
Need help with Virus/Malware removal [Solved]


  • This topic is locked

#1
little_gardener_24
Our computer has been infected with some type of virus or malware, though I'm not sure which. It originally removed some icons such as our Internet Explorer icon, and we were unable to access those programs. I was able to do a system restore through safe mode to the day before the virus showed up, which recovered our icons. I then downloaded AVG, ran the full scan, and things seemed to be working until I accessed the internet. Several pages, including our home page, only load certain things like the entertainment/sports/news/weather tabs that show up at the top of the page, but none of the articles below show up (you can go to windstream.net to see what I mean). I can access our email account and read emails, but I can't delete any of them because the "delete" button doesn't work when clicked. Also, several other links I have found don't work when clicked. I thought it was just an internet setting that may be the problem until I uploaded another antivirus software from my flash drive and, a few seconds after it began the scan, it shut down. Now when I try opening the program I get the following message: "Windows cannot access the specified device path or file. You may not have appropriate permissions." This is the same message I got with other antivirus programs before I did the system restore, so I think the virus is blocking it. I've tried running the Malwarebytes and Spybot Search & Destroy programs... the same message appears. Now my AVG says we're not protected anymore and it won't let me fix that.

Another frustrating issue I've had since I did the system restore is an icon (a red circle with a white X in the middle) in the bottom-right desktop toolbar. When I open it, it says I have exceeded my profile storage space by a certain number. It is my understanding that the profile space is supposed to be unlimited, so I don't know how to reset that either. Please please please help. I don't know what else to try.

**EDIT** I should have mentioned that the reason I know it's a virus/spyware issue is that we had a fake virus removal program called "Total Security" show up on our computer all of a sudden. It kept saying we were unprotected yada yada yada and a couple days later our icons like I.E. began disappearing. We were not able to do any scans from any virus software either. That's when it was recommended to me to perform a system restore.

Edited by little_gardener_24, 01 October 2009 - 12:35 PM.


#2
hammerman
Hello and welcome to GeeksToGo :)
I'm hammerman and I'm going to help you fix your problem.

Sorry for the delay in replying.

Before we begin, here are some guidelines which will help us both in fixing your problem.
  • I suggest you print or save any instructions I give you for easy reference. We may be using Safe mode and you will not always be able to access this thread. You can copy and paste these instructions into Notepad and then save the text file to your Desktop. If you need any help with this or further clarification, please let me know.
  • Please do not attach logs or post them in Quote/Code boxes unless requested.
  • When posting logs, please ensure Word Wrap is turned off in Notepad. Open Notepad, select Format on the menu bar and make sure that Word Wrap is unchecked.
  • Please follow the steps exactly in the same order posted. If you can't perform a certain step, or you're unsure of what to do, please stop and let me know.
  • If in doubt about anything, please ask.

Please follow these steps.

-- Step 1 --

Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

-- Step 2 --

Please download Win32kDiag to your desktop.
Double-click on Win32kDiag to run it.
Please do not close it if it appears to get stuck. Just let it run until it finishes.
A log should appear when it is finished. Post that log here.

If it doesn't pop up, a log file called Win32kDiag.txt should be located on your desktop. Please post that.

-- Step 3 --

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows: OTListIt.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply. You may need two posts to fit them all in.

-- Step 4 --

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google....rotantirootkit/

Unzip it into a folder on your desktop.

Start the Sysprot.exe program.
  • Click on the Log tab.
  • In the Write to log box select all items.
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new Window should appear.
  • Make sure Scan all drives is selected and click on the Start button.
  • When it is complete a new Window will appear to indicate that the scan is finished.
  • The log will be created and saved automatically in the same folder. Open the text file and copy/paste the log here.


#3
little_gardener_24
Thank you so much for your help! Here is the log from exeHelper:

exeHelper by Raktor - 09
Build 20090925
Run at 20:55:07 on 10/03/09
Now searching...
Checking for numerical processes...
Deleting file C:\Documents and Settings\All Users\Application Data\11389214\11389214
Deleting file C:\Documents and Settings\All Users\Application Data\11389214\pc11389214ins
Removing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\11389214
Checking for bad processes...
Checking for bad files...
Deleting file C:\WINDOWS\system32\cru629.dat
Deleting file C:\WINDOWS\cru629.dat
Deleting file C:\WINDOWS\system32\critical_warning.html
Checking for bad registry entries...
Removing HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax
Removing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax
Removing HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Advanced Virus Remover
Removing HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Advanced Virus Remover
Removing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdate.exe
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

#4
little_gardener_24
Here is the log from Win32kDiag:



Running from: C:\Documents and Settings\Brenda\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Brenda\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB968389\KB968389

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ADDINS\ADDINS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\History\History

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\CHSIME\APPLETS\APPLETS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\IMEJP\APPLETS\APPLETS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\IMEJP98\IMEJP98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\IMJP8_1\APPLETS\APPLETS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\IMKR6_1\APPLETS\APPLETS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\IMKR6_1\DICTS\DICTS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\SHARED\RES\RES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\{541DEAC0-5F3D-45E6-B7CB-94ECF3B96748}\{541DEAC0-5F3D-45E6-B7CB-94ECF3B96748}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\JAVA\TRUSTLIB\TRUSTLIB

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\MSAPPS\MSINFO\MSINFO

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\MUI\MUI

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpsvc.exe

[1] 2004-08-04 03:56:50 743936 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)

[1] 2008-04-13 20:12:21 744448 C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpsvc.exe ()

[1] 2008-04-13 20:12:21 744448 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)

[1] 2004-08-04 03:56:50 743936 C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\helpsvc.exe (Microsoft Corporation)



Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Config\News\News

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Profiles\All Users\Start Menu\Programs\Hoyle®\Hoyle®

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\REPAIR\Backup\ServiceState\ServiceState

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\backup\asms\10\msft\windows\windows

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\backup\asms\10\policy\msft\windows\windows

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\backup\asms\51\msft\windows\system\system

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\backup\asms\51\policy\msft\windows\system\system

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\backup\asms\52\msft\windows\net\net

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\backup\asms\60\msft\windows\common\common

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\backup\asms\60\policy\60\60

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\backup\asms\70\msft\windows\windows

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\backup\asms\70\policy\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\37fefde58a963f27982e5f97ce053f7f\37fefde58a963f27982e5f97ce053f7f

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\42ac58cab0e6fa5e500b8de2f1c4f1fa\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\SYSTEM32\dumprep.exe

[1] 2004-08-04 03:56:48 10752 C:\WINDOWS\$NtServicePackUninstall$\dumprep.exe (Microsoft Corporation)

[1] 2008-04-13 20:12:18 10752 C:\WINDOWS\ServicePackFiles\i386\dumprep.exe (Microsoft Corporation)

[1] 2004-08-04 03:56:48 10752 C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\dumprep.exe (Microsoft Corporation)

[1] 2008-04-13 20:12:18 10752 C:\WINDOWS\SYSTEM32\dumprep.exe ()

[1] 2002-08-29 07:00:00 9216 C:\i386\DUMPREP.EXE (Microsoft Corporation)



Cannot access: C:\WINDOWS\SYSTEM32\eventlog.dll

[1] 2004-08-04 03:56:42 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2004-08-04 03:56:42 55808 C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 20:11:53 61952 C:\WINDOWS\SYSTEM32\eventlog.dll ()

[2] 2008-04-13 20:11:53 56320 C:\WINDOWS\SYSTEM32\logevent.dll (Microsoft Corporation)

[1] 2002-08-29 07:00:00 49152 C:\i386\EVENTLOG.DLL (Microsoft Corporation)



Found mount point : C:\WINDOWS\Temp\MCE00000\MCE00000

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\SiteAdvisor\SiteAdvisor

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\WMFA\WMFA

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\~offfilt\~offfilt

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^



Finished!
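As an added example that is not part of this thread, and not code from exeHelper or Win32kDiag, the Python below reads trimmed excerpts of the two logs posted in #3 and #4 and pulls out what a responder would record from them: the files, Run keys and reset settings exeHelper acted on, and from Win32kDiag the mount points whose destination is not a normal volume or drive path plus the "Cannot access" system files whose live copy reports no version information or a size that no backup copy shares. The log excerpts are copied from the posts above; the function names and the rule for what counts as a normal mount-point destination are this example's own assumptions.

```python
"""Triage helpers for the exeHelper (post #3) and Win32kDiag (post #4) logs.

Added example: not code from the thread, exeHelper or Win32kDiag. The log
excerpts are copied from the posts above and trimmed; the function names and
the NORMAL_DEST heuristic are this example's own assumptions.
"""
import re
from collections import defaultdict

# Excerpt of the exeHelper log from post #3 (trimmed, otherwise verbatim).
EXEHELPER_LOG = r"""
Checking for bad files...
Deleting file C:\WINDOWS\system32\cru629.dat
Deleting file C:\WINDOWS\cru629.dat
Checking for bad registry entries...
Removing HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax
Removing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdate.exe
Resetting filetype association for .exe
Resetting userinit and shell values...
--Finished--
"""

# Excerpt of the Win32kDiag log from post #4 (trimmed, otherwise verbatim).
WIN32KDIAG_LOG = r"""
Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\SYSTEM32\eventlog.dll

[1] 2004-08-04 03:56:42 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 20:11:53 61952 C:\WINDOWS\SYSTEM32\eventlog.dll ()

Finished!
"""


def exehelper_actions(log):
    """Group exeHelper's remediation lines by action so the removed files,
    Run keys and reset settings can be recorded as indicators."""
    actions = {"files": [], "registry": [], "resets": []}
    for line in log.splitlines():
        if line.startswith("Deleting file "):
            actions["files"].append(line[len("Deleting file "):])
        elif line.startswith("Removing "):
            actions["registry"].append(line[len("Removing "):])
        elif line.startswith("Resetting "):
            actions["resets"].append(line[len("Resetting "):].rstrip("."))
    return actions


MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
CANNOT_RE = re.compile(r"^Cannot access: (.+)$")
# "[n] <date> <time> <size> <path> (<company>)"
COPY_RE = re.compile(r"^\[\d+\] (\S+ \S+) (\d+) (.+?) \((.*)\)$")
# Assumption: a benign mount point resolves to a volume (\Device\HarddiskVolumeN
# or \??\Volume{...}) or a drive-letter path (\??\C:\...). Anything else is flagged.
NORMAL_DEST = re.compile(r"^(\\Device\\HarddiskVolume\d+|\\\?\?\\(Volume\{|[A-Za-z]:\\))")


def win32kdiag_findings(log):
    """Return (kind, subject, detail) tuples for odd mount-point targets and for
    inaccessible system files whose live copy cannot be matched to a backup."""
    findings = []
    pending_mount = None  # path of the last "Found mount point" line
    current = None        # file named by the last "Cannot access:" line
    copies = defaultdict(list)
    for line in (l.strip() for l in log.splitlines()):
        if not line:
            continue
        if (m := MOUNT_RE.match(line)):
            pending_mount = m.group(1)
        elif (m := DEST_RE.match(line)) and pending_mount:
            dest = m.group(1)
            if not NORMAL_DEST.match(dest):
                findings.append(("suspicious_mount_point", pending_mount, dest))
            pending_mount = None
        elif (m := CANNOT_RE.match(line)):
            current = m.group(1)
        elif (m := COPY_RE.match(line)) and current:
            _stamp, size, path, company = m.groups()
            copies[current].append((path, int(size), company))
    for target, entries in copies.items():
        live = [e for e in entries if e[0].lower() == target.lower()]
        backup_sizes = {e[1] for e in entries if e[0].lower() != target.lower()}
        for path, size, company in live:
            reasons = []
            if not company:
                reasons.append("no version info (company field empty)")
            if backup_sizes and size not in backup_sizes:
                reasons.append(f"size {size} differs from every backup copy")
            if reasons:
                findings.append(("unverifiable_system_file", path, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for kind, items in exehelper_actions(EXEHELPER_LOG).items():
        print(f"exeHelper {kind}: {len(items)}")
        for item in items:
            print("   ", item)
    for finding in win32kdiag_findings(WIN32KDIAG_LOG):
        print("Win32kDiag", *finding)
```

Run against the full logs in the posts, the mount-point check fires once per `\Device\__max++>\^` entry and the file check on helpsvc.exe, dumprep.exe and eventlog.dll, which is the set a responder would carry forward into the next steps.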

#5
little_gardener_24

little_gardener_24

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
I downloaded OTL and followed the directions; however, it shut down a few seconds into the scan and now it says, "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." I tried deleting it, but it says access denied. I tried downloading it again and replacing it, and I get the same access denied message. What should I try now? Should I complete step 4?

Edited by little_gardener_24, 03 October 2009 - 07:42 PM.


#6
hammerman
Yes, please complete step 4.

#7
little_gardener_24
Here is the log from SysProtLog:



SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

Process:
Name: [System Idle Process]
PID: 0
Hidden: No
Window Visible: No

Name: System
PID: 4
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\csrss.exe
PID: 628
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\winlogon.exe
PID: 652
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\services.exe
PID: 700
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\lsass.exe
PID: 712
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\svchost.exe
PID: 884
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\svchost.exe
PID: 988
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\svchost.exe
PID: 1104
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\svchost.exe
PID: 1192
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\svchost.exe
PID: 1264
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\spoolsv.exe
PID: 1512
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\svchost.exe
PID: 1988
Hidden: No
Window Visible: No

Name: C:\WINDOWS\explorer.exe
PID: 244
Hidden: No
Window Visible: Yes

Name: C:\WINDOWS\SYSTEM32\cisvc.exe
PID: 252
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Motive\McciCMService.exe
PID: 564
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\svchost.exe
PID: 1188
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\wdfmgr.exe
PID: 1624
Hidden: No
Window Visible: No

Name: C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PID: 1832
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\proquota.exe
PID: 1760
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
PID: 912
Hidden: No
Window Visible: No

Name: C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe
PID: 896
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
PID: 1180
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Logitech\QCDriver\LVComS.exe
PID: 968
Hidden: No
Window Visible: No

Name: C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
PID: 1184
Hidden: No
Window Visible: No

Name: C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE
PID: 2100
Hidden: No
Window Visible: No

Name: C:\Program Files\Messenger\msmsgs.exe
PID: 2476
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\ctfmon.exe
PID: 2520
Hidden: No
Window Visible: No

Name: C:\Program Files\Digital Line Detect\DLG.exe
PID: 2792
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\alg.exe
PID: 2820
Hidden: No
Window Visible: No

Name: C:\Program Files\FinePixViewer\QuickDCF2.exe
PID: 2856
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
PID: 2932
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\CIDAEMON.EXE
PID: 3372
Hidden: No
Window Visible: No

Name: C:\Program Files\Java\jre6\bin\jusched.exe
PID: 1324
Hidden: No
Window Visible: No

Name: C:\Program Files\Java\jre6\bin\jqs.exe
PID: 3396
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\svchost.exe
PID: 544
Hidden: No
Window Visible: No

Name: C:\Program Files\AVG\AVG8\avgtray.exe
PID: 788
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
PID: 2080
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
PID: 2724
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\notepad.exe
PID: 1464
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PID: 3368
Hidden: No
Window Visible: No

Name: C:\Program Files\Internet Explorer\iexplore.exe
PID: 3016
Hidden: No
Window Visible: No

Name: C:\Program Files\Internet Explorer\iexplore.exe
PID: 240
Hidden: No
Window Visible: No

Name: C:\Documents and Settings\Brenda\Desktop\SysProt\SysProt.exe
PID: 2664
Hidden: No
Window Visible: Yes

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \??\C:\Documents and Settings\Brenda\Desktop\SysProt\SysProtDrv.sys
Service Name: SysProtDrv.sys
Module Base: F2526000
Module End: F2531000
Hidden: No

Module Name: \WINDOWS\system32\ntoskrnl.exe
Service Name: ---
Module Base: 804D7000
Module End: 806ED700
Hidden: No

Module Name: \WINDOWS\system32\hal.dll
Service Name: ---
Module Base: 806EE000
Module End: 8070E300
Hidden: No

Module Name: \WINDOWS\system32\KDCOM.DLL
Service Name: ---
Module Base: F9F72000
Module End: F9F74000
Hidden: No

Module Name: \WINDOWS\system32\BOOTVID.dll
Service Name: ---
Module Base: F9E82000
Module End: F9E85000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ACPI.sys
Service Name: ACPI
Module Base: F9A23000
Module End: F9A51000
Hidden: No

Module Name: \WINDOWS\System32\DRIVERS\WMILIB.SYS
Service Name: ---
Module Base: F9F74000
Module End: F9F76000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pci.sys
Service Name: PCI
Module Base: F9A12000
Module End: F9A23000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\isapnp.sys
Service Name: isapnp
Module Base: F9A72000
Module End: F9A7C000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pciide.sys
Service Name: PCIIde
Module Base: FA03A000
Module End: FA03B000
Hidden: No

Module Name: \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
Service Name: ---
Module Base: F9CF2000
Module End: F9CF9000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\MountMgr.sys
Service Name: MountMgr
Module Base: F9A82000
Module End: F9A8D000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ftdisk.sys
Service Name: Disk
Module Base: F99F3000
Module End: F9A12000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PartMgr.sys
Service Name: PartMgr
Module Base: F9CFA000
Module End: F9CFF000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\VolSnap.sys
Service Name: VolSnap
Module Base: F9A92000
Module End: F9A9F000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\atapi.sys
Service Name: atapi
Module Base: F99DB000
Module End: F99F3000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\disk.sys
Service Name: ---
Module Base: F9AA2000
Module End: F9AAB000
Hidden: No

Module Name: \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
Service Name: ---
Module Base: F9AB2000
Module End: F9ABF000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\fltmgr.sys
Service Name: FltMgr
Module Base: F99BB000
Module End: F99DB000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sr.sys
Service Name: sr
Module Base: F99A9000
Module End: F99BB000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PxHelp20.sys
Service Name: PxHelp20
Module Base: F9AC2000
Module End: F9ACB000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\KSecDD.sys
Service Name: KSecDD
Module Base: F9992000
Module End: F99A9000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Ntfs.sys
Service Name: Ntfs
Module Base: F9905000
Module End: F9992000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\NDIS.sys
Service Name: NDIS
Module Base: F98D8000
Module End: F9905000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Mup.sys
Service Name: Mup
Module Base: F98BE000
Module End: F98D8000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\agp440.sys
Service Name: agp440
Module Base: F9AD2000
Module End: F9ADD000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\intelppm.sys
Service Name: intelppm
Module Base: F9BF2000
Module End: F9BFB000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ati2mtaa.sys
Service Name: ati2mtaa
Module Base: F981C000
Module End: F9865000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\VIDEOPRT.SYS
Service Name: ---
Module Base: F9808000
Module End: F981C000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\usbuhci.sys
Service Name: usbuhci
Module Base: F9E22000
Module End: F9E28000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\USBPORT.SYS
Service Name: ---
Module Base: F97E4000
Module End: F9808000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\usbehci.sys
Service Name: usbehci
Module Base: F9E2A000
Module End: F9E32000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\HSFHWBS2.sys
Service Name: HSFHWBS2
Module Base: F97BE000
Module End: F97E4000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\HSF_DP.sys
Service Name: HSF_DP
Module Base: F96B3000
Module End: F97BE000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\HSF_CNXT.sys
Service Name: winachsf
Module Base: F9629000
Module End: F96B3000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Modem.SYS
Service Name: Modem
Module Base: F9E32000
Module End: F9E3A000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\e100b325.sys
Service Name: E100B
Module Base: F9606000
Module End: F9629000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\i8042prt.sys
Service Name: i8042prt
Module Base: F9C02000
Module End: F9C0F000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\kbdclass.sys
Service Name: Kbdclass
Module Base: F9E42000
Module End: F9E48000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\serial.sys
Service Name: Serial
Module Base: F9C12000
Module End: F9C22000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\serenum.sys
Service Name: serenum
Module Base: F9F42000
Module End: F9F46000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\parport.sys
Service Name: Parport
Module Base: F95F2000
Module End: F9606000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\cdrom.sys
Service Name: Cdrom
Module Base: F9C22000
Module End: F9C32000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\redbook.sys
Service Name: redbook
Module Base: F9C32000
Module End: F9C41000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ks.sys
Service Name: ---
Module Base: F95CF000
Module End: F95F2000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\pwd_2k.SYS
Service Name: pwd_2k
Module Base: F95B6000
Module End: F95CF000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\imapi.sys
Service Name: Imapi
Module Base: F9C42000
Module End: F9C4D000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\smwdm.sys
Service Name: smwdm
Module Base: F9537000
Module End: F95B6000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\portcls.sys
Service Name: ---
Module Base: F9513000
Module End: F9537000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\drmk.sys
Service Name: ---
Module Base: F9C72000
Module End: F9C81000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\aeaudio.sys
Service Name: aeaudio
Module Base: FA038000
Module End: FA03A000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\audstub.sys
Service Name: audstub
Module Base: FA03C000
Module End: FA03D000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\rasl2tp.sys
Service Name: Rasl2tp
Module Base: F9C82000
Module End: F9C8F000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ndistapi.sys
Service Name: NdisTapi
Module Base: F9F62000
Module End: F9F65000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ndiswan.sys
Service Name: NdisWan
Module Base: F94FC000
Module End: F9513000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\raspppoe.sys
Service Name: RasPppoe
Module Base: F9AF2000
Module End: F9AFD000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\raspptp.sys
Service Name: PptpMiniport
Module Base: F9C92000
Module End: F9C9E000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\TDI.SYS
Service Name: ---
Module Base: F9E62000
Module End: F9E67000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\psched.sys
Service Name: PSched
Module Base: F94EB000
Module End: F94FC000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\msgpc.sys
Service Name: Gpc
Module Base: F9CA2000
Module End: F9CAB000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ptilink.sys
Service Name: Ptilink
Module Base: F9E6A000
Module End: F9E6F000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\raspti.sys
Service Name: Raspti
Module Base: F9E72000
Module End: F9E77000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\termdd.sys
Service Name: TermDD
Module Base: F9CC2000
Module End: F9CCC000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\mouclass.sys
Service Name: Mouclass
Module Base: F9E7A000
Module End: F9E80000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\swenum.sys
Service Name: swenum
Module Base: F9F7A000
Module End: F9F7C000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\update.sys
Service Name: Update
Module Base: F948D000
Module End: F94EB000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\omci.sys
Service Name: omci
Module Base: F9D12000
Module End: F9D17000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\mssmbios.sys
Service Name: mssmbios
Module Base: F9EFA000
Module End: F9EFE000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\mmc_2K.SYS
Service Name: mmc_2K
Module Base: F9D1A000
Module End: F9D20000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Service Name: NDProxy
Module Base: F9CD2000
Module End: F9CDC000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\usbhub.sys
Service Name: usbhub
Module Base: F9CE2000
Module End: F9CF1000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\USBD.SYS
Service Name: ---
Module Base: F9F7C000
Module End: F9F7E000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\MODEMCSA.sys
Service Name: MODEMCSA
Module Base: F986D000
Module End: F9871000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\flpydisk.sys
Service Name: Flpydisk
Module Base: F9D2A000
Module End: F9D2F000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\i2omgmt.SYS
Service Name: i2omgmt
Module Base: F9F06000
Module End: F9F09000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Beep.SYS
Service Name: Beep
Module Base: F9F82000
Module End: F9F84000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\vga.sys
Service Name: VgaSave
Module Base: F9D3A000
Module End: F9D40000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Service Name: mnmdd
Module Base: F9F84000
Module End: F9F86000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Service Name: RDPCDD
Module Base: F9F86000
Module End: F9F88000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\cdudf_xp.SYS
Service Name: cdudf_xp
Module Base: F62AC000
Module End: F62E6000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Npfs.SYS
Service Name: Npfs
Module Base: F9D4A000
Module End: F9D52000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\UdfReadr_xp.SYS
Service Name: UdfReadr_xp
Module Base: F6267000
Module End: F629A000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\rasacd.sys
Service Name: RasAcd
Module Base: F9F1E000
Module End: F9F21000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ipsec.sys
Service Name: IPSec
Module Base: F621A000
Module End: F622D000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\tcpip.sys
Service Name: Tcpip
Module Base: F61C1000
Module End: F621A000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\avgtdix.sys
Service Name: AvgTdiX
Module Base: F61A8000
Module End: F61C1000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\netbt.sys
Service Name: NetBT
Module Base: F6180000
Module End: F61A8000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\afd.sys
Service Name: AFD
Module Base: F615E000
Module End: F6180000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\netbios.sys
Service Name: NetBIOS
Module Base: F9B32000
Module End: F9B3B000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\rdbss.sys
Service Name: Rdbss
Module Base: F6133000
Module End: F615E000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\mrxsmb.sys
Service Name: MRxSmb
Module Base: F60C3000
Module End: F6133000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fips.SYS
Service Name: Fips
Module Base: F9B62000
Module End: F9B6D000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\avgmfx86.sys
Service Name: AvgMfx86
Module Base: F9D52000
Module End: F9D58000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\avgldx86.sys
Service Name: AvgLdx86
Module Base: F6072000
Module End: F60C3000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ipnat.sys
Service Name: IpNat
Module Base: F604C000
Module End: F6072000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\wanarp.sys
Service Name: Wanarp
Module Base: F9B72000
Module End: F9B7B000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\hidusb.sys
Service Name: HidUsb
Module Base: F9F3A000
Module End: F9F3D000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\HIDCLASS.SYS
Service Name: ---
Module Base: F9B82000
Module End: F9B8B000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\HIDPARSE.SYS
Service Name: ---
Module Base: F9D5A000
Module End: F9D61000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\LVCD.sys
Service Name: QCDonner
Module Base: F9B92000
Module End: F9B9F000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\LVCam2.dll
Service Name: ---
Module Base: F6010000
Module End: F6024000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\LVCodek2.dll
Service Name: ---
Module Base: F5FA7000
Module End: F6010000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\STREAM.SYS
Service Name: ---
Module Base: F9BA2000
Module End: F9BAF000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\LHidFlt2.Sys
Service Name: LHidFlt2
Module Base: F9D6A000
Module End: F9D70000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\mouhid.sys
Service Name: mouhid
Module Base: F9F5A000
Module End: F9F5D000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\LMouFlt2.sys
Service Name: LMouFlt2
Module Base: F5EF6000
Module End: F5F07000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Service Name: Cdfs
Module Base: F946D000
Module End: F947D000
Hidden: No

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: F5EDE000
Module End: F5EF6000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: F9FC4000
Module End: F9FC6000
Hidden: Yes

Module Name: C:\WINDOWS\System32\drivers\Dxapi.sys
Service Name: ---
Module Base: F623D000
Module End: F6240000
Hidden: No

Module Name: C:\WINDOWS\System32\watchdog.sys
Service Name: ---
Module Base: F9D82000
Module End: F9D87000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\dxgthk.sys
Service Name: ---
Module Base: FA06D000
Module End: FA06E000
Hidden: No

Module Name: \systemroot\win32k.sys:1
Service Name: ---
Module Base: F9D62000
Module End: F9D67000
Hidden: Yes

Module Name: \systemroot\win32k.sys:2
Service Name: ---
Module Base: F9BB2000
Module End: F9BC1000
Hidden: Yes

Module Name: C:\WINDOWS\System32\DRIVERS\ndisuio.sys
Service Name: Ndisuio
Module Base: F360E000
Module End: F3612000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\mrxdav.sys
Service Name: MRxDAV
Module Base: F3359000
Module End: F3386000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\wdmaud.sys
Service Name: wdmaud
Module Base: F3344000
Module End: F3359000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sysaudio.sys
Service Name: sysaudio
Module Base: F945D000
Module End: F946C000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\dsunidrv.sys
Service Name: dsunidrv
Module Base: F9F94000
Module End: F9F96000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\HSF_FALL.sys
Service Name: Fallback
Module Base: F309F000
Module End: F30E6000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\HSF_FSKS.sys
Service Name: Fsks
Module Base: F3082000
Module End: F309F000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\HSF_K56K.sys
Service Name: K56
Module Base: F3022000
Module End: F3082000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\MCSTRM.SYS
Service Name: MCSTRM
Module Base: F9FE2000
Module End: F9FE4000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys
Service Name: mdmxsdk
Module Base: F30FE000
Module End: F3101000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\secdrv.sys
Service Name: Secdrv
Module Base: F5F77000
Module End: F5F81000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\HSF_FAXX.sys
Service Name: SoftFax
Module Base: F2F29000
Module End: F2F5A000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\HSF_SPKP.sys
Service Name: SpeakerPhone
Module Base: F2F17000
Module End: F2F29000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\srv.sys
Service Name: Srv
Module Base: F2EC5000
Module End: F2F17000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\HSF_TONE.sys
Service Name: Tones
Module Base: F3002000
Module End: F300F000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\HSF_V124.sys
Service Name: V124
Module Base: F2D85000
Module End: F2DFD000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\HTTP.sys
Service Name: HTTP
Module Base: F295C000
Module End: F299D000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Service Name: Fastfat
Module Base: F2457000
Module End: F247B000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\asyncmac.sys
Service Name: AsyncMac
Module Base: F34A2000
Module End: F34A6000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\fdc.sys
Service Name: Fdc
Module Base: F9E3A000
Module End: F9E41000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\ParVdm.SYS
Service Name: ParVdm
Module Base: FA032000
Module End: FA034000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Null.SYS
Service Name: Null
Module Base: FA08A000
Module End: FA08B000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Msfs.SYS
Service Name: Msfs
Module Base: F9D42000
Module End: F9D47000
Hidden: No

******************************************************************************************
******************************************************************************************
No SSDT Hooks found

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
No IRP Hooks found

******************************************************************************************
******************************************************************************************
Ports:
Local Address: D3YNY321.DOMAIN.INVALID:2925
Remote Address: 64.225.158.189:HTTP
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: ESTABLISHED

Local Address: D3YNY321.DOMAIN.INVALID:2921
Remote Address: 64.225.158.189:HTTP
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: ESTABLISHED

Local Address: D3YNY321.DOMAIN.INVALID:NETBIOS-SSN
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: D3YNY321:18080
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: LISTENING

Local Address: D3YNY321:13128
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: LISTENING

Local Address: D3YNY321:10080
Remote Address: LOCALHOST:2924
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: ESTABLISHED

Local Address: D3YNY321:10080
Remote Address: LOCALHOST:2919
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: ESTABLISHED

Local Address: D3YNY321:10080
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: LISTENING

Local Address: D3YNY321:5152
Remote Address: LOCALHOST:2929
Type: TCP
Process: C:\Program Files\Java\jre6\bin\jqs.exe
State: CLOSE_WAIT

Local Address: D3YNY321:5152
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Java\jre6\bin\jqs.exe
State: LISTENING

Local Address: D3YNY321:2937
Remote Address: LOCALHOST:10080
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: D3YNY321:2924
Remote Address: LOCALHOST:10080
Type: TCP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: ESTABLISHED

Local Address: D3YNY321:2919
Remote Address: LOCALHOST:10080
Type: TCP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: ESTABLISHED

Local Address: D3YNY321:23570
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\SYSTEM32\svchost.exe
State: LISTENING

Local Address: D3YNY321:MICROSOFT-DS
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: D3YNY321:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\SYSTEM32\svchost.exe
State: LISTENING

Local Address: D3YNY321.DOMAIN.INVALID:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\SYSTEM32\svchost.exe
State: NA

Local Address: D3YNY321.DOMAIN.INVALID:138
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: D3YNY321.DOMAIN.INVALID:NETBIOS-NS
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: D3YNY321.DOMAIN.INVALID:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\SYSTEM32\svchost.exe
State: NA

Local Address: D3YNY321:2920
Remote Address: NA
Type: UDP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: NA

Local Address: D3YNY321:2763
Remote Address: NA
Type: UDP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: NA

Local Address: D3YNY321:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\SYSTEM32\svchost.exe
State: NA

Local Address: D3YNY321:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\SYSTEM32\svchost.exe
State: NA

Local Address: D3YNY321:4500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\SYSTEM32\lsass.exe
State: NA

Local Address: D3YNY321:500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\SYSTEM32\lsass.exe
State: NA

Local Address: D3YNY321:MICROSOFT-DS
Remote Address: NA
Type: UDP
Process: System
State: NA

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\WINDOWS\SYSTEM32\lowsec
Status: Hidden

Object: C:\WINDOWS\SYSTEM32\sdra64.exe
Status: Hidden

#8
hammerman
Hello,

It looks like the SysProt log was cut off. Can you check?

#9
little_gardener_24 (Topic Starter)
I ran the scan again and opened the log but it ends at the same spot.

#10
hammerman
Thanks for checking.

Please follow these steps in the order shown.

-- Step 1 --

Click on Start -> Run..., and copy-paste the following command (the bolded text) into the "Open:" box, and click OK.

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

-- Step 2 --

1. Please download The Avenger by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Begin copying here:

Files to move:
C:\Windows\system32\logevent.dll | C:\WINDOWS\SYSTEM32\eventlog.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.

-- Step 3 --

Download Combofix from any of the links below but rename it to cfix.exe before saving it to your desktop.

Link 2
Link 3

==================================

Double click on cfix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.

#11
little_gardener_24 (Topic Starter)
Here is the Win32 log:


Running from: C:\Documents and Settings\Brenda\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\Brenda\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Found mount point : C:\WINDOWS\$hf_mig$\KB968389\KB968389

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB968389\KB968389

Found mount point : C:\WINDOWS\ADDINS\ADDINS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ADDINS\ADDINS

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\Temp

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\temp\temp

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\tmp\tmp

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Debug\UserMode\UserMode

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave

Found mount point : C:\WINDOWS\History\History

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\History\History

Found mount point : C:\WINDOWS\IME\CHSIME\APPLETS\APPLETS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\IME\CHSIME\APPLETS\APPLETS

Found mount point : C:\WINDOWS\IME\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\IME\CHTIME\Applets\Applets

Found mount point : C:\WINDOWS\IME\IMEJP\APPLETS\APPLETS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\IME\IMEJP\APPLETS\APPLETS

Found mount point : C:\WINDOWS\IME\IMEJP98\IMEJP98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\IME\IMEJP98\IMEJP98

Found mount point : C:\WINDOWS\IME\IMJP8_1\APPLETS\APPLETS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\IME\IMJP8_1\APPLETS\APPLETS

Found mount point : C:\WINDOWS\IME\IMKR6_1\APPLETS\APPLETS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\IME\IMKR6_1\APPLETS\APPLETS

Found mount point : C:\WINDOWS\IME\IMKR6_1\DICTS\DICTS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\IME\IMKR6_1\DICTS\DICTS

Found mount point : C:\WINDOWS\IME\SHARED\RES\RES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\IME\SHARED\RES\RES

Found mount point : C:\WINDOWS\Installer\{541DEAC0-5F3D-45E6-B7CB-94ECF3B96748}\{541DEAC0-5F3D-45E6-B7CB-94ECF3B96748}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\{541DEAC0-5F3D-45E6-B7CB-94ECF3B96748}\{541DEAC0-5F3D-45E6-B7CB-94ECF3B96748}

Found mount point : C:\WINDOWS\JAVA\TRUSTLIB\TRUSTLIB

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\JAVA\TRUSTLIB\TRUSTLIB

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point : C:\WINDOWS\MSAPPS\MSINFO\MSINFO

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\MSAPPS\MSINFO\MSINFO

Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Found mount point : C:\WINDOWS\MUI\MUI

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\MUI\MUI

Found mount point : C:\WINDOWS\PCHealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\WINDOWS\PCHealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\BATCH\BATCH

Cannot access: C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpsvc.exe

Attempting to restore permissions of : C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpsvc.exe

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Config\News\News

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\Config\News\News

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\System\DFS\DFS

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\Temp\Temp

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PIF\PIF

Found mount point : C:\WINDOWS\Profiles\All Users\Start Menu\Programs\Hoyle®\Hoyle®

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Profiles\All Users\Start Menu\Programs\Hoyle®\Hoyle®

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\REPAIR\Backup\ServiceState\ServiceState

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\REPAIR\Backup\ServiceState\ServiceState

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\backup\asms\10\msft\windows\windows

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\backup\asms\10\msft\windows\windows

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\backup\asms\10\policy\msft\windows\windows

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\backup\asms\10\policy\msft\windows\windows

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\backup\asms\51\msft\windows\system\system

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\backup\asms\51\msft\windows\system\system

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\backup\asms\51\policy\msft\windows\system\system

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\backup\asms\51\policy\msft\windows\system\system

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\backup\asms\52\msft\windows\net\net

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\backup\asms\52\msft\windows\net\net

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\backup\asms\60\msft\windows\common\common

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\backup\asms\60\msft\windows\common\common

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\backup\asms\60\policy\60\60

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\backup\asms\60\policy\60\60

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\backup\asms\70\msft\windows\windows

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\backup\asms\70\msft\windows\windows

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\backup\asms\70\policy\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\backup\asms\70\policy\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\37fefde58a963f27982e5f97ce053f7f\37fefde58a963f27982e5f97ce053f7f

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\37fefde58a963f27982e5f97ce053f7f\37fefde58a963f27982e5f97ce053f7f

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\42ac58cab0e6fa5e500b8de2f1c4f1fa\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\42ac58cab0e6fa5e500b8de2f1c4f1fa\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Cannot access: C:\WINDOWS\SYSTEM32\dumprep.exe

Attempting to restore permissions of : C:\WINDOWS\SYSTEM32\dumprep.exe

Cannot access: C:\WINDOWS\SYSTEM32\eventlog.dll

Attempting to restore permissions of : C:\WINDOWS\SYSTEM32\eventlog.dll

[1] 2004-08-04 03:56:42 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2004-08-04 03:56:42 55808 C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 20:11:53 61952 C:\WINDOWS\SYSTEM32\eventlog.dll ()

[2] 2008-04-13 20:11:53 56320 C:\WINDOWS\SYSTEM32\logevent.dll (Microsoft Corporation)

[1] 2002-08-29 07:00:00 49152 C:\i386\EVENTLOG.DLL (Microsoft Corporation)



Found mount point : C:\WINDOWS\Temp\MCE00000\MCE00000

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00000\MCE00000

Found mount point : C:\WINDOWS\Temp\SiteAdvisor\SiteAdvisor

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\SiteAdvisor\SiteAdvisor

Found mount point : C:\WINDOWS\Temp\WMFA\WMFA

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WMFA\WMFA

Found mount point : C:\WINDOWS\Temp\~offfilt\~offfilt

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\~offfilt\~offfilt

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp



Finished!

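The file listing that Win32kDiag prints under "Cannot access: C:\WINDOWS\SYSTEM32\eventlog.dll" is the evidence a responder reads before touching the file. The following added example (not part of Win32kDiag, The Avenger or this thread) parses those "[n] date time size path (company)" lines, flags a copy under SYSTEM32 whose company name is empty or whose size differs from the service-pack copy carrying the same timestamp, and lists every other copy whose timestamp, size and company match that service-pack reference. Treating the ServicePackFiles copy as the trusted reference is this example's assumption; the sample input is the eventlog.dll block from the log above.

```python
import re
from dataclasses import dataclass

# Matches the per-copy lines Win32kDiag prints under a "Cannot access:" entry:
#   [1] 2008-04-13 20:11:53 61952 C:\WINDOWS\SYSTEM32\eventlog.dll ()
# Captured: bracketed count, date, time, size in bytes, full path, and the
# parenthesised company name (empty for the SYSTEM32 copy in this log).
LINE_RE = re.compile(
    r"^\[(?P<count>\d+)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\d+)\s+(?P<path>.+?)\s+\((?P<company>[^)]*)\)\s*$"
)

# Directory holding the copy this example treats as the trusted reference.
# That choice is an assumption of this example, not something Win32kDiag states.
REFERENCE_DIR = "\\servicepackfiles\\"
LIVE_DIR = "\\system32\\"

# Constructed sample: the eventlog.dll block copied from the Win32kDiag log above.
SAMPLE_LINES = [
    r"Cannot access: C:\WINDOWS\SYSTEM32\eventlog.dll",
    r"Attempting to restore permissions of : C:\WINDOWS\SYSTEM32\eventlog.dll",
    r"[1] 2004-08-04 03:56:42 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)",
    r"[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)",
    r"[1] 2004-08-04 03:56:42 55808 C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\eventlog.dll (Microsoft Corporation)",
    r"[1] 2008-04-13 20:11:53 61952 C:\WINDOWS\SYSTEM32\eventlog.dll ()",
    r"[2] 2008-04-13 20:11:53 56320 C:\WINDOWS\SYSTEM32\logevent.dll (Microsoft Corporation)",
    r"[1] 2002-08-29 07:00:00 49152 C:\i386\EVENTLOG.DLL (Microsoft Corporation)",
]


@dataclass(frozen=True)
class FileCopy:
    timestamp: str   # "YYYY-MM-DD HH:MM:SS" exactly as logged
    size: int
    path: str
    company: str

    @property
    def name(self) -> str:
        # Case-insensitive basename, so EVENTLOG.DLL and eventlog.dll group together.
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def fingerprint(self):
        return (self.timestamp, self.size, self.company)


def parse_copies(lines):
    """Return a FileCopy for every listing line; other log lines are ignored."""
    copies = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            copies.append(FileCopy(f"{m['date']} {m['time']}", int(m["size"]),
                                   m["path"], m["company"]))
    return copies


def reference_copies(copies, name):
    """Copies of the given basename that live in the reference directory."""
    return [c for c in copies if c.name == name and REFERENCE_DIR in c.path.lower()]


def assess_live_copies(copies):
    """Flag copies under SYSTEM32 that look tampered with. Returns [(path, [reasons])]."""
    findings = []
    for c in copies:
        if LIVE_DIR not in c.path.lower():
            continue
        reasons = []
        if not c.company:
            reasons.append("empty company name")
        for ref in reference_copies(copies, c.name):
            # Same timestamp as the service-pack copy but a different size: the
            # file's date was preserved while its contents changed.
            if ref.timestamp == c.timestamp and ref.size != c.size:
                reasons.append(f"size {c.size} differs from reference {ref.size} "
                               f"despite identical timestamp {c.timestamp}")
        if reasons:
            findings.append((c.path, reasons))
    return findings


def matching_copies(copies, suspect_path):
    """Paths (other than the suspect, any basename) whose fingerprint equals a
    reference copy of the suspect's name; these are the candidates for restoring it."""
    suspect = next(c for c in copies if c.path == suspect_path)
    refs = {r.fingerprint for r in reference_copies(copies, suspect.name)}
    return [c.path for c in copies if c.path != suspect_path and c.fingerprint in refs]


if __name__ == "__main__":
    copies = parse_copies(SAMPLE_LINES)
    for path, reasons in assess_live_copies(copies):
        print(path)
        for reason in reasons:
            print("  -", reason)
        print("  copies matching the reference fingerprint:", matching_copies(copies, path))
```

On the sample, the SYSTEM32 eventlog.dll is flagged on both counts and the matching copies are the ServicePackFiles one and C:\WINDOWS\SYSTEM32\logevent.dll, the file the Step 2 script moves into place.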
#12
little_gardener_24 (Topic Starter)
Here is the avenger log:


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\Windows\system32\logevent.dll|C:\WINDOWS\SYSTEM32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

#13
little_gardener_24 (Topic Starter)
I am so excited! When I logged onto the internet, the articles now appear!
Here is the combo fix log:


ComboFix 09-10-04.01 - Brenda 10/04/2009 14:36.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.255.68 [GMT -4:00]
Running from: c:\documents and settings\Brenda\Desktop\cfix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\All Users\Application Data\osyrocu.dl
c:\documents and settings\Brenda\Local Settings\Application Data\byka._dl
c:\documents and settings\Brenda\Local Settings\Application Data\tojygosyq.dl
c:\documents and settings\Brenda\Local Settings\Temporary Internet Files\ajaciqi.ban
C:\LOG2.tmp
C:\LOG6EE.tmp
C:\LOGB.tmp
c:\program files\Common Files\qywo.dl
c:\program files\screensavers.com
c:\windows\AUTOLNCH.REG
c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx
c:\windows\cyzacufycy.dl
c:\windows\Downloaded Program Files\MiNIbugtransporter.dll
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\Downloaded Program Files\RdxIE.dll
c:\windows\Installer\140811.msi
c:\windows\Installer\140816.msi
c:\windows\Installer\17fcb3.msi
c:\windows\Installer\17fcb9.msi
c:\windows\Installer\17fcbf.msi
c:\windows\Installer\24fa212.msp
c:\windows\Installer\40a4d.msp
c:\windows\ONETW.DRV
c:\windows\system32\bycasyly.ban
c:\windows\system32\cru629.dat
c:\windows\system32\hesohixiki.dl
c:\windows\system32\kihipapo.dll.tmp
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user(10).ds
c:\windows\system32\lowsec\user(11).ds
c:\windows\system32\lowsec\user(12).ds
c:\windows\system32\lowsec\user(13).ds
c:\windows\system32\lowsec\user(2).ds
c:\windows\system32\lowsec\user(3).ds
c:\windows\system32\lowsec\user(4).ds
c:\windows\system32\lowsec\user(5).ds
c:\windows\system32\lowsec\user(6).ds
c:\windows\system32\lowsec\user(7).ds
c:\windows\system32\lowsec\user(8).ds
c:\windows\system32\lowsec\user(9).ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\lowsec\user.ds.lll
c:\windows\system32\rijikoyi.dll.tmp
c:\windows\system32\rikojine(2).dll
c:\windows\system32\sdra64.exe
c:\windows\system32\yelosuso.dll.tmp

----- BITS: Possible infected sites -----

hxxp://download.yimg.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-09-04 to 2009-10-04 )))))))))))))))))))))))))))))))
.

2009-09-29 00:54 . 2009-09-29 00:54 -------- d-----w- c:\documents and settings\Brenda\Application Data\Malwarebytes
2009-09-29 00:53 . 2009-09-29 00:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-29 00:47 . 2009-09-29 00:47 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-29 00:45 . 2009-09-29 00:45 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-09-27 22:33 . 2009-09-27 22:33 -------- d-----w- c:\documents and settings\Brenda\Application Data\DivX
2009-09-27 18:20 . 2009-09-27 18:20 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-09-27 18:20 . 2009-09-27 18:20 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-09-27 18:20 . 2009-10-03 21:56 -------- d-----w- c:\windows\system32\drivers\Avg
2009-09-27 18:20 . 2009-09-27 18:20 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-09-27 18:20 . 2009-09-27 18:20 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-09-27 18:08 . 2002-01-08 21:00 176128 ----a-w- c:\windows\system32\RcdScan.dll
2009-09-27 18:08 . 2000-03-23 16:50 446464 ----a-r- c:\windows\system32\hhactivex.dll
2009-09-27 18:08 . 1998-06-18 03:00 89360 ----a-w- c:\windows\system32\VB5DB.DLL
2009-09-27 17:41 . 2009-09-27 17:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG8
2009-09-27 17:40 . 2009-09-27 17:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
2009-09-26 08:36 . 2009-10-03 00:28 -------- d-----w- c:\documents and settings\Brenda\Application Data\LimeWire
2009-09-26 01:31 . 2009-09-26 01:31 -------- d-----r- c:\documents and settings\Desktop
2009-09-25 23:22 . 2009-09-27 21:35 -------- d-----w- C:\$AVG8.VAULT$
2009-09-25 22:47 . 2009-09-25 22:47 -------- d-----w- c:\program files\AVG
2009-09-25 22:47 . 2009-09-27 18:19 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-25 22:36 . 2009-09-25 22:36 -------- d-----w- c:\documents and settings\Brenda\Application Data\AVG8
2009-09-25 22:20 . 2009-09-28 15:37 0 ----a-w- c:\windows\win32k.sys
2009-09-25 22:07 . 2009-09-25 22:07 -------- d-----r- c:\program files\Skype
2009-09-25 22:07 . 2009-09-25 22:07 -------- d-----w- c:\program files\Common Files\Skype
2009-09-25 22:05 . 2009-09-25 22:05 -------- d-----w- c:\program files\Yahoo! Games
2009-09-25 22:05 . 2009-09-25 22:05 -------- d-----w- c:\program files\Postal2STP
2009-09-25 22:05 . 2009-09-25 22:05 -------- d-----w- c:\program files\Freeze.com
2009-09-25 22:02 . 2009-09-25 22:02 -------- d-----w- c:\documents and settings\Administrator\IETldCache
2009-09-24 05:31 . 2009-09-24 05:31 16151 ----a-w- c:\documents and settings\Brenda\Local Settings\Application Data\ywyhupinam.dat
2009-09-24 01:44 . 2009-09-24 01:44 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-09-23 08:30 . 2009-09-23 08:30 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-09-23 00:42 . 2009-09-25 22:08 -------- d-----w- c:\program files\Common Files\McAfee
2009-09-23 00:42 . 2009-09-25 22:08 -------- d-----w- c:\program files\McAfee.com
2009-09-23 00:42 . 2009-09-25 22:08 -------- d-----w- c:\program files\McAfee
2009-09-22 22:46 . 2002-11-27 15:59 56952 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-22 22:46 . 2009-09-27 18:18 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft
2009-09-22 22:46 . 2009-09-27 17:30 -------- d-s---w- c:\documents and settings\Administrator
2009-09-22 22:31 . 2009-09-25 22:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-09-22 22:31 . 2009-09-22 22:31 -------- d-----w- c:\program files\Lavasoft
2009-09-22 22:16 . 2009-09-25 22:09 -------- dc----w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-09-21 17:52 . 2009-10-04 00:55 -------- d-----w- c:\documents and settings\All Users\Application Data\11389214
2009-09-21 17:43 . 2009-09-21 17:43 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-09-20 21:31 . 2009-09-20 21:31 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-09-20 02:48 . 2009-09-23 14:17 -------- d-----w- c:\program files\Windstream Toolbar
2009-09-19 18:28 . 2009-09-19 18:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Motive
2009-09-19 18:28 . 2009-09-19 18:28 -------- d-----w- c:\program files\Common Files\Motive
2009-09-19 18:28 . 2009-09-19 18:28 -------- d-----w- c:\program files\windstream_act
2009-09-19 18:21 . 2009-09-19 18:21 -------- d-----w- c:\windows\system32\LogFiles
2009-09-17 17:10 . 2009-09-17 17:10 61440 ----a-w- c:\windows\diabunin.exe
2009-09-17 17:10 . 2009-09-17 17:36 -------- d-----w- C:\Diablo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-03 17:34 . 2005-12-11 07:03 -------- d-----w- c:\program files\Diablo II
2009-09-29 00:47 . 2005-04-04 01:10 -------- d-----w- c:\program files\Java
2009-09-27 22:06 . 2003-06-29 03:15 -------- d-----w- c:\documents and settings\Brenda\Application Data\Yahoo! Messenger
2009-09-27 22:05 . 2008-03-30 02:45 -------- d-----w- c:\documents and settings\Brenda\Application Data\U3
2009-09-27 22:05 . 2007-10-21 00:02 -------- d-----w- c:\documents and settings\Brenda\Application Data\Pogo Games
2009-09-27 22:04 . 2009-04-05 01:05 -------- d-----w- c:\documents and settings\Brenda\Application Data\Move Networks
2009-09-27 17:37 . 2006-10-26 22:14 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-25 22:05 . 2007-09-10 08:15 -------- d-----w- c:\program files\NovaLogic
2009-09-24 05:31 . 2009-09-24 05:31 16947 ----a-w- c:\program files\Common Files\xonesuj.db
2009-09-23 17:24 . 2008-07-20 07:34 58 ----a-w- c:\documents and settings\.limewire\downloads.dat
2009-09-23 17:24 . 2006-02-07 02:21 6059 ----a-w- c:\documents and settings\.limewire\spam.dat
2009-09-23 16:56 . 2009-03-28 01:22 26341 ----a-w- c:\documents and settings\.limewire\library5.dat
2009-09-23 16:33 . 2002-11-27 16:00 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-23 14:17 . 2009-05-25 21:34 -------- d-----w- c:\program files\DivX
2009-09-20 20:49 . 2002-11-27 16:02 -------- d-----w- c:\program files\EarthLink 5.0
2009-09-18 01:47 . 2005-11-25 23:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-09-17 17:10 . 2008-06-22 16:26 86528 ----a-w- c:\windows\bnetunin.exe
2009-08-29 17:03 . 2002-12-04 22:53 123312 ----a-w- c:\documents and settings\Brenda\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-29 16:49 . 2009-08-29 16:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-29 16:46 . 2002-11-27 15:32 -------- d-----w- c:\program files\Microsoft Works
2009-08-05 09:01 . 2002-08-29 11:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2002-08-29 11:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 14:08 . 2004-08-04 07:56 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2006-02-20 16:28 . 2006-02-20 16:29 774144 ----a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{7f559c93-2b3f-4ad7-8b03-ed64f0b1a494}"= "c:\program files\Windstream Toolbar\Helper.dll" [2009-09-20 201216]

[HKEY_CLASSES_ROOT\clsid\{7f559c93-2b3f-4ad7-8b03-ed64f0b1a494}]
[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{DECE53AA-244F-427E-8935-3A093D249E4C}]
[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{31A42398-1CD9-4FB9-8451-BEE871AFD7C3}"= "c:\program files\Windstream Toolbar\Toolbar.dll" [2009-09-20 1358848]

[HKEY_CLASSES_ROOT\clsid\{31a42398-1cd9-4fb9-8451-bee871afd7c3}]
[HKEY_CLASSES_ROOT\FCTB000059851.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{E90A8C7D-65EB-4102-95F8-1037AEA4D353}]
[HKEY_CLASSES_ROOT\FCTB000059851.IEToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{31A42398-1CD9-4FB9-8451-BEE871AFD7C3}"= "c:\program files\Windstream Toolbar\Toolbar.dll" [2009-09-20 1358848]

[HKEY_CLASSES_ROOT\clsid\{31a42398-1cd9-4fb9-8451-bee871afd7c3}]
[HKEY_CLASSES_ROOT\FCTB000059851.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{E90A8C7D-65EB-4102-95F8-1037AEA4D353}]
[HKEY_CLASSES_ROOT\FCTB000059851.IEToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-02-20 4363504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-17 28738]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-04-10 679936]
"Lexmark X84-X85 Button Monitor"="c:\progra~1\LEXMAR~1\ACMonitor_X84-X85.exe" [2002-08-23 40960]
"Lexmark X84-X85 Button Manager"="c:\progra~1\LEXMAR~1\AcBtnMgr_X84-X85.exe" [2002-09-04 53248]
"PrinTray"="c:\windows\System32\spool\DRIVERS\W32X86\3\printray.exe" [2002-09-19 36864]
"LVCOMS"="c:\program files\Common Files\Logitech\QCDriver\LVCOMS.EXE" [2001-06-27 86016]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-04-02 180269]
"mmtask"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2006-01-17 53248]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-12-06 282624]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-29 149280]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-03 2023704]
"Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2003-03-04 19968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2002-11-27 45056]
ExifLauncher2.lnk - c:\program files\FinePixViewer\QuickDCF2.exe [2008-6-11 303104]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2006-10-8 169472]
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-8-7 24633]
Reality Fusion GameCam SE.lnk - c:\program files\Reality Fusion\Reality Fusion GameCam SE\Program\RFTRay.exe [2000-7-10 323584]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-09-27 18:20 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Diablo\\diablo.exe"=
"c:\\Program Files\\Windstream Toolbar\\TroubleShooter.exe"=
"c:\\Program Files\\Windstream Toolbar\\ToolbarUpdate.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [9/27/2009 2:20 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [9/27/2009 2:20 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [9/27/2009 2:19 PM 297752]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [9/27/2009 2:19 PM 908056]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\McAfee\SiteAdvisor\McSACore.exe" --> c:\program files\McAfee\SiteAdvisor\McSACore.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
Contents of the 'Scheduled Tasks' folder

2009-10-04 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2002-11-27 16:24]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.earthlink.net/partner/more/msie/button/search.html
uStart Page = hxxp://www.windstream.net/wind/portal/index.aspx
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Lisa\Start Menu\Programs\IMVU\Run IMVU.lnk
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
DPF: {A084A130-28AE-4B32-B51A-1C8CE164BC88} - hxxp://www.convergysworkathome.com/AppHardT.CAB
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exe
HKCU-Run-WebCamRT.exe - (no file)
HKLM-Run-mcagent_exe - c:\program files\McAfee.com\Agent\mcagent.exe
HKLM-Run-newuzumuj - c:\windows\system32\dutuhabe.dll
SharedTaskScheduler-{74dfe427-475c-41a5-8a69-9b87dc64b4b7} - c:\windows\system32\wenunuve.dll
SharedTaskScheduler-{607d58cc-37ab-4649-9e29-b7caf7409b4f} - c:\windows\system32\dutuhabe.dll
SSODL-yorovolov-{74dfe427-475c-41a5-8a69-9b87dc64b4b7} - c:\windows\system32\wenunuve.dll
SSODL-behudizip-{607d58cc-37ab-4649-9e29-b7caf7409b4f} - c:\windows\system32\dutuhabe.dll
SafeBoot-mfehidk
SafeBoot-mferkdk
SafeBoot-mfetdik
SafeBoot-mfetdik.sys
AddRemove-MoodLogic DeviceLink - c:\progra~1\MOODLO~1\COMPON~1\DEVICE~1\UNWISE.EXE
AddRemove-Works2002Setup - c:\program files\Microsoft Works Suite 2002\Setup\Launcher.exe
AddRemove-{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF} - c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-04 14:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(516)
c:\windows\system32\WININET.dll
c:\program files\Logitech\MouseWare\System\LgWndHk.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\SYSTEM32\wdfmgr.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\program files\Logitech\MouseWare\system\EM_EXEC.EXE
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2009-10-04 15:03 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-04 19:03

Pre-Run: 98,445,418,496 bytes free
Post-Run: 100,124,200,960 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

318 --- E O F --- 2009-08-26 07:02

#14
hammerman

  • Member 4k
  • 4,183 posts
Hello,

WARNING:
You have a backdoor trojan installed on your computer.
Backdoor Trojans, IRCBots and Infostealers are very dangerous because they provide a means of accessing a computer system that bypasses security mechanisms and steal sensitive information like passwords, personal and financial data which they send back to the hacker. Remote attackers use backdoor Trojans as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

All passwords should be changed immediately to include those used for banking, email, eBay and forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

Please follow these steps.

-- Step 1 --

I notice you are running one or more Peer-to-Peer (P2P) programs. The files shared by P2P programs are often infected with viruses and malware, even though they may appear to be legitimate. For this reason, I would recommend you uninstall them. If you decide to keep them, I ask that you do not use them while we are fixing your problem.

An article indicating the Dangers of P2P can be found here

-- Step 2 --

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\documents and settings\Brenda\Local Settings\Application Data\ywyhupinam.dat
c:\windows\system32\ezsidmv.dat
c:\program files\Common Files\xonesuj.db

Folder::
c:\documents and settings\All Users\Application Data\11389214

Registry::

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe

[Image: dragging CFScript.txt onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

-- Step 3 --

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

-- Step 4 --

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

-- Step 5 --
  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows: OTListIt.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply. You may need two posts to fit them all in.

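Step 2 above hands ComboFix a CFScript naming the files and folder to remove, and the log from that run is expected to confirm the removals. The script below is an added example, written for this page and not code from the thread, from the helper, or from ComboFix: it parses the CFScript exactly as posted, parses the second ComboFix log posted in the next reply (the "Other Deletions" and "Files Created" sections), checks that every File:: and Folder:: target appears under "Other Deletions", and separately flags any zero-byte file with an executable extension in "Files Created" (in this log, the 0-byte win32k.sys directly under the Windows folder). The parsing rules are inferred from the log format as it appears in this thread and the extension list is my own choice; both are assumptions, not ComboFix documentation.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# CFScript as posted by the helper in this thread (verbatim).
CFSCRIPT = r"""File::
c:\documents and settings\Brenda\Local Settings\Application Data\ywyhupinam.dat
c:\windows\system32\ezsidmv.dat
c:\program files\Common Files\xonesuj.db

Folder::
c:\documents and settings\All Users\Application Data\11389214

Registry::

Driver::
"""

# Excerpt of the second ComboFix log in this thread (the run that consumed the
# script); only the two sections read below are kept, one filler "." line included.
SECOND_LOG = r"""((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\11389214
c:\documents and settings\All Users\Application Data\11389214\pc11389214reg
c:\documents and settings\Brenda\Local Settings\Application Data\ywyhupinam.dat
c:\program files\Common Files\xonesuj.db
c:\windows\system32\ezsidmv.dat
((((((((((((((((((((((((( Files Created from 2009-09-04 to 2009-10-04 )))))))))))))))))))))))))))))))
2009-09-27 18:20 . 2009-09-27 18:20 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-09-25 22:20 . 2009-09-28 15:37 0 ----a-w- c:\windows\win32k.sys
2009-09-27 18:20 . 2009-10-04 22:54 -------- d-----w- c:\windows\system32\drivers\Avg
"""

CF_SECTION_RE = re.compile(r"^(\w+)::$")           # "File::", "Folder::", ...
LOG_HEADER_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")   # "(((( Other Deletions ))))"
ENTRY_RE = re.compile(                               # one "Files Created" row
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$")
EXECUTABLE_EXT = (".exe", ".dll", ".sys", ".ocx", ".drv")  # my choice, not ComboFix's


@dataclass
class FileRecord:
    created: str
    modified: str
    size: Optional[int]  # None for directories, which ComboFix prints as "--------"
    attrs: str           # e.g. "----a-w-"; a leading "d" marks a directory
    path: str


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Map each 'Name::' section of a CFScript to its non-empty lines."""
    sections: Dict[str, List[str]] = {}
    current = None
    for line in (raw.strip() for raw in text.splitlines()):
        m = CF_SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections


def split_log_sections(log: str) -> Dict[str, List[str]]:
    """Group log lines under their '(((( Title ))))' headers, dropping blank and '.' filler."""
    sections: Dict[str, List[str]] = {"preamble": []}
    current = "preamble"
    for line in (raw.strip() for raw in log.splitlines()):
        m = LOG_HEADER_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif line and line != ".":
            sections[current].append(line)
    return sections


def find_section(sections: Dict[str, List[str]], prefix: str) -> List[str]:
    """Titles such as 'Files Created from ... to ...' carry dates, so match on a prefix."""
    return next((v for k, v in sections.items() if k.startswith(prefix)), [])


def parse_files_created(lines: List[str]) -> List[FileRecord]:
    records = []
    for m in filter(None, map(ENTRY_RE.match, lines)):
        size = None if m["size"].startswith("-") else int(m["size"])
        records.append(FileRecord(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return records


def verify_remediation(script: Dict[str, List[str]], deletions: Set[str]) -> Dict[str, bool]:
    """True for each File::/Folder:: target that Other Deletions confirms (NTFS ignores case)."""
    deleted = {p.lower() for p in deletions}
    return {t: t.lower() in deleted for sec in ("File", "Folder") for t in script.get(sec, [])}


def flag_zero_byte_binaries(records: List[FileRecord]) -> List[str]:
    # A zero-byte file with an executable extension cannot be a working component, so
    # each one deserves a look; in this thread's log it is the 0-byte win32k.sys directly
    # under the Windows folder (the genuine driver of that name lives in system32).
    return [r.path for r in records
            if not r.attrs.startswith("d") and r.size == 0 and r.path.lower().endswith(EXECUTABLE_EXT)]


if __name__ == "__main__":
    sections = split_log_sections(SECOND_LOG)
    deletions = set(find_section(sections, "Other Deletions"))
    for target, ok in verify_remediation(parse_cfscript(CFSCRIPT), deletions).items():
        print(("removed  " if ok else "MISSING  ") + target)
    for path in flag_zero_byte_binaries(parse_files_created(find_section(sections, "Files Created"))):
        print("zero-byte binary: " + path)
```

Run as-is it reports all four script targets as removed and lists the one zero-byte binary. Feeding it a full log instead of the excerpt needs no change, because sections are located by title rather than by position; a target that does not show up under "Other Deletions" is printed as MISSING, which is the case worth asking the helper about before declaring the machine clean.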

#15
little_gardener_24

  • Topic Starter
  • Member
  • 23 posts
Here is the 2nd log report from ComboFix:


ComboFix 09-10-04.01 - Brenda 10/04/2009 19:46.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.255.93 [GMT -4:00]
Running from: c:\documents and settings\Brenda\Desktop\cfix.exe
Command switches used :: c:\documents and settings\Brenda\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\documents and settings\Brenda\Local Settings\Application Data\ywyhupinam.dat"
"c:\program files\Common Files\xonesuj.db"
"c:\windows\system32\ezsidmv.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\11389214
c:\documents and settings\All Users\Application Data\11389214\pc11389214reg
c:\documents and settings\Brenda\Local Settings\Application Data\ywyhupinam.dat
c:\program files\Common Files\xonesuj.db
c:\windows\system32\ezsidmv.dat

.
((((((((((((((((((((((((( Files Created from 2009-09-04 to 2009-10-04 )))))))))))))))))))))))))))))))
.

2009-09-29 00:54 . 2009-09-29 00:54 -------- d-----w- c:\documents and settings\Brenda\Application Data\Malwarebytes
2009-09-29 00:53 . 2009-09-29 00:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-29 00:47 . 2009-09-29 00:47 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-29 00:45 . 2009-09-29 00:45 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-09-27 22:33 . 2009-09-27 22:33 -------- d-----w- c:\documents and settings\Brenda\Application Data\DivX
2009-09-27 18:20 . 2009-09-27 18:20 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-09-27 18:20 . 2009-09-27 18:20 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-09-27 18:20 . 2009-10-04 22:54 -------- d-----w- c:\windows\system32\drivers\Avg
2009-09-27 18:20 . 2009-09-27 18:20 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-09-27 18:20 . 2009-09-27 18:20 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-09-27 18:08 . 2002-01-08 21:00 176128 ----a-w- c:\windows\system32\RcdScan.dll
2009-09-27 18:08 . 2000-03-23 16:50 446464 ----a-r- c:\windows\system32\hhactivex.dll
2009-09-27 18:08 . 1998-06-18 03:00 89360 ----a-w- c:\windows\system32\VB5DB.DLL
2009-09-27 17:41 . 2009-09-27 17:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG8
2009-09-27 17:40 . 2009-09-27 17:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
2009-09-26 08:36 . 2009-10-03 00:28 -------- d-----w- c:\documents and settings\Brenda\Application Data\LimeWire
2009-09-26 01:31 . 2009-09-26 01:31 -------- d-----r- c:\documents and settings\Desktop
2009-09-25 23:22 . 2009-09-27 21:35 -------- d-----w- C:\$AVG8.VAULT$
2009-09-25 22:47 . 2009-09-25 22:47 -------- d-----w- c:\program files\AVG
2009-09-25 22:47 . 2009-10-04 23:43 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-25 22:36 . 2009-09-25 22:36 -------- d-----w- c:\documents and settings\Brenda\Application Data\AVG8
2009-09-25 22:20 . 2009-09-28 15:37 0 ----a-w- c:\windows\win32k.sys
2009-09-25 22:07 . 2009-09-25 22:07 -------- d-----r- c:\program files\Skype
2009-09-25 22:07 . 2009-09-25 22:07 -------- d-----w- c:\program files\Common Files\Skype
2009-09-25 22:05 . 2009-09-25 22:05 -------- d-----w- c:\program files\Yahoo! Games
2009-09-25 22:05 . 2009-09-25 22:05 -------- d-----w- c:\program files\Postal2STP
2009-09-25 22:05 . 2009-09-25 22:05 -------- d-----w- c:\program files\Freeze.com
2009-09-25 22:02 . 2009-09-25 22:02 -------- d-----w- c:\documents and settings\Administrator\IETldCache
2009-09-24 01:44 . 2009-09-24 01:44 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-09-23 08:30 . 2009-09-23 08:30 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-09-23 00:42 . 2009-09-25 22:08 -------- d-----w- c:\program files\Common Files\McAfee
2009-09-23 00:42 . 2009-09-25 22:08 -------- d-----w- c:\program files\McAfee.com
2009-09-23 00:42 . 2009-09-25 22:08 -------- d-----w- c:\program files\McAfee
2009-09-22 22:46 . 2002-11-27 15:59 56952 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-22 22:46 . 2009-10-04 23:43 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft
2009-09-22 22:46 . 2009-09-27 17:30 -------- d-s---w- c:\documents and settings\Administrator
2009-09-22 22:31 . 2009-09-25 22:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-09-22 22:31 . 2009-09-22 22:31 -------- d-----w- c:\program files\Lavasoft
2009-09-22 22:16 . 2009-09-25 22:09 -------- dc----w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-09-21 17:43 . 2009-09-21 17:43 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-09-20 02:48 . 2009-09-23 14:17 -------- d-----w- c:\program files\Windstream Toolbar
2009-09-19 18:28 . 2009-09-19 18:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Motive
2009-09-19 18:28 . 2009-09-19 18:28 -------- d-----w- c:\program files\Common Files\Motive
2009-09-19 18:28 . 2009-09-19 18:28 -------- d-----w- c:\program files\windstream_act
2009-09-19 18:21 . 2009-09-19 18:21 -------- d-----w- c:\windows\system32\LogFiles
2009-09-17 17:10 . 2009-09-17 17:10 61440 ----a-w- c:\windows\diabunin.exe
2009-09-17 17:10 . 2009-09-17 17:36 -------- d-----w- C:\Diablo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-04 19:49 . 2009-07-11 22:32 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-10-04 19:49 . 2009-07-11 22:32 -------- d-----w- c:\program files\NOS
2009-10-03 17:34 . 2005-12-11 07:03 -------- d-----w- c:\program files\Diablo II
2009-09-29 00:47 . 2005-04-04 01:10 -------- d-----w- c:\program files\Java
2009-09-27 22:06 . 2003-06-29 03:15 -------- d-----w- c:\documents and settings\Brenda\Application Data\Yahoo! Messenger
2009-09-27 22:05 . 2008-03-30 02:45 -------- d-----w- c:\documents and settings\Brenda\Application Data\U3
2009-09-27 22:05 . 2007-10-21 00:02 -------- d-----w- c:\documents and settings\Brenda\Application Data\Pogo Games
2009-09-27 22:04 . 2009-04-05 01:05 -------- d-----w- c:\documents and settings\Brenda\Application Data\Move Networks
2009-09-27 17:37 . 2006-10-26 22:14 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-25 22:05 . 2007-09-10 08:15 -------- d-----w- c:\program files\NovaLogic
2009-09-23 17:24 . 2008-07-20 07:34 58 ----a-w- c:\documents and settings\.limewire\downloads.dat
2009-09-23 17:24 . 2006-02-07 02:21 6059 ----a-w- c:\documents and settings\.limewire\spam.dat
2009-09-23 16:56 . 2009-03-28 01:22 26341 ----a-w- c:\documents and settings\.limewire\library5.dat
2009-09-23 16:33 . 2002-11-27 16:00 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-23 14:17 . 2009-05-25 21:34 -------- d-----w- c:\program files\DivX
2009-09-20 20:49 . 2002-11-27 16:02 -------- d-----w- c:\program files\EarthLink 5.0
2009-09-18 01:47 . 2005-11-25 23:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-09-17 17:10 . 2008-06-22 16:26 86528 ----a-w- c:\windows\bnetunin.exe
2009-08-29 17:03 . 2002-12-04 22:53 123312 ----a-w- c:\documents and settings\Brenda\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-29 16:49 . 2009-08-29 16:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-29 16:46 . 2002-11-27 15:32 -------- d-----w- c:\program files\Microsoft Works
2009-08-05 09:01 . 2002-08-29 11:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2002-08-29 11:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 14:08 . 2004-08-04 07:56 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2006-02-20 16:28 . 2006-02-20 16:29 774144 ----a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{7f559c93-2b3f-4ad7-8b03-ed64f0b1a494}"= "c:\program files\Windstream Toolbar\Helper.dll" [2009-09-20 201216]

[HKEY_CLASSES_ROOT\clsid\{7f559c93-2b3f-4ad7-8b03-ed64f0b1a494}]
[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{DECE53AA-244F-427E-8935-3A093D249E4C}]
[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{31A42398-1CD9-4FB9-8451-BEE871AFD7C3}"= "c:\program files\Windstream Toolbar\Toolbar.dll" [2009-09-20 1358848]

[HKEY_CLASSES_ROOT\clsid\{31a42398-1cd9-4fb9-8451-bee871afd7c3}]
[HKEY_CLASSES_ROOT\FCTB000059851.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{E90A8C7D-65EB-4102-95F8-1037AEA4D353}]
[HKEY_CLASSES_ROOT\FCTB000059851.IEToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{31A42398-1CD9-4FB9-8451-BEE871AFD7C3}"= "c:\program files\Windstream Toolbar\Toolbar.dll" [2009-09-20 1358848]

[HKEY_CLASSES_ROOT\clsid\{31a42398-1cd9-4fb9-8451-bee871afd7c3}]
[HKEY_CLASSES_ROOT\FCTB000059851.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{E90A8C7D-65EB-4102-95F8-1037AEA4D353}]
[HKEY_CLASSES_ROOT\FCTB000059851.IEToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-02-20 4363504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-17 28738]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-04-10 679936]
"Lexmark X84-X85 Button Monitor"="c:\progra~1\LEXMAR~1\ACMonitor_X84-X85.exe" [2002-08-23 40960]
"Lexmark X84-X85 Button Manager"="c:\progra~1\LEXMAR~1\AcBtnMgr_X84-X85.exe" [2002-09-04 53248]
"PrinTray"="c:\windows\System32\spool\DRIVERS\W32X86\3\printray.exe" [2002-09-19 36864]
"LVCOMS"="c:\program files\Common Files\Logitech\QCDriver\LVCOMS.EXE" [2001-06-27 86016]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-04-02 180269]
"mmtask"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2006-01-17 53248]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-12-06 282624]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-29 149280]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-03 2023704]
"Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2003-03-04 19968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2002-11-27 45056]
ExifLauncher2.lnk - c:\program files\FinePixViewer\QuickDCF2.exe [2008-6-11 303104]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2006-10-8 169472]
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-8-7 24633]
Reality Fusion GameCam SE.lnk - c:\program files\Reality Fusion\Reality Fusion GameCam SE\Program\RFTRay.exe [2000-7-10 323584]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-09-27 18:20 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Diablo\\diablo.exe"=
"c:\\Program Files\\Windstream Toolbar\\TroubleShooter.exe"=
"c:\\Program Files\\Windstream Toolbar\\ToolbarUpdate.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [9/27/2009 2:20 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [9/27/2009 2:20 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [9/27/2009 2:19 PM 297752]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [9/27/2009 2:19 PM 908056]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\McAfee\SiteAdvisor\McSACore.exe" --> c:\program files\McAfee\SiteAdvisor\McSACore.exe [?]
S3 getPlusHelper;getPlus® Helper;c:\windows\System32\svchost.exe -k getPlusHelper [8/29/2002 7:00 AM 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
Contents of the 'Scheduled Tasks' folder

2009-10-04 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2002-11-27 16:24]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.earthlink.net/partner/more/msie/button/search.html
uStart Page = hxxp://www.windstream.net/wind/portal/index.aspx
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Lisa\Start Menu\Programs\IMVU\Run IMVU.lnk
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
DPF: {A084A130-28AE-4B32-B51A-1C8CE164BC88} - hxxp://www.convergysworkathome.com/AppHardT.CAB
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-04 19:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-10-04 19:58
ComboFix-quarantined-files.txt 2009-10-04 23:57
ComboFix2.txt 2009-10-04 19:03

Pre-Run: 100,045,860,864 bytes free
Post-Run: 100,017,225,728 bytes free

232 --- E O F --- 2009-08-26 07:02