Digital Protection, Windows Security Alerts

Hi GeekPolice,

I seem to have that really troublesome spyware Digital Protection, and Windows Security Alerts on my PC. Like all the other symptoms mentioned, it's got the text bubbles saying stuff like "Harmful viruses detected on your computer" and such and such. It hasn't tried to uninstall Malwarebytes AntiMalware, at least I don't think so, but I can only run it as administrator; I couldn't open it up any other way.

Problem is, I can't run a full scan without my PC showing a message saying "Your system is about to be logged off, please restart ASAP" or something along those lines. And then my system then reboots itself.

Also, I've been trying to find the registry keys and DLL files associated with this thing, but I can't find any of them. I opened up the Task Manager and digprot.exe nor avp.exe are on the list of processes. I don't get it. Please help!

Hi yekkers and Welcome to GeekPolice!

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

DeFogger
Download DeFogger by jpshortstuff from here & save it to your desktop.

• Right click DeFogger then choose Run as Administrator Or you can double-click to run the tool
  
• The application window will appear
  
• Click the Disable button to disable your CD Emulation drivers
  
• Click Yes to continue
  
• A Finished! message will appear
  
• Click OK
  
• DeFogger will now ask to reboot the machine - click OK
  

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.
Do not re-enable these drivers until otherwise instructed.

Next

1. Download ComboFix from below:
   
   Combofix download
   
   
   * IMPORTANT !!! Place combofix.exe on your Desktop
   
   
2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
   
   
   You can get help on disabling your protection programs here
   
   
3. Double click on combofix.exe & follow the prompts.
   
   
4. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
   
   Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
   
   
   
   
   
   The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
   
   With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
   
   Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
   
   ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
   
   Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
   
   The Recovery Console was successfully installed.
   
   
   
   Click on Yes, to continue scanning for malware.
   
   
5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
   
   
6. When finished, it shall produce a log for you. Post that log in your next reply
   
   Note:
   Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
   
   ---------------------------------------------------------------------------------------------
   
   
7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
   
   ---------------------------------------------------------------------------------------------
   

Hi Kenny,

When I ran DeFogger, DeFogger never asked to reboot the machine after it finished disabling CD emulation drivers, but I didn't any error message either.

This is what was written in the lof defogger_disable:



defogger_disable by jpshortstuff (23.02.10.1)
Log created at 22:16 on 30/14/2010 (Lou)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...
Unable to read gvclsu.sys


-=E.O.F=-



Should I proceed to ComboFix anyways? Or do you want me to do something else?

Yes, ComboFix log please.

ComboFix 10-04-29.05 - Lou 02/05/2010 0:30.1.2 - x86
Microsoft Windows Vista Home Premium 6.0.6002.2.1252.44.1033.18.2037.838 [GMT 1:00]
Running from: c:\users\Lou\Desktop\ComboFix.exe
AV: Norton 360 *On-access scanning enabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
FW: Norton 360 *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}
SP: Norton 360 *enabled* (Updated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2312294832-2679160596-2828777181-500
c:\$recycle.bin\S-1-5-21-3263774159-3587307793-2732057391-500
C:\Install.exe
c:\users\Lou\AppData\Local\Microsoft\Windows\Temporary Internet Files\4IlokX4rn.jpg
c:\users\Lou\AppData\Local\Microsoft\Windows\Temporary Internet Files\BDt7bJ4.jpg
c:\users\Lou\AppData\Local\Microsoft\Windows\Temporary Internet Files\Oy338ex.jpg
c:\users\Lou\AppData\Local\Microsoft\Windows\Temporary Internet Files\PMFep55.jpg
c:\users\Lou\Desktop\nudetube.com.lnk
c:\users\Lou\Desktop\pornotube.com.lnk
c:\users\Lou\Desktop\youporn.com.lnk
c:\users\Lou\FAVORI~1\_favdata.dat
c:\users\Lou\Favorites\_favdata.dat
c:\windows\system32\KBL.LOG
c:\windows\system32\drivers\gvclsu.sys . . . . failed to delete

Infected copy of c:\windows\system32\drivers\iaStor.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_gvclsu
-------\Service_gvclsu


((((((((((((((((((((((((( Files Created from 2010-04-01 to 2010-05-01 )))))))))))))))))))))))))))))))
.

