Suspected Infection

Magnesium · Jun 3, 2011

.
DDS (Ver_2011-06-02.03) - NTFSx86
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_24
Run by Administrator at 21:45:02 on 2011-06-02
.
============== Running Processes ===============
.
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\Msmsgs.exe
C:\Program Files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mWinlogon: SFCDisable=4 (0x4)
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SpywareGuardDLBLOCK.CBrowserHelper: {4a368e80-174f-4872-96b5-0b27ddd11db2} - c:\program files\spywareguard\dlprotect.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~2\SDHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\Msmsgs.exe" /background
uRun: [Aim] "c:\program files\aim7\aim.exe" /d locale=en-US
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messen~1\YahooMessenger.exe" -quiet
mRun: [OutpostMonitor] c:\progra~1\agnitum\outpos~1\op_mon.exe /tray /noservice
mRun: [OutpostFeedBack] "c:\program files\agnitum\outpost firewall\feedback.exe" /dump

s_startup
mRun: [hello.exe] c:\windows\system32\hey.exe
mRun: [Serviço de Rede] c:\windows\system\Downloads_E.CPL
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mPolicies-system: EnableLUA = 0 (0x0)
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\docume~1\admini~1\office10\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~2\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.1 68.237.161.12
TCP: Interfaces\{7492278A-097E-49BD-B5CA-96AB647DB0D1} : DhcpNameServer = 192.168.1.1 68.237.161.12
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hook.dll
SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\program files\spywareguard\spywareguard.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\ssqpp.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\3zort4s4.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
============= SERVICES / DRIVERS ===============
.
R? hwmobile;Huawei CDMA Handset USB Modem and USB Serial
R? MBAMSwissArmy;MBAMSwissArmy
S? acssrv;Agnitum Client Security Service
S? afw;Agnitum firewall driver
S? afwcore;afwcore
S? IHA_MessageCenter;IHA_MessageCenter
S? SandBox;SandBox
S? sp_rsdrv2;Spyware Terminator Driver 2
.
=============== File Associations ===============
.
regfile=regedit.exe "%1" %*
.
=============== Created Last 30 ================
.
2011-06-03 00:08:06 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2011-06-02 23:58:48 -------- d--h--w- C:\$AVG
2011-06-02 22:58:35 -------- d-----w- c:\documents and settings\all users\application data\MFAData
2011-06-01 21:03:12 0 ----a-w- c:\documents and settings\administrator\ntuser.tmp
2011-06-01 20:30:19 260 ----a-w- c:\windows\system32\cmdVBS.vbs
2011-06-01 20:30:19 256 ----a-w- c:\windows\system32\MSIevent.bat
2011-06-01 19:16:49 -------- d-----w- c:\program files\Verizon
2011-06-01 19:06:14 -------- d-----w- c:\documents and settings\administrator\application data\TechWizard
2011-05-07 18:54:22 21504 ----a-w- c:\windows\system32\hidserv.dll
2011-05-07 18:54:20 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2011-05-07 18:54:18 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2011-05-07 18:54:07 9600 ----a-w- c:\windows\system32\drivers\hidusb.sys
.
==================== Find3M ====================
.
2011-05-29 13:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 13:11:20 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 21:46:38.73 ===============

I made this post in order to see if there are any problems on this machine. I also switched my ISP from Time Warner Cable high speed to Verizon FiOS. The latter is slower then the former on this machine but, on the other machine which shares the same network, is much quicker. Sometimes the connection just drops out of nowhere. So it has made me suspect that it is the machine rather then the internet connection itself.

Blade81 · Jun 11, 2011

Download GMER here by clicking download exe -button and then saving it your desktop:

Double-click .exe that you downloaded
Click rootkit-tab, uncheck files option and then click scan.
Don't check
Show All
box while scanning in progress!
When scanning is ready, click Copy.
This copies log to clipboard
Post log (if the log is long, archive it into a zip file and attach instead of posting) in your reply. Post fresh dds logs contents too.

Magnesium · Jun 11, 2011

Hey Blade thanks, here is the GMER and fresh DDS logs as you requested

GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-06-11 13:57:38
Windows 5.1.2600 Service Pack 2
Running: i5er980i.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kgrdqpow.sys

---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwAssignProcessToJobObject [0xF610AA60]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwClose [0xF60EFBF0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwConnectPort [0xF610C920]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateFile [0xF60EBF60]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateKey [0xF60F7090]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateProcess [0xF61032B0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateProcessEx [0xF6103BB0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateSection [0xF60EAD10]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateSymbolicLinkObject [0xF60F6E40]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateThread [0xF6101D70]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwDebugActiveProcess [0xF610FF30]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwDeleteFile [0xF60F5B20]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwDeleteKey [0xF60F8900]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwDeleteValueKey [0xF60FF3A0]
SSDT spgq.sys ZwEnumerateKey [0xF86F6CA2]
SSDT spgq.sys ZwEnumerateValueKey [0xF86F7030]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwLoadDriver [0xF6100BB0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwMakeTemporaryObject [0xF60F66B0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwOpenFile [0xF60EEC10]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwOpenKey [0xF60F7FC0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwOpenProcess [0xF6105CA0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwOpenSection [0xF60EB580]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwOpenThread [0xF6105060]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwProtectVirtualMemory [0xF610BDA0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwQueryDirectoryFile [0xF60F08A0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwQueryKey [0xF60FA750]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwQueryValueKey [0xF60FAFA0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwQueueApcThread [0xF6109ED0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwRenameKey [0xF60FE590]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwReplaceKey [0xF60FC500]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwRequestPort [0xF610EA50]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwRequestWaitReplyPort [0xF610ED70]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwRestoreKey [0xF60FDD20]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSaveKey [0xF60FCC80]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSaveKeyEx [0xF60FD4D0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSecureConnectPort [0xF610D480]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSetContextThread [0xF6109440]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSetInformationDebugObject [0xF6110520]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSetInformationFile [0xF60F1BF0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSetSystemInformation [0xF61001C0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSetValueKey [0xF60FB820]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSuspendProcess [0xF6108190]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSuspendThread [0xF6108AC0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSystemDebugControl [0xF610F770]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwTerminateProcess [0xF6106790]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwTerminateThread [0xF6107620]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwUnloadDriver [0xF6101530]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwWriteVirtualMemory [0xF610B2B0]

INT 0x62 ? 8336BBF8
INT 0x63 ? 831E7BF8
INT 0x63 ? 831E7BF8
INT 0x82 ? 8336BBF8
INT 0x94 ? 831E7BF8
INT 0xA4 ? 831E7BF8
INT 0xB4 ? 831E7BF8

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution + 392 804E4BCC 8 Bytes JMP ED70F610
.text ntoskrnl.exe!ZwYieldExecution + 46A 804E4CA4 12 Bytes [90, 81, 10, F6, C0, 8A, 10, ...] {NOP ; ADC DWORD [EAX], 0x108ac0f6; DIV BYTE [EAX-0x9]; ADC DH, DH}
? spgq.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F78AF62C 4 Bytes JMP 831E71D8

