab
    2009-07-16 03:30 . 2009-07-16 03:30 290816 ----a-w- c:\users\Randy\AppData\Roaming\SystemRequirementsLab\SRLProxy_nvd_4.dll
    2009-07-16 03:30 . 2009-07-16 03:30 290816 ----a-w- c:\users\Randy\AppData\Roaming\SystemRequirementsLab\SRLProxy_nvd_3.dll
    2009-07-16 03:30 . 2009-07-16 03:30 290816 ----a-w- c:\users\Randy\AppData\Roaming\SystemRequirementsLab\SRLProxy_nvd_2.dll
    2009-07-16 03:30 . 2009-07-16 03:30 290816 ----a-w- c:\users\Randy\AppData\Roaming\SystemRequirementsLab\SRLProxy_nvd_1.dll
    2009-07-16 03:12 . 2008-10-22 01:22 2048 ----a-w- c:\windows\system32\tzres.dll
    2009-07-16 03:05 . 2008-06-20 01:14 97800 ----a-w- c:\windows\system32\infocardapi.dll
    2009-07-16 03:05 . 2008-06-20 01:14 43544 ----a-w- c:\windows\system32\PresentationHostProxy.dll
    2009-07-16 03:05 . 2008-06-20 01:14 105016 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
    2009-07-16 03:05 . 2008-06-20 01:14 11264 ----a-w- c:\windows\system32\icardres.dll
    2009-07-16 03:05 . 2008-06-20 01:14 622080 ----a-w- c:\windows\system32\icardagt.exe
    2009-07-16 03:05 . 2008-06-20 01:14 781344 ----a-w- c:\windows\system32\PresentationNative_v0300.dll
    2009-07-16 03:05 . 2008-06-20 01:14 326160 ----a-w- c:\windows\system32\PresentationHost.exe
    2009-07-16 03:01 . 2008-07-27 18:03 96760 ----a-w- c:\windows\system32\dfshim.dll
    2009-07-16 03:01 . 2008-07-27 18:03 282112 ----a-w- c:\windows\system32\mscoree.dll
    2009-07-16 03:01 . 2008-07-27 18:03 41984 ----a-w- c:\windows\system32\netfxperf.dll
    2009-07-16 03:01 . 2008-07-27 18:03 158720 ----a-w- c:\windows\system32\mscorier.dll
    2009-07-16 03:01 . 2008-07-27 18:03 83968 ----a-w- c:\windows\system32\mscories.dll
    2009-07-16 03:00 . 2009-05-09 05:34 71680 ----a-w- c:\windows\system32\iesetup.dll
    2009-07-16 03:00 . 2009-05-09 05:50 915456 ----a-w- c:\windows\system32\wininet.dll
    2009-07-16 02:56 . 2008-10-29 06:29 2927104 ----a-w- c:\windows\explorer.exe
    2009-07-16 02:53 . 2009-04-23 12:43 784896 ----a-w- c:\windows\system32\rpcrt4.dll
    2009-07-15 17:42 . 2009-07-15 17:42 -------- d-----w- c:\users\Randy\AppData\Roaming\Malwarebytes
    2009-07-15 17:42 . 2009-07-13 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-07-15 17:42 . 2009-07-15 17:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-07-15 17:42 . 2009-07-15 17:42 -------- d-----w- c:\programdata\Malwarebytes
    2009-07-15 17:42 . 2009-07-13 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-07-09 07:58 . 2009-07-09 07:58 -------- d-----w- c:\program files\PopCap Games
    2009-07-08 07:26 . 2009-07-08 07:26 -------- d--h--r- C:\MSOCache
    2009-07-04 08:42 . 2009-07-04 08:42 -------- d-----w- c:\program files\Nobilis
    2009-07-02 07:21 . 2009-07-02 07:21 67427 ----a-w- c:\windows\system32\x264vfw-uninstall.exe
    2009-07-02 07:11 . 2009-07-02 07:11 -------- d-----w- c:\users\Randy\AppData\Roaming\Publish Providers
    2009-07-02 07:11 . 2009-07-02 07:25 -------- d-----w- c:\users\Randy\AppData\Roaming\Sony
    2009-07-02 07:11 . 2009-07-02 07:11 -------- d-----w- c:\users\Randy\AppData\Local\Sony
    2009-07-02 07:00 . 2009-07-02 07:00 -------- d-----w- c:\program files\Vstplugins
    2009-07-02 07:00 . 2009-07-02 07:00 -------- d-----w- c:\programdata\Sony
    2009-07-02 07:00 . 2009-07-02 07:00 -------- d-----w- c:\program files\Sony
    2009-06-29 11:06 . 2008-12-04 05:25 120832 ----a-w- c:\users\Randy\AppData\Roaming\Mozilla\Firefox\Profiles\koolwerl.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\plugins\npietab.dll
    2009-06-22 11:54 . 2009-06-22 11:54 -------- d-----w- c:\users\Randy\AppData\Local\PunkBuster

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-07-16 07:38 . 2008-07-28 18:42 -------- d-----w- c:\programdata\NVIDIA
    2009-07-16 07:36 . 2008-03-06 17:37 12 ----a-w- c:\windows\bthservsdp.dat
    2009-07-16 07:26 . 2008-08-02 02:00 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2009-07-16 03:35 . 2008-08-05 03:29 -------- d-----w- c:\program files\AGEIA Technologies
    2009-07-15 16:37 . 2008-08-02 02:53 -------- d-----w- c:\users\Randy\AppData\Roaming\uTorrent
    2009-07-09 07:58 . 2008-10-29 20:02 -------- d-----w- c:\programdata\PopCap Games
    2009-07-08 07:00 . 2009-01-08 23:07 1 ----a-w- c:\users\Randy\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
    2009-07-07 21:24 . 2008-10-16 07:59 -------- d-----w- c:\program files\Avast4
    2009-07-07 21:12 . 2008-08-22 18:45 -------- d-----w- c:\users\Randy\AppData\Roaming\mIRC
    2009-07-05 17:53 . 2008-08-02 03:23 -------- d-----w- c:\program files\Digsby
    2009-07-02 18:20 . 2008-09-29 16:29 -------- d-----w- c:\users\Randy\AppData\Roaming\gtk-2.0
    2009-06-22 12:11 . 2008-08-05 04:24 137888 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
    2009-06-22 12:11 . 2008-08-05 04:23 189288 ----a-w- c:\windows\system32\PnkBstrB.exe
    2009-06-22 12:11 . 2008-08-02 03:35 -------- d-----w- c:\program files\Steam
    2009-06-22 11:54 . 2008-08-05 04:23 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
    2009-06-22 10:27 . 2008-08-02 03:35 -------- d-----w- c:\program files\Common Files\Steam
    2009-06-15 15:24 . 2009-07-16 02:55 156672 ----a-w- c:\windows\system32\t2embed.dll
    2009-06-15 15:20 . 2009-07-16 02:55 72704 ----a-w- c:\windows\system32\fontsub.dll
    2009-06-15 15:20 . 2009-07-16 02:55 10240 ----a-w- c:\windows\system32\dciman32.dll
    2009-06-15 12:52 . 2009-07-16 02:55 289792 ----a-w- c:\windows\system32\atmfd.dll
    2009-06-15 06:46 . 2009-06-15 06:46 15688 ----a-w- c:\programdata\Lavasoft\Ad-Aware\update\lsdelete.exe
    2009-06-15 06:46 . 2009-03-05 18:19 15688 ----a-w- c:\windows\system32\lsdelete.exe
    2009-06-10 16:01 . 2008-08-22 18:45 -------- d-----w- c:\program files\mIRC
    2009-06-10 12:35 . 2009-06-10 12:35 1194528 ----a-w- c:\windows\system32\nvcplui.exe
    2009-06-10 12:34 . 2009-06-10 12:34 143360 ----a-w- c:\windows\system32\nvshext.dll
    2009-06-10 10:33 . 2009-06-10 10:33 244736 ----a-w- c:\windows\system32\nvStInst.exe
    2009-06-10 10:33 . 2009-06-10 10:33 467968 ----a-w- c:\windows\system32\nvstlink.exe
    2009-06-10 10:33 . 2009-06-10 10:33 3953152 ----a-w- c:\windows\system32\nvstwiz.exe
    2009-06-10 10:33 . 2009-06-10 10:33 141824 ----a-w- c:\windows\system32\nvStereoApiI.dll
    2009-06-10 10:33 . 2009-06-10 10:33 171520 ----a-w- c:\windows\system32\nvStereoApiI64.dll
    2009-06-10 10:33 . 2009-06-10 10:33 232960 ----a-w- c:\windows\system32\nvSCPAPISvr.exe
    2009-06-10 10:32 . 2009-06-10 10:32 257536 ----a-w- c:\windows\system32\nvSCPAPI.dll
    2009-06-10 10:32 . 2009-06-10 10:32 301568 ----a-w- c:\windows\system32\nvSCPAPI64.dll
    2009-06-10 10:32 . 2009-06-10 10:32 3293184 ----a-w- c:\windows\system32\nvstres.dll
    2009-06-10 10:32 . 2009-06-10 10:32 5847 ----a-w- c:\windows\system32\oglstreg.reg
    2009-06-10 10:31 . 2009-06-10 10:31 167424 ----a-w- c:\windows\system32\nvstreg.exe
    2009-06-10 10:31 . 2009-06-10 10:31 1718272 ----a-w- c:\windows\system32\nvsttest.exe
    2009-06-10 10:31 . 2009-06-10 10:31 1034752 ----a-w- c:\windows\system32\nvstview.exe
    2009-06-10 10:31 . 2009-06-10 10:31 89088 ----a-w- c:\windows\system32\nvimage.dll
    2009-06-10 10:29 . 2009-06-10 10:29 1656 ----a-w- c:\windows\system32\nvstdef.reg
    2009-06-10 10:03 . 2009-06-10 10:03 678432 ----a-w- c:\windows\system32\nvcuvid.dll
    2009-06-10 10:03 . 2009-06-10 10:03 4224 ----a-w- c:\windows\system32\drivers\nvBridge.kmd
    2009-06-10 10:03 . 2009-06-10 10:03 151552 ----a-w- c:\windows\system32\nvcod155.dll
    2009-06-10 10:03 . 2009-06-10 10:03 1317408 ----a-w- c:\windows\system32\nvcuvenc.dll
    2009-06-06 06:59 . 2009-06-06 06:59 120088 ----a-w- c:\users\Randy\AppData\Roaming\Mozilla\Plugins\npoctoshape.dll
    2009-06-06 06:59 . 2009-06-06 06:59 -------- d-----w- c:\users\Randy\AppData\Roaming\Octoshape
    2009-06-05 13:07 . 2009-06-05 13:06 -------- d-----w- c:\program files\RivaTuner v2.24
    2009-06-04 20:39 . 2008-07-28 18:39 457248 ----a-w- c:\windows\system32\NVUNINST.EXE
    2009-06-04 12:41 . 2008-08-07 20:03 -------- d-----w- c:\program files\DivX
    2009-06-04 12:41 . 2009-04-06 10:04 -------- d-----w- c:\program files\Common Files\DivX Shared
    2009-06-04 10:03 . 2009-06-06 06:59 396288 ----a-w- c:\users\Randy\AppData\Roaming\Octoshape\Octoshape Streaming Services\sua-0906040-0-libOctoshapeClient.dll
    2009-06-04 10:03 . 2009-06-06 06:59 124184 ----a-w- c:\users\Randy\AppData\Roaming\Octoshape\Octoshape Streaming Services\sua-0906040-0-apoctoshape.dll
    2009-06-04 10:03 . 2009-06-06 06:59 120088 ----a-w- c:\users\Randy\AppData\Roaming\Octoshape\Octoshape Streaming Services\sua-0906040-0-npoctoshape.dll
    2009-05-28 12:20 . 2009-06-06 06:59 655872 ----a-w- c:\users\Randy\AppData\Roaming\Octoshape\Octoshape Streaming Services\pmv304-0905281-0-libOctoshapeClient.dll
    2009-05-26 07:17 . 2009-05-26 07:19 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2009-05-26 07:17 . 2009-05-26 07:17 64160 ----a-w- c:\programdata\Lavasoft\Ad-Aware\update\Drivers\32\lbd.sys
    2009-05-02 14:17 . 2008-12-13 23:01 98604 ---ha-w- c:\windows\system32\mlfcache.dat
    2009-05-01 21:02 . 2009-05-01 21:02 823296 ----a-w- c:\windows\system32\divx_xx0c.dll
    2009-05-01 21:02 . 2009-05-01 21:02 823296 ----a-w- c:\windows\system32\divx_xx07.dll
    2009-05-01 21:02 . 2009-05-01 21:02 815104 ----a-w- c:\windows\system32\divx_xx0a.dll
    2009-05-01 21:02 . 2009-05-01 21:02 811008 ----a-w- c:\windows\system32\divx_xx16.dll
    2009-05-01 21:02 . 2009-05-01 21:02 802816 ----a-w- c:\windows\system32\divx_xx11.dll
    2009-05-01 21:02 . 2009-05-01 21:02 685056 ----a-w- c:\windows\system32\DivX.dll
    2009-04-30 12:37 . 2009-07-16 02:56 293376 ----a-w- c:\windows\system32\psisdecd.dll
    2009-04-30 12:37 . 2009-07-16 02:56 428544 ----a-w- c:\windows\system32\EncDec.dll
    2009-04-28 13:55 . 2009-04-28 13:55 70936 ----a-w- c:\windows\system32\PhysXLoader.dll
    2009-04-23 12:42 . 2009-07-16 02:55 636928 ----a-w- c:\windows\system32\localspl.dll
    2009-04-21 11:55 . 2009-07-16 02:56 2033152 ----a-w- c:\windows\system32\win32k.sys
    2006-03-20 19:37 . 2006-03-20 19:37 5689344 ----a-w- c:\program files\mplayerc.exe
    2009-06-13 03:07 . 2008-08-02 02:00 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
    2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
    2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Google Update"="c:\users\Randy\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-09-02 133104]
    "BandwidthMeterPro"="c:\program files\BandwidthMeterPro\BWMeterPro.exe" [2008-08-16 236032]
    "NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
    "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]
    "LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-06 54832]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-03 136600]
    "avast!"="c:\progra~1\Avast4\ashDisp.exe" [2009-02-05 81000]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13584928]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 92704]
    "RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-10-31 4702208]

    c:\users\Randy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Digsby.lnk - c:\program files\Digsby\digsby.exe [2008-9-8 137728]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2545094313-196571742-2974639644-1000]
    "EnableNotificationsRef"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
    "c:\\Program Files\\NCsoft\\Exteel\\System\\Exteel.exe"= c:\program files\NCsoft\Exteel\System\Exteel.exe:*:Enabled:Exteel

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
    "TCP Query User{AA2339C1-F857-4183-82BB-8EBD5D953B5D}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:uTorrent
    "UDP Query User{6F37A68B-C3E0-49B9-960E-F96F22B6008A}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:uTorrent
    "TCP Query User{C68A5F9D-C0C0-4886-9AA5-9BD6B9256588}c:\\program files\\steam\\steamapps\\souliosis@excite.com\\team fortress 2\\hl2.exe"= UDP:c:\program files\steam\steamapps\souliosis@excite.com\team fortress 2\hl2.exe:hl2
    "UDP Query User{9941CBD4-EF02-4F14-986F-B5266033AA09}c:\\program files\\steam\\steamapps\\souliosis@excite.com\\team fortress 2\\hl2.exe"= TCP:c:\program files\steam\steamapps\souliosis@excite.com\team fortress 2\hl2.exe:hl2
    "TCP Query User{1C7A02DC-CEA3-4C8A-83B9-9D0419BE65B2}c:\\program files\\steam\\steamapps\\souliosis@excite.com\\counter-strike\\hl.exe"= UDP:c:\program files\steam\steamapps\souliosis@excite.com\counter-strike\hl.exe:Half-Life Launcher
    "UDP Query User{CBE21774-3C8C-40F8-9CBF-15E19FD551DC}c:\\program files\\steam\\steamapps\\souliosis@excite.com\\counter-strike\\hl.exe"= TCP:c:\program files\steam\steamapps\souliosis@excite.com\counter-strike\hl.exe:Half-Life Launcher
    "TCP Query User{49606161-0394-471A-BF37-EAF71D055052}c:\\warcraft iii\\war3.exe"= UDP:c:\warcraft iii\war3.exe:Warcraft III
    "UDP Query User{A62BA279-5724-458C-817A-D88B947B4106}c:\\warcraft iii\\war3.exe"= TCP:c:\warcraft iii\war3.exe:Warcraft III
    "TCP Query User{07CFE90C-1523-4F21-8366-B7C245008C30}c:\\program files\\digsby\\digsby.exe"= UDP:c:\program files\digsby\digsby.exe:Digsby IM
    "UDP Query User{C31BBCE6-E2E5-46DD-A7F5-9594ED7E49BE}c:\\program files\\digsby\\digsby.exe"= TCP:c:\program files\digsby\digsby.exe:Digsby IM
    "TCP Query User{4324DA5B-F957-443E-A92B-08676131BA13}c:\\windows\\system32\\javaw.exe"= UDP:c:\windows\system32\javaw.exe:Java(TM) Platform SE binary
    "UDP Query User{059ED29F-89C7-449E-8634-80F7FB26CDF3}c:\\windows\\system32\\javaw.exe"= TCP:c:\windows\system32\javaw.exe:Java(TM) Platform SE binary
    "{2D3344D1-D46E-41C6-AC2C-9F1C8CDC6762}"= UDP:c:\sins of a solar empire\Sins of a Solar Empire.exe:Sins of a Solar Empire
    "{059B3FF9-BE59-463A-BEA7-5408AF041035}"= TCP:c:\sins of a solar empire\Sins of a Solar Empire.exe:Sins of a Solar Empire
    "{B9FF3459-BEA1-41A9-AAD9-BA179A08DC19}"= UDP:c:\unreal tournament 3\Binaries\UT3.exe:Unreal Tournament 3
    "{C0E2022F-B68E-4189-95F9-9787CF3DCF21}"= TCP:c:\unreal tournament 3\Binaries\UT3.exe:Unreal Tournament 3
    "{47A858DD-08B0-4F76-B38A-BBEE4966D385}"= UDP:c:\program files\Electronic Arts\Crytek\Crysis\Bin32\Crysis.exe:Crysis_32
    "{0084A761-5848-46C7-BED1-288B3DDDA916}"= TCP:c:\program files\Electronic Arts\Crytek\Crysis\Bin32\Crysis.exe:Crysis_32
    "{FD0F2738-5805-4994-932B-E8FAF49EBC48}"= UDP:c:\program files\Electronic Arts\Crytek\Crysis\Bin32\CrysisDedicatedServer.exe:CrysisDedicatedServer_32
    "{BE75336F-A600-477C-B8AF-3D8C86A612A2}"= TCP:c:\program files\Electronic Arts\Crytek\Crysis\Bin32\CrysisDedicatedServer.exe:CrysisDedicatedServer_32
    "{0186F8BB-73F1-4022-9520-4E3809017C9B}"= UDP:c:\windows\System32\PnkBstrA.exe:pnkBstrA
    "{E18461D1-4E0D-4EDB-96D6-B53EE0FEC27E}"= TCP:c:\windows\System32\PnkBstrA.exe:pnkBstrA
    "{0A7B8EF8-8C29-4C93-B2DD-B1C6C0458A54}"= UDP:c:\windows\System32\PnkBstrB.exe:pnkBstrB
    "{F07E7477-12B6-474C-89B0-20E331898306}"= TCP:c:\windows\System32\PnkBstrB.exe:pnkBstrB
    "{5C5EA9D6-341E-4A13-A388-C8435E5742D2}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent
    "{43D77A6E-62F3-4BC6-A94B-F95F3389197C}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent
    "{8EC9CB8B-B27D-4E92-9BD9-3BCA4C84BD6D}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
    "{6A6FE8DF-AC4A-4388-9777-3C2B25CB234A}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
    "{13C710AD-EEDE-489E-A49C-098379F76C98}"= UDP:c:\program files\FEARCombat\FEARMP.exe:FEAR Combat
    "{80D9CCD0-2BE5-42C7-9A1B-F97E0EF41EDE}"= TCP:c:\program files\FEARCombat\FEARMP.exe:FEAR Combat
    "{AB7F8E26-6F6C-430A-9F6F-A7C7C38C4834}"= UDP:c:\windows\System32\PnkBstrA.exe:pnkBstrA
    "{E7F00AB8-EDFD-49A6-80E3-45D2EBE2522C}"= TCP:c:\windows\System32\PnkBstrA.exe:pnkBstrA
    "{E67B67DD-DD30-4DC4-AEA0-F7FD2C00C994}"= UDP:c:\windows\System32\PnkBstrB.exe:pnkBstrB
    "{0EA1C417-FB5F-4065-AAB9-15466A44F365}"= TCP:c:\windows\System32\PnkBstrB.exe:pnkBstrB
    "{CEF7944B-B36B-4066-9BF1-6AEAB7B917D5}"= UDP:c:\program files\Ubisoft\Tom Clancy's Rainbow Six Vegas 2\Binaries\R6Vegas2_Game.exe:Tom Clancy's Rainbow Six Vegas 2
    "{6700B00A-DF30-4A89-B3C3-626912658FA1}"= TCP:c:\program files\Ubisoft\Tom Clancy's Rainbow Six Vegas 2\Binaries\R6Vegas2_Game.exe:Tom Clancy's Rainbow Six Vegas 2
    "{0A3141DF-F641-4794-BA98-BD006E4F4FBD}"= UDP:c:\program files\Ubisoft\Tom Clancy's Rainbow Six Vegas 2\Binaries\R6Vegas2_Launcher.exe:Tom Clancy's Rainbow Six Vegas 2 Update
    "{E777E826-81A5-4B51-8DDF-55F34E6EE6B7}"= TCP:c:\program files\Ubisoft\Tom Clancy's Rainbow Six Vegas 2\Binaries\R6Vegas2_Launcher.exe:Tom Clancy's Rainbow Six Vegas 2 Update
    "{DCD19070-A014-4B1A-954C-E66153F7686D}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
    "{5D4294EA-3174-45CD-831A-1AC7B69827CE}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
    "{E466B62C-4FD6-411D-92D1-B7CE44E44712}"= UDP:c:\program files\AIM6\aim6.exe:AIM
    "{501E301B-B6B3-4CBF-9AF0-3CE3AE05632D}"= TCP:c:\program files\AIM6\aim6.exe:AIM
    "{985315FF-E2B2-4CC4-A2C3-D016DB118B38}"= UDP:c:\program files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe:Rockstar Games Social Club
    "{256CA618-1D1A-49E1-8917-81C9221D6DB2}"= TCP:c:\program files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe:Rockstar Games Social Club
    "{F4BBD55B-76CE-4A84-A885-62408141A74C}"= UDP:c:\program files\Rockstar Games\Grand Theft Auto IV\LaunchGTAIV.exe:Grand Theft Auto IV
    "{1640B81C-C3A8-4A72-9064-B6109F220C6F}"= TCP:c:\program files\Rockstar Games\Grand Theft Auto IV\LaunchGTAIV.exe:Grand Theft Auto IV
    "{05E0430F-3156-4FF3-ABBF-2A7C0597B406}"= UDP:c:\program files\DNA\btdna.exe:DNA
    "{E837D13C-3529-4074-9D61-B9BCE1D49D9B}"= TCP:c:\program files\DNA\btdna.exe:DNA
    "{9A6495F0-D346-41E0-A7D5-99BA7AA6402B}"= UDP:c:\program files\Steam\steamapps\common\peggle extreme\PeggleExtreme.exe:peggle Extreme
    "{6E4CE8F8-40D8-4314-ADC7-9E41E03CF23D}"= TCP:c:\program files\Steam\steamapps\common\peggle extreme\PeggleExtreme.exe:peggle Extreme
    "{4FCEBFE7-BAA3-4E68-A1B0-B82E2FB35231}"= UDP:c:\program files\Steam\steamapps\common\left 4 dead\left4dead.exe:Left 4 Dead
    "{638D7F26-0DC4-4FE1-A8CF-FD56A54A80F5}"= TCP:c:\program files\Steam\steamapps\common\left 4 dead\left4dead.exe:Left 4 Dead
    "TCP Query User{5177EF9E-A7ED-4FDF-8259-E0F62C45C648}c:\\program files\\mirc\\mirc.exe"= UDP:c:\program files\mirc\mirc.exe:mIRC
    "UDP Query User{F6FBA889-3B6B-4569-91E8-D17BD03C2F4D}c:\\program files\\mirc\\mirc.exe"= TCP:c:\program files\mirc\mirc.exe:mIRC
    "{2A0E5867-A3E6-450B-A8A1-7C7C9C094542}"= UDP:c:\users\Randy\AppData\LocalLow\Dyyno Receiver\DPPM.exe:Dyyno Plugin Receiver
    "{6B0193D6-6652-44D5-BAFF-E4F7006B6CA1}"= TCP:c:\users\Randy\AppData\LocalLow\Dyyno Receiver\DPPM.exe:Dyyno Plugin Receiver

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
    "DisableNotifications"= 1 (0x1)
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
    "c:\\Program Files\\NCsoft\\Exteel\\System\\Exteel.exe"= c:\program files\NCsoft\Exteel\System\Exteel.exe:*:Enabled:Exteel

    R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [5/26/2009 3:19 AM 64160]
    R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [10/16/2008 4:00 AM 114768]
    R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [10/16/2008 4:00 AM 20560]
    R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [10/16/2008 3:59 AM 51792]
    R2 CAMTHWDM;WebcamMax, WDM Video Capture;c:\windows\System32\drivers\CAMTHWDM.sys [9/17/2008 6:19 PM 941784]
    S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 5:34 PM 1029456]
    S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\windows\System32\nvSCPAPISvr.exe [6/10/2009 6:33 AM 232960]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [10/10/2007 3:31 PM 179712]
    S3 NPF;NetGroup Packet Filter Driver;c:\windows\System32\drivers\npf.sys [11/6/2007 4:22 PM 34064]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - PROCEXP111

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bthsvcs REG_MULTI_SZ BthServ

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
    "c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
    .
    Contents of the 'Scheduled Tasks' folder

    2009-07-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2545094313-196571742-2974639644-1000Core.job
    - c:\users\Randy\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-02 22:56]

    2009-07-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2545094313-196571742-2974639644-1000UA.job
    - c:\users\Randy\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-02 22:56]

    2009-07-16 c:\windows\Tasks\User_Feed_Synchronization-{905A6184-4DE0-4B3C-970B-41BBFCADA0BA}.job
    - c:\windows\system32\msfeedssync.exe [2009-07-16 11:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.alienware.com/Mothership?Comp=%ALIENFACTORY_Company%&SysCode=%ALIENFACTORY_SystemCode%&ai=636E3D34363834323326706F3D35383735373541
    mStart Page = hxxp://www.alienware.com/mothership
    FF - ProfilePath - c:\users\Randy\AppData\Roaming\Mozilla\Firefox\Profiles\koolwerl.default\
    FF - prefs.js: browser.startup.homepage - www.slashdot.org
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
    FF - plugin: c:\users\Randy\AppData\Local\Google\Update\1.2.183.7\npGoogleOneClick8.dll
    FF - plugin: c:\users\Randy\AppData\Roaming\Mozilla\Firefox\Profiles\koolwerl.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll
    FF - plugin: c:\users\Randy\AppData\Roaming\Mozilla\Firefox\Profiles\koolwerl.default\extensions\NPDyyno@dyyno.com\plugins\npDyyno.dll
    FF - plugin: c:\users\Randy\AppData\Roaming\Mozilla\plugins\npoctoshape.dll
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-07-16 21:43
    Windows 6.0.6001 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-2545094313-196571742-2974639644-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*n*e*t*@*POä…_l¨h±â€švzui£â€“¹p\OpenWithList]
    @Class= "Shell "

    [HKEY_USERS\S-1-5-21-2545094313-196571742-2974639644-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    "?? "=hex:4d,7a,2e,54,53,8a,e8,e5,0c,1e,65,91,2b,f8,3a,9f,a0,c3,13,48,18,3c,a6,
    eb,f8,59,bf,3c,46,ba,b8,cc,d6,72,3a,13,21,c0,a4,64,27,e8,94,c4,c4,08,43,07,\
    "?? "=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

    [HKEY_USERS\S-1-5-21-2545094313-196571742-2974639644-1000\Software\SecuROM\License information*]
    "datasecu "=hex:21,fc,90,25,ab,9a,9e,78,26,51,a6,15,ab,61,5b,2c,b9,ef,65,15,2a,
    87,46,d8,3f,df,b5,95,a1,8d,f6,9c,87,a6,c4,b4,35,b4,40,be,f3,b6,5f,ee,23,1a,\
    "rkeysecu "=hex:93,e1,1d,26,43,f2,c3,e7,29,07,6d,66,6c,3a,22,a6
    .
    Completion time: 2009-07-17 21:45
    ComboFix-quarantined-files.txt 2009-07-17 01:45

    Pre-Run: 418,531,119,104 bytes free
    Post-Run: 420,998,291,456 bytes free

    308 --- E O F --- 2009-07-16 03:16




    HJT threw an error:
    Please help us improve HijackThis by reporting this error

    Click 'Yes' to submit

    Error Details:

    An unexpected error has occurred at procedure: modRegistry_IniGetString(sFile=system.ini, sSection=boot, sValue=Shell)
    Error #5 - Invalid procedure call or argument

    Windows version: Windows NT 6.00.1905
    MSIE version: 8.0.6001.18783
    HijackThis version: 2.0.2


    HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:47:22 PM, on 7/16/2009
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\notepad.exe
    C:\Windows\Explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32Info.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.alienware.com/Mothership...%&ai=636E3D34363834323326706F3D35383735373541
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.alienware.com/mothership
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKCU\..\Run: [Google Update] "C:\Users\Randy\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [BandwidthMeterPro] C:\Program Files\BandwidthMeterPro\BWMeterPro.exe
    O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
    O4 - Startup: Digsby.lnk = C:\Program Files\Digsby\digsby.exe
    O13 - Gopher Prefix:
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\ashWebSv.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
    O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Windows\System32\nvSCPAPISvr.exe

    --
    End of file - 4431 bytes
     
    Sltk,
    #6
  8. 2009/07/16
    Sltk

    Sltk Inactive Thread Starter

    Joined:
    2009/07/16
    Messages:
    6
    Likes Received:
    0
    Waiting for a mod to approve the post with the log files. Just thought I'd include this info in case it's relevant: after running ComboFix, Internet Explorer was set to my default browser (usually it's Firefox), and an IE icon showed up on my desktop (not even a shortcut). Just trying to include all info. I did install the latest IE with the Windows Updates, but this stuff didn't happen until after ComboFix ran.
     
    Sltk,
    #7
  9. 2009/07/16
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    First of all, open Windows Explorer, navigate to:
    C:\Windows\System32\drivers\etc
    You'll see hosts file (no extension).
    Open the file in Notepad, and make sure it looks like this:

    Two last lines (in bold) are important. If there is anything missing, add necessary text, then go File>Save

    ====================================================================

    In Vista, right click on HijackThis, and click Run as Administrator

    =================================================================

    Combofix looks fine.
    Uninstall Combofix:
    Go Start > Run
    Type in:
    combofix /u
    Note the space between the "combofix" and the "/u"
    Restart computer.

    ==============================================================

    Please download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.
    • Open JavaRa.exe again and select Search For Updates.
    • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    ================================================================

    HJT log looks clean.
    I propose you disable some unnecessary startups (no actual programs will be removed).
    Open HJT, and checkmark:
    - O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    - O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    - O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
    - O4 - HKCU\..\Run: [Google Update] "C:\Users\Randy\AppData\Local\Google\Update\GoogleUpdate.exe" /c

    Click "Fix checked" button.

    Restart computer.

    Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.

    You should be good to go :)
     
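    An added example, not part of broni's post or any tool named in the thread: a PowerShell script that audits the hosts file the way the post describes. It assumes the default Vista path under %SystemRoot% and that the two expected lines are the defaults `127.0.0.1 localhost` and `::1 localhost`; every other active mapping is listed for review rather than trusted.

```powershell
# Added example (not from the thread): check the hosts file for the two standard
# loopback lines and report any other active mapping for manual review.
# Assumption: default Vista location and default localhost lines.
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$ExpectedLocalhost = @('127.0.0.1', '::1')

function Get-HostsEntries {
    param([string]$Path)
    Get-Content -Path $Path -ErrorAction Stop | ForEach-Object {
        # Strip comments ('#' to end of line) and surrounding whitespace.
        $line = ($_ -split '#', 2)[0].Trim()
        if ($line -eq '') { return }
        $fields = $line -split '\s+'
        if ($fields.Count -lt 2) { return }   # address with no hostname
        # One object per hostname; a line may map several names to one address.
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            [pscustomobject]@{ Address = $fields[0]; Name = $name }
        }
    }
}

$entries = @(Get-HostsEntries -Path $HostsPath)

# Which of the two expected localhost lines are absent?
$missing = foreach ($addr in $ExpectedLocalhost) {
    $present = $entries | Where-Object { $_.Address -eq $addr -and $_.Name -eq 'localhost' }
    if (-not $present) { "$addr`tlocalhost" }
}

# Anything that is not a localhost mapping deserves a look: hosts-file
# redirects are a common way malware blocks update or AV vendor sites.
$extra = $entries | Where-Object { $_.Name -ne 'localhost' }

if ($missing) {
    Write-Output 'Missing standard lines (add these, then File > Save):'
    $missing | ForEach-Object { Write-Output "  $_" }
}
if ($extra) {
    Write-Output 'Entries beyond localhost (confirm each one is intentional):'
    $extra | ForEach-Object { Write-Output ("  {0}`t{1}" -f $_.Address, $_.Name) }
}
if (-not $missing -and -not $extra) {
    Write-Output 'hosts file matches the default.'
}
```

    Run it from an elevated PowerShell prompt, since the file lives under System32; an empty report means only the two expected lines are active.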
  10. 2009/07/17
    Sltk

    Sltk Inactive Thread Starter

    Joined:
    2009/07/16
    Messages:
    6
    Likes Received:
    0
    Cool, everything went without a hitch there. Thanks for your help!
     
    Sltk,
    #9
  11. 2009/07/17
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    You're very welcome :)
     