2010-05-01 23:41 . 2010-05-01 23:43 -------- d-----w- c:\users\Lou\AppData\Local\temp
2010-05-01 23:41 . 2010-05-01 23:41 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-01 23:11 . 2010-05-01 23:11 -------- d-----w- c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP
2010-04-27 22:21 . 2010-05-01 23:43 823808 ----a-w- c:\windows\system32\drivers\gvclsu.sys
2010-04-27 22:20 . 2010-04-27 22:49 -------- d-sh--w- c:\users\Lou\AppData\Roaming\lowsec
2010-04-27 20:57 . 2010-04-27 20:58 -------- d-----w- c:\program files\Cute Knight Kingdom Demo
2010-04-21 02:12 . 2010-04-21 02:12 32 --s-a-w- c:\users\Lou\AppData\Local\4287020310.dat
2010-04-14 21:57 . 2010-02-18 14:07 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-14 21:57 . 2010-02-18 14:07 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-14 21:57 . 2010-03-05 14:01 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-04-14 21:56 . 2010-02-23 11:10 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-14 21:56 . 2010-02-23 11:10 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-14 21:56 . 2010-02-23 11:10 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-14 21:54 . 2010-02-18 14:07 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-14 21:54 . 2010-02-18 13:30 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-14 21:54 . 2010-02-18 11:28 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-14 09:44 . 2009-12-23 11:33 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-14 09:44 . 2010-01-13 17:34 98304 ----a-w- c:\windows\system32\cabview.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-01 23:17 . 2009-12-12 15:50 -------- d-----w- c:\programdata\Norton
2010-05-01 23:13 . 2007-11-12 06:57 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-05-01 23:11 . 2007-11-12 06:57 -------- d-----w- c:\programdata\Symantec
2010-05-01 23:11 . 2008-04-03 05:44 -------- d-----w- c:\program files\Symantec
2010-04-30 21:11 . 2009-01-06 10:20 5972 ----a-w- c:\users\Lou\AppData\Local\d3d9caps.dat
2010-04-27 22:29 . 2008-07-31 12:36 -------- d-----w- c:\users\Lou\AppData\Roaming\uTorrent
2010-04-27 22:29 . 2009-07-13 15:01 -------- d-----w- c:\programdata\pdf995
2010-04-27 03:07 . 2009-07-13 15:01 60 ----a-w- c:\windows\wpd99.drv
2010-04-26 19:13 . 2008-04-03 21:36 -------- d-----w- c:\users\Lou\AppData\Roaming\Skype
2010-04-26 19:05 . 2008-04-03 21:39 -------- d-----w- c:\users\Lou\AppData\Roaming\skypePM
2010-04-15 06:59 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-04-15 00:10 . 2007-11-12 08:38 -------- d-----w- c:\programdata\Microsoft Help
2010-03-23 20:49 . 2009-09-24 14:38 -------- d-----w- c:\users\Lou\AppData\Roaming\gtk-2.0
2010-03-22 22:59 . 2010-03-22 22:59 -------- d-----w- c:\users\Lou\AppData\Roaming\Malwarebytes
2010-03-22 22:58 . 2010-03-22 22:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-22 22:58 . 2010-03-22 22:58 -------- d-----w- c:\programdata\Malwarebytes
2010-03-22 22:41 . 2010-03-05 00:35 -------- d-----w- c:\users\Lou\AppData\Roaming\WinShell
2010-03-22 22:41 . 2010-01-21 00:41 -------- d-----w- c:\users\Lou\AppData\Roaming\Dev-Cpp
2010-03-05 00:35 . 2010-03-05 00:35 -------- d-----w- c:\program files\WinShell
2010-03-04 23:55 . 2010-02-24 13:31 -------- d-----w- c:\program files\MiKTeX 2.8
2010-03-04 16:46 . 2008-04-29 21:59 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-25 11:58 . 2008-04-03 04:54 86720 ----a-w- c:\users\Lou\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-23 06:39 . 2010-03-31 11:31 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33 . 2010-03-31 11:31 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33 . 2010-03-31 11:31 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55 . 2010-03-31 11:31 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-20 23:06 . 2010-03-11 03:00 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05 . 2010-03-11 03:00 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 20:53 . 2010-03-11 03:00 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-02-12 10:32 . 2010-02-25 01:05 293376 ----a-w- c:\windows\system32\browserchoice.exe
2006-05-03 10:06 . 2008-06-10 22:55 163328 --sh--r- c:\windows\System32\flvDX.dll
2007-02-21 11:47 . 2008-06-10 22:55 31232 --sh--r- c:\windows\System32\msfDX.dll
2007-12-17 13:43 . 2008-06-10 22:55 27648 --sh--w- c:\windows\System32\Smab0.dll
2008-12-21 01:36 . 2008-12-11 09:55 82534432 --sha-w- c:\windows\System32\drivers\fidbox.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2007-10-02 1783136]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-29 39408]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2010-01-26 2633976]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-10-25 212992]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-10-01 181544]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-09-28 202032]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-09-14 222504]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-10-03 480560]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-01 148888]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-11 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-11 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-11 133656]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-05-12 198160]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-01-07 1394000]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

c:\users\Lou\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):ac,57,38,9a,c0,34,ca,01

R2 gupdate1c9d35331ba1844;Google Update Service (gupdate1c9d35331ba1844);c:\program files\Google\Update\GoogleUpdate.exe [2009-05-12 133104]
R3 athrusb;Atheros Wireless LAN USB device driver;c:\windows\system32\DRIVERS\athrusb.sys [2008-07-29 904192]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-05-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-12 22:44]

2010-05-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-12 22:44]

2010-05-01 c:\windows\Tasks\User_Feed_Synchronization-{A7F3F3D5-62F7-427C-B5D4-201B298E7C61}.job
- c:\windows\system32\msfeedssync.exe [2010-03-31 04:54]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=81&bd=Presario&pf=laptop
uInternet Settings,ProxyOverride = *.local
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-GB\local\search.html
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: o2.co.uk\*.broadband
FF - ProfilePath - c:\users\Lou\AppData\Roaming\Mozilla\Firefox\Profiles\i1isjn8p.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZJfox000&fl=0&ptb=BjZGF2FMESTW56WkCqVBcQ&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor=
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-ares - c:\program files\Ares\Ares.exe
HKLM-Run-HP Health Check Scheduler - [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
HKLM-Run-UDC Integration - (no file)
AddRemove-ZoneAlarm - c:\program files\Zone Labs\ZoneAlarm\zauninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-02 00:43
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{1b476100-cbd2-4db2-b7ed-0c4b02c3bd76}]
@DACL=(02 0000)
"Dhcpv6Iaid"=dword:0c001b38
"Dhcpv6State"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{28334827-7b80-4bb6-8eaf-ed54843cddaf}]
@DACL=(02 0000)
"Dhcpv6Iaid"=dword:0e0016d3
"Dhcpv6State"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{80c093d6-5573-47c3-ba18-68bd130342b3}]
@DACL=(02 0000)
"Dhcpv6Iaid"=dword:15000000
"Dhcpv6State"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{9571ea11-e5d0-4799-81ce-26613d24a134}]
@DACL=(02 0000)
"Dhcpv6Iaid"=dword:14020054
"Dhcpv6State"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{9c642153-bfe0-4511-a0b6-e778ddd5ea9e}]
@DACL=(02 0000)
"Dhcpv6Iaid"=dword:07001422
"Dhcpv6State"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{b9b091aa-3f61-4407-8f4f-838ad2721c82}]
@DACL=(02 0000)
"Dhcpv6Iaid"=dword:11001f3a
"Dhcpv6State"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{f50c0996-5b4a-4c6a-a322-6e991d4caa0e}]
@DACL=(02 0000)
"Dhcpv6Iaid"=dword:06001422
"Dhcpv6State"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(2732)
c:\program files\Hewlett-Packard\HP Advisor\Pillars\Market\MLDeskBand.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\O2\bin\sprtsvc.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\conime.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
.
**************************************************************************
.
Completion time: 2010-05-02 00:53:30 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-01 23:53

Pre-Run: 74,452,357,120 bytes free
Post-Run: 76,932,231,168 bytes free

- - End Of File - - 105A59C67F67732A5570E946279330B1

Also, I couldn't open anything right now. Word, Excel, Paint, Mozilla Firefox... nothing is running. Is that supposed to be the case?