---- User code sections - GMER 1.0.15 ----

.text C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe[140] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0059EB4C C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe (Outpost User Interface/Agnitum Ltd.)
.text C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe[140] kernel32.dll!LoadResource 7C80A065 5 Bytes JMP 0059E828 C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe (Outpost User Interface/Agnitum Ltd.)
.text C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe[140] kernel32.dll!SetUnhandledExceptionFilter 7C810386 5 Bytes JMP 0059EA88 C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe (Outpost User Interface/Agnitum Ltd.)
.text C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe[140] USER32.dll!EnableWindow 77D4BE71 5 Bytes JMP 00F7944C C:\PROGRA~1\Agnitum\OUTPOS~1\op_cmn.dll (Outpost Common Controls Library/Agnitum Ltd.)
.text C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe[140] USER32.dll!SetWindowsHookExW 77D5E4AF 5 Bytes JMP 0059EB20 C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe (Outpost User Interface/Agnitum Ltd.)
.text C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe[140] USER32.dll!SetWindowsHookExA 77D611E9 5 Bytes JMP 0059EAF4 C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe (Outpost User Interface/Agnitum Ltd.)
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[192] USER32.dll!SetWindowPos 77D4C01B 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[192] USER32.dll!SetForegroundWindow 77D54795 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[192] USER32.dll!ChangeDisplaySettingsExA 77D5D2DE 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[192] USER32.dll!ChangeDisplaySettingsExW 77D89175 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\ctfmon.exe[204] USER32.dll!SetWindowPos 77D4C01B 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\ctfmon.exe[204] USER32.dll!SetForegroundWindow 77D54795 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\ctfmon.exe[204] USER32.dll!ChangeDisplaySettingsExA 77D5D2DE 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\ctfmon.exe[204] USER32.dll!ChangeDisplaySettingsExW 77D89175 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Messenger\Msmsgs.exe[232] USER32.dll!SetWindowPos 77D4C01B 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Messenger\Msmsgs.exe[232] USER32.dll!SetForegroundWindow 77D54795 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Messenger\Msmsgs.exe[232] USER32.dll!ChangeDisplaySettingsExA 77D5D2DE 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Messenger\Msmsgs.exe[232] USER32.dll!ChangeDisplaySettingsExW 77D89175 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe[596] kernel32.dll!SetUnhandledExceptionFilter 7C810386 5 Bytes JMP 00522570 C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe (Agnitum Outpost Service/Agnitum Ltd.)
.text C:\Program Files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe[664] USER32.dll!SetWindowPos 77D4C01B 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe[664] USER32.dll!SetForegroundWindow 77D54795 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe[664] USER32.dll!ChangeDisplaySettingsExA 77D5D2DE 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe[664] USER32.dll!ChangeDisplaySettingsExW 77D89175 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Java\jre6\bin\jqs.exe[792] USER32.dll!SetWindowPos 77D4C01B 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Java\jre6\bin\jqs.exe[792] USER32.dll!SetForegroundWindow 77D54795 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Java\jre6\bin\jqs.exe[792] USER32.dll!ChangeDisplaySettingsExA 77D5D2DE 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Java\jre6\bin\jqs.exe[792] USER32.dll!ChangeDisplaySettingsExW 77D89175 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\winlogon.exe[872] USER32.dll!SetWindowPos 77D4C01B 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\winlogon.exe[872] USER32.dll!SetForegroundWindow 77D54795 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\winlogon.exe[872] USER32.dll!ChangeDisplaySettingsExA 77D5D2DE 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\winlogon.exe[872] USER32.dll!ChangeDisplaySettingsExW 77D89175 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\services.exe[916] USER32.dll!SetWindowPos 77D4C01B 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\services.exe[916] USER32.dll!SetForegroundWindow 77D54795 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\services.exe[916] USER32.dll!ChangeDisplaySettingsExA 77D5D2DE 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\services.exe[916] USER32.dll!ChangeDisplaySettingsExW 77D89175 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\SpywareGuard\sgmain.exe[1396] USER32.dll!SetWindowPos 77D4C01B 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\SpywareGuard\sgmain.exe[1396] USER32.dll!SetForegroundWindow 77D54795 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\SpywareGuard\sgmain.exe[1396] USER32.dll!ChangeDisplaySettingsExA 77D5D2DE 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\SpywareGuard\sgmain.exe[1396] USER32.dll!ChangeDisplaySettingsExW 77D89175 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\SpywareGuard\sgbhp.exe[1472] USER32.dll!SetWindowPos 77D4C01B 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\SpywareGuard\sgbhp.exe[1472] USER32.dll!SetForegroundWindow 77D54795 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\SpywareGuard\sgbhp.exe[1472] USER32.dll!ChangeDisplaySettingsExA 77D5D2DE 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\SpywareGuard\sgbhp.exe[1472] USER32.dll!ChangeDisplaySettingsExW 77D89175 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\spoolsv.exe[1700] USER32.dll!SetWindowPos 77D4C01B 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\spoolsv.exe[1700] USER32.dll!SetForegroundWindow 77D54795 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\spoolsv.exe[1700] USER32.dll!ChangeDisplaySettingsExA 77D5D2DE 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\spoolsv.exe[1700] USER32.dll!ChangeDisplaySettingsExW 77D89175 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1844] USER32.dll!SetWindowPos 77D4C01B 5 Bytes JMP 00D8A1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1844] USER32.dll!SetForegroundWindow 77D54795 5 Bytes JMP 00D8A174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1844] USER32.dll!ChangeDisplaySettingsExA 77D5D2DE 5 Bytes JMP 00D8A1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1844] USER32.dll!ChangeDisplaySettingsExW 77D89175 5 Bytes JMP 00D8A224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1844] USER32.dll!TrackPopupMenu 77D94ED6 5 Bytes JMP 10402342 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\WINDOWS\Explorer.EXE[1928] USER32.dll!SetWindowPos 77D4C01B 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\Explorer.EXE[1928] USER32.dll!SetForegroundWindow 77D54795 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\Explorer.EXE[1928] USER32.dll!ChangeDisplaySettingsExA 77D5D2DE 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\Explorer.EXE[1928] USER32.dll!ChangeDisplaySettingsExW 77D89175 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2712] USER32.dll!SetWindowPos 77D4C01B 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2712] USER32.dll!SetForegroundWindow 77D54795 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2712] USER32.dll!ChangeDisplaySettingsExA 77D5D2DE 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2712] USER32.dll!ChangeDisplaySettingsExW 77D89175 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3468] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3468] USER32.dll!SetWindowPos 77D4C01B 5 Bytes JMP 00E8A1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3468] USER32.dll!SetForegroundWindow 77D54795 5 Bytes JMP 00E8A174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3468] USER32.dll!ChangeDisplaySettingsExA 77D5D2DE 5 Bytes JMP 00E8A1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3468] USER32.dll!ChangeDisplaySettingsExW 77D89175 5 Bytes JMP 00E8A224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Documents and Settings\Administrator\Desktop\i5er980i.exe[3488] USER32.dll!SetWindowPos 77D4C01B 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Documents and Settings\Administrator\Desktop\i5er980i.exe[3488] USER32.dll!SetForegroundWindow 77D54795 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Documents and Settings\Administrator\Desktop\i5er980i.exe[3488] USER32.dll!ChangeDisplaySettingsExA 77D5D2DE 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Documents and Settings\Administrator\Desktop\i5er980i.exe[3488] USER32.dll!ChangeDisplaySettingsExW 77D89175 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 8336E5E0
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F870993C] spgq.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F8709990] spgq.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F86DA040] spgq.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F86DA13C] spgq.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F86DA0BE] spgq.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F86DA7FC] spgq.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F86DA6D2] spgq.sys
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 831E72D8
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F86E9D92] spgq.sys
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [F7545906] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F7545906] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F7545906] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F7545906] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F7545906] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F7545906] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [F7545906] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F7545906] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtSetInformationFile] [F6100190] \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateFile] [F60ED130] \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8336A1F8
Device \FileSystem\Fastfat \FatCdrom 82C601F8
Device \Driver\Tcpip \Device\Ip afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
Device \Driver\NetBT \Device\NetBT_Tcpip_{7492278A-097E-49BD-B5CA-96AB647DB0D1} 82D77500
Device \Driver\usbuhci \Device\USBPDO-0 831E61F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 833DD1F8
Device \Driver\dmio \Device\DmControl\DmConfig 833DD1F8
Device \Driver\dmio \Device\DmControl\DmPnP 833DD1F8
Device \Driver\dmio \Device\DmControl\DmInfo 833DD1F8
Device \Driver\usbuhci \Device\USBPDO-1 831E61F8
Device \Driver\usbuhci \Device\USBPDO-2 831E61F8
Device \Driver\usbuhci \Device\USBPDO-3 831E61F8
Device \Driver\usbehci \Device\USBPDO-4 831B31F8
Device \Driver\Tcpip \Device\Tcp afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
Device \Driver\usbstor \Device\00000070 82D711F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8336C1F8
Device \Driver\usbstor \Device\00000071 82D711F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8336C1F8
Device \Driver\Cdrom \Device\CdRom0 8316E1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 8336B1F8
Device \Driver\atapi \Device\Ide\IdePort0 8336B1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 8336B1F8
Device \Driver\atapi \Device\Ide\IdePort1 8336B1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f 8336B1F8
Device \Driver\Ftdisk \Device\HarddiskVolume3 8336C1F8
Device \Driver\Cdrom \Device\CdRom1 8316E1F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 82D77500
Device \Driver\NetBT \Device\NetbiosSmb 82D77500
Device \Driver\Tcpip \Device\Udp afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
Device \Driver\Tcpip \Device\RawIp afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
Device \Driver\usbuhci \Device\USBFDO-0 831E61F8
Device \Driver\usbstor \Device\0000006c 82D711F8
Device \Driver\usbuhci \Device\USBFDO-1 831E61F8
Device \Driver\usbstor \Device\0000006e 82D711F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 829A11F8
Device \Driver\Tcpip \Device\IPMULTICAST afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
Device \Driver\usbuhci \Device\USBFDO-2 831E61F8
Device \Driver\usbstor \Device\0000006f 82D711F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 829A11F8
Device \Driver\usbuhci \Device\USBFDO-3 831E61F8
Device \Driver\usbehci \Device\USBFDO-4 831B31F8
Device \Driver\Ftdisk \Device\FtControl 8336C1F8
Device \FileSystem\Fastfat \Fat 82C601F8
Device \FileSystem\Cdfs \Cdfs 8315C1F8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x9F 0x70 0x29 0xAC ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x7F 0x71 0x75 0x6D ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x44 0x38 0xEA 0x0E ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x9F 0x70 0x29 0xAC ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x7F 0x71 0x75 0x6D ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x44 0x38 0xEA 0x0E ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x9F 0x70 0x29 0xAC ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x7F 0x71 0x75 0x6D ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x44 0x38 0xEA 0x0E ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x9F 0x70 0x29 0xAC ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x7F 0x71 0x75 0x6D ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x44 0x38 0xEA 0x0E ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x9F 0x70 0x29 0xAC ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x7F 0x71 0x75 0x6D ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x44 0x38 0xEA 0x0E ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x9F 0x70 0x29 0xAC ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x7F 0x71 0x75 0x6D ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x44 0x38 0xEA 0x0E ...
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x9F 0x70 0x29 0xAC ...
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x7F 0x71 0x75 0x6D ...
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x44 0x38 0xEA 0x0E ...
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x9F 0x70 0x29 0xAC ...
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x7F 0x71 0x75 0x6D ...
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x44 0x38 0xEA 0x0E ...
Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x9F 0x70 0x29 0xAC ...
Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x7F 0x71 0x75 0x6D ...
Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x44 0x38 0xEA 0x0E ...
Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x9F 0x70 0x29 0xAC ...
Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x7F 0x71 0x75 0x6D ...
Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x44 0x38 0xEA 0x0E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xEC 0x8E 0x2D 0xAE ...
Reg HKLM\SYSTEM\ControlSet012\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet012\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet012\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xEC 0x8E 0x2D 0xAE ...

