Antivirus System Pro [Solved]


#16 hammerman (Member, 4,183 posts)

Hi,

Please download Win32kDiag to your desktop.
Double-click on Win32kDiag to run it.
Please do not close it if it appears to get stuck. Just let it run until it finishes.
A log should appear when it is finished. Post that log here.

If it doesn't pop up, a log file called Win32kDiag.txt should be located on your desktop. Please post that.

#17 goostar (Topic Starter, 79 posts)

The log from Win32kDiag:

Running from: C:\Documents and Settings\Bruce\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Bruce\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Finished!

#18 hammerman (Member, 4,183 posts)

Hi,

Can you run the OTS and SysProt scans (post #2, steps 2 & 3)?

#19 goostar (Topic Starter, 79 posts)

Attached File: OTS.Txt (415.89KB, 150 downloads)

#20 goostar (Topic Starter, 79 posts)

Here's the SysProt log:

SysProt AntiRootkit v1.0.1.0
by swatkat

Remote Address: 65.55.15.123:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC155953175710:2111
Remote Address: 80.12.192.8:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC155953175710:2109
Remote Address: GW-IN-F149.1E100.NET:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC155953175710:2094
Remote Address: 204.160.119.126:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC155953175710:2084
Remote Address: YX-IN-F149.1E100.NET:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC155953175710:2080
Remote Address: MSNBCSPORTS.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC155953175710:2078
Remote Address: 65.55.15.123:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC155953175710:2076
Remote Address: 65.55.15.123:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC155953175710:2066
Remote Address: MSNBCSPORTS.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC155953175710:2064
Remote Address: MSNBCSPORTS.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC155953175710:KNETD
Remote Address: 65.55.239.188:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC155953175710:2050
Remote Address: 65.55.15.244:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC155953175710:2045
Remote Address: 80.12.192.26:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC155953175710:2043
Remote Address: MSNBCSPORTS.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC155953175710:2040
Remote Address: 80.12.192.8:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC155953175710:NETBIOS-SSN
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: PC155953175710:49100
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: LISTENING

Local Address: PC155953175710:12143
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
State: LISTENING

Local Address: PC155953175710:12119
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
State: LISTENING

Local Address: PC155953175710:12110
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
State: LISTENING

Local Address: PC155953175710:12080
Remote Address: LOCALHOST:2180
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC155953175710:12080
Remote Address: LOCALHOST:2164
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC155953175710:12080
Remote Address: LOCALHOST:2162
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC155953175710:12080
Remote Address: LOCALHOST:2153
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC155953175710:12080
Remote Address: LOCALHOST:2112
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC155953175710:12080
Remote Address: LOCALHOST:2087
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC155953175710:12080
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: LISTENING

Local Address: PC155953175710:12025
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
State: LISTENING

Local Address: PC155953175710:2120
Remote Address: LOCALHOST:12080
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC155953175710:2085
Remote Address: LOCALHOST:12080
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC155953175710:1027
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\alg.exe
State: LISTENING

Local Address: PC155953175710:2107
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\mqsvc.exe
State: LISTENING

Local Address: PC155953175710:2105
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\mqsvc.exe
State: LISTENING

Local Address: PC155953175710:2103
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\mqsvc.exe
State: LISTENING

Local Address: PC155953175710:1801
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\mqsvc.exe
State: LISTENING

Local Address: PC155953175710:1026
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\mqsvc.exe
State: LISTENING

Local Address: PC155953175710:MICROSOFT-DS
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: PC155953175710:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: LISTENING

Local Address: PC155953175710:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: PC155953175710:138
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: PC155953175710:NETBIOS-NS
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: PC155953175710:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: PC155953175710:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: PC155953175710:138
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: PC155953175710:NETBIOS-NS
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: PC155953175710:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: PC155953175710:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: PC155953175710:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: PC155953175710:4500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA

Local Address: PC155953175710:3527
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\mqsvc.exe
State: NA

Local Address: PC155953175710:1025
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\mqsvc.exe
State: NA

Local Address: PC155953175710:500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA

Local Address: PC155953175710:MICROSOFT-DS
Remote Address: NA
Type: UDP
Process: System
State: NA

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied

Object: C:\System Volume Information\tracking.log
Status: Access denied

Object: C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}
Status: Access denied

#21 hammerman (Member 4k, 4,183 posts)
Hi,

Please follow these steps.

-- Step 1 --

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

[Kill All Processes]
[Unregister Dlls]
[Registry - Safe List]
< HOSTS File > (152 bytes and 5 lines) -> C:\WINDOWS\system32\drivers\etc\hosts
YN -> 91.212.127.227 winsecure2009.microsoft.com ->
YN -> 91.212.127.227 winsecure2009.com ->
YN -> 91.212.127.227 www.winsecure2009.com ->
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
YN -> \F ->
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\Shell ->
YN -> \F\Shell\\"" -> [AutoRun]
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\Shell\AutoRun ->
YN -> \F\Shell\AutoRun\\"" -> [Auto&Play]
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\Shell\AutoRun\command ->
YN -> \F\Shell\AutoRun\command\\"" -> F:\LaunchU3.exe [F:\LaunchU3.exe -a]
YN -> \{52c700c7-52cc-11dd-b9a2-001de073d8cd} ->
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{52c700c7-52cc-11dd-b9a2-001de073d8cd}\Shell ->
YN -> \{52c700c7-52cc-11dd-b9a2-001de073d8cd}\Shell\\"" -> [AutoRun]
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{52c700c7-52cc-11dd-b9a2-001de073d8cd}\Shell\AutoRun ->
YN -> \{52c700c7-52cc-11dd-b9a2-001de073d8cd}\Shell\AutoRun\\"" -> [Auto&Play]
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{52c700c7-52cc-11dd-b9a2-001de073d8cd}\Shell\AutoRun\command ->
YN -> \{52c700c7-52cc-11dd-b9a2-001de073d8cd}\Shell\AutoRun\command\\"" -> J:\LaunchU3.exe [J:\LaunchU3.exe -a]
YN -> \{707961ca-d6e3-11dd-bab3-001de073d8cd} ->
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{707961ca-d6e3-11dd-bab3-001de073d8cd}\Shell ->
YN -> \{707961ca-d6e3-11dd-bab3-001de073d8cd}\Shell\\"" -> [AutoRun]
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{707961ca-d6e3-11dd-bab3-001de073d8cd}\Shell\AutoRun ->
YN -> \{707961ca-d6e3-11dd-bab3-001de073d8cd}\Shell\AutoRun\\"" -> [Auto&Play]
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{707961ca-d6e3-11dd-bab3-001de073d8cd}\Shell\AutoRun\command ->
YN -> \{707961ca-d6e3-11dd-bab3-001de073d8cd}\Shell\AutoRun\command\\"" -> G:\LaunchU3.exe [G:\LaunchU3.exe -a]
[Registry - Additional Scans - Safe List]
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
YN -> "" [HKLM] -> Reg Error: Key error. []
< Disabled MSConfig Registry Items [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\
YY -> eehtrfeo hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> C:\Documents and Settings\Bruce\Local Settings\Application Data\bcaqoa\pxwusysguard.exe
[Files/Folders - Created Within 30 Days]
NY -> C:\Documents and Settings\Bruce\Local Settings\Application Data\bcaqoa -> C:\Documents and Settings\Bruce\Local Settings\Application Data\bcaqoa
[Purity]
[Empty Temp Folders]
[Start Explorer]
[Reboot]


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

-- Step 2 --

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

-- Step 3 --

  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:

    • C:\WINDOWS\system32\drivers\iaStor.sys
  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.

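The first section of the OTS fix in the post above removes three HOSTS-file lines that point winsecure2009 hostnames, one of them under microsoft.com, at 91.212.127.227. The script below is an added example, not part of OTS or of hammerman's post: it parses HOSTS-file text and reports exactly that pattern (a non-local address, a hostname under a domain that should never be pinned, and one address shared by several hostnames). The list of protected domain suffixes is an assumption for illustration, and the sample file is constructed from the three entries the fix removes plus the default localhost line.

```python
"""Flag hijack-style entries in a Windows HOSTS file.

Added example for this thread; it is not part of OTS or of the forum post.
It parses hosts-file text and reports mappings that (a) point a hostname at
an address outside the loopback/link-local/private ranges, (b) override a
hostname under a domain a home PC should never pin, or (c) share one
non-local address between several hostnames.
"""
import ipaddress

# Assumption: an illustrative list of domains a home machine should never pin
# in HOSTS. Extend it with the vendors installed on the machine being checked.
PROTECTED_SUFFIXES = ("microsoft.com", "windowsupdate.com", "avast.com")

# Constructed sample: the default localhost line plus the entries from the fix.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
91.212.127.227 winsecure2009.microsoft.com
91.212.127.227 winsecure2009.com
91.212.127.227 www.winsecure2009.com
"""


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in hosts-file text.

    Comments and malformed lines are skipped rather than raising, since a
    tampered HOSTS file often contains junk the parser should not choke on.
    """
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for host in parts[1:]:
            yield ip, host.lower(), line_no


def is_local(ip):
    """True for addresses a legitimate home HOSTS file normally uses."""
    return ip.is_loopback or ip.is_link_local or ip.is_private


def is_protected(host):
    return any(host == s or host.endswith("." + s) for s in PROTECTED_SUFFIXES)


def find_hijacks(text):
    """Return a list of findings, one per suspicious mapping, in file order."""
    entries = list(parse_hosts(text))

    # Fan-in: distinct hostnames pinned to each non-local address.
    hosts_per_ip = {}
    for ip, host, _ in entries:
        if not is_local(ip):
            hosts_per_ip.setdefault(ip, set()).add(host)

    findings = []
    for ip, host, line_no in entries:
        reasons = []
        if not is_local(ip):
            reasons.append("non-local address")
            if len(hosts_per_ip[ip]) > 1:
                reasons.append("address shared by %d hostnames" % len(hosts_per_ip[ip]))
        if is_protected(host):
            reasons.append("overrides a protected domain")
        if reasons:
            findings.append({"line": line_no, "ip": str(ip), "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_hijacks(SAMPLE_HOSTS):
        print("line %(line)d: %(ip)s %(host)s -> %(reasons)s" % finding)
```

Run against the real file by reading C:\WINDOWS\system32\drivers\etc\hosts and passing the text to find_hijacks(). A private-range mapping such as a LAN file server is deliberately not reported, so the output is a short review list rather than every non-default line.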

#22 goostar (Topic Starter, 79 posts)
Here's the OTS log -- I'll send the others shortly.

All Processes Killed
[Registry - Safe List]
91.212.127.227 winsecure2009.microsoft.com removed from HOSTS file successfully
91.212.127.227 winsecure2009.com removed from HOSTS file successfully
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\Shell\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\Shell not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\Shell\AutoRun\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\Shell\AutoRun not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\Shell\AutoRun\command\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\Shell\AutoRun\command not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{52c700c7-52cc-11dd-b9a2-001de073d8cd}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{52c700c7-52cc-11dd-b9a2-001de073d8cd}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{52c700c7-52cc-11dd-b9a2-001de073d8cd}\Shell\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{52c700c7-52cc-11dd-b9a2-001de073d8cd}\Shell not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{52c700c7-52cc-11dd-b9a2-001de073d8cd}\Shell\AutoRun\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{52c700c7-52cc-11dd-b9a2-001de073d8cd}\Shell\AutoRun not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{52c700c7-52cc-11dd-b9a2-001de073d8cd}\Shell\AutoRun\command\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{52c700c7-52cc-11dd-b9a2-001de073d8cd}\Shell\AutoRun\command not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{707961ca-d6e3-11dd-bab3-001de073d8cd}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{707961ca-d6e3-11dd-bab3-001de073d8cd}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{707961ca-d6e3-11dd-bab3-001de073d8cd}\Shell\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{707961ca-d6e3-11dd-bab3-001de073d8cd}\Shell not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{707961ca-d6e3-11dd-bab3-001de073d8cd}\Shell\AutoRun\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{707961ca-d6e3-11dd-bab3-001de073d8cd}\Shell\AutoRun not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{707961ca-d6e3-11dd-bab3-001de073d8cd}\Shell\AutoRun\command\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{707961ca-d6e3-11dd-bab3-001de073d8cd}\Shell\AutoRun\command not found.
[Registry - Additional Scans - Safe List]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\eehtrfeo hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ not found.
File not found.
C:\Documents and Settings\Bruce\Local Settings\Application Data\bcaqoa\pxwusysguard.exe moved successfully.
[Files/Folders - Created Within 30 Days]
C:\Documents and Settings\Bruce\Local Settings\Application Data\bcaqoa folder moved successfully.
[Purity]
Purity scan complete.
[Empty Temp Folders]


User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: All Users

User: Bruce
->Temp folder emptied: 198507381 bytes
->Temporary Internet Files folder emptied: 229102782 bytes
->Java cache emptied: 8240350 bytes
->FireFox cache emptied: 69032000 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Guest
->Temp folder emptied: 543469 bytes
->Temporary Internet Files folder emptied: 5585188 bytes
->FireFox cache emptied: 3828842 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 3237929 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 51286 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
Windows Temp folder emptied: 5015093 bytes
RecycleBin emptied: 2248537 bytes

Total Files Cleaned = 501.18 mb

< End of fix log >
OTS by OldTimer - Version 3.1.4.0 fix logfile created on 11092009_150835

Files\Folders moved on Reboot...
File\Folder C:\WINDOWS\temp\_avast4_\Webshlock.txt not found!
C:\WINDOWS\temp\Perflib_Perfdata_110.dat moved successfully.

Registry entries deleted on Reboot...

#23 goostar (Topic Starter, 79 posts)
Here's the Malwarebytes log:

Malwarebytes' Anti-Malware 1.41
Database version: 3136
Windows 5.1.2600 Service Pack 2

11/9/2009 4:33:24 PM
mbam-log-2009-11-09 (16-33-24).txt

Scan type: Full Scan (C:\|)
Objects scanned: 285007
Time elapsed: 1 hour(s), 10 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\_OTS\MovedFiles\11092009_150835\C_Documents and Settings\Bruce\Local Settings\Application Data\bcaqoa\pxwusysguard.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bruce\Desktop\svchost.com (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

#24 goostar (Topic Starter, 79 posts)
When the VirSCAN.org test finished, I tried to click on the "copy to clipboard" button but nothing happened. I copied and pasted anyway. It did say nothing was found and that the file had been scanned before; therefore, no system results would be saved.

a-squared 4.5.0.8 20091110030148 2009-11-10 - 4.042
AhnLab V3 2009.11.09.04 2009.11.09 2009-11-09 - 0.937
AntiVir 8.2.1.61 7.1.6.210 2009-11-09 - 0.463
Antiy 2.0.18 20091105.3216324 2009-11-05 - 0.119
Arcavir 2009 200911091328 2009-11-09 - 0.041
Authentium 5.1.1 200911091706 2009-11-09 - 2.075
AVAST! 4.7.4 091109-1 2009-11-09 - 0.023
AVG 8.5.288 270.14.58/2493 2009-11-10 - 0.339
BitDefender 7.81008.4482609 7.28842 2009-11-10 - 3.888
CA (VET) 35.1.0 7111 2009-11-08 - 7.212
ClamAV 0.95.2 10002 2009-11-09 - 0.063
Comodo 3.12 2900 2009-11-09 - 0.736
CP Secure 1.3.0.5 2009.11.10 2009-11-10 - 0.077
Dr.Web 4.44.0.9170 2009.11.09 2009-11-09 - 6.585
F-Prot 4.4.4.56 20091109 2009-11-09 - 2.009
F-Secure 7.02.73807 2009.11.09.13 2009-11-09 - 9.007
Fortinet 2.81-3.120 11.43 2009-11-09 - 0.191
GData 19.8785/19.548 20091109 2009-11-09 - 5.862
Ikarus T3.1.01.74 2009.11.09.74494 2009-11-09 - 4.084
JiangMin 11.0.800 2009.11.09 2009-11-09 - 4.134
Kaspersky 5.5.10 2009.11.09 2009-11-09 - 0.064
KingSoft 2009.2.5.15 2009.11.9.19 2009-11-09 - 0.533
McAfee 5.3.00 5797 2009-11-09 - 3.489
Microsoft 1.5202 2009.11.09 2009-11-09 - 6.224
Norman 6.01.09 6.01.00 2009-11-09 - 4.007
nProtect 20091109.02 6126224 2009-11-09 - 7.614
Panda 9.05.01 2009.11.09 2009-11-09 - 1.849
Quick Heal 10.00 2009.11.09 2009-11-09 - 1.332
Rising 20.0 22.21.00.08 2009-11-09 - 1.039
Sophos 3.00.1 4.46 2009-11-10 - 2.976
Sunbelt 5499 5499 2009-11-09 - 1.772
Symantec 1.3.0.24 20091109.003 2009-11-09 - 0.231
The Hacker 6.5.0.2 v00063 2009-11-06 - 0.822
Trend Micro 8.700-1004 6.614.04 2009-11-09 - 0.074
VBA32 3.12.10.11 20091109.1425 2009-11-09 - 2.100
ViRobot 20091109 2009.11.09 2009-11-09 - 0.426
VirusBuster 4.5.11.10 10.113.12/2004500 2009-11-09 - 2.568

#25 hammerman (Member 4k, 4,183 posts)
Hi,

Please follow these steps.

-- Step 1 --

1. Please download The Avenger by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Begin copying here:
Files to move:
C:\SwSetup\HDD\iastor.sys | C:\Windows\System32\drivers\iaStor.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.

-- Step 2 --

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" for further review.
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**
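Step 1 above replaces the installed iaStor.sys with the copy kept in C:\SwSetup\HDD. The script below is an added example, not The Avenger's code or part of hammerman's post, showing the check a helper would run to confirm that the two copies really differ and where: it hashes both files with SHA-256, compares their sizes and reports the first differing byte offset. The real file paths are supplied by the caller; demo() uses constructed stand-in files in a temporary directory so it runs anywhere.

```python
r"""Compare an installed driver against a known-good reference copy.

Added example for this thread; it is not part of The Avenger or the forum
post. Paths such as C:\SwSetup\HDD\iastor.sys and
C:\Windows\System32\drivers\iaStor.sys are the caller's; demo() builds
constructed stand-in files instead of touching a real system.
"""
import hashlib
import os
import tempfile


def sha256_of(path, chunk_size=1 << 16):
    """Stream a file through SHA-256 so large drivers need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def first_difference(path_a, path_b):
    """Byte offset where the two files first differ, or None if identical."""
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        offset = 0
        while True:
            block_a, block_b = fa.read(4096), fb.read(4096)
            if block_a != block_b:
                for i, (x, y) in enumerate(zip(block_a, block_b)):
                    if x != y:
                        return offset + i
                # One block is a prefix of the other: files differ in length.
                return offset + min(len(block_a), len(block_b))
            if not block_a:
                return None
            offset += len(block_a)


def compare_driver(installed, reference):
    """Describe whether `installed` matches `reference` (hash, size, first diff)."""
    result = {
        "installed_sha256": sha256_of(installed),
        "reference_sha256": sha256_of(reference),
        "installed_size": os.path.getsize(installed),
        "reference_size": os.path.getsize(reference),
    }
    result["match"] = result["installed_sha256"] == result["reference_sha256"]
    result["first_difference"] = None if result["match"] else first_difference(installed, reference)
    return result


def demo():
    """Constructed demo: a clean reference and a same-size, patched installed copy."""
    with tempfile.TemporaryDirectory() as tmp:
        reference = os.path.join(tmp, "iastor.sys")            # stands in for the OEM copy
        installed = os.path.join(tmp, "iaStor_installed.sys")  # stands in for the System32\drivers copy
        clean = b"MZ" + bytes(range(256)) * 16                 # 4098-byte constructed image
        patched = clean[:2048] + b"\xcc" * 16 + clean[2064:]   # 16 bytes overwritten, same size
        with open(reference, "wb") as fh:
            fh.write(clean)
        with open(installed, "wb") as fh:
            fh.write(patched)
        return {
            "patched": compare_driver(installed, reference),
            "identical": compare_driver(reference, reference),
        }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, "match" if result["match"] else "differs at byte %s" % result["first_difference"],
              "sizes %d/%d" % (result["installed_size"], result["reference_size"]))
```

The demo deliberately patches bytes without changing the file length: a size check alone passes, the hash comparison does not, which is why the hash rather than the size is the value worth recording and submitting to a multi-engine scanner.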

#26 goostar (Topic Starter, 79 posts)
Here's the avenger log:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\SwSetup\HDD\iastor.sys|C:\Windows\System32\drivers\iaStor.sys" completed successfully.

Completed script processing.

*******************

Finished! Terminate.


And here's the combofix log:

ComboFix 09-11-08.03 - Bruce 11/09/2009 19:08.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1566 [GMT -6:00]
Running from: c:\documents and settings\Bruce\Desktop\Combo-Fix.exe
AV: avast! antivirus 4.8.1351 [VPS 091109-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Bruce\My Documents\ZbThumbnail.info
c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx
D:\Autorun.inf

Infected copy of c:\windows\System32\DRIVERS\iaStor.sys was found and disinfected
Restored copy from - Kitty ate it :)
.
((((((((((((((((((((((((( Files Created from 2009-10-10 to 2009-11-10 )))))))))))))))))))))))))))))))
.

2009-11-10 01:05 . 2004-08-04 00:59 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-11-10 01:05 . 2004-08-04 00:59 95360 ----a-w- c:\windows\system32\dllcache\atapi.sys
2009-11-09 21:08 . 2009-11-09 21:08 -------- d-----w- C:\_OTS
2009-11-09 03:14 . 2009-11-09 03:14 -------- d-----w- c:\documents and settings\Bruce\Application Data\Malwarebytes
2009-11-09 03:12 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-09 03:12 . 2009-11-09 21:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-09 03:12 . 2009-11-09 03:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-09 03:12 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-07 00:46 . 2009-11-07 00:46 -------- d-----w- c:\documents and settings\Bruce\Local Settings\Application Data\Yahoo
2009-11-07 00:44 . 2009-05-27 01:50 607472 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
2009-10-28 00:22 . 2009-06-01 18:51 27792 ----a-w- c:\windows\system32\drivers\point32.sys
2009-10-28 00:20 . 2004-08-04 05:56 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll
2009-10-28 00:20 . 2009-06-01 18:51 14736 ----a-w- c:\windows\system32\drivers\nuidfltr.sys
2009-10-28 00:20 . 2009-06-01 18:51 1418120 ----a-w- c:\windows\system32\wdfcoinstaller01005.dll
2009-10-28 00:20 . 2009-10-28 00:20 -------- d-----w- c:\program files\Microsoft IntelliPoint
2009-10-27 23:53 . 2009-10-27 23:55 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Adobe
2009-10-27 23:51 . 2009-10-27 23:51 -------- d-----w- c:\documents and settings\Guest\Application Data\Windows Search
2009-10-27 23:50 . 2009-10-27 23:50 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Apple Computer
2009-10-27 23:50 . 2009-10-27 23:50 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\TechSmith
2009-10-27 23:50 . 2009-10-27 23:50 -------- d-----w- c:\documents and settings\Guest\Application Data\ArcSoft
2009-10-19 03:43 . 2009-08-19 10:18 107864 ----a-w- c:\windows\system32\tsccvid.dll
2009-10-19 03:43 . 2009-10-19 03:43 -------- d-----w- c:\windows\system32\QuickTime
2009-10-19 03:42 . 2009-10-19 03:42 -------- d-----w- c:\program files\Common Files\TechSmith Shared
2009-10-18 00:52 . 2006-11-10 20:05 18688 ----a-w- c:\windows\system32\drivers\afc.sys
2009-10-18 00:50 . 1995-08-01 09:44 212480 ----a-w- c:\windows\PCDLIB32.DLL
2009-10-18 00:49 . 2005-04-27 21:36 245408 ----a-w- c:\windows\system32\unicows.dll
2009-10-18 00:49 . 2007-07-02 20:08 15616 ----a-w- c:\windows\system32\drivers\ArcSoftVirtualCapture.sys
2009-10-18 00:49 . 2006-12-07 14:22 49152 ----a-w- c:\windows\system32\ArcFakeCapture.dll
2009-10-18 00:38 . 2009-10-28 00:26 2325872 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-10-18 00:37 . 2004-08-04 04:10 78464 ----a-w- c:\windows\system32\drivers\usbvideo.sys
2009-10-18 00:37 . 2004-08-04 04:10 78464 ----a-w- c:\windows\system32\dllcache\usbvideo.sys
2009-10-17 21:04 . 2009-10-27 23:49 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-17 20:17 . 2009-10-17 20:17 -------- d-----w- c:\documents and settings\Bruce\Local Settings\Application Data\TechSmith
2009-10-17 20:16 . 2009-10-19 03:42 -------- d-----w- c:\program files\TechSmith

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-09 21:02 . 2009-01-19 19:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-11-09 17:10 . 2008-04-01 05:51 -------- d-----w- c:\documents and settings\Bruce\Application Data\Skype
2009-11-09 15:03 . 2008-05-29 03:41 256 ----a-w- c:\windows\system32\pool.bin
2009-11-09 14:03 . 2008-04-01 05:53 -------- d-----w- c:\documents and settings\Bruce\Application Data\skypePM
2009-11-09 13:40 . 2007-07-17 04:20 108699 ----a-w- c:\windows\system32\nvModes.dat
2009-11-09 13:40 . 2009-06-09 02:25 -------- d-----w- c:\documents and settings\All Users\Application Data\PCPitstop
2009-11-07 00:44 . 2008-04-01 05:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-10-28 00:31 . 2008-03-31 20:57 109360 ----a-w- c:\documents and settings\Bruce\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-28 00:24 . 2008-03-29 00:51 -------- d-----w- c:\program files\Google
2009-10-28 00:22 . 2009-10-28 00:22 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-10-28 00:22 . 2009-10-28 00:22 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-10-28 00:06 . 2009-10-28 00:06 664 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\d3d9caps.tmp
2009-10-27 23:50 . 2009-06-17 00:51 108968 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-27 08:06 . 2007-07-17 04:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-27 08:04 . 2009-04-03 18:21 -------- d-----w- c:\program files\Microsoft Works
2009-10-18 23:12 . 2009-01-19 15:46 -------- d-----w- c:\documents and settings\Bruce\Application Data\Arcsoft
2009-10-18 00:53 . 2007-07-17 04:22 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-18 00:53 . 2007-07-17 04:46 -------- d-----w- c:\program files\HP
2009-10-18 00:52 . 2009-01-19 15:46 -------- d-----w- c:\documents and settings\All Users\Application Data\ArcSoft
2009-10-18 00:52 . 2009-01-19 15:45 -------- d-----w- c:\program files\ArcSoft
2009-10-17 20:16 . 2008-03-31 16:27 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-15 12:44 . 2008-04-01 17:31 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-12 17:11 . 2008-04-21 12:52 -------- d-----w- c:\documents and settings\Bruce\Application Data\U3
2009-10-10 19:46 . 2008-03-31 16:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-10-10 19:45 . 2008-03-31 16:27 -------- d-----w- c:\program files\Lavasoft
2009-10-10 19:43 . 2009-10-10 19:43 6944624 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aaw2008_upd.exe
2009-10-10 05:46 . 2009-10-10 05:46 -------- d-----w- c:\documents and settings\Bruce\Application Data\SlySoft
2009-10-10 05:45 . 2009-10-09 23:14 -------- d-----w- c:\program files\SlySoft
2009-10-09 23:20 . 2009-10-09 23:20 -------- d-----w- c:\documents and settings\All Users\Application Data\SlySoft
2009-10-09 17:20 . 2009-10-09 17:20 -------- d-----w- c:\documents and settings\Bruce\Application Data\Creative
2009-10-09 17:15 . 2009-10-09 17:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Creative
2009-10-09 17:14 . 2009-10-09 17:14 -------- d--h--w- c:\documents and settings\All Users\Application Data\{615DB4DC-B7C1-4125-9858-78EF460B76D2}
2009-10-09 17:14 . 2009-10-09 17:14 -------- d-----w- c:\program files\Creative
2009-10-09 17:14 . 2009-10-09 17:14 2422433 ----a-w- c:\documents and settings\All Users\Application Data\{615DB4DC-B7C1-4125-9858-78EF460B76D2}\setup.exe
2009-10-09 17:14 . 2009-10-09 17:13 -------- d--h--w- c:\documents and settings\All Users\Application Data\{1620E93A-24E3-4D30-86CE-F7F1ABB9CD24}
2009-10-08 00:34 . 2008-07-07 04:26 -------- d-----w- c:\program files\Common Files\Real
2009-10-08 00:31 . 2009-10-08 00:31 452104 ----a-w- c:\documents and settings\Bruce\Application Data\Real\RealPlayer\setup\AU_setup9.exe
2009-10-06 04:14 . 2008-04-07 15:51 -------- d-----w- c:\documents and settings\Bruce\Application Data\LimeWire
2009-10-04 17:36 . 2009-10-04 17:32 -------- d-----w- c:\program files\Microsoft
2009-10-04 17:36 . 2009-10-04 17:36 -------- d-----w- c:\program files\Microsoft Office Outlook Connector
2009-10-04 17:35 . 2008-04-01 03:28 -------- d-----w- c:\program files\Windows Live
2009-10-04 17:35 . 2009-10-04 17:35 -------- d-----w- c:\program files\Microsoft Sync Framework
2009-10-04 17:34 . 2009-10-04 17:34 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-10-02 08:30 . 2008-08-06 19:15 816392 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2007\Components\DownloadQB17\Patch\qbpatch2.exe
2009-09-30 22:23 . 2008-04-02 13:26 -------- d-----w- c:\program files\Dentrix
2009-09-24 22:59 . 2009-09-24 22:59 104512 ----a-w- c:\windows\system32\drivers\AnyDVD.sys
2009-09-22 17:02 . 2008-07-29 22:32 3788 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2007\qbbackup.sys
2009-09-22 13:07 . 2009-09-22 13:07 -------- d-----w- c:\documents and settings\Bruce\Application Data\Canon Electronics
2009-09-11 17:08 . 2009-09-11 17:08 24744 ----a-w- c:\windows\system32\drivers\ElbyCDIO.sys
2009-09-11 14:03 . 2004-08-04 08:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-09 12:38 . 2009-08-31 01:45 117760 ----a-w- c:\documents and settings\Bruce\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-09-04 20:45 . 2004-08-04 08:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-30 01:30 . 2009-02-11 20:37 256 ----a-w- c:\documents and settings\Bruce\pool.bin
2009-08-29 07:36 . 2004-08-04 08:00 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2004-08-04 08:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2004-08-04 08:00 17408 ------w- c:\windows\system32\corpol.dll
2009-08-27 00:54 . 2009-10-09 17:14 2598110 ----a-w- c:\documents and settings\All Users\Application Data\{1620E93A-24E3-4D30-86CE-F7F1ABB9CD24}\Setup.exe
2009-08-26 08:16 . 2004-08-04 08:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-25 11:00 . 2009-10-09 17:10 256512 ----a-w- c:\documents and settings\All Users\Application Data\{1620E93A-24E3-4D30-86CE-F7F1ABB9CD24}\offline\E629258\AD691181\MSCPlgu.dll
2009-08-25 09:37 . 2009-10-09 17:10 999424 ----a-w- c:\documents and settings\All Users\Application Data\{1620E93A-24E3-4D30-86CE-F7F1ABB9CD24}\offline\9E0A6A1D\7BA3E7CC\ZCTAUDU.dll
2009-08-21 02:43 . 2009-10-09 17:10 28672 ----a-w- c:\documents and settings\All Users\Application Data\{1620E93A-24E3-4D30-86CE-F7F1ABB9CD24}\offline\9A9B0F9F\F3743052\CTMSCaps.dll
2009-08-18 04:33 . 2009-08-18 04:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-17 16:10 . 2008-03-31 16:34 1279456 ----a-w- c:\windows\system32\aswBoot.exe
2009-08-17 16:06 . 2008-03-31 16:34 93392 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-08-17 16:06 . 2008-03-31 16:34 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-08-17 16:05 . 2008-04-04 12:26 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-08-17 16:05 . 2008-04-04 12:26 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-08-17 16:04 . 2008-03-31 16:34 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-08-17 16:04 . 2008-03-31 16:34 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-08-17 16:03 . 2008-03-31 16:34 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-08-17 16:02 . 2008-03-31 16:34 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-08-17 10:16 . 2009-10-09 17:10 216576 ----a-w- c:\documents and settings\All Users\Application Data\{1620E93A-24E3-4D30-86CE-F7F1ABB9CD24}\offline\E629258\AD691181\CDRipPlg.dll
2009-08-17 10:16 . 2009-10-09 17:10 11264 ----a-w- c:\documents and settings\All Users\Application Data\{1620E93A-24E3-4D30-86CE-F7F1ABB9CD24}\offline\82935B84\9AB9D29D\CDPlgres.dll
2009-08-17 08:16 . 2009-10-09 17:10 53760 ----a-w- c:\documents and settings\All Users\Application Data\{1620E93A-24E3-4D30-86CE-F7F1ABB9CD24}\offline\1F1E6D86\7178692D\AVCMPS64.dll
2009-08-17 08:16 . 2009-10-09 17:10 61440 ----a-w- c:\documents and settings\All Users\Application Data\{1620E93A-24E3-4D30-86CE-F7F1ABB9CD24}\offline\9B8360E3\A3F1BD6D\AVCMPS32.dll
2009-08-17 08:15 . 2009-10-09 17:10 323584 ----a-w- c:\documents and settings\All Users\Application Data\{1620E93A-24E3-4D30-86CE-F7F1ABB9CD24}\offline\9B8360E3\A3F1BD6D\AVCManU.exe
2009-11-02 09:35 . 2008-07-29 16:44 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\tbFre0.dll" [2009-07-21 2215960]

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
2009-07-21 14:23 2215960 ----a-w- c:\program files\Freecorder\tbFre0.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\tbFre0.dll" [2009-07-21 2215960]

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{1392B8D2-5C05-419F-A8F6-B9F15A596612}"= "c:\program files\Freecorder\tbFre0.dll" [2009-07-21 2215960]

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150596.exe" [2009-04-29 468408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2006-11-16 35368]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"WUAppSetup"="c:\program files\Common Files\logishrd\WUApp32.exe" [2008-02-01 439568]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-21 77824]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-09 12:36 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2007-02-07 01:30 74240 ----a-r- c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
2007-04-30 15:19 49152 ----a-w- c:\windows\system32\DeviceNP.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ SbHpNp scecli ASWLNPkg

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DVD Check.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DVD Check.lnk
backup=c:\windows\pss\DVD Check.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eSync Reminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\eSync Reminder.lnk
backup=c:\windows\pss\eSync Reminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Button Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Button Manager.lnk
backup=c:\windows\pss\HP Button Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Magic-i.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Magic-i.lnk
backup=c:\windows\pss\Magic-i.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WebSync Reminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WebSync Reminder.lnk
backup=c:\windows\pss\WebSync Reminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Bruce^Start Menu^Programs^Startup^Desktop Manager.lnk]
path=c:\documents and settings\Bruce\Start Menu\Programs\Startup\Desktop Manager.lnk
backup=c:\windows\pss\Desktop Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Bruce^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Bruce\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"USBDeviceService"=2 (0x2)
"stllssvr"=3 (0x3)
"SeaPort"=2 (0x2)
"RoxWatch9"=2 (0x2)
"RoxMediaDB9"=3 (0x3)
"RoxLiveShare9"=2 (0x2)
"Roxio Upnp Server 9"=2 (0x2)
"Roxio UPnP Renderer 9"=3 (0x3)
"QBFCService"=3 (0x3)
"pdfcDispatcher"=2 (0x2)
"PCPitstop Scheduling"=2 (0x2)
"PCA"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"NVSvc"=2 (0x2)
"Microsoft Office Groove Audit Service"=3 (0x3)
"MgiSvr"=2 (0x2)
"MDM"=2 (0x2)
"LVPrcSrv"=2 (0x2)
"LVCOMSer"=2 (0x2)
"LightScribeService"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"IviRegMgr"=2 (0x2)
"ImapiService"=3 (0x3)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"hpqwmiex"=2 (0x2)
"HpFkCryptService"=2 (0x2)
"gusvc"=2 (0x2)
"GoogleDesktopManager-093009-130223"=3 (0x3)
"FreeAgentGoNext Service"=2 (0x2)
"FLCDLOCK"=3 (0x3)
"Diskeeper"=2 (0x2)
"CTUPnPSv"=3 (0x3)
"CTDevice_Srv"=2 (0x2)
"CCALib8"=2 (0x2)
"btwdins"=2 (0x2)
"AVG Anti-Spyware Guard"=2 (0x2)
"avast! Web Scanner"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)
"avast! Antivirus"=2 (0x2)
"aswUpdSv"=2 (0x2)
"AdobeActiveFileMonitor5.0"=2 (0x2)
"ACDaemon"=2 (0x2)
"aawservice"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Documents and Settings\\Bruce\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [4/26/2007 8:23 PM 100095]
R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [10/9/2006 2:31 PM 44720]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [3/29/2007 5:54 PM 13696]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4/4/2008 6:26 AM 114768]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [4/26/2007 8:23 PM 5808]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [10/10/2006 11:53 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/27/2007 10:39 AM 74480]
R2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Cognizance [8/4/2004 2:00 AM 14336]
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [8/4/2004 2:00 AM 14336]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/4/2008 6:26 AM 20560]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [1/23/2007 2:13 PM 36608]
R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [7/16/2007 10:12 PM 47616]
S3 DAMDrv;DAMDrv;c:\windows\system32\drivers\DAMDrv.sys [4/23/2007 2:13 PM 30008]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 3:51 PM 4096]
S4 CTUPnPSv;Creative Centrale Media Server;c:\program files\Creative\Creative Centrale\CTUPnPSv.exe [5/21/2008 5:42 AM 64000]
S4 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\system32\flcdlock.exe [4/30/2007 9:28 AM 172131]
S4 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [10/28/2008 3:42 PM 156968]
S4 GoogleDesktopManager-093009-130223;Google Desktop Manager 5.9.909.30391;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [7/29/2008 10:44 AM 30192]
S4 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [4/27/2007 11:58 AM 221184]
S4 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\PCPitstop\PCPitstopScheduleService.exe [6/8/2009 8:25 PM 90352]
S4 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [7/16/2007 10:50 PM 540448]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
*Deregistered* - PROCEXP113

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
Cognizance REG_MULTI_SZ ASBroker ASChannel

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-11-10 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-03-28 16:02]

2009-10-28 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2009-06-01 18:51]
.
.
------- Supplementary Scan -------
.
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Bruce\Application Data\Mozilla\Firefox\Profiles\9lqe2f9c.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msnbc.msn.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnI=I%27m+Feeling+Lucky&q=
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Microsoft Research\HDView for Firefox\nphdview.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-AVG Anti-Spyware Driver



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-09 19:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pdfcDispatcher]
"ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(976)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
c:\program files\Hewlett-Packard\IAM\bin\ItMsg.dll
c:\program files\Hewlett-Packard\IAM\Bin\TrayIcon.dll
c:\program files\Hewlett-Packard\IAM\bin\HPBrand.dll
c:\program files\Hewlett-Packard\IAM\Bin\ASChnl.dll
c:\windows\system32\DeviceNP.dll

- - - - - - - > 'lsass.exe'(1032)
c:\windows\SbHpNp.dll
c:\program files\Hewlett-Packard\IAM\bin\ASWLNPkg.dll
c:\program files\Hewlett-Packard\IAM\bin\ItMsg.dll
.
Completion time: 2009-11-10 19:19
ComboFix-quarantined-files.txt 2009-11-10 01:19

Pre-Run: 83,326,685,184 bytes free
Post-Run: 83,402,067,968 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 8CDFA7E25C7889F1DAB12AC44B1B4EE5
#27 hammerman (Member 4k, 4,183 posts)
Hi,

Close all other programs and run OTS
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • Reg - Disabled MS Config Items
    • Reg - NetSvcs
    • Reg - Uninstall List
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
  • Under the Custom Scans box at the bottom left paste the following in

    %ALLUSERSPROFILE%\Application Data\*.
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    %APPDATA%\*.
    %APPDATA%\*.exe /s
    %SYSTEMDRIVE%\*.exe
    %SYSTEMDRIVE%\eventlog.dll /s /md5
    %SYSTEMDRIVE%\scecli.dll /s /md5
    %SYSTEMDRIVE%\netlogon.dll /s /md5
    %SYSTEMDRIVE%\cngaudit.dll /s /md5
    %SYSTEMDRIVE%\sceclt.dll /s /md5
    %SYSTEMDRIVE%\ntelogon.dll /s /md5
    %SYSTEMDRIVE%\logevent.dll /s /md5
    %SYSTEMDRIVE%\iaStor.sys /s /md5
    %SYSTEMDRIVE%\nvstor.sys /s /md5
    %SYSTEMDRIVE%\atapi.sys /s /md5
    %SYSTEMDRIVE%\IdeChnDr.sys /s /md5
    %SYSTEMDRIVE%\viasraid.sys /s /md5
    %SYSTEMDRIVE%\AGP440.sys /s /md5
    %SYSTEMDRIVE%\vaxscsi.sys /s /md5

  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.
#28 goostar (Topic Starter, Member, 79 posts)
Attached File  OTS.Txt   334.81KB   265 downloads
#29 hammerman (Member 4k, 4,183 posts)
Hi,

Please follow these steps.

-- Step 1 --

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::

Folder::

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eehtrfeo]

Driver::

Fcopy::
C:\Windows\System32\drivers\iaStor.sys | C:\SwSetup\HDD\iastor.sys


Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

-- Step 2 --
  • Click on start then Run...
  • In the Open: window, type msconfig and OK
  • Select Startup tab and click on Enable All
  • Select Services tab and click on Enable All
  • Click on OK and restart your computer
-- Step 3 --

Close all other programs and run OTS
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • Reg - Disabled MS Config Items
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
  • Under the Custom Scans box at the bottom left paste the following in

    %SYSTEMDRIVE%\iaStor.sys /s /md5

  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.
#30 goostar (Topic Starter, Member, 79 posts)
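The `/s /md5` custom scans in posts #27 and #29, and the `Fcopy::` line that replaces the live iaStor.sys with the copy in C:\SwSetup\HDD, rest on one check: locate every copy of a driver on the system drive and see whether their hashes agree. The Python below is an added example, not OTS or ComboFix code, that performs that comparison over a constructed directory tree; the scan-line parser, the directory layout, the file contents and the `%SYSTEMDRIVE%` mapping are all assumptions made for the demonstration.

```python
import hashlib
import os
import re
import tempfile
from collections import defaultdict

# Constructed scan list in the format of the OTS "Custom Scans" box above.
# Only the /s (recurse) and /md5 (hash) switches are interpreted here.
CUSTOM_SCAN = """
%SYSTEMDRIVE%\\iaStor.sys /s /md5
%SYSTEMDRIVE%\\atapi.sys /s /md5
"""


def parse_scan_lines(text):
    """Turn '%SYSTEMDRIVE%\\iaStor.sys /s /md5' into (path, recursive, want_md5)."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        flags = {p.lower() for p in parts[1:]}
        entries.append((parts[0], "/s" in flags, "/md5" in flags))
    return entries


def expand_path(path, env):
    """Expand %VAR% from the supplied mapping (not os.environ) and fix separators."""
    expanded = re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), path)
    return expanded.replace("\\", os.sep)


def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_copies(root, filename, recursive):
    """Every file under root named filename, matched case-insensitively as NTFS does."""
    hits = []
    for dirpath, dirnames, files in os.walk(root):
        hits.extend(os.path.join(dirpath, f) for f in files if f.lower() == filename.lower())
        if not recursive:
            dirnames[:] = []  # without /s only the top directory is searched
    return sorted(hits)


def run_scan(text, env):
    """Group each requested file's copies by MD5: {filename: {md5: [paths]}}.
    More than one MD5 group for a name means the copies on disk disagree, which is
    what a helper reads off the OTS /md5 output before deciding on an Fcopy::."""
    report = {}
    for path, recursive, want_md5 in parse_scan_lines(text):
        root, filename = os.path.split(expand_path(path, env))
        groups = defaultdict(list)
        for copy in find_copies(root, filename, recursive):
            key = md5_of(copy) if want_md5 else "(no md5 requested)"
            groups[key].append(copy)
        report[filename] = dict(groups)
    return report


def suspicious_files(report):
    """Names whose copies do not all share a single MD5."""
    return sorted(name for name, groups in report.items() if len(groups) > 1)


def build_sample_tree():
    """Constructed stand-in for a system drive (assumed layout, assumed contents):
    the live iaStor.sys differs from the dllcache and SwSetup copies, atapi.sys does not."""
    root = tempfile.mkdtemp(prefix="sysdrive_")
    clean_iastor = b"MZ" + b"\x00" * 62 + b"clean iaStor body"
    patched_iastor = clean_iastor[:-4] + b"XXXX"  # tail bytes altered
    clean_atapi = b"MZ" + b"\x00" * 62 + b"clean atapi body"
    files = {
        os.path.join("WINDOWS", "system32", "drivers", "iaStor.sys"): patched_iastor,
        os.path.join("WINDOWS", "system32", "dllcache", "iaStor.sys"): clean_iastor,
        os.path.join("SwSetup", "HDD", "iastor.sys"): clean_iastor,
        os.path.join("WINDOWS", "system32", "drivers", "atapi.sys"): clean_atapi,
        os.path.join("WINDOWS", "system32", "dllcache", "atapi.sys"): clean_atapi,
    }
    for rel, data in files.items():
        target = os.path.join(root, rel)
        os.makedirs(os.path.dirname(target), exist_ok=True)
        with open(target, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    result = run_scan(CUSTOM_SCAN, {"SYSTEMDRIVE": build_sample_tree()})
    for name, groups in result.items():
        for digest, paths in groups.items():
            print(name, digest, paths)
    print("copies disagree:", suspicious_files(result))
```

A mismatch between the live driver and its backup copies is a reason to look closer, not proof of infection; a vendor update that touched only one copy produces the same picture.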
Attached File  ComboFix.txt   27.99KB   150 downloads