Also, I couldn't open anything right now. Word, Excel, Paint, Mozilla Firefox... nothing is running. Is that supposed to be the case?

Nope.. Let me know if the below fixs it?

Run CFScript

• Close any open browsers.
  
• Open Notepad by click start
  
• Click Run
  
• Type notepad into the box and click enter
  
• Notepad will open
  
• Copy and Paste everything from the Code box into Notepad:
  

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.








This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

Oddly enough, when I used the Run command in the Start menu to get notepad up, everything seemed to miraculously work again. I didn't type anything else in the Run command either other than notepad. Just double-clicked my stuff and they're all up and running again.

It looked like that alone solved the problem. Is the modified ComboFix scan still necessary? If not, is there anything else I should do or look out for?

The file is bad and needs to be removed.

ComboFix 10-04-29.05 - Lou 03/05/2010 10:49:37.2.2 - x86
Microsoft Windows Vista Home Premium 6.0.6002.2.1252.44.1033.18.2037.1075 [GMT 1:00]
Running from: c:\users\Lou\Desktop\ComboFix.exe
Command switches used :: c:\users\Lou\Desktop\CFScript.txt
AV: Norton 360 *On-access scanning enabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
FW: Norton 360 *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}
SP: Norton 360 *enabled* (Updated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\gvclsu.sys

.
((((((((((((((((((((((((( Files Created from 2010-04-03 to 2010-05-03 )))))))))))))))))))))))))))))))
.

2010-05-03 09:57 . 2010-05-03 09:59 -------- d-----w- c:\users\Lou\AppData\Local\temp
2010-05-03 09:57 . 2010-05-03 09:57 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-05-03 09:57 . 2010-05-03 09:57 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-03 09:45 . 2010-05-03 09:46 -------- d-----w- C:\32788R22FWJFW
2010-05-02 21:28 . 2010-02-24 09:16 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-05-01 23:11 . 2010-05-01 23:11 -------- d-----w- c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP
2010-04-27 22:20 . 2010-04-27 22:49 -------- d-sh--w- c:\users\Lou\AppData\Roaming\lowsec
2010-04-27 20:57 . 2010-04-27 20:58 -------- d-----w- c:\program files\Cute Knight Kingdom Demo
2010-04-21 02:12 . 2010-04-21 02:12 32 --s-a-w- c:\users\Lou\AppData\Local\4287020310.dat
2010-04-14 21:57 . 2010-02-18 14:07 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-14 21:57 . 2010-02-18 14:07 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-14 21:57 . 2010-03-05 14:01 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-04-14 21:56 . 2010-02-23 11:10 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-14 21:56 . 2010-02-23 11:10 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-14 21:56 . 2010-02-23 11:10 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-14 21:54 . 2010-02-18 14:07 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-14 21:54 . 2010-02-18 13:30 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-14 21:54 . 2010-02-18 11:28 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-14 09:44 . 2009-12-23 11:33 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-14 09:44 . 2010-01-13 17:34 98304 ----a-w- c:\windows\system32\cabview.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-02 21:55 . 2008-04-03 21:36 -------- d-----w- c:\users\Lou\AppData\Roaming\Skype
2010-05-02 00:22 . 2009-07-13 15:01 -------- d-----w- c:\programdata\pdf995
2010-05-01 23:17 . 2009-12-12 15:50 -------- d-----w- c:\programdata\Norton
2010-05-01 23:13 . 2007-11-12 06:57 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-05-01 23:11 . 2007-11-12 06:57 -------- d-----w- c:\programdata\Symantec
2010-05-01 23:11 . 2008-04-03 05:44 -------- d-----w- c:\program files\Symantec
2010-04-30 21:11 . 2009-01-06 10:20 5972 ----a-w- c:\users\Lou\AppData\Local\d3d9caps.dat
2010-04-27 22:29 . 2008-07-31 12:36 -------- d-----w- c:\users\Lou\AppData\Roaming\uTorrent
2010-04-27 03:07 . 2009-07-13 15:01 60 ----a-w- c:\windows\wpd99.drv
2010-04-26 19:05 . 2008-04-03 21:39 -------- d-----w- c:\users\Lou\AppData\Roaming\skypePM
2010-04-15 06:59 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-04-15 00:10 . 2007-11-12 08:38 -------- d-----w- c:\programdata\Microsoft Help
2010-03-23 20:49 . 2009-09-24 14:38 -------- d-----w- c:\users\Lou\AppData\Roaming\gtk-2.0
2010-03-22 22:59 . 2010-03-22 22:59 -------- d-----w- c:\users\Lou\AppData\Roaming\Malwarebytes
2010-03-22 22:58 . 2010-03-22 22:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-22 22:58 . 2010-03-22 22:58 -------- d-----w- c:\programdata\Malwarebytes
2010-03-22 22:41 . 2010-03-05 00:35 -------- d-----w- c:\users\Lou\AppData\Roaming\WinShell
2010-03-22 22:41 . 2010-01-21 00:41 -------- d-----w- c:\users\Lou\AppData\Roaming\Dev-Cpp
2010-03-05 00:35 . 2010-03-05 00:35 -------- d-----w- c:\program files\WinShell
2010-03-04 23:55 . 2010-02-24 13:31 -------- d-----w- c:\program files\MiKTeX 2.8
2010-03-04 16:46 . 2008-04-29 21:59 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-25 11:58 . 2008-04-03 04:54 86720 ----a-w- c:\users\Lou\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-23 06:39 . 2010-03-31 11:31 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33 . 2010-03-31 11:31 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33 . 2010-03-31 11:31 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55 . 2010-03-31 11:31 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-20 23:06 . 2010-03-11 03:00 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05 . 2010-03-11 03:00 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 20:53 . 2010-03-11 03:00 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-02-12 10:32 . 2010-02-25 01:05 293376 ----a-w- c:\windows\system32\browserchoice.exe
2006-05-03 10:06 . 2008-06-10 22:55 163328 --sh--r- c:\windows\System32\flvDX.dll
2007-02-21 11:47 . 2008-06-10 22:55 31232 --sh--r- c:\windows\System32\msfDX.dll
2007-12-17 13:43 . 2008-06-10 22:55 27648 --sh--w- c:\windows\System32\Smab0.dll
2008-12-21 01:36 . 2008-12-11 09:55 82534432 --sha-w- c:\windows\System32\drivers\fidbox.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2007-10-02 1783136]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-29 39408]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2010-01-26 2633976]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-10-25 212992]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-10-01 181544]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-09-28 202032]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-09-14 222504]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-10-03 480560]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-01 148888]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-11 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-11 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-11 133656]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-05-12 198160]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-01-07 1394000]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

c:\users\Lou\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):ac,57,38,9a,c0,34,ca,01

R2 gupdate1c9d35331ba1844;Google Update Service (gupdate1c9d35331ba1844);c:\program files\Google\Update\GoogleUpdate.exe [2009-05-12 133104]
R3 athrusb;Atheros Wireless LAN USB device driver;c:\windows\system32\DRIVERS\athrusb.sys [2008-07-29 904192]
S2 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\O2\bin\sprtsvc.exe [2007-06-07 202280]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-05-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-12 22:44]

2010-05-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-12 22:44]

