
Whatever it is won't even let HJT run

jskyer

New member
This is the most evil bug I have ever encountered. Came from a website. Immediately Google started sending me to random places. Then AVG, S&D, and Ad-Aware all failed. Even the Windows backup program says that it's not installed. I came here and followed the Before You Post instructions as far as I could. ERUNT appears to have completed its task. But HJT, after install, ran for a minute then closed without creating a file. All attempts to start it again only give me the message: "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item". What can I say but Help!
 
Hello and welcome to Safer Networking.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.


Step # 1 Download and Run exeHelper

Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).



Step # 2 Download and run DDS

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop. Post them back to your topic.



Step # 3 Download and run RootRepeal


We Need to check for Rootkits with RootRepeal
  1. Download RootRepeal from the following location and save it to your desktop.
  2. Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  3. Open RootRepeal on your desktop.
  4. Click the Report tab.
  5. Click the Scan button.
  6. Check all seven boxes.
  7. Push Ok
  8. Check the box for your main system drive (Usually C:), and press Ok.
  9. Allow RootRepeal to run a scan of your system. This may take some time.
  10. Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.


In your next post/reply, I need to see the following:

1. exeHelper Log
2. The two DDS Logs (DDS and Attach.txt)
3. RootRepeal Log

Use multiple posts if you can't fit everything into one post.
 
Cannot download exeHelper from raktor.net. The following two errors occur on two different machines. The infected one and my laptop which is not infected.

First message is from Windows: "Cannot copy exeHelper[1]: Access is denied. Make sure the disk is not full or write-protected and that the file is not currently in use."

Second message is from AVG:
"File Name: C:\Documents and Settings\<name>\Local Settings\Temporary Internet Files\Content.IE5\A6EF19YK\exeHelper[1].com
Threat Name: Virus found Downloader.Banload"

RE DDS (fyi): First link brings up a page that says "Page not found". Second link worked OK and downloaded dds.scr. Third link failed twice with a runtime error before it finally downloaded dds with no extension.

RootRepeal.exe downloaded with no problems.

Since I could not download exeHelper I have not done anything but download the remaining files.

Pressing question: I use both ACT! 11 (a SQL database CRM tool), and Outlook 2007 extensively in my business. I have been afraid to use either of these since this bug took hold. Are either of these programs, or their data, in danger?

Thank you for your help. I am eagerly awaiting your response.
 
Cannot download exeHelper from raktor.net. The following two errors occur on two different machines. The infected one and my laptop which is not infected.

First message is from Windows: "Cannot copy exeHelper[1]: Access is denied. Make sure the disk is not full or write-protected and that the file is not currently in use."

Second message is from AVG:
"File Name: C:\Documents and Settings\<name>\Local Settings\Temporary Internet Files\Content.IE5\A6EF19YK\exeHelper[1].com
Threat Name: Virus found Downloader.Banload"

Hmmm..that's strange, never had that happen before with exeHelper. Did the first message happen when you tried to download it to the Desktop (on either the clean or infected computer)? Or did it happen when you tried to copy it to a USB/Flash Drive on the clean computer to transfer it over to the infected computer?

exeHelper.com is not a malicious file, don't know why AVG is saying it is. I see that AVG says that exeHelper was saved in the Temporary Internet Files. Make sure that it's saved on the Desktop when you download it. If you're able to copy exeHelper over successfully make sure that AVG is disabled (you can disconnect the infected comp from the 'Net, if it isn't already) so it won't pick up exeHelper.

See if you get exeHelper to download and run, if you can't we'll go ahead and skip it for now.


Pressing question: I use both ACT! 11 (a SQL database CRM tool), and Outlook 2007 extensively in my business. I have been afraid to use either of these since this bug took hold. Are either of these programs, or their data, in danger?

The bug you have can stop .exe files from running, saying that you don't have the proper permissions to run them, like HJT. I would stay away from running those two programs for now. Their data should be safe, but I'd stay away until we've cleaned up your machine.

=====================

Go ahead and run DDS and RootRepeal and post their logs in your next post. Also post exeHelper's log, if you can.
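The symptom the helper describes above (every .exe refusing to start with a permissions message) comes down to a handful of registry values: the .exe and .com open-command associations and the Winlogon Userinit and Shell values, which are exactly what exeHelper reports resetting later in this thread. The following script is an added example for this thread, not exeHelper's own code or anything posted by its author. It reads those values and compares them with the stock defaults of a 32-bit Windows XP installation (an assumption; the system32 path differs on other versions). The clean and hijacked samples are constructed, and the PLACEHOLDER paths are invented for the example, not indicators from this thread.

```python
"""Check the registry values behind the "can't run .exe files" symptom in this
thread: the .exe/.com open-command associations and the Winlogon Userinit and
Shell values.  Added example, not exeHelper's own code."""
import sys

# Stock values of a default 32-bit Windows XP installation (assumption; the
# system32 path differs on other Windows versions).  Names are "HIVE\path\value",
# with "(Default)" standing for a key's default value.
EXPECTED = {
    r"HKCR\.exe\(Default)": "exefile",
    r"HKCR\.com\(Default)": "comfile",
    r"HKCR\exefile\shell\open\command\(Default)": '"%1" %*',
    r"HKCR\comfile\shell\open\command\(Default)": '"%1" %*',
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit":
        r"C:\WINDOWS\system32\userinit.exe,",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell": "Explorer.exe",
}


def audit(values):
    """Return one (name, observed, expected) tuple per value that is missing or
    differs from the stock default (compared case-insensitively)."""
    findings = []
    for name, expected in EXPECTED.items():
        observed = values.get(name)
        if observed is None or observed.strip().lower() != expected.lower():
            findings.append((name, observed, expected))
    return findings


def read_live_values():
    """Read the same values from the live registry; returns {} off Windows."""
    if sys.platform != "win32":
        return {}
    import winreg
    hives = {"HKCR": winreg.HKEY_CLASSES_ROOT, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    out = {}
    for name in EXPECTED:
        hive, _, rest = name.partition("\\")
        path, _, value = rest.rpartition("\\")
        if value == "(Default)":
            value = ""          # QueryValueEx with "" reads the key's default value
        try:
            with winreg.OpenKey(hives[hive], path) as key:
                out[name] = str(winreg.QueryValueEx(key, value)[0])
        except OSError:
            pass                # missing key: audit() reports it as observed=None
    return out


# Constructed samples: a clean machine, and one showing the thread's symptom with
# .exe launches redirected through a loader and an extra Userinit entry.  The
# PLACEHOLDER paths are invented for this example, not indicators from the thread.
CLEAN_SAMPLE = dict(EXPECTED)
HIJACKED_SAMPLE = dict(EXPECTED)
HIJACKED_SAMPLE[r"HKCR\exefile\shell\open\command\(Default)"] = \
    r'"C:\PLACEHOLDER\loader.exe" "%1" %*'
HIJACKED_SAMPLE[r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"] = \
    r"C:\WINDOWS\system32\userinit.exe,C:\PLACEHOLDER\extra.exe,"


if __name__ == "__main__":
    live = read_live_values()
    sample = live if live else HIJACKED_SAMPLE   # falls back to the constructed sample
    for name, observed, expected in audit(sample):
        print(f"{name}\n   observed: {observed!r}\n   expected: {expected!r}")
```

Run on the infected machine itself the script would need a working Python interpreter, which this infection may block like any other .exe; the audit logic is separated from the registry read so the same comparison can be applied to values exported from a clean boot or another tool's log.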
 
The first error message appears to be generated by Windows. As I understand it, when Windows downloads a file it downloads it first to the temp directory and then when completed it writes it to the designated folder. I interpret the error message Windows is giving me as meaning that Windows is not being allowed to copy that temp download file to the destination desktop. Subsequently the download fails and the temp downloaded file is deleted.

The second message is generated by AVG. It has obviously tracked the download, found that the file contained a virus named Downloader.Banload and subsequently banished it to the virus vault. But since the download never completes the file, exeHelper.com, is nowhere to be found on my computer.

What is Downloader.Banload?


NEXT: I attempted to run dds.scr. All it does is open a cmd prompt window and give me the following message.

"As per the instruction you would have received, kindly ensure any onboard script blocking tools have been disabled for they shall interfere with DDS.

DDS is a non-invasive diagnostic tool.

-- DDs makes no registry writes/changes
-- DDS does not create any permanent files/folders.

This scan should not take longer than three minutes to complete.
When the scan is complete, a logfile/report shall pop open.
Post the contents of the logfiel to the forum where it was requested
We only require it to run just once. Dispose after use.
-- "

This stays open for several seconds then closes. No logfile is ever generated that I can find.

What is a script blocking tool and where would I go to disable it?

NEXT: I ran RootRepeal as per your instructions. After clicking OK in step 8 the program ran for about ten seconds and then quit and disappeared from the screen. It never reached step 10. It did, however, generate a settings.dat file, but it is empty. Also, I am unable to run the program a second time. Neither can I delete it, rename it or move it.
 
It looks like this infection is blocking our tools from running. :sad: Don't worry, we'll get it. :) And since RootRepeal didn't work, we'll try another Rootkit scanner as well.


What is Downloader.Banload?

http://www.pctools.com/mrc/infections/id/Trojan-Downloader.Banload

I still think it's strange that AVG is picking up exeHelper as downloader.banload. I still think it's a False Positive. It's possible that AVG is picking up part of exeHelper as malicious, even though its intended use is not.


What is a script blocking tool and where would I go to disable it?

Script blocking tools are your Anti-Virus and Anti-Spyware tools. In your first post, you mention AVG, S&D, and Ad-Aware.

To disable AVG, do the following:

If you have AVG 7
Please open the AVG7 Control Center.
  • Double-click on the "AVG Resident Shield" component.
  • Deselect the "Turn on AVG Resident Shield" checkmark and save the setting.
  • When you need to enable the AVG Resident Shield, reopen the AVG Control Center.
  • Double-click on the "AVG Resident Shield" component, select the "Turn on AVG Resident Shield" checkmark and save the setting.


If you have AVG 8
Please open the AVG 8 Control Center, by right clicking on the AVG 8 icon on task bar.
  • Click on Tools.
  • Select Advanced.
  • In the left hand pane, scroll down to "Resident Shield".
  • In the main pane, deselect the option to "Enable Resident Shield."
  • To re-enable AVG 8, please select "Enable Resident Shield" again.


If you have AVG 8.5
Please open the AVG 8.5 Control Center, by right clicking on the AVG icon on task bar.
  • Click on Open AVG Interface.
  • Double click on Resident Shield
  • Deselect the option to "Enable Resident Shield."
  • Save changes, and exit the application.
  • To re-enable AVG 8.5, please select "Enable Resident Shield" again.


For Ad-Aware, if you have Ad-Watch running, do the following:

Disable Ad-Aware Ad-Watch until the computer is clean

Ad-Aware's Ad-Watch normally provides real-time protection from spyware, however it may interfere with what we need to do. We will disable it until the machine is clean when it can be re-enabled.

- Right click on the Ad-Watch icon in the system tray.
- At the bottom of the screen there will be two checkable items called "Active" and "Automatic".
Active: This will turn Ad-Watch On\Off without closing it
Automatic: Suspicious activity will be blocked automatically
- Uncheck both of those boxes.

2007:

To turn off Ad-Watch please right click the system tray icon and click the "Close Ad-Watch" selection and then select "Yes" when the confirmation window appears.


If you have Teatimer running with Spybot S&D, do the following:

Spybot S&D's tea timer normally provides real-time protection from spyware, however it may interfere with what we need to do. We will disable it until the machine is clean when it can be re-enabled.

This is a two step process.
First step:
  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the version 1.5 or 1.6, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be colorless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident

Second step, For Either Version :
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • then, also in left panel, click Resident (shows a red/white shield).
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.


After you've disabled what you can, try running DDS again.

I'd like also for you to do this as well:


Step # 1 Download and run Win32kDiag

Please save this file to your desktop. Double-click on it to run a scan. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.


Step # 2 Download and run SysProt

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.

  • Double click Sysprot.exe to start the program.
  • Click on the Log tab.
  • In the Write to log box select the following items only:
    • Process
    • Kernel Modes
    • SSDT
    • Kernel Hooks
    • Hidden Files
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.


In your next post/reply, I need to see the following:

1. The two DDS Logs, if available
2. Win32kdiag Log
3. SysProt Log
 
After turning off everything like you suggested I went and downloaded exehelper.com again. This time successfully. Below are results from every one of your recommended tools that I could actually get to run, and the results from those that I could not. I'm really pleased that I could finally get any of them to run. Whew! I am encouraged.

I'm feeling confident that my data is safe, and the more I get into this and think about how much damage has likely been done to an untold number of programs that I'm about ready to bite the bullet and just rebuild. But not until I've completed your program. Thanks for this help. Seriously!

================================

::: Results of exehelper.com :::
exeHelper by Raktor - 09
Build 20090919
Run at 20:14:49 on 09/23/09
Now searching...
Checking for numerical processes...
Checking for bad processes...
Checking for bad files...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--


::: Results of dds.scr :::
DDS still does not run.


::: Results of RootRepeal :::
Original version would not run. Downloaded it a second time, to a different location.
Results were the same. It ran for about 10 seconds, closed and created an empty settings.dat file.
Will not run a second time.


::: Results of Win32Diag :::
Running from: C:\Documents and Settings\Geoff\Desktop\SaferNetworking\Win32kDiag.exe

Log file at : C:\Documents and Settings\Geoff\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB912812\KB912812

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP354.tmp\ZAP354.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP37F.tmp\ZAP37F.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP413.tmp\ZAP413.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpsvc.exe

[1] 2004-08-04 00:56:52 743936 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)

[1] 2008-04-13 17:12:21 744448 C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpsvc.exe ()

[1] 2008-04-13 17:12:21 744448 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)



Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\repair\Backup\BootableSystemState\BootableSystemState

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\repair\Backup\ServiceState\ServiceState

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Default\Default

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 00:56:44 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 17:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 17:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 17:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)



Cannot access: C:\WINDOWS\system32\ntbackup.exe

[1] 2004-08-04 00:56:56 1200128 C:\WINDOWS\$NtServicePackUninstall$\ntbackup.exe (Microsoft Corporation)

[1] 2008-04-13 17:12:30 1200640 C:\WINDOWS\ServicePackFiles\i386\ntbackup.exe (Microsoft Corporation)

[1] 2008-04-13 17:12:30 1200640 C:\WINDOWS\system32\ntbackup.exe ()



Found mount point : C:\WINDOWS\Temp\ActInst\ActInst

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\ACTInstLog\ACTInstLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis6ada7\2.4.1536.6592\cs\cs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis6ada7\2.4.1536.6592\da\da

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis6ada7\2.4.1536.6592\de\de

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis6ada7\2.4.1536.6592\el\el

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis6ada7\2.4.1536.6592\en\en

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis6ada7\2.4.1536.6592\en-gb\en-gb

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis6ada7\2.4.1536.6592\es\es

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis6ada7\2.4.1536.6592\fi\fi

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis6ada7\2.4.1536.6592\fr\fr

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis6ada7\2.4.1536.6592\HTML\HTML

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis6ada7\2.4.1536.6592\it\it

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis6ada7\2.4.1536.6592\ja\ja

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis6ada7\2.4.1536.6592\ko\ko

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis6ada7\2.4.1536.6592\nl\nl

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis6ada7\2.4.1536.6592\no\no

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis6ada7\2.4.1536.6592\pl\pl

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis6ada7\2.4.1536.6592\pt-br\pt-br

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis6ada7\2.4.1536.6592\ru\ru

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis6ada7\2.4.1536.6592\sv\sv

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis6ada7\2.4.1536.6592\th\th

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis6ada7\2.4.1536.6592\tr\tr

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis6ada7\2.4.1536.6592\zh-cn\zh-cn

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis6ada7\2.4.1536.6592\zh-tw\zh-tw

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\Google Toolbar\Google Toolbar

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Vbox\Data\Data

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Vbox\Installers\Installers

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Vbox\PackingSlips\PackingSlips

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^



Finished!



::: Results of Sysprot.exe :::
SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

Process:
Name: [System Idle Process]
PID: 0
Hidden: No
Window Visible: No

Name: System
PID: 4
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\smss.exe
PID: 444
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\csrss.exe
PID: 500
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\winlogon.exe
PID: 524
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\services.exe
PID: 568
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\lsass.exe
PID: 580
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 732
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 816
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 912
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 964
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1020
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1152
Hidden: No
Window Visible: No

Name: C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
PID: 1172
Hidden: No
Window Visible: No

Name: C:\WINDOWS\explorer.exe
PID: 1452
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\kmw_run.exe
PID: 1732
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\AVG\AVG8\avgtray.exe
PID: 1752
Hidden: No
Window Visible: No

Name: C:\Program Files\ACT\Act for Windows\Act.Outlook.Service.exe
PID: 1764
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\kmw_show.exe
PID: 1784
Hidden: No
Window Visible: No

Name: C:\Program Files\ACT\Act for Windows\Act.Scheduler.UI.exe
PID: 1820
Hidden: No
Window Visible: No

Name: C:\Program Files\Java\jre6\bin\jusched.exe
PID: 1856
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\tbctray.exe
PID: 1864
Hidden: No
Window Visible: No

Name: C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
PID: 1888
Hidden: No
Window Visible: Yes

Name: C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
PID: 1896
Hidden: No
Window Visible: No

Name: C:\Program Files\Microsoft ActiveSync\wcescomm.exe
PID: 1916
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\ctfmon.exe
PID: 1940
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\MICROS~4\rapimgr.exe
PID: 2008
Hidden: No
Window Visible: No

Name: C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
PID: 368
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\spoolsv.exe
PID: 472
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 852
Hidden: No
Window Visible: No

Name: C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
PID: 1316
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
PID: 1396
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\CTSVCCDA.EXE
PID: 1560
Hidden: No
Window Visible: No

Name: C:\Program Files\Java\jre6\bin\jqs.exe
PID: 1676
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\AVG\AVG8\avgam.exe
PID: 1836
Hidden: No
Window Visible: No

Name: C:\Program Files\AVG\AVG8\avgrsx.exe
PID: 1216
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
PID: 1904
Hidden: No
Window Visible: No

Name: C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
PID: 2256
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
PID: 2520
Hidden: No
Window Visible: No

Name: C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
PID: 2544
Hidden: No
Window Visible: No

Name: C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
PID: 2592
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 2660
Hidden: No
Window Visible: No

Name: C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
PID: 2708
Hidden: No
Window Visible: No

Name: C:\Program Files\UPHClean\uphclean.exe
PID: 2736
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\searchindexer.exe
PID: 2800
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\alg.exe
PID: 3884
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\find.exe
PID: 1580
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\searchprotocolhost.exe
PID: 3508
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\searchfilterhost.exe
PID: 1668
Hidden: No
Window Visible: No

Name: C:\Documents and Settings\Geoff\Desktop\SaferNetworking\SysProt\SysProt\SysProt\SysProt.exe
PID: 3832
Hidden: No
Window Visible: Yes

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \??\C:\Documents and Settings\Geoff\Desktop\SaferNetworking\SysProt\SysProt\SysProt\SysProtDrv.sys
Service Name: SysProtDrv.sys
Module Base: B17B6000
Module End: B17C1000
Hidden: No

Module Name: \WINDOWS\system32\ntoskrnl.exe
Service Name: ---
Module Base: 804D7000
Module End: 806FF000
Hidden: No

Module Name: \WINDOWS\system32\hal.dll
Service Name: ---
Module Base: 806FF000
Module End: 8071FD00
Hidden: No

Module Name: \WINDOWS\system32\KDCOM.DLL
Service Name: ---
Module Base: F7CEE000
Module End: F7CF0000
Hidden: No

Module Name: \WINDOWS\system32\BOOTVID.dll
Service Name: ---
Module Base: F7BFE000
Module End: F7C01000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ACPI.sys
Service Name: ACPI
Module Base: F779F000
Module End: F77CD000
Hidden: No

Module Name: \WINDOWS\System32\DRIVERS\WMILIB.SYS
Service Name: ---
Module Base: F7CF0000
Module End: F7CF2000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pci.sys
Service Name: PCI
Module Base: F778E000
Module End: F779F000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\isapnp.sys
Service Name: isapnp
Module Base: F77EE000
Module End: F77F8000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\compbatt.sys
Service Name: Compbatt
Module Base: F7C02000
Module End: F7C05000
Hidden: No

Module Name: \WINDOWS\System32\DRIVERS\BATTC.SYS
Service Name: BattC
Module Base: F7C06000
Module End: F7C0A000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pciide.sys
Service Name: PCIIde
Module Base: F7DB6000
Module End: F7DB7000
Hidden: No

Module Name: \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
Service Name: ---
Module Base: F7A6E000
Module End: F7A75000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\intelide.sys
Service Name: IntelIde
Module Base: F7CF2000
Module End: F7CF4000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\MountMgr.sys
Service Name: MountMgr
Module Base: F77FE000
Module End: F7809000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ftdisk.sys
Service Name: Disk
Module Base: F776F000
Module End: F778E000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\dmio.sys
Service Name: dmio
Module Base: F7749000
Module End: F776F000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PartMgr.sys
Service Name: PartMgr
Module Base: F7A76000
Module End: F7A7B000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\VolSnap.sys
Service Name: VolSnap
Module Base: F780E000
Module End: F781B000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\atapi.sys
Service Name: atapi
Module Base: F7731000
Module End: F7749000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\disk.sys
Service Name: ---
Module Base: F781E000
Module End: F7827000
Hidden: No

Module Name: \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
Service Name: ---
Module Base: F782E000
Module End: F783B000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\fltmgr.sys
Service Name: FltMgr
Module Base: F7711000
Module End: F7731000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sr.sys
Service Name: sr
Module Base: F76FF000
Module End: F7711000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PxHelp20.sys
Service Name: PxHelp20
Module Base: F7A7E000
Module End: F7A83000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\KSecDD.sys
Service Name: KSecDD
Module Base: F76E8000
Module End: F76FF000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\WudfPf.sys
Service Name: WudfPf
Module Base: F76D5000
Module End: F76E8000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Ntfs.sys
Service Name: Ntfs
Module Base: F7648000
Module End: F76D5000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\NDIS.sys
Service Name: NDIS
Module Base: F761B000
Module End: F7648000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Mup.sys
Service Name: Mup
Module Base: F7601000
Module End: F761B000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\avgrkx86.sys
Service Name: AvgRkx86
Module Base: F7CF6000
Module End: F7CF8000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\agp440.sys
Service Name: agp440
Module Base: F783E000
Module End: F7849000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\intelppm.sys
Service Name: intelppm
Module Base: F787E000
Module End: F7887000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
Service Name: ati2mtag
Module Base: F74DE000
Module End: F75B9000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Service Name: ---
Module Base: F74CA000
Module End: F74DE000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\usbuhci.sys
Service Name: usbuhci
Module Base: F7AB6000
Module End: F7ABC000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\USBPORT.SYS
Service Name: ---
Module Base: F74A6000
Module End: F74CA000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\usbehci.sys
Service Name: usbehci
Module Base: F7ABE000
Module End: F7AC6000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\tbcspud.sys
Service Name: tbcspud
Module Base: F7482000
Module End: F74A6000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\tbcos.sys
Service Name: ---
Module Base: F7CFA000
Module End: F7CFC000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ks.sys
Service Name: ---
Module Base: F745F000
Module End: F7482000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USR_BSC2.sys
Service Name: HSFHWBS2
Module Base: F742C000
Module End: F745F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USR_MDM.sys
Service Name: HSF_DP
Module Base: F732D000
Module End: F742C000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HSF_USR.sys
Service Name: winachsf
Module Base: F7285000
Module End: F732D000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Modem.SYS
Service Name: Modem
Module Base: F7ADE000
Module End: F7AE6000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\RTL8139.SYS
Service Name: rtl8139
Module Base: F7AE6000
Module End: F7AEC000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\serial.sys
Service Name: Serial
Module Base: F788E000
Module End: F789E000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\serenum.sys
Service Name: serenum
Module Base: F7C9A000
Module End: F7C9E000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\parport.sys
Service Name: Parport
Module Base: F7271000
Module End: F7285000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\i8042prt.sys
Service Name: i8042prt
Module Base: F789E000
Module End: F78AB000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\KMW_SYS.sys
Service Name: KMW_SYS
Module Base: F725A000
Module End: F7271000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\KMW_Lib.sys
Service Name: ---
Module Base: F7CFE000
Module End: F7D00000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\mouclass.sys
Service Name: Mouclass
Module Base: F7B0E000
Module End: F7B14000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\audstub.sys
Service Name: audstub
Module Base: F7ED7000
Module End: F7ED8000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\rasl2tp.sys
Service Name: Rasl2tp
Module Base: F78AE000
Module End: F78BB000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ndistapi.sys
Service Name: NdisTapi
Module Base: F7CA6000
Module End: F7CA9000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ndiswan.sys
Service Name: NdisWan
Module Base: F7243000
Module End: F725A000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\raspppoe.sys
Service Name: RasPppoe
Module Base: F78BE000
Module End: F78C9000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\raspptp.sys
Service Name: PptpMiniport
Module Base: F78CE000
Module End: F78DA000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\TDI.SYS
Service Name: ---
Module Base: F7B2E000
Module End: F7B33000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\psched.sys
Service Name: PSched
Module Base: F7232000
Module End: F7243000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\msgpc.sys
Service Name: Gpc
Module Base: F78DE000
Module End: F78E7000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ptilink.sys
Service Name: Ptilink
Module Base: F7B3E000
Module End: F7B43000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\raspti.sys
Service Name: Raspti
Module Base: F7B4E000
Module End: F7B53000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\rdpdr.sys
Service Name: rdpdr
Module Base: F7202000
Module End: F7232000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\termdd.sys
Service Name: TermDD
Module Base: F78EE000
Module End: F78F8000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\kbdclass.sys
Service Name: Kbdclass
Module Base: F7B5E000
Module End: F7B64000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\swenum.sys
Service Name: swenum
Module Base: F7D04000
Module End: F7D06000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\update.sys
Service Name: Update
Module Base: F717C000
Module End: F71DA000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\mssmbios.sys
Service Name: mssmbios
Module Base: F7CCA000
Module End: F7CCE000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Service Name: NDProxy
Module Base: F78FE000
Module End: F7908000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\usbhub.sys
Service Name: usbhub
Module Base: F792E000
Module End: F793D000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\USBD.SYS
Service Name: ---
Module Base: F7D0A000
Module End: F7D0C000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\tbcwdm.sys
Service Name: tbcwdm
Module Base: B2E52000
Module End: B2ED8000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\portcls.sys
Service Name: ---
Module Base: B2E2E000
Module End: B2E52000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\drmk.sys
Service Name: ---
Module Base: F793E000
Module End: F794D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\gameenum.sys
Service Name: gameenum
Module Base: F75D1000
Module End: F75D4000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\flpydisk.sys
Service Name: Flpydisk
Module Base: F7B8E000
Module End: F7B93000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Null.SYS
Service Name: Null
Module Base: F7F17000
Module End: F7F18000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Beep.SYS
Service Name: Beep
Module Base: F7D14000
Module End: F7D16000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Service Name: ---
Module Base: F7BAE000
Module End: F7BB5000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\vga.sys
Service Name: VgaSave
Module Base: F7BB6000
Module End: F7BBC000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Service Name: mnmdd
Module Base: F7D18000
Module End: F7D1A000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Service Name: RDPCDD
Module Base: F7D1C000
Module End: F7D1E000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Npfs.SYS
Service Name: Npfs
Module Base: F7BD6000
Module End: F7BDE000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\rasacd.sys
Service Name: RasAcd
Module Base: F7C8E000
Module End: F7C91000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ipsec.sys
Service Name: IPSec
Module Base: B2D5B000
Module End: B2D6E000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\tcpip.sys
Service Name: Tcpip
Module Base: B2D02000
Module End: B2D5B000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\avgtdix.sys
Service Name: AvgTdiX
Module Base: B2CC1000
Module End: B2CDA000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ipnat.sys
Service Name: IpNat
Module Base: B2C9B000
Module End: B2CC1000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\wanarp.sys
Service Name: Wanarp
Module Base: F798E000
Module End: F7997000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\netbt.sys
Service Name: NetBT
Module Base: B2C73000
Module End: B2C9B000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\ws2ifsl.sys
Service Name: WS2IFSL
Module Base: F71FA000
Module End: F71FD000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\afd.sys
Service Name: AFD
Module Base: B2C51000
Module End: B2C73000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\netbios.sys
Service Name: NetBIOS
Module Base: F799E000
Module End: F79A7000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\rdbss.sys
Service Name: Rdbss
Module Base: B2C26000
Module End: B2C51000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\mrxsmb.sys
Service Name: MRxSmb
Module Base: B2BB6000
Module End: B2C26000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fips.SYS
Service Name: Fips
Module Base: F79DE000
Module End: F79E9000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\avgmfx86.sys
Service Name: AvgMfx86
Module Base: F7A8E000
Module End: F7A94000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\avgldx86.sys
Service Name: AvgLdx86
Module Base: B2B65000
Module End: B2BB6000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbccgp.sys
Service Name: usbccgp
Module Base: F7AC6000
Module End: F7ACE000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbprint.sys
Service Name: usbprint
Module Base: F7AD6000
Module End: F7ADD000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\hidusb.sys
Service Name: HidUsb
Module Base: F71E2000
Module End: F71E5000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS
Service Name: ---
Module Base: F79FE000
Module End: F7A07000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\kbdhid.sys
Service Name: kbdhid
Module Base: F71DA000
Module End: F71DE000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\KMW_KBD.sys
Service Name: KMW_KBD
Module Base: F7D26000
Module End: F7D28000
Hidden: No

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: B2B4D000
Module End: B2B65000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: F7D2A000
Module End: F7D2C000
Hidden: Yes

Module Name: C:\WINDOWS\System32\drivers\Dxapi.sys
Service Name: ---
Module Base: F75D5000
Module End: F75D8000
Hidden: No

Module Name: C:\WINDOWS\System32\watchdog.sys
Service Name: ---
Module Base: F7B1E000
Module End: F7B23000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\dxgthk.sys
Service Name: ---
Module Base: F7EC1000
Module End: F7EC2000
Hidden: No

Module Name: \systemroot\win32k.sys:1
Service Name: ---
Module Base: F7B76000
Module End: F7B7B000
Hidden: Yes

Module Name: \systemroot\win32k.sys:2
Service Name: ---
Module Base: B2D8E000
Module End: B2D9D000
Hidden: Yes

Module Name: C:\WINDOWS\system32\drivers\wdmaud.sys
Service Name: wdmaud
Module Base: B23B8000
Module End: B23CD000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sysaudio.sys
Service Name: sysaudio
Module Base: B27ED000
Module End: B27FC000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Service Name: Fastfat
Module Base: B21AE000
Module End: B21D2000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\mrxdav.sys
Service Name: MRxDAV
Module Base: B2181000
Module End: B21AE000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
Service Name: mdmxsdk
Module Base: B206D000
Module End: B2070000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\srv.sys
Service Name: Srv
Module Base: B1EAF000
Module End: B1F01000
Hidden: No

Module Name: \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys
Service Name: ---
Module Base: F7D12000
Module End: F7D14000
Hidden: Yes

Module Name: C:\WINDOWS\System32\Drivers\HTTP.sys
Service Name: HTTP
Module Base: B196E000
Module End: B19AF000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\kmixer.sys
Service Name: kmixer
Module Base: B1300000
Module End: B132B000
Hidden: No

Module Name: \??\C:\WINDOWS\system32\drivers\rootrepeal.sys
Service Name: rootrepeal
Module Base: B1AEF000
Module End: B1AFB000
Hidden: Yes

Module Name: C:\WINDOWS\system32\drivers\dmload.sys
Service Name: dmload
Module Base: F7CF4000
Module End: F7CF6000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\fdc.sys
Service Name: Fdc
Module Base: F7AF6000
Module End: F7AFD000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\ParVdm.SYS
Service Name: ParVdm
Module Base: F7D50000
Module End: F7D52000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Msfs.SYS
Service Name: Msfs
Module Base: F7BC6000
Module End: F7BCB000
Hidden: No

******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwUnloadKey
Address: F7D1263C
Driver Base: F7D12000
Driver End: F7D14000
Driver Name: \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys

******************************************************************************************
******************************************************************************************
Kernel Hooks:
Hooked Function: PsGetProcessWin32WindowStation
At Address: 804F41EC
Jump To: FD806070
Module Name: _unknown_

Hooked Function: PsGetProcessJob
At Address: 804F41EC
Jump To: FD806070
Module Name: _unknown_

******************************************************************************************
******************************************************************************************
No hidden files/folders found
 
Step # 1: Download and Run ComboFix

Download ComboFix from any of the links below. You must rename it to jskyer.exe before saving it. Save it to your Desktop.

Link 1
Link 2

--------------------------------------------------------------------

Double click on jskyer.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please include the C:\ComboFix.txt in your next reply so we can continue cleaning the system.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
 
Here are the results from ComboFix:
==========================

ComboFix 09-09-23.02 - Geoff 09/24/2009 13:14.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.487 [GMT -7:00]
Running from: c:\documents and settings\Geoff\Desktop\SaferNetworking\JakeBird.exe
AV: AVG Anti-Virus *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\66b49.msp
c:\windows\Installer\66b5e.msp
c:\windows\Installer\66bc3.msp
c:\windows\Installer\66bd2.msp
c:\windows\Installer\ef22c.msi
c:\windows\run.log

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_UACd.sys
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-08-24 to 2009-09-24 )))))))))))))))))))))))))))))))
.

2009-09-21 03:57 . 2009-09-24 03:01 -------- d-----w- c:\program files\oldspybot~2
2009-09-20 04:02 . 2009-09-20 04:02 -------- d-----w- c:\program files\Trend Micro
2009-09-20 03:58 . 2009-09-20 03:58 -------- d-----w- c:\program files\ERUNT
2009-09-20 01:46 . 2009-09-21 03:55 -------- d-----w- c:\program files\OLD-2Spybot - Search & Destroy
2009-09-18 07:45 . 2009-09-18 07:45 -------- d-----w- c:\program files\STOPzilla!
2009-09-18 07:37 . 2009-09-18 07:37 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-09-18 07:36 . 2009-09-18 07:36 -------- d-----w- c:\program files\Common Files\iS3
2009-09-18 07:36 . 2009-09-18 07:45 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-09-18 06:46 . 2009-09-24 19:25 0 ----a-r- c:\windows\win32k.sys
2009-09-05 03:56 . 2009-09-05 03:56 -------- d-----w- c:\windows\system32\wbem\Repository
2009-09-04 06:56 . 2009-09-04 07:29 -------- d-----w- c:\program files\SpyZooka
2009-08-27 03:22 . 2009-08-27 03:22 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-24 20:21 . 2005-04-10 03:19 7304 ----a-w- c:\windows\TMP0001.TMP
2009-09-24 19:28 . 2009-06-24 20:31 952 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-09-24 04:40 . 2008-06-16 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-09-24 03:00 . 2005-04-24 00:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-20 01:45 . 2005-04-24 00:48 -------- d-----w- c:\program files\old_spybot~1
2009-09-18 06:47 . 2008-05-23 00:51 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-30 20:20 . 2008-12-25 20:37 -------- d-----w- c:\program files\Freecorder
2009-08-16 03:56 . 2009-08-16 03:56 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-16 03:56 . 2007-02-25 01:40 -------- d-----w- c:\program files\Java
2009-08-04 22:19 . 2005-04-11 00:33 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-08-02 23:12 . 2009-06-24 20:17 -------- d-----w- c:\program files\Microsoft SQL Server
2009-08-02 01:21 . 2009-08-02 01:21 -------- d-----w- c:\program files\QuickTime
2009-08-02 01:21 . 2005-05-05 03:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-08-02 01:20 . 2009-08-02 01:20 -------- d-----w- c:\program files\Apple Software Update
2009-08-02 01:20 . 2009-08-02 01:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-07-29 02:23 . 2008-05-23 00:52 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-07-29 02:23 . 2008-05-23 00:52 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-29 02:23 . 2006-11-23 22:19 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-07-20 21:57 . 2009-07-20 21:57 17408 ----a-r- c:\windows\system32\SZIO5.dll
2009-07-20 21:56 . 2009-07-20 21:56 311296 ----a-r- c:\windows\system32\SZBase5.dll
2009-07-20 21:56 . 2009-07-20 21:56 540672 ----a-r- c:\windows\system32\SZComp5.dll
2009-07-09 22:52 . 2009-07-09 22:52 126976 ----a-r- c:\windows\system32\IS3HTUI5.dll
2009-07-09 22:52 . 2009-07-09 22:52 393216 ----a-r- c:\windows\system32\IS3DBA5.dll
2009-07-09 22:51 . 2009-07-09 22:51 385024 ----a-r- c:\windows\system32\IS3UI5.dll
2009-07-09 22:51 . 2009-07-09 22:51 61440 ----a-r- c:\windows\system32\IS3Hks5.dll
2009-07-09 22:51 . 2009-07-09 22:51 23040 ----a-r- c:\windows\system32\IS3XDat5.dll
2009-07-09 22:50 . 2009-07-09 22:50 225280 ----a-r- c:\windows\system32\IS3Win325.dll
2009-07-09 22:50 . 2009-07-09 22:50 94208 ----a-r- c:\windows\system32\IS3Inet5.dll
2009-07-09 22:50 . 2009-07-09 22:50 90112 ----a-r- c:\windows\system32\IS3Svc5.dll
2009-07-09 22:47 . 2009-07-09 22:47 724992 ----a-r- c:\windows\system32\IS3Base5.dll
2009-07-03 17:09 . 2002-08-29 10:41 915456 ----a-w- c:\windows\system32\wininet.dll
2008-12-25 20:35 . 2008-12-25 20:35 2788800 ------w- c:\program files\FLV PlayerFCSetup.exe
2005-09-16 02:26 . 2005-06-25 06:01 44153 ------w- c:\program files\mozilla firefox\components\inspector.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-02 1004800]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-02 20:38 1004800 ------w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-02 1004800]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-02 1004800]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-06-12 700416]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-04-08 251240]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-16 68856]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R200 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" [2003-07-08 99840]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-09-17 2022680]
"Act.Outlook.Service"="c:\program files\ACT\Act for Windows\Act.Outlook.Service.exe" [2008-08-01 28672]
"Act! Preloader"="c:\program files\ACT\Act for Windows\ActSage.exe" [2008-08-01 393216]
"ACTSchedulerUI"="c:\program files\ACT\Act for Windows\Act.Scheduler.UI.exe" [2008-08-01 499712]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-16 149280]
"TraySantaCruz"="c:\windows\system32\tbctray.exe" [2002-04-17 290816]
"kmw_run.exe"="kmw_run.exe" - c:\windows\system32\kmw_run.exe [2006-08-03 106496]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2005-10-15 221295]
Windows Search.lnk.disabled [2009-3-1 1798]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-29 02:23 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe"
"MSWheel"=

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\FileZilla\\FileZilla.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\ACT\\Act for Windows\\ActSage.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\ACT\\Act for Windows\\Act8.exe"=
"c:\\Program Files\\ACT\\Act for Windows\\Act11.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [5/22/2008 5:52 PM 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/22/2008 5:52 PM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/22/2008 5:52 PM 108552]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/8/2009 10:26 AM 297752]
R2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [11/24/2008 10:31 PM 29263712]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [4/8/2009 3:38 AM 92008]
R3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [4/9/2005 5:30 PM 144768]
R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [4/9/2005 5:30 PM 545088]
S3 SysProtDrv.sys;SysProtDrv.sys;c:\documents and settings\Geoff\Desktop\SaferNetworking\SysProt\SysProt\SysProt\SysProtDrv.sys [9/23/2009 8:37 PM 44288]
S4 ACT! Scheduler;ACT! Scheduler;c:\program files\ACT\Act for Windows\Act.Scheduler.exe [7/31/2008 9:02 PM 81920]

--- Other Services/Drivers In Memory ---

*Deregistered* - uphcleanhlp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-24 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-25 02:43]

2009-09-24 c:\windows\Tasks\User_Feed_Synchronization-{0E74C5E3-16AD-40A6-86AA-AE2E70CED442}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\program files\Common Files\iS3\Anti-Spyware\iS3lsp.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Geoff\Application Data\Mozilla\Firefox\Profiles\wrnsupub.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\documents and settings\Geoff\Application Data\Mozilla\Firefox\Profiles\wrnsupub.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\FFAlert.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v1.02.08 .
- - - - ORPHANS REMOVED - - - -

BHO-{1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\Freecorder\tbFre0.dll__BHODemonDisabled
Toolbar-{1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\Freecorder\tbFre0.dll__BHODemonDisabled
WebBrowser-{1392B8D2-5C05-419F-A8F6-B9F15A596612} - c:\program files\Freecorder\tbFre0.dll__BHODemonDisabled
AddRemove-AudibleManager - c:\program files\Audible\Bin\Upgrade.exe
AddRemove-BitTorrent DNA - c:\program files\DNA\btdna.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-24 13:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2052111302-706699826-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9F697F2E-8BCA-DBDF-35BF-AC7D3CC7CA18}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"dacofhgn"=hex:62,61,61,6c,00,06
"fapnalbjfplb"=hex:63,61,62,6c,6b,66,00,00

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(528)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(584)
c:\program files\Common Files\iS3\Anti-Spyware\iS3lsp.dll

- - - - - - - > 'explorer.exe'(2872)
c:\windows\system32\WININET.dll
c:\windows\system32\kmw_dll.dll
c:\windows\system32\WOW32.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\kmw_show.exe
c:\progra~1\MICROS~4\rapimgr.exe
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe
c:\windows\system32\CTSVCCDA.EXE
c:\progra~1\AVG\AVG8\avgam.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\UPHClean\uphclean.exe
c:\windows\system32\searchindexer.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-09-24 13:27 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-24 20:26

Pre-Run: 86,949,539,840 bytes free
Post-Run: 87,266,082,816 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

Go ahead and delete DDS and redownload it and see if you can get it to run and get its two logs:



Step # 1 Download and run DDS

Download DDS and save it to your desktop from here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop. Post them back to your topic.



Step # 2 Run Win32kDiag

Make sure that Win32kDiag.exe is located on your Desktop.

Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
"%userprofile%\desktop\win32kdiag.exe" -f -r



Step # 3: Run CFScript

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    KILLALL::
    
    Folder::
    
    c:\program files\DNA
    
    Registry::
    
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "BitTorrent DNA"=-
    
    RegNull::
    
    [HKEY_USERS\S-1-5-21-2052111302-706699826-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9F697F2E-8BCA-DBDF-35BF-AC7D3CC7CA18}*]

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.




    [screenshot: CFScriptB-4.gif]



    Note: This CFScript is for use on jskyer's computer only! Do not use it on your computer.

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


In your next post/reply, I need to see the following:

1. The two DDS Logs, if available (DDS.txt and Attach.txt)
2. The Win32kDiag Log
3. The ComboFix Log that appears after Step 3 has been completed.
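Why the RegNull:: line targets that one key and not the others in the "LOCKED REGISTRY KEYS" section is worth making explicit. The Shell Extensions\Approved key is printed with a trailing `*`, which is ComboFix's marker for a key name containing an embedded null character: the ordinary Win32 registry API (and therefore regedit) cannot open or delete such a key, which is exactly what the RegNull:: directive exists for. The FlashBroker CLSID and Interface keys also appear there because they carry a Deny ACE for Everyone, but the helper left them alone. The script below is an added illustration of that triage and is not part of the thread or of ComboFix; it parses the log section as posted above (embedded here as a constructed sample), flags keys by the `*` marker or by a Deny ACE, and emits the RegNull:: block. The allow-list of Adobe Flash key paths is an assumption made for the example, and the generated block is only meaningful when run under a helper's guidance.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the LOCKED REGISTRY KEYS section as it appears in the
# ComboFix log posted above (abridged to the entries the parser needs).
SAMPLE_LOG = r"""
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2052111302-706699826-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9F697F2E-8BCA-DBDF-35BF-AC7D3CC7CA18}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"dacofhgn"=hex:62,61,61,6c,00,06
"fapnalbjfplb"=hex:63,61,62,6c,6b,66,00,00

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
"""

KEY_RE = re.compile(r"^\[(HK[^\]]+)\]$")
ACE_RE = re.compile(r"^@(Allowed|Denied):\s*(.*)$")
VALUE_RE = re.compile(r'^(?:"([^"]+)"|@)=(.*)$')

# Assumed allow-list for this example: the Adobe Flash broker keys that the
# helper in the thread deliberately did not touch.
BENIGN_LOCKED = [
    re.compile(r"\\Classes\\CLSID\\\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB\}", re.I),
    re.compile(r"\\Classes\\Interface\\\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3\}", re.I),
]


def parse_locked_keys(log: str) -> List[Dict]:
    """Return one record per key in the LOCKED REGISTRY KEYS section."""
    keys: List[Dict] = []
    current = None
    in_section = False
    for raw in log.splitlines():
        line = raw.strip()
        if "LOCKED REGISTRY KEYS" in line:
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("-----"):
            break  # reached the next section header
        m = KEY_RE.match(line)
        if m:
            current = {"path": m.group(1), "allowed": [], "denied": [], "values": {}}
            keys.append(current)
            continue
        if current is None or not line:
            continue
        m = ACE_RE.match(line)
        if m:
            current["allowed" if m.group(1) == "Allowed" else "denied"].append(m.group(2))
            continue
        m = VALUE_RE.match(line)
        if m:
            current["values"][m.group(1) or "@"] = m.group(2)
    return keys


def triage(keys: List[Dict]) -> List[Tuple[str, List[str]]]:
    """Flag keys that need attention and say why; allow-listed Deny ACEs pass."""
    findings = []
    for k in keys:
        path, reasons = k["path"], []
        if path.endswith("*"):
            # ComboFix appends '*' to key names containing an embedded null.
            reasons.append("embedded-null key name (ComboFix '*' marker)")
        if k["denied"] and not any(p.search(path) for p in BENIGN_LOCKED):
            reasons.append("Deny ACE: " + "; ".join(k["denied"]))
        if reasons:
            findings.append((path, reasons))
    return findings


def build_regnull(findings: List[Tuple[str, List[str]]]) -> str:
    """Render the CFScript RegNull:: section for the flagged keys."""
    lines = ["RegNull::", ""] + ["[%s]" % path for path, _ in findings]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = triage(parse_locked_keys(SAMPLE_LOG))
    for path, reasons in found:
        print(path, "->", "; ".join(reasons))
    print(build_regnull(found))
```

Running it on the sample reports only the Shell Extensions\Approved key, for the embedded-null reason, and prints a RegNull:: block matching the one in Step 3; the two Flash keys are passed as known-benign. The value names under the flagged key ("dacofhgn", "fapnalbjfplb") are not used by the heuristic, but a practitioner reviewing a log would note them as a second hint that the key is not a normal shell-extension approval entry.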
 
Everything ran OK this time. Makes me think fantastic things are being accomplished. Yay!

Here are the files you requested:

::: DDS.txt :::

DDS (Ver_09-07-30.01) - NTFSx86
Run by Geoff at 23:10:30.70 on Thu 09/24/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.460 [GMT -7:00]

AV: AVG Anti-Virus *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\kmw_run.exe
C:\WINDOWS\system32\KMW_SHOW.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\ACT\Act for Windows\Act.Outlook.Service.exe
C:\Program Files\ACT\Act for Windows\Act.Scheduler.UI.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\tbctray.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Geoff\Desktop\SaferNetworking\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: ZILLAbar Browser Helper Object: {1827766b-9f49-4854-8034-f6ee26fcb1ec} - c:\program files\stopzilla!\SZSG.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile: {d5233fcd-d258-4903-89b8-fb1568e7413d} - mscoree.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: STOPzilla Browser Helper Object: {e3215f20-3212-11d6-9f8b-00d0b743919d} - c:\program files\stopzilla!\SZIEBHO.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: STOPzilla: {98828ded-a591-462f-83ba-d2f62a68b8b8} - c:\program files\stopzilla!\SZSG.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\Wcescomm.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [kmw_run.exe] kmw_run.exe
mRun: [EPSON Stylus Photo R200 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Act.Outlook.Service] "c:\program files\act\act for windows\Act.Outlook.Service.exe"
mRun: [Act! Preloader] "c:\program files\act\act for windows\ActSage.exe" -preload
mRun: [ACTSchedulerUI] "c:\program files\act\act for windows\Act.Scheduler.UI.exe" -Dfalse
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [TraySantaCruz] c:\windows\system32\tbctray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Windows Search.lnk.disabled
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\program files\common files\is3\anti-spyware\iS3lsp.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1235942706406
DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - hxxp://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/softwareupdate/su/ocx/15106/CTPID.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} -
WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} -
WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} -
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\geoff\applic~1\mozilla\firefox\profiles\wrnsupub.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\documents and settings\geoff\application data\mozilla\firefox\profiles\wrnsupub.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\FFAlert.dll
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v1.02.08
============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2008-5-22 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-22 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2006-11-23 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-22 108552]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-8 297752]
R2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2008-11-24 29263712]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-4-8 92008]
R3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [2005-4-9 144768]
R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [2005-4-9 545088]
S3 SysProtDrv.sys;SysProtDrv.sys;c:\documents and settings\geoff\desktop\safernetworking\sysprot\sysprot\sysprot\SysProtDrv.sys [2009-9-23 44288]
S4 ACT! Scheduler;ACT! Scheduler;c:\program files\act\act for windows\Act.Scheduler.exe [2008-7-31 81920]

=============== Created Last 30 ================

2009-09-24 13:12 <DIR> a-dshr-- C:\cmdcons
2009-09-24 13:11 229,888 a------- c:\windows\PEV.exe
2009-09-24 13:11 161,792 a------- c:\windows\SWREG.exe
2009-09-24 13:11 98,816 a------- c:\windows\sed.exe
2009-09-20 20:57 <DIR> --d----- c:\program files\oldspybot~2
2009-09-19 21:02 <DIR> --d----- c:\program files\Trend Micro
2009-09-19 18:46 <DIR> --d----- c:\program files\OLD-2Spybot - Search & Destroy
2009-09-18 00:45 <DIR> --d----- c:\program files\STOPzilla!
2009-09-18 00:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SITEguard
2009-09-18 00:36 <DIR> --d----- c:\program files\common files\iS3
2009-09-18 00:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\STOPzilla!
2009-09-17 23:46 0 a----r-- c:\windows\win32k.sys
2009-09-04 20:56 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-09-03 23:56 <DIR> --d----- c:\program files\SpyZooka

==================== Find3M ====================

2009-09-24 22:06 952 a--sh--- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2009-09-24 19:41 7,304 a------- c:\windows\TMP0001.TMP
2009-08-15 20:56 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-28 19:23 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-07-28 19:23 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-07-20 14:57 17,408 a----r-- c:\windows\system32\SZIO5.dll
2009-07-20 14:56 311,296 a----r-- c:\windows\system32\SZBase5.dll
2009-07-20 14:56 540,672 a----r-- c:\windows\system32\SZComp5.dll
2009-07-09 15:52 126,976 a----r-- c:\windows\system32\IS3HTUI5.dll
2009-07-09 15:52 393,216 a----r-- c:\windows\system32\IS3DBA5.dll
2009-07-09 15:51 385,024 a----r-- c:\windows\system32\IS3UI5.dll
2009-07-09 15:51 61,440 a----r-- c:\windows\system32\IS3Hks5.dll
2009-07-09 15:51 23,040 a----r-- c:\windows\system32\IS3XDat5.dll
2009-07-09 15:50 225,280 a----r-- c:\windows\system32\IS3Win325.dll
2009-07-09 15:50 94,208 a----r-- c:\windows\system32\IS3Inet5.dll
2009-07-09 15:50 90,112 a----r-- c:\windows\system32\IS3Svc5.dll
2009-07-09 15:47 724,992 a----r-- c:\windows\system32\IS3Base5.dll
2009-07-03 10:09 915,456 -------- c:\windows\system32\wininet.dll
2009-06-24 13:31 88 ---shr-- c:\docume~1\alluse~1\applic~1\E18EE82E7A.sys
2008-12-25 13:35 2,788,800 -------- c:\program files\FLV PlayerFCSetup.exe
2008-06-02 14:08 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008060220080603\index.dat

============= FINISH: 23:11:11.29 ===============


::: Attach.txt :::

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 4/9/2005 4:36:05 PM
System Uptime: 9/24/2009 7:41:14 PM (4 hours ago)

Motherboard: | | 848P-ICH5
Processor: Intel(R) Pentium(R) 4 CPU 3.20GHz | Socket 478 | 3192/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 128 GiB total, 81.284 GiB free.
D: is FIXED (NTFS) - 37 GiB total, 3.84 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Multimedia Audio Controller
Device ID: PCI\VEN_8086&DEV_24D5&SUBSYS_18751019&REV_02\3&13C0B0C5&0&FD
Manufacturer:
Name: Multimedia Audio Controller
PNP Device ID: PCI\VEN_8086&DEV_24D5&SUBSYS_18751019&REV_02\3&13C0B0C5&0&FD
Service:

==== System Restore Points ===================

RP3: 9/24/2009 1:19:47 PM - System Checkpoint
RP4: 9/24/2009 8:16:25 PM - System Checkpoint

==== Installed Programs ======================

2007 Microsoft Office Suite Service Pack 2 (SP2)
Acoustica Effects Pack
ACT!
ACT! by Sage 2009 (11.0)
Ad-Aware
Adobe Acrobat 4.0
Adobe Download Manager 2.0 (Remove Only)
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop 6.0
Adobe Product/Adobe Studio Update 10/2001
Adobe Reader 7.0
Adobe SVG Viewer 3.0
Amazon MP3 Downloader 1.0.0+6
APC PowerChute Personal Edition
Apple Software Update
Applet_App
Applet_Copy
Applet_Creativity
Applet_Email
Applet_Epp
Applet_File
Applet_OCR
Applet_Web
Applian FLV Player
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
ATT-AACE
Audacity 1.2.6
Audacity 1.3.7 (Unicode)
AutoUpdate
AVG 8.5
BadCopy Pro
CompanionLink
Copy Utility
Creative MediaSource 5
Creative Removable Disk Manager
Creative System Information
Creative ZEN Vision M Series
Critical Update for Windows Media Player 11 (KB959772)
DBF Viewer 2000
DiscWizard for Windows
DivX
DivX Web Player
EPSON Print CD
EPSON Printer Software
EPSON Smart Panel
EPSON SP R200 Reference Guide
EPSON TWAIN 5
ERUNT 1.1j
ffdshow (remove only)
FileZilla (remove only)
FileZilla Client 3.2.3.1
Freecorder Toolbar
Freecorder Toolbar 3.02 Application
Google Earth
Google Toolbar for Internet Explorer
Google Updater
Google Video Player
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Icon Edit 2.1.9
J2SE Runtime Environment 5.0 Update 11
JagoClient Version 5.0
Java(TM) 6 Update 15
Kensington MouseWorks
Macromedia Flash MX 2004
Macromedia Shockwave Player
Mapopolis
Microsearch Color Picker
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft ActiveSync
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft IntelliPoint 5.2
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 SR-1 Premium
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Standard 2007
Microsoft Office Word MUI (English) 2007
Microsoft Outlook Personal Folders Backup
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (ACT7)
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Windows XP Video Decoder Checkup Utility
Mozilla Firefox (3.0.10)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser
Musicnotes Player V1.23.1 and Viewer
NTI CD-Maker 2000
PC Inspector smart recovery
PF1250-1650 Guide
Pocket GNU Go
QuickTime
Real Alternative 1.51
RecordPad Sound Recorder Uninstall
ScanToWeb
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB973346)
Spin It Again
STOPzilla
Switch Uninstall
TomTom HOME 2.6.2.1586
TomTom HOME Visual Studio Merge Modules
Turtle Beach Santa Cruz Driver
U.S. Robotics V.92 PCI Faxmodem
UltraEdit-32
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB971930)
Update for Windows XP (KB943729)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
User Profile Hive Cleanup Service
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WavePad Uninstall
WebFldrs XP
Winamp (remove only)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 10 Hotfix - KB894476
Windows Media Player 10 Hotfix - KB895316
Windows Media Player 11
Windows Mobile Daylight Saving Time 2007 Updates
Windows Search 4.0
Windows XP Service Pack 3
Yahoo! Install Manager
ZENcast Organizer

==== Event Viewer Messages From Past Week ========

9/24/2009 1:19:48 PM, error: PlugPlayManager [11] - The device Root\LEGACY_ROOTREPEAL\0000 disappeared from the system without first being prepared for removal.
9/24/2009 1:19:46 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC000003A' while processing the file 'KB912812' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
9/24/2009 1:14:33 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.
9/24/2009 1:11:34 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
9/24/2009 1:10:55 PM, error: Service Control Manager [7023] - The Automatic Updates service terminated with the following error: The specified module could not be found.
9/20/2009 9:05:33 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
9/20/2009 8:57:21 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
9/20/2009 8:53:10 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
9/20/2009 8:52:01 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AvgLdx86 AvgMfx86 Fips intelppm
9/20/2009 8:51:45 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
9/19/2009 6:54:56 PM, error: Service Control Manager [7000] - The STOPzilla Service service failed to start due to the following error: Access is denied.
9/19/2009 6:46:42 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
9/19/2009 6:35:32 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AvgLdx86 AvgMfx86 AvgTdiX Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip WS2IFSL
9/19/2009 6:35:32 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
9/19/2009 6:35:32 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
9/19/2009 6:35:32 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
9/19/2009 6:35:32 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
9/18/2009 12:37:34 AM, error: Service Control Manager [7034] - The STOPzilla Service service terminated unexpectedly. It has done this 1 time(s).
9/17/2009 11:47:37 PM, error: Service Control Manager [7024] - The Windows Search service terminated with service-specific error 2147749155 (0x80040D23).

==== End Of File ===========================


::: Win32KDiag.txt :::
Running from: C:\Documents and Settings\Geoff\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\Geoff\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Cannot access: C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpsvc.exe

Attempting to restore permissions of : C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpsvc.exe

Cannot access: C:\WINDOWS\system32\ntbackup.exe

Attempting to restore permissions of : C:\WINDOWS\system32\ntbackup.exe



Finished!


::: ComboFix log :::
ComboFix 09-09-23.02 - Geoff 09/24/2009 23:21.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.440 [GMT -7:00]
Running from: c:\documents and settings\Geoff\Desktop\SaferNetworking\JakeBird.exe
Command switches used :: c:\documents and settings\Geoff\Desktop\SaferNetworking\CFScript.txt
AV: AVG Anti-Virus *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\DNA
c:\program files\DNA\DNAcpl.cpl
c:\program files\DNA\plugins\npbtdna.dll

.
((((((((((((((((((((((((( Files Created from 2009-08-25 to 2009-09-25 )))))))))))))))))))))))))))))))
.

2009-09-21 03:57 . 2009-09-24 03:01 -------- d-----w- c:\program files\oldspybot~2
2009-09-20 04:02 . 2009-09-20 04:02 -------- d-----w- c:\program files\Trend Micro
2009-09-20 03:58 . 2009-09-20 03:58 -------- d-----w- c:\program files\ERUNT
2009-09-20 01:46 . 2009-09-21 03:55 -------- d-----w- c:\program files\OLD-2Spybot - Search & Destroy
2009-09-18 07:45 . 2009-09-18 07:45 -------- d-----w- c:\program files\STOPzilla!
2009-09-18 07:37 . 2009-09-18 07:37 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-09-18 07:36 . 2009-09-18 07:36 -------- d-----w- c:\program files\Common Files\iS3
2009-09-18 07:36 . 2009-09-18 07:45 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-09-18 06:46 . 2009-09-24 19:25 0 ----a-r- c:\windows\win32k.sys
2009-09-05 03:56 . 2009-09-05 03:56 -------- d-----w- c:\windows\system32\wbem\Repository
2009-09-04 06:56 . 2009-09-04 07:29 -------- d-----w- c:\program files\SpyZooka
2009-08-27 03:22 . 2009-08-27 03:22 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-25 06:27 . 2005-04-10 03:19 7304 ----a-w- c:\windows\TMP0001.TMP
2009-09-25 05:41 . 2008-06-16 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-09-25 05:06 . 2009-06-24 20:31 952 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-09-24 03:00 . 2005-04-24 00:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-20 01:45 . 2005-04-24 00:48 -------- d-----w- c:\program files\old_spybot~1
2009-09-18 06:47 . 2008-05-23 00:51 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-30 20:20 . 2008-12-25 20:37 -------- d-----w- c:\program files\Freecorder
2009-08-16 03:56 . 2009-08-16 03:56 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-16 03:56 . 2007-02-25 01:40 -------- d-----w- c:\program files\Java
2009-08-04 22:19 . 2005-04-11 00:33 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-08-02 23:12 . 2009-06-24 20:17 -------- d-----w- c:\program files\Microsoft SQL Server
2009-08-02 01:21 . 2009-08-02 01:21 -------- d-----w- c:\program files\QuickTime
2009-08-02 01:21 . 2005-05-05 03:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-08-02 01:20 . 2009-08-02 01:20 -------- d-----w- c:\program files\Apple Software Update
2009-08-02 01:20 . 2009-08-02 01:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-07-29 02:23 . 2008-05-23 00:52 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-07-29 02:23 . 2008-05-23 00:52 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-29 02:23 . 2006-11-23 22:19 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-07-20 21:57 . 2009-07-20 21:57 17408 ----a-r- c:\windows\system32\SZIO5.dll
2009-07-20 21:56 . 2009-07-20 21:56 311296 ----a-r- c:\windows\system32\SZBase5.dll
2009-07-20 21:56 . 2009-07-20 21:56 540672 ----a-r- c:\windows\system32\SZComp5.dll
2009-07-09 22:52 . 2009-07-09 22:52 126976 ----a-r- c:\windows\system32\IS3HTUI5.dll
2009-07-09 22:52 . 2009-07-09 22:52 393216 ----a-r- c:\windows\system32\IS3DBA5.dll
2009-07-09 22:51 . 2009-07-09 22:51 385024 ----a-r- c:\windows\system32\IS3UI5.dll
2009-07-09 22:51 . 2009-07-09 22:51 61440 ----a-r- c:\windows\system32\IS3Hks5.dll
2009-07-09 22:51 . 2009-07-09 22:51 23040 ----a-r- c:\windows\system32\IS3XDat5.dll
2009-07-09 22:50 . 2009-07-09 22:50 225280 ----a-r- c:\windows\system32\IS3Win325.dll
2009-07-09 22:50 . 2009-07-09 22:50 94208 ----a-r- c:\windows\system32\IS3Inet5.dll
2009-07-09 22:50 . 2009-07-09 22:50 90112 ----a-r- c:\windows\system32\IS3Svc5.dll
2009-07-09 22:47 . 2009-07-09 22:47 724992 ----a-r- c:\windows\system32\IS3Base5.dll
2009-07-03 17:09 . 2002-08-29 10:41 915456 ------w- c:\windows\system32\wininet.dll
2008-12-25 20:35 . 2008-12-25 20:35 2788800 ------w- c:\program files\FLV PlayerFCSetup.exe
2005-09-16 02:26 . 2005-06-25 06:01 44153 ------w- c:\program files\mozilla firefox\components\inspector.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-09-24_20.22.05 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-25 06:29 . 2009-09-25 06:29 16384 c:\windows\temp\Perflib_Perfdata_634.dat
+ 2009-09-25 06:29 . 2009-09-25 06:29 16384 c:\windows\temp\Perflib_Perfdata_3cc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-02 1004800]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-02 20:38 1004800 ------w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-02 1004800]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-02 1004800]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-06-12 700416]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-04-08 251240]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-16 68856]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R200 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" [2003-07-08 99840]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-09-17 2022680]
"Act.Outlook.Service"="c:\program files\ACT\Act for Windows\Act.Outlook.Service.exe" [2008-08-01 28672]
"Act! Preloader"="c:\program files\ACT\Act for Windows\ActSage.exe" [2008-08-01 393216]
"ACTSchedulerUI"="c:\program files\ACT\Act for Windows\Act.Scheduler.UI.exe" [2008-08-01 499712]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-16 149280]
"TraySantaCruz"="c:\windows\system32\tbctray.exe" [2002-04-17 290816]
"kmw_run.exe"="kmw_run.exe" - c:\windows\system32\kmw_run.exe [2006-08-03 106496]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2005-10-15 221295]
Windows Search.lnk.disabled [2009-3-1 1798]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-29 02:23 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe"
"MSWheel"=

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\FileZilla\\FileZilla.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\ACT\\Act for Windows\\ActSage.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\ACT\\Act for Windows\\Act8.exe"=
"c:\\Program Files\\ACT\\Act for Windows\\Act11.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [5/22/2008 5:52 PM 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/22/2008 5:52 PM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/22/2008 5:52 PM 108552]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/8/2009 10:26 AM 297752]
R2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [11/24/2008 10:31 PM 29263712]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [4/8/2009 3:38 AM 92008]
R3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [4/9/2005 5:30 PM 144768]
R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [4/9/2005 5:30 PM 545088]
S3 SysProtDrv.sys;SysProtDrv.sys;c:\documents and settings\Geoff\Desktop\SaferNetworking\SysProt\SysProt\SysProt\SysProtDrv.sys [9/23/2009 8:37 PM 44288]
S4 ACT! Scheduler;ACT! Scheduler;c:\program files\ACT\Act for Windows\Act.Scheduler.exe [7/31/2008 9:02 PM 81920]

--- Other Services/Drivers In Memory ---

*Deregistered* - uphcleanhlp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-25 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-25 02:43]

2009-09-25 c:\windows\Tasks\User_Feed_Synchronization-{0E74C5E3-16AD-40A6-86AA-AE2E70CED442}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\program files\Common Files\iS3\Anti-Spyware\iS3lsp.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Geoff\Application Data\Mozilla\Firefox\Profiles\wrnsupub.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\documents and settings\Geoff\Application Data\Mozilla\Firefox\Profiles\wrnsupub.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\FFAlert.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v1.02.08 .

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-24 23:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(532)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(588)
c:\program files\Common Files\iS3\Anti-Spyware\iS3lsp.dll

- - - - - - - > 'explorer.exe'(3272)
c:\windows\system32\WININET.dll
c:\windows\system32\kmw_dll.dll
c:\windows\system32\WOW32.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\progra~1\MICROS~4\rapimgr.exe
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\AVG\AVG8\avgam.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\UPHClean\uphclean.exe
c:\windows\system32\searchindexer.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-09-25 23:34 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-25 06:34
ComboFix2.txt 2009-09-24 20:27

Pre-Run: 87,258,251,264 bytes free
Post-Run: 87,214,821,376 bytes free

 
Step # 1 Update Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u16.
  • Click on the link to download Windows Offline Installation and save to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Remove the following old versions of Java:
    • J2SE Runtime Environment 5.0 Update 11
    • Java(TM) 6 Update 15

  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • From your desktop double-click on the download to install the newest version.



Step # 2: Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.



Step # 3 Download and Run Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Post the MalwareBytes' Log in your next post/reply.
 
Everything ran as described. Below is the log from Malwarebytes' Anti-Malware.

Two questions:

1) Right after we started this explore and repair endeavor I started receiving the following Windows message every time the machine boots up. After completing Step #3 in this recent set, when I rebooted the machine this message still comes up:

"Windows cannot open this file
Windows search.lnk.disabled"

There is the request to search for the program to open this file and I have simply been clicking on Cancel.

What is it, and what should I do?

2) Every time I start Outlook 2007, the first time I click on Send/Receive, the Send/Receive dialog box opens up for about a second, then Outlook closes entirely. Starting it up a second time, this does not happen. This is still happening after completing the recent set of instructions.


Here is the log from Malwarebytes ---


Malwarebytes' Anti-Malware 1.41
Database version: 2861
Windows 5.1.2600 Service Pack 3

9/25/2009 10:29:35 PM
mbam-log-2009-09-25 (22-29-35).txt

Scan type: Quick Scan
Objects scanned: 106167
Time elapsed: 3 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\win32k.sys (Trojan.Dropper) -> Quarantined and deleted successfully.
 
1) Right after we started this explore and repair endeavor I started receiving the following Windows message every time the machine boots up. After completing Step #3 in this recent set, when I rebooted the machine this message still comes up:

"Windows cannot open this file
Windows search.lnk.disabled"

There is the request to search for the program to open this file and I have simply been clicking on Cancel.

What is it, and what should I do?

.lnk files are shortcuts to files and folders. Windows can't find this file/folder, so let's get rid of this so the message doesn't come up again. We'll do it with HJT.

Remove Hijackthis Entries

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):


    O4 - Global Startup: Windows Search.lnk.disabled

  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

Then reboot your computer; the message should be gone when your computer boots back up.


2) Every time I start Outlook 2007, the first time I click on Send/Receive, the Send/Receive dialog box opens up for about a second, then Outlook closes entirely. Starting it up a second time, this does not happen. This is still happening after completing the recent set of instructions.

Not sure what is happening here. Looking it up on Google doesn't give many results. Did this ever happen before, i.e. before you came here for help? You can try going into Add/Remove Programs, selecting Outlook 2007 and seeing if you can select Repair (if it's there) to see if you can fix it.


==================

I'd also like for you to do the following:


Step # 1 Update Adobe Acrobat Reader

There is a newer version of Adobe Acrobat Reader available. (See Note below)

  • First, go to Add/Remove Programs and uninstall Adobe Reader 7.0.
  • Please go to this link Adobe Acrobat Reader Download Link
  • On the right, untick Adobe Photoshop Album Starter Edition if you do not wish to include this in the installation.
  • Click the Continue button
  • Click Run, and click Run again
  • Next click the Install Now button and follow the on screen prompts

Note: Adobe 9.1.3 is a large program and if you prefer a smaller program you can get Foxit 3.1 instead from http://www.foxitsoftware.com/pdf/rd_intro.php

If you decide to install Foxit 3.1 instead of Adobe, do the following during Foxit's Setup/Installation process:

Uncheck the following boxes:

I accept the License Terms and want to install Foxit Toolbar

Make Ask.com my default search

Create desktop, quick launch and start menu icon to eBay



Step # 2: Run Kaspersky Online Scan

Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.


In your next post/reply, I need to see the following:

1. Kaspersky Log
2. A fresh DDS Log
3. Besides what you posted at the beginning of your last post, how is your computer doing? Any problems?
 
Dinner and a movie later, here are the reports you requested. But first, I get the feeling that the computer is happier than it was. IE and Google appear to be cooperating again, and the thing may actually be running faster, but that's only a feeling. Certainly a lot less continuous hard disc activity.

I have left Ad-Aware turned off. Spybot was so wrecked I uninstalled it, as much as I could. I have left the Windows firewall turned off, and I have been disabling AVG whenever I download something you ask me to and for the duration of its running. But then I enable it again. So, this morning I booted up the machine and after it sat there for several minutes, unused, AVG popped up the following message:

Resident Shield alert

File name: C:\System Volume Information\_restore{3D2F4BBA-EAB6-4978-9EBA-5CDE82BEBE2A}\RP4\A0000774.com

Threat name: Virus found Downloader.Banload
Detected on open.

Process name: C:\WINDOWS\SYSTEM32\svchost.exe
Process ID: 888



Here are the reports you requested:

::: Kaspersky log :::
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Saturday, September 26, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, September 27, 2009 05:17:13
Records in database: 2926943
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Objects scanned: 128276
Threats found: 8
Infected objects found: 22
Suspicious objects found: 0
Scan duration: 02:22:58


File name / Threat / Threats count
C:\Documents and Settings\All Users\Documents\outlook.pst Infected: Trojan-Downloader.Win32.FraudLoad.fpw 5
C:\Documents and Settings\All Users\Documents\Outlook2007\outlook.pst Infected: Backdoor.Win32.Bredolab.wh 1
C:\Documents and Settings\All Users\Documents\Outlook2007\outlook.pst Infected: Backdoor.Win32.Bredolab.wj 1
C:\Documents and Settings\All Users\Documents\Outlook2007\outlook.pst Infected: Backdoor.Win32.Bredolab.xd 1
C:\Documents and Settings\All Users\Documents\Outlook2007\outlook.pst Infected: Backdoor.Win32.Bredolab.wr 1
C:\Documents and Settings\All Users\Documents\Outlook2007\outlook.pst Infected: Backdoor.Win32.UltimateDefender.yw 1
C:\Documents and Settings\Geoff\Desktop\Downloads\SBC_SST_Installer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b 2
C:\Documents and Settings\Geoff\Local Settings\Application Data\Microsoft\Outlook\outlook.pst Infected: Trojan-Downloader.Win32.FraudLoad.fpw 7
C:\Documents and Settings\Geoff\Local Settings\Application Data\Microsoft\Outlook\outlook.pst Infected: Trojan-Downloader.Win32.FraudLoad.wspk 3

Selected area has been scanned.


::: DDS.txt :::

DDS (Ver_09-07-30.01) - NTFSx86
Run by Geoff at 23:54:57.23 on Sat 09/26/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.698 [GMT -7:00]

AV: AVG Anti-Virus *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\kmw_run.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\KMW_SHOW.EXE
C:\Program Files\ACT\Act for Windows\Act.Outlook.Service.exe
C:\Program Files\ACT\Act for Windows\Act.Scheduler.UI.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\tbctray.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Geoff\Desktop\SaferNetworking\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: ZILLAbar Browser Helper Object: {1827766b-9f49-4854-8034-f6ee26fcb1ec} - c:\program files\stopzilla!\SZSG.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile: {d5233fcd-d258-4903-89b8-fb1568e7413d} - mscoree.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: STOPzilla Browser Helper Object: {e3215f20-3212-11d6-9f8b-00d0b743919d} - c:\program files\stopzilla!\SZIEBHO.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: STOPzilla: {98828ded-a591-462f-83ba-d2f62a68b8b8} - c:\program files\stopzilla!\SZSG.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\Wcescomm.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [kmw_run.exe] kmw_run.exe
mRun: [EPSON Stylus Photo R200 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Act.Outlook.Service] "c:\program files\act\act for windows\Act.Outlook.Service.exe"
mRun: [Act! Preloader] "c:\program files\act\act for windows\ActSage.exe" -preload
mRun: [ACTSchedulerUI] "c:\program files\act\act for windows\Act.Scheduler.UI.exe" -Dfalse
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [TraySantaCruz] c:\windows\system32\tbctray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\program files\common files\is3\anti-spyware\iS3lsp.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1235942706406
DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - hxxp://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/softwareupdate/su/ocx/15106/CTPID.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} -
WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} -
WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} -
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\geoff\applic~1\mozilla\firefox\profiles\wrnsupub.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\documents and settings\geoff\application data\mozilla\firefox\profiles\wrnsupub.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\FFAlert.dll
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v1.02.08
============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2008-5-22 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-22 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2006-11-23 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-22 108552]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-8 297752]
R2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2008-11-24 29263712]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-4-8 92008]
R3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [2005-4-9 144768]
R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [2005-4-9 545088]
S3 SysProtDrv.sys;SysProtDrv.sys;c:\documents and settings\geoff\desktop\safernetworking\sysprot\sysprot\sysprot\SysProtDrv.sys [2009-9-23 44288]
S4 ACT! Scheduler;ACT! Scheduler;c:\program files\act\act for windows\Act.Scheduler.exe [2008-7-31 81920]

=============== Created Last 30 ================

2009-09-25 22:23 <DIR> --d----- c:\docume~1\geoff\applic~1\Malwarebytes
2009-09-25 22:23 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-25 22:23 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-25 22:23 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-25 22:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-25 22:17 73,728 a------- c:\windows\system32\javacpl.cpl
2009-09-24 13:12 <DIR> a-dshr-- C:\cmdcons
2009-09-24 13:11 229,888 a------- c:\windows\PEV.exe
2009-09-24 13:11 161,792 a------- c:\windows\SWREG.exe
2009-09-24 13:11 98,816 a------- c:\windows\sed.exe
2009-09-20 20:57 <DIR> --d----- c:\program files\oldspybot~2
2009-09-19 21:02 <DIR> --d----- c:\program files\Trend Micro
2009-09-19 18:46 <DIR> --d----- c:\program files\OLD-2Spybot - Search & Destroy
2009-09-18 00:45 <DIR> --d----- c:\program files\STOPzilla!
2009-09-18 00:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SITEguard
2009-09-18 00:36 <DIR> --d----- c:\program files\common files\iS3
2009-09-18 00:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\STOPzilla!
2009-09-04 20:56 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-09-03 23:56 <DIR> --d----- c:\program files\SpyZooka

==================== Find3M ====================

2009-09-26 20:56 952 a--sh--- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2009-09-26 20:54 7,304 a------- c:\windows\TMP0001.TMP
2009-09-25 22:16 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-28 19:23 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-07-20 14:57 17,408 a----r-- c:\windows\system32\SZIO5.dll
2009-07-20 14:56 311,296 a----r-- c:\windows\system32\SZBase5.dll
2009-07-20 14:56 540,672 a----r-- c:\windows\system32\SZComp5.dll
2009-07-09 15:52 126,976 a----r-- c:\windows\system32\IS3HTUI5.dll
2009-07-09 15:52 393,216 a----r-- c:\windows\system32\IS3DBA5.dll
2009-07-09 15:51 385,024 a----r-- c:\windows\system32\IS3UI5.dll
2009-07-09 15:51 61,440 a----r-- c:\windows\system32\IS3Hks5.dll
2009-07-09 15:51 23,040 a----r-- c:\windows\system32\IS3XDat5.dll
2009-07-09 15:50 225,280 a----r-- c:\windows\system32\IS3Win325.dll
2009-07-09 15:50 94,208 a----r-- c:\windows\system32\IS3Inet5.dll
2009-07-09 15:50 90,112 a----r-- c:\windows\system32\IS3Svc5.dll
2009-07-09 15:47 724,992 a----r-- c:\windows\system32\IS3Base5.dll
2009-07-03 10:09 915,456 -------- c:\windows\system32\wininet.dll
2009-06-24 13:31 88 ---shr-- c:\docume~1\alluse~1\applic~1\E18EE82E7A.sys
2008-12-25 13:35 2,788,800 -------- c:\program files\FLV PlayerFCSetup.exe
2008-06-02 14:08 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008060220080603\index.dat

============= FINISH: 23:55:18.71 ===============



::: Attach.txt :::

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 4/9/2005 4:36:05 PM
System Uptime: 9/26/2009 8:54:32 PM (3 hours ago)

Motherboard: | | 848P-ICH5
Processor: Intel(R) Pentium(R) 4 CPU 3.20GHz | Socket 478 | 3192/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 128 GiB total, 80.753 GiB free.
D: is FIXED (NTFS) - 37 GiB total, 3.828 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Multimedia Audio Controller
Device ID: PCI\VEN_8086&DEV_24D5&SUBSYS_18751019&REV_02\3&13C0B0C5&0&FD
Manufacturer:
Name: Multimedia Audio Controller
PNP Device ID: PCI\VEN_8086&DEV_24D5&SUBSYS_18751019&REV_02\3&13C0B0C5&0&FD
Service:

==== System Restore Points ===================

RP3: 9/24/2009 1:19:47 PM - System Checkpoint
RP4: 9/24/2009 8:16:25 PM - System Checkpoint
RP5: 9/25/2009 10:09:40 PM - Removed J2SE Runtime Environment 5.0 Update 11
RP6: 9/25/2009 10:10:31 PM - Removed Java(TM) 6 Update 15
RP7: 9/25/2009 10:16:41 PM - Installed Java(TM) 6 Update 16
RP8: 9/26/2009 8:52:12 PM - Removed Adobe Reader 7.0
RP9: 9/26/2009 8:52:32 PM - Installed Adobe Reader 9.1.

==== Installed Programs ======================

2007 Microsoft Office Suite Service Pack 2 (SP2)
Acoustica Effects Pack
Acrobat.com
ACT!
ACT! by Sage 2009 (11.0)
Ad-Aware
Adobe Acrobat 4.0
Adobe AIR
Adobe Download Manager 2.0 (Remove Only)
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop 6.0
Adobe Product/Adobe Studio Update 10/2001
Adobe Reader 9.1
Adobe SVG Viewer 3.0
Amazon MP3 Downloader 1.0.0+6
APC PowerChute Personal Edition
Apple Software Update
Applet_App
Applet_Copy
Applet_Creativity
Applet_Email
Applet_Epp
Applet_File
Applet_OCR
Applet_Web
Applian FLV Player
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
ATT-AACE
Audacity 1.2.6
Audacity 1.3.7 (Unicode)
AutoUpdate
AVG 8.5
BadCopy Pro
CompanionLink
Copy Utility
Creative MediaSource 5
Creative Removable Disk Manager
Creative System Information
Creative ZEN Vision M Series
Critical Update for Windows Media Player 11 (KB959772)
DBF Viewer 2000
DiscWizard for Windows
DivX
DivX Web Player
EPSON Print CD
EPSON Printer Software
EPSON Smart Panel
EPSON SP R200 Reference Guide
EPSON TWAIN 5
ERUNT 1.1j
ffdshow (remove only)
FileZilla (remove only)
FileZilla Client 3.2.3.1
Freecorder Toolbar
Freecorder Toolbar 3.02 Application
Google Earth
Google Toolbar for Internet Explorer
Google Updater
Google Video Player
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Icon Edit 2.1.9
JagoClient Version 5.0
Java(TM) 6 Update 16
Kensington MouseWorks
Macromedia Flash MX 2004
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
Mapopolis
Microsearch Color Picker
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft ActiveSync
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft IntelliPoint 5.2
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 SR-1 Premium
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Standard 2007
Microsoft Office Word MUI (English) 2007
Microsoft Outlook Personal Folders Backup
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (ACT7)
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Windows XP Video Decoder Checkup Utility
Mozilla Firefox (3.0.10)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser
Musicnotes Player V1.23.1 and Viewer
NTI CD-Maker 2000
PC Inspector smart recovery
PF1250-1650 Guide
Pocket GNU Go
QuickTime
Real Alternative 1.51
RecordPad Sound Recorder Uninstall
ScanToWeb
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB973346)
Spin It Again
STOPzilla
Switch Uninstall
TomTom HOME 2.6.2.1586
TomTom HOME Visual Studio Merge Modules
Turtle Beach Santa Cruz Driver
U.S. Robotics V.92 PCI Faxmodem
UltraEdit-32
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB971930)
Update for Windows XP (KB943729)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
User Profile Hive Cleanup Service
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WavePad Uninstall
WebFldrs XP
Winamp (remove only)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 10 Hotfix - KB894476
Windows Media Player 10 Hotfix - KB895316
Windows Media Player 11
Windows Mobile Daylight Saving Time 2007 Updates
Windows Search 4.0
Windows XP Service Pack 3
Yahoo! Install Manager
ZENcast Organizer

==== Event Viewer Messages From Past Week ========

9/24/2009 11:21:24 PM, error: Service Control Manager [7034] - The User Profile Hive Cleanup service terminated unexpectedly. It has done this 1 time(s).
9/24/2009 11:21:24 PM, error: Service Control Manager [7034] - The TomTomHOMEService service terminated unexpectedly. It has done this 1 time(s).
9/24/2009 11:21:24 PM, error: Service Control Manager [7034] - The SQL Server VSS Writer service terminated unexpectedly. It has done this 1 time(s).
9/24/2009 11:21:24 PM, error: Service Control Manager [7034] - The SQL Server (ACT7) service terminated unexpectedly. It has done this 1 time(s).
9/24/2009 11:21:24 PM, error: Service Control Manager [7034] - The Protexis Licensing V2 service terminated unexpectedly. It has done this 1 time(s).
9/24/2009 11:21:24 PM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s).
9/24/2009 11:21:24 PM, error: Service Control Manager [7034] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 1 time(s).
9/24/2009 11:21:24 PM, error: Service Control Manager [7034] - The Creative Service for CDROM Access service terminated unexpectedly. It has done this 1 time(s).
9/24/2009 11:21:24 PM, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).
9/24/2009 11:21:24 PM, error: Service Control Manager [7034] - The APC UPS Service service terminated unexpectedly. It has done this 1 time(s).
9/24/2009 11:21:24 PM, error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
9/24/2009 11:21:24 PM, error: Service Control Manager [7031] - The SQL Server Browser service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
9/24/2009 11:21:24 PM, error: Service Control Manager [7031] - The AVG8 WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
9/24/2009 1:19:48 PM, error: PlugPlayManager [11] - The device Root\LEGACY_ROOTREPEAL\0000 disappeared from the system without first being prepared for removal.
9/24/2009 1:19:46 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC000003A' while processing the file 'KB912812' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
9/24/2009 1:14:33 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.
9/24/2009 1:11:34 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
9/24/2009 1:10:55 PM, error: Service Control Manager [7023] - The Automatic Updates service terminated with the following error: The specified module could not be found.
9/20/2009 9:06:05 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
9/20/2009 8:57:21 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
9/20/2009 8:53:10 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
9/20/2009 8:52:01 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AvgLdx86 AvgMfx86 Fips intelppm
9/20/2009 8:51:45 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
9/19/2009 6:54:56 PM, error: Service Control Manager [7000] - The STOPzilla Service service failed to start due to the following error: Access is denied.
9/19/2009 6:46:42 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
9/19/2009 6:35:32 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AvgLdx86 AvgMfx86 AvgTdiX Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip WS2IFSL
9/19/2009 6:35:32 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
9/19/2009 6:35:32 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
9/19/2009 6:35:32 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
9/19/2009 6:35:32 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.

==== End Of File ===========================
 
What AVG found is in System Restore. It is harmless where it is. I'll be having you remove your old System Restore points and set up a new, clean one in an upcoming post.

Based on what Kaspersky found, go ahead and go into Outlook 2007 and delete all e-mails in your Junk/Spam/Bulk folder(s) and go into your Inbox and delete any e-mails you no longer need as well.
 
OK, I got rid of almost everything. Even managed to close a duplicate Personal Folders collection. Then I compacted the real Personal Folders.

I took a look at the Kaspersky report and tried to locate the .pst files it's talking about, and I cannot. So I did a search and found seven Outlook.pst files, all in different locations, including on my D drive where I have a very old version of Outlook that hasn't been run in years. Strangely they all have date/time stamps within the last 24 hours. And again, I can't find the directory where these files are supposedly located. For example: C:\Documents and Settings\All Users\Documents\ doesn't exist on my machine but both search and Kaspersky say that I have .pst files located there.
 
Thank Ghawd and Praise "Bob" for System Restore points. After sending you the above reply I tried to open ACT! 11, and it wouldn't. The SQL server was disabled. Fortunately I had a system restore point from one of yesterday's assignments and for the first time in weeks it actually worked. All the stuff in Outlook you asked me to delete had been deleted. Probably including some that several months from now I'm going to miss, but what can you do? The mysterious duplicate Personal Folders has been restored but somehow I think that is tied in to my problem with SQL and ACT! Don't ask me how but after the restore that's the only thing that's different. Anyway, I'm back on track and ready for symptom six, I mean your next reply. Thank you, seriously, for your help here.
 
If there are no more problems, then you are good to go.

You can reenable both Ad-Aware and the Windows Firewall.

You can delete the following off of your computer:

DDS.scr
The two DDS Logs
exeHelper.com
The exeHelper Log
RootRepeal.exe
Win32kDiag.exe
The Win32kDiag Log(s)
SysProt.exe
The SysProt Log



To remove ComboFix, do the following:

Go to Start > Run - type in ComboFix /u & click OK


Empty your Recycle Bin.


Please take the time to read my All Clean Post.

Please follow these simple steps in order to keep your computer clean and secure:

This is a good time to clear your existing system restore points and establish a new clean restore point

  • Go to Start > All Programs > Accessories > System Tools > System Restore
  • Select Create a restore point, and Ok it.
  • Next, go to Start > Run and type in cleanmgr
  • Make sure the C:\ drive is selected and click OK. If your computer's Hard Drive is not located on C:, change it to the correct drive letter then click OK.
  • Select the More options tab
  • Choose the option to clean up system restore and OK it.
  • This will remove all restore points except the new one you just created.

Clearing your restore points is not something you should do on a regular basis. Normally, this process only needs to be done after clearing out an infestation of malware.


Make your Internet Explorer more secure. This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialize and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it asks you if you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.

Set correct settings for files that should be hidden in Windows XP
  • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
  • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
  • If unchecked, please check Hide protected operating system files (Recommended)
  • If necessary check "Display content of system folders"
  • If necessary Uncheck Hide file extensions for known file types.
  • Click OK
  • Use Antivirus Software and Keep It Updated - It is very important that your computer has antivirus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a day. If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out.
  • Visit Microsoft's Update Site Frequently - It is important that you visit Microsoft Updates regularly. This will ensure your computer has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. An article on anti-malware products with links for this program and others can be found here:
    Computer Safety on line Anti Malware
  • Use the hosts file: Every version of Windows has a hosts file as part of it. In a very basic sense, it is used to locate web pages. We can customize a hosts file so that it blocks certain web pages. However, it can slow down certain computers. This is why using a hosts file is optional. Download the MVPS hosts file. Make sure you read the instructions on how to install the hosts file. There is a good tutorial HERE. If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
    • Click the start button on the task bar at the bottom of your screen
    • Click run
    • In the dialog box, type services.msc
    • hit enter, then locate dns client
    • Highlight it, then doubleclick it.
    • On the dropdown box, change the setting from automatic to manual.
    • Click OK.
  • Use an alternative instant messenger program: Trillian and Miranda IM. These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  • Please read Tony Klein's excellent article: How I got Infected in the First Place
  • Please read Understanding Spyware, Browser Hijackers, and Dialers
  • Please read Simple and easy ways to keep your computer safe and secure on the Internet
  • If you are using Internet Explorer, please consider using an alternate browser: Mozilla's Firefox or Opera.
    If you decide to use either FireFox or Opera, it is very important that you keep them up to date and check frequently for updates of the browser of your choice.
  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
  • If your computer was infected by a website, a program, IM, MSN, or p2p, check this site because it is Time To Fight Back.
Follow these steps and your potential for being infected again will reduce dramatically.

Here's a good website to read about Malware prevention:

http://users.telenet.be/bluepatchy/miekiemoes/prevention.html

If your computer is running slow, click here for instructions on how to help speed up your computer.

Good luck!

Please reply one last time so that I know you have read my post and this thread can be closed.
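The hosts-file and DNS Client steps in the post above can be checked from PowerShell. The script below is an added example and is not part of the thread or of km2357's instructions; it assumes the default hosts path under %SystemRoot%, the service name Dnscache (display name "DNS Client"), and a constructed 1000-entry threshold for "large" hosts files.

```powershell
# Added example (not from the original thread): audit the hosts file and the
# DNS Client service that the hosts-file steps above refer to.
# Assumptions: default hosts path; service name "Dnscache" (DNS Client);
# the 1000-entry threshold is a constructed sample value.
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

function Get-HostsEntries {
    param([string]$Path = $HostsPath)
    # Drop comments and blank lines, then split each active line into address + names.
    foreach ($line in Get-Content -LiteralPath $Path -ErrorAction Stop) {
        $text = ($line -split '#', 2)[0].Trim()
        if ($text -eq '') { continue }
        $parts = $text -split '\s+'
        if ($parts.Count -lt 2) { continue }   # malformed line: address without a name
        foreach ($name in $parts[1..($parts.Count - 1)]) {
            [pscustomobject]@{ Address = $parts[0]; Name = $name }
        }
    }
}

function Get-HostsAudit {
    $entries = @(Get-HostsEntries)
    # An MVPS-style blocklist maps names to a sinkhole address. Entries that point
    # a name somewhere else are worth a look: hijackers also edit this file to
    # redirect security and update sites.
    $sinkholes = '0.0.0.0', '127.0.0.1', '::1'
    $blocked   = @($entries | Where-Object { $sinkholes -contains $_.Address })
    $redirects = @($entries | Where-Object { $sinkholes -notcontains $_.Address })
    $svc = Get-CimInstance Win32_Service -Filter "Name='Dnscache'"
    [pscustomobject]@{
        BlockedNames       = $blocked.Count
        RedirectEntries    = $redirects
        DnsClientStartMode = $svc.StartMode
        # The slowdown the post describes: a big hosts file with DNS Client on Auto.
        SlowdownRisk       = ($blocked.Count -gt 1000 -and $svc.StartMode -eq 'Auto')
    }
}

$audit = Get-HostsAudit
$audit | Select-Object BlockedNames, DnsClientStartMode, SlowdownRisk | Format-List
if ($audit.RedirectEntries.Count -gt 0) {
    Write-Warning 'Hosts file maps names to non-local addresses; review these:'
    $audit.RedirectEntries | Format-Table -AutoSize
}
if ($audit.SlowdownRisk) {
    Write-Warning 'Large hosts file with DNS Client set to Automatic; the post suggests Manual:'
    Write-Host '  Set-Service -Name Dnscache -StartupType Manual'
}
```

Run it from an elevated PowerShell prompt; the Set-Service line at the end is printed, not executed, so the script itself changes nothing.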
 
I'm going to need a day or so to complete everything you talk about in your last reply so please don't close this case yet.

Also, I still have a couple of issues. Outlook 2007 still occasionally closes on first use of Send/Receive, and the SQL database associated with ACT 11 occasionally will not load at all, generating four red warnings in the Windows event viewer under applications.

Is there one last scan we can do that will let us know that we actually caught everything?

And/or will I simply need to go in and run some of the Windows repair routines and possibly just reinstall specific programs that are behaving strangely?
 