
odd problem...

2382 Views 27 Replies 2 Participants Last post by Ried
Hi,

So I'm not sure if this is malware related or not, but it's odd....

The computer I am posting about is the media computer for our church (all AV functions go through it in the sanctuary). I tried to update McAfee on it the other day and it could not find the McAfee servers; I thought it odd but didn't give it much thought. Well, this week we are having Vacation Bible School and I'm on the computer every day now, not just Sundays like normal, so I looked into things a little more and I can't access any anti-virus/malware site (McAfee, Norton, Kaspersky, Malwarebytes). So I'm wondering if this could be a virus; the computer is a little sluggish, but nothing bad other than I can't connect to the servers. So here are the logs that you needed. I need the computer all week, at least in a state that I can run DVDs and things, but after Sunday I'll bring it to my house and keep it all week, and I can run logs and other things you need in the meantime. Thanks!



DDS (Ver_10-03-17.01) - NTFSx86
Run by nathan at 10:32:06.20 on Tue 07/06/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1637 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Panasonic\TrapMonitor\Trapmnnt.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe
C:\Program Files\NETGEAR\WNDA3100v2\WifiSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\HP Wireless 4 Button Laser Mouse\KMaestro.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\NETGEAR\WNDA3100v2\WNDA3100v2.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Documents and Settings\nathan\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3071116
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3071116
mDefault_Page_URL = hxxp://www.dell.com
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [Acrobat Speed Launch] "c:\program files\adobe\acrobat 8.0\acrobat\acrobat_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [BtcMouseMaestro] "c:\program files\hp wireless 4 button laser mouse\KMaestro.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\launch~1.lnk - c:\program files\softros systems\softros messenger\Messenger.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wnda3100v2\WNDA3100v2.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
TCP: {03BEFDC2-50AB-4D9A-891B-9C060532ACBF} = 10.0.0.1
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\nathan\applic~1\mozilla\firefox\profiles\klhjl7o8.default\
FF - prefs.js: browser.startup.homepage - camaro5.com
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R2 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2006-3-17 65536]
R2 TeamViewer5;TeamViewer 5;c:\program files\teamviewer\version5\TeamViewer_Service.exe [2010-4-16 173352]
R2 WSWNDA3100;WSWNDA3100;c:\program files\netgear\wnda3100v2\WifiSvc.exe [2010-6-16 278528]
R3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;c:\windows\system32\drivers\bcmwlhigh5.sys [2010-6-16 632576]
S2 qhwdfzl;Shell Security;c:\windows\system32\svchost.exe -k netsvcs [2004-8-10 14336]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2003-7-24 17149]
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [2010-6-16 34064]

=============== Created Last 30 ================

2010-07-06 14:48:59 0 d-----w- c:\docume~1\nathan\applic~1\Malwarebytes
2010-07-06 14:48:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-06 14:48:46 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-06 14:48:46 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-06 14:48:46 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-06-17 01:02:36 88696 ----a-w- c:\windows\system32\Packet.dll
2010-06-17 01:02:36 721920 ----a-w- c:\windows\system32\lsas84fb.rra
2010-06-17 01:02:36 68224 ----a-w- c:\windows\system32\WanPacket.dll
2010-06-17 01:02:36 53299 ----a-w- c:\windows\system32\pthreadVC.dll
2010-06-17 01:02:36 240248 ----a-w- c:\windows\system32\wpcap.dll
2010-06-17 01:02:35 34064 ----a-w- c:\windows\system32\drivers\npf.sys
2010-06-17 01:02:35 196608 ----a-w- c:\windows\system32\wps_api.dll
2010-06-17 00:57:35 632576 ----a-w- c:\windows\system32\drivers\bcmwlhigh5.sys
2010-06-17 00:15:57 721920 ----a-w- c:\windows\system32\lsas30ac.rra
2010-06-17 00:01:59 57408 ----a-w- c:\windows\system32\drivers\wsimd.sys
2010-06-13 17:30:29 721920 ----a-w- c:\windows\system32\lsas8ec2.rra
2010-06-13 16:11:38 0 d-----w- c:\program files\Atheros
2010-06-13 16:05:07 0 d--h--r- c:\docume~1\alluse~1\applic~1\Atheros
2010-06-13 16:03:48 0 d-----w- c:\program files\NETGEAR
2010-06-13 16:03:37 0 d-----w- c:\docume~1\alluse~1\applic~1\NETGEAR

==================== Find3M ====================

2010-05-05 00:40:40 212 ----a-w- c:\program files\Setup.log
2010-05-05 00:40:34 127 ----a-w- c:\program files\PanaHDS.ini
2007-04-16 15:52:53 155936 --sha-r- c:\windows\system32\vlmlrxni.dll

============= FINISH: 10:32:19.37 ===============

Hello nat1,

This system is most definitely infected. Before we begin, are there any other computers networked to it?
Yes it is; I won't let it connect today though. I can also give DDS and GMER logs from the other two computers if you would like to go through them as well. McAfee could update on them just fine, so I don't think there's anything on them.

I can start fixes on it today, but I need to use it tomorrow as well, so they can't put the computer in a state I can't use it.
Okay, I would like to see logs from the other machines, but not in this thread. It's too difficult for both of us to try to follow procedures for more than 1 machine, in 1 thread. Start new threads for each of the other machines. Entitle them Ried - PC2 and Ried - PC3

Let's get started on this one now. It will require more than 1 round to clean the system. Please stay with me until given the 'all clear' even if symptoms seem to abate.

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================


Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to our sticky topic How to disable your security applications


====================================================


Double click on combofix.exe & follow the prompts.


  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.
Hi,

Sorry I didn't reply till now; my internet connection at home crashed, so I'm doing this from my phone. I have the logs and I'll hopefully get them posted up tomorrow.
Thanks for letting me know. :)
OK, here is the ComboFix log as requested, and the other threads will be made shortly. :pray:

ComboFix 10-07-07.02 - nathan 07/08/2010 12:05:08.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1563 [GMT -5:00]
Running from: c:\documents and settings\nathan\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll
c:\windows\xpsp1hfm.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2010-06-08 to 2010-07-08 )))))))))))))))))))))))))))))))
.

2010-07-06 14:48 . 2010-07-06 14:48 -------- d-----w- c:\documents and settings\nathan\Application Data\Malwarebytes
2010-07-06 14:48 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-06 14:48 . 2010-07-06 14:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-06 14:48 . 2010-07-06 14:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-06 14:48 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-17 01:02 . 2008-11-14 22:35 196608 ----a-w- c:\windows\system32\wps_api.dll
2010-06-17 00:57 . 2009-05-05 17:00 632576 ----a-w- c:\windows\system32\drivers\bcmwlhigh5.sys
2010-06-17 00:01 . 2007-12-14 09:31 57408 ----a-w- c:\windows\system32\drivers\wsimd.sys
2010-06-13 16:11 . 2010-06-17 00:01 -------- d-----w- c:\program files\Atheros
2010-06-13 16:05 . 2010-06-13 16:05 -------- d--h--r- c:\documents and settings\All Users\Application Data\Atheros
2010-06-13 16:03 . 2010-06-17 01:02 -------- d-----w- c:\program files\NETGEAR
2010-06-13 16:03 . 2010-06-13 16:03 -------- d-----w- c:\documents and settings\All Users\Application Data\NETGEAR
2010-06-08 23:56 . 2010-06-08 23:56 -------- d-----w- c:\documents and settings\Guest\Application Data\TeamViewer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-08 17:01 . 2007-12-30 19:10 -------- d-----w- c:\documents and settings\nathan\Application Data\U3
2010-07-06 13:47 . 2007-11-16 21:48 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-06-13 16:05 . 2007-11-16 21:39 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-06 14:26 . 2010-05-09 14:59 -------- d-----w- c:\documents and settings\nathan\Application Data\Softros Messenger
2010-06-02 00:37 . 2010-06-02 00:37 -------- d-----w- c:\program files\TeamViewer
2010-05-30 15:28 . 2010-05-30 15:28 -------- d-----w- c:\documents and settings\nathan\Application Data\TeamViewer
2010-05-16 14:18 . 2010-05-16 14:18 -------- d-----w- c:\documents and settings\kim\Application Data\Softros Messenger
2010-05-16 14:16 . 2010-05-16 14:16 -------- d-----w- c:\documents and settings\Guest\Application Data\Softros Messenger
2010-05-05 00:40 . 2010-05-05 00:40 212 ----a-w- c:\program files\Setup.log
2010-05-05 00:40 . 2010-05-05 00:40 127 ----a-w- c:\program files\PanaHDS.ini
2010-05-02 14:58 . 2010-05-02 14:58 0 ----a-w- c:\windows\nsreg.dat
2010-04-11 14:25 . 2010-03-21 14:31 69624 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-04-16 15:52 . 2004-08-10 18:51 155936 --sha-r- c:\windows\system32\vlmlrxni.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"SigmatelSysTrayApp"="stsystra.exe" [2006-08-30 282624]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]
"Acrobat Speed Launch"="c:\program files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe" [2006-10-23 46200]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"BtcMouseMaestro"="c:\program files\HP Wireless 4 Button Laser Mouse\KMaestro.exe" [2007-08-24 344064]

c:\documents and settings\kim\Start Menu\Programs\Startup\
VirtualExpander.lnk - c:\windows\system32\VirtualExpander\VirtualExpander.exe [2007-11-28 474808]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-11-16 24576]
Launch Softros Messenger.lnk - c:\program files\Softros Systems\Softros Messenger\Messenger.exe [2010-5-9 1457896]
NETGEAR WNDA3100v2 Smart Wizard.lnk - c:\program files\NETGEAR\WNDA3100v2\WNDA3100v2.exe [2010-6-16 3272704]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2007-11-16 21:52 227328 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2006-08-17 15:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"GoogleDesktopManager"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Panasonic\\TrapMonitor\\Trapmnnt.exe"=
"c:\\Program Files\\Panasonic\\Panasonic-DMS\\LRecvTrap\\LRecvTrap.exe"=
"c:\\Program Files\\Softros Systems\\Softros Messenger\\Messenger.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5803:TCP"= 5803:TCP:koxhuqo

R2 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [3/17/2006 6:25 PM 65536]
R2 TeamViewer5;TeamViewer 5;c:\program files\TeamViewer\Version5\TeamViewer_Service.exe [4/16/2010 2:18 AM 173352]
S2 qhwdfzl;Shell Security;c:\windows\system32\svchost.exe -k netsvcs [8/10/2004 1:51 PM 14336]
S2 WSWNDA3100;WSWNDA3100;c:\program files\NETGEAR\WNDA3100v2\WifiSvc.exe [6/16/2010 8:02 PM 278528]
S3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;c:\windows\system32\drivers\bcmwlhigh5.sys [6/16/2010 7:57 PM 632576]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [7/24/2003 12:10 PM 17149]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
qhwdfzl
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3071116
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {03BEFDC2-50AB-4D9A-891B-9C060532ACBF} = 10.0.0.1
FF - ProfilePath - c:\documents and settings\nathan\Application Data\Mozilla\Firefox\Profiles\klhjl7o8.default\
FF - prefs.js: browser.startup.homepage - camaro5.com
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-08 12:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\qhwdfzl]
"ServiceDll"="c:\windows\system32\vlmlrxni.dll"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\acs.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Panasonic\TrapMonitor\Trapmnnt.exe
c:\program files\TeamViewer\Version5\TeamViewer.exe
c:\windows\stsystra.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2010-07-08 12:12:29 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-08 17:12

Pre-Run: 63,614,398,464 bytes free
Post-Run: 65,012,621,312 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 188C45F8EF3DAFDDC6E0DB04AE4686FD
Hello nat1 :smile:

Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.


***************************************************

Open notepad and copy/paste the text in the code box below into it:


Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5803:TCP"=-

NetSvc::
qhwdfzl

Driver::
qhwdfzl

Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe

***************************************************

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

***************************************************

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, please post the contents of C:\ComboFix.txt.

You should see marked improvement now. How is the system behaving?
OK, I ran the script and it made a log; I didn't get a chance to grab it or check results. I will know tomorrow though. For the sake of curiosity I have 2 questions:

1. what did i have?
2. Did you write the script you gave me for ComboFix yourself?

Thanks for all the help! :pray::pray::pray:
You're welcome, but we aren't quite through here.

1. Conficker. See this link for a description, which is why I wanted to see scans for all machines that are networked to this one.

2. Yes. I find the bad guys, write the script, then you and I can take them out quite easily, thanks to the author of ComboFix. :wink:

When you have access to the computer and it does not need to be used for several hours by anyone, we need to run this online scan to search for any remnants. It can take several hours, so please be patient and allow it to run its full course:

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.
  • Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
OK, I'll do that today. I'll put it on our guest network so it can't communicate with the other computers, and I'll have the log tomorrow.

I can't believe how much you guys do for everyone here; it's absolutely incredible. I can't say thank you enough. :pray::pray::pray::heartlove:heartlove:heartlove:pray::pray::pray:
I think you just did. :grin:

You're welcome, and we'll be able to wrap this up after we get the results of that online scan. :)
I can't access the scanner. I plugged in my flash drive that I had used before with this computer; could it be interfering? I just tried McAfee's site and it's got the bug back.....
It's possible the flash drive carried the infection. Has that same drive been connected to this machine prior to the disinfection? Run a new scan with dds.scr and post just the dds.txt.
Yes. I connected the drive to a computer with McAfee and it removed something. I will run DDS again; would you like me to post the logs for the computers I have had the drive connected to? They would be 2 of my home computers. But the script you wrote did work, and it did work well. :)
Yes, begin new threads for the home computers as well. The script will not be the same for each machine, nor the same for this machine again. Post the dds.txt for this one as soon as you can.

Entitle the home computers Ried - Home PC1 and Ried - Home PC2. For those, I'll need dds.txt, attach.txt and gmer scan.
OK, will do. I'll have the church one tomorrow.

Sorry to infect them again. :upset: :sigh: :4-flowers
OK, here is the DDS log, and attached is the other log.


DDS (Ver_10-03-17.01) - NTFSx86
Run by nathan at 11:58:12.03 on Sun 07/11/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1643 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Panasonic\TrapMonitor\Trapmnnt.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe
C:\Program Files\NETGEAR\WNDA3100v2\WifiSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\NETGEAR\WNDA3100v2\WNDA3100v2.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
c:\progra~1\common~1\instal~1\update~1\isuspm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Documents and Settings\nathan\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3071116
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [Acrobat Speed Launch] "c:\program files\adobe\acrobat 8.0\acrobat\acrobat_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [BtcMouseMaestro] "c:\program files\hp wireless 4 button laser mouse\KMaestro.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\launch~1.lnk - c:\program files\softros systems\softros messenger\Messenger.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wnda3100v2\WNDA3100v2.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\nathan\applic~1\mozilla\firefox\profiles\klhjl7o8.default\
FF - prefs.js: browser.startup.homepage - camaro5.com
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R2 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2006-3-17 65536]
R2 TeamViewer5;TeamViewer 5;c:\program files\teamviewer\version5\TeamViewer_Service.exe [2010-4-16 173352]
R2 WSWNDA3100;WSWNDA3100;c:\program files\netgear\wnda3100v2\WifiSvc.exe [2010-7-10 278528]
R3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;c:\windows\system32\drivers\bcmwlhigh5.sys [2010-7-10 632576]
S2 twxyhn;Task Manager;c:\windows\system32\svchost.exe -k netsvcs [2004-8-10 14336]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2003-7-24 17149]
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [2010-7-10 34064]

=============== Created Last 30 ================

2010-07-10 16:52:02 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-07-10 16:52:02 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-10 16:14:26 632576 ----a-w- c:\windows\system32\drivers\bcmwlhigh5.sys
2010-07-10 16:14:25 88696 ----a-w- c:\windows\system32\Packet.dll
2010-07-10 16:14:25 721920 ----a-w- c:\windows\system32\lsas2c77.rra
2010-07-10 16:14:25 68224 ----a-w- c:\windows\system32\WanPacket.dll
2010-07-10 16:14:25 53299 ----a-w- c:\windows\system32\pthreadVC.dll
2010-07-10 16:14:25 34064 ----a-w- c:\windows\system32\drivers\npf.sys
2010-07-10 16:14:25 240248 ----a-w- c:\windows\system32\wpcap.dll
2010-07-10 16:14:24 196608 ----a-w- c:\windows\system32\wps_api.dll
2010-07-10 14:40:49 0 d-----w- c:\windows\system32\SoftwareDistribution
2010-07-08 17:04:43 0 d-sha-r- C:\cmdcons
2010-07-08 17:02:32 98816 ----a-w- c:\windows\sed.exe
2010-07-08 17:02:32 77312 ----a-w- c:\windows\MBR.exe
2010-07-08 17:02:32 256512 ----a-w- c:\windows\PEV.exe
2010-07-08 17:02:32 161792 ----a-w- c:\windows\SWREG.exe
2010-07-06 14:48:59 0 d-----w- c:\docume~1\nathan\applic~1\Malwarebytes
2010-07-06 14:48:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-06 14:48:46 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-06 14:48:46 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-06 14:48:46 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-06-17 01:02:36 721920 ----a-w- c:\windows\system32\lsas84fb.rra
2010-06-17 00:15:57 721920 ----a-w- c:\windows\system32\lsas30ac.rra
2010-06-17 00:01:59 57408 ----a-w- c:\windows\system32\drivers\wsimd.sys
2010-06-13 17:30:29 721920 ----a-w- c:\windows\system32\lsas8ec2.rra
2010-06-13 16:11:38 0 d-----w- c:\program files\Atheros
2010-06-13 16:05:07 0 d--h--r- c:\docume~1\alluse~1\applic~1\Atheros
2010-06-13 16:03:48 0 d-----w- c:\program files\NETGEAR
2010-06-13 16:03:37 0 d-----w- c:\docume~1\alluse~1\applic~1\NETGEAR

==================== Find3M ====================

2010-05-05 00:40:40 212 ----a-w- c:\program files\Setup.log
2010-05-05 00:40:34 127 ----a-w- c:\program files\PanaHDS.ini
2007-04-16 15:52:53 155936 --sha-r- c:\windows\system32\vlmlrxni.dll

============= FINISH: 11:58:22.76 ===============

Thank you. Open notepad and copy/paste the text in the code box below into it:


NetSvc::
twxyhn

Driver::
twxyhn

Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe

***************************************************

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

***************************************************





Referring to the picture above, drag CFScript into ComboFix.exe. If ComboFix prompts you to update the tool, please allow it to do so.


When finished, please post the C:\ComboFix.txt
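A defender-side check that does mechanically what Ried did by eye in the DDS log above: parse the SERVICES / DRIVERS lines, flag a service that is hosted in `svchost.exe -k netsvcs` but is not a known member of that group (the pattern behind the `twxyhn` entry), and emit the NetSvc::/Driver:: block in the shape posted above. This is an added example, not code from the thread or from the DDS/ComboFix authors; the sample lines are copied from the DDS log above, and the allow-list of netsvcs members is an assumed, partial list.

```python
"""Flag suspicious entries in the SERVICES / DRIVERS section of a DDS log.

Added example for this thread; not part of DDS or ComboFix.
"""
import re
from dataclasses import dataclass, field

# ASSUMPTION: partial, hand-written list of service short names that
# legitimately run inside the Windows XP "netsvcs" svchost group. Build the
# real list from a known-clean machine before relying on it.
KNOWN_NETSVCS = {
    "appmgmt", "audiosrv", "browser", "cryptsvc", "dmserver", "dhcp", "ersvc",
    "eventsystem", "fastuserswitchingcompatibility", "helpsvc", "hidserv",
    "ias", "iprip", "irmon", "lanmanserver", "lanmanworkstation", "messenger",
    "netman", "nla", "ntmssvc", "nwcworkstation", "nwsapagent", "rasauto",
    "rasman", "remoteaccess", "schedule", "seclogon", "sens", "sharedaccess",
    "shellhwdetection", "srservice", "tapisrv", "themes", "trkwks", "w32time",
    "wzcsvc", "wmi", "wmdmpmsp", "winmgmt", "wscsvc", "xmlprov", "bits",
    "wuauserv", "uploadmgr",
}

# One DDS service line, e.g.
#   S2 twxyhn;Task Manager;c:\windows\system32\svchost.exe -k netsvcs [2004-8-10 14336]
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*?)"
    r"(?:\s+\[(?P<stamp>[^\]]*)\])?\s*$"
)
NETSVCS_RE = re.compile(r"svchost(?:\.exe)?\s+-k\s+netsvcs\b", re.IGNORECASE)
VOWELS = set("aeiou")


@dataclass
class Service:
    start: str
    name: str
    display: str
    path: str
    reasons: list = field(default_factory=list)


def parse_services(log_text):
    """Return every line of the log that parses as a DDS service entry."""
    services = []
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            services.append(Service(m["start"], m["name"], m["display"],
                                    m["path"].strip()))
    return services


def looks_random(name):
    """Crude heuristic for machine-generated names: 5+ letters, no vowels."""
    return name.isalpha() and len(name) >= 5 and not (set(name.lower()) & VOWELS)


def analyze(log_text):
    """Flag services worth a second look, with the reason for each."""
    flagged = []
    for svc in parse_services(log_text):
        if NETSVCS_RE.search(svc.path) and svc.name.lower() not in KNOWN_NETSVCS:
            svc.reasons.append("hosted in svchost -k netsvcs but not a known member")
        if looks_random(svc.name):
            svc.reasons.append("random-looking service name")
        if svc.reasons:
            flagged.append(svc)
    return flagged


def cfscript_for(flagged):
    """Emit the NetSvc::/Driver:: block in the form Ried posted above."""
    names = "\n".join(s.name for s in flagged)
    return f"NetSvc::\n{names}\n\nDriver::\n{names}\n"


# Sample input copied from the SERVICES / DRIVERS section of the DDS log above.
SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============

R2 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2006-3-17 65536]
R2 TeamViewer5;TeamViewer 5;c:\program files\teamviewer\version5\TeamViewer_Service.exe [2010-4-16 173352]
R2 WSWNDA3100;WSWNDA3100;c:\program files\netgear\wnda3100v2\WifiSvc.exe [2010-7-10 278528]
R3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;c:\windows\system32\drivers\bcmwlhigh5.sys [2010-7-10 632576]
S2 twxyhn;Task Manager;c:\windows\system32\svchost.exe -k netsvcs [2004-8-10 14336]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2003-7-24 17149]
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [2010-7-10 34064]
"""

if __name__ == "__main__":
    hits = analyze(SAMPLE_LOG)
    for svc in hits:
        print(f"{svc.name:12} {svc.display!r:20} -> {'; '.join(svc.reasons)}")
    print(cfscript_for(hits))
```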
It seems fixed; here's the log:

ComboFix 10-07-14.01 - nathan 07/14/2010 14:50:04.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1655 [GMT -5:00]
Running from: c:\documents and settings\nathan\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\nathan\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TWXYHN
-------\Service_NPF
-------\Service_twxyhn


((((((((((((((((((((((((( Files Created from 2010-06-14 to 2010-07-14 )))))))))))))))))))))))))))))))
.

2010-07-10 16:52 . 2010-07-10 16:52 -------- d-----w- c:\windows\Sun
2010-07-10 16:52 . 2010-07-10 16:52 503808 ----a-w- c:\documents and settings\nathan\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3b9d3c3b-n\msvcp71.dll
2010-07-10 16:52 . 2010-07-10 16:52 499712 ----a-w- c:\documents and settings\nathan\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3b9d3c3b-n\jmc.dll
2010-07-10 16:52 . 2010-07-10 16:52 348160 ----a-w- c:\documents and settings\nathan\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3b9d3c3b-n\msvcr71.dll
2010-07-10 16:52 . 2010-07-10 16:52 61440 ----a-w- c:\documents and settings\nathan\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3679756a-n\decora-sse.dll
2010-07-10 16:52 . 2010-07-10 16:52 12800 ----a-w- c:\documents and settings\nathan\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3679756a-n\decora-d3d.dll
2010-07-10 16:52 . 2010-07-10 16:51 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-10 16:14 . 2009-05-05 17:00 632576 ----a-w- c:\windows\system32\drivers\bcmwlhigh5.sys
2010-07-10 16:14 . 2008-11-14 22:35 196608 ----a-w- c:\windows\system32\wps_api.dll
2010-07-06 14:48 . 2010-07-06 14:48 -------- d-----w- c:\documents and settings\nathan\Application Data\Malwarebytes
2010-07-06 14:48 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-06 14:48 . 2010-07-06 14:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-06 14:48 . 2010-07-06 14:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-06 14:48 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-17 00:01 . 2007-12-14 09:31 57408 ----a-w- c:\windows\system32\drivers\wsimd.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-10 16:51 . 2007-11-16 21:36 -------- d-----w- c:\program files\Java
2010-07-10 16:13 . 2007-11-16 21:39 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-10 16:10 . 2010-06-13 16:11 -------- d-----w- c:\program files\Atheros
2010-07-08 17:01 . 2007-12-30 19:10 -------- d-----w- c:\documents and settings\nathan\Application Data\U3
2010-07-06 13:47 . 2007-11-16 21:48 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-06-17 01:02 . 2010-06-13 16:03 -------- d-----w- c:\program files\NETGEAR
2010-06-13 16:05 . 2010-06-13 16:05 -------- d--h--r- c:\documents and settings\All Users\Application Data\Atheros
2010-06-13 16:03 . 2010-06-13 16:03 -------- d-----w- c:\documents and settings\All Users\Application Data\NETGEAR
2010-06-06 14:26 . 2010-05-09 14:59 -------- d-----w- c:\documents and settings\nathan\Application Data\Softros Messenger
2010-06-02 00:37 . 2010-06-02 00:37 -------- d-----w- c:\program files\TeamViewer
2010-05-30 15:28 . 2010-05-30 15:28 -------- d-----w- c:\documents and settings\nathan\Application Data\TeamViewer
2010-05-16 14:18 . 2010-05-16 14:18 -------- d-----w- c:\documents and settings\kim\Application Data\Softros Messenger
2010-05-05 00:40 . 2010-05-05 00:40 212 ----a-w- c:\program files\Setup.log
2010-05-05 00:40 . 2010-05-05 00:40 127 ----a-w- c:\program files\PanaHDS.ini
2010-05-02 14:58 . 2010-05-02 14:58 0 ----a-w- c:\windows\nsreg.dat
2007-04-16 15:52 . 2004-08-10 18:51 155936 --sha-r- c:\windows\system32\vlmlrxni.dll
.

((((((((((((((((((((((((((((( [email protected]_17.09.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-14 19:53 . 2010-07-14 19:53 16384 c:\windows\temp\Perflib_Perfdata_788.dat
+ 2009-08-07 00:24 . 2009-08-07 00:24 44768 c:\windows\system32\wups2.dll
+ 2004-08-10 19:02 . 2009-08-07 00:24 35552 c:\windows\system32\wups.dll
+ 2004-08-10 19:02 . 2009-08-07 00:24 53472 c:\windows\system32\wuauclt.exe
+ 2010-07-10 14:40 . 2009-08-07 00:24 35552 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.4.7600.226\wups.dll
+ 2004-08-10 19:02 . 2009-08-07 00:24 35552 c:\windows\system32\dllcache\wups.dll
+ 2004-08-10 19:02 . 2009-08-07 00:24 53472 c:\windows\system32\dllcache\wuauclt.exe
+ 2004-08-10 18:50 . 2009-08-07 00:24 96480 c:\windows\system32\dllcache\cdm.dll
+ 2004-08-10 18:50 . 2009-08-07 00:24 96480 c:\windows\system32\cdm.dll
- 2010-06-13 16:03 . 2010-06-17 00:01 3638 c:\windows\Installer\{C0100D9E-2372-45E2-BDA5-BD18F9B03298}\NewShortcut9_385FFF305DB34C18B1F9D7793D1B9A0B.exe
+ 2010-06-13 16:03 . 2010-07-10 16:10 3638 c:\windows\Installer\{C0100D9E-2372-45E2-BDA5-BD18F9B03298}\NewShortcut9_385FFF305DB34C18B1F9D7793D1B9A0B.exe
+ 2010-06-13 16:03 . 2010-07-10 16:10 3638 c:\windows\Installer\{C0100D9E-2372-45E2-BDA5-BD18F9B03298}\NewShortcut8_385FFF305DB34C18B1F9D7793D1B9A0B.exe
- 2010-06-13 16:03 . 2010-06-17 00:01 3638 c:\windows\Installer\{C0100D9E-2372-45E2-BDA5-BD18F9B03298}\NewShortcut8_385FFF305DB34C18B1F9D7793D1B9A0B.exe
+ 2010-06-13 16:03 . 2010-07-10 16:10 3638 c:\windows\Installer\{C0100D9E-2372-45E2-BDA5-BD18F9B03298}\NewShortcut6_385FFF305DB34C18B1F9D7793D1B9A0B.exe
- 2010-06-13 16:03 . 2010-06-17 00:01 3638 c:\windows\Installer\{C0100D9E-2372-45E2-BDA5-BD18F9B03298}\NewShortcut6_385FFF305DB34C18B1F9D7793D1B9A0B.exe
- 2010-06-13 16:03 . 2010-06-17 00:01 3638 c:\windows\Installer\{C0100D9E-2372-45E2-BDA5-BD18F9B03298}\NewShortcut5_385FFF305DB34C18B1F9D7793D1B9A0B.exe
+ 2010-06-13 16:03 . 2010-07-10 16:10 3638 c:\windows\Installer\{C0100D9E-2372-45E2-BDA5-BD18F9B03298}\NewShortcut5_385FFF305DB34C18B1F9D7793D1B9A0B.exe
+ 2010-06-13 16:03 . 2010-07-10 16:10 3638 c:\windows\Installer\{C0100D9E-2372-45E2-BDA5-BD18F9B03298}\NewShortcut4_385FFF305DB34C18B1F9D7793D1B9A0B.exe
- 2010-06-13 16:03 . 2010-06-17 00:01 3638 c:\windows\Installer\{C0100D9E-2372-45E2-BDA5-BD18F9B03298}\NewShortcut4_385FFF305DB34C18B1F9D7793D1B9A0B.exe
+ 2010-06-13 16:03 . 2010-07-10 16:10 3638 c:\windows\Installer\{C0100D9E-2372-45E2-BDA5-BD18F9B03298}\NewShortcut23_385FFF305DB34C18B1F9D7793D1B9A0B.exe
- 2010-06-13 16:03 . 2010-06-17 00:01 3638 c:\windows\Installer\{C0100D9E-2372-45E2-BDA5-BD18F9B03298}\NewShortcut23_385FFF305DB34C18B1F9D7793D1B9A0B.exe
- 2010-06-13 16:03 . 2010-06-17 00:01 3638 c:\windows\Installer\{C0100D9E-2372-45E2-BDA5-BD18F9B03298}\NewShortcut22_385FFF305DB34C18B1F9D7793D1B9A0B.exe
+ 2010-06-13 16:03 . 2010-07-10 16:10 3638 c:\windows\Installer\{C0100D9E-2372-45E2-BDA5-BD18F9B03298}\NewShortcut22_385FFF305DB34C18B1F9D7793D1B9A0B.exe
+ 2010-06-13 16:03 . 2010-07-10 16:10 4710 c:\windows\Installer\{C0100D9E-2372-45E2-BDA5-BD18F9B03298}\NewShortcut21_C0100D9E237245E2BDA5BD18F9B03298.exe
- 2010-06-13 16:03 . 2010-06-17 00:01 4710 c:\windows\Installer\{C0100D9E-2372-45E2-BDA5-BD18F9B03298}\NewShortcut21_C0100D9E237245E2BDA5BD18F9B03298.exe
+ 2010-06-13 16:03 . 2010-07-10 16:10 3638 c:\windows\Installer\{C0100D9E-2372-45E2-BDA5-BD18F9B03298}\NewShortcut2_385FFF305DB34C18B1F9D7793D1B9A0B.exe
- 2010-06-13 16:03 . 2010-06-17 00:01 3638 c:\windows\Installer\{C0100D9E-2372-45E2-BDA5-BD18F9B03298}\NewShortcut2_385FFF305DB34C18B1F9D7793D1B9A0B.exe
+ 2010-06-13 16:03 . 2010-07-10 16:10 3638 c:\windows\Installer\{C0100D9E-2372-45E2-BDA5-BD18F9B03298}\NewShortcut19_385FFF305DB34C18B1F9D7793D1B9A0B.exe
- 2010-06-13 16:03 . 2010-06-17 00:01 3638 c:\windows\Installer\{C0100D9E-2372-45E2-BDA5-BD18F9B03298}\NewShortcut19_385FFF305DB34C18B1F9D7793D1B9A0B.exe
+ 2010-06-13 16:03 . 2010-07-10 16:10 3638 c:\windows\Installer\{C0100D9E-2372-45E2-BDA5-BD18F9B03298}\NewShortcut18_385FFF305DB34C18B1F9D7793D1B9A0B.exe
- 2010-06-13 16:03 . 2010-06-17 00:01 3638 c:\windows\Installer\{C0100D9E-2372-45E2-BDA5-BD18F9B03298}\NewShortcut18_385FFF305DB34C18B1F9D7793D1B9A0B.exe
- 2010-06-13 16:03 . 2010-06-17 00:01 3638 c:\windows\Installer\{C0100D9E-2372-45E2-BDA5-BD18F9B03298}\NewShortcut17_385FFF305DB34C18B1F9D7793D1B9A0B.exe
+ 2010-06-13 16:03 . 2010-07-10 16:10 3638 c:\windows\Installer\{C0100D9E-2372-45E2-BDA5-BD18F9B03298}\NewShortcut17_385FFF305DB34C18B1F9D7793D1B9A0B.exe
+ 2010-06-13 16:03 . 2010-07-10 16:10 3638 c:\windows\Installer\{C0100D9E-2372-45E2-BDA5-BD18F9B03298}\NewShortcut16_385FFF305DB34C18B1F9D7793D1B9A0B.exe
- 2010-06-13 16:03 . 2010-06-17 00:01 3638 c:\windows\Installer\{C0100D9E-2372-45E2-BDA5-BD18F9B03298}\NewShortcut16_385FFF305DB34C18B1F9D7793D1B9A0B.exe
- 2010-06-13 16:03 . 2010-06-17 00:01 4710 c:\windows\Installer\{C0100D9E-2372-45E2-BDA5-BD18F9B03298}\NewShortcut15_C0100D9E237245E2BDA5BD18F9B03298.exe
+ 2010-06-13 16:03 . 2010-07-10 16:10 4710 c:\windows\Installer\{C0100D9E-2372-45E2-BDA5-BD18F9B03298}\NewShortcut15_C0100D9E237245E2BDA5BD18F9B03298.exe
+ 2010-06-13 16:03 . 2010-07-10 16:10 3638 c:\windows\Installer\{C0100D9E-2372-45E2-BDA5-BD18F9B03298}\NewShortcut14_385FFF305DB34C18B1F9D7793D1B9A0B.exe
- 2010-06-13 16:03 . 2010-06-17 00:01 3638 c:\windows\Installer\{C0100D9E-2372-45E2-BDA5-BD18F9B03298}\NewShortcut14_385FFF305DB34C18B1F9D7793D1B9A0B.exe
- 2010-06-13 16:03 . 2010-06-17 00:01 3638 c:\windows\Installer\{C0100D9E-2372-45E2-BDA5-BD18F9B03298}\NewShortcut13_385FFF305DB34C18B1F9D7793D1B9A0B.exe
+ 2010-06-13 16:03 . 2010-07-10 16:10 3638 c:\windows\Installer\{C0100D9E-2372-45E2-BDA5-BD18F9B03298}\NewShortcut13_385FFF305DB34C18B1F9D7793D1B9A0B.exe
+ 2010-06-13 16:03 . 2010-07-10 16:10 4710 c:\windows\Installer\{C0100D9E-2372-45E2-BDA5-BD18F9B03298}\NewShortcut11_C0100D9E237245E2BDA5BD18F9B03298.exe
- 2010-06-13 16:03 . 2010-06-17 00:01 4710 c:\windows\Installer\{C0100D9E-2372-45E2-BDA5-BD18F9B03298}\NewShortcut11_C0100D9E237245E2BDA5BD18F9B03298.exe
- 2010-06-13 16:03 . 2010-06-17 00:01 3638 c:\windows\Installer\{C0100D9E-2372-45E2-BDA5-BD18F9B03298}\NewShortcut1_385FFF305DB34C18B1F9D7793D1B9A0B.exe
+ 2010-06-13 16:03 . 2010-07-10 16:10 3638 c:\windows\Installer\{C0100D9E-2372-45E2-BDA5-BD18F9B03298}\NewShortcut1_385FFF305DB34C18B1F9D7793D1B9A0B.exe
+ 2004-08-10 19:02 . 2009-08-07 00:24 209632 c:\windows\system32\wuweb.dll
+ 2004-08-10 19:02 . 2009-08-07 00:24 327896 c:\windows\system32\wucltui.dll
+ 2004-08-10 19:02 . 2009-08-07 00:23 575704 c:\windows\system32\wuapi.dll
+ 2007-11-16 21:36 . 2010-07-10 16:51 153376 c:\windows\system32\javaws.exe
+ 2007-11-16 21:36 . 2010-07-10 16:51 145184 c:\windows\system32\javaw.exe
+ 2007-11-16 21:36 . 2010-07-10 16:51 145184 c:\windows\system32\java.exe
+ 2004-08-10 19:02 . 2009-08-07 00:24 209632 c:\windows\system32\dllcache\wuweb.dll
+ 2004-08-10 19:02 . 2009-08-07 00:24 327896 c:\windows\system32\dllcache\wucltui.dll
+ 2004-08-10 19:02 . 2009-08-07 00:23 575704 c:\windows\system32\dllcache\wuapi.dll
+ 2010-07-10 16:52 . 2010-07-10 16:52 180224 c:\windows\Installer\796dad.msi
+ 2010-07-10 16:51 . 2010-07-10 16:51 576000 c:\windows\Installer\796da8.msi
+ 2004-08-10 19:02 . 2009-08-07 00:23 1929952 c:\windows\system32\wuaueng.dll
+ 2004-08-10 19:02 . 2009-08-07 00:23 1929952 c:\windows\system32\dllcache\wuaueng.dll
+ 2010-06-13 16:03 . 2010-07-10 16:11 15243776 c:\windows\Downloaded Installations\{3030A6B7-BF78-4AB1-A229-C01653E34F81}\WNDA3100.msi
- 2010-06-13 16:03 . 2010-06-17 00:00 15243776 c:\windows\Downloaded Installations\{3030A6B7-BF78-4AB1-A229-C01653E34F81}\WNDA3100.msi
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"SigmatelSysTrayApp"="stsystra.exe" [2006-08-30 282624]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]
"Acrobat Speed Launch"="c:\program files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe" [2006-10-23 46200]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"BtcMouseMaestro"="c:\program files\HP Wireless 4 Button Laser Mouse\KMaestro.exe" [2007-08-24 344064]

c:\documents and settings\kim\Start Menu\Programs\Startup\
VirtualExpander.lnk - c:\windows\system32\VirtualExpander\VirtualExpander.exe [2007-11-28 474808]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-11-16 24576]
Launch Softros Messenger.lnk - c:\program files\Softros Systems\Softros Messenger\Messenger.exe [2010-5-9 1457896]
NETGEAR WNDA3100v2 Smart Wizard.lnk - c:\program files\NETGEAR\WNDA3100v2\WNDA3100v2.exe [2010-6-16 3272704]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2007-11-16 21:52 227328 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2006-08-17 15:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"GoogleDesktopManager"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Panasonic\\TrapMonitor\\Trapmnnt.exe"=
"c:\\Program Files\\Panasonic\\Panasonic-DMS\\LRecvTrap\\LRecvTrap.exe"=
"c:\\Program Files\\Softros Systems\\Softros Messenger\\Messenger.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5803:TCP"= 5803:TCP:koxhuqo

R2 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [3/17/2006 6:25 PM 65536]
R2 TeamViewer5;TeamViewer 5;c:\program files\TeamViewer\Version5\TeamViewer_Service.exe [4/16/2010 2:18 AM 173352]
R3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;c:\windows\system32\drivers\bcmwlhigh5.sys [7/10/2010 11:14 AM 632576]
S2 WSWNDA3100;WSWNDA3100;c:\program files\NETGEAR\WNDA3100v2\WifiSvc.exe [7/10/2010 11:14 AM 278528]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [7/24/2003 12:10 PM 17149]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3071116
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\nathan\Application Data\Mozilla\Firefox\Profiles\klhjl7o8.default\
FF - prefs.js: browser.startup.homepage - camaro5.com
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-14 14:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\acs.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Panasonic\TrapMonitor\Trapmnnt.exe
c:\program files\TeamViewer\Version5\TeamViewer.exe
c:\windows\system32\wscntfy.exe
c:\windows\stsystra.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2010-07-14 14:57:52 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-14 19:57
ComboFix2.txt 2010-07-09 17:38
ComboFix3.txt 2010-07-08 17:12

Pre-Run: 64,226,222,080 bytes free
Post-Run: 64,222,781,440 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - E71D6C029F51B86C56B61500B8CECC17