2010-05-02 c:\windows\Tasks\User_Feed_Synchronization-{A7F3F3D5-62F7-427C-B5D4-201B298E7C61}.job
- c:\windows\system32\msfeedssync.exe [2010-03-31 04:54]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=81&bd=Presario&pf=laptop
uInternet Settings,ProxyOverride = *.local
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-GB\local\search.html
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: o2.co.uk\*.broadband
FF - ProfilePath - c:\users\Lou\AppData\Roaming\Mozilla\Firefox\Profiles\i1isjn8p.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZJfox000&fl=0&ptb=BjZGF2FMESTW56WkCqVBcQ&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor=
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(4084)
c:\program files\Hewlett-Packard\HP Advisor\Pillars\Market\MLDeskBand.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\conime.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2010-05-03 11:08:55 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-03 10:08
ComboFix2.txt 2010-05-01 23:53

Pre-Run: 77,465,112,576 bytes free
Post-Run: 77,389,950,976 bytes free

- - End Of File - - 4B8188CF8518F39F9618869A0A430CAC

Your PC had a rootkit that has replaced your ide driver iaStor.sys file with malware.

The driver was replaced. If we had removed it. Your PC would not restart.

Lets make sure all is gone. Were almost done here.

Please download ATF Cleaner by Atribune.

• Double-click ATF-Cleaner.exe to run the program.
  
• Under Main choose: Select All
  
• Click the Empty Selected button.
  

Click Exit on the Main menu to close the program.


Next



Please download Malwarebytes Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  
• Copy&Paste the entire report in your next reply.
  

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediatly.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4061

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904

03/05/2010 12:25:57
mbam-log-2010-05-03 (12-25-57).txt

Scan type: Quick scan
Objects scanned: 117529
Time elapsed: 6 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Your Computer is Clean


Be sure to run, Secunia software inspector & update checker.



Some final items:


Follow these steps to uninstall Combofix and tools used in the removal of malware

• Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  
• Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the x and /)
  
  
• Please follow the prompts to uninstall Combofix.
  
• You will then recieve a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
  

This will uninstall Combofix and anything assoicated with it.

Here are some additional links for you to check out to help you with your computer security.

Browsers

Just because your computer came loaded with Internet Explorer doesn't mean that you have to use it, there are other free alternatives, FIREFOX and OPERA, both are free to use and are more secure than IE.

If you are using firefox you can stay more secure by adding NoScript and WOT (Web Of Trust)

NoScript stops Java scripts from starting on a web page unless you give permission for them, and WOT (Web Of Trust) has a comprehensive list of ratings for different websites allowing you to easily see if a website that you are about to go to has a bad reputation; in fact it will warn you to check if you are sure that you want to continue to a bad website.

• Make your Internet Explorer more secure - This can be done by following these simple instructions:
  
• From within Internet Explorer click on the Tools menu and then click on Options.
  
• Click once on the Security tab
  
• Click once on the Internet icon so it becomes highlighted.
  
• Click once on the Custom Level button.
  
• Change the Download signed ActiveX controls to Prompt
  
• Change the Download unsigned ActiveX controls to Disable
  
• Change the Initialize and script ActiveX controls not marked as safe to Disable
  
• Change the Installation of desktop items to Prompt
  
• Change the Launching programs and files in an IFRAME to Prompt
  
• Change the Navigate sub-frames across different domains to Prompt
  
• When all these settings have been made, click on the OK button
  
• If it prompts you as to whether or not you want to save the settings, press the Yes button.
  
• Next press the Apply button and then the OK to exit the Internet Properties page.
  

Additional Security Measures


Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

SpywareBlaster- SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

Cookienator- Scans your PC for tracking cookies in multiple browsers as well as in Adobe Flash.

Winpatrol Download and install the free version of Winpatrol. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.

Secunia software inspector & update checker

My Blog Malware And Spyware Tips

Also, see here for system improvement: Help! My computer is slow!


It was a pleasure working with you yekkers.

One more thing:

To re-enable your Emulation drivers, double click DeFogger to run the tool.

• The application window will appear
  
• Click the Re-enable button to re-enable your CD Emulation drivers
  
• Click Yes to continue
• A 'Finished!' message will appear
  
• Click OK
  
• DeFogger will now ask to reboot the machine - click OK
  

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.

Thanks a lot Kenny, you're a life-saver! I'd buy you a beer if I could, but I'll go for the next best alternative. Will be sure to donate; keep up the good work!