Browser proxy server

EdgarJ

[I posted this problem earlier at Annoyances.org]

I am using Firefox 6.0.2 and today, it was weird seeing the message that my proxy server is refusing connections.

I checked how Firefox connects to the internet and I see that the server config has been changed from "no proxy" to "manual proxy". When I change this to "no proxy", Firefox connects properly.

However when I restart Firefox, the proxy setting reverts to "manual".

I have done a virus scan using Comodo, and I get the trojware.win32.trojan.agent.gen virus.

What should I do?

--------------------------------------------
Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7698

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12-Sep-11 8:08:00 PM
mbam-log-2011-09-12 (20-08-00).txt

Scan type: Quick scan
Objects scanned: 173647
Time elapsed: 8 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

--------------------------------------------
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:17:27 PM, on 12-Sep-11
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ASTSRV.EXE
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Nitro PDF\Reader\NitroPDFReaderDriverService2.exe
C:\Program Files\TP-LINK\COMMON\RaRegistry.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\VM305_STI.EXE
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Blue Onion Software\Desk Drive\DeskDrive.exe
C:\Program Files\USBVaccine\USBVaccine.exe
C:\Program Files\Clipdiary\clipdiary.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Iconoid\Iconoid.exe
C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe
C:\Program Files\TP-LINK\COMMON\TWCU.exe
C:\Program Files\Stickies\stickies.exe
C:\WINDOWS\system32\OSK.exe
C:\WINDOWS\system32\MSSWCHX.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.landbank.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [BigDog305] C:\WINDOWS\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [DeskDriveStartup] C:\Program Files\Blue Onion Software\Desk Drive\DeskDrive.exe
O4 - HKCU\..\Run: [USB Vaccine] C:\Program Files\USBVaccine\USBVaccine.exe /resident
O4 - HKCU\..\Run: [Clipdiary] C:\Program Files\Clipdiary\clipdiary.exe
O4 - HKCU\..\Run: [WordWeb] "C:\Program Files\WordWeb\wweb32.exe" -startup
O4 - HKCU\..\Run: [Iconoid] "C:\Program Files\Iconoid\Iconoid.exe"
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe" autostart
O4 - Startup: Stickies.lnk = C:\Program Files\Stickies\stickies.exe
O4 - Global Startup: TP-LINK Wireless Utility.lnk = C:\Program Files\TP-LINK\COMMON\TWCU.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Big%20City%20Adventure/Images/stg_drm.ocx
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1210791222109
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {C4346D6A-0FB5-48AE-95BD-06DE766EB6C8} (LBP_VBAuthentic.Authentic) - https://www.lbpiaccess.com/download/Authentic/LBP_VBAuthentic.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Big%20City%20Adventure/Images/armhelper.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{00BA0350-A00A-48D1-8755-C7D91713E4F0}: NameServer = 192.168.254.254,202.126.40.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{00BA0350-A00A-48D1-8755-C7D91713E4F0}: NameServer = 192.168.254.254,202.126.40.5
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AST Service (astcc) - Nalpeiron Ltd. - C:\WINDOWS\system32\ASTSRV.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NitroPDFReaderDriverCreatorReadSpool2 (NitroReaderDriverReadSpool2) - Nitro PDF Software - C:\Program Files\Nitro PDF\Reader\NitroPDFReaderDriverService2.exe
O23 - Service: Ralink Registry Writer (RalinkRegistryWriter) - Ralink Technology, Corp. - C:\Program Files\TP-LINK\COMMON\RaRegistry.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 8269 bytes

--------------------------------------------

I have deleted the infected keys/values from the registry (and from the quarantined area of Malwarebytes' Anti-Malware 1.51.1.1800). Rebooted as instructed by Malwarebytes' Anti-Malware. Yet the problem still persists.
 
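HijackThis logs like the one above are normally read line by line by a helper. As an added example that is not part of the original post or of HijackThis itself, the following Python script parses the `Rn - ` / `Onn - ` section lines into records and applies four review rules a responder usually applies by eye: an R1 `ProxyServer` entry (the WinINET proxy Firefox also uses when set to "system" proxy), O4 autostarts whose binary runs directly from the Windows root or from Application Data / Temp folders (a heuristic, not a verdict), O17 name servers outside private address space, and any O20 `AppInit_DLLs` entry. The sample log is constructed in the same format as the logs in this thread; everything it flags is a prompt to verify, nothing more.

```python
"""Triage helper for HijackThis v2 logs.

Added example for this thread; not part of HijackThis or of the posted logs.  It parses
the 'Rn - ' / 'Onn - ' lines into records and applies a few review rules a responder
checks by hand.  The sample log below is constructed in the same format as the logs in
the thread; flagged items are review prompts, not verdicts.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple

_LINE_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
# O4 bodies look like:  HKLM\..\Run: [Name] "C:\path\prog.exe" args
_EXE_RE = re.compile(r'\]\s+"?(.+?\.exe)"?(?=\s|$)', re.IGNORECASE)
_NS_RE = re.compile(r"NameServer\s*=\s*(.+)$")


@dataclass
class Entry:
    section: str  # R0..R3 (IE URLs / proxy) or O1..O24 (hooks, autostarts, services, ...)
    body: str


def parse_hjt(text: str) -> List[Entry]:
    """Keep only the section lines; headers, the process list and blanks are dropped."""
    out: List[Entry] = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            out.append(Entry(m.group(1), m.group(2)))
    return out


def unusual_autostart_folder(path: str) -> bool:
    """Heuristic: autostart binaries directly under %WINDIR% or inside the user's
    Application Data / Temp folders warrant a publisher check before being trusted."""
    folder = path.rsplit("\\", 1)[0].lower()
    return folder == "c:\\windows" or "\\application data" in folder or "\\temp" in folder


def triage(text: str) -> List[Tuple[str, str]]:
    """Return (section, note) pairs for entries worth a second look."""
    findings: List[Tuple[str, str]] = []
    for e in parse_hjt(text):
        if e.section == "R1" and "ProxyServer" in e.body:
            findings.append((e.section, "IE/WinINET proxy set: " + e.body.split("=", 1)[1].strip()))
        elif e.section == "O4":
            m = _EXE_RE.search(e.body)
            if m and unusual_autostart_folder(m.group(1)):
                findings.append((e.section, "autostart from unusual folder: " + m.group(1)))
        elif e.section == "O17":
            m = _NS_RE.search(e.body)
            for ip in (re.split(r"[,\s]+", m.group(1).strip()) if m else []):
                try:
                    if not ipaddress.ip_address(ip).is_private:
                        findings.append((e.section, f"public DNS resolver {ip}: confirm it is your ISP's or router's"))
                except ValueError:
                    findings.append((e.section, f"unparseable NameServer value {ip!r}"))
        elif e.section == "O20" and e.body.startswith("AppInit_DLLs:"):
            findings.append((e.section, e.body + ": injected into every process that loads user32.dll; verify the DLL's signer"))
    return findings


# Constructed sample in HijackThis v2 format (the Updater entry is hypothetical).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:57:23 PM, on 13-Sep-11
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.example.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:55192
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKCU\..\Run: [Updater] C:\Documents and Settings\user\Application Data\updater.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{00BA0350-A00A-48D1-8755-C7D91713E4F0}: NameServer = 192.168.254.254,202.126.40.5
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
"""

if __name__ == "__main__":
    for section, note in triage(SAMPLE_LOG):
        print(f"{section}: {note}")
```

Feed it a saved hijackthis.log instead of `SAMPLE_LOG` to get the same notes for a real scan; anything it prints still has to be checked against the vendor (signature, install path, the ISP's published resolvers) before it is treated as a problem.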
Hi, I'm glad you decided to post here as well, as it's easier to help you here than at Annoyances.

Since you still seem to be infected, do the following and post the log.

Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.
  • Download this file here :

    Combofix

  • When the page loads click on the blue combofix download link next to the BleepingComputer Mirror.
  • Save the file to your windows desktop. The combofix icon will look like this when it has downloaded to your desktop.

  • We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:

  • Close all open Windows including this one.
  • Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix. Instructions on disabling these types of programs can be found here.
    Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.
  • Please click on I agree on the disclaimer window.
  • ComboFix will now install itself on to your computer. When it is done, a blue screen will appear as shown below.


  • ComboFix is now preparing to run. When it has finished ComboFix will automatically attempt to create a System Restore point so that if any problems occur while using the program you can restore back to your previous configuration. When ComboFix has finished creating the restore point, it will then backup your Windows Registry as shown in the image below.


  • Once the Windows Registry has finished being backed up, ComboFix will attempt to detect if you have the Windows Recovery Console installed. If you already have it installed, you can skip to this section and continue reading. Otherwise you will see the following message as shown below:


  • At the above message box, please click on the Yes button in order for ComboFix to continue. Please follow the steps and instructions given by ComboFix in order to finish the installation of the Recovery Console.
  • Please click on yes in the next window to continue scanning for malware.
  • ComboFix will now disconnect your computer from the Internet, so do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet. When ComboFix has finished it will automatically restore your Internet connection.
  • ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient.
  • While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to their previous settings. You will also see the text in the ComboFix window being updated as it goes through the various stages of its scan. An example of this can be seen below.


  • When ComboFix has finished running, you will see a screen stating that it is preparing the log report.
  • This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the program's log file, or report, will be located at C:\ComboFix.txt.
  • When ComboFix has finished, it will automatically close the program and change your clock back to its original format. It will then display the log file automatically for you.
  • Now you just click on the edit menu and click on select all, then click on the edit menu again and click on copy. Then come to the forum in your reply and right click on your mouse and click on paste.


In your next reply please post:
  • The ComboFix log
  • A fresh HiJackThis log
  • An update on how your computer is running


After running ComboFix, please navigate to C:\qoobox and in that folder will be a file named add-remove programs.txt. Please open that file and copy and paste the contents back here with the other logs requested.
 
ComboFix 11-09-12.03 - Edgar Javison 13-Sep-11 8:10.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1919.1327 [GMT 8:00]
Running from: z:\for installation\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: COMODO Antivirus *Disabled/Updated* {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
FW: COMODO Firewall *Disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Autorun.inf
c:\documents and settings\Edgar Javison\Application Data\3D3A.E54
c:\documents and settings\Edgar Javison\Application Data\ispro3_0.tmp
c:\documents and settings\Edgar Javison\Application Data\ispro3_1.tmp
c:\documents and settings\Edgar Javison\Application Data\ispro3_2.tmp
c:\documents and settings\Edgar Javison\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\Edgar Javison\Local Settings\Application Data\ApplicationHistory\BNS_RS~1.SCR.4393fe30.ini
c:\documents and settings\Edgar Javison\Local Settings\Application Data\ApplicationHistory\ColorPickerPro.exe.f1e54440.ini
c:\documents and settings\Edgar Javison\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini
c:\documents and settings\Edgar Javison\Local Settings\Application Data\ApplicationHistory\OmeaReader.exe.7ad9ba20.ini
c:\documents and settings\Edgar Javison\Local Settings\Application Data\ApplicationHistory\RssReader.exe.d1c9b1ec.ini
c:\documents and settings\Edgar Javison\WINDOWS
c:\windows\VM305Cap.exe
D:\install.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-08-13 to 2011-09-13 )))))))))))))))))))))))))))))))
.
.
2011-09-12 11:53 . 2011-09-12 11:53 -------- d-----w- c:\documents and settings\Edgar Javison\Application Data\Malwarebytes
2011-09-12 11:53 . 2011-07-06 11:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-12 11:53 . 2011-09-12 11:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-09-12 11:52 . 2011-07-06 11:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-12 11:52 . 2011-09-12 11:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-11 12:17 . 2011-09-11 12:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo Downloader
2011-09-05 10:52 . 2011-09-05 10:52 -------- d-----w- c:\program files\DreamQuest
2011-09-03 10:17 . 2011-09-03 10:17 599040 -c----w- c:\windows\system32\dllcache\crypt32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-12 23:31 . 2004-08-04 12:00 7659520 ----a-w- c:\windows\system32\logonuiX.exe
2011-09-06 20:45 . 2010-10-10 10:51 41184 ----a-w- c:\windows\avastSS.scr
2011-09-06 20:45 . 2010-10-10 10:51 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-09-06 20:38 . 2011-03-22 11:48 442200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-09-06 20:37 . 2010-10-10 10:52 320856 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-09-06 20:36 . 2010-10-10 10:52 34392 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-09-06 20:36 . 2010-10-10 10:52 52568 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-09-06 20:36 . 2010-10-10 10:52 110552 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-09-06 20:36 . 2010-10-10 10:52 104536 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-09-06 20:36 . 2010-10-10 10:52 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-09-06 20:33 . 2010-10-10 10:52 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-09-03 10:17 . 2004-08-04 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-08-28 00:39 . 2011-05-14 23:36 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-24 00:00 . 2009-01-07 15:23 2332416 ----a-w- c:\windows\system32\TUKernel.exe
2011-07-15 13:29 . 2004-08-04 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2004-08-04 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-07 22:09 . 2010-06-01 11:00 285256 ----a-w- c:\windows\system32\guard32.dll
2011-07-07 22:08 . 2010-06-01 11:00 97504 ----a-w- c:\windows\system32\drivers\inspect.sys
2011-07-07 22:08 . 2010-06-01 11:00 29400 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-07-07 22:08 . 2010-06-01 11:00 17416 ----a-w- c:\windows\system32\drivers\cmderd.sys
2011-07-07 22:08 . 2010-06-04 03:55 242600 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2011-06-24 14:10 . 2008-05-14 04:13 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2004-08-04 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-06-21 10:56 . 2011-07-08 07:42 17712 ----a-w- c:\windows\system32\nitrolocalui2.dll
2011-06-21 10:56 . 2011-07-08 07:42 26416 ----a-w- c:\windows\system32\nitrolocalmon2.dll
2011-06-20 17:44 . 2004-08-04 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-09-08 00:01 . 2011-04-02 05:14 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-09-06 20:45 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DeskDriveStartup"="c:\program files\Blue Onion Software\Desk Drive\DeskDrive.exe" [2009-01-03 64000]
"USB Vaccine"="c:\program files\USBVaccine\USBVaccine.exe" [2009-03-04 402176]
"Clipdiary"="c:\program files\Clipdiary\clipdiary.exe" [2009-04-22 1741824]
"WordWeb"="c:\program files\WordWeb\wweb32.exe" [2009-11-08 65216]
"Iconoid"="c:\program files\Iconoid\Iconoid.exe" [2010-08-13 285184]
"TuneUp MemOptimizer"="c:\program files\TuneUp Utilities 2008\MemOptimizer.exe" [2008-06-20 153856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-06-01 341312]
"BigDog305"="c:\windows\VM305_STI.EXE" [2007-04-09 57344]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-07-07 2554696]
"LogonStudio"="c:\program files\WinCustomize\LogonStudio\logonstudio.exe" [2002-09-03 987187]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
.
c:\documents and settings\Edgar Javison\Start Menu\Programs\Startup\
Stickies.lnk - c:\program files\Stickies\stickies.exe [2008-8-28 765952]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
TP-LINK Wireless Utility.lnk - c:\program files\TP-LINK\COMMON\TWCU.exe [2011-2-9 1638400]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 11 (0xb)
"NoRecentDocsNetHood"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonuiX.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"BackgroundSwitcher"="c:\program files\johnsadventures.com\John's Background Switcher\BackgroundSwitcher.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Nokia FastStart"="c:\program files\Nokia\Nokia Music\NokiaMusic.exe" /command:faststart
"Family Tree Builder Update"=c:\program files\MyHeritage\Bin\FTBCheckUpdates.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [13-Sep-10 4:27 PM 25680]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [22-Mar-11 7:48 PM 442200]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [10-Oct-10 6:52 PM 320856]
R1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\drivers\cmderd.sys [01-Jun-10 7:00 PM 17416]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [04-Jun-10 11:55 AM 242600]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [01-Jun-10 7:00 PM 29400]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10-Oct-10 6:52 PM 20568]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12-Sep-11 7:53 PM 366640]
R2 NitroReaderDriverReadSpool2;NitroPDFReaderDriverCreatorReadSpool2;c:\program files\Nitro PDF\Reader\NitroPDFReaderDriverService2.exe [21-Jun-11 6:57 PM 196912]
R2 Scutum50;Scutum50 NDIS Protocol Driver;c:\windows\system32\drivers\Scutum50.sys [09-Feb-11 6:08 PM 19072]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12-Sep-11 7:52 PM 22712]
R4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [12-Sep-11 7:53 PM 41272]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [06-Apr-09 6:38 PM 8704]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [06-Apr-09 6:38 PM 3072]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [08-Aug-10 8:56 PM 137344]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [08-Aug-10 8:56 PM 8320]
S3 NWVNDIS;Novatel Wireless Virtual Network Adapter;c:\windows\system32\drivers\NWVNdis.sys [28-Nov-06 3:59 PM 196096]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [28-May-10 7:04 PM 14896]
S3 TMPassthruMP;TMPassthruMP;c:\windows\system32\DRIVERS\TMPassthru.sys --> c:\windows\system32\DRIVERS\TMPassthru.sys [?]
S3 ZSMC0305;A4 TECH PC Camera V;c:\windows\system32\drivers\usbVM305.sys [14-May-08 1:12 PM 391688]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [29-Apr-11 9:11 PM 136176]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-13 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-06-20 01:09]
.
.
------- Supplementary Scan -------
.
uStart Page = https://www.landbank.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: lbpiaccess.com\www
TCP: Interfaces\{00BA0350-A00A-48D1-8755-C7D91713E4F0}: NameServer = 192.168.254.254,202.126.40.5
TCP: Interfaces\{A68FA7C8-6388-4198-B88B-9C36E78D8DD6}: NameServer = 121.1.3.168 121.1.3.250
DPF: {C4346D6A-0FB5-48AE-95BD-06DE766EB6C8} - hxxps://www.lbpiaccess.com/download/Authentic/LBP_VBAuthentic.cab
FF - ProfilePath - c:\documents and settings\Edgar Javison\Application Data\Mozilla\Firefox\Profiles\2799c3d7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/
FF - prefs.js: network.proxy.ftp_port - 3128
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 55192
FF - prefs.js: network.proxy.socks - 192.168.1.1
FF - prefs.js: network.proxy.socks_port - 3128
FF - prefs.js: network.proxy.ssl_port - 3128
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 300
FF - user.js: content.notify.interval - 100000
FF - user.js: content.max.tokenizing.time - 200000
FF - user.js: content.switch.threshold - 650000
FF - user.js: dom.disable_window_open_feature.resizable - false
FF - user.js: network.http.max-connections-per-server - 8
.
.
------- File Associations -------
.
txtfile="c:\program files\JGsoft\EditPadLite\EditPadLite.exe" "%1"
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
AddRemove-Clipdiary - c:\program files\Clipdiary\uninst.exe
AddRemove-Facebook Plug-In - c:\documents and settings\Edgar Javison\Application Data\Facebook\uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-13 08:23
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwClose
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
BigDog305 = c:\windows\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)???????????????????0?????????@??????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(648)
c:\windows\system32\guard32.dll
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'lsass.exe'(704)
c:\windows\system32\guard32.dll
.
Completion time: 2011-09-13 08:34:26
ComboFix-quarantined-files.txt 2011-09-13 00:34
.
Pre-Run: 1,935,708,160 bytes free
Post-Run: 1,994,346,496 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /TUTag=TATNKF /Kernel=TUKernel.exe
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional (TuneUp Backup)" /noexecute=optin /fastdetect /TUTag=TATNKF-BAK
.
- - End Of File - - E414BF96E0EFCFA475129A50382EFA5F
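The symptom in this thread is a proxy setting that comes back after every Firefox restart, so it is worth knowing every layer a proxy can be set in and which one wins. Firefox loads prefs.js and then user.js at each start, and anything in user.js overrides the profile and is written back into prefs.js at shutdown; `network.proxy.type` selects between no proxy (0), manual (1), a PAC script (2), WPAD auto-detect (4) and the system settings (5); and the system settings are the WinINET values under HKCU\...\Internet Settings (`ProxyEnable`, `ProxyServer`, `AutoConfigURL`), which is the key Malwarebytes flagged as PUM.Bad.Proxy earlier in the thread. The Python audit below is an added example, not code from the poster, from Firefox or from any of the scanners logged above: it parses offline copies of prefs.js, user.js and a `reg export` of that key and reports which layer is setting the proxy. The sample inputs are constructed; the 127.0.0.1:55192 values copy the shape of the ComboFix `FF - prefs.js` lines, and the user.js entry is a hypothetical illustration of how a setting would keep reappearing.

```python
"""Offline audit of where a browser proxy is being set (Firefox profile + WinINET key).

Added example for this thread; not code from the poster, from Firefox or from any scanner
logged above.  Inputs are the text of a Firefox profile's prefs.js and user.js and a
'reg export' of the HKCU Internet Settings key.  All sample inputs below are constructed.
"""
import re
from typing import Dict, List, Union

Pref = Union[str, int, bool]
INET_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
# prefs.js / user.js lines:  user_pref("name", value);
_PREF_RE = re.compile(r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\);\s*$')
# reg.exe export lines:  "Name"=dword:00000001   or   "Name"="string"
_REG_VAL_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9A-Fa-f]{8})|"(.*)")\s*$')


def parse_prefs(text: str) -> Dict[str, Pref]:
    """Parse user_pref()/pref() lines; values are quoted strings, ints or bools."""
    prefs: Dict[str, Pref] = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            prefs[name] = int(raw) if raw.lstrip("-").isdigit() else raw
    return prefs


def effective_prefs(prefs_js: str, user_js: str) -> Dict[str, Pref]:
    """Firefox loads prefs.js, then user.js; user.js wins and is written back into
    prefs.js at shutdown, so a proxy pinned there returns after every restart."""
    merged = parse_prefs(prefs_js)
    merged.update(parse_prefs(user_js))
    return merged


def parse_reg_export(text: str) -> Dict[str, Dict[str, Pref]]:
    """Minimal parser for the REGEDIT4 / 'Windows Registry Editor' text format."""
    keys: Dict[str, Dict[str, Pref]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = _REG_VAL_RE.match(line) if current is not None else None
        if m:
            name, dword, s = m.groups()
            keys[current][name] = int(dword, 16) if dword is not None else s.replace("\\\\", "\\")
    return keys


def audit(prefs_js: str, user_js: str, reg_export: str) -> List[str]:
    """Return findings about every place a proxy could be coming from."""
    findings: List[str] = []
    for name, val in sorted(parse_prefs(user_js).items()):
        if name.startswith("network.proxy."):
            findings.append(f"user.js pins {name}={val!r}; Options-dialog changes are undone at next start")
    ff = effective_prefs(prefs_js, user_js)
    ptype = ff.get("network.proxy.type", 5)  # unset = built-in default, 5 (system) in current Firefox
    if ptype == 1:
        for scheme in ("http", "ssl", "ftp", "socks"):
            host, port = ff.get(f"network.proxy.{scheme}"), ff.get(f"network.proxy.{scheme}_port")
            if host:
                findings.append(f"firefox manual proxy: {scheme} -> {host}:{port}")
                if str(host) in ("localhost", "::1") or str(host).startswith("127."):
                    findings.append(f"loopback proxy on port {port}: a local process must be listening; "
                                    "identify it (netstat -ano) before merely clearing the pref")
    elif ptype == 2:
        findings.append(f"firefox PAC script: {ff.get('network.proxy.autoconfig_url')}")
    inet = parse_reg_export(reg_export).get(INET_KEY, {})
    if inet.get("ProxyEnable") == 1:
        via = " (Firefox follows it because network.proxy.type=5)" if ptype == 5 else ""
        findings.append(f"WinINET proxy enabled: {inet.get('ProxyServer')}{via}")
    if inet.get("AutoConfigURL"):
        findings.append(f"WinINET PAC script: {inet['AutoConfigURL']}")
    return findings


# Constructed sample data, shaped like the values in the ComboFix log above.
SAMPLE_PREFS_JS = '''// Mozilla User Preferences
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 55192);
user_pref("network.proxy.type", 0);
'''
SAMPLE_USER_JS = '''user_pref("network.proxy.type", 1);
'''
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="127.0.0.1:55192"
'''

if __name__ == "__main__":
    for finding in audit(SAMPLE_PREFS_JS, SAMPLE_USER_JS, SAMPLE_REG):
        print(finding)
```

To run it against a real machine, read prefs.js and user.js from the profile folder shown in the ComboFix `FF - ProfilePath` line and export the key with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" inet.reg`. Two practical points the output is meant to make: a pref that survives restarts usually means something is re-applying it (a user.js file, a process rewriting prefs.js, or the system proxy being re-enabled), so fixing the value in the Options dialog alone will not hold; and a proxy pointing at 127.0.0.1 on a high port only works if a local process is listening there, so identifying that listener matters more than clearing the setting.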
 
I uninstalled Comodo and Avast; installed Microsoft Security Essentials and turned on the Windows firewall.

Problem still persists.
 
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:57:23 PM, on 13-Sep-11
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ASTSRV.EXE
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Nitro PDF\Reader\NitroPDFReaderDriverService2.exe
C:\Program Files\TP-LINK\COMMON\RaRegistry.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\VM305_STI.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Blue Onion Software\Desk Drive\DeskDrive.exe
C:\Program Files\USBVaccine\USBVaccine.exe
C:\Program Files\Clipdiary\clipdiary.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Iconoid\Iconoid.exe
C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe
C:\Program Files\TP-LINK\COMMON\TWCU.exe
C:\Program Files\Stickies\stickies.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\JGsoft\EditPadLite\EditPadLite.exe
C:\WINDOWS\system32\osk.exe
C:\WINDOWS\system32\MSSWCHX.EXE
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.landbank.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [BigDog305] C:\WINDOWS\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKCU\..\Run: [DeskDriveStartup] C:\Program Files\Blue Onion Software\Desk Drive\DeskDrive.exe
O4 - HKCU\..\Run: [USB Vaccine] C:\Program Files\USBVaccine\USBVaccine.exe /resident
O4 - HKCU\..\Run: [Clipdiary] C:\Program Files\Clipdiary\clipdiary.exe
O4 - HKCU\..\Run: [WordWeb] "C:\Program Files\WordWeb\wweb32.exe" -startup
O4 - HKCU\..\Run: [Iconoid] "C:\Program Files\Iconoid\Iconoid.exe"
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe" autostart
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: Stickies.lnk = C:\Program Files\Stickies\stickies.exe
O4 - Global Startup: TP-LINK Wireless Utility.lnk = C:\Program Files\TP-LINK\COMMON\TWCU.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Big%20City%20Adventure/Images/stg_drm.ocx
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1210791222109
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {C4346D6A-0FB5-48AE-95BD-06DE766EB6C8} (LBP_VBAuthentic.Authentic) - https://www.lbpiaccess.com/download/Authentic/LBP_VBAuthentic.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Big%20City%20Adventure/Images/armhelper.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{00BA0350-A00A-48D1-8755-C7D91713E4F0}: NameServer = 192.168.254.254,202.126.40.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{00BA0350-A00A-48D1-8755-C7D91713E4F0}: NameServer = 192.168.254.254,202.126.40.5
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AST Service (astcc) - Nalpeiron Ltd. - C:\WINDOWS\system32\ASTSRV.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NitroPDFReaderDriverCreatorReadSpool2 (NitroReaderDriverReadSpool2) - Nitro PDF Software - C:\Program Files\Nitro PDF\Reader\NitroPDFReaderDriverService2.exe
O23 - Service: Ralink Registry Writer (RalinkRegistryWriter) - Ralink Technology, Corp. - C:\Program Files\TP-LINK\COMMON\RaRegistry.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 7901 bytes
 
[add-remove programs.txt]

123 Free Solitaire
3D Custom Screensaver
A4 TECH PC Camera V
Adobe AIR
Adobe Download Manager
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Media Player
Any Video Converter 3.0.7
Aqua Bubble 2
AquAdvisor
Around the World in 80 Days 1.0
ASUS WLAN Card Utilities/Driver
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
ATI Parental Control & Encoder
ATK0100 ACPI UTILITY
Audacity 1.2.6
avast! Free Antivirus
Belarc Advisor 8.1
BlueSoleil
BNS Random Screen Saver Starter
BusinessCardsMX 3.92
CDisplayEx 1.8
Championship Hearts All-Stars 7.40
Cheat Engine 5.6.1
Chikka Messenger V4
Clipdiary 2.1
COMODO Internet Security
Compatibility Pack for the 2007 Office system
Convert
Copy File Name 2.0.0.7
Cubis Gold 2
Desk Drive
Digsby
DVD Suite
****** Partition Master 3.5 Home Edition
Edraw Max 4
Facebook Plug-In
FastStone Image Viewer 4.6
FastStone MaxView 2.2
FastStone Photo Resizer 2.5
FileHippo.com Update Checker
Fireflies Screensaver (remove only)
Free and Easy Biorhythm Calculator version 3.01
FreeCommander 2008.06
GoAruna 0.1.10
Google Update Helper
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB2570791)
Iconoid version 3.8.6
IconTweaker
Image Mender 1.1
Inpaint
iSpring Pro 3.5.0
JaSMiN 3D Color Changer 4
Java Auto Updater
Java(TM) 6 Update 26
jFinancialCalc
John's Background Switcher 4.4
Just Great Software EditPad Lite 6.4.1
Last.fm 1.5.4.27091
LogonStudio
Mahjong Epic
Malwarebytes' Anti-Malware version 1.51.1.1800
MediaMonkey 3.2
MediaShow 3.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft ICE
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office XP Professional with FrontPage
Microsoft User-Mode Driver Framework Feature Pack 1.7
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable - KB2467175
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Mobilink
Motorola SM56 Speakerphone Modem
Mozilla Firefox 6.0.2 (x86 en-US)
MP3 Player Utilities 3.68
MSVC80_x86
MSVC80_x86_v2
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB933579)
MusicBrainz Picard 0.10
MyHeritage Family Tree Builder
Nitro PDF Reader 2
Nokia Connectivity Cable Driver
Nokia Map Loader
Nokia Music
Nokia Ovi Application Installer
Nokia Ovi Application Installer 6.85.3010
Nokia Ovi Content Copier
Nokia Ovi Content Copier 6.85.3010
Nokia Ovi One Touch Access
Nokia Ovi One Touch Access 6.85.3010
Nokia Ovi Suite
Nokia Ovi System Utilities
Nokia Ovi System Utilities 6.85.3010
Nokia PC Suite
Nokia Photos
Nokia Software Updater
oDesk Team
Password Keeper
PathCopyEx
PC Connectivity Solution
PhotoFiltre
PhotoNow! 1.0
Plants vs. Zombies
PopCap Browser Plugin
PowerDirector
PowerDVD
PPTminimizer
PrimoPDF -- brought to you by Nitro PDF Software
QT Lite 4.1.0
RarZilla Free Unrar
Realtek High Definition Audio Driver
Secunia PSI
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Smart Bro
SmartBee v3.10
Sony Picture Utility
Sony USB Driver
Spelling Dictionaries Support For Adobe Reader 9
Spybot - Search & Destroy
SpywareBlaster 4.4
Stickies 6.7a
SunPlus PMP Transcoding
Sunplus Spca536
SymmTime
Synaptics Pointing Device Driver
Taskbar Calculator
The Word
TheSage
TP-LINK Wireless Utility
Treasure Of Persia
True Launch Bar
TuneUp Utilities 2008
TweetDeck
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB968220)
Update for Windows Internet Explorer 8 (KB972636)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
VLC media player 1.1.11
WebFldrs XP
Windows Driver Package - Nokia Modem (02/15/2007 3.1)
Windows Driver Package - Nokia Modem (05/22/2008 3.8)
Windows Driver Package - Nokia Modem (05/22/2008 7.00.0.1)
Windows Driver Package - Nokia Modem (05/24/2007 6.84.0.1)
Windows Driver Package - Nokia Modem (06/09/2010 4.5)
Windows Driver Package - Nokia Modem (06/09/2010 7.01.0.7)
Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
WinPatrol 2009
WinZip 11.2
Wondershare DVD Ripper Platinum(Build 4.2.0.16)
Wondershare Photo Collage Studio 4.2.16.1
Wondershare Video Converter Platinum(Build 4.2.0.56)
WordWeb
Yahoo! BrowserPlus 2.9.8
Yahoo! Messenger
 
I'm suspicious of these entries in Firefox:

FF - prefs.js: network.proxy.ftp_port - 3128
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 55192
FF - prefs.js: network.proxy.socks - 192.168.1.1
FF - prefs.js: network.proxy.socks_port - 3128
FF - prefs.js: network.proxy.ssl_port - 3128
FF - prefs.js: network.proxy.type - 0
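Since the reverting proxy setting lives in the Firefox profile, here is an added example (mine, not code from this thread) that parses a profile's prefs.js and user.js in Firefox's user_pref() syntax, merges them with user.js taking precedence as Firefox does at every startup, and reports which proxy entries are active versus dormant. Both file contents are constructed samples that mirror the entries quoted above; the constructed user.js that forces network.proxy.type back to 1 illustrates one way a "no proxy" choice can come back as "manual" after a restart (the user.js entries in the ComboFix log later in this thread are only performance tweaks).

```python
import re

# Constructed sample prefs.js (assumption): the entries mirror the ones
# quoted in the post above, in the user_pref() syntax Firefox writes.
SAMPLE_PREFS_JS = '''# Mozilla User Preferences
user_pref("browser.startup.homepage", "http://www.facebook.com/");
user_pref("network.proxy.ftp_port", 3128);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 55192);
user_pref("network.proxy.socks", "192.168.1.1");
user_pref("network.proxy.socks_port", 3128);
user_pref("network.proxy.ssl_port", 3128);
user_pref("network.proxy.type", 0);
'''

# Constructed sample user.js (assumption). Firefox re-reads user.js at every
# startup and copies its values over prefs.js, so the second line below
# would make a "manual proxy" setting come back after each restart.
SAMPLE_USER_JS = '''user_pref("network.http.max-persistent-connections-per-server", 4);
user_pref("network.proxy.type", 1);
'''

PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Meaning of the network.proxy.type values in Firefox.
PROXY_TYPES = {0: "direct (no proxy)", 1: "manual", 2: "PAC script",
               4: "auto-detect", 5: "system settings"}


def parse_prefs(text):
    """Return {pref name: value} from user_pref() lines; other lines are skipped."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            value = raw[1:-1]            # string pref
        elif raw in ("true", "false"):
            value = raw == "true"        # boolean pref
        else:
            try:
                value = int(raw)         # integer pref (ports, proxy type)
            except ValueError:
                value = raw              # leave anything odd untouched
        prefs[name] = value
    return prefs


def effective_prefs(prefs_js_text, user_js_text=""):
    """Merge the two files the way Firefox does at startup: user.js wins."""
    merged = parse_prefs(prefs_js_text)
    merged.update(parse_prefs(user_js_text))
    return merged


def override_findings(prefs_js_text, user_js_text):
    """List proxy prefs that user.js forces, with the prefs.js value they replace."""
    base = parse_prefs(prefs_js_text)
    return [f"user.js forces {k} = {v!r} (prefs.js had {base.get(k)!r})"
            for k, v in parse_prefs(user_js_text).items()
            if k.startswith("network.proxy.")]


def is_loopback(host):
    return host in ("localhost", "::1") or host.startswith("127.")


def proxy_findings(prefs):
    """Describe the proxy configuration and flag the patterns seen in this thread."""
    ptype = prefs.get("network.proxy.type")
    active = ptype == 1
    out = [f"network.proxy.type = {ptype} ({PROXY_TYPES.get(ptype, 'unknown/unset')})"]
    for proto in ("http", "ssl", "ftp", "socks"):
        host = prefs.get(f"network.proxy.{proto}")
        port = prefs.get(f"network.proxy.{proto}_port")
        if host is None and port is None:
            continue
        state = "ACTIVE" if active else "dormant (takes effect if type flips to 1)"
        out.append(f"{proto} proxy {host}:{port} - {state}")
        if host is not None and is_loopback(host):
            # With no local proxy process listening on that port, the browser
            # reports "the proxy server is refusing connections".
            out.append(f"{proto} proxy points at loopback port {port}: "
                       "connections are refused unless a local proxy process is listening")
    return out


if __name__ == "__main__":
    for line in proxy_findings(effective_prefs(SAMPLE_PREFS_JS, SAMPLE_USER_JS)):
        print(line)
    for line in override_findings(SAMPLE_PREFS_JS, SAMPLE_USER_JS):
        print(line)
```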
 
I think I found the offending app. I disabled my Firefox add-ons and enabled them one at a time. Everything went fine until I enabled XMarks. Will try reinstalling it to see if this add-on is really the culprit or whether it just happened that it was the one thing the worm got to first.
 
Port 3128 is found to be mostly used by malware, and by a couple of games otherwise. I would highly recommend uninstalling the following programs.

TuneUp Utilities 2008
WebFldrs XP

And if you have any illegal or pirated apps/games installed, you should remove them as well. I'm not saying you do, but when someone is infected, sometimes it comes from illegal/pirated apps installed.

And since you don't have any Trend Micro security software installed, we need to get rid of an entry in your ComboFix log. Please do the following.

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the code box below

Code:
Killall::

Driver::

TMPassthruMP



3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!


[Screenshot: CFScript-1.gif]


ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

I would also recommend running an online scan.

Please download and run the ESET Online Scanner
Disable any antivirus/security programs.
IMPORTANT! UN-check Remove found threats
Accept any security warnings from your browser.
Check Scan archives
Click Start
ESET will then download updates, install and then start scanning your system.
When the scan is done, push list of found threats
Click on Export to text file, and save the file to your desktop using a file name such as ESETlog. Include the contents of this report in your next reply.
If no threats are found then it won't produce a log.
 
Then don't worry about it; sometimes it shows up and other times it doesn't. Just follow the rest of the procedure and keep me informed.
 
ComboFix 11-09-13.04 - Edgar Javison 14-Sep-11 16:50:46.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1919.1349 [GMT 8:00]
Running from: c:\documents and settings\Edgar Javison\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Edgar Javison\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
.
ADS - WINDOWS: deleted 0 bytes in 1 streams.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Edgar Javison\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\Edgar Javison\Local Settings\Application Data\ApplicationHistory\BNS_RS~1.SCR.4393fe30.ini
c:\windows\system32\d3d9caps.dat
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_TMPassthruMP
.
.
((((((((((((((((((((((((( Files Created from 2011-08-14 to 2011-09-14 )))))))))))))))))))))))))))))))
.
.
2011-09-14 06:16 . 2011-09-14 06:16 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6BA0A435-AA1E-4014-9255-60B63403D625}\MpKsl60bd4052.sys
2011-09-13 08:27 . 2011-08-11 11:44 7152464 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6BA0A435-AA1E-4014-9255-60B63403D625}\mpengine.dll
2011-09-13 08:26 . 2011-08-11 11:44 7152464 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Updates\mpengine.dll
2011-09-13 05:11 . 2010-10-19 20:51 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-09-13 04:55 . 2011-09-13 04:55 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
2011-09-13 04:54 . 2011-09-13 11:55 -------- d-----w- c:\program files\Microsoft Security Client
2011-09-12 11:53 . 2011-09-12 11:53 -------- d-----w- c:\documents and settings\Edgar Javison\Application Data\Malwarebytes
2011-09-12 11:53 . 2011-09-12 11:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-09-11 12:17 . 2011-09-11 12:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo Downloader
2011-09-05 10:52 . 2011-09-05 10:52 -------- d-----w- c:\program files\DreamQuest
2011-09-03 10:17 . 2011-09-03 10:17 599040 -c----w- c:\windows\system32\dllcache\crypt32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-14 09:03 . 2004-08-04 12:00 7659520 ----a-w- c:\windows\system32\logonuiX.exe
2011-09-03 10:17 . 2004-08-04 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-08-28 00:39 . 2011-05-14 23:36 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-24 00:00 . 2009-01-07 15:23 2332416 ----a-w- c:\windows\system32\TUKernel.exe
2011-07-15 13:29 . 2004-08-04 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2004-08-04 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10 . 2008-05-14 04:13 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2004-08-04 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-06-21 10:56 . 2011-07-08 07:42 17712 ----a-w- c:\windows\system32\nitrolocalui2.dll
2011-06-21 10:56 . 2011-07-08 07:42 26416 ----a-w- c:\windows\system32\nitrolocalmon2.dll
2011-06-20 17:44 . 2004-08-04 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-09-08 00:01 . 2011-04-02 05:14 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-09-13_00.27.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-09-14 09:00 . 2011-09-14 09:00 16384 c:\windows\temp\Perflib_Perfdata_c0.dat
+ 2010-10-24 13:25 . 2011-04-18 05:18 165648 c:\windows\system32\drivers\MpFilter.sys
+ 2011-09-13 08:27 . 2011-09-13 08:27 785920 c:\windows\Installer\6c6bf.msi
+ 2011-09-13 08:25 . 2011-09-13 08:25 483840 c:\windows\Installer\6c694.msi
+ 2011-09-13 08:25 . 2011-09-13 08:25 301056 c:\windows\Installer\6c688.msi
+ 2010-06-15 23:54 . 2011-09-13 08:09 1474832 c:\windows\system32\drivers\sfi.dat
- 2010-06-15 23:54 . 2011-09-12 23:58 1474832 c:\windows\system32\drivers\sfi.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DeskDriveStartup"="c:\program files\Blue Onion Software\Desk Drive\DeskDrive.exe" [2009-01-03 64000]
"USB Vaccine"="c:\program files\USBVaccine\USBVaccine.exe" [2009-03-04 402176]
"Clipdiary"="c:\program files\Clipdiary\clipdiary.exe" [2009-04-22 1741824]
"WordWeb"="c:\program files\WordWeb\wweb32.exe" [2009-11-08 65216]
"Iconoid"="c:\program files\Iconoid\Iconoid.exe" [2010-08-13 285184]
"TuneUp MemOptimizer"="c:\program files\TuneUp Utilities 2008\MemOptimizer.exe" [2008-06-20 153856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-06-01 341312]
"BigDog305"="c:\windows\VM305_STI.EXE" [2007-04-09 57344]
"LogonStudio"="c:\program files\WinCustomize\LogonStudio\logonstudio.exe" [2002-09-03 987187]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-25 437160]
.
c:\documents and settings\Edgar Javison\Start Menu\Programs\Startup\
Stickies.lnk - c:\program files\Stickies\stickies.exe [2008-8-28 765952]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
TP-LINK Wireless Utility.lnk - c:\program files\TP-LINK\COMMON\TWCU.exe [2011-2-9 1638400]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 11 (0xb)
"NoRecentDocsNetHood"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonuiX.exe"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"BackgroundSwitcher"="c:\program files\johnsadventures.com\John's Background Switcher\BackgroundSwitcher.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Nokia FastStart"="c:\program files\Nokia\Nokia Music\NokiaMusic.exe" /command:faststart
"Family Tree Builder Update"=c:\program files\MyHeritage\Bin\FTBCheckUpdates.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [13-Sep-10 4:27 PM 25680]
R1 MpKsl60bd4052;MpKsl60bd4052;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6BA0A435-AA1E-4014-9255-60B63403D625}\MpKsl60bd4052.sys [14-Sep-11 2:16 PM 28752]
R2 NitroReaderDriverReadSpool2;NitroPDFReaderDriverCreatorReadSpool2;c:\program files\Nitro PDF\Reader\NitroPDFReaderDriverService2.exe [21-Jun-11 6:57 PM 196912]
R2 Scutum50;Scutum50 NDIS Protocol Driver;c:\windows\system32\drivers\Scutum50.sys [09-Feb-11 6:08 PM 19072]
S1 MpKsl4d38513f;MpKsl4d38513f;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8CBD31AB-3448-4280-B958-C6193714F6E1}\MpKsl4d38513f.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8CBD31AB-3448-4280-B958-C6193714F6E1}\MpKsl4d38513f.sys [?]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [06-Apr-09 6:38 PM 8704]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [06-Apr-09 6:38 PM 3072]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [08-Aug-10 8:56 PM 137344]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [08-Aug-10 8:56 PM 8320]
S3 NWVNDIS;Novatel Wireless Virtual Network Adapter;c:\windows\system32\drivers\NWVNdis.sys [28-Nov-06 3:59 PM 196096]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [28-May-10 7:04 PM 14896]
S3 ZSMC0305;A4 TECH PC Camera V;c:\windows\system32\drivers\usbVM305.sys [14-May-08 1:12 PM 391688]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [29-Apr-11 9:11 PM 136176]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-14 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-06-20 01:09]
.
.
------- Supplementary Scan -------
.
uStart Page = https://www.landbank.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: lbpiaccess.com\www
TCP: Interfaces\{00BA0350-A00A-48D1-8755-C7D91713E4F0}: NameServer = 192.168.254.254,202.126.40.5
DPF: {C4346D6A-0FB5-48AE-95BD-06DE766EB6C8} - hxxps://www.lbpiaccess.com/download/Authentic/LBP_VBAuthentic.cab
FF - ProfilePath - c:\documents and settings\Edgar Javison\Application Data\Mozilla\Firefox\Profiles\2799c3d7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 55192
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 300
FF - user.js: content.notify.interval - 100000
FF - user.js: content.max.tokenizing.time - 200000
FF - user.js: content.switch.threshold - 650000
FF - user.js: dom.disable_window_open_feature.resizable - false
FF - user.js: network.http.max-connections-per-server - 8
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-14 17:01
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
BigDog305 = c:\windows\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)???????????????????0?????????@??????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(724)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(1960)
c:\windows\system32\WININET.dll
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\program files\TrueLaunchBar\tlb.dll
c:\program files\TrueLaunchBar\plugins\cdctrl\ControlCD.dll
c:\program files\TrueLaunchBar\plugins\abook\abook.dll
c:\program files\TrueLaunchBar\plugins\batchrun\batchrun.dll
c:\program files\TrueLaunchBar\plugins\tlbclock\tlbclock.dll
c:\program files\TrueLaunchBar\plugins\turnoff\turnoff.dll
c:\program files\TrueLaunchBar\plugins\volctl\volctrl.dll
c:\program files\Marco Maroni\Taskbar Calculator\TBCalc.dll
c:\windows\system32\ieframe.dll
c:\program files\Iconoid\tr3dll32.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\ASTSRV.EXE
c:\program files\IVT Corporation\BlueSoleil\BTNtService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\TP-LINK\COMMON\RaRegistry.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-09-14 17:08:52 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-14 09:08
ComboFix2.txt 2011-09-13 00:34
.
Pre-Run: 3,004,510,208 bytes free
Post-Run: 2,891,452,416 bytes free
.
- - End Of File - - F854D069BDE33829FF7B506180F9D706
 
The ComboFix log still shows that you have TuneUp Utilities 2008 installed. Did you uninstall this yet? I also recommend uninstalling WinPatrol, which I forgot to list in the first set of uninstalls.

I still need you to run that ESET online scan as well, from my earlier post.
 