Computer sending tons of spam behind the scenes

[littleEd]

[F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CLOSE [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_READ [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_WRITE [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_QUERY_INFORMATION [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SET_INFORMATION [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_QUERY_EA [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SET_EA [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_FLUSH_BUFFERS [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_QUERY_VOLUME_INFORMATION [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SET_VOLUME_INFORMATION [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_DIRECTORY_CONTROL [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_FILE_SYSTEM_CONTROL [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_DEVICE_CONTROL [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_INTERNAL_DEVICE_CONTROL [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SHUTDOWN [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_LOCK_CONTROL [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CLEANUP [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CREATE_MAILSLOT [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_QUERY_SECURITY [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SET_SECURITY [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_POWER [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SYSTEM_CONTROL [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_DEVICE_CHANGE [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_QUERY_QUOTA [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SET_QUOTA [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_CREATE [F70FA380] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_CREATE_NAMED_PIPE [F70FA380] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_CLOSE [F70FA380] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_READ [F70FA380] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_WRITE [F70FA380] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_QUERY_INFORMATION [F70FA380] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_SET_INFORMATION [F70FA380] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_QUERY_EA [F70FA380] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_SET_EA [F70FA380] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_FLUSH_BUFFERS [F70FA380] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_QUERY_VOLUME_INFORMATION [F70FA380] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_SET_VOLUME_INFORMATION [F70FA380] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_DIRECTORY_CONTROL [F70FA380] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_FILE_SYSTEM_CONTROL [F70FA380] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_DEVICE_CONTROL [F70FA380] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_INTERNAL_DEVICE_CONTROL [F70FA380] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_SHUTDOWN [F70FA380] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_LOCK_CONTROL [F70FA380] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_CLEANUP [F70FA380] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_CREATE_MAILSLOT [F70FA380] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_QUERY_SECURITY [F70FA380] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_SET_SECURITY [F70FA380] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_POWER [F70FA380] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_SYSTEM_CONTROL [F70FA380] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_DEVICE_CHANGE [F70FA380] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_QUERY_QUOTA [F70FA380] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_SET_QUOTA [F70FA380] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_CREATE [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_CREATE_NAMED_PIPE [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_CLOSE [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_READ [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_WRITE [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_QUERY_INFORMATION [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_SET_INFORMATION [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_QUERY_EA [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_SET_EA [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_FLUSH_BUFFERS [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_QUERY_VOLUME_INFORMATION [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_SET_VOLUME_INFORMATION [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_DIRECTORY_CONTROL [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_FILE_SYSTEM_CONTROL [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_DEVICE_CONTROL [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_INTERNAL_DEVICE_CONTROL [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_SHUTDOWN [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_LOCK_CONTROL [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_CLEANUP [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_CREATE_MAILSLOT [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_QUERY_SECURITY [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_SET_SECURITY [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_POWER [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_SYSTEM_CONTROL [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_DEVICE_CHANGE

 

[littleEd]

[F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_QUERY_QUOTA [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_SET_QUOTA [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_CREATE [F70FA380] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_CREATE_NAMED_PIPE [F70FA380] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_CLOSE [F70FA380] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_READ [F70FA380] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_WRITE [F70FA380] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_QUERY_INFORMATION [F70FA380] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_SET_INFORMATION [F70FA380] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_QUERY_EA [F70FA380] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_SET_EA [F70FA380] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_FLUSH_BUFFERS [F70FA380] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_QUERY_VOLUME_INFORMATION [F70FA380] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_SET_VOLUME_INFORMATION [F70FA380] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_DIRECTORY_CONTROL [F70FA380] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_FILE_SYSTEM_CONTROL [F70FA380] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_DEVICE_CONTROL [F70FA380] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_INTERNAL_DEVICE_CONTROL [F70FA380] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_SHUTDOWN [F70FA380] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_LOCK_CONTROL [F70FA380] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_CLEANUP [F70FA380] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_CREATE_MAILSLOT [F70FA380] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_QUERY_SECURITY [F70FA380] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_SET_SECURITY [F70FA380] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_POWER [F70FA380] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_SYSTEM_CONTROL [F70FA380] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_DEVICE_CHANGE [F70FA380] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_QUERY_QUOTA [F70FA380] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_SET_QUOTA [F70FA380] snapman.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_CREATE [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_CREATE_NAMED_PIPE [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_CLOSE [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_READ [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_WRITE [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_QUERY_INFORMATION [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_SET_INFORMATION [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_QUERY_EA [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_SET_EA [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_FLUSH_BUFFERS [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_QUERY_VOLUME_INFORMATION [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_SET_VOLUME_INFORMATION [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_DIRECTORY_CONTROL [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_FILE_SYSTEM_CONTROL [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_DEVICE_CONTROL [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_INTERNAL_DEVICE_CONTROL [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_SHUTDOWN [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_LOCK_CONTROL [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_CLEANUP [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_CREATE_MAILSLOT [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_QUERY_SECURITY [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_SET_SECURITY
[F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_POWER [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_SYSTEM_CONTROL [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_DEVICE_CHANGE [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_QUERY_QUOTA [F7119760] timntr.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_SET_QUOTA [F7119760] timntr.sys

Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7A3685A] avgtdi.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7A3685A] avgtdi.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [F7A3685A] avgtdi.sys

AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE [F78A4A96] SiWinAcc.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_NAMED_PIPE [F78A4306] SiWinAcc.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLOSE [F78A4306] SiWinAcc.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_READ [F78A4958] SiWinAcc.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_WRITE [F78A4306] SiWinAcc.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION [F78A4306] SiWinAcc.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION

 

[littleEd]

[F78A4306] SiWinAcc.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA [F78A4306] SiWinAcc.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_EA [F78A4306] SiWinAcc.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS [F78A4306] SiWinAcc.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION [F78A4306] SiWinAcc.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION [F78A4306] SiWinAcc.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL [F78A4306] SiWinAcc.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL [F78A4DA8] SiWinAcc.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL [F78A4306] SiWinAcc.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_INTERNAL_DEVICE_CONTROL [F78A4306] SiWinAcc.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN [F78A4306] SiWinAcc.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL [F78A4306] SiWinAcc.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP [F78A4306] SiWinAcc.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_MAILSLOT [F78A4306] SiWinAcc.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_SECURITY [F78A4306] SiWinAcc.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_SECURITY [F78A4306] SiWinAcc.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_POWER [F78A4306] SiWinAcc.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SYSTEM_CONTROL [F78A4306] SiWinAcc.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CHANGE [F78A4306] SiWinAcc.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_QUOTA [F78A4306] SiWinAcc.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_QUOTA [F78A4306] SiWinAcc.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE [F79B2404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_NAMED_PIPE [F79B2404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLOSE [F79B2404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_READ [F79B2404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_WRITE [F79B2404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION [F79B2404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION [F79B2404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA [F79B2404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_EA [F79B2404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS [F79B2404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION [F79B2404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION [F79B2404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL [F79B2404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL [F79B2404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL [F79B2404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_INTERNAL_DEVICE_CONTROL [F79B2404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN [F79B2404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL [F79B2404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP [F79B2404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_MAILSLOT [F79B2404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_SECURITY [F79B2404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_SECURITY [F79B2404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_POWER [F79B2404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SYSTEM_CONTROL [F79B2404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CHANGE [F79B2404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_QUOTA [F79B2404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_QUOTA [F79B2404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE [F726C1DE] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_NAMED_PIPE [F726C1DE] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLOSE [F725FF4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_READ [F725FF4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_WRITE [F725FF4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION [F725FF4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION [F725FF4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA [F725FF4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_EA [F725FF4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS [F725FF4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION [F725FF4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION [F725FF4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL [F725FF4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL [F726C454] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL [F725FF4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_INTERNAL_DEVICE_CONTROL [F725FF4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN [F725FF4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL [F725FF4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP [F725FF4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_MAILSLOT [F726C1DE] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_SECURITY [F725FF4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_SECURITY [F725FF4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_POWER [F725FF4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SYSTEM_CONTROL [F725FF4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CHANGE [F725FF4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_QUOTA [F725FF4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_QUOTA [F725FF4C] fltMgr.sys

---- Registry - GMER 1.0.13 ----

Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{18D6E519-4C27-E4AD-074C5D1F171B40FB}\{8D7A772B-93EE-6905-4C751BA1B544AFC9}\{7029C73E-0020-BA9C-F3FADF03D99AF0E6}@{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1 0x01 0x00 0x01 0x00 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{AB53ABC9-60C7-8B2C-A2AB126EB1F03A59}\{6511FF0A-0202-CA71-9BBA47A5377501DE}\{CE12CB05-B8C7-0E6B-6DC342F04A20B600}@1D1OWFM6WKF6TLM3S2BGKKUUDG1 0x01 0x00 0x01 0x00 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{B3A3A58F-967E-A40A-C7DDFB524B0CDFB3}\{B28E8422-363F-1C4B-CC056478281B7FCE}\{569EFB20-10B3-C9F5-895B6A19B8852344}@{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1 0x01 0x00 0x01 0x00 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version@Version 0x31 0x98 0xED 0xA2 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{C9E2B393-56C9-49A0-E9536816E76F722D}\{C3EAC204-1FBE-55E0-B9FAECEF4AC48E44}\{36C3AF1D-C1DF-E2E1-C86849C42C7FDBDC}@1D1OWFM6WKF6TLM3S2BGKKUUDG1 0x01 0x00 0x01 0x00 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{CD33F05B-57D8-EB8D-1C637C8E18479BDE}\{4B66B287-DF55-8BF6-0C7A245C073DF874}\{2B094E66-D192-13E4-CB3BD0799FCAC2FC}@{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1 0x01 0x00 0x01 0x00 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{DCB42C02-2C7E-50EC-E2B5A792F7765BFB}\{38286259-1A12-EDE0-84E2CD6A1D76E8F7}\{2C2658AF-F73E-73C6-89D45D0D6FCCCFF2}@1D1OWFM6WKF6TLM3S2BGKKUUDG1 0x01 0x00 0x01 0x00 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{EEC79885-4786-49D7-ED36B6E7637E50FF}\{25B171C9-78C7-18E7-FBBA7E6592C7CB70}\{6B8ADD0A-85A7-C5B5-191A2895BD30C6E1}@1D1OWFM6WKF6TLM3S2BGKKUUDG1 0x01 0x00 0x01 0x00 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{FE8DBE89-D247-CDA0-331071706D351D5D}\{D7E03019-A44C-9829-6C33C3798CE56E87}\{A96D9761-82B1-07BB-8B5956B67D5931EC}@{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1 0x01 0x00 0x01 0x00 ...
Reg \Registry\MACHINE\SOFTWARE\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version@Version 0x31 0x98 0xED 0xA2 ...

---- EOF - GMER 1.0.13 ----

 

[Mr_JAk3]

Hello

It is looking quite good now. How is the computer running now? Any issues?

 

[littleEd]

things seem to look ok. is it possible to let me know how i could have got the malware? and what malware i actually had?
thank u for all your help

 

[littleEd]

i left my computer for a few hours and monitered port 25 to see if any mail was attempting to send. I got three entries all trying to connect to mailwasher23.pair.com is this something I should worry about.

 

[Mr_JAk3]

Hmm we may run additional scanners...

You should print these instructions or save these to a text file. Follow these instructions carefully.

Download Dr.Web CureIt to the desktop -> ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Restart your computer to the safe mode:

• Restart your computer
• Start tapping the F8 key when the computer restarts.
• When the start menu opens, choose Safe mode
• Press Enter. The computer then begins to start in Safe mode.

Run a scan with Dr.Web CureIt

• Doubleclick the drweb-cureit.exe file and Allow to run the express scan
• This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
• Once the short scan has finished, you should now mark the drives that you want to scan.
• Select all drives. A red dot shows which drives have been chosen.
• Click the green arrow at the right, and the scan will start.
• Click 'Yes to all' if it asks if you want to cure/move the file.
  
• When the scan has finished, look if you can click next icon next to the files found
  
• If so, click it and then click the next icon right below and select Move incurable
• After the scan, in the menu, click file and choose save report list
• Save the report to your desktop. The report will be called DrWeb.csv
• Close Dr.Web Cureit.
• Reboot the computer in Normal Mode,
• Post the Cure-it report and a fresh HijackThis log

 

[littleEd]

SUPER.exe;C:\Program Files\eRightSoft\SUPER;Probably DLOADER.Trojan;Incurable.Moved.;
A0063473.bat;C:\System Volume Information\_restore{9175CE8D-29DD-4391-85C9-92FE656C6059}\RP278;Probably SCRIPT.Virus;Incurable.Moved.;
A0063704.bat;C:\System Volume Information\_restore{9175CE8D-29DD-4391-85C9-92FE656C6059}\RP279;Probably SCRIPT.Virus;Incurable.Moved.;
pv.exe;E:\PortableApps\xampp\apache\bin;Program.PrcView.3725;Incurable.Moved.;
pv.exe;X:\servers\xampp\apache\bin;Program.PrcView.3725;Incurable.Moved.;

 

[littleEd]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:03:34 PM, on 9/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
X:\servers\xampp\apache\bin\apache.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
X:\servers\xampp\mysql\bin\mysqld-nt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
X:\servers\xampp\apache\bin\apache.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Acronis\TrueImageEnterpriseServer\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageEnterpriseServer\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\TopDesk\topdesk.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\MSN Messenger\usnsvc.exe
E:\PortableApps\FirefoxPortable\App\firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageEnterpriseServer\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageEnterpriseServer\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [TopDesk] C:\Program Files\TopDesk\topdesk.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - .DEFAULT User Startup: CamTrack.lnk = C:\Program Files\DigitalPeers\CamTrack\camtrack.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Shortcut to SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Yahoo! Widget Engine.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-_UNO/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1172507809890
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab57213.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5E9C637C-0A68-4E49-835E-95B60DEAEA59}: NameServer = 64.71.255.198
O17 - HKLM\System\CCS\Services\Tcpip\..\{C9F5821E-FF54-4F20-8018-2A2C8E54E5B2}: NameServer = 64.71.255.198
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Apache Software Foundation - X:\servers\xampp\apache\bin\apache.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: mysql - Unknown owner - X:\servers\xampp\mysql\bin\mysqld-nt.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 11215 bytes

 

[Mr_JAk3]

Hi

Ok nothing bad.

Still strange behavior or issues?

 

[littleEd]

computer is running fine
monitered port 25...and no problems


thanks so much for your help.
are you able to tell me how I even got the malware.. and what its name is?

 

[Mr_JAk3]

Hello

The main infection which sent the spam was a variant of "rustock" rootkit. Hard to say how you got it, maybe downloaded something bad or visited a bad website.

You can remove the tools we used.

Then you should update your Java to the latest version (6u2)

• [*]Start
  [*]Control Panel
  [*]Add/Remove Programs
• Delete the old Java,
  J2SE Runtime Environment 5.0 Update 11
• Download the latest version of Java Runtime Environment (JRE) 6u2.
• Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
• Click the "Download" button to the right.
• Check the box that says: "Accept License Agreement."
• The page will refresh.
• Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
• Install it

Now you can make your hidden files hidden again.

• Go to My Computer
• Select the Tools menu and click Folder Options
• Click the View tab.
• Checkmark the "Display the contents of system folders"
• Under the Hidden files and folders select "Show hidden files and folders"
• Check "Hide protected operating system files"
• Click Apply and then the OK and close My Computer.

=============

Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:

• Clear your system restore
  This will clear the system restore folders from possible malware that was left behind during the cleaning process.
  
• Use ATF Cleaner
  Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.
  
• Use Ad-Aware
  Download and install Ad-Aware. Update it and scan your computer regularly with it.
  
• Use AVG Anti-Spyware
  Download and install AVG Anti-Spyware. Update it and scan your computer regularly with it.
  
• Use Spybot S&D
  Download and install Spybot S&D. Update it and scan your computer regularly with it.
  
• Install SpywareBlaster
  SpywareBlaster will prevent spyware from being installed.
  
• Install MVPS Hosts file
  This prevents your computer from connecting to harmful sites.
  
• Use Firefox browser
  Firefox is faster and more secure browser than Internet Explorer.
  
• Keep your systen up-to-date
  Visit Windows Update regularly. How to enable Automatic Updates?
  
• Keep your antivirus and firewall up-to-date
  Scan your computer regularly with you antivirus software.
  
• Read this article by TonyKlein
  So how did I get infected in the first place?
  
• Stand Up and Be Counted !
  The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Stay clean and be safe

 

[littleEd]

Thanks again for all your help.:bigthumb:

 

[Mr_JAk3]

As the problem appears to be resolved this topic has been archived.

If you need it re-opened please send a private message (pm) to a forum staff member and provide a link to the thread; this applies only to the original topic starter.

Glad we could help :2thumb: