
Author Topic: Malware Assistance  (Read 5916 times)


Gamer137

    Topic Starter


    Rookie

    Malware Assistance
    « on: June 11, 2010, 08:47:24 PM »
    Hello. Over the past few weeks my computer has been experiencing many problems. They are mostly small and not preventing me from using my system, but the amount of errors occurring is a serious issue. Symptoms include:

    Windows Audio Service no longer booting up by default.
    Not connecting to my wireless network automatically anymore.
    Being unable to access Windows or Microsoft updates, both in Control Panel and through Firefox.
    Windows being unable to access profile data upon startup sometimes and will load a profile as if it's the first time.
    Losing admin powers on an admin profile for certain actions, such as flushing my DNS.
    System Restore points no longer being created.
    Display settings being lowered to seemingly minimum settings, such as window borders looking like I'm using Windows XP.
    Issues uninstalling programs I no longer need.

    I currently use Windows Vista 32-bit updated fully as of 5/24/10 before I was no longer able to update.

    ------------------------------------------------------------------------------------------------------------------------------------------------
    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 06/11/2010 at 07:08 PM

    Application Version : 4.39.1002

    Core Rules Database Version : 5060
    Trace Rules Database Version: 2872

    Scan type       : Complete Scan
    Total Scan Time : 01:02:46

    Memory items scanned      : 568
    Memory threats detected   : 0
    Registry items scanned    : 7796
    Registry threats detected : 0
    File items scanned        : 118191
    File threats detected     : 2

    Adware.Tracking Cookie
       .atdmt.com [ C:\Users\Edward\AppData\Roaming\Mozilla\Firefox\Profiles\0odlnftf.default\cookies.sqlite ]
       .atdmt.com [ C:\Users\Edward\AppData\Roaming\Mozilla\Firefox\Profiles\0odlnftf.default\cookies.sqlite ]
    ------------------------------------------------------------------------------------------------------------------------------------------------
    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4190

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.18904

    6/11/2010 7:25:36 PM
    mbam-log-2010-06-11 (19-25-36).txt

    Scan type: Quick scan
    Objects scanned: 143755
    Time elapsed: 4 minute(s), 51 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
    ------------------------------------------------------------------------------------------------------------------------------------------------
    I was unable to update my Java because the updater would recognize a certain file in my profile's app folder.
    I was also unable to install HijackThis because the installer would not recognize the installer file on my desktop.

    I am willing to provide any other info needed. Thank you in advance for your help.

    SuperDave

    • Malware Removal Specialist


    • Genius
    • Thanked: 1020
    • Certifications: List
    • Experience: Expert
    • OS: Windows 10
    Re: Malware Assistance
    « Reply #1 on: June 13, 2010, 05:15:27 PM »
    Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum so it may take a bit longer to process your logs.

    1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
    2. The fixes are specific to your problem and should only be used for this issue on this machine.
    3. If you don't know or understand something, please don't hesitate to ask.
    4. Please DO NOT run any other tools or scans while I am helping you.
    5. It is important that you reply to this thread. Do not start a new topic.
    6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    7. Absence of symptoms does not mean that everything is clear.

    Please download ComboFix from BleepingComputer.com

    Alternate link: GeeksToGo.com

    Alternate link: Forospyware.com

    Rename ComboFix.exe to commy.exe before you save it to your Desktop
    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here
    • Click Start>Run then copy paste the following command into the Run box & click OK "%userprofile%\desktop\commy.exe" /stepdel
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console


    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


    • Click on Yes, to continue scanning for malware.
    • When finished, it shall produce a log for you.  Please include the contents of C:\ComboFix.txt in your next reply.
    Windows 8 and Windows 10 dual boot with two SSD's

    Gamer137


      Re: Malware Assistance
      « Reply #2 on: June 13, 2010, 05:57:33 PM »
      Thanks for the reply. In case it is relevant, two more symptoms have been on my computer which I forgot to add. Plus I could not find an edit button.

      -Adware and redirecting when clicking links in search engines.
      -Warnings telling me Host Process has stopped working.

      Here is the log.

      ----------------------------------------------------------------------------------------------------------------------------------------------

      ComboFix 10-06-13.01 - Edward 06/13/2010  16:46:22.1.2 - x86
      Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.2814.1707 [GMT -7:00]
      Running from: c:\users\Edward\Desktop\commy.exe
      SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
      SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
       * Created a new restore point
      .

      (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
      .

      Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected
      Restored copy from - Kitty had a snack :p
      .
      (((((((((((((((((((((((((   Files Created from 2010-05-13 to 2010-06-13  )))))))))))))))))))))))))))))))
      .

      2010-06-13 23:53 . 2010-06-13 23:53   --------   d-----w-   c:\users\Edward\AppData\Local\temp
      2010-06-13 23:53 . 2010-06-13 23:53   --------   d-----w-   c:\users\Guest\AppData\Local\temp
      2010-06-11 22:16 . 2010-06-12 00:50   63488   ----a-w-   c:\users\Edward\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
      2010-06-11 22:16 . 2010-06-11 22:16   52224   ----a-w-   c:\users\Edward\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
      2010-06-11 22:16 . 2010-06-12 00:50   117760   ----a-w-   c:\users\Edward\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
      2010-06-11 22:16 . 2010-06-11 22:16   --------   d-----w-   c:\users\Edward\AppData\Roaming\SUPERAntiSpyware.com
      2010-06-11 22:16 . 2010-06-11 22:16   --------   d-----w-   c:\programdata\SUPERAntiSpyware.com
      2010-06-11 22:16 . 2010-06-11 22:16   --------   d-----w-   c:\program files\SUPERAntiSpyware
      2010-06-11 19:50 . 2010-06-11 19:50   934832   ----a-w-   c:\programdata\PrevxCSI\~PrevxCSIUpdate.exe
      2010-06-08 05:30 . 2010-06-08 05:30   967   ----a-w-   c:\windows\ScUnin.pif
      2010-06-08 05:30 . 2010-06-08 05:30   94208   ----a-w-   c:\windows\ScUnin.exe
      2010-06-08 05:30 . 2010-06-08 05:30   12894   ----a-w-   c:\windows\scunin.dat
      2010-06-08 05:30 . 2010-06-08 06:08   --------   d-----w-   c:\program files\Starcraft
      2010-06-06 21:27 . 2010-06-06 21:27   --------   d-----w-   c:\program files\CCleaner
      2010-05-29 06:46 . 2010-05-29 07:04   --------   d-----w-   c:\program files\Total Video Converter
      2010-05-25 21:51 . 2010-04-23 14:13   2048   ----a-w-   c:\windows\system32\tzres.dll
      2010-05-23 06:49 . 2010-05-23 06:49   --------   d-----w-   c:\users\Colin\AppData\Roaming\com.adobe.px.Uploader.4C35C4D325D350FE0114230CBADCA2DDD0AC8D25.1
      2010-05-23 06:49 . 2010-05-23 06:49   38784   ----a-w-   c:\users\Colin\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
      2010-05-23 06:49 . 2010-05-23 06:49   --------   d-----w-   c:\program files\Adobe Photoshop.com Uploader
      2010-05-23 06:49 . 2010-05-23 06:49   38784   ----a-w-   c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
      2010-05-23 06:49 . 2010-05-23 06:49   --------   d-----w-   c:\program files\Common Files\Adobe AIR
      2010-05-22 21:33 . 2010-05-22 21:36   --------   d-----w-   c:\users\Edward\AppData\Local\FLVService
      2010-05-22 21:33 . 2010-05-23 23:52   --------   d-----w-   c:\program files\Freecorder
      2010-05-22 21:33 . 2010-05-22 21:33   --------   d-----w-   c:\windows\Freecorder
      2010-05-22 21:19 . 2010-05-22 21:19   --------   d-----w-   c:\users\Edward\AppData\Roaming\Audio Recorder Titanium
      2010-05-22 17:11 . 2010-05-23 21:19   --------   d-----w-   c:\users\Edward\AppData\Local\qesyttcgy

      .
      ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      2010-06-13 23:45 . 2010-02-28 19:18   88366   ----a-w-   c:\programdata\nvModes.dat
      2010-06-11 22:36 . 2009-11-25 21:19   --------   d-----w-   c:\programdata\PrevxCSI
      2010-06-11 19:50 . 2009-11-25 21:20   61952   ----a-w-   c:\windows\system32\PxSecure.dll
      2010-06-11 19:50 . 2009-11-25 21:20   61624   ----a-w-   c:\windows\system32\drivers\pxrts.sys
      2010-06-11 19:50 . 2009-11-25 21:20   30320   ----a-w-   c:\windows\system32\drivers\pxscan.sys
      2010-06-11 19:50 . 2009-11-25 21:20   24400   ----a-w-   c:\windows\system32\drivers\pxkbf.sys
      2010-06-11 19:50 . 2009-11-25 21:20   --------   d-----w-   c:\program files\Prevx
      2010-06-11 04:13 . 2009-09-15 03:39   --------   d-----w-   c:\users\Colin\AppData\Roaming\uTorrent
      2010-06-11 04:10 . 2009-09-05 06:08   --------   d-----w-   c:\users\Colin\AppData\Roaming\LimeWire
      2010-06-05 11:17 . 2009-01-20 02:21   --------   d-----w-   c:\programdata\Acer
      2010-05-30 03:38 . 2009-08-01 04:53   107808   ----a-w-   c:\users\Colin\AppData\Local\GDIPFONTCACHEV1.DAT
      2010-05-29 18:44 . 2009-08-03 05:09   --------   d-----w-   c:\users\Edward\AppData\Roaming\LimeWire
      2010-05-29 17:25 . 2009-08-01 04:08   107808   ----a-w-   c:\users\Edward\AppData\Local\GDIPFONTCACHEV1.DAT
      2010-05-29 06:44 . 2010-05-08 00:07   --------   d-----w-   c:\users\Colin\AppData\Roaming\vlc
      2010-05-26 05:42 . 2009-08-03 05:30   --------   d-----w-   c:\users\Edward\AppData\Roaming\Apple Computer
      2010-05-24 00:46 . 2009-08-17 01:15   1   ----a-w-   c:\users\Colin\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
      2010-05-22 17:24 . 2009-09-15 03:39   --------   d-----w-   c:\program files\uTorrent
      2010-05-21 21:14 . 2009-10-02 23:06   221568   ------w-   c:\windows\system32\MpSigStub.exe
      2010-05-17 14:08 . 2009-08-06 18:36   1   ----a-w-   c:\users\Edward\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
      2010-05-12 19:13 . 2006-11-02 11:18   --------   d-----w-   c:\program files\Windows Mail
      2010-05-12 19:12 . 2009-01-20 01:32   --------   d-----w-   c:\programdata\Microsoft Help
      2010-05-09 09:49 . 2010-05-09 09:48   --------   d-----w-   c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
      2010-05-09 09:49 . 2010-05-09 09:48   --------   d-----w-   c:\program files\iTunes
      2010-05-09 09:48 . 2010-05-09 09:48   --------   d-----w-   c:\program files\iPod
      2010-05-09 09:48 . 2009-08-03 05:28   --------   d-----w-   c:\program files\Common Files\Apple
      2010-05-09 09:46 . 2009-08-03 05:29   --------   d-----w-   c:\program files\QuickTime
      2010-05-09 09:41 . 2010-05-09 09:41   --------   d-----w-   c:\program files\Bonjour
      2010-05-09 09:40 . 2010-05-09 09:40   73000   ----a-w-   c:\programdata\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
      2010-05-09 09:39 . 2009-12-11 04:47   --------   d-----w-   c:\program files\Safari
      2010-05-09 09:38 . 2010-05-09 09:38   79144   ----a-w-   c:\programdata\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
      2010-05-06 21:20 . 2009-11-25 20:59   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
      2010-05-06 00:21 . 2010-01-08 03:04   107416   ----a-w-   c:\users\Guest\AppData\Local\GDIPFONTCACHEV1.DAT
      2010-04-29 22:39 . 2009-11-25 20:59   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
      2010-04-29 22:39 . 2009-11-25 20:59   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
      2010-04-26 01:22 . 2006-10-11 01:50   --------   d-----w-   c:\programdata\NVIDIA
      2010-04-25 20:55 . 2010-04-25 20:02   --------   d-----w-   c:\users\Colin\AppData\Roaming\MozillaControl
      2010-04-25 20:26 . 2010-04-25 20:26   48648   ----a-w-   c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\Markup.dll
      2010-04-25 20:25 . 2010-04-25 20:25   690952   ----a-w-   c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
      2010-04-25 20:25 . 2010-04-25 20:25   416128   ----a-w-   c:\programdata\Microsoft\eHome\Packages\NetTV\Browse\NetTVResources.dll
      2010-04-25 20:25 . 2010-04-25 20:25   652296   ----a-w-   c:\programdata\Microsoft\eHome\Packages\SportsTemplate\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
      2010-04-25 19:52 . 2010-04-25 19:52   --------   d-----w-   c:\program files\Mozilla ActiveX Control v1.7.12
      2010-04-25 19:52 . 2010-04-25 19:52   --------   d-----w-   c:\program files\VideoLAN
      2010-04-21 13:52 . 2009-11-04 02:35   --------   d-----w-   c:\program files\AVS4YOU
      2010-04-21 13:40 . 2010-04-21 13:40   --------   d-----w-   c:\users\Edward\AppData\Roaming\Audio Recorder for Free
      2010-04-21 03:07 . 2009-10-13 01:07   --------   d-----w-   c:\programdata\NOS
      2010-04-16 15:33 . 2010-04-16 15:33   41472   ----a-w-   c:\windows\system32\drivers\usbaapl.sys
      2010-04-16 15:33 . 2010-04-16 15:33   3003680   ----a-w-   c:\windows\system32\usbaaplrc.dll
      2010-04-08 20:20 . 2010-04-08 20:20   91424   ----a-w-   c:\windows\system32\dnssd.dll
      2010-04-08 20:20 . 2010-04-08 20:20   107808   ----a-w-   c:\windows\system32\dns-sd.exe
      2010-03-29 15:53 . 2010-04-18 23:49   32576   ----a-w-   c:\users\Edward\AppData\Roaming\Mozilla\Firefox\Profiles\0odlnftf.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
      2010-03-29 15:53 . 2010-04-18 23:49   29984   ----a-w-   c:\users\Edward\AppData\Roaming\Mozilla\Firefox\Profiles\0odlnftf.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
      2008-10-15 09:44 . 2009-12-28 06:31   4196864   ----a-w-   c:\program files\AcroRead.msi
      2008-10-15 09:42 . 2009-12-28 06:31   92911648   ----a-w-   c:\program files\Data1.cab
      2006-11-15 15:38 . 2009-12-28 06:31   1728   ----a-w-   c:\program files\abcpy.ini
      2006-08-25 17:00 . 2009-12-28 06:31   292   ----a-w-   c:\program files\setup.ini
      .

      (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      *Note* empty entries & legit default entries are not shown
      REGEDIT4

      [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2173A04E-31C4-4236-99EF-0447372C5FF7}]
      2009-09-15 03:51   1358848   ----a-w-   c:\program files\Aerosmith Toolbar\Toolbar.dll

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
      "{F7914565-B323-471B-AC62-6C618F00ECED}"= "c:\program files\Aerosmith Toolbar\Toolbar.dll" [2009-09-15 1358848]

      [HKEY_CLASSES_ROOT\clsid\{f7914565-b323-471b-ac62-6c618f00eced}]
      [HKEY_CLASSES_ROOT\FCTB000059849.IEToolbar.3]
      [HKEY_CLASSES_ROOT\TypeLib\{95E63F23-9987-43A9-A3E9-0DF0770E48E4}]
      [HKEY_CLASSES_ROOT\FCTB000059849.IEToolbar]

      [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
      "{F7914565-B323-471B-AC62-6C618F00ECED}"= "c:\program files\Aerosmith Toolbar\Toolbar.dll" [2009-09-15 1358848]

      [HKEY_CLASSES_ROOT\clsid\{f7914565-b323-471b-ac62-6c618f00eced}]
      [HKEY_CLASSES_ROOT\FCTB000059849.IEToolbar.3]
      [HKEY_CLASSES_ROOT\TypeLib\{95E63F23-9987-43A9-A3E9-0DF0770E48E4}]
      [HKEY_CLASSES_ROOT\FCTB000059849.IEToolbar]

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
      "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-19 2046816]

      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
      "EnableUIADesktopToggle"= 0 (0x0)

      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
      "AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
      "mixer"=wdmaud.drv

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
      @="Service"

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
      @="Service"

      [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Macro Express Pro.lnk]
      path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Macro Express Pro.lnk
      backup=c:\windows\pss\Macro Express Pro.lnk.CommonStartup
      backupExtension=.CommonStartup

      [HKLM\~\startupfolder\C:^Users^Colin^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
      path=c:\users\Colin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
      backup=c:\windows\pss\OpenOffice.org 3.1.lnk.Startup
      backupExtension=.Startup

      [HKLM\~\startupfolder\C:^Users^Edward^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
      path=c:\users\Edward\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
      backup=c:\windows\pss\OpenOffice.org 3.1.lnk.Startup
      backupExtension=.Startup

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
      2010-02-18 02:37   177472   ----a-w-   c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
      2010-04-28 22:06   142120   ----a-w-   c:\program files\iTunes\iTunesHelper.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
      2010-04-29 22:39   1090952   ----a-w-   c:\program files\Malwarebytes' Anti-Malware\mbam.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando Media Booster]
      2010-03-07 03:35   2937528   ----a-w-   c:\program files\Pando Networks\Media Booster\PMB.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
      2010-03-18 04:53   421888   ----a-w-   c:\program files\QuickTime\QTTask.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
      2010-06-07 17:13   2403568   ----a-w-   c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
      "VistaSp2"=hex(b):41,70,09,b2,74,12,ca,01

      R3 mercury;mercury;c:\windows\system32\mercury.sys

      R3 XDva280;XDva280;c:\windows\system32\XDva280.sys

      R4 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [2010-06-11 6377352]
      S0 pxscan;pxscan;c:\windows\System32\drivers\pxscan.sys [2010-06-11 30320]
      S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-08-01 335240]
      S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-08-01 108552]
      S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
      S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
      S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-08-01 908056]
      S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-01 297752]
      S2 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [2010-06-11 61624]
      S3 netr73;Belkin Wireless 54G USB Network Adapter Driver for Vista;c:\windows\system32\DRIVERS\netr73.sys [2009-08-01 464384]
      S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-08-22 66592]
      S3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [2010-06-11 24400]


      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
      LocalServiceAndNoImpersonation   REG_MULTI_SZ      FontCache
      getPlusHelper   REG_MULTI_SZ      getPlusHelper
      .
      .
      ------- Supplementary Scan -------
      .
      uStart Page = hxxp://us.mc593.mail.yahoo.com/mc/welcome?.gx=0&.tm=1249108828&.rand=2d7d3moni52ou
      mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=1&o=vp32&d=1006&m=aspire_x1300
      uInternet Settings,ProxyOverride = <local>
      uInternet Settings,ProxyServer = http=127.0.0.1:5555
      DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.71.0.cab
      FF - ProfilePath - c:\users\Edward\AppData\Roaming\Mozilla\Firefox\Profiles\0odlnftf.default\
      FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1060933&SearchSource=3&q={searchTerms}
      FF - prefs.js: browser.startup.homepage - hxxp://us.mc593.mail.yahoo.com/mc/welcome?.gx=1&.tm=1274564598&.rand=28e4qfpqf89m5|http://www.worldofwarcraft.com/index.xml
      FF - plugin: c:\programdata\NexonUS\NGM\npNxGameUS.dll
      FF - plugin: c:\users\Edward\AppData\Roaming\Mozilla\Firefox\Profiles\0odlnftf.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
      FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

      ---- FIREFOX POLICIES ----
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
      c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
      c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
      c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
      c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
      .
      - - - - ORPHANS REMOVED - - - -

      MSConfigStartUp-F5D7050v3 - c:\program files\Belkin\F5D7050v3\Belkinwcui.exe
      MSConfigStartUp-RtHDVCpl - RtHDVCpl.exe
      MSConfigStartUp-Skytel - Skytel.exe
      MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
      MSConfigStartUp-VeohPlugin - c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
      MSConfigStartUp-xcmrlwet - c:\users\Edward\AppData\Local\qesyttcgy\jcpycxetssd.exe
      AddRemove-Agere Systems Soft Modem - c:\windows\agrsmdel
      AddRemove-Medieval Total War - c:\program files\Total War\Medieval - Total War\Uninst.isu



      **************************************************************************

      catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
      Rootkit scan 2010-06-13 16:53
      Windows 6.0.6002 Service Pack 2 NTFS

      scanning hidden processes ... 

      scanning hidden autostart entries ...

      scanning hidden files ... 

      scan completed successfully
      hidden files: 0

      **************************************************************************
      .
      --------------------- LOCKED REGISTRY KEYS ---------------------

      [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
      @Denied: (A) (Users)
      @Denied: (A) (Everyone)
      @Allowed: (B 1 2 3 4 5) (S-1-5-20)
      "BlindDial"=dword:00000000
      "MSCurrentCountry"=dword:000000b5
      .
      Completion time: 2010-06-13  16:55:07
      ComboFix-quarantined-files.txt  2010-06-13 23:55

      Pre-Run: 25,142,337,536 bytes free
      Post-Run: 25,892,204,544 bytes free

      - - End Of File - - 2ACC0AB6C6B81E888DB23CB3800C67AD

      SuperDave

      Re: Malware Assistance
      « Reply #3 on: June 14, 2010, 06:27:13 PM »
      P2P - I see you have P2P software installed on your machine. (uTorrent and LimeWire) We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation.

      Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

      I would strongly recommend that you uninstall them; however, that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

      ===============================

      Re-running ComboFix to remove infections:

      • Close any open browsers.
      • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Open notepad and copy/paste the text in the quotebox below into it:
        Quote
        KillAll::

        DDS::
        uInternet Settings,ProxyServer = http=127.0.0.1:5555

      • Save this as CFScript.txt, in the same location as ComboFix.exe



      • Referring to the picture above, drag CFScript into ComboFix.exe
      • When finished, it shall produce a log for you at C:\ComboFix.txt
      • I do not need to see the log from the above script.
      =====================================

      Have any of your problems cleared up yet?

      ================================

      I'd like us to scan your machine with ESET OnlineScan

      • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESET OnlineScan
      • Click the button.
      • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
        • Click on to download the ESET Smart Installer. Save it to your desktop.
        • Double click on the icon on your desktop.
      • Check
      • Click the button.
      • Accept any security warnings from your browser.
      • Check
      • Push the Start button.
      • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
      • When the scan completes, push
      • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
      • Push the button.
      • Push
      A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

      Windows 8 and Windows 10 dual boot with two SSD's
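Added example (not part of the thread, and not ComboFix's own code): the check Dave does by eye on the Supplementary Scan section, written out in Python. It parses ComboFix's `u`/`m` entries, flags a ProxyServer that points at the loopback address, and emits the same `DDS::` stanza as the CFScript above; the sample lines are constructed to match the shape of the posted log, and all function names are my own.

```python
"""Audit the 'Supplementary Scan' section of a ComboFix log for a hijacked
WinINet proxy, and build the CFScript stanza that clears it.

Added example, not part of the thread or of ComboFix; SAMPLE_LOG is
constructed to match the shape of the log posted above."""
import re
from ipaddress import ip_address

SAMPLE_LOG = r"""
------- Supplementary Scan -------
.
uStart Page = hxxp://us.mc593.mail.yahoo.com/mc/welcome
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
FF - ProfilePath - c:\users\Edward\AppData\Roaming\Mozilla\Firefox\Profiles\0odlnftf.default\
"""

SCAN_HEADER = "------- Supplementary Scan -------"
# ComboFix prefixes entries from the user hive (HKCU) with 'u' and from the
# machine hive (HKLM) with 'm'; the rest of the line is 'key = value'.
ENTRY_RE = re.compile(r"^([um])(Internet Settings,\w+|Start Page)\s*=\s*(.*)$")
HIVE = {"u": "HKCU", "m": "HKLM"}


def parse_supplementary(text):
    """Return the 'key = value' entries that follow the Supplementary Scan
    header as dicts with prefix, hive, key and value."""
    entries, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == SCAN_HEADER:
            in_section = True
            continue
        if not in_section or line in ("", "."):
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"prefix": m.group(1), "hive": HIVE[m.group(1)],
                            "key": m.group(2), "value": m.group(3).strip()})
    return entries


def parse_proxy_server(value):
    """WinINet stores ProxyServer either as 'host:port' (all protocols) or as
    'scheme=host:port;scheme=host:port'. Return {scheme: (host, port)} with
    '*' as the scheme of the bare form."""
    proxies = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, hostport = part.split("=", 1) if "=" in part else ("*", part)
        host, sep, port = hostport.rpartition(":")
        if not sep:
            host, port = hostport, ""
        proxies[scheme.lower()] = (host, int(port) if port.isdigit() else None)
    return proxies


def is_loopback(host):
    """True for 127.0.0.0/8, ::1 or 'localhost'."""
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def audit(text):
    """Rate the Internet Settings entries. A proxy on the loopback address,
    with no proxy product installed, is the pattern behind the redirects in
    this thread: every WinINet client (IE, and update checks that use those
    settings) is routed through whatever listens on that port."""
    findings = []
    for e in parse_supplementary(text):
        if e["key"] == "Internet Settings,ProxyServer":
            for scheme, (host, port) in parse_proxy_server(e["value"]).items():
                if is_loopback(host):
                    sev, why = "high", f"{scheme} proxy on loopback {host}:{port}"
                else:
                    sev, why = "review", f"{scheme} proxy {host}:{port}; confirm it is expected"
                findings.append(dict(e, severity=sev, reason=why))
        elif e["key"] == "Internet Settings,ProxyOverride":
            findings.append(dict(e, severity="info",
                                 reason="bypass list; only matters with a ProxyServer"))
    return findings


def cfscript_for_findings(findings):
    """Build the CFScript stanza the reply above uses: 'DDS::' followed by the
    exact log lines ComboFix should clear (high-severity findings only)."""
    seen, lines = set(), []
    for f in findings:
        line = f"{f['prefix']}{f['key']} = {f['value']}"
        if f["severity"] == "high" and line not in seen:
            seen.add(line)
            lines.append(line)
    if not lines:
        return ""
    return "KillAll::\n\nDDS::\n" + "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = audit(SAMPLE_LOG)
    for f in found:
        print(f"[{f['severity']}] {f['hive']}\\{f['key']} = {f['value']}  ({f['reason']})")
    print(cfscript_for_findings(found), end="")
```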

      Gamer137


        Re: Malware Assistance
        « Reply #4 on: June 14, 2010, 08:22:15 PM »
        My computer did resume automatic updates last night. All the way from checking to installing and rebooting. Just in case it hurts the process.

        ----------------------------------------------------------------------------------------------------------------------------------------------

        C:\Users\Colin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\23\35249897-28cfcbcd   multiple threats   deleted - quarantined
        C:\Users\Colin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\5b3d5486-3140527f   a variant of Java/TrojanDownloader.Agent.NAN trojan   deleted - quarantined
        C:\Users\Edward\AppData\Local\VirtualStore\Program Files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul   Win32/Dursg.A trojan   cleaned by deleting - quarantined
        C:\Users\Edward\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\40\30b3cfe8-5f5ea1ee   multiple threats   deleted - quarantined
        C:\Users\Edward\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\59\4bd7933b-1af294b8   probably a variant of Win32/Agent trojan   deleted - quarantined

        SuperDave

        Re: Malware Assistance
        « Reply #5 on: June 15, 2010, 01:24:06 PM »
        Are you still having all those problems?
        Windows 8 and Windows 10 dual boot with two SSD's

        Gamer137

          Topic Starter


          Rookie

          Re: Malware Assistance
          « Reply #6 on: June 15, 2010, 01:52:20 PM »
          I believe not. The updates and adware have been fixed, which were the big ones. Others also appear fine.

          SuperDave

          • Malware Removal Specialist


          • Genius
          • Thanked: 1020
          • Certifications: List
          • Experience: Expert
          • OS: Windows 10
          Re: Malware Assistance
          « Reply #7 on: June 15, 2010, 06:06:25 PM »
          Well, that sounds good. If there's nothing else, let's do some clean-up.

          * Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.
          * Now type commy /uninstall in the Run box
          * Make sure there's a space between commy and /Uninstall
          * Then hit Enter

          * The above procedure will:
          * Delete the following:
          * ComboFix and its associated files and folders.
          * Reset the clock settings.
          * Hide file extensions, if required.
          * Hide System/Hidden files, if required.
          * Set a new, clean Restore Point.

          ====================================

          Download OTC by OldTimer and save it to your desktop.

          1. Double-click OTC to run it.
          2. Click the CleanUp! button.
          3. Select Yes when the "Begin cleanup Process?" prompt appears.
          4. If you are prompted to Reboot during the cleanup, select Yes
          5. OTC should delete itself once it finishes, if not delete it yourself.

          ===============================

          Clean out your temporary internet files and temp files.

          Download TFC by OldTimer to your desktop.

          Double-click TFC.exe to run it.

          Note: If you are running on Vista, right-click on the file and choose Run As Administrator

          TFC will close all programs when run, so make sure you have saved all your work before you begin.

          * Click the Start button to begin the cleaning process.
          * Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
          * Please let TFC run uninterrupted until it is finished.

          Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

          ================================

          Looking over your log it seems you don't have any evidence of a third party firewall.

          Firewalls protect against hackers and malicious intruders. You need to download a free firewall from one of these reliable vendors.

          Remember only install ONE firewall

          1) Comodo Personal Firewall (if you choose this one, uncheck during installation "Install Comodo SafeSurf...", "Make Comodo my default search provider" and "Make Comodo Search my homepage", and uncheck any HopSurf and/or Ask.com options)
          2) Online Armor
          3) Agnitum Outpost
          4) PC Tools Firewall Plus

          If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

          ===============================

          Use the Secunia Software Inspector to check for out of date software.

          •Click Start Now

          •Check the box next to Enable thorough system inspection.

          •Click Start

          •Allow the scan to finish and scroll down to see if any updates are needed.
          •Update anything listed.
          ----------

          Go to Microsoft Windows Update and get all critical updates.

          ----------

          I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

          SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
          * Using SpywareBlaster to protect your computer from Spyware and Malware
          * If you don't know what ActiveX controls are, see here

          Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

          Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

          Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
          Safe Surfing!

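Two of the checks in the post above, whether the firewall filters outbound connections and which software versions are installed for comparison with what Secunia reports, as an added PowerShell example that is not from the thread or from any of the tools it names. It assumes Windows Vista or later (netsh advfirewall does not exist on XP), an elevated prompt and English-language netsh output; it starts the software listing with Java because the ESET log earlier in the thread found its infections in the Java deployment cache.

```powershell
# Added example, not part of the thread or of the tools it recommends.
# Assumes Windows Vista or later, an elevated PowerShell prompt, and English
# netsh output (the parser keys on the English labels).

function Get-FirewallProfilePolicy {
    # Parses "netsh advfirewall show allprofiles" into one record per profile.
    # The relevant lines look like:
    #   Domain Profile Settings:
    #   State                                 ON
    #   Firewall Policy                       BlockInbound,AllowOutbound
    $profiles = @()
    $current  = $null
    foreach ($line in (netsh advfirewall show allprofiles)) {
        if ($line -match '^(\w+) Profile Settings:') {
            $current = New-Object PSObject -Property @{
                Profile = $Matches[1]; State = $null; Inbound = $null; Outbound = $null
            }
            $profiles += $current
        }
        elseif ($current -and $line -match '^State\s+(\S+)') {
            $current.State = $Matches[1]
        }
        elseif ($current -and $line -match '^Firewall Policy\s+(\w+),(\w+)') {
            $current.Inbound  = $Matches[1]
            $current.Outbound = $Matches[2]
        }
    }
    $profiles
}

function Test-OutboundFiltering {
    # The point made in the post: a profile whose default outbound action is
    # AllowOutbound lets any process "phone home" unless a block rule exists.
    # The default can be changed with
    #   netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
    # but only after allow rules exist for the programs that need the network,
    # otherwise the machine loses connectivity.
    foreach ($p in Get-FirewallProfilePolicy) {
        $note = 'ok'
        if ($p.State -ne 'ON') { $note = 'firewall OFF' }
        elseif ($p.Outbound -eq 'AllowOutbound') { $note = 'outbound allowed by default' }
        '{0,-8} state={1} inbound={2} outbound={3}  {4}' -f `
            $p.Profile, $p.State, $p.Inbound, $p.Outbound, $note
    }
}

function Get-InstalledSoftware {
    # Same data Control Panel shows, read from the machine-wide (32- and
    # 64-bit) and per-user Uninstall keys.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher |
        Sort-Object DisplayName
}

# 1. Firewall: one line per profile, flagged when outbound traffic is open.
Test-OutboundFiltering

# 2. Java first, since the scan log showed its cache was the entry point.
#    Every Java entry older than the newest one listed should be uninstalled,
#    then the newest compared with the current release on java.com.
Get-InstalledSoftware |
    Where-Object { $_.DisplayName -like 'Java*' -or $_.Publisher -like 'Sun Microsystems*' -or $_.Publisher -like 'Oracle*' } |
    Format-Table -AutoSize

# 3. The full list, to compare against the Secunia report.
Get-InstalledSoftware | Format-Table -AutoSize
```

Running it from a non-elevated prompt still lists the software, but the firewall query may report incomplete policy details, so do the firewall part from an administrator prompt.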

          Gamer137

            Topic Starter


            Rookie

            Re: Malware Assistance
            « Reply #8 on: June 15, 2010, 07:20:07 PM »
            Thanks for the assistance. You guys rock! The hardest part will be keeping my younger brother from abusing the computer again.  ;D

            SuperDave

            • Malware Removal Specialist


            • Genius
            • Thanked: 1020
            • Certifications: List
            • Experience: Expert
            • OS: Windows 10
            Re: Malware Assistance
            « Reply #9 on: June 15, 2010, 07:52:28 PM »
            Put him on a leash with a restricted account. ;D