Virtumonde...and other problems!

justwayne

New member
Hi,

I must confess that I have neglected my machine and didn't act quickly enough. My system has become incredibly slow to start (it takes up to 10 minutes to get to my homepage!), it stalls often, it freezes often and I get false warnings, which I suspect are due to FakeAlert. I was looking at the screen the other day as I was running Spybot and noticed that a whole bunch of files containing the word "Virtumonde" were being scanned. I hope someone is nice enough to help me, if I promise to be more vigilant in the future!! Here's my first HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:51:46 AM, on 25/04/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users.WINDOWS\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Zinio DLM] C:\Program Files\Zinio\ZinioReader.exe /autostart
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

--
End of file - 8567 bytes

Thanks!
Christian
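A small triage parser for the HijackThis log format posted above, added here as an example; it is not part of the original thread and not HijackThis's own code. It splits the log into its section-coded entries (R0, O2, O4, O23, ...) and surfaces the ones an analyst reads first: BHO/toolbar CLSIDs whose DLL is gone ("(no file)"), autoruns launched straight from the Windows root, and services HJT could not attribute to a publisher. The sample input is a constructed subset of the lines from the log above; a flag is a prompt to verify the entry, not a verdict.

```python
import re

# Constructed sample: a subset of the HijackThis entries posted in the thread above
# (raw string so the Windows backslashes need no escaping).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - (no file)
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKCU\..\Run: [Zinio DLM] C:\Program Files\Zinio\ZinioReader.exe /autostart
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
"""

# One HJT entry: a section code (R0, O2, O4, O23, ...) followed by " - " and the body.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# Executable path of an O4 autorun entry: it follows the "[name]" tag and may be quoted.
O4_PATH_RE = re.compile(r'\]\s*"?(?P<path>[A-Za-z]:\\[^"]+?\.exe)', re.IGNORECASE)


def parse_hjt(text):
    """Return [(code, body), ...] for every HJT entry line in the log text."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def triage(text):
    """Return review prompts as (code, reason, body) tuples.

    A finding means "verify this", not "this is malicious": vVX3000.exe, for
    instance, is flagged only because it autoruns from the Windows root
    rather than from Program Files or system32.
    """
    findings = []
    for code, body in parse_hjt(text):
        if code in ("O2", "O3") and body.lower().endswith("(no file)"):
            # A CLSID still registered as a BHO/toolbar although its DLL is gone:
            # usually left over from an uninstall or a removed infection. Worth
            # cleaning up so the orphaned registration cannot be reused later.
            findings.append((code, "orphaned BHO/toolbar registration", body))
        elif code == "O4":
            m = O4_PATH_RE.search(body)
            if m:
                directory = m.group("path").rsplit("\\", 1)[0].lower()
                if directory == r"c:\windows":
                    # Legitimate autoruns normally live under Program Files or
                    # system32; a binary sitting directly in the Windows root
                    # deserves a publisher/hash check before it is trusted.
                    findings.append((code, "autorun executable in Windows root", body))
        elif code == "O23" and "Unknown owner" in body:
            # HJT could not read a company name from the service binary.
            findings.append((code, "service binary without publisher info", body))
    return findings


def main():
    for code, reason, body in triage(SAMPLE_LOG):
        print(f"{code:<4} {reason}: {body}")


if __name__ == "__main__":
    main()
```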
 
Hello and welcome to Safer Networking.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly, the fix may take several attempts and my replies may take some time, but I will stick with it if you do the same.


Step # 1: Disable Teatimer

Spybot S&D's tea timer normally provides real-time protection from spyware, however it may interfere with what we need to do. We will disable it until the machine is clean when it can be re-enabled.

This is a two step process.
First step:
  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have version 1.5 or 1.6, click once on Resident Protection, then right-click the Spybot icon again and make sure Resident Protection is now unchecked. The Spybot icon in the System Tray should now be colorless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident

Second step, for either version:
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • Then, also in the left panel, click Resident (it shows a red/white shield).
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, uncheck the box labeled Resident "Tea-Timer" (Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.


Step # 2 Download and run DDS

Download DDS and save it to your desktop from here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop. Post them back to your topic.


Step # 3: Download and Run Gmer

Please download gmer.zip from Gmer and save it to your desktop.

***Please close any open programs ***

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst


If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click No.

If you do not receive notice about possible rootkit activity, remain on the Rootkit/Malware tab and make sure that the 'Sections' button is ticked and the 'Show All' button is unticked.
  • Click the Scan button and let the program do its work. GMER will produce a log.
  • Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.

DO NOT touch the PC at ALL for Whatever reason/s until it has 100% completed its scan, or attempted scan in case of some error etc !

Please post the results from the GMER scan in your reply.


In your next post/reply, I need to see the following:

1. The two DDS Logs (DDS and Attach.txt)
2. The GMER Log

Use multiple posts if you can't fit everything into one post.
 
ok

Hello and thank you for taking the time to help me!
I will follow your instructions, but I have one quick and silly question first: should I avoid using my computer until this is resolved?! In other words, when I post the logs you asked for, should I do it from a different computer?
 
Oh, one more thing!

Well, two more things, actually:

1-Do you also need a new HJT log, once I'm done?
2-I'm on XP and share my computer with someone, so we have two users on it, each with his own preferences. I don't know if this is relevant, but thought I would let you know, in case.

Thanks!
 
Results

Hi,
Well, I was able to disable Teatimer. I then ran DDS and got the two logs. When I ran "Gmer", I got the Blue Screen of Death within 5 minutes. At the top, it said "Page_in_nonpages_area" and at the bottom, it said "STOP: 0x00000050......"

I am attaching the two DDS logs, as you requested:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Christian at 17:43:27.70 on 27/04/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.154 [GMT -5:00]

AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Christian.CATSEYE2\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - No File
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users.windows\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Zinio DLM] c:\program files\zinio\ZinioReader.exe /autostart
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [VX3000] c:\windows\vVX3000.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-8-9 12552]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-4-20 64288]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-8-9 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-8-9 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-8-9 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-1-10 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-10 297752]
R2 avgfws8;AVG8 Firewall;c:\progra~1\avg\avg8\avgfws8.exe [2009-8-9 1370488]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1265264]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-8-9 29208]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-27 135664]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-8-9 29208]

=============== Created Last 30 ================


==================== Find3M ====================

2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-04 23:22:35 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-03-04 23:22:35 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 16:46:14 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 16:46:14 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2009-01-18 21:07:04 2198 -c--a-w- c:\program files\INSTALL.LOG

============= FINISH: 17:47:11.92 ===============


and:


DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 09/08/2009 9:17:50 AM
System Uptime: 27/04/2010 5:26:01 PM (0 hours ago)

Motherboard: Dell Inc. | | 0M3918
Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | Microprocessor | 2793/800mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 71 GiB total, 4.427 GiB free.
D: is CDROM ()
E: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: TI Technologies Inc.
Description: RADEON X300 Series Secondary
Device ID: PCI\VEN_1002&DEV_5B70&SUBSYS_03031002&REV_00\4&166AB6CD&0&0108
Manufacturer: ATI Technologies Inc.
Name: RADEON X300 Series Secondary
PNP Device ID: PCI\VEN_1002&DEV_5B70&SUBSYS_03031002&REV_00\4&166AB6CD&0&0108
Service: ati2mtag

==== System Restore Points ===================

RP263: 31/03/2010 6:05:49 PM - System Checkpoint
RP264: 01/04/2010 6:25:26 AM - Software Distribution Service 3.0
RP265: 01/04/2010 4:46:59 PM - Software Distribution Service 3.0
RP266: 03/04/2010 4:01:48 PM - System Checkpoint
RP267: 04/04/2010 6:23:16 PM - System Checkpoint
RP268: 05/04/2010 7:01:19 PM - System Checkpoint
RP269: 06/04/2010 7:17:21 PM - System Checkpoint
RP270: 07/04/2010 7:46:20 PM - System Checkpoint
RP271: 08/04/2010 8:14:46 PM - System Checkpoint
RP272: 09/04/2010 10:25:17 PM - System Checkpoint
RP273: 10/04/2010 8:15:41 AM - Removed Bonjour
RP274: 11/04/2010 10:47:32 AM - System Checkpoint
RP275: 12/04/2010 12:48:54 PM - System Checkpoint
RP276: 13/04/2010 3:06:23 PM - System Checkpoint
RP277: 14/04/2010 7:23:32 AM - Software Distribution Service 3.0
RP278: 15/04/2010 7:47:25 AM - System Checkpoint
RP279: 15/04/2010 5:12:18 PM - Installed SUPERAntiSpyware Free Edition
RP280: 15/04/2010 7:48:37 PM - Removed SUPERAntiSpyware Free Edition
RP281: 16/04/2010 8:26:06 PM - System Checkpoint
RP282: 18/04/2010 4:44:00 PM - System Checkpoint
RP283: 19/04/2010 7:59:20 PM - System Checkpoint
RP284: 19/04/2010 7:37:58 PM - System Checkpoint
RP285: 20/04/2010 7:43:27 AM - Installed AVG 9.0
RP286: 21/04/2010 7:52:01 AM - System Checkpoint
RP287: 22/04/2010 8:23:34 AM - System Checkpoint
RP288: 23/04/2010 12:51:24 PM - System Checkpoint
RP289: 24/04/2010 5:48:24 PM - System Checkpoint
RP290: 26/04/2010 7:50:45 AM - System Checkpoint
RP291: 27/04/2010 8:09:19 AM - System Checkpoint

==== Installed Programs ======================

AAC Decoder
ACDSee Photo Manager 2009
Ad-Aware
Ad-Aware Email Scanner for Outlook
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
AutoUpdate
AVG 8.5
Bonjour
CCleaner
Conexant D850 56K V.9x DFVc Modem
Critical Update for Windows Media Player 11 (KB959772)
Dell ResourceCD
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Plus Web Player
DivX Version Checker
Google Toolbar for Internet Explorer
Google Update Helper
H.264 Decoder
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Intel(R) PRO Network Adapters and Drivers
iTunes
Java Auto Updater
Java(TM) 6 Update 18
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Corporation
Microsoft LifeCam
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
MKV Splitter
MSXML 6 Service Pack 2 (KB973686)
QuickTime
RealPlayer
RealUpgrade 1.0
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB976325)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980232)
Skype web features
Skype™ 4.1
SoundMAX
Spybot - Search & Destroy
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB978506)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB976749)
Update for Windows XP (KB978207)
VC80CRTRedist - 8.0.50727.4053
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
Zinio Reader
 
I will follow your instructions, but I have one quick and silly question first: should I avoid using my computer until this is resolved?! In other words, when I post the logs you asked for, should I do it from a different computer?

The only silly question is the one not asked. :)

If you have access to a clean computer and a USB/Flash Drive (to transfer logs and programs back and forth), then you can use those to transfer programs and logs between the two computers. And then post the logs I ask for from the clean computer. I'll let you know when you need to do something directly on the infected computer, otherwise you can avoid using it (i.e. surfing the web on it).


1-Do you also need a new HJT log, once I'm done?

The DDS Log(s) I asked for give me a lot more information than a HJT log would. I see no need for a new HJT Log (at the moment), but I will be asking for new DDS Logs throughout the fix. :)


2-I'm on XP and share my computer with someone, so we have two users on it, each with his own preferences. I don't know if this is relevant, but thought I would let you know, in case.

Thanks for letting me know. Are the problems you described in your first post only on your account? Or does it affect both accounts?


C: is FIXED (NTFS) - 71 GiB total, 4.427 GiB free.

The computer is extremely low on free space. You should go to Add/Remove Programs and uninstall any programs/games you no longer use/play. Also, if you have any music, movies, other files you no longer need you can either delete them or transfer them to a USB Drive or an External Hard Drive for storage.



Since GMER is giving you trouble, let's try another Rootkit Scanner in its place:


Step # 1 Download and run SysProt

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.

  • Double click Sysprot.exe to start the program.
  • Click on the Log tab.
  • In the Write to log box select the following items only:
    • Process
    • Kernel Modules
    • SSDT
    • Kernel Hooks
    • Hidden Files
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.
 
SysProt Log

Hi!
Ok, I was able to run SysProt and here's the log below. By the way, you were asking if both accounts are affected by the problems; the answer is yes. I am working on clearing some old stuff to make some room on my computer. Thanks again. Here's the log:

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

Process:
Name: [System Idle Process]
PID: 0
Hidden: No
Window Visible: No

Name: System
PID: 4
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\smss.exe
PID: 844
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\csrss.exe
PID: 892
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\winlogon.exe
PID: 924
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\services.exe
PID: 968
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\lsass.exe
PID: 988
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\ati2evxx.exe
PID: 1168
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\svchost.exe
PID: 1184
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\svchost.exe
PID: 1280
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\svchost.exe
PID: 1408
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\svchost.exe
PID: 1536
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\svchost.exe
PID: 1656
Hidden: No
Window Visible: No

Name: C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PID: 1700
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\spoolsv.exe
PID: 1948
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\svchost.exe
PID: 808
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PID: 868
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
PID: 1060
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\AVG\AVG8\avgfws8.exe
PID: 1208
Hidden: No
Window Visible: No

Name: C:\Program Files\Java\jre6\bin\jqs.exe
PID: 1560
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\AVG\AVG8\avgam.exe
PID: 224
Hidden: No
Window Visible: No

Name: C:\Program Files\Microsoft LifeCam\MSCamS32.exe
PID: 384
Hidden: No
Window Visible: No

Name: C:\Program Files\AVG\AVG8\avgrsx.exe
PID: 336
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\svchost.exe
PID: 484
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\AVG\AVG8\avgemc.exe
PID: 1428
Hidden: No
Window Visible: No

Name: C:\Program Files\AVG\AVG8\avgcsrvx.exe
PID: 2632
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\WBEM\unsecapp.exe
PID: 3040
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe
PID: 3064
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\alg.exe
PID: 3308
Hidden: No
Window Visible: No

Name: C:\Program Files\iPod\bin\iPodService.exe
PID: 604
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
PID: 944
Hidden: No
Window Visible: No

Name: C:\WINDOWS\explorer.exe
PID: 8004
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\AVG\AVG8\avgtray.exe
PID: 1160
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PID: 8000
Hidden: No
Window Visible: No

Name: C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PID: 2880
Hidden: No
Window Visible: No

Name: C:\Program Files\Analog Devices\Core\smax4pnp.exe
PID: 4912
Hidden: No
Window Visible: No

Name: C:\Program Files\iTunes\iTunesHelper.exe
PID: 1064
Hidden: No
Window Visible: No

Name: C:\WINDOWS\vVX3000.exe
PID: 5120
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Java\Java Update\jusched.exe
PID: 6212
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\ctfmon.exe
PID: 212
Hidden: No
Window Visible: No

Name: C:\Program Files\Messenger\msmsgs.exe
PID: 6148
Hidden: No
Window Visible: No

Name: C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PID: 2952
Hidden: No
Window Visible: No

Name: C:\Documents and Settings\Christian.CATSEYE2\Desktop\SysProt.exe
PID: 4632
Hidden: No
Window Visible: Yes

Name: C:\WINDOWS\SYSTEM32\services.exe
PID: 4
Hidden: Yes
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\services.exe
PID: 4
Hidden: Yes
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\services.exe
PID: 4
Hidden: Yes
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\services.exe
PID: 4
Hidden: Yes
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\services.exe
PID: 4
Hidden: Yes
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\services.exe
PID: 4
Hidden: Yes
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\services.exe
PID: 4
Hidden: Yes
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\services.exe
PID: 4
Hidden: Yes
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\services.exe
PID: 4
Hidden: Yes
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\services.exe
PID: 4
Hidden: Yes
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\services.exe
PID: 4
Hidden: Yes
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\services.exe
PID: 4
Hidden: Yes
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\services.exe
PID: 4
Hidden: Yes
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\services.exe
PID: 4
Hidden: Yes
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\services.exe
PID: 4
Hidden: Yes
Window Visible: No

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \??\C:\Documents and Settings\Christian.CATSEYE2\Desktop\SysProtDrv.sys
Service Name: SysProtDrv.sys
Module Base: BA7CD000
Module End: BA7D8000
Hidden: No

Module Name: \WINDOWS\system32\ntkrnlpa.exe
Service Name: ---
Module Base: 804D7000
Module End: 806E4000
Hidden: No

Module Name: \WINDOWS\system32\hal.dll
Service Name: ---
Module Base: 806E4000
Module End: 80704D00
Hidden: No

Module Name: \WINDOWS\system32\KDCOM.DLL
Service Name: ---
Module Base: F8B67000
Module End: F8B69000
Hidden: No

Module Name: \WINDOWS\system32\BOOTVID.dll
Service Name: ---
Module Base: F8A77000
Module End: F8A7A000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ACPI.sys
Service Name: ACPI
Module Base: F8538000
Module End: F8566000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\WMILIB.SYS
Service Name: ---
Module Base: F8B69000
Module End: F8B6B000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pci.sys
Service Name: PCI
Module Base: F8527000
Module End: F8538000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\isapnp.sys
Service Name: isapnp
Module Base: F8667000
Module End: F8671000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pciide.sys
Service Name: PCIIde
Module Base: F8C2F000
Module End: F8C30000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Service Name: ---
Module Base: F88E7000
Module End: F88EE000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\intelide.sys
Service Name: IntelIde
Module Base: F8B6B000
Module End: F8B6D000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\MountMgr.sys
Service Name: MountMgr
Module Base: F8677000
Module End: F8682000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ftdisk.sys
Service Name: Disk
Module Base: F8508000
Module End: F8527000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PartMgr.sys
Service Name: PartMgr
Module Base: F88EF000
Module End: F88F4000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\VolSnap.sys
Service Name: VolSnap
Module Base: F8687000
Module End: F8694000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\atapi.sys
Service Name: atapi
Module Base: F84F0000
Module End: F8508000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\cercsr6.sys
Service Name: cercsr6
Module Base: F88F7000
Module End: F88FF000
Hidden: No

Module Name: \WINDOWS\System32\Drivers\SCSIPORT.SYS
Service Name: ScsiPort
Module Base: F84D8000
Module End: F84F0000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\disk.sys
Service Name: ---
Module Base: F8697000
Module End: F86A0000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Service Name: ---
Module Base: F86A7000
Module End: F86B4000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\fltmgr.sys
Service Name: FltMgr
Module Base: F84B8000
Module End: F84D8000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sr.sys
Service Name: sr
Module Base: F84A6000
Module End: F84B8000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Lbd.sys
Service Name: Lbd
Module Base: F86B7000
Module End: F86C6000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PxHelp20.sys
Service Name: PxHelp20
Module Base: F86C7000
Module End: F86D0000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\KSecDD.sys
Service Name: KSecDD
Module Base: F848F000
Module End: F84A6000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Ntfs.sys
Service Name: Ntfs
Module Base: F8402000
Module End: F848F000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\NDIS.sys
Service Name: NDIS
Module Base: F83D5000
Module End: F8402000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Mup.sys
Service Name: Mup
Module Base: F83BB000
Module End: F83D5000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\avgrkx86.sys
Service Name: AvgRkx86
Module Base: F8B6D000
Module End: F8B6F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\intelppm.sys
Service Name: intelppm
Module Base: F8837000
Module End: F8840000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
Service Name: ati2mtag
Module Base: F81E5000
Module End: F8362000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Service Name: ---
Module Base: F81D1000
Module End: F81E5000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Service Name: usbuhci
Module Base: F89F7000
Module End: F89FD000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Service Name: ---
Module Base: F81AD000
Module End: F81D1000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Service Name: usbehci
Module Base: F89FF000
Module End: F8A07000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys
Service Name: HSFHWBS2
Module Base: F8179000
Module End: F81AD000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ks.sys
Service Name: ---
Module Base: F8156000
Module End: F8179000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
Service Name: HSF_DP
Module Base: F8057000
Module End: F8156000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
Service Name: winachsf
Module Base: F7FB0000
Module End: F8057000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Modem.SYS
Service Name: Modem
Module Base: F8A07000
Module End: F8A0F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\e100b325.sys
Service Name: E100B
Module Base: F7F8A000
Module End: F7FB0000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\smwdm.sys
Service Name: smwdm
Module Base: F7F4A000
Module End: F7F8A000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\portcls.sys
Service Name: ---
Module Base: F7F26000
Module End: F7F4A000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\drmk.sys
Service Name: ---
Module Base: F8847000
Module End: F8856000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\senfilt.sys
Service Name: senfilt
Module Base: F7E73000
Module End: F7F26000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\parport.sys
Service Name: Parport
Module Base: F7E5F000
Module End: F7E73000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\serial.sys
Service Name: Serial
Module Base: F8857000
Module End: F8867000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\serenum.sys
Service Name: serenum
Module Base: F8B37000
Module End: F8B3B000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Service Name: Cdrom
Module Base: F8867000
Module End: F8877000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\redbook.sys
Service Name: redbook
Module Base: F8877000
Module End: F8886000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
Service Name: GEARAspiWDM
Module Base: F8A0F000
Module End: F8A15000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\imapi.sys
Service Name: Imapi
Module Base: F8887000
Module End: F8892000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\avgfwdx.sys
Service Name: Avgfwdx
Module Base: F8A17000
Module End: F8A1D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\audstub.sys
Service Name: audstub
Module Base: F8CE4000
Module End: F8CE5000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Service Name: Rasl2tp
Module Base: F8897000
Module End: F88A4000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Service Name: NdisTapi
Module Base: F8B47000
Module End: F8B4A000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Service Name: NdisWan
Module Base: F7E48000
Module End: F7E5F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Service Name: RasPppoe
Module Base: F88A7000
Module End: F88B2000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Service Name: PptpMiniport
Module Base: F88B7000
Module End: F88C3000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Service Name: ---
Module Base: F8A1F000
Module End: F8A24000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\psched.sys
Service Name: PSched
Module Base: F7E37000
Module End: F7E48000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Service Name: Gpc
Module Base: F88C7000
Module End: F88D0000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Service Name: Ptilink
Module Base: F8A27000
Module End: F8A2C000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspti.sys
Service Name: Raspti
Module Base: F8A2F000
Module End: F8A34000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\termdd.sys
Service Name: TermDD
Module Base: F88D7000
Module End: F88E1000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Service Name: Kbdclass
Module Base: F8A37000
Module End: F8A3D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Service Name: Mouclass
Module Base: F8A3F000
Module End: F8A45000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\swenum.sys
Service Name: swenum
Module Base: F8B93000
Module End: F8B95000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\update.sys
Service Name: Update
Module Base: F7DD9000
Module End: F7E37000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Service Name: mssmbios
Module Base: F8B4F000
Module End: F8B53000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Service Name: NDProxy
Module Base: F8707000
Module End: F8711000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Service Name: usbhub
Module Base: F8717000
Module End: F8726000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Service Name: ---
Module Base: F8B95000
Module End: F8B97000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\MODEMCSA.sys
Service Name: MODEMCSA
Module Base: F837A000
Module End: F837E000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Service Name: Fs_Rec
Module Base: F8B99000
Module End: F8B9B000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Beep.SYS
Service Name: Beep
Module Base: F8B9B000
Module End: F8B9D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Service Name: ---
Module Base: F8A5F000
Module End: F8A66000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\vga.sys
Service Name: VgaSave
Module Base: F8A67000
Module End: F8A6D000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Service Name: mnmdd
Module Base: F8B9D000
Module End: F8B9F000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Service Name: RDPCDD
Module Base: F8B9F000
Module End: F8BA1000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Npfs.SYS
Service Name: Npfs
Module Base: F8907000
Module End: F890F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Service Name: RasAcd
Module Base: F8362000
Module End: F8365000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Service Name: IPSec
Module Base: EFA8F000
Module End: EFAA2000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Service Name: Tcpip
Module Base: EFA36000
Module End: EFA8F000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\avgtdix.sys
Service Name: AvgTdiX
Module Base: EFA1D000
Module End: EFA36000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Service Name: IpNat
Module Base: EF9F7000
Module End: EFA1D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\netbt.sys
Service Name: NetBT
Module Base: EF9CF000
Module End: EF9F7000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Service Name: Wanarp
Module Base: F8747000
Module End: F8750000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\ws2ifsl.sys
Service Name: WS2IFSL
Module Base: F8B13000
Module End: F8B16000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\afd.sys
Service Name: AFD
Module Base: EF9AD000
Module End: EF9CF000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\netbios.sys
Service Name: NetBIOS
Module Base: F8757000
Module End: F8760000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Service Name: Rdbss
Module Base: EF982000
Module End: EF9AD000
Hidden: No

Module Name: C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS
Service Name: OMCI
Module Base: F8B1B000
Module End: F8B1F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Service Name: MRxSmb
Module Base: EF8EA000
Module End: EF95A000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fips.SYS
Service Name: Fips
Module Base: F8777000
Module End: F8782000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbccgp.sys
Service Name: usbccgp
Module Base: F891F000
Module End: F8927000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\avgmfx86.sys
Service Name: AvgMfx86
Module Base: F8927000
Module End: F892D000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\avgldx86.sys
Service Name: AvgLdx86
Module Base: EF899000
Module End: EF8EA000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\hidusb.sys
Service Name: hidusb
Module Base: F8B2B000
Module End: F8B2E000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS
Service Name: ---
Module Base: F87A7000
Module End: F87B0000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\VX3000.sys
Service Name: VX3000
Module Base: EF61B000
Module End: EF7F9000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\STREAM.SYS
Service Name: ---
Module Base: F87B7000
Module End: F87C4000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\usbaudio.sys
Service Name: usbaudio
Module Base: F87C7000
Module End: F87D6000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mouhid.sys
Service Name: mouhid
Module Base: F8B2F000
Module End: F8B32000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\kbdhid.sys
Service Name: kbdhid
Module Base: F7DC9000
Module End: F7DCD000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Service Name: Cdfs
Module Base: F8807000
Module End: F8817000
Hidden: No

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: EF0BF000
Module End: EF0D7000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: F8BB9000
Module End: F8BBB000
Hidden: Yes

Module Name: C:\WINDOWS\System32\drivers\Dxapi.sys
Service Name: ---
Module Base: EFCCD000
Module End: EFCD0000
Hidden: No

Module Name: C:\WINDOWS\System32\watchdog.sys
Service Name: ---
Module Base: F8947000
Module End: F894C000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\dxgthk.sys
Service Name: ---
Module Base: F8D53000
Module End: F8D54000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Service Name: Ndisuio
Module Base: ECFBB000
Module End: ECFBF000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Service Name: MRxDAV
Module Base: ECC5A000
Module End: ECC87000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
Service Name: mdmxsdk
Module Base: ECA66000
Module End: ECA69000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\srv.sys
Service Name: Srv
Module Base: EC9D3000
Module End: ECA2A000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\wdmaud.sys
Service Name: wdmaud
Module Base: EC766000
Module End: EC77B000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sysaudio.sys
Service Name: sysaudio
Module Base: EC7DB000
Module End: EC7EA000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\TDTCP.SYS
Service Name: TDTCP
Module Base: F89E7000
Module End: F89ED000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\RDPWD.SYS
Service Name: RDPWD
Module Base: EC515000
Module End: EC538000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\HTTP.sys
Service Name: HTTP
Module Base: EC0AE000
Module End: EC0EF000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\kmixer.sys
Service Name: kmixer
Module Base: B9783000
Module End: B97AE000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Service Name: Fastfat
Module Base: B975F000
Module End: B9783000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\ParVdm.SYS
Service Name: ParVdm
Module Base: F8BF9000
Module End: F8BFB000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Null.SYS
Service Name: Null
Module Base: F8D42000
Module End: F8D43000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Msfs.SYS
Service Name: Msfs
Module Base: F8A6F000
Module End: F8A74000
Hidden: No

******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwCreateKey
Address: F86B787E
Driver Base: F86B7000
Driver End: F86C6000
Driver Name: Lbd.sys

Function Name: ZwSetValueKey
Address: F86B7BFE
Driver Base: F86B7000
Driver End: F86C6000
Driver Name: Lbd.sys

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\Documents and Settings\Altino\Favorites\New Folder\Altino`s Links\Links\Karisik çizgi romanlar - Sayfa 19 - Forumuz.biz.url
Status: Hidden

Object: C:\Documents and Settings\Altino\Favorites\New Folder\Çizgi Roman Istekleri - Sayfa 43 - Forumuz.biz.url
Status: Hidden

Object: C:\Documents and Settings\Altino\Favorites\New Folder\Çizgiroman Dagitim - Sayfa 14 - Forumuz.biz.url
Status: Hidden

Object: C:\Documents and Settings\Altino\My Documents\Altino\Favorites\Altino`s Links\Links\Karisik çizgi romanlar - Sayfa 19 - Forumuz.biz.url
Status: Hidden

Object: C:\Documents and Settings\Altino\My Documents\Altino\Favorites\Çizgi Roman Istekleri - Sayfa 43 - Forumuz.biz.url
Status: Hidden

Object: C:\Documents and Settings\Altino\My Documents\Altino\Favorites\Çizgiroman Dagitim - Sayfa 14 - Forumuz.biz.url
Status: Hidden

Object: C:\Documents and Settings\Altino\My Documents\Altino\Local Settings\Temp\Temporary Internet Files\Content.IE5\2FMG9Q5S\PagePos=1&adtype=PROMO_TEXT&category=RECIPES&site=FOOD&tile=13264352199936&ord=902247562&pagetype=RECIPE&uniqueid=FOOD_RECIPE_33782_1&SE
Status: Hidden

Object: C:\Documents and Settings\Altino\My Documents\Altino\Local Settings\Temp\Temporary Internet Files\Content.IE5\2FMG9Q5S\PagePos=2&adtype=GOOGLE&category=RECIPES&site=FOOD&tile=13264352199936&ord=902247562&pagetype=RECIPE&uniqueid=FOOD_RECIPE_33782_1&SECTIO
Status: Hidden

Object: C:\Documents and Settings\Altino\My Documents\Altino\Local Settings\Temp\Temporary Internet Files\Content.IE5\2FMG9Q5S\PagePos=5&show=TU&topic1=RECIPE_CONTENT&chef=TYLER_FLORENCE&ingredient=FRUIT&ingredient=POTATOES&interest=EASY&mealpart=DINNER&mealpart=
Status: Hidden

Object: C:\Documents and Settings\Altino\My Documents\Altino\Local Settings\Temp\Temporary Internet Files\Content.IE5\5TYVE1LX\adtype=LEADERBOARD&adsize=468x60&PagePos=1&SUBSECTION=SHOW_TU&vgncontent=SHOWS_A_TO_Z&category=TV&site=FOOD&tile=227484268110228&ord=902
Status: Hidden

Object: C:\Documents and Settings\Altino\My Documents\Altino\Local Settings\Temp\Temporary Internet Files\Content.IE5\5TYVE1LX\adtype=PRESTITIAL&PagePos=1&category=RECIPES&site=FOOD&tile=13264352199936&ord=902247562&pagetype=RECIPE&uniqueid=FOOD_RECIPE_33782_1&SE
Status: Hidden

Object: C:\Documents and Settings\Altino\My Documents\Altino\Local Settings\Temp\Temporary Internet Files\Content.IE5\5TYVE1LX\adtype=RECIPE_TOOLBAR&PagePos=1&category=RECIPES&site=FOOD&tile=13264352199936&ord=902247562&pagetype=RECIPE&uniqueid=FOOD_RECIPE_33782_
Status: Hidden

Object: C:\Documents and Settings\Altino\My Documents\Altino\Local Settings\Temp\Temporary Internet Files\Content.IE5\5TYVE1LX\adtype=SUPERSTITIAL&PagePos=1&category=RECIPES&site=FOOD&tile=13264352199936&ord=902247562&pagetype=RECIPE&uniqueid=FOOD_RECIPE_33782_1&
Status: Hidden

Object: C:\Documents and Settings\Altino\My Documents\Altino\Local Settings\Temp\Temporary Internet Files\Content.IE5\5TYVE1LX\adtype=SUPERSTITIAL&PagePos=2&category=RECIPES&site=FOOD&tile=13264352199936&ord=902247562&pagetype=RECIPE&uniqueid=FOOD_RECIPE_33782_1&
Status: Hidden

Object: C:\Documents and Settings\Altino\My Documents\Altino\Local Settings\Temp\Temporary Internet Files\Content.IE5\5TYVE1LX\adtype=SUPERSTITIAL&PagePos=3&category=RECIPES&site=FOOD&tile=13264352199936&ord=902247562&pagetype=RECIPE&uniqueid=FOOD_RECIPE_33782_1&
Status: Hidden

Object: C:\Documents and Settings\Altino\My Documents\Altino\Local Settings\Temp\Temporary Internet Files\Content.IE5\5TYVE1LX\PagePos=1&adtype=BASEBOARD&show=TU&topic1=RECIPE_CONTENT&chef=TYLER_FLORENCE&ingredient=FRUIT&ingredient=POTATOES&interest=EASY&mealpart
Status: Hidden

Object: C:\Documents and Settings\Altino\My Documents\Altino\Local Settings\Temp\Temporary Internet Files\Content.IE5\8U9ZA9DI\0x600&PagePos=1&SUBSECTION=SHOW_TU&vgncontent=SHOWS_A_TO_Z&category=TV&site=FOOD&tile=227484268110228&ord=902225656&pagetype=EPISODE&uni
Status: Hidden

Object: C:\Documents and Settings\Altino\My Documents\Altino\Local Settings\Temp\Temporary Internet Files\Content.IE5\8U9ZA9DI\adtype=LEADERBOARD&adsize=468x60&PagePos=1&category=RECIPES&site=FOOD&tile=13264352199936&ord=902247562&pagetype=RECIPE&uniqueid=FOOD_RE
Status: Hidden

Object: C:\Documents and Settings\Altino\My Documents\Altino\Local Settings\Temp\Temporary Internet Files\Content.IE5\8U9ZA9DI\adtype=SUPERSTITIAL&PagePos=1&SUBSECTION=SHOW_TU&vgncontent=SHOWS_A_TO_Z&category=TV&site=FOOD&tile=227484268110228&ord=902225656&pagety
Status: Hidden

Object: C:\Documents and Settings\Altino\My Documents\Altino\Local Settings\Temp\Temporary Internet Files\Content.IE5\8U9ZA9DI\adtype=SUPERSTITIAL&PagePos=2&SUBSECTION=SHOW_TU&vgncontent=SHOWS_A_TO_Z&category=TV&site=FOOD&tile=227484268110228&ord=902225656&pagety
Status: Hidden

Object: C:\Documents and Settings\Altino\My Documents\Altino\Local Settings\Temp\Temporary Internet Files\Content.IE5\K9CHMAC8\adtype=PRESTITIAL&PagePos=1&SUBSECTION=SHOW_TU&vgncontent=SHOWS_A_TO_Z&category=TV&site=FOOD&tile=227484268110228&ord=902225656&pagetype
Status: Hidden

Object: C:\Documents and Settings\Altino\My Documents\Altino\Local Settings\Temp\Temporary Internet Files\Content.IE5\K9CHMAC8\adtype=SUPERSTITIAL&PagePos=3&SUBSECTION=SHOW_TU&vgncontent=SHOWS_A_TO_Z&category=TV&site=FOOD&tile=227484268110228&ord=902225656&pagety
Status: Hidden

Object: C:\Documents and Settings\Altino\My Documents\Altino\Local Settings\Temp\Temporary Internet Files\Content.IE5\K9CHMAC8\PagePos=1&topic1=TYLER_FLORENCE&category=RECIPES&site=FOOD&tile=13264352199936&ord=902247562&pagetype=RECIPE&uniqueid=FOOD_RECIPE_33782_
Status: Hidden

Object: C:\Documents and Settings\Altino\My Documents\Altino\Recent\Bossa NnRoses.lnk
Status: Hidden

Object: C:\Documents and Settings\Altino.CATSEYE2\Local Settings\Temporary Internet Files\Content.IE5\9X1YRZTY\Final Crisis
Status: Hidden

Object: C:\Documents and Settings\Christian\Desktop\Altino's favorites\Altino`s Links\Links\Karisik çizgi romanlar - Sayfa 19 - Forumuz.biz.url
Status: Hidden

Object: C:\Documents and Settings\Christian\Desktop\Altino's favorites\Çizgi Roman Istekleri - Sayfa 43 - Forumuz.biz.url
Status: Hidden

Object: C:\Documents and Settings\Christian\Desktop\Altino's favorites\Çizgiroman Dagitim - Sayfa 14 - Forumuz.biz.url
Status: Hidden

Object: C:\Documents and Settings\Christian\My Documents\Christian\Desktop\RE_ Yvon et Phalla...
Status: Hidden

Object: C:\Documents and Settings\Christian\My Documents\Christian\Local Settings\Temporary Internet Files\Content.IE5\012NSXAR\RE_ Yvon et Phalla...
Status: Hidden

Object: C:\Documents and Settings\Christian\My Documents\Christian\Local Settings\Temporary Internet Files\Content.IE5\2LMNA3G9\RE _ Sur la question des cadeaux de Noël...
Status: Hidden

Object: C:\Documents and Settings\Christian\My Documents\Christian\Local Settings\Temporary Internet Files\Content.IE5\EFQJAD6R\RE _ Sur la question des cadeaux de Noël...
Status: Hidden

Object: C:\Documents and Settings\Christian\My Documents\Christian\Local Settings\Temporary Internet Files\Content.IE5\O1EFODI3\Délai...
Status: Hidden

Object: C:\Documents and Settings\Christian\My Documents\Christian\Local Settings\Temporary Internet Files\Content.IE5\O1EFODI3\RE_ oui, le message se rend...
Status: Hidden

Object: C:\Documents and Settings\Christian\My Documents\Christian\Local Settings\Temporary Internet Files\Content.IE5\QVEJUP2J\RE _ Sur la question des cadeaux de Noël...
Status: Hidden

Object: C:\Documents and Settings\Christian\My Documents\Christian\Local Settings\Temporary Internet Files\Content.IE5\YER48X15\RE _ Sur la question des cadeaux de Noël...
Status: Hidden

Object: C:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied

Object: C:\System Volume Information\tracking.log
Status: Access denied

Object: C:\System Volume Information\_restore{02F8B483-2966-472B-A12B-0937551E341B}
Status: Access denied

Object: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}
Status: Access denied

Object: C:\System Volume Information\_restore{98054201-3FC1-48C4-AF21-5943FE809E52}
Status: Access denied

Object: C:\System Volume Information\_restore{9F47AE68-40F3-4B6C-8F59-1D7184167832}
Status: Access denied
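A log this size is easier to triage programmatically. The Python below is an added example, not SysProt's own code or anything posted in this thread: it parses the record format shown above (blank-line-separated `Key: value` records under the `Process:`, `Kernel Modules:` and `SSDT:` headers) on a constructed excerpt modelled on this log, and reports hidden entries, PIDs reported under more than one image name (as with the services.exe entries listed with PID 4 above), and each SSDT hook together with whether the hooked address falls inside the named driver's image.

```python
# Added example: parse a SysProt AntiRootkit log and pull out what a responder
# checks first. Not SysProt's own code; SAMPLE_LOG is a constructed excerpt
# modelled on the format of the log posted above.
import re
from collections import Counter

SAMPLE_LOG = r"""Process:
Name: System
PID: 4
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\services.exe
PID: 4
Hidden: Yes
Window Visible: No

******************************************************************************************
Kernel Modules:
Module Name: C:\WINDOWS\system32\drivers\Lbd.sys
Service Name: Lbd
Module Base: F86B7000
Module End: F86C6000
Hidden: No

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: EF0BF000
Module End: EF0D7000
Hidden: Yes

******************************************************************************************
SSDT:
Function Name: ZwCreateKey
Address: F86B787E
Driver Base: F86B7000
Driver End: F86C6000
Driver Name: Lbd.sys

******************************************************************************************
No Kernel Hooks found
"""

SEPARATOR = re.compile(r"^\*{10,}[ \t]*$", re.MULTILINE)


def parse_sysprot(text):
    """Return {section: [record, ...]}; each record maps 'Key' -> 'value'."""
    sections = {}
    for chunk in SEPARATOR.split(text):
        lines = [ln.rstrip() for ln in chunk.strip().splitlines()]
        if not lines or not lines[0].endswith(":"):
            continue  # banner or free text such as "No Kernel Hooks found"
        records, current = [], {}
        for ln in lines[1:]:
            if not ln.strip():  # a blank line ends a record
                if current:
                    records.append(current)
                current = {}
                continue
            key, _, value = ln.partition(": ")  # paths contain ':', so split once
            current[key] = value
        if current:
            records.append(current)
        sections[lines[0][:-1]] = records
    return sections


def triage(sections):
    """Pull out the entries a responder checks first."""
    procs = sections.get("Process", [])
    # Hidden entries often repeat many times; count them rather than list each.
    hidden = Counter((p["Name"], p["PID"]) for p in procs if p.get("Hidden") == "Yes")
    by_pid = {}
    for p in procs:
        by_pid.setdefault(p["PID"], set()).add(p["Name"])
    report = {
        "hidden_processes": [{"name": n, "pid": pid, "entries": c}
                             for (n, pid), c in hidden.items()],
        # One PID reported under two image names is not what a healthy kernel shows.
        "pid_collisions": [{"pid": pid, "names": sorted(by_pid[pid])}
                           for pid in sorted(by_pid, key=int) if len(by_pid[pid]) > 1],
        # dump_* crash-dump drivers are not registered services and are routinely
        # reported as hidden; keep them in the report but mark them low priority.
        "hidden_modules": [{"module": m["Module Name"],
                            "likely_benign": m["Module Name"].rsplit("\\", 1)[-1]
                            .lower().startswith("dump_")}
                           for m in sections.get("Kernel Modules", [])
                           if m.get("Hidden") == "Yes"],
        "ssdt_hooks": [],
    }
    for h in sections.get("SSDT", []):
        addr, lo, hi = (int(h[k], 16) for k in ("Address", "Driver Base", "Driver End"))
        # A hook whose address lies outside the driver it is attributed to is a
        # stronger signal than one inside a known security product's driver.
        report["ssdt_hooks"].append({"function": h["Function Name"],
                                     "driver": h["Driver Name"],
                                     "address_in_driver": lo <= addr < hi})
    return report
```

Feed the full log text to `parse_sysprot` to get the same report for the real scan; the dump_* rule is a triage heuristic, not a verdict.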
 
By the way, you were asking if both accounts are affected by the problems; the answer is yes.

Ok. Once we're finished working on your account and if the other account still has problems, we'll work on that account. :) When/if the time comes, we'll continue in this thread, no need to start a new one.


Step # 1: Download and Run ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

*Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

When finished, it shall produce a log for you. Please include C:\ComboFix.txt in your next reply.
 
Hi, here're the ComboFix log:

ComboFix 10-04-29.01 - Christian 29/04/2010 17:06:48.1.2 - x86
Running from: c:\documents and settings\Christian.CATSEYE2\Desktop\ComboFix.exe
AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Altino\Application Data\ACD Systems\ACDSee\ImageDB.ddf
c:\documents and settings\Altino\System
c:\documents and settings\Altino\System\win_qs8.jqx
c:\documents and settings\Christian\Application Data\ACD Systems\ACDSee\ImageDB.ddf
c:\documents and settings\Christian\System
c:\documents and settings\Christian\System\win_qs8.jqx
c:\program files\INSTALL.LOG
c:\recycler\S-1-5-21-1292428093-776561741-682003330-1005
c:\recycler\S-1-5-21-1292428093-776561741-682003330-1006
c:\recycler\S-1-5-21-1915440068-4218434781-2478028672-1006
c:\recycler\S-1-5-21-1915440068-4218434781-2478028672-1007
c:\recycler\S-1-5-21-1915440068-4218434781-2478028672-500
c:\recycler\S-1-5-21-4122468611-1368610669-1466313096-1138
c:\windows\system32\vos
C:\xcrashdump.dat

.
((((((((((((((((((((((((( Files Created from 2010-03-28 to 2010-04-29 )))))))))))))))))))))))))))))))
.

2010-04-25 03:32 . 2010-04-25 03:32 -------- d-----w- c:\documents and settings\Altino.CATSEYE2\Application Data\Malwarebytes
2010-04-24 21:21 . 2010-04-24 21:21 -------- d-----w- c:\documents and settings\Christian.CATSEYE2\Application Data\Malwarebytes
2010-04-24 21:18 . 2010-03-30 05:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-24 21:16 . 2010-04-24 21:16 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2010-04-24 21:16 . 2010-03-30 05:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-21 00:31 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-04-21 00:30 . 2010-04-21 00:30 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-04-21 00:24 . 2010-04-21 00:25 -------- dc-h--w- c:\documents and settings\All Users.WINDOWS\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-04-15 22:14 . 2010-04-15 22:14 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2010-04-09 17:34 . 2001-08-17 18:57 16128 -c--a-w- c:\windows\system32\dllcache\modemcsa.sys
2010-04-09 17:34 . 2001-08-17 18:57 16128 ----a-w- c:\windows\system32\drivers\MODEMCSA.sys
2010-03-31 19:37 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-03-31 19:36 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2010-03-31 19:36 . 2008-04-11 19:04 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2010-03-31 19:36 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2010-03-31 01:04 . 2004-08-04 10:00 221184 ----a-w- c:\windows\system32\wmpns.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-28 22:15 . 2009-08-15 01:53 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2010-04-25 21:40 . 2010-02-02 00:03 -------- d-----w- c:\documents and settings\Christian.CATSEYE2\Application Data\Skype
2010-04-25 21:24 . 2010-02-02 00:08 -------- d-----w- c:\documents and settings\Christian.CATSEYE2\Application Data\skypePM
2010-04-24 21:20 . 2008-08-31 13:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-21 00:25 . 2005-05-18 11:18 -------- d-----w- c:\program files\Lavasoft
2010-04-21 00:22 . 2009-08-15 01:49 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft
2010-04-20 12:37 . 2009-01-10 19:27 -------- d-----w- c:\program files\AVG
2010-04-17 14:10 . 2009-08-26 05:35 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-16 13:14 . 2010-02-03 07:39 265056 ----a-w- c:\documents and settings\LocalService.NT AUTHORITY.000\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-04-16 00:51 . 2008-08-26 10:41 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-16 00:51 . 2009-02-09 21:46 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-15 00:05 . 2009-08-15 02:05 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS
2010-04-11 04:09 . 2009-08-10 05:22 13104 -c--a-w- c:\documents and settings\Altino.CATSEYE2\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-30 23:48 . 2009-08-09 14:13 77423 ----a-w- c:\windows\PCHEALTH\HELPCTR\OfflineCache\index.dat
2010-03-30 11:42 . 2009-10-25 15:02 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\AVG Security Toolbar
2010-03-14 15:18 . 2009-02-06 22:40 -------- d-----w- c:\program files\CCleaner
2010-03-12 01:14 . 2005-04-05 12:05 -------- d-----w- c:\program files\Common Files\Java
2010-03-12 01:11 . 2005-04-05 12:05 -------- d-----w- c:\program files\Java
2010-03-11 01:46 . 2009-10-25 14:52 -------- d---a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Temp
2010-03-10 06:15 . 2004-08-04 10:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-05 05:04 . 2005-05-08 17:51 -------- d-----w- c:\program files\DivX
2010-03-05 05:02 . 2009-08-16 17:20 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-03-04 23:24 . 2005-04-05 12:08 -------- d-----w- c:\program files\Real
2010-03-04 23:22 . 2010-03-04 23:22 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-03-04 23:22 . 2010-03-04 23:22 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-02-25 06:24 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2004-08-04 10:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2005-03-30 01:21 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2005-03-30 01:01 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2004-08-04 10:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-04 10:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-02-07 15:08 . 2009-08-15 14:54 12328 -c--a-w- c:\documents and settings\Christian.CATSEYE2\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-02 00:08 . 2010-02-02 00:08 56 ---ha-w- c:\windows\system32\ezsidmv.dat
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 19:02 1230080 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-16 68856]
"Zinio DLM"="c:\program files\Zinio\ZinioReader.exe" [2009-07-21 2707526]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-10 344064]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-18 2046816]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-08-09 122368]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-04 202256]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2009-07-24 118640]
"VX3000"="c:\windows\vVX3000.exe" [2009-07-24 762208]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-10 13:31 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avgfws8"=2 (0x2)
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"7957:TCP"= 7957:TCP:Services
"7958:TCP"= 7958:TCP:Services
"3071:TCP"= 3071:TCP:Services
"4642:TCP"= 4642:TCP:Services
"2338:TCP"= 2338:TCP:Services
"3176:TCP"= 3176:TCP:Services
"1666:TCP"= 1666:TCP:Services
"1832:TCP"= 1832:TCP:Services

R0 AvgRkx86;avgrkx86.sys;c:\windows\SYSTEM32\DRIVERS\avgrkx86.sys [09/08/2009 1:08 PM 12552]
R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [20/04/2010 7:31 PM 64288]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [09/08/2009 1:08 PM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [09/08/2009 1:08 PM 108552]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [04/02/2010 10:52 AM 1265264]
R3 Avgfwdx;Avgfwdx;c:\windows\SYSTEM32\DRIVERS\avgfwdx.sys [09/08/2009 1:07 PM 29208]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [27/01/2010 8:31 AM 135664]
S3 Avgfwfd;AVG network filter service;c:\windows\SYSTEM32\DRIVERS\avgfwdx.sys [09/08/2009 1:07 PM 29208]
S4 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [10/01/2009 2:27 PM 908056]
S4 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [10/01/2009 2:27 PM 297752]
S4 avgfws8;AVG8 Firewall;c:\progra~1\AVG\AVG8\avgfws8.exe [09/08/2009 1:07 PM 1370488]
.
Contents of the 'Scheduled Tasks' folder

2010-04-29 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 00:30]

2010-04-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-04-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-27 13:28]

2010-04-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-27 13:28]

2010-04-29 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-57989841-1592454029-725345543-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 04:09]

2010-04-29 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-57989841-1592454029-725345543-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 04:09]

2010-04-29 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-57989841-1592454029-725345543-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 04:09]

2010-04-29 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-57989841-1592454029-725345543-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 04:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-29 17:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x82D4C6D8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf86abf28
\Driver\ACPI -> ACPI.sys @ 0xf853ecb8
\Driver\atapi -> 0x82d4c6d8
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Intel(R) PRO/100 VE Network Connection -> SendCompleteHandler -> 0x829008f0
PacketIndicateHandler -> NDIS.sys @ 0xf83f7a21
SendHandler -> NDIS.sys @ 0xf83d587b
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x094FE9BD
malicious code @ sector 0x094FE9C0 !
PE file found in sector at 0x094FE9D6 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

**************************************************************************
.
Completion time: 2010-04-29 17:52:10
ComboFix-quarantined-files.txt 2010-04-29 22:52

Pre-Run: 3,506,909,184 bytes free
Post-Run: 13,486,489,600 bytes free

- - End Of File - - 048380970F3D4D112A04634118D72BF0

Everything went well, I guess. I am not sure I was able to disable AVG, as required, as it showed a message at the beginning of the scan telling me it was still active!
I appreciate your help. This scan actually cleared almost 10 GB off! I should mention that two years ago, I had to do a Repair Install and I think I might have installed a second copy of XP on this computer by accident!

Thanks again!
 
To disable AVG 8.5, you can follow the instructions located at the website below:

http://www.avg.com/us-en/faq?num=1209


Do you or the other person using the computer recognize the following files/links?

C:\Documents and Settings\Altino\Favorites\New Folder\Altino`s Links\Links\Karisik çizgi romanlar - Sayfa 19 - Forumuz.biz.url
C:\Documents and Settings\Altino\Favorites\New Folder\Çizgi Roman Istekleri - Sayfa 43 - Forumuz.biz.url
C:\Documents and Settings\Altino\Favorites\New Folder\Çizgiroman Dagitim - Sayfa 14 - Forumuz.biz.url
C:\Documents and Settings\Altino\My Documents\Altino\Favorites\Altino`s Links\Links\Karisik çizgi romanlar - Sayfa 19 - Forumuz.biz.url
C:\Documents and Settings\Altino\My Documents\Altino\Favorites\Çizgi Roman Istekleri - Sayfa 43 - Forumuz.biz.url
C:\Documents and Settings\Altino\My Documents\Altino\Favorites\Çizgiroman Dagitim - Sayfa 14 - Forumuz.biz.url
C:\Documents and Settings\Altino\My Documents\Altino\Recent\Bossa NnRoses.lnk
C:\Documents and Settings\Christian\Desktop\Altino's favorites\Altino`s Links\Links\Karisik çizgi romanlar - Sayfa 19 - Forumuz.biz.url
C:\Documents and Settings\Christian\Desktop\Altino's favorites\Çizgi Roman Istekleri - Sayfa 43 - Forumuz.biz.url
C:\Documents and Settings\Christian\Desktop\Altino's favorites\Çizgiroman Dagitim - Sayfa 14 - Forumuz.biz.url
C:\Documents and Settings\Christian\My Documents\Christian\Desktop\RE_ Yvon et Phalla...


Did you or the other account user open/recognize the following ports?

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"7957:TCP"= 7957:TCP:Services
"7958:TCP"= 7958:TCP:Services
"3071:TCP"= 3071:TCP:Services
"4642:TCP"= 4642:TCP:Services
"2338:TCP"= 2338:TCP:Services
"3176:TCP"= 3176:TCP:Services
"1666:TCP"= 1666:TCP:Services
"1832:TCP"= 1832:TCP:Services



Upload Files

Go to Jotti
Copy the following line into the white textbox:
c:\windows\system32\ezsidmv.dat
Click Submit.
Please post the results of this scan to this thread.

If Jotti is busy, Go to VirusTotal and scan the file(s) there.


Please run the following:

  • Download TDSSKiller and save it to your Desktop.

Extract TDSSKiller.exe to your Desktop.

Run TDSSKiller.exe. You may be prompted to restart your machine. Type Y at the prompt

Once complete, a log will be produced at root. It will be named

UtilityName.Version_Date_Time_log.txt.

for example, C:\TDSSKiller.2.2.0_27.1.2010_15.31.43_log.txt.

If TDSSKiller does not reboot your computer, please reboot it.

Once it has booted back up, do the following:


Run Batchfile

Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the codebox to Notepad. Save it as "All Files" and name it mbrlog.bat. Please save it on your Desktop.

Code:
@echo off
rem run Gmer's MBR detector in scan-only mode; it writes mbr.log in the current folder
mbr.exe -t
rem open the log in the default text viewer
start mbr.log
rem remove this batch file once it has run
del %0

Double click mbrlog.bat. A window will open and close. This is normal.


In your next post/reply, I need to see the following:

1. Answers to my questions about the files/links and the open firewall ports.
2. The Jotti/Virustotal Results
3. The TDSSKiller Log
4. The mbrlog.bat Log/Results
 
More logs

Hi!

First off, in response to your question: we know what those files/links are and use them frequently, except for the last one (which was an old email I had saved to my desktop a long time ago, I think) and the one that reads "BossaNnRoses", which is an old music file from years ago! Those two files are not important. As for the ports, we have no clue what they are or what they do!

Now, about the logs: I was successful with the VirusTotal one, although it didn't give the option of saving a log. I copied it to the note pad and will attach it here at the end of my paragraph. The second one gave me a hard time. I was simply unable to run the file! I tried everything, downloaded it a second time and it still does nothing. It doesn't open or anything! Hopefully, I did the right thing by moving on. I was able to save the mbrlog.bat log.
So here are two of the three logs requested:

File ezsidmv.dat received on 2010.04.30 20:43:47 (UTC)
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.04.30 -
AhnLab-V3 2010.04.30.02 2010.04.30 -
AntiVir 8.2.1.224 2010.04.30 -
Antiy-AVL 2.0.3.7 2010.04.30 -
Authentium 5.2.0.5 2010.04.30 -
Avast 4.8.1351.0 2010.04.30 -
Avast5 5.0.332.0 2010.04.30 -
AVG 9.0.0.787 2010.04.30 -
BitDefender 7.2 2010.04.30 -
CAT-QuickHeal 10.00 2010.04.29 -
ClamAV 0.96.0.3-git 2010.04.30 -
Comodo 4721 2010.04.30 -
DrWeb 5.0.2.03300 2010.04.30 -
eSafe 7.0.17.0 2010.04.29 -
eTrust-Vet 35.2.7462 2010.04.30 -
F-Prot 4.5.1.85 2010.04.30 -
F-Secure 9.0.15370.0 2010.04.30 -
Fortinet 4.0.14.0 2010.04.30 -
GData 21 2010.04.30 -
Ikarus T3.1.1.80.0 2010.04.30 -
Jiangmin 13.0.900 2010.04.29 -
Kaspersky 7.0.0.125 2010.04.30 -
McAfee 5.400.0.1158 2010.04.30 -
McAfee-GW-Edition 6.8.5 2010.04.30 -
Microsoft 1.5703 2010.04.30 -
NOD32 5076 2010.04.30 -
Norman 6.04.12 2010.04.30 -
nProtect 2010-04-30.01 2010.04.30 -
Panda 10.0.2.7 2010.04.30 -
PCTools 7.0.3.5 2010.04.30 -
Prevx 3.0 2010.04.30 -
Rising 22.45.04.03 2010.04.30 -
Sophos 4.53.0 2010.04.30 -
Sunbelt 6242 2010.04.30 -
Symantec 20091.2.0.41 2010.04.30 -
TheHacker 6.5.2.0.274 2010.04.30 -
TrendMicro 9.120.0.1004 2010.04.30 -
TrendMicro-HouseCall 9.120.0.1004 2010.04.30 -
VBA32 3.12.12.4 2010.04.30 -
ViRobot 2010.4.30.2297 2010.04.30 -
VirusBuster 5.0.27.0 2010.04.30 -

Additional information
File size: 56 bytes
MD5...: a02aaf0f1779e3395d94b346b477c858
SHA1..: 2ed5eec2a37357689fd37e787916d67502434c7d
SHA256: 65a4d998672e09f4995307d7b9e0a3fc7dc30425469b916a5f14b265fc827690
ssdeep: 3:pfCAnY/rg1CSupwCsftDn:pfCA4U1buelftD
PEiD..: -
PEInfo: -
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Unknown!
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

And:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x82D601A0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x82d601a0
NDIS: Intel(R) PRO/100 VE Network Connection -> SendCompleteHandler -> 0x828e78f0
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x094FE9BD
malicious code @ sector 0x094FE9C0 !
PE file found in sector at 0x094FE9D6 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

Looking forward to reading your next instructions! Thanks!
 
except for the last one (which was an old email I had saved to my desktop a long time ago, I think) and the one that reads "BossaNnRoses", which is an old music file from years ago! Those two files are not important.

If you no longer use/need those files you can go ahead and delete them. :)


Step # 1: Download and Run HAMeb_Check by noahdfear.

Download and run HAMeb_check.exe
Post the contents of the resulting log.



Step # 2 Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    Code:
    :filefind
    atapi.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found at on your Desktop entitled SystemLook.txt



Step # 3 Download and Run Maxlook by noahdfear.

You must first verify that you can logon to the Windows Recovery Console.
To do so, you must have the Recovery Console installed or use the Windows XP installation cd.

How to install and use the Windows XP Recovery Console

If you do not have Recovery Console installed, let me know and do not go any further with this step.

Next, please download maxlook, saving the file to your desktop.
Double click maxlook.exe to run it. Note - you must run it only once!
As instructed when the tool runs, restart the computer and logon to the Recovery Console.
Execute the following command at the x:\windows> prompt, where x is your operating system drive letter, usually C

batch look.bat

[screenshot: lookXP.gif]


You will see 1 file copied many times then return to the x:\windows> prompt.
Type Exit to restart your computer then logon in normal mode.

Once back in Windows, go to Start > Run, and copy/paste the following then press Enter.

maxlook -sig

Follow the prompts, and post the log produced, C:\looklog.txt


In your next post/reply, I need to see the following:

1. The HAMeb_check Log
2. The SystemLook Log
3. The Maxlook Log
 
The dreaded recovery console!

Hi,

I was able to get the first two logs. As for the third thing you need me to run, how do I know whether I have the recovery console installed or not? I think I do, but am not sure. In fact, if I'm not mistaken, you asked me to run something the other day that prompted an auto-install of the console, which was successful. Is there an easy way to find out? I hope I don't have to hunt around for the install cd, because I bought this computer with XP already installed and had to fight with Dell's Customer Service for them to send me some kind of back up! All they sent me was 3-4 disks containing backup for this and that and to repair or reinstall Windows. I don't remember seeing the recovery console on one of them, but I could be wrong.

In any case, I am posting the first two logs as requested. By the way, can you tell me your first impressions on the situation? I keep seeing the word "infected" in those logs, but what is the infection? Just a trojan?

C:\Documents and Settings\Christian.CATSEYE2\Local Settings\Temporary Internet Files\Content.IE5\IGCKVC2N\HAMeb_check[1].exe
30/04/2010 at 19:57:53.34

Account active Yes
Local Group Memberships *Administrators

~~ Checking profile list ~~

S-1-5-21-57989841-1592454029-725345543-1000
%SystemDrive%\Documents and Settings\HelpAssistant

~~ Checking for HelpAssistant directories ~~

HelpAssistant

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x829CE770]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x829ce770
NDIS: Intel(R) PRO/100 VE Network Connection -> SendCompleteHandler -> 0x828dd8f0
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x094FE9BD
malicious code @ sector 0x094FE9C0 !
PE file found in sector at 0x094FE9D6 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

~~ Checking for termsrv32.dll ~~

termsrv32.dll present!


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv32.dll

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"3246:TCP"=3246:TCP:*:Enabled:Services
"2479:TCP"=2479:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
"7957:TCP"=7957:TCP:*:Enabled:Services
"7958:TCP"=7958:TCP:*:Enabled:Services
"3071:TCP"=3071:TCP:*:Enabled:Services
"4642:TCP"=4642:TCP:*:Enabled:Services
"2338:TCP"=2338:TCP:*:Enabled:Services
"3176:TCP"=3176:TCP:*:Enabled:Services
"1666:TCP"=1666:TCP:*:Enabled:Services
"1832:TCP"=1832:TCP:*:Enabled:Services
"2898:TCP"=2898:TCP:*:Enabled:Services
"4296:TCP"=4296:TCP:*:Enabled:Services

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"3246:TCP"=3246:TCP:*:Enabled:Services
"2479:TCP"=2479:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
"7957:TCP"=7957:TCP:*:Enabled:Services
"7958:TCP"=7958:TCP:*:Enabled:Services
"3071:TCP"=3071:TCP:*:Enabled:Services
"4642:TCP"=4642:TCP:*:Enabled:Services
"2338:TCP"=2338:TCP:*:Enabled:Services
"3176:TCP"=3176:TCP:*:Enabled:Services
"1666:TCP"=1666:TCP:*:Enabled:Services
"1832:TCP"=1832:TCP:*:Enabled:Services
"2898:TCP"=2898:TCP:*:Enabled:Services
"4296:TCP"=4296:TCP:*:Enabled:Services


~~ EOF ~~


AND:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 19:59 on 30/04/2010 by Christian (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi.sys"
C:\I386\atapi.sys --a--c 95360 bytes [00:08 15/04/2005] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [23:21 30/03/2010] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 96512 bytes [22:47 29/04/2010] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [18:40 13/04/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\SYSTEM32\DRIVERS\atapi.sys --a--- 96512 bytes [10:00 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\SYSTEM32\ReinstallBackups\0036\DriverFiles\i386\atapi.sys --a--c 95360 bytes [16:38 09/08/2009] [10:00 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\SYSTEM32\ReinstallBackups\0044\DriverFiles\i386\atapi.sys --a--c 95360 bytes [16:38 09/08/2009] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

-=End Of File=-
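The SystemLook listing above gives every copy of atapi.sys on the disk with its size and MD5, which is what the :filefind step was for. The script below is an added example written for this page, not part of SystemLook or of the thread; it parses a constructed listing in the same format (modelled on the posted log) and checks whether the driver actually loaded from system32\drivers hashes the same as the service-pack or dllcache copy. Here the hashes agree (9F3A...), as they do in the posted log. The caveat a responder should keep in mind is that mbr.exe still reports a hook on \Driver\atapi: a clean file on disk does not clear a driver object that the MBR rootkit patched in memory after boot.

```python
"""Cross-check the atapi.sys copies listed by a SystemLook ':filefind' run.

Added example for this page; not part of SystemLook or of the thread. SAMPLE is
a constructed listing modelled on the log posted above.
"""
import re
from collections import defaultdict

SAMPLE = r"""
Searching for "atapi.sys"
C:\I386\atapi.sys --a--c 95360 bytes [00:08 15/04/2005] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [18:40 13/04/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\SYSTEM32\DRIVERS\atapi.sys --a--- 96512 bytes [10:00 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\SYSTEM32\ReinstallBackups\0036\DriverFiles\i386\atapi.sys --a--c 95360 bytes [16:38 09/08/2009] [10:00 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
"""

# One SystemLook result line: path, attribute flags, size, created, modified, MD5.
LINE_RE = re.compile(
    r"^(?P<path>.+?\.sys)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_filefind(text):
    """Return a list of dicts, one per file SystemLook reported."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"])
            e["md5"] = e["md5"].upper()
            entries.append(e)
    return entries


def is_live_driver(path):
    """The copy the kernel actually loads at boot."""
    return path.lower().endswith(r"\system32\drivers\atapi.sys")


def is_reference_copy(path):
    """Copies Windows keeps for repair: service pack cache and dllcache."""
    p = path.lower()
    return "\\servicepackfiles\\" in p or "\\dllcache\\" in p


def group_by_hash(entries):
    """md5 -> paths, so a lone odd-one-out hash stands out immediately."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["md5"]].append(e["path"])
    return dict(groups)


def cross_check(entries):
    """Return (verdict, detail); verdict is 'match', 'mismatch' or 'unknown'."""
    live = [e for e in entries if is_live_driver(e["path"])]
    refs = [e for e in entries if is_reference_copy(e["path"])]
    if not live:
        return "unknown", "no copy under system32\\drivers in the listing"
    if not refs:
        return "unknown", "no service-pack or dllcache copy to compare against"
    live = live[0]
    ref_hashes = sorted({r["md5"] for r in refs})
    if live["md5"] in ref_hashes:
        return "match", f"{live['path']} has MD5 {live['md5']}, same as a reference copy"
    return "mismatch", f"{live['path']} has MD5 {live['md5']}; reference copies are {ref_hashes}"


if __name__ == "__main__":
    ents = parse_filefind(SAMPLE)
    for md5, paths in group_by_hash(ents).items():
        print(md5, len(paths), "copies")
    print(*cross_check(ents))
```

To use it on a real SystemLook.txt, read the file and pass its contents to parse_filefind. A "match" verdict only says the bytes on disk are the service-pack build of the driver; the hook mbr.exe reports on \Driver\atapi lives in the kernel's driver object, not in the file.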
 
I was able to get the first two logs. As for the third thing you need me to run, how do I know whether I have the recovery console installed or not?

When you start the computer, do you see a screen that lets you select between Windows XP and Recovery Console? If you do, then you have Recovery Console installed. :) When that screen comes up, press the up or down arrow and select Recovery Console before the time runs out. If you do see this screen and do have the Recovery Console, go ahead and do Step #3 of my previous post.


if I'm not mistaken, you asked me to run something the other day that prompted an auto-install of the console, which was successful.

That was ComboFix. :)


in any case, I am posting the first two logs as requested. By the way, can you tell me your first impressions on the situation? I keep seeing the word "infected" in those logs, but what is the infection? Just a trojan?

What I'm seeing from the logs, particularly the HAMeb_check log, is that you have the HelpAssistant infection/virus. This virus opens up bad firewall ports, slows your computer down, creates a HelpAssistant directory in the Documents and Settings folder, which can fill up quickly and use your hard drive space, and it can infect the master boot record.
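The indicators named in the reply above (the HelpAssistant profile directory, the TermService ServiceDll swapped for termsrv32.dll, the string of globally open TCP ports, the mbr.exe verdict) can be pulled out of a HAMeb_check log mechanically. The Python script below is an added example for this page, not part of HAMeb_check, ComboFix or the thread. It runs over a constructed log modelled on the one posted above and reports each indicator it finds. The sector numbers from the MBR detector are converted to byte offsets on the assumption of 512-byte sectors, and the port parser accepts both the long HAMeb_check form and the shorter form ComboFix printed earlier in the thread (entries in the short form are treated as enabled with scope '*', which is an assumption).

```python
"""Pull the HelpAssistant / MBR-rootkit indicators out of a HAMeb_check-style log.

Added example for this thread, not part of HAMeb_check or ComboFix. SAMPLE_LOG is
constructed, modelled on the log posted above; the second firewall block uses the
shorter GloballyOpenPorts form that ComboFix prints.
"""
import re

SECTOR_SIZE = 512  # assumption: the detector reports 512-byte sectors

SAMPLE_LOG = r"""
~~ Checking profile list ~~

S-1-5-21-57989841-1592454029-725345543-1000
%SystemDrive%\Documents and Settings\HelpAssistant

~~ Checking mbr ~~

detected MBR rootkit hooks:
\Driver\atapi -> 0x829ce770
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x094FE9BD
malicious code @ sector 0x094FE9C0 !
PE file found in sector at 0x094FE9D6 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

~~ Checking for termsrv32.dll ~~

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv32.dll

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
"7957:TCP"=7957:TCP:*:Enabled:Services
"1666:TCP"=1666:TCP:*:Enabled:Services

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop
"7957:TCP"= 7957:TCP:Services
"1666:TCP"= 1666:TCP:Services
"""

PROFILE_RE = re.compile(r"firewallpolicy\\(\w+)\\GloballyOpenPorts", re.I)
# Long form: "port:proto"=port:proto:scope:Enabled:name; short form omits scope/state.
PORT_RE = re.compile(
    r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(?:([^:]*):(Enabled|Disabled):)?(.*)$'
)
SECTOR_RE = re.compile(r"sector (?:at )?(0x[0-9A-Fa-f]+)")
SERVICEDLL_RE = re.compile(r"^ServiceDll\s+REG_EXPAND_SZ\s+(\S+)", re.M)


def sector_to_offset(sector_hex):
    """Byte offset on disk of a sector number printed by the detector."""
    return int(sector_hex, 16) * SECTOR_SIZE


def parse_open_ports(text):
    """{profile: [(port, proto, scope, name)]} for enabled GloballyOpenPorts entries."""
    ports, profile = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = PROFILE_RE.search(line)
        if m:
            profile = m.group(1).lower()
            ports.setdefault(profile, [])
            continue
        m = PORT_RE.match(line)
        if m and profile is not None:
            port, proto, scope, state, name = m.groups()
            if state in (None, "Enabled"):  # short form carries no state: assume enabled
                ports[profile].append((int(port), proto, scope or "*", name.strip()))
    return ports


def triage(text):
    """Return one finding string per indicator present in the log."""
    findings = []
    # HelpAssistant is a built-in XP account; a profile directory for it is the tell.
    if re.search(r"\\Documents and Settings\\HelpAssistant\s*$", text, re.M):
        findings.append("HelpAssistant has a profile directory under Documents and Settings")
    # Terminal Services should load %SystemRoot%\System32\termsrv.dll, nothing else.
    m = SERVICEDLL_RE.search(text)
    if m and not m.group(1).lower().endswith("\\termsrv.dll"):
        findings.append(f"TermService ServiceDll is {m.group(1)} (expected ...\\termsrv.dll)")
    if "MBR rootkit infection detected" in text:
        sectors = ", ".join(f"{s} (byte {sector_to_offset(s)})" for s in SECTOR_RE.findall(text))
        findings.append(f"mbr.exe: MBR rootkit detected; sectors flagged: {sectors}")
    for profile, entries in sorted(parse_open_ports(text).items()):
        generic = sorted(p for p, _, _, name in entries if name == "Services")
        if generic:
            findings.append(f"{profile}: {len(generic)} globally open TCP ports named only 'Services': {generic}")
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("-", f)
```

Port 3389 (Remote Desktop) is left out of the "Services" count because it carries a real name, but on a home machine it still deserves the same question the helper asks about the others.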
 
Maxlook

Hello,
I'm stuck! I did find the recovery console and ran Maxlook. I restarted my computer, copied/pasted maxlook -sig. The next thing that popped up was the .exe file prompting me to run the application! Of course, since I was warned not to run Maxlook more than once, I didn't!
So as a result, I don't have a log!! Did I do something wrong?
 
Let's try it again, step by step.

First, boot up your computer into Normal Mode and once your computer loads, go to Start > Run, and copy/paste the following into the Run box then press Enter.

maxlook -cleanup


Once that is done, still in normal mode, double click maxlook.exe to run it. Note - you must run it only once!

As instructed when the tool runs, restart the computer and logon to the Recovery Console.

Once in Recovery Console, execute the following command at the x:\windows> prompt, where x is your operating system drive letter, usually C

batch look.bat

[screenshot: lookXP.gif]


You will see 1 file copied many times then return to the x:\windows> prompt.
Type Exit to restart your computer then logon in normal mode.

Once back in Normal Mode, go to Start > Run, and copy/paste the following into the Run box then press Enter.

maxlook -sig

Follow the prompts, and post the log produced, C:\looklog.txt
 
Maxlook saga

Well, I don't know why, but it simply doesn't work. I followed your instructions to the letter. The cleanup file ran and then in the window, it said "press any key to continue", which I did, and then the box disappeared. I never saw a message that prompted me to restart my computer. So I did restart it and went to the Recovery Console, entered the "batch look.bat" command, only this time, it says something to the effect of "file not found"! I was really careful, read everything several times, step by step, and double-checked the spelling and everything. What can I do! (I wish you were my next door neighbour, it would be easier!!!)
 
It's no problem, we'll try again. :)

Did you have maxlook.exe on your computer after running maxlook -cleanup, or was it gone? If it was gone, I think what happened was that when you ran maxlook -cleanup, it deleted the maxlook.exe and look.bat files. My fault for not having you redownload maxlook.exe again. Let's do this again.

First, please download maxlook, saving the file to your Desktop.

Once maxlook.exe has been saved to your Desktop, repeat the steps from my last post:

double click maxlook.exe to run it. Note - you must run it only once!

As instructed when the tool runs, restart the computer and logon to the Recovery Console.

Once in the Recovery Console, execute the following command at the x:\windows> prompt (the x represents your operating system drive letter, usually C):

batch look.bat

(screenshot: lookXP.gif)


You will see 1 file copied many times then return to the x:\windows> prompt.
Type Exit to restart your computer then logon in normal mode.

Once back in Normal Mode, go to Start > Run, and copy/paste the following into the Run box then press Enter.

maxlook -sig

Follow the prompts, and post the log produced, C:\looklog.txt
 
Looklog

Hello, here's the log. It's rather short! I was sort of expecting another long one full of complicated codes!!

Code:
Run from C:\Documents and Settings\Christian.CATSEYE2\Desktop\maxlook.exe on 03/05/2010 at 19:41:48.89

--------- maxlook unsigned files ---------

c:\windows\maxdriver\cercsr6.sys:
	Verified:	Unsigned
	File date:	4:14 PM 13/12/2004
	Publisher:	Adaptec, Inc.
	Description:	DELL CERC SATA1.5/6ch Miniport Driver
	Product:	Dell RAID Controller
	Version:	4.1.0.7405
	File version:	4.1.0.7405
c:\windows\maxdriver\omci.sys:
	Verified:	Unsigned
	File date:	8:42 AM 22/08/2001
	Publisher:	Dell Computer Corporation
	Description:	OMCI Device Driver
	Product:	OMCI Driver
	Version:	6, 1, 0, 242
	File version:	6, 1, 0, 242

--------- system32\drivers unsigned files ---------

c:\windows\system32\drivers\cercsr6.sys:
	Verified:	Unsigned
	File date:	4:14 PM 13/12/2004
	Publisher:	Adaptec, Inc.
	Description:	DELL CERC SATA1.5/6ch Miniport Driver
	Product:	Dell RAID Controller
	Version:	4.1.0.7405
	File version:	4.1.0.7405
c:\windows\system32\drivers\omci.sys:
	Verified:	Unsigned
	File date:	8:42 AM 22/08/2001
	Publisher:	Dell Computer Corporation
	Description:	OMCI Device Driver
	Product:	OMCI Driver
	Version:	6, 1, 0, 242
	File version:	6, 1, 0, 242


Looking forward to hearing the next step!
Thanks!
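The log above has a regular shape (a header per listing, then one path line per file followed by tab-indented fields), so a responder working through many of these can parse it rather than read it by eye. The following is an added example, not code from the thread or from the maxlook tool: it parses a looklog.txt, cross-checks the two listings against each other and picks out unsigned files that carry no publisher at all. Two things are assumptions of mine, not statements by the tool's author: that the "maxlook" listing is the copy taken via the Recovery Console and the "system32\drivers" listing is the running system's view, and the sample log embedded below, which is constructed for the example (it deliberately contains an extra driver in one listing so the cross-check has something to report).

```python
"""Parse a maxlook-style looklog.txt and cross-check its two listings.

Added example; not the tool's own code. Log layout inferred from the log
posted in the thread: '--------- <listing> unsigned files ---------',
then per file a path line ending in ':' and tab-indented 'Key:<TAB>Value'
lines. SAMPLE_LOG is constructed for this example.
"""
import re

SAMPLE_LOG = """\
Run from C:\\Documents and Settings\\user\\Desktop\\maxlook.exe on 03/05/2010 at 19:41:48.89

--------- maxlook unsigned files ---------

c:\\windows\\maxdriver\\cercsr6.sys:
\tVerified:\tUnsigned
\tFile date:\t4:14 PM 13/12/2004
\tPublisher:\tAdaptec, Inc.
\tVersion:\t4.1.0.7405
\tFile version:\t4.1.0.7405
c:\\windows\\maxdriver\\atapi.sys:
\tVerified:\tUnsigned
\tFile date:\t1:00 AM 01/01/2010
\tPublisher:\tn/a
\tVersion:\tn/a
\tFile version:\tn/a

--------- system32\\drivers unsigned files ---------

c:\\windows\\system32\\drivers\\cercsr6.sys:
\tVerified:\tUnsigned
\tFile date:\t4:14 PM 13/12/2004
\tPublisher:\tAdaptec, Inc.
\tVersion:\t4.1.0.7405
\tFile version:\t4.1.0.7405
"""

HEADER_RE = re.compile(r"^-{3,}\s*(.+?)\s+unsigned files\s*-{3,}$")
COMPARE_FIELDS = ("File date", "Publisher", "Version", "File version")


def parse_looklog(text):
    """Return {listing: {basename: {field: value, 'path': full path}}}."""
    listings, current, entry = {}, None, None
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:
            current = m.group(1)
            listings[current] = {}
            entry = None
            continue
        if current is None or not line.strip():
            continue  # preamble ('Run from ...') or blank separator
        if line.startswith("\t"):
            if entry is None:
                raise ValueError("field line before any path: %r" % line)
            # split on ':<TAB>' so values containing ':' (times) survive
            key, _, value = line.strip().partition(":\t")
            entry[key.strip()] = value.strip()
        elif line.endswith(":"):
            path = line[:-1]
            entry = {"path": path}
            listings[current][path.rsplit("\\", 1)[-1].lower()] = entry
    return listings


def cross_check(listings, offline="maxlook", online="system32\\drivers"):
    """Drivers present in only one listing, or differing between the two.

    Assumption: 'maxlook' = offline copy, 'system32\\drivers' = live view.
    A file in both with identical metadata is merely unsigned; a file in
    one only, or with mismatched metadata, deserves a closer look.
    """
    a, b = listings.get(offline, {}), listings.get(online, {})
    findings = []
    for name in sorted(set(a) | set(b)):
        if name not in b:
            findings.append((name, "only in offline listing"))
        elif name not in a:
            findings.append((name, "only in live listing"))
        else:
            diffs = [f for f in COMPARE_FIELDS if a[name].get(f) != b[name].get(f)]
            if diffs:
                findings.append((name, "mismatch: " + ", ".join(diffs)))
    return findings


def unsigned_without_publisher(listings):
    """Unsigned files with no publisher string: the weakest provenance."""
    out = []
    for listing, entries in listings.items():
        for name, e in entries.items():
            unsigned = e.get("Verified", "").lower() == "unsigned"
            if unsigned and e.get("Publisher", "").lower() in ("", "n/a"):
                out.append((listing, name))
    return sorted(out)


if __name__ == "__main__":
    parsed = parse_looklog(SAMPLE_LOG)
    for name, why in cross_check(parsed):
        print("%-14s %s" % (name, why))
    for listing, name in unsigned_without_publisher(parsed):
        print("no publisher:  %s (%s)" % (name, listing))
```

On the log actually posted in the thread both listings agree and every unsigned file names Dell or Adaptec as publisher, which is why the responder could say there was nothing to see; the constructed atapi.sys entry shows what a discrepancy looks like when there is one.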
 
Nice work on getting the Maxlook Log. :D I see no problems in the log. :)

Let's continue.


Step # 1: Download and Run HelpAsst_mebroot_fix by noahdfear.

Please download HelpAsst_mebroot_fix.exe and save it to your desktop.
Close out all other open programs and windows.
Double click the file to run it and follow any prompts.
If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.


In the event the tool does not detect an mbr infection and completes, click Start>Run and type the following bolded command, then hit Enter.

mbr -f

Now, please do the Start>Run>mbr -f command a second time.
Now shut down the computer (do not restart, but shut it down), wait a few minutes then start it back up.
Give it about 5 minutes, then click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.

**Important note to Dell users - fixing the mbr may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).
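The Dell caveat above comes down to what an MBR repair actually rewrites. The sector is 512 bytes: 446 bytes of boot code, a 64-byte partition table of four 16-byte entries, and the 0x55AA signature. A bootkit replaces the boot code and leaves the table alone so the system still boots; a repair that writes standard boot code back does the same in reverse, and any OEM code living in those 446 bytes (such as a restore-key hook) goes with it. The following is an added example, not the helpasst or mbr tool's code and not from the thread: it builds a constructed sector, parses the partition table, compares the boot code with a reference image, and shows that rewriting the boot-code area leaves the partition table untouched. REFERENCE_BOOT_CODE is a stand-in, not real loader code (assumption: the responder has a known-good image to compare against), and the partition layout is invented for the example.

```python
"""Inspect a 512-byte MBR and show what a boot-code rewrite touches.

Added example; not the mbr/helpasst tool's code. Layout is the standard
one: 446 bytes boot code, 4 x 16-byte partition entries, 0x55AA. All
sector contents below are constructed for the example.
"""
import hashlib
import struct

SECTOR, BOOT_CODE_LEN, TABLE_OFF, SIG_OFF = 512, 446, 446, 510
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, size


def build_mbr(boot_code, partitions):
    """Assemble a sector from boot code (<=446 bytes) and up to 4 entries.

    partitions: list of (bootable, type_byte, lba_start, sector_count).
    CHS fields are zeroed; LBA-capable loaders ignore them.
    """
    if len(boot_code) > BOOT_CODE_LEN or len(partitions) > 4:
        raise ValueError("boot code too long or too many partitions")
    sec = bytearray(boot_code.ljust(BOOT_CODE_LEN, b"\x00"))
    for i in range(4):
        if i < len(partitions):
            bootable, ptype, lba, size = partitions[i]
            sec += struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00,
                               b"\0\0\0", ptype, b"\0\0\0", lba, size)
        else:
            sec += bytes(16)
    sec += b"\x55\xaa"
    return bytes(sec)


def parse_mbr(sec):
    """Validate the signature and return the boot-code hash and used entries."""
    if len(sec) != SECTOR:
        raise ValueError("expected a 512-byte sector")
    if sec[SIG_OFF:] != b"\x55\xaa":
        raise ValueError("missing 55AA boot signature")
    parts = []
    for i in range(4):
        off = TABLE_OFF + 16 * i
        flag, _c0, ptype, _c1, lba, size = struct.unpack(ENTRY_FMT, sec[off:off + 16])
        if ptype == 0:
            continue  # empty slot
        if flag not in (0x00, 0x80):
            raise ValueError("entry %d has invalid status byte 0x%02x" % (i, flag))
        parts.append({"index": i, "bootable": flag == 0x80,
                      "type": ptype, "lba": lba, "sectors": size})
    return {"boot_code_sha256": hashlib.sha256(sec[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts}


def boot_code_matches(sec, reference):
    """True when bytes 0..445 equal the (zero-padded) reference image."""
    return sec[:BOOT_CODE_LEN] == reference.ljust(BOOT_CODE_LEN, b"\x00")


def rewrite_boot_code(sec, reference):
    """Replace bytes 0..445 only; partition table and signature are kept.

    This is the shape of an MBR 'fix', and also why OEM code stored in
    that area does not survive it.
    """
    return reference.ljust(BOOT_CODE_LEN, b"\x00") + sec[BOOT_CODE_LEN:]


# Constructed data. The first seven bytes are the usual 'xor ax,ax / mov ss,ax /
# mov sp,7c00' opening; the rest is a stand-in, not a real loader.
REFERENCE_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"REFERENCE-LOADER-STANDIN"
# Invented layout: a bootable NTFS (0x07) system partition and a second
# partition of type 0xDE (the type commonly documented as a Dell utility
# partition; assumption for the example).
PARTITIONS = [(True, 0x07, 63, 20000000), (False, 0xDE, 20000063, 100000)]
CLEAN_MBR = build_mbr(REFERENCE_BOOT_CODE, PARTITIONS)
# Same table, different boot code: the footprint of a bootkit infection.
TAMPERED_MBR = build_mbr(b"\xeb\xfe" + b"X" * 60, PARTITIONS)


if __name__ == "__main__":
    for label, sec in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        info = parse_mbr(sec)
        print(label, "boot code matches reference:",
              boot_code_matches(sec, REFERENCE_BOOT_CODE), info["partitions"])
    fixed = rewrite_boot_code(TAMPERED_MBR, REFERENCE_BOOT_CODE)
    print("after rewrite, table unchanged:",
          parse_mbr(fixed)["partitions"] == parse_mbr(TAMPERED_MBR)["partitions"])
```

The point for the Dell case is the last check: the repair restores the boot code and preserves the partitions, so the utility partition is still there, but whatever custom code used to hand off to it at the press of a key is gone; restoring that hook is the "advanced" fix the note refers to.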
 