
Several Problems



jeffib
2010-11-03, 23:46
I've been working on a friend's computer and she was a mess (the computer).

Problems:
Random re-directs from Yahoo and Google results. The results for Trend Micro always seem to experience this.

After Avast detects an attack, one of the svchost instances runs very high CPU. I have to restart to stop him.

IE8 won't open Windows Update. Gives a cannot display page error.

IE8 has the Sonic Drive Letter thing disabled but whenever the machine reboots, it tries to install.

After running IE8, a network connection stays open and when I disconnect the Sprint connection, I can't reconnect unless I reboot.


I've run Malwarebytes, Spybot S&D and Avast scans multiple times. Combined they identified and removed over 300 baddies. Now the scans run clean but some problems remain.

Firefox is her browser of choice but to do Windows updates...

Attached is the zipped Attach data.

Here is the DDS:


DDS (Ver_10-11-01.01) - NTFSx86
Run by The Funk Master at 17:19:17.14 on Wed 11/03/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.192 [GMT -5:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Novatel Wireless\Novacore\Server\NvtlSrvr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Program Files\Sprint\Sprint SmartView\RDVCHG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Sprint\Sprint SmartView\SprintSV.exe
C:\Program Files\Sprint\Sprint SmartView\RcAppSvc.exe
C:\Program Files\Sprint\Sprint SmartView\bmctl.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Sprint\Sprint SmartView\SwiApiMuxCdma.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
C:\Documents and Settings\The Funk Master\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://mail.yahoo.com/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearch Bar = hxxp://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar3.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [Skype] "c:\program files\skype\\phone\Skype.exe" /nosplash /minimized
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [<NO NAME>]
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask .exe" -atboottime
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [Sprint SmartView] "c:\program files\sprint\sprint smartview\SprintSV.exe" -a
mRun: [RDVCHG] "c:\program files\sprint\sprint smartview\RDVCHG.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng1.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\device~1.lnk - c:\program files\olympus\devicedetector\DevDtct2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-us\local\search.html
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: bmnet.dll
Trusted Zone: yahoo.com\music
Trusted Zone: musicmatch.com\online
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1005.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\thefun~1\applic~1\mozilla\firefox\profiles\cdww7abl.default\
FF - prefs.js: browser.startup.homepage - hxxp://mail.yahoo.com/
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-10-31 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-10-31 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-10-31 40384]
R2 NvtlService;NovaCore SDK Service;c:\program files\novatel wireless\novacore\server\NvtlSrvr.exe [2010-1-11 82944]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-10-31 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-10-31 40384]
R3 bcm;WiMAX Network Adapter;c:\windows\system32\drivers\drxvi314.sys [2010-2-11 319488]
R3 bcmbusctr;WiMAX Bus Driver;c:\windows\system32\drivers\BcmBusCtr.sys [2010-2-11 51456]
S1 ncyqnhqq;ncyqnhqq;\??\c:\windows\system32\drivers\ncyqnhqq.sys --> c:\windows\system32\drivers\ncyqnhqq.sys [?]
S2 gupdate1ca9d6e302236f4;Google Update Service (gupdate1ca9d6e302236f4);c:\program files\google\update\GoogleUpdate.exe [2010-1-24 133104]
S2 gzqzholvx;jzlnnvn;c:\windows\system32\svchost.exe -k netsvcs [2004-8-11 14336]
S2 McAfee HackerWatch Service;McAfee HackerWatch Service;"c:\program files\common files\mcafee\hackerwatch\hwapi.exe" --> c:\program files\common files\mcafee\hackerwatch\HWAPI.exe [?]
S2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe --> c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [?]
S2 McRedirector;McAfee Redirector Service;c:\progra~1\common~1\mcafee\redirsvc\redirsvc.exe --> c:\progra~1\common~1\mcafee\redirsvc\redirsvc.exe [?]
S2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe --> c:\progra~1\mcafee\viruss~1\mcshield.exe [?]
S3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe --> c:\progra~1\mcafee\viruss~1\mcsysmon.exe [?]
S3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys --> c:\windows\system32\drivers\mfeavfk.sys [?]
S3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys --> c:\windows\system32\drivers\mfebopk.sys [?]
S3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys --> c:\windows\system32\drivers\mfehidk.sys [?]
S3 mferkdk;McAfee Inc.;c:\windows\system32\drivers\mferkdk.sys --> c:\windows\system32\drivers\mferkdk.sys [?]
S3 mfesmfk;McAfee Inc.;c:\windows\system32\drivers\mfesmfk.sys --> c:\windows\system32\drivers\mfesmfk.sys [?]
S3 vvtpa;vvtpa;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]

=============== Created Last 30 ================

2010-11-02 18:04:21 -------- d-----w- c:\program files\Novatel Wireless
2010-11-02 14:09:50 -------- d-----w- c:\docume~1\thefun~1\applic~1\Malwarebytes
2010-11-01 21:49:43 388096 ----a-r- c:\docume~1\thefun~1\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2010-11-01 21:49:42 -------- d-----w- c:\program files\Trend Micro
2010-10-31 22:43:08 38848 ----a-w- c:\windows\avastSS.scr
2010-10-31 22:42:47 -------- d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-10-31 03:09:37 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-10-31 03:09:37 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-10-31 00:11:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-31 00:11:13 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-31 00:11:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-31 00:11:13 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-10-30 23:41:32 29 ----a-w- c:\docume~1\thefun~1\applic~1\boot.bat
2010-10-30 23:07:44 242 ----a-w- c:\docume~1\thefun~1\applic~1\dkfjasdfshd.bat
2010-10-09 16:36:41 26112 ----a-w- c:\windows\system32\stu2.exe

==================== Find3M ====================

2010-10-30 23:38:16 0 ----a-w- c:\windows\system32\msadrtua.dll
2010-09-09 19:01:19 86016 ----a-w- c:\windows\system32\gxnajdbi.dll

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.1 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: FUJITSU_MHV2100AH rev.00000096 -> \Device\Ide\IdePort0

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x83347C56]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8334e4f4]; MOV EAX, [0x8334e570]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x833D3AB8]
3 CLASSPNP[0xF8624FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x833204D8]
\Driver\atapi[0x83357B70] -> IRP_MJ_CREATE -> 0x83347C56
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected hooks:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskFUJITSU_MHV2100AH_______________________00000096#5&17ce0675&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
\Driver\atapi DriverStartIo -> 0x83347A9F
user != kernel MBR !!!
sectors 195371566 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

Filesystem trace:
called modules: ntkrnlpa.exe hal.dll aswMon2.SYS fltmgr.sys aswFsBlk.SYS sr.sys aswSP.SYS Ntfs.sys
1 ntkrnlpa!IofCallDriver[0x804EE130] -> [0x8304A020]
3 ntkrnlpa[0x80578683] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x82FAB550]
5 fltmgr[0xF840CE95] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x833E36B8]
7 sr[0xF83FC870] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x83396020]
9 ntkrnlpa[0x80578DA9] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x82FAB550]
11 fltmgr[0xF840D098] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x833E36B8]
13 sr[0xF83FBBB9] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x83396020]
15 ntkrnlpa[0x80578F57] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x82FAB550]
17 fltmgr[0xF840D098] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x833E36B8]
19 sr[0xF83F7453] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x83396020]
21 aswMon2[0xB53D29DD] -> ntkrnlpa!IofCallDriver[0x804EE130]
23 fltmgr[0xF840CE95] -> ntkrnlpa!IofCallDriver[0x804EE130]
25 sr[0xF83FC870] -> ntkrnlpa!IofCallDriver[0x804EE130]
27 ntkrnlpa[0x80574DCB] -> ntkrnlpa!IofCallDriver[0x804EE130]
29 aswMon2[0xB53D29DD] -> ntkrnlpa!IofCallDriver[0x804EE130]
31 fltmgr[0xF840D098] -> ntkrnlpa!IofCallDriver[0x804EE130]
33 sr[0xF83F7453] -> ntkrnlpa!IofCallDriver[0x804EE130]

Registry trace:
called modules: ntkrnlpa.exe aswSP.SYS hal.dll

============= FINISH: 17:22:16.34 ===============


Thanks!
Jeff
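Added example, not part of the original posts and not DDS's own code: a small Python triage script that applies the checks a malware analyst runs by eye over the SERVICES / DRIVERS section of a DDS log like the one above. It flags entries whose binary DDS could not locate (the "[?]" tail), drivers whose image is a .tmp file, service or display names that look machine-generated, and services registered to run inside svchost -k netsvcs under such a name. The line format, the name heuristic and the function names are assumptions made for this example; the sample lines are copied from the log in this post.

```python
"""Triage helper for the SERVICES / DRIVERS section of a DDS log (example code).

Assumed DDS line format (inferred from the log in the thread):
    <State> <ServiceName>;<DisplayName>;<ImagePath> [<date> <size>]
    <State> <ServiceName>;<DisplayName>;<ImagePath> --> <ImagePath> [?]
"""
import re
from typing import Dict, List, Optional, Tuple

# Sample input: lines copied from the DDS log posted in this thread.
SAMPLE_DDS_SERVICES = r"""
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-10-31 165584]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-10-31 40384]
R3 bcm;WiMAX Network Adapter;c:\windows\system32\drivers\drxvi314.sys [2010-2-11 319488]
R3 bcmbusctr;WiMAX Bus Driver;c:\windows\system32\drivers\BcmBusCtr.sys [2010-2-11 51456]
S1 ncyqnhqq;ncyqnhqq;\??\c:\windows\system32\drivers\ncyqnhqq.sys --> c:\windows\system32\drivers\ncyqnhqq.sys [?]
S2 gupdate1ca9d6e302236f4;Google Update Service (gupdate1ca9d6e302236f4);c:\program files\google\update\GoogleUpdate.exe [2010-1-24 133104]
S2 gzqzholvx;jzlnnvn;c:\windows\system32\svchost.exe -k netsvcs [2004-8-11 14336]
S2 McAfee HackerWatch Service;McAfee HackerWatch Service;"c:\program files\common files\mcafee\hackerwatch\hwapi.exe" --> c:\program files\common files\mcafee\hackerwatch\HWAPI.exe [?]
S2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe --> c:\progra~1\mcafee\viruss~1\mcshield.exe [?]
S3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys --> c:\windows\system32\drivers\mfeavfk.sys [?]
S3 mfesmfk;McAfee Inc.;c:\windows\system32\drivers\mfesmfk.sys --> c:\windows\system32\drivers\mfesmfk.sys [?]
S3 vvtpa;vvtpa;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
"""

# One DDS service/driver line. The bracketed tail is either "<date> <size>" or "?"
# when DDS could not find the binary on disk (assumed format, see module docstring).
LINE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.*?)(?:\s+-->\s+(?P<resolved>\S.*?))?"
    r"\s+\[(?P<tail>[^\]]*)\]\s*$"
)


def looks_random(name: str) -> bool:
    """Heuristic for machine-generated names such as ncyqnhqq or gzqzholvx:
    all lowercase letters, six or more long, containing a run of five or more
    consonants (y counted as a vowel). Vendor names like aswSP, bcmbusctr or
    mfeavfk are not flagged. This is a triage hint, not a verdict."""
    if not re.fullmatch(r"[a-z]{6,}", name):
        return False
    return re.search(r"[^aeiouy]{5,}", name) is not None


def triage_line(line: str) -> Optional[Tuple[str, List[str]]]:
    """Parse one DDS line and return (service_name, findings); None if not a DDS line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    name, display, path = m["name"], m["display"], m["path"]
    findings: List[str] = []
    if m["tail"].strip() == "?":
        # Orphaned registration: the service/driver still starts but its file is gone
        # (or hidden), as with the leftover McAfee entries and the two unknown drivers.
        findings.append("binary not found on disk")
    if re.search(r"\.tmp\b", path, re.IGNORECASE):
        # A kernel driver loaded from a temp file is not how legitimate software installs.
        findings.append("driver image is a .tmp file")
    random_name = looks_random(name) or looks_random(display)
    if random_name:
        findings.append("random-looking service/display name")
    if random_name and re.search(r"svchost(?:\.exe)?\s+-k\s+netsvcs", path, re.IGNORECASE):
        # A service hosted inside the netsvcs svchost group loads a ServiceDll; an unknown
        # random-named entry there explains a single svchost instance burning CPU.
        findings.append("unknown service hosted in svchost netsvcs")
    return name, findings


def triage(log_text: str) -> Dict[str, List[str]]:
    """Return {service_name: [findings]} for every DDS line with at least one finding."""
    results: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        parsed = triage_line(line)
        if parsed and parsed[1]:
            results[parsed[0]] = parsed[1]
    return results


if __name__ == "__main__":
    for svc, notes in triage(SAMPLE_DDS_SERVICES).items():
        print(f"{svc}: {'; '.join(notes)}")
```

Flagged entries are starting points for investigation, not a verdict: the orphaned McAfee services are just leftovers from an incomplete uninstall, while the random-named S1 driver, the .tmp driver and the random-named netsvcs service are the entries worth checking against the rootkit scan results.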

ken545
2010-11-11, 18:41


Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Sorry for the delay, but we get very busy most times. I am linked to you now.

You may have some Rootkit type of activity going on, we need to check further.



Download the GMER Rootkit Scanner (http://www.gmer.net/gmer.zip). Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double click GMER.exe.
http://img.photobucket.com/albums/v666/sUBs/gmer_zip.gif
If it gives you a warning about rootkit activity and asks if you want to run a full scan... click on NO, then use the following settings for a more complete scan.
In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
IAT/EAT
Drives/Partition other than Systemdrive (typically C:\)
Show All (don't miss this one)
http://www.geekstogo.com/misc/guide_icons/GMER_thumb.jpg (http://www.geekstogo.com/misc/guide_icons/GMER_instructions.jpg)
Click the image to enlarge it

Then click the Scan button & wait for it to finish.
Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
Save the log where you can easily find it, such as your desktop.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
Please copy and paste the report into your Post.

Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
Double click on the icon to run it. Make sure all other windows are closed to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Under the Standard Registry box change it to All.
Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.

jeffib
2010-11-12, 01:42
Thanks very much for helping with this!

Included here is the OTL output, Extras and the ark files are attached.
Thanks again,
Jeff

OTL logfile created on: 11/11/2010 5:47:38 PM - Run 1
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\The Funk Master\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 134.00 Mb Available Physical Memory | 26.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 69.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 89.00 Gb Total Space | 27.62 Gb Free Space | 31.03% Space Free | Partition Type: NTFS

Computer Name: AMANDA | User Name: The Funk Master | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\The Funk Master\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Alwil Software\Avast5\AvastUI.exe (AVAST Software)
PRC - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (AVAST Software)
PRC - C:\Program Files\Sprint\Sprint SmartView\RDVCHG.exe (C-motech Co.,Ltd)
PRC - C:\Program Files\Novatel Wireless\Novacore\Server\NvtlSrvr.exe ()
PRC - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe ()
PRC - C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe (Intel Corporation)
PRC - C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe (Intel® Corporation)
PRC - C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe (Intel Corporation)
PRC - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe (Intel Corporation )
PRC - C:\Program Files\Intel\Wireless\Bin\1XConfig.exe (Intel)
PRC - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe (Intel Corporation)
PRC - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe (Intel Corporation)
PRC - C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe (America Online, Inc.)
PRC - C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)
PRC - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe (OLYMPUS Corporation)
PRC - C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe (OLYMPUS Corporation.)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\The Funk Master\Desktop\OTL.exe (OldTimer Tools)


========== Win32 Services (SafeList) ==========

SRV - (MSK80Service) -- C:\Program Files\McAfee\MSK\MskSrver.exe File not found
SRV - (MPS9) -- C:\PROGRA~1\McAfee\MPS\mps.exe File not found
SRV - (MpfService) -- C:\Program Files\McAfee\MPF\MPFSrv.exe File not found
SRV - (McSysmon) -- C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe File not found
SRV - (McShield) -- C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe File not found
SRV - (McRedirector) -- c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe File not found
SRV - (McProxy) -- c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe File not found
SRV - (McODS) -- C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe File not found
SRV - (McNASvc) -- c:\program files\common files\mcafee\mna\mcnasvc.exe File not found
SRV - (mcmscsvc) -- C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe File not found
SRV - (McAfee HackerWatch Service) -- C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe File not found
SRV - (Emproxy) -- C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe File not found
SRV - (avast! Web Scanner) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (AVAST Software)
SRV - (avast! Mail Scanner) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (AVAST Software)
SRV - (avast! Antivirus) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (AVAST Software)
SRV - (SprintRcAppSvc) -- C:\Program Files\Sprint\Sprint SmartView\RcAppSvc.exe (SmithMicro Inc.)
SRV - (NvtlService) -- C:\Program Files\Novatel Wireless\Novacore\Server\NvtlSrvr.exe ()
SRV - (YahooAUService) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)
SRV - (DSBrokerService) -- C:\Program Files\DellSupport\brkrsvc.exe ()
SRV - (WLANKEEPER) -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe (Intel® Corporation)
SRV - (S24EventMonitor) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe (Intel Corporation )
SRV - (EvtEng) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe (Intel Corporation)
SRV - (RegSrvc) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe (Intel Corporation)
SRV - (AOL ACS) -- C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe (America Online, Inc.)
SRV - (DM1Service) -- C:\Program Files\Olympus\DeviceDetector\DM1Service.exe (OLYMPUS Corporation)


========== Driver Services (SafeList) ==========

DRV - (vvtpa) -- C:\WINDOWS\System32\02.tmp File not found
DRV - (ncyqnhqq) -- C:\WINDOWS\System32\drivers\ncyqnhqq.sys File not found
DRV - (MPFP) -- C:\WINDOWS\System32\Drivers\Mpfp.sys File not found
DRV - (mfesmfk) -- C:\WINDOWS\System32\drivers\mfesmfk.sys File not found
DRV - (mferkdk) -- C:\WINDOWS\System32\drivers\mferkdk.sys File not found
DRV - (mfehidk) -- C:\WINDOWS\System32\drivers\mfehidk.sys File not found
DRV - (mfebopk) -- C:\WINDOWS\System32\drivers\mfebopk.sys File not found
DRV - (mfeavfk) -- C:\WINDOWS\System32\drivers\mfeavfk.sys File not found
DRV - (DSXUSB) -- C:\WINDOWS\System32\DRIVERS\DSXUSB.sys File not found
DRV - (aswTdi) -- C:\WINDOWS\System32\drivers\aswTdi.sys (AVAST Software)
DRV - (aswSP) -- C:\WINDOWS\System32\drivers\aswSP.sys (AVAST Software)
DRV - (aswRdr) -- C:\WINDOWS\System32\drivers\aswRdr.sys (AVAST Software)
DRV - (aswMon2) -- C:\WINDOWS\System32\drivers\aswmon2.sys (AVAST Software)
DRV - (aswFsBlk) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys (AVAST Software)
DRV - (Aavmker4) -- C:\WINDOWS\System32\drivers\aavmker4.sys (AVAST Software)
DRV - (SWNC5E00) Sierra Wireless MUX NDIS Driver (#00) -- C:\WINDOWS\system32\drivers\SWNC5E00.sys (Sierra Wireless Inc.)
DRV - (swmx00) Sierra Wireless USB MUX Driver (#00) -- C:\WINDOWS\system32\drivers\swmx00.sys (Sierra Wireless Inc.)
DRV - (swmsflt) -- C:\WINDOWS\system32\drivers\swmsflt.sys ()
DRV - (NWADI) -- C:\WINDOWS\system32\drivers\NWADIenum.sys (Novatel Wireless Inc)
DRV - (tcpipBM) -- C:\WINDOWS\system32\drivers\tcpipBM.sys (Bytemobile, Inc.)
DRV - (Nmea) -- C:\WINDOWS\system32\drivers\pctnullport.sys (PCTEL Inc.)
DRV - (PCTINDIS5) -- C:\WINDOWS\system32\PCTINDIS5.sys (Smith Micro Inc.)
DRV - (bcm) -- C:\WINDOWS\system32\drivers\drxvi314.sys (Beceem communications pvt ltd.)
DRV - (bcmbusctr) -- C:\WINDOWS\system32\drivers\BcmBusCtr.sys (Beceem communications pvt ltd.)
DRV - (PCASp50) -- C:\WINDOWS\system32\drivers\PCASp50.sys (Printing Communications Assoc., Inc. (PCAUSA))
DRV - (usbaudio) USB Audio Driver (WDM) -- C:\WINDOWS\system32\drivers\usbaudio.sys (Microsoft Corporation)
DRV - (amdagp) -- C:\WINDOWS\system32\DRIVERS\amdagp.sys (Advanced Micro Devices, Inc.)
DRV - (sisagp) -- C:\WINDOWS\system32\DRIVERS\sisagp.sys (Silicon Integrated Systems Corporation)
DRV - (dsunidrv) -- C:\WINDOWS\system32\drivers\dsunidrv.sys (Gteko Ltd.)
DRV - (DSproct) -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys (Gteko Ltd.)
DRV - (tfsnudfa) -- C:\WINDOWS\system32\dla\tfsnudfa.sys (Sonic Solutions)
DRV - (tfsnudf) -- C:\WINDOWS\system32\dla\tfsnudf.sys (Sonic Solutions)
DRV - (tfsnifs) -- C:\WINDOWS\system32\dla\tfsnifs.sys (Sonic Solutions)
DRV - (tfsncofs) -- C:\WINDOWS\system32\dla\tfsncofs.sys (Sonic Solutions)
DRV - (tfsnboio) -- C:\WINDOWS\system32\dla\tfsnboio.sys (Sonic Solutions)
DRV - (tfsnopio) -- C:\WINDOWS\system32\dla\tfsnopio.sys (Sonic Solutions)
DRV - (tfsnpool) -- C:\WINDOWS\system32\dla\tfsnpool.sys (Sonic Solutions)
DRV - (tfsndrct) -- C:\WINDOWS\system32\dla\tfsndrct.sys (Sonic Solutions)
DRV - (tfsndres) -- C:\WINDOWS\system32\dla\tfsndres.sys (Sonic Solutions)
DRV - (sscdbhk5) -- C:\WINDOWS\system32\drivers\sscdbhk5.sys (Sonic Solutions)
DRV - (ssrtln) -- C:\WINDOWS\system32\drivers\ssrtln.sys (Sonic Solutions)
DRV - (drvmcdb) -- C:\WINDOWS\system32\drivers\drvmcdb.sys (Sonic Solutions)
DRV - (drvnddm) -- C:\WINDOWS\system32\drivers\drvnddm.sys (Sonic Solutions)
DRV - (STAC97) -- C:\WINDOWS\system32\drivers\STAC97.sys (SigmaTel, Inc.)
DRV - (Tosrfbd) -- C:\WINDOWS\system32\drivers\TosRfbd.sys (TOSHIBA CORPORATION)
DRV - (Tosrfusb) -- C:\WINDOWS\system32\drivers\tosrfusb.sys (TOSHIBA CORPORATION)
DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (ApfiltrService) -- C:\WINDOWS\system32\drivers\Apfiltr.sys (Alps Electric Co., Ltd.)
DRV - (Tosrfhid) -- C:\WINDOWS\system32\drivers\TosRfhid.sys (TOSHIBA Corporation.)
DRV - (w29n51) Intel(R) -- C:\WINDOWS\system32\drivers\w29n51.sys (Intel® Corporation)
DRV - (Tosrfcom) -- C:\WINDOWS\System32\drivers\tosrfcom.sys (TOSHIBA Corporation)
DRV - (s24trans) -- C:\WINDOWS\system32\drivers\s24trans.sys (Intel Corporation)
DRV - (APPDRV) -- C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS (Dell Inc)
DRV - (IWCA) -- C:\WINDOWS\system32\drivers\iwca.sys (Intel Corporation)
DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)
DRV - (HSFHWICH) -- C:\WINDOWS\system32\drivers\HSFHWICH.sys (Conexant Systems, Inc.)
DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.)
DRV - (HSF_DP) -- C:\WINDOWS\system32\drivers\HSF_DP.sys (Conexant Systems, Inc.)
DRV - (bcm4sbxp) -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys (Broadcom Corporation)
DRV - (FTSER2K) -- C:\WINDOWS\system32\drivers\ftser2k.sys (FTDI Ltd.)
DRV - (FTDIBUS) -- C:\WINDOWS\system32\drivers\ftdibus.sys (FTDI Ltd.)
DRV - (omci) -- C:\WINDOWS\system32\drivers\omci.sys (Dell Inc)
DRV - (wanatw) WAN Miniport (ATW) -- C:\WINDOWS\system32\drivers\wanatw4.sys (America Online, Inc.)
DRV - (Sparrow) -- C:\WINDOWS\system32\DRIVERS\sparrow.sys (Adaptec, Inc.)
DRV - (sym_u3) -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys (LSI Logic)
DRV - (sym_hi) -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys (LSI Logic)
DRV - (symc8xx) -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys (LSI Logic)
DRV - (symc810) -- C:\WINDOWS\system32\DRIVERS\symc810.sys (Symbios Logic Inc.)
DRV - (ultra) -- C:\WINDOWS\system32\DRIVERS\ultra.sys (Promise Technology, Inc.)
DRV - (ql12160) -- C:\WINDOWS\system32\DRIVERS\ql12160.sys (QLogic Corporation)
DRV - (ql1080) -- C:\WINDOWS\system32\DRIVERS\ql1080.sys (QLogic Corporation)
DRV - (ql1280) -- C:\WINDOWS\system32\DRIVERS\ql1280.sys (QLogic Corporation)
DRV - (dac2w2k) -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys (Mylex Corporation)
DRV - (mraid35x) -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys (American Megatrends Inc.)
DRV - (asc) -- C:\WINDOWS\system32\DRIVERS\asc.sys (Advanced System Products, Inc.)
DRV - (asc3550) -- C:\WINDOWS\system32\DRIVERS\asc3550.sys (Advanced System Products, Inc.)
DRV - (AliIde) -- C:\WINDOWS\system32\DRIVERS\aliide.sys (Acer Laboratories Inc.)
DRV - (CmdIde) -- C:\WINDOWS\system32\DRIVERS\cmdide.sys (CMD Technology, Inc.)


========== Standard Registry (All) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)
IE - HKCU\..\URLSearchHook: {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (America Online, Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.param.yahoo-fr: "chrf-ytbm"
FF - prefs.js..browser.search.param.yahoo-fr-cjkt: "chrf-ytbm"
FF - prefs.js..browser.search.param.yahoo-type: "${8}"
FF - prefs.js..browser.startup.homepage: "http://mail.yahoo.com/"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:4.2.0.5198
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.1.1.20091029021655
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.6.12
FF - prefs.js..network.proxy.no_proxies_on: "*.local"


FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/08/21 08:32:10 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/11/03 16:53:48 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/11/03 16:53:48 | 000,000,000 | ---D | M]

[2009/09/15 20:38:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\The Funk Master\Application Data\Mozilla\Extensions
[2009/09/15 20:38:17 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\The Funk Master\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2010/11/11 17:12:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\The Funk Master\Application Data\Mozilla\Firefox\Profiles\cdww7abl.default\extensions
[2010/07/19 19:51:37 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\The Funk Master\Application Data\Mozilla\Firefox\Profiles\cdww7abl.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2010/11/03 16:58:03 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/11/03 16:53:48 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2010/04/01 11:45:53 | 000,000,000 | ---D | M] (Skype extension for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
[2010/07/22 08:14:00 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/11/03 16:53:18 | 000,025,048 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browserdirprovider.dll
[2010/11/03 16:53:18 | 000,140,248 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\brwsrcmp.dll
[2010/04/12 16:29:19 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2009/11/13 18:47:38 | 000,098,304 | ---- | M] (DivX, Inc) -- C:\Program Files\Mozilla Firefox\plugins\npDivxPlayerPlugin.dll
[2009/02/06 11:44:28 | 001,447,296 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\npLegitCheckPlugin.dll
[2010/11/03 16:53:32 | 000,066,520 | ---- | M] (mozilla.org) -- C:\Program Files\Mozilla Firefox\plugins\npnul32.dll
[2009/12/07 11:38:18 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
[2009/12/07 11:38:18 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
[2009/12/07 11:38:18 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
[2009/12/07 11:38:18 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
[2009/12/07 11:38:19 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
[2009/12/07 11:38:19 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
[2009/12/07 11:38:19 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
[2010/01/13 16:46:00 | 000,063,488 | ---- | M] (Nullsoft, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npwachk.dll
[2010/11/03 16:53:36 | 000,001,394 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom.xml
[2010/11/03 16:53:36 | 000,002,193 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\answers.xml
[2010/11/03 16:53:36 | 000,001,534 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\creativecommons.xml
[2010/11/03 16:53:36 | 000,002,344 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay.xml
[2010/11/03 16:53:36 | 000,002,371 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google.xml
[2010/11/03 16:53:36 | 000,001,178 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia.xml
[2010/11/03 16:53:36 | 000,001,096 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo.xml

O1 HOSTS File: ([2010/11/02 14:11:02 | 000,424,195 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 14621 more lines...
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (AOL Toolbar Launcher) - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (America Online, Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\Program Files\Google\GoogleToolbar3.dll (Google Inc.)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - No CLSID value found.
O3 - HKLM\..\Toolbar: (&Google) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar3.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (AOL Toolbar) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (America Online, Inc.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar3.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (AOL Toolbar) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (America Online, Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe (Intel Corporation)
O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask .exe (Apple Inc.)
O4 - HKLM..\Run: [RDVCHG] C:\Program Files\Sprint\Sprint SmartView\RDVCHG.exe (C-motech Co.,Ltd)
O4 - HKLM..\Run: [Sprint SmartView] C:\Program Files\Sprint\Sprint SmartView\SprintSV.exe (Sprint)
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
O4 - HKCU..\Run: [DellSupport] C:\Program Files\DellSupport\DSAgnt.exe File not found
O4 - HKCU..\Run: [Messenger (Yahoo!)] C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe File not found
O4 - HKCU..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe File not found
O4 - HKCU..\Run: [Skype] C:\Program Files\Skype\Phone\Skype.exe File not found
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk = C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe (OLYMPUS Corporation.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: &AOL Toolbar Search - c:\Program Files\AOL\AOL Toolbar 2.0\resources\en-us\local\search.html ()
O9 - Extra Button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (America Online, Inc.)
O9 - Extra Button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (America Online, Inc.)
O9 - Extra Button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation)
O9 - Extra Button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - File not found
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINDOWS\system32\winrnr.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000024 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000025 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000026 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000027 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000028 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000029 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000030 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000031 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000032 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000033 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000034 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000035 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000036 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000037 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000038 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000039 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000040 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000041 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000042 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: musicmatch.com ([online] https in Trusted sites)
O15 - HKCU\..Trusted Domains: yahoo.com ([music] https in Trusted sites)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} http://lads.myspace.com/upload/MySpaceUploader1005.cab (MySpace Uploader Control)
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} http://upload.facebook.com/controls/FacebookPhotoUploader2.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: Microsoft XML Parser for Java file:///C:/WINDOWS/Java/classes/xmldso.cab (Reg Error: Key error.)
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdo {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL (Microsoft Corporation)
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\system32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\system32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\system32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\Class Install Handler {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\lzdhtml {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/webviewhtml {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UIHost - (logonui.exe) - C:\WINDOWS\System32\logonui.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINDOWS\System32\sysdm.cpl (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - C:\WINDOWS\System32\crypt32.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - C:\WINDOWS\System32\cryptnet.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - C:\WINDOWS\System32\cscdll.dll (Microsoft Corporation)
O20 - Winlogon\Notify\dimsntfy: DllName - %SystemRoot%\System32\dimsntfy.dll - C:\WINDOWS\system32\dimsntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\IntelWireless: DllName - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll (Intel Corporation)
O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - C:\WINDOWS\System32\sclgntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\WgaLogon: DllName - WgaLogon.dll - C:\WINDOWS\System32\WgaLogon.dll (Microsoft Corporation)
O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O24 - Desktop WallPaper: C:\WINDOWS\Rhododendron.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Rhododendron.bmp
O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\System32\msapsspc.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (schannel.dll) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (digest.dll) - C:\WINDOWS\System32\digest.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msnsspc.dll) - C:\WINDOWS\System32\msnsspc.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) - C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) - C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/11 16:15:00 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{06af7afd-9778-11df-99e1-00a0d5ffff85}\Shell - "" = AutoRun
O33 - MountPoints2\{06af7afd-9778-11df-99e1-00a0d5ffff85}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{06af7afd-9778-11df-99e1-00a0d5ffff85}\Shell\AutoRun\command - "" = C:\WINDOWS\System32\shell32.dll -- [2008/06/17 13:02:19 | 008,461,312 | ---- | M] (Microsoft Corporation)
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/11/11 17:17:25 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\The Funk Master\Desktop\OTL.exe
[2010/11/02 15:00:57 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/11/02 14:59:59 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/11/02 12:04:21 | 000,000,000 | ---D | C] -- C:\Program Files\Novatel Wireless
[2010/11/02 08:09:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\The Funk Master\Application Data\Malwarebytes
[2010/11/01 15:49:42 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/10/31 16:44:09 | 000,017,744 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2010/10/31 16:44:08 | 000,165,584 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2010/10/31 16:44:06 | 000,023,376 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2010/10/31 16:44:04 | 000,046,672 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2010/10/31 16:44:02 | 000,100,176 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2010/10/31 16:44:02 | 000,094,544 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2010/10/31 16:44:01 | 000,028,880 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2010/10/31 16:43:08 | 000,038,848 | ---- | C] (AVAST Software) -- C:\WINDOWS\avastSS.scr
[2010/10/31 16:43:07 | 000,167,592 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
[2010/10/31 16:42:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2010/10/31 14:02:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Yahoo
[2010/10/31 14:01:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Google
[2010/10/31 14:01:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Yahoo!
[2010/10/30 21:09:37 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/10/30 21:09:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2010/10/30 19:12:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Temp
[2010/10/30 18:11:14 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/10/30 18:11:13 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/10/30 18:11:13 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/10/30 18:11:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/10/30 17:04:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Temp
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/11/11 17:23:22 | 000,296,448 | ---- | M] () -- C:\Documents and Settings\The Funk Master\Desktop\gmer.exe
[2010/11/11 17:17:30 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\The Funk Master\Desktop\OTL.exe
[2010/11/11 17:17:01 | 000,288,107 | ---- | M] () -- C:\Documents and Settings\The Funk Master\Desktop\gmer.zip
[2010/11/11 17:15:21 | 000,382,260 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/11/11 17:15:20 | 000,053,838 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/11/11 17:11:27 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/11/11 17:10:51 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/11/11 17:10:46 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/11/11 17:10:15 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/11/11 17:10:13 | 536,309,760 | -HS- | M] () -- C:\hiberfil.sys
[2010/11/10 07:10:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At8.job
[2010/11/10 06:10:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At7.job
[2010/11/10 05:10:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At6.job
[2010/11/10 04:10:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At5.job
[2010/11/10 03:10:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At4.job
[2010/11/10 02:10:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At3.job
[2010/11/10 01:10:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At2.job
[2010/11/10 00:10:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2010/11/09 23:10:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At24.job
[2010/11/09 22:10:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At23.job
[2010/11/09 21:10:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At22.job
[2010/11/09 20:10:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At21.job
[2010/11/09 19:10:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At20.job
[2010/11/09 18:10:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At19.job
[2010/11/09 17:10:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At18.job
[2010/11/09 16:10:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At17.job
[2010/11/09 15:10:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At16.job
[2010/11/09 14:10:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At15.job
[2010/11/09 13:10:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At14.job
[2010/11/03 16:44:56 | 000,005,845 | ---- | M] () -- C:\Documents and Settings\The Funk Master\Desktop\Attach.zip
[2010/11/02 15:00:01 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\The Funk Master\Desktop\ERUNT.lnk
[2010/11/02 14:11:02 | 000,424,195 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/11/02 12:59:59 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/11/02 12:58:47 | 000,012,621 | ---- | M] () -- C:\Documents and Settings\The Funk Master\Desktop\hijackthis4
[2010/11/02 12:57:21 | 000,002,467 | ---- | M] () -- C:\Documents and Settings\The Funk Master\Desktop\HiJackThis.lnk
[2010/11/02 12:05:30 | 000,001,763 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Sprint SmartView.lnk
[2010/11/02 11:10:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At13.job
[2010/11/02 10:10:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At12.job
[2010/11/02 09:10:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At11.job
[2010/11/02 08:10:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At10.job
[2010/11/02 07:10:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At9.job
[2010/11/01 09:42:05 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/11/01 03:51:03 | 000,000,112 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\X71E12BE.dat
[2010/10/31 16:44:10 | 000,001,700 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2010/10/31 16:44:02 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/10/31 13:07:52 | 000,000,029 | ---- | M] () -- C:\Documents and Settings\The Funk Master\Application Data\boot.bat
[2010/10/31 11:10:23 | 000,001,076 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2010/10/30 19:18:11 | 000,001,813 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
[2010/10/30 18:11:16 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/10/30 17:54:52 | 000,002,483 | ---- | M] () -- C:\Documents and Settings\The Funk Master\Desktop\Microsoft Word.lnk
[2010/10/30 17:38:16 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\msadrtua.dll
[2010/10/30 17:07:44 | 000,000,242 | ---- | M] () -- C:\Documents and Settings\The Funk Master\Application Data\dkfjasdfshd.bat
[2010/10/30 16:56:32 | 000,000,888 | ---- | M] () -- C:\Documents and Settings\The Funk Master\Application Data\FeatureManagerSettingsBackup.xml.RC4
[2010/10/30 16:56:32 | 000,000,888 | ---- | M] () -- C:\Documents and Settings\The Funk Master\Application Data\FeatureManagerSettings.xml.RC4
[2010/10/30 16:56:32 | 000,000,204 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\FeatureManagerBackup.xml.RC4
[2010/10/30 16:56:32 | 000,000,204 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\FeatureManager.xml.RC4
[2010/10/29 17:30:00 | 000,000,370 | ---- | M] () -- C:\WINDOWS\tasks\McAfee.com Scan for Viruses - My Computer (THEBIGSHIZNIT-The Funk Master).job
[2010/10/22 19:16:27 | 000,000,719 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/11/11 17:16:59 | 000,288,107 | ---- | C] () -- C:\Documents and Settings\The Funk Master\Desktop\gmer.zip
[2010/11/08 10:32:38 | 000,296,448 | ---- | C] () -- C:\Documents and Settings\The Funk Master\Desktop\gmer.exe
[2010/11/03 16:44:56 | 000,005,845 | ---- | C] () -- C:\Documents and Settings\The Funk Master\Desktop\Attach.zip
[2010/11/02 15:00:01 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\The Funk Master\Desktop\ERUNT.lnk
[2010/11/02 12:58:47 | 000,012,621 | ---- | C] () -- C:\Documents and Settings\The Funk Master\Desktop\hijackthis4
[2010/11/02 12:05:30 | 000,001,763 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Sprint SmartView.lnk
[2010/11/01 15:49:43 | 000,002,467 | ---- | C] () -- C:\Documents and Settings\The Funk Master\Desktop\HiJackThis.lnk
[2010/10/31 16:44:10 | 000,001,700 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2010/10/30 18:14:50 | 536,309,760 | -HS- | C] () -- C:\hiberfil.sys
[2010/10/30 18:11:16 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/10/30 17:41:32 | 000,000,029 | ---- | C] () -- C:\Documents and Settings\The Funk Master\Application Data\boot.bat
[2010/10/30 17:07:44 | 000,000,242 | ---- | C] () -- C:\Documents and Settings\The Funk Master\Application Data\dkfjasdfshd.bat
[2010/10/30 17:06:09 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\X71E12BE.dat
[2010/10/09 11:10:30 | 000,000,204 | ---- | C] () -- C:\Documents and Settings\NetworkService\Application Data\FeatureManagerSettingsBackup.xml.RC4
[2010/10/09 11:10:30 | 000,000,204 | ---- | C] () -- C:\Documents and Settings\NetworkService\Application Data\FeatureManagerSettings.xml.RC4
[2010/09/15 21:20:12 | 000,000,138 | ---- | C] () -- C:\Documents and Settings\The Funk Master\Application Data\Profiles.xml
[2010/09/15 21:20:12 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\The Funk Master\Application Data\permanentevents.txt
[2010/09/15 21:20:11 | 000,000,888 | ---- | C] () -- C:\Documents and Settings\The Funk Master\Application Data\FeatureManagerSettingsBackup.xml.RC4
[2010/09/15 21:20:11 | 000,000,888 | ---- | C] () -- C:\Documents and Settings\The Funk Master\Application Data\FeatureManagerSettings.xml.RC4
[2010/09/15 21:20:11 | 000,000,204 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\FeatureManagerBackup.xml.RC4
[2010/09/15 21:20:11 | 000,000,204 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\FeatureManager.xml.RC4
[2010/09/14 10:10:44 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\msadrtua.dll
[2009/10/18 11:41:46 | 000,000,384 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2009/05/26 16:38:12 | 000,037,248 | ---- | C] () -- C:\WINDOWS\System32\drivers\swmsflt.sys
[2007/04/30 09:21:52 | 001,138,688 | ---- | C] () -- C:\WINDOWS\System32\BII_V1100.dll
[2007/04/30 09:21:52 | 000,143,446 | ---- | C] () -- C:\WINDOWS\System32\telenorcom.dll
[2007/04/30 09:21:52 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\tjpegcodec.dll
[2007/04/30 09:21:50 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\ITCC.dll
[2007/04/30 09:21:48 | 000,450,560 | ---- | C] () -- C:\WINDOWS\System32\bii_dll.dll
[2007/04/30 09:21:42 | 000,024,064 | ---- | C] () -- C:\WINDOWS\System32\StringParser.dll
[2007/04/30 09:21:42 | 000,010,752 | ---- | C] () -- C:\WINDOWS\System32\ImageProc.dll
[2007/04/30 09:20:24 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\CCUREIDFPCapture.dll
[2007/01/06 22:53:04 | 000,000,029 | ---- | C] () -- C:\WINDOWS\atid.ini
[2006/06/20 07:36:05 | 000,000,092 | R--- | C] () -- C:\WINDOWS\System32\ftdiun2k.ini
[2006/01/18 18:08:25 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Dssole.INI
[2006/01/18 18:08:23 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\DM1USBAPIVB.dll
[2006/01/05 11:09:54 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\RBRegEx350.dll
[2006/01/05 11:09:54 | 000,067,072 | ---- | C] () -- C:\WINDOWS\System32\LP0310.dll
[2006/01/05 11:09:54 | 000,061,952 | ---- | C] () -- C:\WINDOWS\System32\rbap350.dll
[2006/01/05 11:09:54 | 000,041,472 | ---- | C] () -- C:\WINDOWS\System32\MBSPlugin.DLL
[2006/01/05 11:09:54 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\RBShell400.dll
[2006/01/05 11:09:54 | 000,037,888 | ---- | C] () -- C:\WINDOWS\System32\MBSRegistryPlugin.DLL
[2006/01/05 11:09:54 | 000,035,328 | ---- | C] () -- C:\WINDOWS\System32\MBSFolderPlugin.DLL
[2006/01/05 11:09:54 | 000,031,744 | ---- | C] () -- C:\WINDOWS\System32\MBSMacTTPlugin.DLL
[2006/01/05 11:09:54 | 000,029,184 | ---- | C] () -- C:\WINDOWS\System32\LP0301Gestalt.dll
[2006/01/05 11:09:54 | 000,028,160 | ---- | C] () -- C:\WINDOWS\System32\MBSRegPlugin.DLL
[2006/01/05 11:09:54 | 000,028,160 | ---- | C] () -- C:\WINDOWS\System32\LP0301ResFork.dll
[2006/01/05 11:09:54 | 000,027,648 | ---- | C] () -- C:\WINDOWS\System32\LP0301LinkFile.dll
[2006/01/02 10:22:11 | 000,001,401 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2005/12/29 14:58:09 | 000,000,110 | ---- | C] () -- C:\WINDOWS\DOORKING.INI
[2005/10/18 19:41:52 | 000,007,680 | ---- | C] () -- C:\WINDOWS\System32\CNMVS69.DLL
[2005/10/17 17:19:21 | 000,056,320 | ---- | C] () -- C:\Documents and Settings\The Funk Master\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2005/10/10 21:17:13 | 000,024,792 | ---- | C] () -- C:\Documents and Settings\The Funk Master\Application Data\wklnhst.dat
[2005/09/18 09:19:19 | 000,000,066 | ---- | C] () -- C:\WINDOWS\vmreg32.dll
[2005/09/16 16:21:06 | 000,005,392 | ---- | C] () -- C:\WINDOWS\cdPlayer.ini
[2005/09/14 06:59:24 | 000,002,022 | ---- | C] () -- C:\WINDOWS\download.ini
[2005/09/06 20:47:48 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/09/06 20:42:22 | 000,001,076 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2005/09/06 20:36:45 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/09/06 20:31:41 | 000,000,004 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare
[2005/09/06 20:06:08 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\stac97co.dll
[2005/09/06 20:04:48 | 000,000,372 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/04/09 16:04:54 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/12/03 07:20:12 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\TosBtAcc.dll
[2004/09/23 02:09:06 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\TosCommAPI.dll
[2004/08/12 07:44:10 | 000,016,384 | ---- | C] () -- C:\WINDOWS\System32\iwca.dll
[2004/08/11 16:24:19 | 000,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/11 16:11:31 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/08/11 16:07:24 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/07/21 09:04:02 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\TosBtHcrpAPI.dll
[2004/01/16 06:43:28 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\TBTMonUI.dll
[2003/07/30 07:33:26 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\TosHidAPI.dll

========== LOP Check ==========

[2010/10/31 16:42:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2006/05/07 21:30:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PopCap
[2010/11/02 11:55:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sprint
[2007/04/25 08:24:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2009/12/07 11:43:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/09/01 22:18:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2005/09/13 18:43:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\The Funk Master\Application Data\Aim
[2010/09/23 12:06:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\The Funk Master\Application Data\Bytemobile
[2005/09/16 16:30:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\The Funk Master\Application Data\Leadertech
[2005/10/09 17:24:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\The Funk Master\Application Data\Musicmatch
[2007/04/30 13:26:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\The Funk Master\Application Data\My Games
[2005/09/14 17:36:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\The Funk Master\Application Data\OurPictures
[2009/08/20 16:57:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\The Funk Master\Application Data\Sierra Wireless
[2010/09/23 12:06:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\The Funk Master\Application Data\Sprint
[2007/04/25 08:25:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\The Funk Master\Application Data\Viewpoint
[2010/11/10 00:10:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\Tasks\At1.job
[2010/11/02 08:10:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\Tasks\At10.job
[2010/11/02 09:10:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\Tasks\At11.job
[2010/11/02 10:10:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\Tasks\At12.job
[2010/11/02 11:10:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\Tasks\At13.job
[2010/11/09 13:10:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\Tasks\At14.job
[2010/11/09 14:10:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\Tasks\At15.job
[2010/11/09 15:10:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\Tasks\At16.job
[2010/11/09 16:10:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\Tasks\At17.job
[2010/11/09 17:10:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\Tasks\At18.job
[2010/11/09 18:10:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\Tasks\At19.job
[2010/11/10 01:10:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\Tasks\At2.job
[2010/11/09 19:10:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\Tasks\At20.job
[2010/11/09 20:10:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\Tasks\At21.job
[2010/11/09 21:10:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\Tasks\At22.job
[2010/11/09 22:10:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\Tasks\At23.job
[2010/11/09 23:10:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\Tasks\At24.job
[2010/11/10 02:10:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\Tasks\At3.job
[2010/11/10 03:10:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\Tasks\At4.job
[2010/11/10 04:10:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\Tasks\At5.job
[2010/11/10 05:10:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\Tasks\At6.job
[2010/11/10 06:10:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\Tasks\At7.job
[2010/11/10 07:10:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\Tasks\At8.job
[2010/11/02 07:10:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\Tasks\At9.job

========== Purity Check ==========

< End of report >

ken545
2010-11-12, 02:13
Hi, I am posting the log; it's easier for me to see and analyze.

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-11-11 17:44:54
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 FUJITSU_MHV2100AH rev.00000096
Running: gmer.exe; Driver: C:\DOCUME~1\THEFUN~1\LOCALS~1\Temp\pwtdrpog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwClose [0xB664ACF0] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateKey [0xB664ABAC] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDeleteKey [0xB664B160] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDeleteValueKey [0xB664B08A] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDuplicateObject [0xB664A782] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenKey [0xB664AC86] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenProcess [0xB664A6C2] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenThread [0xB664A726] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwQueryValueKey [0xB664ADA6] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xB664B22E] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRestoreKey [0xB664AD66] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwSetValueKey [0xB664AEE6] <-- ROOTKIT !!!

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xB6657BAE]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0xB66579D2]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwLoadDriver [0xB6657B0C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntkrnlpa.exe!ZwLoadDriver 805795FA 7 Bytes JMP B6657B10 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!NtCreateSection 805A075C 7 Bytes JMP B66579D6 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 805B1CE0 5 Bytes JMP B66535D4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObInsertObject 805B8B58 5 Bytes JMP B6654FFA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805C73EA 7 Bytes JMP B6657BB2 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[624] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\WINDOWS\Explorer.EXE[1064] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D3000A
.text C:\WINDOWS\Explorer.EXE[1064] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D4000A
.text C:\WINDOWS\Explorer.EXE[1064] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00C3000C
.text C:\WINDOWS\System32\svchost.exe[1804] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 006E000A
.text C:\WINDOWS\System32\svchost.exe[1804] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 006F000A
.text C:\WINDOWS\System32\svchost.exe[1804] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 006D000C
.text C:\WINDOWS\System32\svchost.exe[1804] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0068000A
.text C:\WINDOWS\System32\svchost.exe[1804] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00FD000A

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Tcp tcpipBM.sys (Bytemobile Kernel Network Provider/Bytemobile, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 83347A9F
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 83347A9F
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 83347A9F

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

Device \FileSystem\Fastfat \Fat B2A20D20

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)

Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskFUJITSU_MHV2100AH_______________________00000096#5&17ce0675&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] gzqzholvx <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmdeetpynm@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmdeetpynm@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmdeetpynm@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmdeetpynm@imagepath \systemroot\system32\drivers\kbiwkmtdmxdnso.sys
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmdeetpynm\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmdeetpynm\main@aid 20025
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmdeetpynm\main@sid 0
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmdeetpynm\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmdeetpynm\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmdeetpynm\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmdeetpynm\main\injector@* kbiwkmwsp8.dll
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmdeetpynm\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmdeetpynm\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmdeetpynm\modules@kbiwkmrk.sys \systemroot\system32\drivers\kbiwkmtdmxdnso.sys
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmdeetpynm\modules@kbiwkmcmd.dll \systemroot\system32\kbiwkmojdpjwsk.dll
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmdeetpynm\modules@kbiwkmlog.dat \systemroot\system32\kbiwkmyicttmvo.dat
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmdeetpynm\modules@kbiwkmwsp.dll \systemroot\system32\kbiwkmmxjpodsm.dll
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmdeetpynm\modules@kbiwkm.dat \systemroot\system32\kbiwkmlerkrcih.dat
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmdeetpynm\modules@kbiwkmwsp8.dll \systemroot\system32\kbiwkmlkrxvnps.dll
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACixwwruwkip.sys
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@UACd
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@UACc
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacbbr
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacsr
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacserf
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmdeetpynm@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmdeetpynm@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmdeetpynm@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmdeetpynm@imagepath \systemroot\system32\drivers\kbiwkmtdmxdnso.sys
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmdeetpynm\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmdeetpynm\main@aid 20025
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmdeetpynm\main@sid 0
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmdeetpynm\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmdeetpynm\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmdeetpynm\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmdeetpynm\main\injector@* kbiwkmwsp8.dll
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmdeetpynm\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmdeetpynm\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmdeetpynm\modules@kbiwkmrk.sys \systemroot\system32\drivers\kbiwkmtdmxdnso.sys
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmdeetpynm\modules@kbiwkmcmd.dll \systemroot\system32\kbiwkmojdpjwsk.dll
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmdeetpynm\modules@kbiwkmlog.dat \systemroot\system32\kbiwkmyicttmvo.dat
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmdeetpynm\modules@kbiwkmwsp.dll \systemroot\system32\kbiwkmmxjpodsm.dll
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmdeetpynm\modules@kbiwkm.dat \systemroot\system32\kbiwkmlerkrcih.dat
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmdeetpynm\modules@kbiwkmwsp8.dll \systemroot\system32\kbiwkmlkrxvnps.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACixwwruwkip.sys
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACd
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACc
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacbbr
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacsr
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacserf
Reg HKLM\SYSTEM\ControlSet003\Services\gzqzholvx@DisplayName jzlnnvn
Reg HKLM\SYSTEM\ControlSet003\Services\gzqzholvx@Type 32
Reg HKLM\SYSTEM\ControlSet003\Services\gzqzholvx@Start 2
Reg HKLM\SYSTEM\ControlSet003\Services\gzqzholvx@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\gzqzholvx@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet003\Services\gzqzholvx@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet003\Services\gzqzholvx@Description Enables generic input access to Human Interface Devices (HID), which activates and maintains the use of predefined hot buttons on keyboards, remote controls, and other multimedia devices. If this service is stopped, hot buttons controlled by this service will no longer function. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\ControlSet003\Services\gzqzholvx\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\gzqzholvx\Parameters@ServiceDll C:\WINDOWS\system32\tpdbrkk.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\gzqzholvx@DisplayName jzlnnvn
Reg HKLM\SYSTEM\CurrentControlSet\Services\gzqzholvx@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\gzqzholvx@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\gzqzholvx@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\gzqzholvx@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\gzqzholvx@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\gzqzholvx@Description Enables generic input access to Human Interface Devices (HID), which activates and maintains the use of predefined hot buttons on keyboards, remote controls, and other multimedia devices. If this service is stopped, hot buttons controlled by this service will no longer function. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\CurrentControlSet\Services\gzqzholvx\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\gzqzholvx\Parameters@ServiceDll C:\WINDOWS\system32\tpdbrkk.dll
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls@ČāA\nm\5\x2018|\1\ImageUploader4.ocx 1
Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\InprocServer32@ C:\Program Files\Common Files\System\ado\msado15.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\InprocServer32@ThreadingModel both
Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\ProgID@ ADODB.ErrorLookup.2.8
Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\VersionIndependentProgID@ ADODB.ErrorLookup
Reg HKLM\SOFTWARE\Classes\CLSID\{77F8D6E9-F0A7-8D50-B905-CAC75B2E221B}\InprocServer32@ C:\WINDOWS\system32\scrobj.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{77F8D6E9-F0A7-8D50-B905-CAC75B2E221B}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{77F8D6E9-F0A7-8D50-B905-CAC75B2E221B}\ProgID@ Scriptlet.Constructor

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior; TDL4 <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 11: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 57: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sectors 195371312 (+255): rootkit-like behavior;

---- EOF - GMER 1.0.15 ----

ken545
2010-11-12, 02:14
Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif


http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif

* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instructions on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



http://img.photobucket.com/albums/v706/ried7/RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

jeffib
2010-11-12, 14:35
Here is the ComboFix log:

ComboFix 10-11-11.01 - The Funk Master 11/11/2010 22:40:49.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.244 [GMT -6:00]
Running from: c:\documents and settings\The Funk Master\Desktop\Combo-Fix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\The Funk Master\Application Data\dkfjasdfshd.bat
c:\documents and settings\The Funk Master\Recent\Thumbs.db
c:\program files\Common Files\Uninstall
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\system32\bszip.dll
c:\windows\system32\fsc.txt
c:\windows\system32\ide.txt
c:\windows\system32\lpe.txt
c:\windows\system32\msadrtua.dll
c:\windows\system32\ndisapi.dll
c:\windows\system32\qks.txt
c:\windows\system32\xef.txt

.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_NDISRD
-------\Service_NDISRD


((((((((((((((((((((((((( Files Created from 2010-10-12 to 2010-11-12 )))))))))))))))))))))))))))))))
.

2010-11-03 22:53 . 2010-11-03 22:53 16856 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe
2010-11-03 22:53 . 2010-11-03 22:53 719832 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll
2010-11-02 20:59 . 2010-11-02 21:00 -------- d-----w- c:\program files\ERUNT
2010-11-02 18:04 . 2010-11-02 18:04 -------- d-----w- c:\program files\Novatel Wireless
2010-11-02 14:09 . 2010-11-02 14:09 -------- d-----w- c:\documents and settings\The Funk Master\Application Data\Malwarebytes
2010-11-01 21:49 . 2010-11-01 21:49 388096 ----a-r- c:\documents and settings\The Funk Master\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-11-01 21:49 . 2010-11-01 21:49 -------- d-----w- c:\program files\Trend Micro
2010-10-31 22:44 . 2010-09-07 14:47 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-10-31 22:44 . 2010-09-07 14:52 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-10-31 22:44 . 2010-09-07 14:47 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-10-31 22:44 . 2010-09-07 14:52 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-10-31 22:44 . 2010-09-07 14:47 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-10-31 22:44 . 2010-09-07 14:47 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-10-31 22:44 . 2010-09-07 14:46 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-10-31 22:43 . 2010-09-07 15:12 38848 ----a-w- c:\windows\avastSS.scr
2010-10-31 22:43 . 2010-09-07 15:11 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-10-31 22:42 . 2010-10-31 22:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-10-31 20:02 . 2010-10-31 20:02 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Yahoo
2010-10-31 20:01 . 2010-10-31 20:01 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Yahoo!
2010-10-31 16:00 . 2010-10-31 16:00 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-10-31 03:09 . 2010-11-01 00:52 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-10-31 03:09 . 2010-10-31 19:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-10-31 01:12 . 2010-10-31 01:12 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2010-10-31 01:03 . 2010-10-31 01:03 -------- d-sh--w- c:\documents and settings\NetworkService\IECompatCache
2010-10-31 00:25 . 2010-10-31 00:25 -------- d-sh--w- c:\documents and settings\Dor\PrivacIE
2010-10-31 00:25 . 2010-10-31 00:25 -------- d-sh--w- c:\documents and settings\Dor\IECompatCache
2010-10-31 00:11 . 2010-10-31 00:11 -------- d-----w- c:\documents and settings\Dor\Application Data\Malwarebytes
2010-10-31 00:11 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-31 00:11 . 2010-10-31 00:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-31 00:11 . 2010-10-31 00:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-10-31 00:11 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-31 00:04 . 2010-10-31 00:04 -------- d-----w- c:\documents and settings\Dor\Local Settings\Application Data\Mozilla
2010-10-30 23:41 . 2010-10-31 19:07 29 ----a-w- c:\documents and settings\The Funk Master\Application Data\boot.bat
2010-10-30 23:04 . 2010-10-30 23:05 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-09 19:01 . 2010-09-09 19:01 86016 ----a-w- c:\windows\system32\gxnajdbi.dll
.

c:\program files\Apoint\Apoint .exe
c:\program files\ATI Technologies\ATI Control Panel\atiptaxx .exe
c:\program files\Common Files\InstallShield\UpdateService\issch .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\CyberLink\PowerDVD\DVDLauncher .exe
c:\program files\Dell\Media Experience\PCMService .exe
c:\program files\Dell\QuickSet\quickset .exe
c:\program files\DellSupport\DSAgnt .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\Messenger\msmsgs .exe
c:\program files\MUSICMATCH\Musicmatch Jukebox\mimboot .exe
c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray .exe
c:\program files\QuickTime\qttask .exe
c:\program files\Skype\Phone\Skype .exe
c:\program files\Spybot - Search & Destroy\TeaTimer .exe
c:\program files\SymplisIT\DriverMagic\dmschedule .exe
c:\program files\Yahoo!\Messenger\YahooMessenger .exe
c:\windows\system32\rundll32 .exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [N/A]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [N/A]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [N/A]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]
"Sprint SmartView"="c:\program files\Sprint\Sprint SmartView\SprintSV.exe" [2010-05-17 75072]
"RDVCHG"="c:\program files\Sprint\Sprint SmartView\RDVCHG.exe" [2010-05-17 316736]

c:\documents and settings\Dor\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2006-2-16 81920]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2004-12-22 45056]
Device Detector 2.lnk - c:\program files\Olympus\DeviceDetector\DevDtct2.exe [2006-1-18 106496]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-9-6 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 21:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\SymplisIT\\DriverMagic\\DriverMagic.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Sprint\\Sprint SmartView\\SwiApiMux.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype .exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3000:TCP"= 3000:TCP:lgmslms

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [10/31/2010 4:44 PM 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10/31/2010 4:44 PM 17744]
R2 NvtlService;NovaCore SDK Service;c:\program files\Novatel Wireless\Novacore\Server\NvtlSrvr.exe [1/11/2010 1:10 PM 82944]
R3 bcm;WiMAX Network Adapter;c:\windows\system32\drivers\drxvi314.sys [2/11/2010 8:03 PM 319488]
R3 bcmbusctr;WiMAX Bus Driver;c:\windows\system32\drivers\BcmBusCtr.sys [2/11/2010 8:02 PM 51456]
S1 ncyqnhqq;ncyqnhqq;\??\c:\windows\system32\drivers\ncyqnhqq.sys --> c:\windows\system32\drivers\ncyqnhqq.sys [?]
S2 gupdate1ca9d6e302236f4;Google Update Service (gupdate1ca9d6e302236f4);c:\program files\Google\Update\GoogleUpdate.exe [1/24/2010 9:26 PM 133104]
S2 gzqzholvx;jzlnnvn;c:\windows\system32\svchost.exe -k netsvcs [8/11/2004 4:00 PM 14336]
S3 vvtpa;vvtpa;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - BMLoad

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
gzqzholvx
.
Contents of the 'Scheduled Tasks' folder

2010-11-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-11-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-25 03:26]

2010-11-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-25 03:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://mail.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
LSP: bmnet.dll
Trusted Zone: yahoo.com\music
Trusted Zone: musicmatch.com\online
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - c:\documents and settings\The Funk Master\Application Data\Mozilla\Firefox\Profiles\cdww7abl.default\
FF - prefs.js: browser.startup.homepage - hxxp://mail.yahoo.com/
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-ScreensaversInstaller - c:\program files\Screensavers.com\Installer\bin\siuninst.exe
AddRemove-Silent Knight Software Suite - c:\progra~1\SKSS\UNWISE.EXE
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-11 23:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: FUJITSU_MHV2100AH rev.00000096 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x83316C56]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8331d4f4]; MOV EAX, [0x8331d570]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x833D5AB8]
3 CLASSPNP[0xF864DFD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x8335A490]
\Driver\atapi[0x833ADF38] -> IRP_MJ_CREATE -> 0x83316C56
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskFUJITSU_MHV2100AH_______________________00000096#5&17ce0675&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x83316A9F
user != kernel MBR !!!
copy of MBR has been found in sector 9 !
sectors 195371566 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\vvtpa]
"ImagePath"="\??\c:\windows\system32\02.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f9,08,8f,af,0a,52,7f,48,8f,91,1f,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f9,08,8f,af,0a,52,7f,48,8f,91,1f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1436)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'lsass.exe'(1496)
c:\windows\system32\WININET.dll
c:\windows\system32\bmnet.dll

- - - - - - - > 'explorer.exe'(3344)
c:\windows\system32\WININET.dll
c:\windows\system32\bmnet.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Intel\Wireless\Bin\ZcfgSvc.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Olympus\DeviceDetector\DM1Service.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-11-11 23:11:55 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-12 05:11

Pre-Run: 29,521,522,688 bytes free
Post-Run: 29,773,754,368 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=4 Default=4 Failed=1 LastKnownGood=3 Sets=1,2,3,4
- - End Of File - - E64CC1DFFB6A5F769924916BBCD93647


Thanks!

ken545
2010-11-12, 17:01
Hi,

You have some major, major infections on this system. Some have been removed by Combofix; I need some time to look over your Combofix log, as there is much more to remove. I have been at this for a long time and sometimes I scratch my head in bewilderment wondering what people do to get so infected.

LimeWire <-- Last I read, this company was closed down by a judge for copyright infringement. But using File Sharing programs like this is most likely how you got infected: you're downloading that file (most illegally) from an unknown source, and most contain some sort of malware. The scum that write all this junk are in tune to this and use programs like this to infect computers. I am going to ask you to go to your Add/Remove Programs in the Control Panel and uninstall LimeWire.

Be back in a bit

ken545
2010-11-12, 18:22
Hello Jeff,

I want to let you know where we're at with this computer. Like I said in my previous post, it's very heavily infected.

It's infected by the TDL4 version of the TDSS Rootkit, which is very dangerous and nasty.

It's also infected with the Vundo File Infector, if you look at the log you posted for Combofix. All the programs in the blue code box under (((((((((((((( Find3M Report )))))))))))))))))))) are infected by this virus. We can attempt to have Combofix fix those, but the ones that can't be fixed will have to be uninstalled and reinstalled.


It also looks like the Master Boot Record is infected by the rootkit; this means that every time you boot up your computer the infection is activated.


There are also a bunch of other infections that need to be removed also.

With the dangerous rootkit, I would urge you to use a known clean computer and change all your passwords for any online shopping sites or online banking.


If this was my computer, I would not think twice to reformat and do a clean install of Windows; this will guarantee a 100% clean computer. We can attempt to clean all this, but I have to let you know that when we're done I can't guarantee a 100% clean computer working as it did prior to getting infected.

Before I start posting instructions, let me know your decision as far as progressing with the cleaning, as the amount of work we have to do will take some time and I don't want to start working up a fix if you decide to reinstall Windows. If reinstalling Windows is what you want to do, then I can link you to a good Windows forum that can guide you through the process.
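
As an added illustration (not ken545's code and not part of ComboFix), a small Python triage helper that flags the patterns the ComboFix log above exhibits: executables with a space before the extension (the entries ken545 attributes to the Vundo file infector), service/driver lines whose image file is missing or is a .tmp, svchost-hosted services (whose ServiceDll must be checked by hand), and Run-key entries ComboFix tagged [X]. The sample lines are copied from the log in this thread; the category names and the regexes are my own heuristics, not ComboFix's.

```python
"""Triage a ComboFix-style log excerpt for the patterns seen in this thread.

Heuristics (my own, not ComboFix's):
  spaced-extension                 whitespace before .exe/.dll/.sys ("Apoint .exe")
  run-target-missing               Run-key entry ComboFix tagged "[X]"
  service-image-missing            R/S service line whose image ends in "[?]"
  service-tmp-image                service image is a .tmp file
  svchost-hosted-check-servicedll  service runs inside svchost -k; check ServiceDll
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample lines copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
c:\program files\Apoint\Apoint .exe
c:\program files\Skype\Phone\Skype .exe
c:\windows\system32\rundll32 .exe
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [10/31/2010 4:44 PM 165584]
S1 ncyqnhqq;ncyqnhqq;\??\c:\windows\system32\drivers\ncyqnhqq.sys --> c:\windows\system32\drivers\ncyqnhqq.sys [?]
S2 gzqzholvx;jzlnnvn;c:\windows\system32\svchost.exe -k netsvcs [8/11/2004 4:00 PM 14336]
S3 vvtpa;vvtpa;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
"""


@dataclass(frozen=True)
class Finding:
    category: str
    line: str


# Whitespace between base name and extension, e.g. "Apoint .exe".
SPACED_EXT_RE = re.compile(r"\S\s+\.(?:exe|dll|sys|scr|com)\b", re.IGNORECASE)
# ComboFix service/driver line: "<R|S><n> name;display;image [details]".
SERVICE_RE = re.compile(r"^([RS])\d\s+([^;]*);([^;]*);(.*)$")
# Run-key entry whose target ComboFix could not find ("[X]").
RUN_MISSING_RE = re.compile(r'^"[^"]+"=".*"\s+\[X\]\s*$')


def triage_line(line: str) -> list[Finding]:
    """Return every heuristic a single log line triggers (may be several)."""
    findings: list[Finding] = []
    if SPACED_EXT_RE.search(line):
        findings.append(Finding("spaced-extension", line))
    if RUN_MISSING_RE.match(line):
        findings.append(Finding("run-target-missing", line))
    m = SERVICE_RE.match(line)
    if m:
        image = m.group(4)
        if image.rstrip().endswith("[?]"):
            findings.append(Finding("service-image-missing", line))
        if re.search(r"\.tmp\b", image, re.IGNORECASE):
            findings.append(Finding("service-tmp-image", line))
        if re.search(r"svchost\.exe\s+-k\s", image, re.IGNORECASE):
            # ComboFix hides legit default entries, so a listed svchost-hosted
            # service deserves a look at its Parameters\ServiceDll value.
            findings.append(Finding("svchost-hosted-check-servicedll", line))
    return findings


def triage(log_text: str) -> list[Finding]:
    """Run triage_line over every non-empty line of a log excerpt."""
    results: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            results.extend(triage_line(line))
    return results


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per category."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.category:32} {f.line}")
```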

jeffib
2010-11-12, 19:57
WOW! That's impressive. She's not opposed to reinstalling Windows, but she doesn't have the original discs that came with the machine. Do you know if there is some way to get new discs from, like, Microsoft or Dell?

Thanks for your efforts,
Jeff

ken545
2010-11-12, 21:16
Jeff,

The only thing you can do with Microsoft is buy a new XP disk. Right now you can find them on eBay real cheap. I have no information on your system as far as the age of it, so I don't know if it has enough fire power to upgrade to Windows 7.

You can run this program to see if your computer will accept Windows 7
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=1b544e90-7659-4bd9-9e51-2497c146af15

What I would do is to contact Dell
http://support.dell.com/support/index.aspx?c=us&cs=19&l=en&s=dhs

Tell them that you're infected and it has been advised to reinstall Windows, and you need to order the disks for your system. You will need a Service Tag number for your system, which will be on a sticker most likely on the rear of your computer along with the Windows key code.

Then you can post here for help and guidance with the reinstall; like SaferNetworking, the service is free but you will need to register and create an account.
http://forums.whatthetech.com/index.php?showforum=119

Let me know for sure if this is what you want to do

jeffib
2010-11-13, 04:19
Ok, well hey, thanks very very much for your help! We'll see what we can do about getting her a new XP, but I think I may steer her in the direction of Ubuntu Linux.

Again, thanks, y'all provide a great service.

Jeff

ken545
2010-11-13, 06:16
You're very welcome, Jeff.

What I am going to do is close this thread and if you decide that you want to proceed with the cleaning you can just send me a PM or start a new post and I will reopen it for you.

Ken :)