---- EOF - GMER 1.0.15 ----

.
DDS (Ver_2011-06-02.03) - NTFSx86
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_24
Run by Administrator at 14:02:11 on 2011-06-11
.
============== Running Processes ===============
.
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\Msmsgs.exe
C:\Program Files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mWinlogon: SFCDisable=4 (0x4)
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SpywareGuardDLBLOCK.CBrowserHelper: {4a368e80-174f-4872-96b5-0b27ddd11db2} - c:\program files\spywareguard\dlprotect.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~2\SDHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\Msmsgs.exe" /background
uRun: [Aim] "c:\program files\aim7\aim.exe" /d locale=en-US
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messen~1\YahooMessenger.exe" -quiet
mRun: [OutpostMonitor] c:\progra~1\agnitum\outpos~1\op_mon.exe /tray /noservice
mRun: [OutpostFeedBack] "c:\program files\agnitum\outpost firewall\feedback.exe" /dump

s_startup
mRun: [hello.exe] c:\windows\system32\hey.exe
mRun: [Serviço de Rede] c:\windows\system\Downloads_E.CPL
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mPolicies-system: EnableLUA = 0 (0x0)
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\docume~1\admini~1\office10\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~2\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.1 68.237.161.12
TCP: Interfaces\{7492278A-097E-49BD-B5CA-96AB647DB0D1} : DhcpNameServer = 192.168.1.1 68.237.161.12
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hook.dll
SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\program files\spywareguard\spywareguard.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\ssqpp.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\3zort4s4.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
============= SERVICES / DRIVERS ===============
.
R? hwmobile;Huawei CDMA Handset USB Modem and USB Serial
R? MBAMSwissArmy;MBAMSwissArmy
S? acssrv;Agnitum Client Security Service
S? afw;Agnitum firewall driver
S? afwcore;afwcore
S? IHA_MessageCenter;IHA_MessageCenter
S? SandBox;SandBox
S? sp_rsdrv2;Spyware Terminator Driver 2
.
=============== File Associations ===============
.
regfile=regedit.exe "%1" %*
.
=============== Created Last 30 ================
.
2011-06-11 01:50:16 -------- d-sh--w- C:\found.001
2011-06-03 00:08:06 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2011-06-02 23:58:48 -------- d--h--w- C:\$AVG
2011-06-02 22:58:35 -------- d-----w- c:\documents and settings\all users\application data\MFAData
2011-06-01 21:03:12 0 ----a-w- c:\documents and settings\administrator\ntuser.tmp
2011-06-01 20:30:19 260 ----a-w- c:\windows\system32\cmdVBS.vbs
2011-06-01 20:30:19 256 ----a-w- c:\windows\system32\MSIevent.bat
2011-06-01 19:16:49 -------- d-----w- c:\program files\Verizon
2011-06-01 19:06:14 -------- d-----w- c:\documents and settings\administrator\application data\TechWizard
.
==================== Find3M ====================
.
2011-05-29 13:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 13:11:20 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 14:03:32.93 ===============

