
Active Horrible rootkit virus problems

Discussion in 'Malware and Virus Removal Archive' started by Vladdy, 2010/03/06.

  1. 2010/03/06
    Vladdy

    Vladdy Inactive Thread Starter

    Joined:
    2009/03/03
    Messages:
    18
    Likes Received:
    0
    [Active] Horrible rootkit virus problems

    Hi, I'm running Windows XP Home and have spent the last two nights battling the worst virus I've ever encountered.

    Here are all the symptoms and everything I've tried so far!

    The other night Avira announced out of the blue that I had some trojans, so I ran Malwarebytes and it detected a bunch of rootkit nasties + more. I cleaned them out and rebooted, but the computer ran very slowly, still had obvious problems, and could not run Malwarebytes again.

    My alarm bells started to ring when I began to get stop error screens, "DRIVER_IRQL_NOT_LESS_OR_EQUAL," when trying to run virus scans or open a combination of programs. Freezes, crashes, etc.

    I ran ComboFix in safe mode, but it didn't seem to repair anything.

    I tried a system restore but it didn't help. Things still ran very slowly, and Firefox and IE were now totally disabled: double-clicking them from the desktop does nothing, no windows open. My connection is OK because I'm able to access email from Outlook Express just fine.

    I can't find anything out of the ordinary running in my Task Manager, and nothing that doesn't seem to belong in my msconfig startups.

    But I am finding a string of entries called "services" in my Windows Firewall list of exceptions that I'm almost certain don't belong there. Every time I uncheck and delete these entries, they return on reboot.

    In safe mode, MBAM and SUPERAntiSpyware scan totally clean. I downloaded and ran "UnHackMe," which said it located and removed a rootkit on startup. But I am still having the same problems.

    According to the blue error screens that occasionally pop up, the driver causing problems was NDSIS.SYS. So I replaced the windows32 version with the one in my service pack files. After rebooting, this does not seem to make any difference.

    I ran ComboFix again, which detected an MBR rootkit. I ran "MBR.exe -f" as instructed, but it did not appear to solve anything after rebooting. Afterwards, while running GMER, the computer abruptly reset itself.

    So where it stands now, I have random crashes and restarts, the computer runs slowly with the hard drive light often running when I'm not doing anything, Firefox and IE will not open, and I still have questionable things reappearing in my firewall lists.

    Please help me if you can think of anything?? I'm sort of at my wit's end now :(
     
  2. 2010/03/06
    wildfire

    wildfire Getting Old

    Joined:
    2008/04/21
    Messages:
    4,649
    Likes Received:
    124
    Hi Vladdy,

    As indicated at the start of this forum, please *** READ THIS BEFORE POSTING IN THIS FORUM *** then post the requested logs in this thread.

    NOTES:
    When posting the logs, ensure word wrap is switched off (in Notepad, uncheck Format -> Word Wrap), as it makes them difficult to read.

    Be aware that only Malware analysts will advise and they are often busy. Your post will be taken on a first come first served basis but it may take a while before you receive a reply.

    You may have to download DDS on another system and transfer it across to your ailing computer, and vice versa, move the logs to a good system to post them.
     


  4. 2010/03/06
    Vladdy

    Vladdy Inactive Thread Starter

    Joined:
    2009/03/03
    Messages:
    18
    Likes Received:
    0
    Thanks, I'll do this! Can DDS run in safe mode?
     
  5. 2010/03/06
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please provide the ComboFix log.
     
  6. 2010/03/06
    Vladdy

    Vladdy Inactive Thread Starter

    Joined:
    2009/03/03
    Messages:
    18
    Likes Received:
    0
    OK, here are the results of the DDS scan. ComboFix is also now running on the infected computer in safe mode, and I'll post those results next:

    DDS (Ver_09-12-01.01)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 6/4/2006 11:03:49 PM
    System Uptime: 3/6/2010 2:03:30 PM (0 hours ago)

    Motherboard: ASUSTeK Computer INC. | | 'P4SD-LA'
    Processor: Intel(R) Pentium(R) 4 CPU 3.20GHz | CPU 1 | 3200/200mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 181 GiB total, 2.16 GiB free.
    E: is CDROM ()
    F: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: Microsoft IR Transceiver
    Device ID: USB\VID_045E&PID_006D\MS116FY6
    Manufacturer:
    Name: Microsoft IR Transceiver
    PNP Device ID: USB\VID_045E&PID_006D\MS116FY6
    Service:

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: Multimedia Video Controller
    Device ID: PCI\VEN_14F1&DEV_8800&SUBSYS_48231043&REV_05\4&2E98101C&0&50F0
    Manufacturer:
    Name: Multimedia Video Controller
    PNP Device ID: PCI\VEN_14F1&DEV_8800&SUBSYS_48231043&REV_05\4&2E98101C&0&50F0
    Service:

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: Multimedia Controller
    Device ID: PCI\VEN_14F1&DEV_8802&SUBSYS_48231043&REV_05\4&2E98101C&0&52F0
    Manufacturer:
    Name: Multimedia Controller
    PNP Device ID: PCI\VEN_14F1&DEV_8802&SUBSYS_48231043&REV_05\4&2E98101C&0&52F0
    Service:

    ==== System Restore Points ===================

    RP152: 3/5/2010 11:08:18 PM - RegRun Virus Scan
    RP153: 3/5/2010 11:17:07 PM - RegRun Virus Scan
    RP154: 3/5/2010 11:45:30 PM - RegRun Virus Scan
    RP155: 3/6/2010 12:23:07 AM - RegRun Virus Scan
    RP156: 3/6/2010 1:03:28 AM - Avira AntiVir Personal - 3/6/2010 1:02

    ==== Installed Programs ======================

    AC3Filter (remove only)
    Ad-Aware
    Adobe Flash Player 10 ActiveX
    Adobe Illustrator CS
    Adobe Reader 7.0.9
    Adobe SVG Viewer 3.0
    ADS Instant DVD Master Installer V2.x
    ADSTech V2.x InstantDVD CapWiz
    AIM 6
    AOL Uninstaller (Choose which Products to Remove)
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Audacity 1.2.6
    AutoUpdate
    Bonjour
    CCleaner (remove only)
    CDBurnerXP
    Creative MediaSource 5
    Creative Software AutoUpdate
    Creative System Information
    Critical Update for Windows Media Player 11 (KB959772)
    Cucusoft YouTube Mate 7.10
    Digidesign Pro Tools LE 7.0
    Digidesign Shared Plug-Ins 7.0
    Digital Photo Recovery [Demo] 2.0.3
    DivX Converter
    DivX Player
    DivX Web Player
    E210
    EPSON Print CD
    EPSON Printer Software
    EPSON SP1400 Reference Guide
    ESET Online Scanner
    FLV Player
    Free Bomb Factory Plug-Ins 7.0
    Google Earth
    Google Update Helper
    HDView for Internet Explorer
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    HP Memories Disc
    HP My Display
    HP Photo and Imaging 2.1 - Scanjet 36X0 Series
    InterLok Driver Kit
    Interlok driver setup x32
    InterVideo WinDVD
    iTunes
    Java(TM) 6 Update 16
    Logitech MouseWare 9.79
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Excel Viewer 97
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft VC9 runtime libraries
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Works 7.0
    MobileMe Control Panel
    Move Networks Media Player for Internet Explorer
    Mozilla Firefox (3.5.7)
    MSN Music Assistant
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6 Service Pack 2 (KB954459)
    Nero 7 Essentials
    neroxml
    Netflix Movie Viewer
    Netscape (7.1)
    Panda ActiveScan
    Primo
    QuickTime
    RealPlayer
    Recover My Photos
    RegRun Reanimator
    Runtime
    Safari
    SDK
    Security Update for Windows Internet Explorer 7 (KB928090)
    Security Update for Windows Internet Explorer 7 (KB929969)
    Security Update for Windows Internet Explorer 7 (KB931768)
    Security Update for Windows Internet Explorer 7 (KB933566)
    Security Update for Windows Internet Explorer 7 (KB937143)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 9 (KB911565)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    ShareIns
    SiSoftware Sandra Lite XII.SP2c
    Sony Picture Utility
    SopCast 3.2.4
    Sound Blaster X-Fi Xtreme Audio
    Spybot - Search & Destroy
    StreamTorrent 1.0
    StuffIt 12
    SUPERAntiSpyware Free Edition
    TomTom HOME 2.7.3.1894
    TomTom HOME Visual Studio Merge Modules
    Toon Boom Studio 4.5
    Trivial Pursuit Digital Choice v1.3.0 for Windows XP/Vista
    Ulead VideoStudio 6
    UnHackMe 5.70 release
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB971930)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    URGE
    VCRedistSetup
    Veetle TV 0.9.15
    Verizon Online Help and Support
    VideoLAN VLC media player 0.8.6f
    WD Diagnostics
    WD Drive Manager (x86)
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Imaging Component
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3
    WinZip 11.1
    XML Paper Specification Shared Components Pack 1.0
    Yahoo! Toolbar
    Zero Assumption Recovery Version 8.3

    ==== Event Viewer Messages From Past Week ========

    3/6/2010 2:05:32 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL Tcpip WS2IFSL
    3/5/2010 8:35:13 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments " " in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    3/5/2010 5:03:52 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments " " in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    3/5/2010 4:36:03 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm SASDIFSV SASKUTIL
    3/5/2010 4:23:35 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments " " in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
    3/5/2010 4:22:07 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: avgio avipbb Fips intelppm SASDIFSV SASKUTIL ssmdrv
    3/5/2010 3:04:34 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: PCIIde
    3/5/2010 2:30:33 AM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file regsvr32.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5512.
    3/5/2010 11:03:04 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD avgio avipbb Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL ssmdrv Tcpip WS2IFSL
    3/5/2010 11:03:04 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    3/5/2010 11:03:04 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    3/5/2010 11:03:04 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    3/5/2010 11:03:04 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    3/5/2010 11:02:51 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments " " in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    3/5/2010 1:20:29 PM, error: Service Control Manager [7000] - The %USBTuner.SvcDesc% service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    3/4/2010 4:20:35 PM, error: PSched [14103] - QoS [Adapter {C30AF1A7-B4BD-44DD-A9F0-0D9B94F16663}]: The netcard driver failed the query for OID_GEN_LINK_SPEED.
    3/4/2010 11:19:46 PM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).

    ==== End Of File ===========================





    DDS (Ver_09-12-01.01) - NTFSx86 MINIMAL
    Run by don at 14:08:38.34 on Sat 03/06/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2559.2338 [GMT -8:00]


    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    C:\WINDOWS\Explorer.EXE
    C:\Documents and Settings\don\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mStart Page = hxxp://www.google.com
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    dRunOnce: [RunNarrator] Narrator.exe
    dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    Trusted Zone: ebay.com\www
    Trusted Zone: facebook.com\www
    Trusted Zone: huffingtonpost.com\www
    Trusted Zone: imagekind.com\www
    Trusted Zone: live.com\bl111w.blu111.mail
    Trusted Zone: msn.com\www.msnbc
    Trusted Zone: myspace.com\home
    Trusted Zone: myspace.com\www
    Trusted Zone: netflix.com\www
    Trusted Zone: twitter.com
    Trusted Zone: wikipedia.org\www
    DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemydsl.verizon.net/sdcCommon/download/DSL/tgctlcm.cab
    DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
    DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab
    DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
    DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1149488008680
    DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1183460658812
    DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - hxxp://acs.pandasoftware.com/activescan/as5free/asinst.cab
    DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://crucial.com/controls/cpcScanner.cab
    DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: navnet - {AD6E5643-7B0C-46AA-95AD-9773FF2A857A} - c:\program files\navnetapp\ComUtilities.dll
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    Hosts: 127.0.0.1 www.spywareinfo.com

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\don\applic~1\mozilla\firefox\profiles\hk6vq7rn.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.msnbc.msn.com/
    FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFFab&query=
    FF - plugin: c:\documents and settings\don\application data\mozilla\firefox\profiles\hk6vq7rn.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
    FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
    FF - plugin: c:\program files\veetle\player\npvlc.dll
    FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref( "ui.use_native_colors ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "ui.use_native_popup_windows ", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.enable_click_image_resizing ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "accessibility.browsewithcaret_shortcut.enabled ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "javascript.options.mem.high_water_mark ", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "javascript.options.mem.gc_frequency ", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.auth.force-generic-ntlm ", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "svg.smil.enabled ", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "ui.trackpoint_hack.enabled ", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.debug ", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.agedWeight ", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.bucketSize ", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.maxTimeGroupings ", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.timeGroupingSize ", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.boundaryWeight ", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.prefixWeight ", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "html5.enable ", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl3.rsa_seed_sha ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref( "app.update.download.backgroundInterval ", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref( "app.update.url.manual ", "http://www.firefox.com ");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref( "browser.search.param.yahoo-fr-ja ", "mozff ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name ", "chrome://browser/locale/browser.properties ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description ", "chrome://browser/locale/browser.properties ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "xpinstall.whitelist.add ", "addons.mozilla.org ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "xpinstall.whitelist.add.36 ", "getpersonas.com ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "lightweightThemes.update.enabled ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.allTabs.previews ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "plugins.hide_infobar_for_outdated_plugin ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "plugins.update.notifyUser ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "toolbar.customization.usesheet ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.enable ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.max ", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.cachetime ", 20);

    ============= SERVICES / DRIVERS ===============

    R0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys [2006-6-5 16384]
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-10-26 64288]
    S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-2-17 8944]
    S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 55024]
    S2 USBTuner;%USBTuner.SvcDesc%;c:\windows\system32\drivers\USBTuner.sys [2001-9-24 41290]
    S3 dalwdmservice;dal service;c:\windows\system32\drivers\Dalwdm.sys [2006-6-4 105472]
    S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [2006-9-27 10664]
    S3 iLokDrvr;iLok;c:\windows\system32\drivers\iLokDrvr.sys [2008-3-11 54256]
    S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2010-3-5 34760]
    S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [2010-3-5 24416]
    S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]
    S4 gupdate1c9c46fddd035d6;Google Update Service (gupdate1c9c46fddd035d6);c:\program files\google\update\GoogleUpdate.exe [2009-4-23 133104]
    S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1184912]
    S4 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\sisoftware\sisoftware sandra lite xii.sp2c\RpcAgentSrv.exe [2008-5-26 98488]
    S4 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-11-13 92008]
    S4 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\western digital\wd drive manager\WDBtnMgrSvc.exe [2008-5-16 102400]

    =============== Created Last 30 ================

    2010-03-06 09:08:49 98816 ----a-w- c:\windows\sed.exe
    2010-03-06 09:08:49 77312 ----a-w- c:\windows\MBR.exe
    2010-03-06 09:08:49 261632 ----a-w- c:\windows\PEV.exe
    2010-03-06 09:08:49 161792 ----a-w- c:\windows\SWREG.exe
    2010-03-06 09:08:40 0 d-----w- C:\ComboFix
    2010-03-06 07:08:57 24416 ----a-w- c:\windows\system32\drivers\regguard.sys
    2010-03-06 07:04:46 2 --shatr- c:\windows\winstart.bat
    2010-03-06 07:04:14 35040 ----a-w- c:\windows\system32\Partizan.exe
    2010-03-06 07:04:14 34760 ----a-w- c:\windows\system32\drivers\Partizan.sys
    2010-03-06 07:04:00 12752 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys
    2010-03-06 07:03:48 0 d-----w- c:\program files\UnHackMe
    2010-03-05 21:44:58 0 d-----w- c:\windows\system32\wbem\Repository
    2010-02-10 09:29:27 0 d-----w- c:\program files\iPod
    2010-02-10 09:29:20 0 d-----w- c:\program files\iTunes

    ==================== Find3M ====================

    2010-01-08 00:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-08 00:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-12-21 19:14:05 916480 ------w- c:\windows\system32\wininet.dll
    2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2009-12-08 19:26:15 2145280 ------w- c:\windows\system32\ntoskrnl.exe
    2009-12-08 18:43:51 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
    2009-10-27 00:17:29 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
    2009-05-24 10:59:31 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009050420090511\index.dat
    2009-05-24 10:59:31 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009052420090525\index.dat

    ============= FINISH: 14:09:38.40 ===============
     
  7. 2010/03/06
    Admin.

    Admin. Administrator Administrator Staff

    Joined:
    2001/12/30
    Messages:
    6,687
    Likes Received:
    107
I see you have P2P software ( Azureus, Limewire, BitTorrent, uTorrent etc…) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

    Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares and their infections.

    References for the risk of these programs are here, and here.

    I would strongly recommend that you uninstall them, and read the links above for educational value!

    Note: Please be advised that continued use of these programs after being warned of the danger of infections from them, may result in the discontinued help of future cleaning of your system here at WindowsBBS Malware and Virus removal.

    A Malware expert will have a look at your log in due course.
     
  8. 2010/03/06
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    .....
     
  9. 2010/03/06
    Vladdy

    Vladdy Inactive Thread Starter

    Joined:
    2009/03/03
    Messages:
    18
    Likes Received:
    0
    here is my combofix log, from safe mode:



    ComboFix 10-03-05.03 - don 03/06/2010 14:19:46.23.2 - x86 MINIMAL
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2559.2242 [GMT -8:00]
    Running from: c:\documents and settings\don\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((( Files Created from 2010-02-06 to 2010-03-06 )))))))))))))))))))))))))))))))
    .

    2010-03-06 07:08 . 2010-03-06 08:24 24416 ----a-w- c:\windows\system32\drivers\regguard.sys
    2010-03-06 07:04 . 2010-03-06 07:27 2 --shatr- c:\windows\winstart.bat
    2010-03-06 07:04 . 2010-03-06 08:18 35040 ----a-w- c:\windows\system32\Partizan.exe
    2010-03-06 07:04 . 2010-03-06 08:18 34760 ----a-w- c:\windows\system32\drivers\Partizan.sys
    2010-03-06 07:04 . 2009-12-22 22:38 12752 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys
    2010-03-06 07:03 . 2010-03-06 07:27 -------- d-----w- c:\program files\UnHackMe
    2010-03-05 21:44 . 2010-03-05 21:44 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-03-05 11:51 . 2010-03-05 11:51 -------- d-----w- c:\documents and settings\HelpAssistant.DON-2ECAC68C422\LocalLow
    2010-03-04 02:32 . 2010-03-05 21:43 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft Help
    2010-02-13 11:53 . 2010-02-14 02:23 -------- d-----w- c:\documents and settings\don\Local Settings\Application Data\rfgswb
    2010-02-10 09:29 . 2010-02-10 09:29 -------- d-----w- c:\program files\iPod
    2010-02-10 09:29 . 2010-02-10 09:30 -------- d-----w- c:\program files\iTunes

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-03-05 21:42 . 2006-06-05 11:12 -------- d-----w- c:\program files\Microsoft Works
    2010-03-04 07:27 . 2006-06-14 20:34 81648 -c--a-w- c:\documents and settings\don\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-02-10 09:29 . 2007-07-14 12:08 -------- d-----w- c:\program files\Common Files\Apple
    2010-01-24 21:19 . 2010-01-24 21:19 -------- d-----w- c:\program files\StreamTorrent 1.0
    2010-01-24 21:15 . 2010-01-24 21:15 -------- d-----w- c:\documents and settings\don\Application Data\StreamTorrent
    2010-01-23 07:36 . 2010-01-23 07:36 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\TVU Networks
    2010-01-20 09:06 . 2008-08-17 06:19 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-01-18 00:29 . 2008-03-28 10:44 -------- d-----w- c:\program files\FriendBlasterPro
    2010-01-15 22:18 . 2008-08-21 22:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-01-13 02:59 . 2010-01-13 02:59 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\TomTom
    2010-01-13 02:58 . 2010-01-13 02:58 -------- d-----w- c:\documents and settings\don\Application Data\TomTom
    2010-01-13 02:58 . 2010-01-13 02:58 -------- d-----w- c:\program files\TomTom International B.V
    2010-01-13 02:58 . 2010-01-13 02:58 -------- d-----w- c:\program files\TomTom HOME 2
    2010-01-10 02:44 . 2010-01-10 02:43 -------- d-----w- c:\program files\Veetle
    2010-01-10 02:37 . 2010-01-10 02:37 -------- d-----w- c:\program files\SopCast
    2010-01-08 00:07 . 2008-08-21 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-08 00:07 . 2008-08-21 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-01-07 20:37 . 2009-10-12 06:30 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\McAfee
    2009-12-31 16:50 . 2004-08-04 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
    2009-12-21 19:14 . 2004-08-04 12:00 916480 ------w- c:\windows\system32\wininet.dll
    2009-12-16 06:20 . 2006-06-05 06:00 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
    2009-12-14 07:08 . 2004-08-04 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2009-12-08 19:26 . 2004-08-04 12:00 2145280 ------w- c:\windows\system32\ntoskrnl.exe
    2009-12-08 18:43 . 2004-08-03 22:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
    2009-12-08 08:33 . 2009-07-23 04:05 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    .

    ((((((((((((((((((((((((((((( SnapShot_2010-02-13_12.59.47 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2004-08-04 12:00 . 2010-02-12 22:05 67484 c:\windows\system32\perfc009.dat
    + 2004-08-04 12:00 . 2010-03-06 10:17 67484 c:\windows\system32\perfc009.dat
    + 2004-08-04 12:00 . 2010-03-06 10:17 432708 c:\windows\system32\perfh009.dat
    - 2004-08-04 12:00 . 2010-02-12 22:05 432708 c:\windows\system32\perfh009.dat
    + 2006-06-04 22:41 . 2010-03-05 21:46 178648 c:\windows\system32\FNTCACHE.DAT
    - 2006-06-04 22:41 . 2009-11-12 22:04 178648 c:\windows\system32\FNTCACHE.DAT
    + 2009-05-22 10:14 . 2010-03-05 21:45 8608020 c:\windows\system32\Restore\rstrlog.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2008-04-14 53760]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoSetActiveDesktop"= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-12-22 19:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
    path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
    backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^don^Start Menu^Programs^Startup^PMB Media Check Tool.lnk]
    path=c:\documents and settings\don\Start Menu\Programs\Startup\PMB Media Check Tool.lnk
    backup=c:\windows\pss\PMB Media Check Tool.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
    2009-08-13 22:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
    c:\program files\Avira\AntiVir Desktop\avgnt.exe [BU]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
    2007-04-24 21:25 149040 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
    2003-05-28 19:59 28672 ----a-w- c:\windows\system32\cthelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DigidesignMMERefresh]
    2005-10-26 06:21 61440 ----a-w- c:\program files\Digidesign\Drivers\MMERefresh.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DT HPW]
    2007-04-25 19:36 280064 ----a-w- c:\program files\Portrait Displays\HP My Display\dthtml.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
    2006-05-10 00:24 50760 ----a-w- c:\program files\Common Files\AOL\1163066592\ee\aolsoftware.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
    2006-02-17 16:59 124520 -c--a-w- c:\program files\Common Files\AOL\IPHSend\IPHSend.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2010-01-23 03:16 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
    2003-11-07 09:50 19968 ------w- c:\windows\LOGI_MWX.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
    2010-01-08 00:07 1394000 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
    2006-06-23 19:33 438359 -c--a-w- c:\progra~1\Verizon\SMARTB~1\MotiveSB.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2007-03-16 04:02 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
    2006-07-03 04:43 10752 ----a-r- c:\windows\system32\SPIRun.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2009-11-11 07:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rofxnsnj]
    c:\documents and settings\don\Application Data\rfgswb\qycvsftav.exe [BU]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
    2002-04-17 17:42 69632 ----a-w- c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
    2009-11-13 11:31 247144 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnHackMe Monitor]
    2009-12-22 22:38 594144 ----a-w- c:\program files\UnHackMe\hackmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
    2006-03-30 23:45 313472 -c--a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon_McciTrayApp]
    2007-03-11 21:37 936960 -c--a-w- c:\program files\Verizon\McciTrayApp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VolPanel]
    2007-03-01 01:50 180224 ------w- c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WD Drive Manager]
    2008-05-17 00:12 430080 ----a-w- c:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "iPodService"=3 (0x3)
    "Viewpoint Manager Service"=2 (0x2)
    "WMPNetworkSvc"=3 (0x3)
    "Stuffit Archive Name Service"=2 (0x2)
    "SandraAgentSrv"=2 (0x2)
    "NMSAccessU"=2 (0x2)
    "NMIndexingService"=3 (0x3)
    "NBService"=3 (0x3)
    "JavaQuickStarterService"=2 (0x2)
    "iPod Service"=3 (0x3)
    "idsvc"=3 (0x3)
    "IDriverT"=3 (0x3)
    "gupdate1c9c46fddd035d6"=2 (0x2)
    "DTSRVC"=2 (0x2)
    "digiSPTIService"=3 (0x3)
    "DigiRefresh"=2 (0x2)
    "Creative Service for CDROM Access"=2 (0x2)
    "Bonjour Service"=2 (0x2)
    "Apple Mobile Device"=2 (0x2)
    "WDBtnMgrSvc.exe"=2 (0x2)
    "McAfee SiteAdvisor Service"=2 (0x2)
    "Lavasoft Ad-Aware Service"=2 (0x2)
    "MsMpSvc"=2 (0x2)
    "TomTomHOMEService"=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Documents and Settings\\don\\My Documents\\WS_FTP\\WS_FTP32.EXE"=
    "c:\\Program Files\\AIM6\\aim6.exe"=
    "c:\\Program Files\\321Studios\\Platinum\\BugTool.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
    "c:\\Program Files\\SopCast\\SopCast.exe"=
    "c:\\Program Files\\StreamTorrent 1.0\\StreamTorrent.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:*:Disabled:Remote Desktop
    "65533:TCP"= 65533:TCP:Services
    "52344:TCP"= 52344:TCP:Services
    "2479:TCP"= 2479:TCP:Services
    "3246:TCP"= 3246:TCP:Services

    R0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys [6/5/2006 12:13 AM 16384]
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [10/26/2009 4:10 PM 64288]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2009 11:43 AM 8944]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2009 11:43 AM 55024]
    S2 USBTuner;%USBTuner.SvcDesc%;c:\windows\system32\drivers\USBTuner.sys [9/24/2001 9:34 AM 41290]
    S3 dalwdmservice;dal service;c:\windows\system32\drivers\Dalwdm.sys [6/4/2006 10:50 PM 105472]
    S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [9/27/2006 4:12 PM 10664]
    S3 iLokDrvr;iLok;c:\windows\system32\drivers\iLokDrvr.sys [3/11/2008 1:42 PM 54256]
    S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [3/5/2010 11:04 PM 34760]
    S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [3/5/2010 11:08 PM 24416]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2009 11:43 AM 7408]
    S4 gupdate1c9c46fddd035d6;Google Update Service (gupdate1c9c46fddd035d6);c:\program files\Google\Update\GoogleUpdate.exe [4/23/2009 4:01 PM 133104]
    S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 3:17 AM 1184912]
    S4 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\SiSoftware\SiSoftware Sandra Lite XII.SP2c\RpcAgentSrv.exe [5/26/2008 7:54 PM 98488]
    S4 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [11/13/2009 3:31 AM 92008]
    S4 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [5/16/2008 4:12 PM 102400]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-03-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 08:37]

    2010-02-16 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

    2009-07-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-04-24 00:01]

    2009-07-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-04-24 00:01]
    .
    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mStart Page = hxxp://www.google.com
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    Trusted Zone: ebay.com\www
    Trusted Zone: facebook.com\www
    Trusted Zone: huffingtonpost.com\www
    Trusted Zone: imagekind.com\www
    Trusted Zone: live.com\bl111w.blu111.mail
    Trusted Zone: msn.com\www.msnbc
    Trusted Zone: myspace.com\home
    Trusted Zone: myspace.com\www
    Trusted Zone: netflix.com\www
    Trusted Zone: twitter.com
    Trusted Zone: wikipedia.org\www
    FF - ProfilePath - c:\documents and settings\don\Application Data\Mozilla\Firefox\Profiles\hk6vq7rn.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.msnbc.msn.com/
    FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFFab&query=
    FF - plugin: c:\documents and settings\don\Application Data\Mozilla\Firefox\Profiles\hk6vq7rn.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Veetle\Player\npvlc.dll
    FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-03-06 14:30
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(228)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    c:\windows\system32\WININET.dll

    - - - - - - - > 'explorer.exe'(1828)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    .
    Completion time: 2010-03-06 14:38:27
    ComboFix-quarantined-files.txt 2010-03-06 22:38
    ComboFix2.txt 2010-03-06 09:39
    ComboFix3.txt 2010-03-05 13:02
    ComboFix4.txt 2010-03-05 11:45
    ComboFix5.txt 2010-03-06 22:18

    Pre-Run: 2,300,653,568 bytes free
    Post-Run: 2,286,112,768 bytes free

    - - End Of File - - ABCFCC44F54B0EA70F09DF66F81732BE
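The ComboFix log above shows the two things the original poster described: open-port firewall rules named just "Services" on high TCP ports that keep coming back, and an msconfig startupreg entry (rofxnsnj) whose executable sits under the user's Application Data. The script below is an added example, not part of this thread and not ComboFix's own code; it parses those sections of a ComboFix log and flags the patterns. It assumes the documented Windows XP SP2 layout of a GloballyOpenPorts value, port:proto:scope:Enabled|Disabled:name (the "Services" entries carry only three fields, which is why they stand out before you even look at the port numbers), treats anything under Documents and Settings or Windows\Temp as user-writable, and drops ComboFix's trailing [BU] marker without interpreting it. The sample input is excerpted from the log above with the forum's stray spaces inside the quotes removed.

```python
"""Triage the firewall and msconfig sections of a ComboFix log for the
patterns discussed in this thread.  Added example; not ComboFix code and
not part of the forum thread."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Excerpt of the ComboFix log posted above (forum quote spacing removed).
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Documents and Settings\\don\\My Documents\\WS_FTP\\WS_FTP32.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:Remote Desktop
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3246:TCP"= 3246:TCP:Services

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 07:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rofxnsnj]
c:\documents and settings\don\Application Data\rfgswb\qycvsftav.exe [BU]
"""

# Assumption: these prefixes are writable by an unprivileged XP user.  An
# entry pointing there is a reason to look, not proof of malware.
USER_WRITABLE = ("\\documents and settings\\", "\\windows\\temp\\")

# Documented XP SP2 layout of a GloballyOpenPorts value: port:proto:scope:state:name
PORT_RULE_FIELDS = 5


@dataclass(frozen=True)
class Finding:
    section: str   # "ports", "apps" or "startupreg"
    entry: str     # the rule value, path or startupreg key that was flagged
    reason: str


_KV = re.compile(r'^"(?P<key>[^"]*)"=\s*(?P<value>.*)$')
_STARTUPREG = re.compile(r'\\msconfig\\startupreg\\(?P<key>[^\]]+)\]$', re.I)


def _in_user_writable(path: str) -> bool:
    return any(frag in path.lower() for frag in USER_WRITABLE)


def _exe_path(line: str) -> Optional[str]:
    """Pull the executable path out of a ComboFix startupreg detail line."""
    line = re.sub(r"\s*\[BU\]\s*$", "", line)   # drop ComboFix's [BU] marker
    m = re.search(r"(?i)[a-z]:\\.*$", line)
    return m.group(0).strip() if m else None


def check_port_rule(value: str) -> Optional[str]:
    """Return a reason to flag an open-port rule, or None if it looks normal."""
    fields = value.split(":", PORT_RULE_FIELDS - 1)
    if len(fields) < PORT_RULE_FIELDS:
        return "open-port value lacks the port:proto:scope:state:name layout"
    _port, _proto, _scope, state, name = fields
    if state.lower() != "disabled" and name.strip().lower() in ("", "services"):
        return "enabled open-port rule with a generic name"
    return None


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    section = None        # which of the three interesting lists we are in
    pending_key = None    # startupreg key whose detail line comes next
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            m = _STARTUPREG.search(line)
            if m:
                section, pending_key = "startupreg", m.group("key")
            elif line.lower().endswith("\\globallyopenports\\list]"):
                section = "ports"
            elif line.lower().endswith("\\authorizedapplications\\list]"):
                section = "apps"
            else:
                section = None
            continue
        if section == "startupreg" and pending_key:
            path = _exe_path(line)
            if path and _in_user_writable(path):
                findings.append(Finding("startupreg", pending_key,
                                        f"autostart from user-writable path {path}"))
            pending_key = None
        elif section in ("ports", "apps"):
            m = _KV.match(line)
            if not m:
                continue
            if section == "ports":
                reason = check_port_rule(m.group("value"))
                if reason:
                    findings.append(Finding("ports", m.group("value"), reason))
            else:
                path = m.group("key").replace("\\\\", "\\")   # undo REGEDIT4 escaping
                if _in_user_writable(path):
                    findings.append(Finding("apps", path,
                                            "firewall exception for a user-writable path"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.entry}: {f.reason}")
```

Run it as-is to print the findings for the excerpt, or call triage() on the full text of a saved ComboFix log. A hit is a review item, not a verdict: WS_FTP32.EXE is flagged only because it lives under My Documents, the same location rule that catches qycvsftav.exe, while the four "Services" rules are flagged for their malformed value before any judgement about the port numbers.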
     
  10. 2010/03/06
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    OK. You ran Combo several times, so while I'm looking at the latest log...
    Zip following files:
    ComboFix2.txt
    ComboFix3.txt
    ComboFix4.txt
    ComboFix5.txt
    into one file and...

    Upload the file(s) here: http://uploadmb.com/
    Post download link.
     
  11. 2010/03/06
    Vladdy

    Vladdy Inactive Thread Starter

    Joined:
    2009/03/03
    Messages:
    18
    Likes Received:
    0
    thanks - i'm afraid i don't seem to have the previous combofix logs though, this latest log was the only one in the c: folder.
     
  12. 2010/03/06
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Hmmm...just for the future....never delete them.
    In any case, if any rootkit was present, it's gone.

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\winstart.bat
    c:\documents and settings\don\Application Data\rfgswb\qycvsftav.exe
    
    
    Folder::
    
    Driver::
    
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rofxnsnj]
    
    RegLockDel::
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.


    Download HijackThis:
    http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
    by clicking on Installer under Version 2.0.2
    [DO NOT download version 2.0.3 (beta)]
    Install, and run it.
    Post HijackTHis log.
    Do NOT attempt to fix anything!

    NOTE. If you're using Vista, or 7, right click on HijackThis, and click Run as Administrator
     
  13. 2010/03/06
    Vladdy

    Vladdy Inactive Thread Starter

    Joined:
    2009/03/03
    Messages:
    18
    Likes Received:
    0
    OK, I will..... is it OK for me to do this in safe mode?
     
  14. 2010/03/06
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    You can try to restart in normal mode and see, if it works fine.
    If not, go back to safe mode.
     
  15. 2010/03/06
    Vladdy

    Vladdy Inactive Thread Starter

    Joined:
    2009/03/03
    Messages:
    18
    Likes Received:
    0
    OK here is the Combofix log after running the script in safe mode. Will run Hijackthis next:

    ComboFix 10-03-05.03 - don 03/06/2010 18:28:00.24.2 - x86 MINIMAL
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2559.2363 [GMT -8:00]
    Running from: c:\documents and settings\don\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\don\Desktop\CFScript.txt

    FILE ::
    "c:\documents and settings\don\Application Data\rfgswb\qycvsftav.exe"
    "c:\windows\winstart.bat"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\winstart.bat

    .
    ((((((((((((((((((((((((( Files Created from 2010-02-07 to 2010-03-07 )))))))))))))))))))))))))))))))
    .

    2010-03-06 07:08 . 2010-03-06 08:24 24416 ----a-w- c:\windows\system32\drivers\regguard.sys
    2010-03-06 07:04 . 2010-03-06 08:18 35040 ----a-w- c:\windows\system32\Partizan.exe
    2010-03-06 07:04 . 2010-03-06 08:18 34760 ----a-w- c:\windows\system32\drivers\Partizan.sys
    2010-03-06 07:04 . 2009-12-22 22:38 12752 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys
    2010-03-06 07:03 . 2010-03-06 07:27 -------- d-----w- c:\program files\UnHackMe
    2010-03-05 21:44 . 2010-03-05 21:44 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-03-05 11:51 . 2010-03-05 11:51 -------- d-----w- c:\documents and settings\HelpAssistant.DON-2ECAC68C422\LocalLow
    2010-03-04 02:32 . 2010-03-05 21:43 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft Help
    2010-02-13 11:53 . 2010-02-14 02:23 -------- d-----w- c:\documents and settings\don\Local Settings\Application Data\rfgswb
    2010-02-10 09:29 . 2010-02-10 09:29 -------- d-----w- c:\program files\iPod
    2010-02-10 09:29 . 2010-02-10 09:30 -------- d-----w- c:\program files\iTunes

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-03-05 21:42 . 2006-06-05 11:12 -------- d-----w- c:\program files\Microsoft Works
    2010-03-04 07:27 . 2006-06-14 20:34 81648 -c--a-w- c:\documents and settings\don\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-02-10 09:29 . 2007-07-14 12:08 -------- d-----w- c:\program files\Common Files\Apple
    2010-01-24 21:19 . 2010-01-24 21:19 -------- d-----w- c:\program files\StreamTorrent 1.0
    2010-01-24 21:15 . 2010-01-24 21:15 -------- d-----w- c:\documents and settings\don\Application Data\StreamTorrent
    2010-01-23 07:36 . 2010-01-23 07:36 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\TVU Networks
    2010-01-20 09:06 . 2008-08-17 06:19 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-01-18 00:29 . 2008-03-28 10:44 -------- d-----w- c:\program files\FriendBlasterPro
    2010-01-15 22:18 . 2008-08-21 22:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-01-13 02:59 . 2010-01-13 02:59 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\TomTom
    2010-01-13 02:58 . 2010-01-13 02:58 -------- d-----w- c:\documents and settings\don\Application Data\TomTom
    2010-01-13 02:58 . 2010-01-13 02:58 -------- d-----w- c:\program files\TomTom International B.V
    2010-01-13 02:58 . 2010-01-13 02:58 -------- d-----w- c:\program files\TomTom HOME 2
    2010-01-10 02:44 . 2010-01-10 02:43 -------- d-----w- c:\program files\Veetle
    2010-01-10 02:37 . 2010-01-10 02:37 -------- d-----w- c:\program files\SopCast
    2010-01-08 00:07 . 2008-08-21 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-08 00:07 . 2008-08-21 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-01-07 20:37 . 2009-10-12 06:30 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\McAfee
    2009-12-31 16:50 . 2004-08-04 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
    2009-12-21 19:14 . 2004-08-04 12:00 916480 ------w- c:\windows\system32\wininet.dll
    2009-12-16 06:20 . 2006-06-05 06:00 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
    2009-12-14 07:08 . 2004-08-04 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2009-12-08 19:26 . 2004-08-04 12:00 2145280 ------w- c:\windows\system32\ntoskrnl.exe
    2009-12-08 18:43 . 2004-08-03 22:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
    2009-12-08 08:33 . 2009-07-23 04:05 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    .

    ((((((((((((((((((((((((((((( SnapShot_2010-02-13_12.59.47 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2004-08-04 12:00 . 2010-02-12 22:05 67484 c:\windows\system32\perfc009.dat
    + 2004-08-04 12:00 . 2010-03-06 10:17 67484 c:\windows\system32\perfc009.dat
    + 2004-08-04 12:00 . 2010-03-06 10:17 432708 c:\windows\system32\perfh009.dat
    - 2004-08-04 12:00 . 2010-02-12 22:05 432708 c:\windows\system32\perfh009.dat
    + 2006-06-04 22:41 . 2010-03-05 21:46 178648 c:\windows\system32\FNTCACHE.DAT
    - 2006-06-04 22:41 . 2009-11-12 22:04 178648 c:\windows\system32\FNTCACHE.DAT
    + 2009-05-22 10:14 . 2010-03-05 21:45 8608020 c:\windows\system32\Restore\rstrlog.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting "= "c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator "= "Narrator.exe" [2008-04-14 53760]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoSetActiveDesktop "= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-12-22 19:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @= "Service "

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
    path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
    backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^don^Start Menu^Programs^Startup^PMB Media Check Tool.lnk]
    path=c:\documents and settings\don\Start Menu\Programs\Startup\PMB Media Check Tool.lnk
    backup=c:\windows\pss\PMB Media Check Tool.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
    2009-08-13 22:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
    c:\program files\Avira\AntiVir Desktop\avgnt.exe [BU]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
    2007-04-24 21:25 149040 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
    2003-05-28 19:59 28672 ----a-w- c:\windows\system32\cthelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DigidesignMMERefresh]
    2005-10-26 06:21 61440 ----a-w- c:\program files\Digidesign\Drivers\MMERefresh.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DT HPW]
    2007-04-25 19:36 280064 ----a-w- c:\program files\Portrait Displays\HP My Display\dthtml.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
    2006-05-10 00:24 50760 ----a-w- c:\program files\Common Files\AOL\1163066592\ee\aolsoftware.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
    2006-02-17 16:59 124520 -c--a-w- c:\program files\Common Files\AOL\IPHSend\IPHSend.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2010-01-23 03:16 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
    2003-11-07 09:50 19968 ------w- c:\windows\LOGI_MWX.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
    2010-01-08 00:07 1394000 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
    2006-06-23 19:33 438359 -c--a-w- c:\progra~1\Verizon\SMARTB~1\MotiveSB.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2007-03-16 04:02 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
    2006-07-03 04:43 10752 ----a-r- c:\windows\system32\SPIRun.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2009-11-11 07:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
    2002-04-17 17:42 69632 ----a-w- c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
    2009-11-13 11:31 247144 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnHackMe Monitor]
    2009-12-22 22:38 594144 ----a-w- c:\program files\UnHackMe\hackmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
    2006-03-30 23:45 313472 -c--a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon_McciTrayApp]
    2007-03-11 21:37 936960 -c--a-w- c:\program files\Verizon\McciTrayApp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VolPanel]
    2007-03-01 01:50 180224 ------w- c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WD Drive Manager]
    2008-05-17 00:12 430080 ----a-w- c:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "iPodService "=3 (0x3)
    "Viewpoint Manager Service "=2 (0x2)
    "WMPNetworkSvc "=3 (0x3)
    "Stuffit Archive Name Service "=2 (0x2)
    "SandraAgentSrv "=2 (0x2)
    "NMSAccessU "=2 (0x2)
    "NMIndexingService "=3 (0x3)
    "NBService "=3 (0x3)
    "JavaQuickStarterService "=2 (0x2)
    "iPod Service "=3 (0x3)
    "idsvc "=3 (0x3)
    "IDriverT "=3 (0x3)
    "gupdate1c9c46fddd035d6 "=2 (0x2)
    "DTSRVC "=2 (0x2)
    "digiSPTIService "=3 (0x3)
    "DigiRefresh "=2 (0x2)
    "Creative Service for CDROM Access "=2 (0x2)
    "Bonjour Service "=2 (0x2)
    "Apple Mobile Device "=2 (0x2)
    "WDBtnMgrSvc.exe "=2 (0x2)
    "McAfee SiteAdvisor Service "=2 (0x2)
    "Lavasoft Ad-Aware Service "=2 (0x2)
    "MsMpSvc "=2 (0x2)
    "TomTomHOMEService "=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Documents and Settings\\don\\My Documents\\WS_FTP\\WS_FTP32.EXE "=
    "c:\\Program Files\\AIM6\\aim6.exe "=
    "c:\\Program Files\\321Studios\\Platinum\\BugTool.exe "=
    "c:\\WINDOWS\\system32\\sessmgr.exe "=
    "c:\\Program Files\\SopCast\\adv\\SopAdver.exe "=
    "c:\\Program Files\\SopCast\\SopCast.exe "=
    "c:\\Program Files\\StreamTorrent 1.0\\StreamTorrent.exe "=
    "c:\\Program Files\\iTunes\\iTunes.exe "=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP "= 3389:TCP:*:Disabled:Remote Desktop
    "65533:TCP "= 65533:TCP:Services
    "52344:TCP "= 52344:TCP:Services
    "2479:TCP "= 2479:TCP:Services
    "3246:TCP "= 3246:TCP:Services

    R0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys [6/5/2006 12:13 AM 16384]
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [10/26/2009 4:10 PM 64288]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2009 11:43 AM 8944]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2009 11:43 AM 55024]
    S2 USBTuner;%USBTuner.SvcDesc%;c:\windows\system32\drivers\USBTuner.sys [9/24/2001 9:34 AM 41290]
    S3 dalwdmservice;dal service;c:\windows\system32\drivers\Dalwdm.sys [6/4/2006 10:50 PM 105472]
    S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [9/27/2006 4:12 PM 10664]
    S3 iLokDrvr;iLok;c:\windows\system32\drivers\iLokDrvr.sys [3/11/2008 1:42 PM 54256]
    S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [3/5/2010 11:04 PM 34760]
    S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [3/5/2010 11:08 PM 24416]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2009 11:43 AM 7408]
    S4 gupdate1c9c46fddd035d6;Google Update Service (gupdate1c9c46fddd035d6);c:\program files\Google\Update\GoogleUpdate.exe [4/23/2009 4:01 PM 133104]
    S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 3:17 AM 1184912]
    S4 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\SiSoftware\SiSoftware Sandra Lite XII.SP2c\RpcAgentSrv.exe [5/26/2008 7:54 PM 98488]
    S4 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [11/13/2009 3:31 AM 92008]
    S4 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [5/16/2008 4:12 PM 102400]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-03-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 08:37]

    2010-02-16 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

    2009-07-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-04-24 00:01]

    2009-07-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-04-24 00:01]
    .
    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mStart Page = hxxp://www.google.com
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    Trusted Zone: bitterfilms.com\www
    Trusted Zone: ebay.com\www
    Trusted Zone: facebook.com\www
    Trusted Zone: huffingtonpost.com\www
    Trusted Zone: imagekind.com\www
    Trusted Zone: live.com\bl111w.blu111.mail
    Trusted Zone: msn.com\www.msnbc
    Trusted Zone: myspace.com\home
    Trusted Zone: myspace.com\www
    Trusted Zone: netflix.com\www
    Trusted Zone: twitter.com
    Trusted Zone: wikipedia.org\www
    FF - ProfilePath - c:\documents and settings\don\Application Data\Mozilla\Firefox\Profiles\hk6vq7rn.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.msnbc.msn.com/
    FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFFab&query=
    FF - plugin: c:\documents and settings\don\Application Data\Mozilla\Firefox\Profiles\hk6vq7rn.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Veetle\Player\npvlc.dll
    FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "ui.use_native_colors ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "ui.use_native_popup_windows ", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.enable_click_image_resizing ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "accessibility.browsewithcaret_shortcut.enabled ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "javascript.options.mem.high_water_mark ", 32);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "javascript.options.mem.gc_frequency ", 1600);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.auth.force-generic-ntlm ", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "svg.smil.enabled ", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "ui.trackpoint_hack.enabled ", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.debug ", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.agedWeight ", 2);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.bucketSize ", 1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.maxTimeGroupings ", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.timeGroupingSize ", 604800);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.boundaryWeight ", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.prefixWeight ", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "html5.enable ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref( "app.update.download.backgroundInterval ", 600);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref( "app.update.url.manual ", "http://www.firefox.com ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref( "browser.search.param.yahoo-fr-ja ", "mozff ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name ", "chrome://browser/locale/browser.properties ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description ", "chrome://browser/locale/browser.properties ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "xpinstall.whitelist.add ", "addons.mozilla.org ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "xpinstall.whitelist.add.36 ", "getpersonas.com ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "lightweightThemes.update.enabled ", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.allTabs.previews ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "plugins.hide_infobar_for_outdated_plugin ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "plugins.update.notifyUser ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "toolbar.customization.usesheet ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.enable ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.max ", 20);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.cachetime ", 20);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-03-06 18:39
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(228)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    c:\windows\system32\WININET.dll
    .
    Completion time: 2010-03-06 18:47:01
    ComboFix-quarantined-files.txt 2010-03-07 02:46
    ComboFix2.txt 2010-03-06 22:38
    ComboFix3.txt 2010-03-06 09:39
    ComboFix4.txt 2010-03-05 13:02
    ComboFix5.txt 2010-03-07 02:26

    Pre-Run: 2,302,459,904 bytes free
    Post-Run: 2,288,898,048 bytes free

    - - End Of File - - BFA7131F48A488F3789570C70D76D80D
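The two firewall sections in the log above (AuthorizedApplications and GloballyOpenPorts) are the exceptions the thread starter keeps deleting. The script below is an added example for this thread, not ComboFix's code and not something posted by either participant: it parses those two sections in the REGEDIT4 layout ComboFix prints and flags the entries a reviewer would look at first. The sample text is copied from the log; the `KNOWN_PORTS`, `GENERIC_LABELS` and `TRUSTED_ROOTS` tables are this example's own assumptions and should be adjusted per host. XP stores an open-port rule as `port:proto:scope:mode:name` (the `3389:TCP:*:Disabled:Remote Desktop` entry shows the full form), so an entry with only three fields and a display name like "Services" stands out on format alone.

```python
"""Triage the XP firewall exception lists as ComboFix prints them.
Added example for this thread, not ComboFix's code. SAMPLE_LOG is copied from
the log above; the scoring tables below are this example's own assumptions."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Documents and Settings\\don\\My Documents\\WS_FTP\\WS_FTP32.EXE"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:Remote Desktop
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3246:TCP"= 3246:TCP:Services
"""

# Assumptions, adjust per host: ports a home XP box opens on purpose, display
# names that say nothing about an owner, and where allow-listed binaries live.
KNOWN_PORTS = {137: "NetBIOS-ns", 138: "NetBIOS-dgm", 139: "NetBIOS-ssn",
               445: "SMB", 3389: "Remote Desktop", 5900: "VNC"}
GENERIC_LABELS = {"", "service", "services", "system", "windows"}
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\windows\\")

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>.*)$')


@dataclass
class Finding:
    entry: str
    reasons: List[str] = field(default_factory=list)


def parse_sections(text: str) -> Dict[str, List[tuple]]:
    """Map each [registry key] header to the (name, value) pairs under it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key")
            sections[current] = []
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            sections[current].append((m.group("name"), m.group("value").strip()))
    return sections


def check_open_port(value: str) -> Optional[Finding]:
    """XP writes port:proto:scope:mode:name; entries missing scope/mode are odd."""
    parts = value.split(":")
    port, proto = int(parts[0]), parts[1].upper()
    if len(parts) >= 5:
        mode, label = parts[3], ":".join(parts[4:])
    else:
        mode, label = None, ":".join(parts[2:])
    if mode is not None and mode.lower() == "disabled":
        return None  # not reachable right now: a cleanup item, not a triage item
    reasons = []
    if mode is None:
        reasons.append("missing scope/mode fields")
    if label.strip().lower() in GENERIC_LABELS:
        reasons.append("generic display name %r" % label)
    if port > 1024 and port not in KNOWN_PORTS:
        reasons.append("non-standard %s port %d" % (proto, port))
    return Finding(value, reasons) if reasons else None


def check_authorized_app(path: str) -> Optional[Finding]:
    """Flag allow-listed executables living outside Program Files / Windows."""
    p = path.replace("\\\\", "\\").lower()  # undo REGEDIT's doubled backslashes
    if p.startswith(TRUSTED_ROOTS):
        return None
    return Finding(path, ["executable outside " + " / ".join(TRUSTED_ROOTS)])


def triage(text: str) -> Dict[str, List[Finding]]:
    """Run both checks over a ComboFix 'Reg Loading Points' excerpt."""
    out: Dict[str, List[Finding]] = {"open_ports": [], "authorized_apps": []}
    for key, entries in parse_sections(text).items():
        k = key.lower()
        if k.endswith("globallyopenports\\list"):
            for _, value in entries:
                f = check_open_port(value)
                if f:
                    out["open_ports"].append(f)
        elif k.endswith("authorizedapplications\\list"):
            for name, _ in entries:
                f = check_authorized_app(name)
                if f:
                    out["authorized_apps"].append(f)
    return out


if __name__ == "__main__":
    for kind, findings in triage(SAMPLE_LOG).items():
        for f in findings:
            print("%-15s %-45s %s" % (kind, f.entry, "; ".join(f.reasons)))
```

On the sample, the four "Services" rules come out with all three reasons and the Remote Desktop rule is skipped because it is disabled; the only allow-listed executable flagged is the one under a user profile. The script only says where to look. A rule that comes back after it is deleted is being rewritten by something that runs at boot, so the next step is to find that writer in the driver, service and startup lists further up the log rather than editing the firewall list again.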
     
  16. 2010/03/06
    broni Moderator Malware Analyst

    When you have a chance, I want you to try to re-run Combo and HJT in normal mode.
     
  17. 2010/03/06
    Vladdy Inactive Thread Starter

    OK, here is HijackThis from normal mode. Will try ComboFix in normal mode now:


    Logfile of Trend Micro HijackThis v2.0.3 (BETA)
    Scan saved at 6:53:22 PM, on 3/6/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.msn.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\DON\Application Data\Mozilla\Profiles\default\i4dwww6b.slt\prefs.js)
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
    O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://www.ebay.com
    O15 - Trusted Zone: http://www.facebook.com
    O15 - Trusted Zone: http://www.huffingtonpost.com
    O15 - Trusted Zone: http://bl111w.blu111.mail.live.com
    O15 - Trusted Zone: http://www.msnbc.msn.com
    O15 - Trusted Zone: http://home.myspace.com
    O15 - Trusted Zone: http://www.myspace.com
    O15 - Trusted Zone: http://www.netflix.com
    O15 - Trusted Zone: http://*.twitter.com
    O15 - Trusted Zone: http://www.wikipedia.org
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/DSL/tgctlcm.cab
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1149488008680
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1183460658812
    O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://crucial.com/controls/cpcScanner.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: navnet - {AD6E5643-7B0C-46AA-95AD-9773FF2A857A} - C:\Program Files\NavNetApp\ComUtilities.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

    --
    End of file - 5669 bytes
     
  18. 2010/03/06
    broni Moderator Malware Analyst

    Ok...
     
  19. 2010/03/06
    Vladdy Inactive Thread Starter

    Here is the ComboFix log from normal mode. In normal mode, I still cannot open Firefox or IE. I am also still concerned about those firewall exceptions you see listed in the log, for "Services". (Every time I delete these they return on reboot and I don't know what they are.)

    UPDATE: I was able to get IE to work again, after totally resetting the program in Internet Settings... still no Firefox.

    ComboFix 10-03-06.03 - don 03/06/2010 19:00:52.25.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2559.2197 [GMT -8:00]
    Running from: c:\documents and settings\don\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((( Files Created from 2010-02-07 to 2010-03-07 )))))))))))))))))))))))))))))))
    .

    2010-03-07 02:52 . 2010-03-07 02:52 -------- d-----w- c:\program files\TrendMicro
    2010-03-06 07:08 . 2010-03-06 08:24 24416 ----a-w- c:\windows\system32\drivers\regguard.sys
    2010-03-06 07:04 . 2010-03-06 08:18 35040 ----a-w- c:\windows\system32\Partizan.exe
    2010-03-06 07:04 . 2010-03-06 08:18 34760 ----a-w- c:\windows\system32\drivers\Partizan.sys
    2010-03-06 07:04 . 2009-12-22 22:38 12752 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys
    2010-03-06 07:03 . 2010-03-06 07:27 -------- d-----w- c:\program files\UnHackMe
    2010-03-05 21:44 . 2010-03-05 21:44 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-03-05 11:51 . 2010-03-05 11:51 -------- d-----w- c:\documents and settings\HelpAssistant.DON-2ECAC68C422\LocalLow
    2010-03-04 02:32 . 2010-03-05 21:43 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft Help
    2010-02-13 11:53 . 2010-02-14 02:23 -------- d-----w- c:\documents and settings\don\Local Settings\Application Data\rfgswb
    2010-02-10 09:29 . 2010-02-10 09:29 -------- d-----w- c:\program files\iPod
    2010-02-10 09:29 . 2010-02-10 09:30 -------- d-----w- c:\program files\iTunes

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-03-05 21:42 . 2006-06-05 11:12 -------- d-----w- c:\program files\Microsoft Works
    2010-03-04 07:27 . 2006-06-14 20:34 81648 -c--a-w- c:\documents and settings\don\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-02-10 09:29 . 2007-07-14 12:08 -------- d-----w- c:\program files\Common Files\Apple
    2010-01-24 21:19 . 2010-01-24 21:19 -------- d-----w- c:\program files\StreamTorrent 1.0
    2010-01-24 21:15 . 2010-01-24 21:15 -------- d-----w- c:\documents and settings\don\Application Data\StreamTorrent
    2010-01-23 07:36 . 2010-01-23 07:36 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\TVU Networks
    2010-01-20 09:06 . 2008-08-17 06:19 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-01-18 00:29 . 2008-03-28 10:44 -------- d-----w- c:\program files\FriendBlasterPro
    2010-01-15 22:18 . 2008-08-21 22:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-01-13 02:59 . 2010-01-13 02:59 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\TomTom
    2010-01-13 02:58 . 2010-01-13 02:58 -------- d-----w- c:\documents and settings\don\Application Data\TomTom
    2010-01-13 02:58 . 2010-01-13 02:58 -------- d-----w- c:\program files\TomTom International B.V
    2010-01-13 02:58 . 2010-01-13 02:58 -------- d-----w- c:\program files\TomTom HOME 2
    2010-01-10 02:44 . 2010-01-10 02:43 -------- d-----w- c:\program files\Veetle
    2010-01-10 02:37 . 2010-01-10 02:37 -------- d-----w- c:\program files\SopCast
    2010-01-08 00:07 . 2008-08-21 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-08 00:07 . 2008-08-21 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-01-07 20:37 . 2009-10-12 06:30 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\McAfee
    2009-12-31 16:50 . 2004-08-04 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
    2009-12-21 19:14 . 2004-08-04 12:00 916480 ------w- c:\windows\system32\wininet.dll
    2009-12-16 06:20 . 2006-06-05 06:00 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
    2009-12-14 07:08 . 2004-08-04 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2009-12-08 19:26 . 2004-08-04 12:00 2145280 ------w- c:\windows\system32\ntoskrnl.exe
    2009-12-08 18:43 . 2004-08-03 22:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
    2009-12-08 08:33 . 2009-07-23 04:05 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    .

    ((((((((((((((((((((((((((((( SnapShot_2010-02-13_12.59.47 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2004-08-04 12:00 . 2010-02-12 22:05 67484 c:\windows\system32\perfc009.dat
    + 2004-08-04 12:00 . 2010-03-07 02:55 67484 c:\windows\system32\perfc009.dat
    + 2004-08-04 12:00 . 2010-03-07 02:55 432708 c:\windows\system32\perfh009.dat
    - 2004-08-04 12:00 . 2010-02-12 22:05 432708 c:\windows\system32\perfh009.dat
    + 2006-06-04 22:41 . 2010-03-05 21:46 178648 c:\windows\system32\FNTCACHE.DAT
    - 2006-06-04 22:41 . 2009-11-12 22:04 178648 c:\windows\system32\FNTCACHE.DAT
    + 2009-05-22 10:14 . 2010-03-05 21:45 8608020 c:\windows\system32\Restore\rstrlog.dat
    + 2010-03-07 02:52 . 2010-03-07 02:52 1093632 c:\windows\Installer\1e2fb.msi
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting "= "c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator "= "Narrator.exe" [2008-04-14 53760]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoSetActiveDesktop "= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-12-22 19:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @= "Service "

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
    path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
    backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^don^Start Menu^Programs^Startup^PMB Media Check Tool.lnk]
    path=c:\documents and settings\don\Start Menu\Programs\Startup\PMB Media Check Tool.lnk
    backup=c:\windows\pss\PMB Media Check Tool.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
    2009-08-13 22:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
    c:\program files\Avira\AntiVir Desktop\avgnt.exe [BU]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
    2007-04-24 21:25 149040 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
    2003-05-28 19:59 28672 ----a-w- c:\windows\system32\cthelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DigidesignMMERefresh]
    2005-10-26 06:21 61440 ----a-w- c:\program files\Digidesign\Drivers\MMERefresh.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DT HPW]
    2007-04-25 19:36 280064 ----a-w- c:\program files\Portrait Displays\HP My Display\dthtml.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
    2006-05-10 00:24 50760 ----a-w- c:\program files\Common Files\AOL\1163066592\ee\aolsoftware.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
    2006-02-17 16:59 124520 -c--a-w- c:\program files\Common Files\AOL\IPHSend\IPHSend.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2010-01-23 03:16 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
    2003-11-07 09:50 19968 ------w- c:\windows\LOGI_MWX.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
    2010-01-08 00:07 1394000 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
    2006-06-23 19:33 438359 -c--a-w- c:\progra~1\Verizon\SMARTB~1\MotiveSB.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2007-03-16 04:02 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
    2006-07-03 04:43 10752 ----a-r- c:\windows\system32\SPIRun.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2009-11-11 07:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
    2002-04-17 17:42 69632 ----a-w- c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
    2009-11-13 11:31 247144 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnHackMe Monitor]
    2009-12-22 22:38 594144 ----a-w- c:\program files\UnHackMe\hackmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
    2006-03-30 23:45 313472 -c--a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon_McciTrayApp]
    2007-03-11 21:37 936960 -c--a-w- c:\program files\Verizon\McciTrayApp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VolPanel]
    2007-03-01 01:50 180224 ------w- c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WD Drive Manager]
    2008-05-17 00:12 430080 ----a-w- c:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "iPodService "=3 (0x3)
    "Viewpoint Manager Service "=2 (0x2)
    "WMPNetworkSvc "=3 (0x3)
    "Stuffit Archive Name Service "=2 (0x2)
    "SandraAgentSrv "=2 (0x2)
    "NMSAccessU "=2 (0x2)
    "NMIndexingService "=3 (0x3)
    "NBService "=3 (0x3)
    "JavaQuickStarterService "=2 (0x2)
    "iPod Service "=3 (0x3)
    "idsvc "=3 (0x3)
    "IDriverT "=3 (0x3)
    "gupdate1c9c46fddd035d6 "=2 (0x2)
    "DTSRVC "=2 (0x2)
    "digiSPTIService "=3 (0x3)
    "DigiRefresh "=2 (0x2)
    "Creative Service for CDROM Access "=2 (0x2)
    "Bonjour Service "=2 (0x2)
    "Apple Mobile Device "=2 (0x2)
    "WDBtnMgrSvc.exe "=2 (0x2)
    "McAfee SiteAdvisor Service "=2 (0x2)
    "Lavasoft Ad-Aware Service "=2 (0x2)
    "MsMpSvc "=2 (0x2)
    "TomTomHOMEService "=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Documents and Settings\\don\\My Documents\\WS_FTP\\WS_FTP32.EXE "=
    "c:\\Program Files\\AIM6\\aim6.exe "=
    "c:\\Program Files\\321Studios\\Platinum\\BugTool.exe "=
    "c:\\WINDOWS\\system32\\sessmgr.exe "=
    "c:\\Program Files\\SopCast\\adv\\SopAdver.exe "=
    "c:\\Program Files\\SopCast\\SopCast.exe "=
    "c:\\Program Files\\StreamTorrent 1.0\\StreamTorrent.exe "=
    "c:\\Program Files\\iTunes\\iTunes.exe "=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP "= 3389:TCP:*:Disabled:Remote Desktop
    "65533:TCP "= 65533:TCP:Services
    "52344:TCP "= 52344:TCP:Services
    "2479:TCP "= 2479:TCP:Services
    "3246:TCP "= 3246:TCP:Services

    R0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys [6/5/2006 12:13 AM 16384]
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [10/26/2009 4:10 PM 64288]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2009 11:43 AM 8944]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2009 11:43 AM 55024]
    S2 USBTuner;%USBTuner.SvcDesc%;c:\windows\system32\drivers\USBTuner.sys [9/24/2001 9:34 AM 41290]
    S3 dalwdmservice;dal service;c:\windows\system32\drivers\Dalwdm.sys [6/4/2006 10:50 PM 105472]
    S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [9/27/2006 4:12 PM 10664]
    S3 iLokDrvr;iLok;c:\windows\system32\drivers\iLokDrvr.sys [3/11/2008 1:42 PM 54256]
    S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [3/5/2010 11:04 PM 34760]
    S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [3/5/2010 11:08 PM 24416]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2009 11:43 AM 7408]
    S4 gupdate1c9c46fddd035d6;Google Update Service (gupdate1c9c46fddd035d6);c:\program files\Google\Update\GoogleUpdate.exe [4/23/2009 4:01 PM 133104]
    S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 3:17 AM 1184912]
    S4 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\SiSoftware\SiSoftware Sandra Lite XII.SP2c\RpcAgentSrv.exe [5/26/2008 7:54 PM 98488]
    S4 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [11/13/2009 3:31 AM 92008]
    S4 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [5/16/2008 4:12 PM 102400]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-03-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 08:37]

    2010-02-16 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

    2009-07-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-04-24 00:01]

    2009-07-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-04-24 00:01]
    .
    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mStart Page = hxxp://www.google.com
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    Trusted Zone: ebay.com\www
    Trusted Zone: facebook.com\www
    Trusted Zone: huffingtonpost.com\www
    Trusted Zone: imagekind.com\www
    Trusted Zone: live.com\bl111w.blu111.mail
    Trusted Zone: msn.com\www.msnbc
    Trusted Zone: myspace.com\home
    Trusted Zone: myspace.com\www
    Trusted Zone: netflix.com\www
    Trusted Zone: twitter.com
    Trusted Zone: wikipedia.org\www
    FF - ProfilePath - c:\documents and settings\don\Application Data\Mozilla\Firefox\Profiles\hk6vq7rn.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.msnbc.msn.com/
    FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFFab&query=
    FF - plugin: c:\documents and settings\don\Application Data\Mozilla\Firefox\Profiles\hk6vq7rn.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Veetle\Player\npvlc.dll
    FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "ui.use_native_colors ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "ui.use_native_popup_windows ", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.enable_click_image_resizing ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "accessibility.browsewithcaret_shortcut.enabled ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "javascript.options.mem.high_water_mark ", 32);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "javascript.options.mem.gc_frequency ", 1600);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.auth.force-generic-ntlm ", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "svg.smil.enabled ", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "ui.trackpoint_hack.enabled ", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.debug ", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.agedWeight ", 2);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.bucketSize ", 1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.maxTimeGroupings ", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.timeGroupingSize ", 604800);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.boundaryWeight ", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.prefixWeight ", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "html5.enable ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref( "app.update.download.backgroundInterval ", 600);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref( "app.update.url.manual ", "http://www.firefox.com ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref( "browser.search.param.yahoo-fr-ja ", "mozff ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name ", "chrome://browser/locale/browser.properties ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description ", "chrome://browser/locale/browser.properties ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "xpinstall.whitelist.add ", "addons.mozilla.org ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "xpinstall.whitelist.add.36 ", "getpersonas.com ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "lightweightThemes.update.enabled ", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.allTabs.previews ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "plugins.hide_infobar_for_outdated_plugin ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "plugins.update.notifyUser ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "toolbar.customization.usesheet ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.enable ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.max ", 20);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.cachetime ", 20);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-03-06 19:10
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(560)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    c:\windows\system32\WININET.dll

    - - - - - - - > 'explorer.exe'(464)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2010-03-06 19:18:03
    ComboFix-quarantined-files.txt 2010-03-07 03:18
    ComboFix2.txt 2010-03-07 02:47
    ComboFix3.txt 2010-03-06 22:38
    ComboFix4.txt 2010-03-06 09:39
    ComboFix5.txt 2010-03-07 03:00

    Pre-Run: 2,257,317,888 bytes free
    Post-Run: 2,244,370,432 bytes free

    - - End Of File - - 0FE7563C0435DC8A5BC7ECCDE6AEA57F
     
    Last edited: 2010/03/06
  20. 2010/03/06
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    I'm not sure what you're referring to.
     
  21. 2010/03/06
    Vladdy

    Vladdy Inactive Thread Starter

    Joined:
    2009/03/03
    Messages:
    18
    Likes Received:
    0
    I could be wrong, but I don't believe these TCP Services were in my firewall exceptions before the trouble began:

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP "= 3389:TCP:*:Disabled:Remote Desktop
    "65533:TCP "= 65533:TCP:Services
    "52344:TCP "= 52344:TCP:Services
    "2479:TCP "= 2479:TCP:Services
    "3246:TCP "= 3246:TCP:Services
     
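As an added example (not from the thread, the moderator, or ComboFix itself), a small Python parser for the GloballyOpenPorts lines quoted in the post above: it reads the XP firewall's `port:proto:scope:Enabled|Disabled:name` record layout and flags entries that are either malformed or enabled high ports carrying only a generic label such as "Services", which is the pattern the poster spotted. The sample lines are copied from the log above; the five-field layout is the XP firewall's own, and the rest is assumed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the GloballyOpenPorts entries from the ComboFix log
# above, copied as the forum rendered them (value name, '=', value data).
SAMPLE_OPEN_PORTS = """\
"3389:TCP "= 3389:TCP:*:Disabled:Remote Desktop
"65533:TCP "= 65533:TCP:Services
"52344:TCP "= 52344:TCP:Services
"2479:TCP "= 2479:TCP:Services
"3246:TCP "= 3246:TCP:Services
"""

@dataclass
class OpenPort:
    port: int
    proto: str
    scope: Optional[str]     # '*' or a subnet list; None when the field is absent
    enabled: Optional[bool]  # None when no Enabled/Disabled field was present
    name: str
    well_formed: bool        # True only when all five XP fields were present

LINE_RE = re.compile(r'^\s*"(?P<key>[^"]+)"\s*=\s*(?P<data>.+?)\s*$')

def parse_open_port(line: str) -> Optional[OpenPort]:
    """Parse one exported GloballyOpenPorts value.
    The XP firewall stores each value as 'port:proto:scope:Enabled|Disabled:name';
    an exported line reads '"port:proto"= port:proto:...'. Short records (like the
    'Services' lines in the log) are kept but marked as not well formed.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.group("data").split(":")
    if len(fields) < 3 or not fields[0].isdigit():
        return None
    port, proto = int(fields[0]), fields[1].upper()
    if len(fields) >= 5:
        state = fields[3].strip().lower()
        return OpenPort(port, proto, fields[2], state == "enabled",
                        ":".join(fields[4:]), True)
    return OpenPort(port, proto, None, None, ":".join(fields[2:]), False)

def suspicious_open_ports(text: str, generic=("services", "service")) -> List[OpenPort]:
    """Return entries worth a second look: anything explicitly Disabled is skipped;
    malformed records, and enabled high ports with only a generic label, are kept."""
    flagged = []
    for line in text.splitlines():
        p = parse_open_port(line)
        if p is None or p.enabled is False:
            continue
        if not p.well_formed or (p.port >= 1024 and p.name.strip().lower() in generic):
            flagged.append(p)
    return flagged
```

Run over the sample, the four "Services" entries are flagged and the disabled Remote Desktop entry is not; a well-formed stock entry such as a LocalSubNet file-sharing rule passes clean.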