Blade81 · Jun 11, 2011

Hi

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
Remember to re-enable them afterwards.
Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Magnesium · Jun 12, 2011

here are the Combo Fix Logs and the new DDS log as requested:

ComboFix 11-06-11.01 - Administrator 06/11/2011 20:58:21.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.261 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
FW: Outpost Firewall *Disabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Media
c:\documents and settings\Administrator\Media\cagcat10\Thumbs.db
c:\temp\1cb
c:\temp\fCOe
c:\temp\fCOe\tOasF.log
c:\temp\xOe
c:\temp\xOe\tOasF.log
C:\Thumbs.db
c:\windows\curity~1
c:\windows\system32\k1
c:\windows\system32\k1\IKtzudll2.exe
c:\windows\system32\Thumbs.db
c:\windows\system32\vMW02a
c:\windows\system32\ymbols~1
H:\Autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2011-05-12 to 2011-06-12 )))))))))))))))))))))))))))))))
.
.
2011-06-11 01:50 . 2011-06-11 01:50 -------- d-----w- C:\found.001
2011-06-03 00:08 . 2011-06-03 00:08 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-06-02 23:58 . 2011-06-02 23:58 -------- d-----w- C:\$AVG
2011-06-02 22:58 . 2011-06-03 00:22 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-06-01 21:03 . 2011-06-01 21:03 0 ----a-w- c:\documents and settings\Administrator\ntuser.tmp
2011-06-01 20:30 . 2011-06-01 20:30 260 ----a-w- c:\windows\system32\cmdVBS.vbs
2011-06-01 20:30 . 2011-06-01 20:30 256 ----a-w- c:\windows\system32\MSIevent.bat
2011-06-01 19:16 . 2011-06-01 20:30 -------- d-----w- c:\program files\Verizon
2011-06-01 19:06 . 2011-06-01 19:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\TechWizard
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-29 13:11 . 2008-07-23 02:29 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 13:11 . 2008-06-15 23:10 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim"="c:\program files\AIM7\aim.exe" [2011-01-05 4321112]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2010-06-01 5252408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OutpostMonitor"="c:\progra~1\Agnitum\OUTPOS~1\op_mon.exe" [2009-04-28 2374464]
"OutpostFeedBack"="c:\program files\Agnitum\Outpost Firewall\feedback.exe" [2009-04-28 428032]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
palmOne Registration.lnk - c:\program files\palmOne\register.exe [N/A]
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Officexp\Office10\OSA.EXE [2001-2-13 83360]
Microsoft Office.lnk.disabled [2007-9-12 1692]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2010-06-01 15:17 5252408 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
"WinAble"=c:\program files\WinAble\winable.exe
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"AIM"=c:\program files\AIM\aim.exe -cnetwait.odl
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AlcxMonitor"=ALCXMNTR.EXE
"MSConfig"=c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"nwiz"=nwiz.exe /installquiet /keeploaded /nodetect
"rtasks"=c:\program files\SpyGuardPro\rtasks.exe
"Salestart"="c:\program files\Common Files\SpyGuardPro\bm.exe" dm=http://spyguardpro.com; ad=http://spyguardpro.com
"SpyGuardPro"=c:\program files\SpyGuardPro\pgs.exe
"SpywareTerminator"="c:\program files\Spyware Terminator\SpywareTerminatorShield.exe"
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\windows\system32\igxdfmls.exe"= c:\windows\system32\igx
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Messenger\\Msmsgs.exe"=
"c:\\Program Files\\AIM7\\aim.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"50000:UDP"= 50000:UDP:IHA_MessageCenter
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/20/2008 8:03 AM 716272]
R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [9/13/2009 1:41 PM 704384]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [9/10/2007 1:53 PM 141312]
R2 IHA_MessageCenter;IHA_MessageCenter;c:\program files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [5/24/2011 4:02 PM 143360]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [9/13/2009 1:39 PM 31128]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [9/13/2009 1:41 PM 257432]
S2 acssrv;Agnitum Client Security Service;c:\progra~1\Agnitum\OUTPOS~1\acs.exe [9/13/2009 1:39 PM 1195008]
S3 hwmobile;Huawei CDMA Handset USB Modem and USB Serial;c:\windows\system32\drivers\hwusbser.sys [11/8/2009 8:05 PM 101376]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [7/22/2008 10:29 PM 39984]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\docume~1\ADMINI~1\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1 68.237.161.12
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3zort4s4.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll
BHO-{A3BC75A2-1F87-4686-AA43-5347D756017C} - c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll
HKLM-Run-hello.exe - c:\windows\system32\hey.exe
HKLM-Run-Serviço de Rede - c:\windows\system\Downloads_E.CPL
MSConfigStartUp-AlcoholAutomount - c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-11 21:05
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
hello.exe = c:\windows\system32\hey.exe???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
.
**************************************************************************
.
Completion time: 2011-06-11 21:09:13 - machine was rebooted
ComboFix-quarantined-files.txt 2011-06-12 01:09
.
Pre-Run: 15,254,417,408 bytes free
Post-Run: 20,617,150,464 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - F2CE5AFDE60A6C8B3904F24A0BF54BE5

.
DDS (Ver_2011-06-02.03) - NTFSx86
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_24
Run by Administrator at 21:13:12 on 2011-06-11
.
============== Running Processes ===============
.
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr
C:\WINDOWS\system32\REGSVR32.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
uURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
mURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SpywareGuardDLBLOCK.CBrowserHelper: {4a368e80-174f-4872-96b5-0b27ddd11db2} - c:\program files\spywareguard\dlprotect.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~2\SDHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [Aim] "c:\program files\aim7\aim.exe" /d locale=en-US
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messen~1\YahooMessenger.exe" -quiet
mRun: [OutpostMonitor] c:\progra~1\agnitum\outpos~1\op_mon.exe /tray /noservice
mRun: [OutpostFeedBack] "c:\program files\agnitum\outpost firewall\feedback.exe" /dump

s_startup
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\docume~1\admini~1\office10\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~2\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.1 68.237.161.12
TCP: Interfaces\{7492278A-097E-49BD-B5CA-96AB647DB0D1} : DhcpNameServer = 192.168.1.1 68.237.161.12
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\program files\spywareguard\spywareguard.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\3zort4s4.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
============= SERVICES / DRIVERS ===============
.
R? acssrv;Agnitum Client Security Service
R? hwmobile;Huawei CDMA Handset USB Modem and USB Serial
R? MBAMSwissArmy;MBAMSwissArmy
S? afw;Agnitum firewall driver
S? afwcore;afwcore
S? IHA_MessageCenter;IHA_MessageCenter
S? SandBox;SandBox
S? sp_rsdrv2;Spyware Terminator Driver 2
.
=============== Created Last 30 ================
.
2011-06-12 00:55:37 98816 ----a-w- c:\windows\sed.exe
2011-06-12 00:55:37 518144 ----a-w- c:\windows\SWREG.exe
2011-06-12 00:55:37 256512 ----a-w- c:\windows\PEV.exe
2011-06-12 00:55:37 208896 ----a-w- c:\windows\MBR.exe
2011-06-11 01:50:16 -------- d-----w- C:\found.001
2011-06-03 00:08:06 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2011-06-02 23:58:48 -------- d-----w- C:\$AVG
2011-06-02 22:58:35 -------- d-----w- c:\documents and settings\all users\application data\MFAData
2011-06-01 21:03:12 0 ----a-w- c:\documents and settings\administrator\ntuser.tmp
2011-06-01 20:30:19 260 ----a-w- c:\windows\system32\cmdVBS.vbs
2011-06-01 20:30:19 256 ----a-w- c:\windows\system32\MSIevent.bat
2011-06-01 19:16:49 -------- d-----w- c:\program files\Verizon
2011-06-01 19:06:14 -------- d-----w- c:\documents and settings\administrator\application data\TechWizard
.
==================== Find3M ====================
.
2011-05-29 13:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 13:11:20 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 21:13:51.39 ===============

One weird thing that happened was that an Internet Explorer icon appeared on my desktop, after Combofix automatically rebooted. i never use internet explorer and i deleted the iconn from my desktop a long time ago. is that normal?

Blade81 · Jun 12, 2011

Hi again,

One weird thing that happened was that an Internet Explorer icon appeared on my desktop, after Combofix automatically rebooted. i never use internet explorer and i deleted the iconn from my desktop a long time ago. is that normal?

Yes, that's normal leave the icon untouched this time.

Open notepad and copy/paste the text in the quotebox below into it:

Code:

DDS::
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"rtasks"=-
"Salestart"=-
"SpyGuardPro"=-

Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.

If you still use Firefox then better update it to the latest of 4. version.

Uninstall old Adobe Reader versions and get the latest one ((Adobe Reader X + 10.0.1 update for it)) here or get Foxit Reader here. Make sure you don't (unless you want to) install toolbar if choose Foxit Reader! You may also check free readers introduced here.

Uninstall your current Adobe shockwave player and get the fresh one here if needed.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 6 Update 26.
Click the
Download
button to the right.
Select Windows on platform combobox and check the box that says:
Accept License Agreement. Click continue.
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u26-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.

* Go here to run an online scanner from ESET.

Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is UNchecked.
Click Scan
Wait for the scan to finish.

Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.

Magnesium · Jun 12, 2011

Ok i updated and did everything you requested. here are the logs

ComboFix 11-06-11.01 - Administrator 06/12/2011 9:45.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.276 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
FW: Outpost Firewall *Disabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}
.
.
((((((((((((((((((((((((( Files Created from 2011-05-12 to 2011-06-12 )))))))))))))))))))))))))))))))
.
.
2011-06-11 01:50 . 2011-06-11 01:50 -------- d-----w- C:\found.001
2011-06-03 00:08 . 2011-06-03 00:08 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-06-02 23:58 . 2011-06-02 23:58 -------- d-----w- C:\$AVG
2011-06-02 22:58 . 2011-06-03 00:22 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-06-01 21:03 . 2011-06-01 21:03 0 ----a-w- c:\documents and settings\Administrator\ntuser.tmp
2011-06-01 20:30 . 2011-06-01 20:30 260 ----a-w- c:\windows\system32\cmdVBS.vbs
2011-06-01 20:30 . 2011-06-01 20:30 256 ----a-w- c:\windows\system32\MSIevent.bat
2011-06-01 19:16 . 2011-06-01 20:30 -------- d-----w- c:\program files\Verizon
2011-06-01 19:06 . 2011-06-01 19:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\TechWizard
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-29 13:11 . 2008-07-23 02:29 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 13:11 . 2008-06-15 23:10 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim"="c:\program files\AIM7\aim.exe" [2011-01-05 4321112]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2010-06-01 5252408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OutpostMonitor"="c:\progra~1\Agnitum\OUTPOS~1\op_mon.exe" [2009-04-28 2374464]
"OutpostFeedBack"="c:\program files\Agnitum\Outpost Firewall\feedback.exe" [2009-04-28 428032]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
palmOne Registration.lnk - c:\program files\palmOne\register.exe [N/A]
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Officexp\Office10\OSA.EXE [2001-2-13 83360]
Microsoft Office.lnk.disabled [2007-9-12 1692]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2010-06-01 15:17 5252408 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
"WinAble"=c:\program files\WinAble\winable.exe
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"AIM"=c:\program files\AIM\aim.exe -cnetwait.odl
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AlcxMonitor"=ALCXMNTR.EXE
"MSConfig"=c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"nwiz"=nwiz.exe /installquiet /keeploaded /nodetect
"SpywareTerminator"="c:\program files\Spyware Terminator\SpywareTerminatorShield.exe"
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\windows\system32\igxdfmls.exe"= c:\windows\system32\igx
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Messenger\\Msmsgs.exe"=
"c:\\Program Files\\AIM7\\aim.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"50000:UDP"= 50000:UDP:IHA_MessageCenter
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/20/2008 8:03 AM 716272]
R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [9/13/2009 1:41 PM 704384]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [9/10/2007 1:53 PM 141312]
R2 IHA_MessageCenter;IHA_MessageCenter;c:\program files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [5/24/2011 4:02 PM 143360]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [9/13/2009 1:39 PM 31128]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [9/13/2009 1:41 PM 257432]
S2 acssrv;Agnitum Client Security Service;c:\progra~1\Agnitum\OUTPOS~1\acs.exe [9/13/2009 1:39 PM 1195008]
S3 hwmobile;Huawei CDMA Handset USB Modem and USB Serial;c:\windows\system32\drivers\hwusbser.sys [11/8/2009 8:05 PM 101376]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [7/22/2008 10:29 PM 39984]
.
.
------- Supplementary Scan -------
.
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\docume~1\ADMINI~1\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1 68.237.161.12
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3zort4s4.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-12 09:50
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2011-06-12 09:53:03
ComboFix-quarantined-files.txt 2011-06-12 13:53
ComboFix2.txt 2011-06-12 01:09
.
Pre-Run: 20,624,691,200 bytes free
Post-Run: 20,614,782,976 bytes free
.
- - End Of File - - 199A292F74757413B0E2C3572F0C96D1

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
# OnlineScanner.ocx=1.0.0.6526
# api_version=3.0.2
# EOSSerial=c2372485390ff642a8c1ae0d91d3c001
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-06-12 04:43:46
# local_time=2011-06-12 12:43:46 (-0500, Eastern Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 94680678 94680678 0 0
# compatibility_mode=1024 16777215 100 0 0 0 0 0
# compatibility_mode=6912 16777215 100 0 54110007 54110007 0 0
# compatibility_mode=7937 16777214 85 100 93775259 102323635 0 0
# compatibility_mode=8192 67108863 100 0 54189264 54189264 0 0
# scanned=74903
# found=3
# cleaned=0
# scan_time=1837
C:\Documents and Settings\Administrator\Desktop\Shockwave_Installer_Slim.exe probably a variant of Win32/Genetik trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinKoobface.zip Win32/Bagle.gen.zip worm (unable to clean) 00000000000000000000000000000000 I
C:\WINDOWS\system32\Adobe\Shockwave 11\gt.exe probably a variant of Win32/Genetik trojan (unable to clean) 00000000000000000000000000000000 I

.
DDS (Ver_2011-06-02.03) - NTFSx86
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_26
Run by Administrator at 12:48:57 on 2011-06-12
.
============== Running Processes ===============
.
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
uURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
mURLSearchHooks: H - No File
BHO: SpywareGuardDLBLOCK.CBrowserHelper: {4a368e80-174f-4872-96b5-0b27ddd11db2} - c:\program files\spywareguard\dlprotect.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~2\SDHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
uRun: [Aim] "c:\program files\aim7\aim.exe" /d locale=en-US
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messen~1\YahooMessenger.exe" -quiet
mRun: [OutpostMonitor] c:\progra~1\agnitum\outpos~1\op_mon.exe /tray /noservice
mRun: [OutpostFeedBack] "c:\program files\agnitum\outpost firewall\feedback.exe" /dump

s_startup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\docume~1\admini~1\office10\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~2\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.1 68.237.161.12
TCP: Interfaces\{7492278A-097E-49BD-B5CA-96AB647DB0D1} : DhcpNameServer = 192.168.1.1 68.237.161.12
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\program files\spywareguard\spywareguard.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\3zort4s4.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
============= SERVICES / DRIVERS ===============
.
R? hwmobile;Huawei CDMA Handset USB Modem and USB Serial
R? MBAMSwissArmy;MBAMSwissArmy
S? acssrv;Agnitum Client Security Service
S? afw;Agnitum firewall driver
S? afwcore;afwcore
S? IHA_MessageCenter;IHA_MessageCenter
S? SandBox;SandBox
S? sp_rsdrv2;Spyware Terminator Driver 2
.
=============== Created Last 30 ================
.
2011-06-12 15:59:13 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-06-12 13:58:36 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-06-12 13:58:35 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-06-12 13:58:35 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-06-12 13:58:35 465880 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-06-12 13:58:35 1974616 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
2011-06-12 13:58:35 1892184 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
2011-06-12 13:58:35 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-06-12 13:58:35 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-06-12 00:55:37 98816 ----a-w- c:\windows\sed.exe
2011-06-12 00:55:37 518144 ----a-w- c:\windows\SWREG.exe
2011-06-12 00:55:37 256512 ----a-w- c:\windows\PEV.exe
2011-06-12 00:55:37 208896 ----a-w- c:\windows\MBR.exe
2011-06-11 01:50:16 -------- d-----w- C:\found.001
2011-06-03 00:08:06 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2011-06-02 23:58:48 -------- d-----w- C:\$AVG
2011-06-02 22:58:35 -------- d-----w- c:\documents and settings\all users\application data\MFAData
2011-06-01 21:03:12 0 ----a-w- c:\documents and settings\administrator\ntuser.tmp
2011-06-01 20:30:19 260 ----a-w- c:\windows\system32\cmdVBS.vbs
2011-06-01 20:30:19 256 ----a-w- c:\windows\system32\MSIevent.bat
2011-06-01 19:16:49 -------- d-----w- c:\program files\Verizon
2011-06-01 19:06:14 -------- d-----w- c:\documents and settings\administrator\application data\TechWizard
.
==================== Find3M ====================
.
2011-06-12 15:58:56 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-29 13:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 13:11:20 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 12:50:46.31 ===============

On thing i forgot to mention and i should have ever since i made this thread, but everytime i start up my comp[uter right after the Windows XP logo screen some option in a blue screen comes up asking if it wants to do a scan on my disk to check for consistency? is this like real or fake or part of a infection?

Blade81 · Jun 12, 2011

Hi,

Open notepad and copy/paste the text in the quotebox below into it:

Code:

File::
C:\Documents and Settings\Administrator\Desktop\Shockwave_Installer_Slim.exe
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinKoobface.zip
C:\WINDOWS\system32\Adobe\Shockwave 11\gt.exe

Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.

Download and install Internet Explorer 8. You told earlier that you don't use IE. However, there're programs that use IE's components.

Post fresh dds logs when done.

On thing i forgot to mention and i should have ever since i made this thread, but everytime i start up my comp[uter right after the Windows XP logo screen some option in a blue screen comes up asking if it wants to do a scan on my disk to check for consistency? is this like real or fake or part of a infection?

That's likely real.

Magnesium · Jun 12, 2011

Ok i updated the IE and here are all the logs

ComboFix 11-06-11.01 - Administrator 06/12/2011 15:42:01.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.310 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
FW: Outpost Firewall *Disabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}
.
FILE ::
"c:\documents and settings\Administrator\Desktop\Shockwave_Installer_Slim.exe"
"c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinKoobface.zip"
"c:\windows\system32\Adobe\Shockwave 11\gt.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Desktop\Shockwave_Installer_Slim.exe
c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinKoobface.zip
c:\windows\system32\Adobe\Shockwave 11\gt.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-05-12 to 2011-06-12 )))))))))))))))))))))))))))))))
.
.
2011-06-12 18:13 . 2011-06-12 18:13 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp
2011-06-12 16:08 . 2011-06-12 16:08 -------- d-----w- c:\windows\LastGood
2011-06-12 15:59 . 2011-06-12 15:59 -------- d-----w- c:\program files\Common Files\Java
2011-06-12 15:59 . 2011-06-12 15:58 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-06-12 14:39 . 2011-06-12 14:40 -------- d-----w- c:\program files\Common Files\Adobe
2011-06-12 13:58 . 2011-04-14 16:26 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-06-12 13:58 . 2011-04-14 16:25 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-06-12 13:58 . 2011-04-14 16:25 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-06-12 13:58 . 2011-04-14 16:25 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-06-12 13:58 . 2011-04-14 16:25 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-06-12 13:58 . 2011-04-14 16:25 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-06-12 13:58 . 2010-01-01 08:00 1974616 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-06-12 13:58 . 2010-01-01 08:00 1892184 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-06-11 01:50 . 2011-06-11 01:50 -------- d-----w- C:\found.001
2011-06-03 00:08 . 2011-06-03 00:08 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-06-02 23:58 . 2011-06-02 23:58 -------- d-----w- C:\$AVG
2011-06-02 22:58 . 2011-06-03 00:22 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-06-01 21:03 . 2011-06-01 21:03 0 ----a-w- c:\documents and settings\Administrator\ntuser.tmp
2011-06-01 20:30 . 2011-06-01 20:30 260 ----a-w- c:\windows\system32\cmdVBS.vbs
2011-06-01 20:30 . 2011-06-01 20:30 256 ----a-w- c:\windows\system32\MSIevent.bat
2011-06-01 19:16 . 2011-06-01 20:30 -------- d-----w- c:\program files\Verizon
2011-06-01 19:06 . 2011-06-01 19:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\TechWizard
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-12 15:58 . 2010-05-20 19:40 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-29 13:11 . 2008-07-23 02:29 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 13:11 . 2008-06-15 23:10 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-14 16:26 . 2011-06-12 13:58 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-06-12_01.05.46 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-06-12 15:36 . 2011-06-12 15:36 87699 c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
+ 2011-04-26 06:51 . 2011-04-26 06:51 98304 c:\windows\system32\Adobe\Shockwave 11\SwMenu.dll
+ 2011-04-26 06:07 . 2011-04-26 06:07 73408 c:\windows\system32\Adobe\Shockwave 11\gtapi.dll
+ 2011-04-26 06:07 . 2011-04-26 06:07 64512 c:\windows\system32\Adobe\Shockwave 11\gcapi_dll.dll
+ 2011-04-26 07:00 . 2011-04-26 07:00 68536 c:\windows\system32\Adobe\Director\SWDNLD.EXE
+ 2010-11-16 01:02 . 2010-11-16 01:02 17304 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\ViewerPS.dll
+ 2010-11-16 01:02 . 2010-11-16 01:02 35736 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\reader_sl.exe
+ 2010-11-16 01:02 . 2010-11-16 01:02 16808 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\piaglbreakfinder.dll
+ 2010-11-16 01:02 . 2010-11-16 01:02 84896 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\PDFPrevHndlr.dll
+ 2010-11-16 01:02 . 2010-11-16 01:02 94608 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\eula.exe
+ 2010-11-16 01:02 . 2010-11-16 01:02 49064 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\acrotextextractor.exe
+ 2010-11-16 01:02 . 2010-11-16 01:02 17824 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\AcroRd32Info.exe
+ 2010-11-16 01:02 . 2010-11-16 01:02 62376 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\acroiehelpershim.dll
+ 2010-11-16 01:02 . 2010-11-16 01:02 64928 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\AcroIEHelper.dll
+ 2010-11-16 01:02 . 2010-11-16 01:02 63384 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\Acrofx32.dll
- 2008-04-10 14:37 . 2008-03-19 23:24 9216 c:\windows\system32\Adobe\Shockwave 11\DynaPlayer.dll
+ 2011-04-26 06:52 . 2011-04-26 06:52 9216 c:\windows\system32\Adobe\Shockwave 11\DynaPlayer.dll
+ 2011-06-12 15:59 . 2011-06-12 15:58 157472 c:\windows\system32\javaws.exe
- 2011-02-27 13:17 . 2011-02-03 02:40 157472 c:\windows\system32\javaws.exe
+ 2011-06-12 15:59 . 2011-06-12 15:58 145184 c:\windows\system32\javaw.exe
- 2011-02-27 13:17 . 2011-02-03 02:40 145184 c:\windows\system32\javaw.exe
+ 2011-06-12 15:59 . 2011-06-12 15:58 145184 c:\windows\system32\java.exe
- 2011-02-27 13:17 . 2011-02-03 02:40 145184 c:\windows\system32\java.exe
+ 2011-04-26 06:51 . 2011-04-26 06:51 114688 c:\windows\system32\Adobe\Shockwave 11\SwInit.exe
+ 2011-04-26 07:00 . 2011-04-26 07:00 469944 c:\windows\system32\Adobe\Shockwave 11\SwHelper_1159620.exe
+ 2011-04-26 06:07 . 2011-04-26 06:07 136568 c:\windows\system32\Adobe\Shockwave 11\SCC.dll
+ 2011-04-26 06:53 . 2011-04-26 06:53 446464 c:\windows\system32\Adobe\Shockwave 11\Proj.dll
+ 2011-04-26 06:52 . 2011-04-26 06:52 372736 c:\windows\system32\Adobe\Shockwave 11\Plugin.dll
+ 2011-04-26 06:53 . 2011-04-26 06:53 880640 c:\windows\system32\Adobe\Shockwave 11\gi.dll
+ 2011-04-26 06:51 . 2011-04-26 06:51 503808 c:\windows\system32\Adobe\Shockwave 11\Control.dll
+ 2011-04-26 07:00 . 2011-04-26 07:00 215992 c:\windows\system32\Adobe\Director\SwDir.dll
+ 2011-04-26 06:52 . 2011-04-26 06:52 135168 c:\windows\system32\Adobe\Director\np32dsw.dll
+ 2011-06-12 15:59 . 2011-06-12 15:59 203776 c:\windows\Installer\446ee.msi
+ 2011-06-12 15:58 . 2011-06-12 15:58 677376 c:\windows\Installer\446dc.msi
+ 2010-11-16 01:02 . 2010-11-16 01:02 390552 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\pdfshell.dll
+ 2010-11-16 01:02 . 2010-11-16 01:02 101288 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\PDFPrevHndlrShim.exe
+ 2010-11-16 01:02 . 2010-11-16 01:02 135568 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\nppdf32.dll
+ 2010-11-16 01:02 . 2010-11-16 01:02 681872 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\JP2KLib.dll
+ 2010-11-16 01:02 . 2010-11-16 01:02 104344 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\AiodLite.dll
+ 2010-11-16 01:02 . 2010-11-16 01:02 702352 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\AcroPDF.dll
+ 2010-11-16 01:02 . 2010-11-16 01:02 294808 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\acrobroker.exe
+ 2010-11-16 01:02 . 2010-11-16 01:02 205720 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\a3dutils.dll
+ 2011-04-26 06:44 . 2011-04-26 06:44 1019904 c:\windows\system32\Adobe\Shockwave 11\iml32.dll
+ 2011-04-26 06:46 . 2011-04-26 06:46 1802240 c:\windows\system32\Adobe\Shockwave 11\dirapi.dll
+ 2011-06-12 14:41 . 2011-06-12 14:41 2519552 c:\windows\Installer\200a49.msi
+ 2010-11-16 01:02 . 2010-11-16 01:02 2207632 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\rt3d.dll
+ 2010-11-16 01:02 . 2010-11-16 01:02 6222744 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\authplay.dll
+ 2010-11-16 01:02 . 2010-11-16 01:02 5503368 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\AGM.dll
+ 2010-11-16 01:02 . 2010-11-16 01:02 1216416 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\AdobeCollabSync.exe
+ 2010-11-16 01:02 . 2010-11-16 01:02 1289624 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\AcroRd32.exe
+ 2011-06-12 15:04 . 2011-06-12 15:04 12425728 c:\windows\Installer\3aa0c7.msp
+ 2010-11-16 01:02 . 2010-11-16 01:02 23724952 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010\10.0.0\AcroRd32.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim"="c:\program files\AIM7\aim.exe" [2011-01-05 4321112]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2010-06-01 5252408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OutpostMonitor"="c:\progra~1\Agnitum\OUTPOS~1\op_mon.exe" [2009-04-28 2374464]
"OutpostFeedBack"="c:\program files\Agnitum\Outpost Firewall\feedback.exe" [2009-04-28 428032]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-16 932288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
palmOne Registration.lnk - c:\program files\palmOne\register.exe [N/A]
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Officexp\Office10\OSA.EXE [2001-2-13 83360]
Microsoft Office.lnk.disabled [2007-9-12 1692]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2010-06-01 15:17 5252408 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
"WinAble"=c:\program files\WinAble\winable.exe
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"AIM"=c:\program files\AIM\aim.exe -cnetwait.odl
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AlcxMonitor"=ALCXMNTR.EXE
"MSConfig"=c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"nwiz"=nwiz.exe /installquiet /keeploaded /nodetect
"SpywareTerminator"="c:\program files\Spyware Terminator\SpywareTerminatorShield.exe"
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\windows\system32\igxdfmls.exe"= c:\windows\system32\igx
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Messenger\\Msmsgs.exe"=
"c:\\Program Files\\AIM7\\aim.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"50000:UDP"= 50000:UDP:IHA_MessageCenter
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/20/2008 8:03 AM 716272]
R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [9/13/2009 1:41 PM 704384]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [9/10/2007 1:53 PM 141312]
R2 IHA_MessageCenter;IHA_MessageCenter;c:\program files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [5/24/2011 4:02 PM 143360]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [9/13/2009 1:39 PM 31128]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [9/13/2009 1:41 PM 257432]
S2 acssrv;Agnitum Client Security Service;c:\progra~1\Agnitum\OUTPOS~1\acs.exe [9/13/2009 1:39 PM 1195008]
S3 hwmobile;Huawei CDMA Handset USB Modem and USB Serial;c:\windows\system32\drivers\hwusbser.sys [11/8/2009 8:05 PM 101376]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [7/22/2008 10:29 PM 39984]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - JAVAQUICKSTARTERSERVICE
.
.
------- Supplementary Scan -------
.
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\docume~1\ADMINI~1\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1 68.237.161.12
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3zort4s4.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-12 15:47
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2011-06-12 15:49:25
ComboFix-quarantined-files.txt 2011-06-12 19:49
ComboFix2.txt 2011-06-12 13:53
ComboFix3.txt 2011-06-12 01:09
.
Pre-Run: 19,843,481,600 bytes free
Post-Run: 19,844,886,528 bytes free
.
- - End Of File - - DBCF8A6B77C859DB547C38AA0BE092B8

.
DDS (Ver_2011-06-02.03) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by Administrator at 16:30:42 on 2011-06-12
.
============== Running Processes ===============
.
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
uURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
mURLSearchHooks: H - No File
BHO: SpywareGuardDLBLOCK.CBrowserHelper: {4a368e80-174f-4872-96b5-0b27ddd11db2} - c:\program files\spywareguard\dlprotect.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~2\SDHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
uRun: [Aim] "c:\program files\aim7\aim.exe" /d locale=en-US
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messen~1\YahooMessenger.exe" -quiet
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [OutpostMonitor] c:\progra~1\agnitum\outpos~1\op_mon.exe /tray /noservice
mRun: [OutpostFeedBack] "c:\program files\agnitum\outpost firewall\feedback.exe" /dump

s_startup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\docume~1\admini~1\office10\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~2\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.1 68.237.161.12
TCP: Interfaces\{7492278A-097E-49BD-B5CA-96AB647DB0D1} : DhcpNameServer = 192.168.1.1 68.237.161.12
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\program files\spywareguard\spywareguard.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\3zort4s4.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
============= SERVICES / DRIVERS ===============
.
R? hwmobile;Huawei CDMA Handset USB Modem and USB Serial
R? MBAMSwissArmy;MBAMSwissArmy
S? acssrv;Agnitum Client Security Service
S? afw;Agnitum firewall driver
S? afwcore;afwcore
S? IHA_MessageCenter;IHA_MessageCenter
S? SandBox;SandBox
S? sp_rsdrv2;Spyware Terminator Driver 2
.
=============== Created Last 30 ================
.
2011-06-12 20:29:55 -------- d-sh--w- c:\documents and settings\administrator\PrivacIE
2011-06-12 20:26:44 -------- d-sh--w- c:\documents and settings\administrator\IETldCache
2011-06-12 20:24:41 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2011-06-12 20:24:01 -------- dc-h--w- c:\windows\ie8
2011-06-12 18:13:34 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Temp
2011-06-12 15:59:13 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-06-12 13:58:36 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-06-12 13:58:35 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-06-12 13:58:35 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-06-12 13:58:35 465880 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-06-12 13:58:35 1974616 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
2011-06-12 13:58:35 1892184 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
2011-06-12 13:58:35 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-06-12 13:58:35 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-06-12 00:55:37 98816 ----a-w- c:\windows\sed.exe
2011-06-12 00:55:37 518144 ----a-w- c:\windows\SWREG.exe
2011-06-12 00:55:37 256512 ----a-w- c:\windows\PEV.exe
2011-06-12 00:55:37 208896 ----a-w- c:\windows\MBR.exe
2011-06-11 01:50:16 -------- d-----w- C:\found.001
2011-06-03 00:08:06 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2011-06-02 23:58:48 -------- d-----w- C:\$AVG
2011-06-02 22:58:35 -------- d-----w- c:\documents and settings\all users\application data\MFAData
2011-06-01 21:03:12 0 ----a-w- c:\documents and settings\administrator\ntuser.tmp
2011-06-01 20:30:19 260 ----a-w- c:\windows\system32\cmdVBS.vbs
2011-06-01 20:30:19 256 ----a-w- c:\windows\system32\MSIevent.bat
2011-06-01 19:16:49 -------- d-----w- c:\program files\Verizon
2011-06-01 19:06:14 -------- d-----w- c:\documents and settings\administrator\application data\TechWizard
.
==================== Find3M ====================
.
2011-06-12 15:58:56 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-29 13:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 13:11:20 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 16:31:51.23 ===============

Blade81 · Jun 13, 2011

Hi,

How's the system running now?

Magnesium · Jun 13, 2011

yeah its pretty good. although for some reason yahoo takes longer to start up whenever i click the icon, before the sign in window would pop up right away. the internet connection is runnin much slower. im startin to think this comp is just old, even though that wasnt an issue with my last ISP.

Blade81 · Jun 13, 2011

Hi,

Go to Windows Update site and install all important updates (service pack 3 included) there. Post fresh dds logs when ready.

Magnesium · Jun 14, 2011

hey Blade, I tried to download the updates but it doesnt want to. Whenever the activeX window pops up i click "install", after that nothing happens and it tells me an error occurred.

Blade81 · Jun 14, 2011

Does the message contain any specific error code?

Magnesium · Jun 14, 2011

yeah it does here it is right here:

"Read more about steps you can take to resolve this problem (error number 0x8DDD0004) yourself."

Blade81 · Jun 14, 2011

Hi,

1. Download Dial-a-Fix archive file here.
2. Extract contents to suitable place (e.g. your desktop) and navigate to that location.
3. Double-click Dial-a-Fix.exe file to execute the program.
4. Checkmark Fix Windows Update -checkbox. It's possible that the program checks some options automatically after that. Leave those untouched and click GO -button.

When tool has finished, reboot and see if you're able to access Windows Update.

Magnesium · Jun 17, 2011

Hey blade i ran Dial A Fix and attempted to access windows update again, but i still receive the same error number.

Blade81 · Jun 17, 2011

Hi,

Please make sure your firewall is not blocking Windows Update.

Magnesium · Jun 17, 2011

I closed down my firewall this time. but still the same problem, i let the ActiveX control install but then afterwards nothing happens and i get the same error screen.

Blade81 · Jun 17, 2011

Hi,

Please download Windows Update Agent installer. Install it and see if the error still appears.

Suspected Infection

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus