TechSpot

Having troubles removing rootkit

By emilyrose
May 13, 2011
Hi there, my computer has a rootkit that doesn't seem to want to go away. First I noticed that "Antimalware Doctor" was installed on my computer and I knew this was bad; shortly after, avast popped up saying it had found a rootkit. I let it run a boot-time scan and deleted what it had found, but after it finished the same message popped up wanting to do the boot-time scan again. Instead I just ran MBAM, deleted the infected files and restarted. But it's still there: every time I boot up my computer that same avast message pops up. If I press "No" on "Restart computer", another avast window pops up saying "Suspicious files have been detected (using a heuristic method). This may be a sign of malware infection. Please allow the files to be submitted to our virus lab for analysis." The file name that comes up is "\\.\PHYSICALDRIVE0 MBR:TDL4". I've run the scan several times, as well as MBAM, and it's not finding anything anymore. Every time I search something on Google I get redirected, and sometimes when I restart my taskbar goes back to "Windows Classic style" (even though it's always on "Windows XP style") with no other options. I know it's still in there. So I ran DDS and GMER; these are the results:
    Attach.txt:
    DDS (Ver_11-03-05.01)
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 4/1/2011 2:55:49 PM
    System Uptime: 5/12/2011 5:51:32 PM (3 hours ago)
    .
    Motherboard: | | SiS-661
    Processor: Intel(R) Celeron(R) CPU 1.80GHz | Socket 478 | 1804/100mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 75 GiB total, 50.999 GiB free.
    D: is CDROM (CDFS)
    G: is FIXED (NTFS) - 932 GiB total, 896.21 GiB free.
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: Multimedia Audio Controller
    Device ID: PCI\VEN_1039&DEV_7012&SUBSYS_0C56105B&REV_A0\3&61AAA01&0&17
    Manufacturer:
    Name: Multimedia Audio Controller
    PNP Device ID: PCI\VEN_1039&DEV_7012&SUBSYS_0C56105B&REV_A0\3&61AAA01&0&17
    Service:
    .
    ==== System Restore Points ===================
    .
    RP14: 4/1/2011 6:08:12 PM - Installed PowerDVD
    RP15: 4/1/2011 6:31:34 PM - Installed Microsoft Office Enterprise 2007
    RP16: 4/1/2011 6:41:56 PM - Printer Driver Send To Microsoft OneNote Driver Installed
    RP17: 4/1/2011 6:53:02 PM - Installed Java(TM) 6 Update 18
    RP18: 4/1/2011 7:01:45 PM - Installed Windows XP -- Software Updates KB952011.
    RP19: 4/1/2011 7:05:31 PM - Installed Windows Media Player Firefox Plugin
    RP20: 4/1/2011 7:18:14 PM - Installed Nero 7 Ultra Edition
    RP21: 4/1/2011 8:21:03 PM - Installed iTunes
    RP22: 4/1/2011 9:12:36 PM - Printer Driver Adobe PDF Converter Installed
    RP23: 4/1/2011 9:41:18 PM - avast! Free Antivirus Setup
    RP24: 4/1/2011 11:14:29 PM - Installed Nancy Drew: Secrets Can Kill REMASTERED
    RP25: 4/1/2011 11:36:41 PM - Installed Nancy Drew: Danger by Design
    RP26: 4/2/2011 12:03:13 AM - Installed Nancy Drew: Shadow at the Water's Edge
    RP27: 4/2/2011 9:48:55 PM - Removed Nancy Drew: Danger by Design
    RP28: 4/3/2011 10:47:11 PM - System Checkpoint
    RP29: 4/4/2011 11:36:02 PM - System Checkpoint
    RP30: 4/5/2011 11:53:24 PM - System Checkpoint
    RP31: 4/7/2011 7:17:14 PM - System Checkpoint
    RP32: 4/9/2011 1:44:01 PM - System Checkpoint
    RP33: 4/10/2011 4:55:51 PM - System Checkpoint
    RP34: 4/11/2011 5:37:23 PM - System Checkpoint
    RP35: 4/11/2011 10:50:08 PM - Installed The Sims Deluxe Edition
    RP36: 4/12/2011 11:45:38 PM - System Checkpoint
    RP37: 4/14/2011 1:28:06 PM - System Checkpoint
    RP38: 4/16/2011 1:21:35 PM - System Checkpoint
    RP39: 4/17/2011 8:59:35 PM - System Checkpoint
    RP40: 4/19/2011 8:19:22 PM - System Checkpoint
    RP41: 4/20/2011 2:03:13 AM - Printer Driver HP Officejet J4500 Series fax Installed
    RP42: 4/21/2011 1:27:37 PM - System Checkpoint
    RP43: 4/22/2011 2:54:34 PM - System Checkpoint
    RP44: 4/23/2011 2:57:09 PM - System Checkpoint
    RP45: 4/24/2011 7:32:32 PM - System Checkpoint
    RP46: 4/25/2011 7:43:33 PM - System Checkpoint
    RP47: 4/26/2011 8:22:05 PM - System Checkpoint
    RP48: 4/27/2011 9:38:14 PM - System Checkpoint
    RP49: 4/29/2011 3:01:28 PM - System Checkpoint
    RP50: 4/30/2011 4:48:42 PM - System Checkpoint
    RP51: 5/1/2011 5:06:48 PM - System Checkpoint
    RP52: 5/2/2011 6:25:28 PM - System Checkpoint
    RP53: 5/3/2011 7:16:46 PM - System Checkpoint
    RP54: 5/3/2011 11:27:03 PM - Installed The Sims Hot Date
    RP55: 5/3/2011 11:41:30 PM - Installed The Sims Vacation
    RP56: 5/3/2011 11:52:29 PM - Installed The Sims Deluxe Edition
    RP57: 5/5/2011 12:07:10 AM - System Checkpoint
    RP58: 5/5/2011 12:40:10 AM - Installed The Sims Unleashed
    RP59: 5/5/2011 1:12:44 AM - Installed The Sims Superstar
    RP60: 5/6/2011 12:10:16 PM - System Checkpoint
    RP61: 5/7/2011 12:21:28 PM - System Checkpoint
    RP62: 5/9/2011 1:23:28 AM - System Checkpoint
    RP63: 5/11/2011 8:29:08 PM - System Checkpoint
    RP64: 5/12/2011 1:29:50 AM - Installed HiJackThis
    .
    ==== Installed Programs ======================
    .
    µTorrent
    32 Bit HP CIO Components Installer
    4500_Help
    Add or Remove Adobe Creative Suite 3 Master Collection
    Adobe Acrobat 8 Professional
    Adobe After Effects CS3 Presets
    Adobe AIR
    Adobe Anchor Service CS3
    Adobe Asset Services CS3
    Adobe Bridge CS3
    Adobe Bridge Start Meeting
    Adobe BridgeTalk Plugin CS3
    Adobe Camera Raw 4.0
    Adobe CMaps
    Adobe Color - Photoshop Specific
    Adobe Color Common Settings
    Adobe Color EU Extra Settings
    Adobe Color JA Extra Settings
    Adobe Color NA Recommended Settings
    Adobe Creative Suite 3 Master Collection
    Adobe Default Language CS3
    Adobe Device Central CS3
    Adobe Dreamweaver CS3
    Adobe Encore CS3
    Adobe Encore CS3 Codecs
    Adobe ExtendScript Toolkit 2
    Adobe Extension Manager CS3
    Adobe Flash Player 10 Plugin
    Adobe Fonts All
    Adobe Help Viewer CS3
    Adobe Illustrator CS3
    Adobe InDesign CS3
    Adobe InDesign CS3 Icon Handler
    Adobe Linguistics CS3
    Adobe MotionPicture Color Files
    Adobe PDF Library Files
    Adobe Photoshop CS3
    Adobe Reader X (10.0.1)
    Adobe Setup
    Adobe SING CS3
    Adobe Soundbooth CS3
    Adobe Soundbooth CS3 Codecs
    Adobe Stock Photos CS3
    Adobe Type Support
    Adobe Update Manager CS3
    Adobe Version Cue CS3 Client
    Adobe Version Cue CS3 Server
    Adobe Video Profiles
    Adobe WAS CS3
    Adobe WinSoft Linguistics Plugin
    Adobe XMP DVA Panels CS3
    Adobe XMP Panels CS3
    Advanced Uninstaller PRO v10.1 (remove!)
    AHV content for Acrobat and Flash
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    ATI - Software Uninstall Utility
    ATI Catalyst Control Center
    ATI Display Driver
    avast! Free Antivirus
    Bonjour
    BPD_HPSU
    bpd_scan
    BPDSoftware
    BPDSoftware_Ini
    BufferChm
    Catalyst Control Center - Branding
    Catalyst Control Center Core Implementation
    Catalyst Control Center Graphics Full Existing
    Catalyst Control Center Graphics Full New
    Catalyst Control Center Graphics Light
    Catalyst Control Center Graphics Previews Common
    Catalyst Control Center HydraVision Full
    Catalyst Control Center Localization All
    ccc-core-preinstall
    ccc-core-static
    ccc-utility
    CCC Help Chinese Standard
    CCC Help Chinese Traditional
    CCC Help Czech
    CCC Help Danish
    CCC Help Dutch
    CCC Help English
    CCC Help Finnish
    CCC Help French
    CCC Help German
    CCC Help Greek
    CCC Help Hungarian
    CCC Help Italian
    CCC Help Japanese
    CCC Help Korean
    CCC Help Norwegian
    CCC Help Polish
    CCC Help Portuguese
    CCC Help Russian
    CCC Help Spanish
    CCC Help Swedish
    CCC Help Thai
    CCC Help Turkish
    CCleaner
    CyberLink PowerDVD 9
    Destination Component
    DeviceDiscovery
    DeviceManagementQFolder
    DivX Setup
    DocMgr
    DocProc
    DocProcQFolder
    eSupportQFolder
    Fax
    Free YouTube to MP3 Converter version 3.9.35.324
    GPBaseService
    HiJackThis
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB915800-v4)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954708)
    Hotfix for Windows XP (KB961118)
    HP Document Manager 1.0
    HP Imaging Device Functions 10.0
    HP Officejet J4500 Series
    HP Photosmart Essential 2.5
    HP Smart Web Printing
    HP Solution Center 10.0
    HP Update
    HPProductAssistant
    iMacsoft iPod to PC Transfer
    iTunes
    J4500
    Java Auto Updater
    Java(TM) 6 Update 18
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft Software Update for Web Folders (English) 12
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Mozilla Firefox (3.6.17)
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Nancy Drew: Secrets Can Kill REMASTERED
    Nancy Drew: Shadow at the Water's Edge
    Nero 7 Ultra Edition
    OCR Software by I.R.I.S. 10.0
    PDF Settings
    Picasa 3
    Plants vs. Zombies
    PowerISO
    ProductContext
    PSSWCORE
    QuickTime
    rayman2
    Scan
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Search 4 - KB963093
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2482017)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981349)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Segoe UI
    Skins
    SmartWebPrintingOC
    Software Update for Web Folders
    SolutionCenter
    Sophos Anti-Rootkit 1.5.4
    Status
    Toolbox
    TrayApp
    Uninstall 1.0.0.1
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Windows (KB971513)
    Update for Windows Internet Explorer 8 (KB2447568)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB961503)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    VC80CRTRedist - 8.0.50727.4053
    VideoToolkit01
    WebFldrs XP
    WebReg
    Webshots Desktop
    Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
    Windows Internet Explorer 8
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Live Sync
    Windows Live Upload Tool
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Media Player Firefox Plugin
    Windows Search 4.0
    Windows XP Service Pack 3
    WinRAR archiver
    Xilisoft iPhone Ringtone Maker
    Xilisoft iPhone Transfer
    Xvid 1.2.2 final uninstall
    .
    ==== Event Viewer Messages From Past Week ========
    .
    5/9/2011 3:49:00 AM, error: Schedule [7901] - The At4.job command failed to start due to the following error: %%2147942402
    5/9/2011 10:18:18 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Themes service.
    5/9/2011 10:18:18 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the service.
    5/9/2011 10:18:18 PM, error: Service Control Manager [7000] - The Themes service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    5/8/2011 2:49:00 AM, error: Schedule [7901] - The At3.job command failed to start due to the following error: %%2147942402
    5/8/2011 12:49:00 AM, error: Schedule [7901] - The At1.job command failed to start due to the following error: %%2147942402
    5/8/2011 1:49:00 AM, error: Schedule [7901] - The At2.job command failed to start due to the following error: %%2147942402
    5/7/2011 9:49:01 PM, error: Schedule [7901] - The At22.job command failed to start due to the following error: %%2147942402
    5/7/2011 9:49:01 AM, error: Schedule [7901] - The At10.job command failed to start due to the following error: %%2147942402
    5/7/2011 8:49:02 AM, error: Schedule [7901] - The At9.job command failed to start due to the following error: %%2147942402
    5/7/2011 8:49:00 PM, error: Schedule [7901] - The At21.job command failed to start due to the following error: %%2147942402
    5/7/2011 7:49:01 AM, error: Schedule [7901] - The At8.job command failed to start due to the following error: %%2147942402
    5/7/2011 7:49:00 PM, error: Schedule [7901] - The At20.job command failed to start due to the following error: %%2147942402
    5/7/2011 6:49:01 AM, error: Schedule [7901] - The At7.job command failed to start due to the following error: %%2147942402
    5/7/2011 6:49:00 PM, error: Schedule [7901] - The At19.job command failed to start due to the following error: %%2147942402
    5/7/2011 5:49:00 PM, error: Schedule [7901] - The At18.job command failed to start due to the following error: %%2147942402
    5/7/2011 5:49:00 AM, error: Schedule [7901] - The At6.job command failed to start due to the following error: %%2147942402
    5/7/2011 4:49:00 PM, error: Schedule [7901] - The At17.job command failed to start due to the following error: %%2147942402
    5/7/2011 4:49:00 AM, error: Schedule [7901] - The At5.job command failed to start due to the following error: %%2147942402
    5/7/2011 3:49:00 PM, error: Schedule [7901] - The At16.job command failed to start due to the following error: %%2147942402
    5/7/2011 2:49:00 PM, error: Schedule [7901] - The At15.job command failed to start due to the following error: %%2147942402
    5/7/2011 2:28:40 AM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
    5/7/2011 12:49:00 PM, error: Schedule [7901] - The At13.job command failed to start due to the following error: %%2147942402
    5/7/2011 11:49:00 PM, error: Schedule [7901] - The At24.job command failed to start due to the following error: %%2147942402
    5/7/2011 11:49:00 AM, error: Schedule [7901] - The At12.job command failed to start due to the following error: %%2147942402
    5/7/2011 10:49:00 PM, error: Schedule [7901] - The At23.job command failed to start due to the following error: %%2147942402
    5/7/2011 10:49:00 AM, error: Schedule [7901] - The At11.job command failed to start due to the following error: %%2147942402
    5/7/2011 1:49:00 PM, error: Schedule [7901] - The At14.job command failed to start due to the following error: %%2147942402
    5/7/2011 1:20:44 AM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file rundll32.exe. This file was restored to the original version to maintain system stability. The file version of the bad file is 1.0.0.0, the version of the system file is 5.1.2600.5512.
    5/5/2011 2:46:02 PM, error: Service Control Manager [7022] - The HP CUE DeviceDiscovery Service service hung on starting.
    5/12/2011 2:53:38 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Themes service to connect.
    5/12/2011 2:45:16 AM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.

    DDS (Ver_11-03-05.01) - NTFSx86
    Run by Emily at 19:59:35.84 on Thu 05/12/2011
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.419 [GMT -7:00]
    .
    AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\Ati2evxx.exe
    svchost.exe
    svchost.exe
    C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\AVAST Software\Avast\avastUI.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\AGI\core\4.2.0.10754\AGCoreService.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\gmer\gmer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\dds.scr
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.ca/
    uInternet Settings,ProxyOverride = *.local
    uURLSearchHooks: agihelper.AGUtils: {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll
    BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
    BHO: agihelper.AGUtils: {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
    BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\mi1933~1\office12\GRA8E1~1.DLL
    BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
    TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
    TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
    EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
    IE: Free YouTube to MP3 Converter - c:\documents and settings\emily\application data\dvdvideosoftiehelpers\freeyoutubetomp3converter.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
    IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1301695638546
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1301695622984
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\mi1933~1\office12\GR99D3~1.DLL
    Notify: AtiExtEvent - Ati2evxx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\mi1933~1\office12\GRA8E1~1.DLL
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\docume~1\emily\applic~1\mozilla\firefox\profiles\xy85n44r.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/ig?hl=en#t_0
    FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
    FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
    FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
    FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\avast software\avast\webrep\FF
    FF - Ext: XULRunner: {572FBE01-02C6-4A99-B7F7-FC9C8FE7E6E3} - c:\documents and settings\emily\local settings\application data\{572FBE01-02C6-4A99-B7F7-FC9C8FE7E6E3}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: DVDVideoSoft Menu: {ACAA314B-EEBA-48e4-AD47-84E31C44796C} - %profile%\extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C}
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-4-1 371544]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-4-1 301528]
    R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2011-5-12 18816]
    R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2011/04/01 17:58:25];c:\program files\cyberlink\powerdvd9\000.fcl [2009-5-7 87536]
    R2 AGCoreService;AG Core Services;c:\program files\agi\core\4.2.0.10754\AGCoreService.exe [2011-4-3 20480]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-4-1 19544]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-4-1 42184]
    S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\a.tmp --> c:\windows\system32\A.tmp [?]
    .
    =============== Created Last 30 ================
    .
    2011-05-13 01:25:36 625664 ----a-w- C:\dds.scr
    2011-05-13 00:46:25 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
    2011-05-13 00:04:40 -------- d-----w- c:\program files\Sophos
    2011-05-13 00:00:46 1376832 ----a-w- C:\sar_15_sfx.exe
    2011-05-12 09:42:43 -------- d-----w- C:\gmer
    2011-05-12 08:35:00 190032 ----a-w- c:\windows\system32\drivers\tmcomm.sys
    2011-05-12 08:29:55 388096 ----a-r- c:\docume~1\emily\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
    2011-05-12 08:29:53 -------- d-----w- c:\program files\HiJack
    2011-05-10 01:58:15 -------- d-----w- c:\program files\CyberDefender
    2011-05-07 07:58:33 0 ----a-w- c:\windows\Ycoqetekolasihik.bin
    2011-05-07 07:58:21 -------- d-----w- c:\docume~1\emily\locals~1\applic~1\{572FBE01-02C6-4A99-B7F7-FC9C8FE7E6E3}
    2011-04-20 09:05:58 -------- d-----w- c:\docume~1\emily\locals~1\applic~1\HP
    2011-04-20 08:28:20 -------- d-----w- c:\program files\common files\HP
    2011-04-20 08:28:01 -------- d-----w- c:\program files\common files\Hewlett-Packard
    2011-04-20 08:22:28 16496 ----a-r- c:\windows\system32\drivers\HPZipr12.sys
    2011-04-20 08:22:27 49920 ----a-r- c:\windows\system32\drivers\HPZid412.sys
    2011-04-20 08:18:12 278016 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\hpzpp5mu.dll
    2011-04-20 08:18:10 118272 ----a-w- c:\windows\system32\hpz3l5mu.dll
    2011-04-20 08:18:06 271704 ----a-r- c:\windows\system32\hpzids01.dll
    2011-04-20 08:17:23 21568 ----a-r- c:\windows\system32\drivers\HPZius12.sys
    2011-04-20 08:16:21 364544 ----a-r- c:\windows\system32\hppldcoi.dll
    2011-04-20 08:16:21 309760 ----a-r- c:\windows\system32\difxapi.dll
    2011-04-20 08:16:21 294912 ----a-r- c:\windows\system32\hpovst11.dll
    2011-04-20 08:16:20 729088 ----a-r- c:\windows\system32\hpwwiax4.dll
    2011-04-20 08:16:20 593920 ----a-r- c:\windows\system32\hpwtscl3.dll
    2011-04-20 04:43:20 1373528 ----a-r- c:\windows\hpzshl01.exe
    2011-04-20 04:43:20 1140056 ----a-r- c:\windows\hpzmsi01.exe
    2011-04-20 04:43:19 -------- d-----w- c:\windows\yellowtail
    2011-04-20 04:42:56 -------- d-----w- c:\program files\HP
    2011-04-20 04:42:47 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
    2011-04-20 04:42:47 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
    2011-04-20 04:42:40 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
    2011-04-20 04:42:40 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
    2011-04-13 07:28:21 -------- d-----w- c:\program files\common files\Blizzard Entertainment
    2011-04-13 07:27:25 -------- d-----w- c:\docume~1\alluse~1\applic~1\Blizzard Entertainment
    .
    ==================== Find3M ====================
    .
    2011-04-02 01:53:08 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-04-02 01:53:08 411368 ----a-w- c:\windows\system32\deploytk.dll
    2011-04-02 01:08:06 29480 ----a-w- c:\windows\system32\msxml3a.dll
    2011-04-02 01:08:05 505128 ----a-w- c:\windows\system32\msvcp71.dll
    2011-04-02 01:08:05 353576 ----a-w- c:\windows\system32\msvcr71.dll
    2011-04-02 00:42:24 0 ----a-w- c:\windows\ativpsrm.bin
    2011-02-23 14:04:21 40648 ----a-w- c:\windows\avastSS.scr
    2011-02-18 23:36:58 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
    .
    =================== ROOTKIT ====================
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: SAMSUNG_SP0822N rev.WA100-31 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    .
    device: opened successfully
    user: MBR read successfully
    .
    Disk trace:
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x867046F0]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8670aa10]; MOV EAX, [0x8670aa8c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x86740AB8]
    3 CLASSPNP[0xF786EFD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\00000059[0x86794F18]
    5 ACPI[0xF77E5620] -> nt!IofCallDriver[0x804E37D5] -> [0x86782D98]
    \Driver\atapi[0x86746030] -> IRP_MJ_CREATE -> 0x867046F0
    error: Read A device attached to the system is not functioning.
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x8670453B
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !
    .
    ============= FINISH: 20:07:56.57 ===============
  2. emilyrose

    emilyrose TS Rookie Topic Starter

    First part of GMER

    GMER 1.0.15.15627 - http://www.gmer.net
    Rootkit scan 2011-05-12 22:05:50
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 SAMSUNG_SP0822N rev.WA100-31
    Running: gmer.exe; Driver: C:\DOCUME~1\Emily\LOCALS~1\Temp\fgdcapod.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0xA48939CA]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0xA48E8A68]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwClose [0xA48B3AF5]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0xA4895EAC]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0xA4895F04]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0xA489601A]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateKey [0xA48B34A9]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0xA4895E02]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0xA4895F54]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0xA4895E56]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0xA4895FC8]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0xA48939EE]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteKey [0xA48B41BB]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteValueKey [0xA48B4471]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDuplicateObject [0xA489629E]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xA48B4026]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xA48B3E91]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0xA48E8B18]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0xA48937B8]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0xA4893A12]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0xA4896412]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0xA48944AA]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0xA4895EDC]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0xA4895F2C]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0xA4896044]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenKey [0xA48B3805]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0xA4895E2E]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenProcess [0xA48960D6]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0xA4895F94]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0xA4895E84]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenThread [0xA48961BA]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0xA4895FF2]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0xA48E8BB0]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryKey [0xA48B3D0C]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0xA4894370]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryValueKey [0xA48B3B5E]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xA48F0E26]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwRestoreKey [0xA48B2B1C]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0xA4893A36]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0xA4893A5A]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0xA4893812]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0xA489394E]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetValueKey [0xA48B42C2]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0xA489392A]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0xA4893972]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0xA4893A7E]

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xA48FD8DE]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntoskrnl.exe!_abnormal_termination + 34D 804E29B9 3 Bytes [0E, 8F, A4]
    PAGE ntoskrnl.exe!ObInsertObject 805650BA 5 Bytes JMP A48FAD38 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
    PAGE ntoskrnl.exe!ZwReplyWaitReceivePortEx + 3CC 8056BB08 4 Bytes CALL A4894E25 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    PAGE ntoskrnl.exe!ZwCreateProcessEx 8058124C 7 Bytes JMP A48FD8E2 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
    PAGE ntoskrnl.exe!ObMakeTemporaryObject 805A038B 5 Bytes JMP A48F929E \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
    .text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xF61D9000, 0x1C5D38, 0xE8000020]
    .text C:\Program Files\CyberLink\PowerDVD9\000.fcl section is writeable [0xA21BF000, 0x2892, 0xE8000020]
    .vmp2 C:\Program Files\CyberLink\PowerDVD9\000.fcl entry point in ".vmp2" section [0xA21E2050]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[264] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00150030
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[264] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0015006C
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[264] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 3 Bytes JMP 003C01D4
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[264] ADVAPI32.dll!SetServiceObjectSecurity + 4 77E36D85 1 Byte [88]
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[264] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003C00E4
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[264] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003C0120
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[264] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003C015C
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[264] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003C0198
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[264] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003C0030
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[264] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003C006C
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[264] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003C00A8
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[264] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003D00E4
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[264] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003D0120
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[264] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003D00A8
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[264] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003D0030
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[264] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003D006C
    .text C:\Program Files\Bonjour\mDNSResponder.exe[384] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00150030
    .text C:\Program Files\Bonjour\mDNSResponder.exe[384] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0015006C
    .text C:\Program Files\Bonjour\mDNSResponder.exe[384] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 3 Bytes JMP 003C01D4
    .text C:\Program Files\Bonjour\mDNSResponder.exe[384] ADVAPI32.dll!SetServiceObjectSecurity + 4 77E36D85 1 Byte [88]
    .text C:\Program Files\Bonjour\mDNSResponder.exe[384] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003C00E4
    .text C:\Program Files\Bonjour\mDNSResponder.exe[384] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003C0120
    .text C:\Program Files\Bonjour\mDNSResponder.exe[384] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003C015C
    .text C:\Program Files\Bonjour\mDNSResponder.exe[384] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003C0198
    .text C:\Program Files\Bonjour\mDNSResponder.exe[384] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003C0030
    .text C:\Program Files\Bonjour\mDNSResponder.exe[384] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003C006C
    .text C:\Program Files\Bonjour\mDNSResponder.exe[384] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003C00A8
    .text C:\Program Files\Bonjour\mDNSResponder.exe[384] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003D00E4
    .text C:\Program Files\Bonjour\mDNSResponder.exe[384] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003D0120
    .text C:\Program Files\Bonjour\mDNSResponder.exe[384] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003D00A8
    .text C:\Program Files\Bonjour\mDNSResponder.exe[384] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003D0030
    .text C:\Program Files\Bonjour\mDNSResponder.exe[384] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003D006C
    .text C:\WINDOWS\system32\winlogon.exe[552] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00070030
    .text C:\WINDOWS\system32\winlogon.exe[552] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0007006C
    .text C:\WINDOWS\system32\winlogon.exe[552] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002E01D4
    .text C:\WINDOWS\system32\winlogon.exe[552] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002E00E4
    .text C:\WINDOWS\system32\winlogon.exe[552] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002E0120
    .text C:\WINDOWS\system32\winlogon.exe[552] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002E015C
    .text C:\WINDOWS\system32\winlogon.exe[552] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002E0198
    .text C:\WINDOWS\system32\winlogon.exe[552] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002E0030
    .text C:\WINDOWS\system32\winlogon.exe[552] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002E006C
    .text C:\WINDOWS\system32\winlogon.exe[552] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002E00A8
    .text C:\WINDOWS\system32\winlogon.exe[552] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002F00E4
    .text C:\WINDOWS\system32\winlogon.exe[552] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002F0120
    .text C:\WINDOWS\system32\winlogon.exe[552] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002F00A8
    .text C:\WINDOWS\system32\winlogon.exe[552] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002F0030
    .text C:\WINDOWS\system32\winlogon.exe[552] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002F006C
    .text C:\WINDOWS\system32\svchost.exe[576] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
    .text C:\WINDOWS\system32\svchost.exe[576] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
    .text C:\WINDOWS\system32\svchost.exe[576] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003001D4
    .text C:\WINDOWS\system32\svchost.exe[576] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003000E4
    .text C:\WINDOWS\system32\svchost.exe[576] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00300120
    .text C:\WINDOWS\system32\svchost.exe[576] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 0030015C
    .text C:\WINDOWS\system32\svchost.exe[576] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00300198
    .text C:\WINDOWS\system32\svchost.exe[576] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 00300030
    .text C:\WINDOWS\system32\svchost.exe[576] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 0030006C
    .text C:\WINDOWS\system32\svchost.exe[576] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003000A8
    .text C:\WINDOWS\system32\svchost.exe[576] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003100E4
    .text C:\WINDOWS\system32\svchost.exe[576] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00310120
    .text C:\WINDOWS\system32\svchost.exe[576] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003100A8
    .text C:\WINDOWS\system32\svchost.exe[576] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 00310030
    .text C:\WINDOWS\system32\svchost.exe[576] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 0031006C
    .text C:\WINDOWS\system32\services.exe[600] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
    .text C:\WINDOWS\system32\services.exe[600] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
    .text C:\WINDOWS\system32\services.exe[600] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002E01D4
    .text C:\WINDOWS\system32\services.exe[600] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002E00E4
    .text C:\WINDOWS\system32\services.exe[600] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002E0120
    .text C:\WINDOWS\system32\services.exe[600] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002E015C
    .text C:\WINDOWS\system32\services.exe[600] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002E0198
    .text C:\WINDOWS\system32\services.exe[600] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002E0030
    .text C:\WINDOWS\system32\services.exe[600] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002E006C
    .text C:\WINDOWS\system32\services.exe[600] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002E00A8
    .text C:\WINDOWS\system32\services.exe[600] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002F00E4
    .text C:\WINDOWS\system32\services.exe[600] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002F0120
    .text C:\WINDOWS\system32\services.exe[600] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002F00A8
    .text C:\WINDOWS\system32\services.exe[600] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002F0030
    .text C:\WINDOWS\system32\services.exe[600] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002F006C
    .text C:\WINDOWS\system32\lsass.exe[612] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
    .text C:\WINDOWS\system32\lsass.exe[612] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
    .text C:\WINDOWS\system32\lsass.exe[612] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002E01D4
    .text C:\WINDOWS\system32\lsass.exe[612] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002E00E4
    .text C:\WINDOWS\system32\lsass.exe[612] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002E0120
    .text C:\WINDOWS\system32\lsass.exe[612] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002E015C
    .text C:\WINDOWS\system32\lsass.exe[612] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002E0198
    .text C:\WINDOWS\system32\lsass.exe[612] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002E0030
    .text C:\WINDOWS\system32\lsass.exe[612] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002E006C
    .text C:\WINDOWS\system32\lsass.exe[612] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002E00A8
    .text C:\WINDOWS\system32\lsass.exe[612] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002F00E4
    .text C:\WINDOWS\system32\lsass.exe[612] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002F0120
    .text C:\WINDOWS\system32\lsass.exe[612] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002F00A8
    .text C:\WINDOWS\system32\lsass.exe[612] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002F0030
    .text C:\WINDOWS\system32\lsass.exe[612] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002F006C
    .text C:\WINDOWS\system32\Ati2evxx.exe[756] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00150030
    .text C:\WINDOWS\system32\Ati2evxx.exe[756] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0015006C
    .text C:\WINDOWS\system32\Ati2evxx.exe[756] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003C00E4
    .text C:\WINDOWS\system32\Ati2evxx.exe[756] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003C0120
    .text C:\WINDOWS\system32\Ati2evxx.exe[756] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003C00A8
    .text C:\WINDOWS\system32\Ati2evxx.exe[756] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003C0030
    .text C:\WINDOWS\system32\Ati2evxx.exe[756] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003C006C
    .text C:\WINDOWS\system32\Ati2evxx.exe[756] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003D01D4
    .text C:\WINDOWS\system32\Ati2evxx.exe[756] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003D00E4
    .text C:\WINDOWS\system32\Ati2evxx.exe[756] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003D0120
    .text C:\WINDOWS\system32\Ati2evxx.exe[756] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003D015C
    .text C:\WINDOWS\system32\Ati2evxx.exe[756] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003D0198
    .text C:\WINDOWS\system32\Ati2evxx.exe[756] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003D0030
    .text C:\WINDOWS\system32\Ati2evxx.exe[756] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003D006C
    .text C:\WINDOWS\system32\Ati2evxx.exe[756] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003D00A8
    .text C:\WINDOWS\system32\svchost.exe[784] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
    .text C:\WINDOWS\system32\svchost.exe[784] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
    .text C:\WINDOWS\system32\svchost.exe[784] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003001D4
    .text C:\WINDOWS\system32\svchost.exe[784] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003000E4
    .text C:\WINDOWS\system32\svchost.exe[784] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00300120
    .text C:\WINDOWS\system32\svchost.exe[784] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 0030015C
    .text C:\WINDOWS\system32\svchost.exe[784] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00300198
    .text C:\WINDOWS\system32\svchost.exe[784] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 00300030
    .text C:\WINDOWS\system32\svchost.exe[784] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 0030006C
    .text C:\WINDOWS\system32\svchost.exe[784] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003000A8
    .text C:\WINDOWS\system32\svchost.exe[784] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003100E4
    .text C:\WINDOWS\system32\svchost.exe[784] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00310120
    .text C:\WINDOWS\system32\svchost.exe[784] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003100A8
    .text C:\WINDOWS\system32\svchost.exe[784] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 00310030
    .text C:\WINDOWS\system32\svchost.exe[784] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 0031006C
    .text C:\Program Files\Java\jre6\bin\jqs.exe[832] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00150030
    .text C:\Program Files\Java\jre6\bin\jqs.exe[832] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0015006C
    .text C:\Program Files\Java\jre6\bin\jqs.exe[832] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 3 Bytes JMP 003C01D4
    .text C:\Program Files\Java\jre6\bin\jqs.exe[832] ADVAPI32.dll!SetServiceObjectSecurity + 4 77E36D85 1 Byte [88]
    .text C:\Program Files\Java\jre6\bin\jqs.exe[832] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003C00E4
    .text C:\Program Files\Java\jre6\bin\jqs.exe[832] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003C0120
    .text C:\Program Files\Java\jre6\bin\jqs.exe[832] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003C015C
    .text C:\Program Files\Java\jre6\bin\jqs.exe[832] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003C0198
    .text C:\Program Files\Java\jre6\bin\jqs.exe[832] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003C0030
    .text C:\Program Files\Java\jre6\bin\jqs.exe[832] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003C006C
    .text C:\Program Files\Java\jre6\bin\jqs.exe[832] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003C00A8
    .text C:\Program Files\Java\jre6\bin\jqs.exe[832] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003D00E4
    .text C:\Program Files\Java\jre6\bin\jqs.exe[832] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003D0120
    .text C:\Program Files\Java\jre6\bin\jqs.exe[832] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003D00A8
    .text C:\Program Files\Java\jre6\bin\jqs.exe[832] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003D0030
    .text C:\Program Files\Java\jre6\bin\jqs.exe[832] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003D006C
    .text C:\WINDOWS\system32\svchost.exe[868] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
    .text C:\WINDOWS\system32\svchost.exe[868] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
    .text C:\WINDOWS\system32\svchost.exe[868] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003001D4
    .text C:\WINDOWS\system32\svchost.exe[868] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003000E4
    .text C:\WINDOWS\system32\svchost.exe[868] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00300120
    .text C:\WINDOWS\system32\svchost.exe[868] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 0030015C
    .text C:\WINDOWS\system32\svchost.exe[868] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00300198
    .text C:\WINDOWS\system32\svchost.exe[868] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 00300030
    .text C:\WINDOWS\system32\svchost.exe[868] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 0030006C
    .text C:\WINDOWS\system32\svchost.exe[868] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003000A8
    .text C:\WINDOWS\system32\svchost.exe[868] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003100E4
    .text C:\WINDOWS\system32\svchost.exe[868] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00310120
    .text C:\WINDOWS\system32\svchost.exe[868] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003100A8
    .text C:\WINDOWS\system32\svchost.exe[868] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 00310030
    .text C:\WINDOWS\system32\svchost.exe[868] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 0031006C
    .text C:\WINDOWS\System32\svchost.exe[940] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0075000A
    .text C:\WINDOWS\System32\svchost.exe[940] ntdll.dll!NtWriteVirtualMemory
  3. emilyrose

    emilyrose TS Rookie Topic Starter

    GMER part 2

    7C90DFAE 5 Bytes JMP 00A7000A
    .text C:\WINDOWS\System32\svchost.exe[940] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0074000C
    .text C:\WINDOWS\System32\svchost.exe[940] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
    .text C:\WINDOWS\System32\svchost.exe[940] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
    .text C:\WINDOWS\System32\svchost.exe[940] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003001D4
    .text C:\WINDOWS\System32\svchost.exe[940] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003000E4
    .text C:\WINDOWS\System32\svchost.exe[940] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00300120
    .text C:\WINDOWS\System32\svchost.exe[940] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 0030015C
    .text C:\WINDOWS\System32\svchost.exe[940] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00300198
    .text C:\WINDOWS\System32\svchost.exe[940] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 00300030
    .text C:\WINDOWS\System32\svchost.exe[940] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 0030006C
    .text C:\WINDOWS\System32\svchost.exe[940] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003000A8
    .text C:\WINDOWS\System32\svchost.exe[940] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003100E4
    .text C:\WINDOWS\System32\svchost.exe[940] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 006E000A
    .text C:\WINDOWS\System32\svchost.exe[940] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00310120
    .text C:\WINDOWS\System32\svchost.exe[940] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003100A8
    .text C:\WINDOWS\System32\svchost.exe[940] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 00310030
    .text C:\WINDOWS\System32\svchost.exe[940] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 0031006C
    .text C:\WINDOWS\System32\svchost.exe[940] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00B7000A
    .text C:\WINDOWS\system32\svchost.exe[1020] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
    .text C:\WINDOWS\system32\svchost.exe[1020] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
    .text C:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003001D4
    .text C:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003000E4
    .text C:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00300120
    .text C:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 0030015C
    .text C:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00300198
    .text C:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 00300030
    .text C:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 0030006C
    .text C:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003000A8
    .text C:\WINDOWS\system32\svchost.exe[1020] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003100E4
    .text C:\WINDOWS\system32\svchost.exe[1020] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00310120
    .text C:\WINDOWS\system32\svchost.exe[1020] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003100A8
    .text C:\WINDOWS\system32\svchost.exe[1020] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 00310030
    .text C:\WINDOWS\system32\svchost.exe[1020] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 0031006C
    .text C:\WINDOWS\system32\Ati2evxx.exe[1052] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00150030
    .text C:\WINDOWS\system32\Ati2evxx.exe[1052] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0015006C
    .text C:\WINDOWS\system32\Ati2evxx.exe[1052] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003C00E4
    .text C:\WINDOWS\system32\Ati2evxx.exe[1052] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003C0120
    .text C:\WINDOWS\system32\Ati2evxx.exe[1052] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003C00A8
    .text C:\WINDOWS\system32\Ati2evxx.exe[1052] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003C0030
    .text C:\WINDOWS\system32\Ati2evxx.exe[1052] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003C006C
    .text C:\WINDOWS\system32\Ati2evxx.exe[1052] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003D01D4
    .text C:\WINDOWS\system32\Ati2evxx.exe[1052] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003D00E4
    .text C:\WINDOWS\system32\Ati2evxx.exe[1052] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003D0120
    .text C:\WINDOWS\system32\Ati2evxx.exe[1052] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003D015C
    .text C:\WINDOWS\system32\Ati2evxx.exe[1052] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003D0198
    .text C:\WINDOWS\system32\Ati2evxx.exe[1052] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003D0030
    .text C:\WINDOWS\system32\Ati2evxx.exe[1052] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003D006C
    .text C:\WINDOWS\system32\Ati2evxx.exe[1052] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003D00A8
    .text C:\WINDOWS\System32\svchost.exe[1124] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
    .text C:\WINDOWS\System32\svchost.exe[1124] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
    .text C:\WINDOWS\System32\svchost.exe[1124] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003001D4
    .text C:\WINDOWS\System32\svchost.exe[1124] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003000E4
    .text C:\WINDOWS\System32\svchost.exe[1124] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00300120
    .text C:\WINDOWS\System32\svchost.exe[1124] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 0030015C
    .text C:\WINDOWS\System32\svchost.exe[1124] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00300198
    .text C:\WINDOWS\System32\svchost.exe[1124] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 00300030
    .text C:\WINDOWS\System32\svchost.exe[1124] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 0030006C
    .text C:\WINDOWS\System32\svchost.exe[1124] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003000A8
    .text C:\WINDOWS\System32\svchost.exe[1124] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003100E4
    .text C:\WINDOWS\System32\svchost.exe[1124] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00310120
    .text C:\WINDOWS\System32\svchost.exe[1124] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003100A8
    .text C:\WINDOWS\System32\svchost.exe[1124] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 00310030
    .text C:\WINDOWS\System32\svchost.exe[1124] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 0031006C
    .text C:\WINDOWS\system32\svchost.exe[1128] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
    .text C:\WINDOWS\system32\svchost.exe[1128] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
    .text C:\WINDOWS\system32\svchost.exe[1128] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003001D4
    .text C:\WINDOWS\system32\svchost.exe[1128] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003000E4
    .text C:\WINDOWS\system32\svchost.exe[1128] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00300120
    .text C:\WINDOWS\system32\svchost.exe[1128] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 0030015C
    .text C:\WINDOWS\system32\svchost.exe[1128] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00300198
    .text C:\WINDOWS\system32\svchost.exe[1128] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 00300030
    .text C:\WINDOWS\system32\svchost.exe[1128] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 0030006C
    .text C:\WINDOWS\system32\svchost.exe[1128] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003000A8
    .text C:\WINDOWS\system32\svchost.exe[1128] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003100E4
    .text C:\WINDOWS\system32\svchost.exe[1128] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00310120
    .text C:\WINDOWS\system32\svchost.exe[1128] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003100A8
    .text C:\WINDOWS\system32\svchost.exe[1128] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 00310030
    .text C:\WINDOWS\system32\svchost.exe[1128] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 0031006C
    .text C:\WINDOWS\System32\svchost.exe[1200] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
    .text C:\WINDOWS\System32\svchost.exe[1200] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
    .text C:\WINDOWS\System32\svchost.exe[1200] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003001D4
    .text C:\WINDOWS\System32\svchost.exe[1200] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003000E4
    .text C:\WINDOWS\System32\svchost.exe[1200] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00300120
    .text C:\WINDOWS\System32\svchost.exe[1200] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 0030015C
    .text C:\WINDOWS\System32\svchost.exe[1200] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00300198
    .text C:\WINDOWS\System32\svchost.exe[1200] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 00300030
    .text C:\WINDOWS\System32\svchost.exe[1200] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 0030006C
    .text C:\WINDOWS\System32\svchost.exe[1200] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003000A8
    .text C:\WINDOWS\System32\svchost.exe[1200] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003100E4
    .text C:\WINDOWS\System32\svchost.exe[1200] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00310120
    .text C:\WINDOWS\System32\svchost.exe[1200] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003100A8
    .text C:\WINDOWS\System32\svchost.exe[1200] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 00310030
    .text C:\WINDOWS\System32\svchost.exe[1200] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 0031006C
    .text C:\WINDOWS\Explorer.EXE[1332] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C4000A
    .text C:\WINDOWS\Explorer.EXE[1332] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C5000A
    .text C:\WINDOWS\Explorer.EXE[1332] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00BE000C
    .text C:\WINDOWS\Explorer.EXE[1332] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
    .text C:\WINDOWS\Explorer.EXE[1332] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
    .text C:\WINDOWS\Explorer.EXE[1332] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003601D4
    .text C:\WINDOWS\Explorer.EXE[1332] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003600E4
    .text C:\WINDOWS\Explorer.EXE[1332] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00360120
    .text C:\WINDOWS\Explorer.EXE[1332] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 0036015C
    .text C:\WINDOWS\Explorer.EXE[1332] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00360198
    .text C:\WINDOWS\Explorer.EXE[1332] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 00360030
    .text C:\WINDOWS\Explorer.EXE[1332] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 0036006C
    .text C:\WINDOWS\Explorer.EXE[1332] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003600A8
    .text C:\WINDOWS\Explorer.EXE[1332] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003700E4
    .text C:\WINDOWS\Explorer.EXE[1332] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00370120
    .text C:\WINDOWS\Explorer.EXE[1332] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003700A8
    .text C:\WINDOWS\Explorer.EXE[1332] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 00370030
    .text C:\WINDOWS\Explorer.EXE[1332] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 0037006C
    .text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
    .text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
    .text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003001D4
    .text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003000E4
    .text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00300120
    .text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 0030015C
    .text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00300198
    .text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 00300030
    .text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 0030006C
    .text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003000A8
    .text C:\WINDOWS\system32\svchost.exe[1400] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003100E4
    .text C:\WINDOWS\system32\svchost.exe[1400] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00310120
    .text C:\WINDOWS\system32\svchost.exe[1400] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003100A8
    .text C:\WINDOWS\system32\svchost.exe[1400] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 00310030
    .text C:\WINDOWS\system32\svchost.exe[1400] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 0031006C
    .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1452] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
    .text C:\WINDOWS\system32\ctfmon.exe[1548] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000A0030
    .text C:\WINDOWS\system32\ctfmon.exe[1548] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000A006C
    .text C:\WINDOWS\system32\ctfmon.exe[1548] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003601D4
    .text C:\WINDOWS\system32\ctfmon.exe[1548] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003600E4
    .text C:\WINDOWS\system32\ctfmon.exe[1548] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00360120
    .text C:\WINDOWS\system32\ctfmon.exe[1548] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 0036015C
    .text C:\WINDOWS\system32\ctfmon.exe[1548] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00360198
    .text C:\WINDOWS\system32\ctfmon.exe[1548] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 00360030
    .text C:\WINDOWS\system32\ctfmon.exe[1548] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 0036006C
    .text C:\WINDOWS\system32\ctfmon.exe[1548] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003600A8
    .text C:\WINDOWS\system32\ctfmon.exe[1548] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003700E4
    .text C:\WINDOWS\system32\ctfmon.exe[1548] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00370120
    .text C:\WINDOWS\system32\ctfmon.exe[1548] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003700A8
    .text C:\WINDOWS\system32\ctfmon.exe[1548] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 00370030
    .text C:\WINDOWS\system32\ctfmon.exe[1548] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 0037006C
    .text C:\WINDOWS\system32\spoolsv.exe[1952] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
    .text C:\WINDOWS\system32\spoolsv.exe[1952] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
    .text C:\WINDOWS\system32\spoolsv.exe[1952] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002E01D4
    .text C:\WINDOWS\system32\spoolsv.exe[1952] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002E00E4
    .text C:\WINDOWS\system32\spoolsv.exe[1952] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002E0120
    .text C:\WINDOWS\system32\spoolsv.exe[1952] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002E015C
    .text C:\WINDOWS\system32\spoolsv.exe[1952] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002E0198
    .text C:\WINDOWS\system32\spoolsv.exe[1952] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002E0030
    .text C:\WINDOWS\system32\spoolsv.exe[1952] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002E006C
    .text C:\WINDOWS\system32\spoolsv.exe[1952] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002E00A8
    .text C:\WINDOWS\system32\spoolsv.exe[1952] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002F00E4
    .text C:\WINDOWS\system32\spoolsv.exe[1952] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002F0120
    .text C:\WINDOWS\system32\spoolsv.exe[1952] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002F00A8
    .text C:\WINDOWS\system32\spoolsv.exe[1952] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002F0030
    .text C:\WINDOWS\system32\spoolsv.exe[1952] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002F006C
    .text C:\WINDOWS\system32\svchost.exe[2028] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
    .text C:\WINDOWS\system32\svchost.exe[2028] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
    .text C:\WINDOWS\system32\svchost.exe[2028] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003001D4
    .text C:\WINDOWS\system32\svchost.exe[2028] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003000E4
    .text C:\WINDOWS\system32\svchost.exe[2028] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00300120
    .text C:\WINDOWS\system32\svchost.exe[2028] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 0030015C
    .text C:\WINDOWS\system32\svchost.exe[2028] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00300198
    .text C:\WINDOWS\system32\svchost.exe[2028] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 00300030
    .text C:\WINDOWS\system32\svchost.exe[2028] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 0030006C
    .text C:\WINDOWS\system32\svchost.exe[2028] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003000A8
    .text C:\WINDOWS\system32\svchost.exe[2028] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003100E4
    .text C:\WINDOWS\system32\svchost.exe[2028] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00310120
    .text C:\WINDOWS\system32\svchost.exe[2028] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003100A8
    .text C:\WINDOWS\system32\svchost.exe[2028] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 00310030
    .text C:\WINDOWS\system32\svchost.exe[2028] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 0031006C
    .text C:\WINDOWS\system32\SearchIndexer.exe[2064] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000D0030
    .text C:\WINDOWS\system32\SearchIndexer.exe[2064] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000D006C
    .text C:\WINDOWS\system32\SearchIndexer.exe[2064] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
    .text C:\WINDOWS\system32\SearchIndexer.exe[2064] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003401D4
    .text C:\WINDOWS\system32\SearchIndexer.exe[2064] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003400E4
    .text C:\WINDOWS\system32\SearchIndexer.exe[2064] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00340120
    .text C:\WINDOWS\system32\SearchIndexer.exe[2064] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 0034015C
    .text C:\WINDOWS\system32\SearchIndexer.exe[2064] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00340198
    .text C:\WINDOWS\system32\SearchIndexer.exe[2064] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 00340030
    .text C:\WINDOWS\system32\SearchIndexer.exe[2064] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 0034006C
    .text C:\WINDOWS\system32\SearchIndexer.exe[2064] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003400A8
    .text C:\WINDOWS\system32\SearchIndexer.exe[2064] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003500E4
    .text C:\WINDOWS\system32\SearchIndexer.exe[2064] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00350120
    .text C:\WINDOWS\system32\SearchIndexer.exe[2064] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003500A8
    .text C:\WINDOWS\system32\SearchIndexer.exe[2064] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 00350030
    .text C:\WINDOWS\system32\SearchIndexer.exe[2064] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 0035006C
    .text C:\WINDOWS\System32\alg.exe[3004] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
    .text C:\WINDOWS\System32\alg.exe[3004] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
    .text C:\WINDOWS\System32\alg.exe[3004] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002E00E4
    .text C:\WINDOWS\System32\alg.exe[3004] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002E0120
    .text C:\WINDOWS\System32\alg.exe[3004] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002E00A8
    .text C:\WINDOWS\System32\alg.exe[3004] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002E0030
    .text C:\WINDOWS\System32\alg.exe[3004] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002E006C
    .text C:\WINDOWS\System32\alg.exe[3004] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002F01D4
    .text C:\WINDOWS\System32\alg.exe[3004] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002F00E4
    .text C:\WINDOWS\System32\alg.exe[3004] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002F0120
    .text C:\WINDOWS\System32\alg.exe[3004] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002F015C
    .text C:\WINDOWS\System32\alg.exe[3004] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002F0198
    .text C:\WINDOWS\System32\alg.exe[3004] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002F0030
    .text C:\WINDOWS\System32\alg.exe[3004] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002F006C
    .text C:\WINDOWS\System32\alg.exe[3004] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002F00A8

    ---- Kernel IAT/EAT - GMER 1.0.15 ----

    IAT atapi.sys[ntoskrnl.exe!IofCompleteRequest] [A48DF550] \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\WINDOWS\system32\services.exe[600] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00610002
    IAT C:\WINDOWS\system32\services.exe[600] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00610000

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

    AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 866F353B
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-3 866F353B
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 866F353B
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 866F353B

    AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
    Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

    ---- EOF - GMER 1.0.15 ----
     
  4. emilyrose

    emilyrose TS Rookie Topic Starter

    Also, here are the results from the last MBAM scan I did:
    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6253

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    5/12/2011 10:17:57 PM
    mbam-log-2011-05-12 (22-17-57).txt

    Scan type: Quick scan
    Objects scanned: 156954
    Time elapsed: 10 minute(s), 3 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    Unfortunately I didn't save the log from when it did find infected files in MBAM. I deleted the infected files of both the MBAM and the first avast boot scan. Not too sure if that was the right thing to do, but obviously the rootkit is still on here. So what would be the next step I would take to get rid of this?
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please run the following:
    Please download MBRCheck and save to your desktop
    • Double click on MBRCheck.exe to run. (Vista and Windows 7 users will have to confirm the UAC prompt)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      [o] Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      [o] Found non-standard or infected MBR.
      [o] Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Paste this log to your next message.
    ===================================
    Follow that with Combofix. Please note: If you have Combofix on the desktop already, please uninstall it, then download the current version and do the scan. Uninstall directions, if needed:
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U; it needs to be there.
    ------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message. Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    =============================
    Follow with Eset online virus scan:
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click to download the ESET Smart Installer. Save it to your desktop.
      [o] Double click on the ESET Smart Installer on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
    • Uncheck 'Remove found threats'
    • Check 'Scan archives'
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish

    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.


    Important!
    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
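Added example (not the thread's or MBRCheck's own code) of the kind of baseline check behind a "non-standard or infected MBR" verdict: it splits a 512-byte sector-0 image into bootstrap code, partition table and signature, decodes the partition entries, and compares a hash of the bootstrap code with a baseline hash recorded from the machine while it was known to be clean. The boot-code bytes, partition entry and baseline below are constructed placeholders, and read_sector0 (with its device path) is an assumption about how the sector would be captured on a live Windows machine.

```python
"""Baseline check of a raw 512-byte MBR (sector 0).

Added example; this is not MBRCheck's own logic and not code from the thread.
Layout of a classic BIOS MBR: bytes 0..445 bootstrap code, 446..509 four
16-byte partition entries, 510..511 the 0x55AA signature. An MBR bootkit
typically replaces the bootstrap code and leaves the partition table and
signature intact so the system still boots, so the verdict here rests on
comparing a hash of the bootstrap region with a baseline hash recorded from
the same machine while it was known to be clean.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446      # bootstrap code: bytes 0..445
PART_TABLE_OFF = 446     # four 16-byte partition entries follow
SIGNATURE = b"\x55\xAA"  # bytes 510..511 of a valid MBR


def read_sector0(device=r"\\.\PhysicalDrive0"):
    """Read sector 0 of a physical drive (Windows device path; needs admin).
    Assumed capture method; not exercised by the offline sample below."""
    with open(device, "rb") as disk:
        return disk.read(SECTOR_SIZE)


def parse_partitions(sector):
    """Decode the four partition entries; empty entries (type 0) are skipped."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, CHS start (3 bytes, ignored), type, CHS end (ignored), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return parts


def check_mbr(sector, baseline_sha256):
    """Return a verdict dict: ok flag, list of findings, decoded partitions, boot-code hash."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a 512-byte sector image")
    findings = []
    if sector[510:512] != SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    digest = hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()
    if digest != baseline_sha256:
        findings.append("bootstrap code differs from baseline")
    parts = parse_partitions(sector)
    if not any(p["bootable"] for p in parts):
        # heuristic for a classic BIOS/MBR layout such as the XP machine in this thread
        findings.append("no partition flagged bootable")
    return {"ok": not findings, "findings": findings,
            "partitions": parts, "boot_code_sha256": digest}


def build_sample_sector(tampered=False):
    """Constructed sector 0: placeholder bytes standing in for boot code (not real
    boot code), one bootable NTFS entry starting at LBA 63, and the signature.
    tampered=True overwrites 16 bytes inside the bootstrap region."""
    boot = (b"\xEB\x3C\x90" + b"CONSTRUCTED-BOOT-CODE").ljust(BOOT_CODE_LEN, b"\x00")
    if tampered:
        boot = boot[:0x80] + b"\x90" * 16 + boot[0x90:]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF",
                        63, 157286400)           # 75 GiB, like the C: drive in this thread
    table = entry + b"\x00" * 48                 # remaining three entries empty
    return boot + table + SIGNATURE


# In practice this hash is recorded from the clean machine and stored off-host;
# here it is derived from the constructed clean sample so the example runs offline.
BASELINE_SHA256 = hashlib.sha256(build_sample_sector()[:BOOT_CODE_LEN]).hexdigest()


if __name__ == "__main__":
    for label, sector in (("clean", build_sample_sector()),
                          ("tampered", build_sample_sector(tampered=True))):
        result = check_mbr(sector, BASELINE_SHA256)
        print(label, "OK" if result["ok"] else "FINDINGS: " + "; ".join(result["findings"]))
```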
     
  6. emilyrose

    emilyrose TS Rookie Topic Starter

    Hi, thank you so much for your help! So here are the results of MBR:
    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0000004d

    Kernel Drivers (total 131):
    0x804D7000 \WINDOWS\system32\ntoskrnl.exe
    0x806EF000 \WINDOWS\system32\hal.dll
    0xF7D2E000 \WINDOWS\system32\KDCOM.DLL
    0xF7C3E000 \WINDOWS\system32\BOOTVID.dll
    0xF77DF000 ACPI.sys
    0xF7D30000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xF77CE000 pci.sys
    0xF782E000 isapnp.sys
    0xF7DF6000 pciide.sys
    0xF7AAE000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xF783E000 MountMgr.sys
    0xF77AF000 ftdisk.sys
    0xF7D32000 dmload.sys
    0xF7789000 dmio.sys
    0xF7AB6000 PartMgr.sys
    0xF784E000 VolSnap.sys
    0xF7771000 atapi.sys
    0xF785E000 disk.sys
    0xF786E000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xF7751000 fltmgr.sys
    0xF773F000 sr.sys
    0xF787E000 PxHelp20.sys
    0xF7728000 KSecDD.sys
    0xF769B000 Ntfs.sys
    0xF766E000 NDIS.sys
    0xF788E000 uagp35.sys
    0xF7654000 Mup.sys
    0xF793E000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0xF7256000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
    0xF70C5000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xF794E000 \SystemRoot\system32\DRIVERS\imapi.sys
    0xF795E000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xF796E000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xF70A2000 \SystemRoot\system32\DRIVERS\ks.sys
    0xF7B86000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
    0xF7B8E000 \SystemRoot\system32\DRIVERS\usbohci.sys
    0xF707E000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xF7B96000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xF7B9E000 \SystemRoot\system32\DRIVERS\sisnic.sys
    0xF797E000 \SystemRoot\system32\DRIVERS\mf.sys
    0xF7BA6000 \SystemRoot\system32\DRIVERS\fdc.sys
    0xF798E000 \SystemRoot\system32\DRIVERS\serial.sys
    0xF7CF2000 \SystemRoot\system32\DRIVERS\serenum.sys
    0xF706A000 \SystemRoot\system32\DRIVERS\parport.sys
    0xF7F4E000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xF799E000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xF7CF6000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xF7053000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xF79AE000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xF79BE000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xF7BAE000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xF7042000 \SystemRoot\system32\DRIVERS\psched.sys
    0xF79CE000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xF7BB6000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xF7BBE000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xF7012000 \SystemRoot\system32\DRIVERS\rdpdr.sys
    0xF79EE000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xF7BC6000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xF7BCE000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xF7D70000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xF6FB4000 \SystemRoot\system32\DRIVERS\update.sys
    0xF7D12000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xF7A2E000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xF7A3E000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xF7D72000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xAA781000 \SystemRoot\system32\drivers\adm8820.sys
    0xAA75D000 \SystemRoot\system32\drivers\portcls.sys
    0xF7A4E000 \SystemRoot\system32\drivers\drmk.sys
    0xF7628000 \SystemRoot\system32\DRIVERS\admjoy.sys
    0xF7BF6000 \SystemRoot\system32\DRIVERS\flpydisk.sys
    0xF7DA2000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xF7EEE000 \SystemRoot\System32\Drivers\Null.SYS
    0xF7DA4000 \SystemRoot\System32\Drivers\Beep.SYS
    0xF7C06000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0xF7C0E000 \SystemRoot\System32\drivers\vga.sys
    0xF7DA6000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xF7DA8000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xF7C16000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xF7C1E000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xF6F8C000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xAA6E2000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xAA689000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xF78BE000 \SystemRoot\System32\Drivers\aswTdi.SYS
    0xAA661000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xF7C26000 \SystemRoot\System32\Drivers\aswRdr.SYS
    0xAA63F000 \SystemRoot\System32\drivers\afd.sys
    0xF78CE000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xF7C2E000 \SystemRoot\System32\Drivers\SCDEmu.SYS
    0xAA5EC000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xAA554000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xF78DE000 \SystemRoot\System32\Drivers\Fips.SYS
    0xAA52E000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xF78EE000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xAA444000 \SystemRoot\System32\Drivers\aswSP.SYS
    0xAA3D4000 \SystemRoot\System32\Drivers\aswSnx.SYS
    0xF7ACE000 \SystemRoot\System32\Drivers\Aavmker4.SYS
    0xF7B1E000 \SystemRoot\system32\DRIVERS\usbccgp.sys
    0xF79DE000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xF7B26000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    0xAA3C4000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0xF6F7C000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0xAA3BC000 \SystemRoot\system32\DRIVERS\kbdhid.sys
    0xAA394000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xF7D66000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xF6FAC000 \SystemRoot\System32\drivers\Dxapi.sys
    0xF7B2E000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xF7E9F000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF012000 \SystemRoot\System32\ati2dvag.dll
    0xBF065000 \SystemRoot\System32\ati2cqag.dll
    0xBF0FE000 \SystemRoot\System32\atikvmag.dll
    0xBF182000 \SystemRoot\System32\atiok3x2.dll
    0xBF1CD000 \SystemRoot\System32\ati3duag.dll
    0xBF572000 \SystemRoot\System32\ativvaxx.dll
    0xBF9C5000 \SystemRoot\System32\ATMFD.DLL
    0xAA623000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
    0xA826C000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xA800D000 \SystemRoot\System32\Drivers\aswMon2.SYS
    0xA7D50000 \SystemRoot\system32\drivers\wdmaud.sys
    0xA7F8D000 \SystemRoot\system32\drivers\sysaudio.sys
    0xA7B15000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xF7D8E000 \SystemRoot\System32\Drivers\ParVdm.SYS
    0xF7B66000 \SystemRoot\System32\drivers\aspi32.sys
    0xA79CD000 \SystemRoot\system32\DRIVERS\srv.sys
    0xA7A7D000 \SystemRoot\system32\DRIVERS\secdrv.sys
    0xA7889000 \??\C:\Program Files\CyberLink\PowerDVD9\000.fcl
    0xA7488000 \SystemRoot\System32\Drivers\HTTP.sys
    0xA747C000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0xA7329000 \??\C:\DOCUME~1\Emily\LOCALS~1\Temp\fgdcapod.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 35):
    0 System Idle Process
    4 System
    516 C:\WINDOWS\system32\smss.exe
    572 csrss.exe
    604 C:\WINDOWS\system32\winlogon.exe
    648 C:\WINDOWS\system32\services.exe
    660 C:\WINDOWS\system32\lsass.exe
    816 C:\WINDOWS\system32\ati2evxx.exe
    832 C:\WINDOWS\system32\svchost.exe
    928 svchost.exe
    996 C:\WINDOWS\system32\svchost.exe
    1064 svchost.exe
    1084 C:\WINDOWS\system32\ati2evxx.exe
    1200 svchost.exe
    1416 C:\WINDOWS\explorer.exe
    1492 C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    1588 C:\Program Files\AVAST Software\Avast\AvastUI.exe
    1604 C:\WINDOWS\system32\ctfmon.exe
    2012 C:\WINDOWS\system32\spoolsv.exe
    408 svchost.exe
    444 C:\Program Files\AGI\core\4.2.0.10754\AGCoreService.exe
    464 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    568 C:\Program Files\Bonjour\mDNSResponder.exe
    776 C:\WINDOWS\system32\svchost.exe
    1048 C:\Program Files\Java\jre6\bin\jqs.exe
    1240 C:\WINDOWS\system32\svchost.exe
    1560 C:\WINDOWS\system32\svchost.exe
    1316 C:\WINDOWS\system32\svchost.exe
    2148 C:\WINDOWS\system32\searchindexer.exe
    3268 alg.exe
    2416 C:\Program Files\Mozilla Firefox\firefox.exe
    176 C:\Program Files\Mozilla Firefox\plugin-container.exe
    2792 C:\WINDOWS\system32\searchprotocolhost.exe
    3584 searchfilterhost.exe
    3708 C:\Documents and Settings\Emily\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
    \\.\G: --> \\.\PhysicalDrive1 at offset 0x00000000`00100000 (NTFS)

    PhysicalDrive0 Model Number: SAMSUNGSP0822N, Rev: WA100-31
    PhysicalDrive1 Model Number: WDExt HDD 1021, Rev: 2002

    Size Device Name MBR Status
    --------------------------------------------
    74 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
    931 GB \\.\PhysicalDrive1 RE: Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


    Done!

After that I disabled my internet and virus program and proceeded with combofix, forgetting I needed to be connected to the internet to install the Microsoft Windows Recovery Console. I tried reconnecting, but it kept failing to connect, so I just let combofix continue to run, since a message came up saying combofix wanted to continue scanning for malware. Here are the results:
    ComboFix 11-05-13.02 - Emily 05/13/2011 17:39:28.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.664 [GMT -7:00]
    Running from: c:\documents and settings\Emily\Desktop\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Emily\Application Data\Adobe\plugs
    c:\documents and settings\Emily\Application Data\Adobe\shed
    c:\documents and settings\Emily\Local Settings\Application Data\{572FBE01-02C6-4A99-B7F7-FC9C8FE7E6E3}
    c:\documents and settings\Emily\Local Settings\Application Data\{572FBE01-02C6-4A99-B7F7-FC9C8FE7E6E3}\chrome.manifest
    c:\documents and settings\Emily\Local Settings\Application Data\{572FBE01-02C6-4A99-B7F7-FC9C8FE7E6E3}\chrome\content\_cfg.js
    c:\documents and settings\Emily\Local Settings\Application Data\{572FBE01-02C6-4A99-B7F7-FC9C8FE7E6E3}\chrome\content\overlay.xul
    c:\documents and settings\Emily\Local Settings\Application Data\{572FBE01-02C6-4A99-B7F7-FC9C8FE7E6E3}\install.rdf
    G:\Autorun.inf
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-04-14 to 2011-05-14 )))))))))))))))))))))))))))))))
    .
    .
    2011-05-13 09:20 . 2011-05-13 09:20 -------- d-----w- c:\program files\ESET
    2011-05-13 09:20 . 2011-05-13 09:20 2322184 ----a-w- C:\esetsmartinstaller_enu.exe
    2011-05-13 07:02 . 2011-05-13 07:19 -------- d-----w- C:\TDSS
    2011-05-13 01:25 . 2011-05-13 01:25 625664 ----a-w- C:\dds.scr
    2011-05-13 00:00 . 2011-05-13 00:00 1376832 ----a-w- C:\sar_15_sfx.exe
    2011-05-12 09:42 . 2011-05-13 05:11 -------- d-----w- C:\gmer
    2011-05-12 08:35 . 2011-05-12 08:34 190032 ----a-w- c:\windows\system32\drivers\tmcomm.sys
    2011-05-10 01:58 . 2011-05-10 01:58 -------- d-----w- c:\program files\CyberDefender
    2011-05-07 07:58 . 2011-05-07 07:58 0 ----a-w- c:\windows\Ycoqetekolasihik.bin
    2011-05-03 02:10 . 2011-05-03 02:10 -------- d-----w- c:\windows\Sun
    2011-04-20 09:32 . 2011-04-20 09:32 -------- d-----w- c:\documents and settings\Emily\Application Data\HP
    2011-04-20 09:05 . 2011-04-20 09:05 -------- d-----w- c:\documents and settings\Emily\Local Settings\Application Data\HP
    2011-04-20 08:43 . 2011-04-20 08:43 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
    2011-04-20 08:34 . 2011-04-20 08:43 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
    2011-04-20 08:28 . 2011-04-20 08:28 -------- d-----w- c:\program files\Common Files\HP
    2011-04-20 08:28 . 2011-04-20 08:28 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
    2011-04-20 08:27 . 2011-04-20 08:27 -------- d-----w- c:\program files\Hewlett-Packard
    2011-04-20 08:22 . 2007-01-17 16:37 16496 ----a-r- c:\windows\system32\drivers\HPZipr12.sys
    2011-04-20 08:22 . 2007-01-17 16:37 49920 ----a-r- c:\windows\system32\drivers\HPZid412.sys
    2011-04-20 08:19 . 2011-04-20 08:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard
    2011-04-20 08:18 . 2007-11-06 02:06 278016 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpzpp5mu.dll
    2011-04-20 08:18 . 2007-11-06 02:07 118272 ----a-w- c:\windows\system32\hpz3l5mu.dll
    2011-04-20 08:18 . 2007-11-07 02:10 271704 ----a-r- c:\windows\system32\hpzids01.dll
    2011-04-20 08:17 . 2007-01-17 16:37 21568 ----a-r- c:\windows\system32\drivers\HPZius12.sys
    2011-04-20 08:16 . 2007-01-17 16:37 364544 ----a-r- c:\windows\system32\hppldcoi.dll
    2011-04-20 08:16 . 2007-01-17 16:37 309760 ----a-r- c:\windows\system32\difxapi.dll
    2011-04-20 08:16 . 2007-01-17 16:31 294912 ----a-r- c:\windows\system32\hpovst11.dll
    2011-04-20 08:16 . 2007-10-31 10:35 729088 ----a-r- c:\windows\system32\hpwwiax4.dll
    2011-04-20 08:16 . 2007-10-31 10:35 593920 ----a-r- c:\windows\system32\hpwtscl3.dll
    2011-04-20 04:43 . 2007-11-07 02:15 1140056 ----a-r- c:\windows\hpzmsi01.exe
    2011-04-20 04:43 . 2007-11-07 02:04 1373528 ----a-r- c:\windows\hpzshl01.exe
    2011-04-20 04:43 . 2011-04-20 04:43 -------- d-----w- c:\windows\yellowtail
    2011-04-20 04:42 . 2011-04-20 08:43 -------- d-----w- c:\program files\HP
    2011-04-20 04:42 . 2008-04-13 17:45 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
    2011-04-20 04:42 . 2008-04-13 17:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
    2011-04-20 04:42 . 2008-04-13 17:47 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
    2011-04-20 04:42 . 2008-04-13 17:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-05-13 07:01 . 2011-05-13 07:01 1280815 ----a-w- C:\tdsskiller.zip
    2011-05-10 12:10 . 2011-04-02 04:41 40112 ----a-w- c:\windows\avastSS.scr
    2011-05-10 12:10 . 2011-04-02 04:41 199304 ----a-w- c:\windows\system32\aswBoot.exe
    2011-05-10 12:03 . 2011-04-02 04:41 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-05-10 12:03 . 2011-04-02 04:41 307928 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-05-10 12:02 . 2011-04-02 04:41 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-05-10 12:02 . 2011-04-02 04:41 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2011-05-10 12:02 . 2011-04-02 04:41 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2011-05-10 11:59 . 2011-04-02 04:41 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-05-10 11:59 . 2011-04-02 04:41 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2011-05-10 11:59 . 2011-04-02 04:41 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-04-02 01:53 . 2011-04-02 01:53 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-04-02 01:53 . 2011-04-02 01:53 411368 ----a-w- c:\windows\system32\deploytk.dll
    2011-04-02 01:08 . 2011-04-02 00:56 29480 ----a-w- c:\windows\system32\msxml3a.dll
    2011-04-02 01:08 . 2011-04-02 00:50 505128 ----a-w- c:\windows\system32\msvcp71.dll
    2011-04-02 01:08 . 2011-04-02 00:50 353576 ----a-w- c:\windows\system32\msvcr71.dll
    2011-02-18 23:36 . 2011-04-02 03:19 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
    2011-02-18 23:36 . 2011-04-02 03:19 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
    .
    Code:
    c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart .exe
    c:\program files\HP\Digital Imaging\bin\hpqSRMon .exe
    c:\program files\HP\HP Software Update\HPWuSchd2 .exe
    c:\windows\system32\rundll32 .exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{0BC6E3FA-78EF-4886-842C-5A1258C4455A}"= "mscoree.dll" [2009-11-06 297808]
    .
    [HKEY_CLASSES_ROOT\clsid\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
    [HKEY_CLASSES_ROOT\agihelper.AGUtils]
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
    2009-11-06 05:17 297808 ----a-w- c:\windows\system32\mscoree.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-05-10 12:10 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-05-10 3459712]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^Emily^Start Menu^Programs^Startup^Webshots.lnk]
    path=c:\documents and settings\Emily\Start Menu\Programs\Startup\Webshots.lnk
    backup=c:\windows\pss\Webshots.lnkStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    c:\windows\system32\dumprep 0 -k [X]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\asecpp70.exe]
    c:\documents and settings\Emily\Application Data\B048D7F1E838916CD6AFD9D3C6713578\asecpp70.exe [N/A]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    c:\program files\HP\HP Software Update\HPWuSchd2.exe [N/A]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
    c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe [N/A]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyCleanPC Registry Cleaner]
    c:\program files\CyberDefender\Registry Scanner\CDregclean.exe [N/A]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
    2007-04-09 12:23 200704 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
    c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [N/A]
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
    "3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
    "50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
    "50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
    .
    R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\A.tmp [x]
    S1 aswSnx;aswSnx; [x]
    S1 aswSP;aswSP; [x]
    S2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2011/04/01 17:58];c:\program files\CyberLink\PowerDVD9\000.fcl [2009-05-08 04:05 87536]
    S2 AGCoreService;AG Core Services;c:\program files\AGI\core\4.2.0.10754\AGCoreService.exe [2010-06-29 20480]
    S2 aswFsBlk;aswFsBlk; [x]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-04-02 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.ca/
    uInternet Settings,ProxyOverride = *.local
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
    IE: Free YouTube to MP3 Converter - c:\documents and settings\Emily\Application Data\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
    FF - ProfilePath - c:\documents and settings\Emily\Application Data\Mozilla\Firefox\Profiles\xy85n44r.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/ig?hl=en#t_0
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\AVAST Software\Avast\WebRep\FF
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: DVDVideoSoft Menu: {ACAA314B-EEBA-48e4-AD47-84E31C44796C} - %profile%\extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C}
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-05-13 18:18
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
    "ImagePath"="\??\c:\windows\system32\A.tmp"
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{B154377D-700F-42cc-9474-23858FBDF4BD}]
    "ImagePath"="\??\c:\program files\CyberLink\PowerDVD9\000.fcl"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(564)
    c:\windows\system32\Ati2evxx.dll
    .
    Completion time: 2011-05-13 18:37:14
    ComboFix-quarantined-files.txt 2011-05-14 01:36
    .
    Pre-Run: 54,426,267,648 bytes free
    Post-Run: 54,402,711,552 bytes free
    .
    - - End Of File - - 4A1DB7A5A584EAF70DBFD3BA975C2EA3

    Then I ran Eset; it took around 6 hours to complete and only found:

    C:\System Volume Information\_restore{2D4C0AFE-27F0-4A63-B549-5921EF306D85}\RP20\A0006328.exe Win32/Toolbar.AskSBar application
    C:\System Volume Information\_restore{2D4C0AFE-27F0-4A63-B549-5921EF306D85}\RP60\A0016073.ini Win32/Adware.AntimalwareDoctor.AE.Gen application
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, it appears that the rootkit has been handled. Eset is fine. The 2 entries are System Restore points. They are not active in the system now. I will have you remove the old restore points when we're finished and set a new, clean one. (It goes without saying that you shouldn't be doing a System Restore during cleaning!)

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry. Do not install new programs unless I have directed you to.

    You put the Sophos AntiRootkit on the system the day after you posted the logs. This means that there can be changes in the logs and it makes it more difficult to work with them.
    =========================================
    Regarding Antimalware Doctor: It is a rogue anti-spyware program that displays fake security alerts and reports false scan results to make you think that your computer is infected with malware. This fake program is promoted and installed through the use of trojan viruses that usually come from fake online scanner and various bogus websites. The scam is that it will claim that you must purchase the program in order to remove the infections.
    =========================================
    Unless you can't get into Normal Mode, you should do these scans in Normal Mode. Combofix will disconnect briefly, but it's after the Repair Console query. If you need to boot into Safe Mode, I will tell you. You can connect and run Combofix again if you want, then go ahead and install the Recovery Console. After doing that, go on with the following:

    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    c:\windows\system32\a.tmp
    c:\windows\system32\A.tmp 
    c:\windows\Ycoqetekolasihik.bin
    DirLook::
    c:\windows\yellowtail
    RenV::
    c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart .exe
    c:\program files\HP\Digital Imaging\bin\hpqSRMon .exe
    c:\program files\HP\HP Software Update\HPWuSchd2 .exe
    c:\windows\system32\rundll32 .exe
    Folder::
    c:\docume~1\emily\locals~1\applic~1\{572FBE01-02C6-4A99-B7F7-FC9C8FE7E6E3}
    Registry::
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{0BC6E3FA-78EF-4886-842C-5A1258C4455A}"=-
    [HKEY_CLASSES_ROOT\clsid\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
    [HKEY_CLASSES_ROOT\agihelper.AGUtils]
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\asecpp70.exe]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyCleanPC Registry Cleaner]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
    "ImagePath"=-
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{B154377D-700F-42cc-9474-23858FBDF4BD}]
    "ImagePath"=-
    Driver::
    MEMSWEEP2
    FCopy::
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    Please uninstall CyberDefender. This is not a good program to have. It brings 'MyCleanPC' bundled with it, along with BHOs and Toolbars. So remove any related entries also.
    ===================================
    An important note: If you are not already using a Site Advisor, I recommend WOT:

    The Web of Trust (WOT) add-on is a safe surfing tool for your browser. Traffic-light rating symbols rate the site for Trustworthiness, Vendor Reliability, Privacy and Child Safety. Your online email accounts (Google Mail, Yahoo! Mail and Hotmail) are also protected.

    Every time you do a search and the screen comes up with the sites, they will have the rating light. Green (2 shades), Amber/Yellow> caution, Red> not advised. A few sites haven't been rated and show as a blue flashlight. Go for the Green only. That will tell you that the site is safe and reliable and/or whatever program you're searching for should be safe.

    If you want to link to another site from the page you're on, WOT will give you an Alert if the site is known for fraudulent entries, unreliable or other, and the site won't load. Don't worry, those Alerts don't happen if you stick to the green rating.
     
  8. emilyrose

    emilyrose TS Rookie Topic Starter

    I installed the Recovery Console and ran Combofix with the custom script, here are the results:
    ComboFix 11-05-14.01 - Emily 05/14/2011 18:19:14.3.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.657 [GMT -7:00]
    Running from: c:\documents and settings\Emily\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Emily\Desktop\CFScript.txt.txt
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    FILE ::
    "c:\windows\system32\a.tmp"
    "c:\windows\Ycoqetekolasihik.bin"
    .
    PEV Error: StartUpFile
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\Ycoqetekolasihik.bin
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_MEMSWEEP2
    -------\Service_MEMSWEEP2
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-04-15 to 2011-05-15 )))))))))))))))))))))))))))))))
    .
    .
    2011-05-13 23:55 . 2011-05-13 23:55 80384 ----a-w- C:\MBRCheck.exe
    2011-05-13 09:20 . 2011-05-13 09:20 -------- d-----w- c:\program files\ESET
    2011-05-13 09:20 . 2011-05-13 09:20 2322184 ----a-w- C:\esetsmartinstaller_enu.exe
    2011-05-13 07:02 . 2011-05-13 07:19 -------- d-----w- C:\TDSS
    2011-05-13 01:25 . 2011-05-13 01:25 625664 ----a-w- C:\dds.scr
    2011-05-13 00:00 . 2011-05-13 00:00 1376832 ----a-w- C:\sar_15_sfx.exe
    2011-05-12 09:42 . 2011-05-13 05:11 -------- d-----w- C:\gmer
    2011-05-12 08:35 . 2011-05-12 08:34 190032 ----a-w- c:\windows\system32\drivers\tmcomm.sys
    2011-05-10 01:58 . 2011-05-10 01:58 -------- d-----w- c:\program files\CyberDefender
    2011-05-03 02:10 . 2011-05-03 02:10 -------- d-----w- c:\windows\Sun
    2011-04-20 09:32 . 2011-04-20 09:32 -------- d-----w- c:\documents and settings\Emily\Application Data\HP
    2011-04-20 09:05 . 2011-04-20 09:05 -------- d-----w- c:\documents and settings\Emily\Local Settings\Application Data\HP
    2011-04-20 08:43 . 2011-04-20 08:43 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
    2011-04-20 08:34 . 2011-04-20 08:43 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
    2011-04-20 08:28 . 2011-04-20 08:28 -------- d-----w- c:\program files\Common Files\HP
    2011-04-20 08:28 . 2011-04-20 08:28 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
    2011-04-20 08:27 . 2011-04-20 08:27 -------- d-----w- c:\program files\Hewlett-Packard
    2011-04-20 08:22 . 2007-01-17 16:37 16496 ----a-r- c:\windows\system32\drivers\HPZipr12.sys
    2011-04-20 08:22 . 2007-01-17 16:37 49920 ----a-r- c:\windows\system32\drivers\HPZid412.sys
    2011-04-20 08:19 . 2011-04-20 08:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard
    2011-04-20 08:18 . 2007-11-06 02:06 278016 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpzpp5mu.dll
    2011-04-20 08:18 . 2007-11-06 02:07 118272 ----a-w- c:\windows\system32\hpz3l5mu.dll
    2011-04-20 08:18 . 2007-11-07 02:10 271704 ----a-r- c:\windows\system32\hpzids01.dll
    2011-04-20 08:17 . 2007-01-17 16:37 21568 ----a-r- c:\windows\system32\drivers\HPZius12.sys
    2011-04-20 08:16 . 2007-01-17 16:37 364544 ----a-r- c:\windows\system32\hppldcoi.dll
    2011-04-20 08:16 . 2007-01-17 16:37 309760 ----a-r- c:\windows\system32\difxapi.dll
    2011-04-20 08:16 . 2007-01-17 16:31 294912 ----a-r- c:\windows\system32\hpovst11.dll
    2011-04-20 08:16 . 2007-10-31 10:35 729088 ----a-r- c:\windows\system32\hpwwiax4.dll
    2011-04-20 08:16 . 2007-10-31 10:35 593920 ----a-r- c:\windows\system32\hpwtscl3.dll
    2011-04-20 04:43 . 2007-11-07 02:15 1140056 ----a-r- c:\windows\hpzmsi01.exe
    2011-04-20 04:43 . 2007-11-07 02:04 1373528 ----a-r- c:\windows\hpzshl01.exe
    2011-04-20 04:43 . 2011-04-20 04:43 -------- d-----w- c:\windows\yellowtail
    2011-04-20 04:42 . 2011-04-20 08:43 -------- d-----w- c:\program files\HP
    2011-04-20 04:42 . 2008-04-13 17:45 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
    2011-04-20 04:42 . 2008-04-13 17:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
    2011-04-20 04:42 . 2008-04-13 17:47 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
    2011-04-20 04:42 . 2008-04-13 17:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-05-13 07:01 . 2011-05-13 07:01 1280815 ----a-w- C:\tdsskiller.zip
    2011-05-10 12:10 . 2011-04-02 04:41 40112 ----a-w- c:\windows\avastSS.scr
    2011-05-10 12:10 . 2011-04-02 04:41 199304 ----a-w- c:\windows\system32\aswBoot.exe
    2011-05-10 12:03 . 2011-04-02 04:41 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-05-10 12:03 . 2011-04-02 04:41 307928 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-05-10 12:02 . 2011-04-02 04:41 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-05-10 12:02 . 2011-04-02 04:41 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2011-05-10 12:02 . 2011-04-02 04:41 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2011-05-10 11:59 . 2011-04-02 04:41 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-05-10 11:59 . 2011-04-02 04:41 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2011-05-10 11:59 . 2011-04-02 04:41 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-04-02 01:53 . 2011-04-02 01:53 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-04-02 01:53 . 2011-04-02 01:53 411368 ----a-w- c:\windows\system32\deploytk.dll
    2011-04-02 01:08 . 2011-04-02 00:56 29480 ----a-w- c:\windows\system32\msxml3a.dll
    2011-04-02 01:08 . 2011-04-02 00:50 505128 ----a-w- c:\windows\system32\msvcp71.dll
    2011-04-02 01:08 . 2011-04-02 00:50 353576 ----a-w- c:\windows\system32\msvcr71.dll
    2011-02-18 23:36 . 2011-04-02 03:19 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
    2011-02-18 23:36 . 2011-04-02 03:19 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
    .
    .
    (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    ---- Directory of c:\windows\yellowtail ----
    .
    2011-04-20 04:43 . 2007-06-08 13:12 340 ----a-r- c:\windows\yellowtail\scrub2k.ini
    2011-04-20 04:43 . 2007-05-09 11:07 65536 ----a-r- c:\windows\yellowtail\scrub2k.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
    2009-11-06 05:17 297808 ----a-w- c:\windows\system32\mscoree.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-05-10 12:10 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-05-10 3459712]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^Emily^Start Menu^Programs^Startup^Webshots.lnk]
    path=c:\documents and settings\Emily\Start Menu\Programs\Startup\Webshots.lnk
    backup=c:\windows\pss\Webshots.lnkStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    c:\windows\system32\dumprep 0 -k [X]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2007-10-15 04:17 49152 ----a-w- c:\program files\HP\HP Software Update\HPWuSchd2.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
    2007-08-22 23:31 80896 ----a-w- c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
    2007-04-09 12:23 200704 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
    2010-02-11 06:32 61440 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
    "3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
    "50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
    "50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
    .
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [4/1/2011 9:41 PM 441176]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/1/2011 9:41 PM 307928]
    R2 AGCoreService;AG Core Services;c:\program files\AGI\core\4.2.0.10754\AGCoreService.exe [4/3/2011 5:46 PM 20480]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/1/2011 9:41 PM 19544]
    S2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2011/04/01 17:58]; [x]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-04-02 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.ca/
    uInternet Settings,ProxyOverride = *.local
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
    IE: Free YouTube to MP3 Converter - c:\documents and settings\Emily\Application Data\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
    FF - ProfilePath - c:\documents and settings\Emily\Application Data\Mozilla\Firefox\Profiles\xy85n44r.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/ig?hl=en#t_0
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\AVAST Software\Avast\WebRep\FF
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: DVDVideoSoft Menu: {ACAA314B-EEBA-48e4-AD47-84E31C44796C} - %profile%\extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C}
    .
    - - - - ORPHANS REMOVED - - - -
    .
    MSConfigStartUp-asecpp70 - c:\documents and settings\Emily\Application Data\B048D7F1E838916CD6AFD9D3C6713578\asecpp70.exe
    MSConfigStartUp-MyCleanPC Registry Cleaner - c:\program files\CyberDefender\Registry Scanner\CDregclean.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-05-14 19:04
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(608)
    c:\windows\system32\Ati2evxx.dll
    .
    - - - - - - - > 'explorer.exe'(1196)
    c:\windows\system32\WININET.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\Ati2evxx.exe
    c:\program files\AVAST Software\Avast\AvastSvc.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\SearchIndexer.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2011-05-14 19:20:17 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-05-15 02:19
    ComboFix2.txt 2011-05-14 23:51
    .
    Pre-Run: 54,200,967,168 bytes free
    Post-Run: 54,099,271,680 bytes free
    .
    - - End Of File - - 91291A7A2E2AFE33283BC25337B4E66F

    A message did come up at the end saying there has been a rootkit detected and restarted the computer, after it finished rebooting avast pops up with a message saying suspicious files have been found: \\??\C:\...\catchme.sys Is this bad?
    Also I uninstalled Sophos and Cyber Defender, as well as installed WOT. I didn't have a Site Advisor before; do you know if it's safe to be doing online banking/PayPal accounts as well at the moment?
    Thank you so much for all the help!
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I'd like you to do a couple of things for me while I finish checking this log:

    1. Repeating:
    After it is uninstalled, you will remove the program folder, like this:
    Right click on Start> Click on Explore. This opens Windows Explorer and allows you to follow this path > My Computer> Double click on Local Drive(C)> Programs> Find CyberDefender> Do a Right click> Delete> Look for a separate folder named MyCleanPC. If there is one, do a right click> Delete on it also. Then Exit and close Windows Explorer.
    =============================================
    Using the path below, you're going to uncheck all processes related to HP and its Digital Imaging:
    To remove entries from the Startup Menu using the msconfig utility:
    • Click on Start> Run> type in msconfig> enter>
    • Click on Selective Startup
    • Choose the Startup tab:
      All images courtesy NetSquirrel
    • To expand the Command Column, (this shows what the process 'belongs' to) hold left mouse button down on the dividing line on frame above Location and move to the right to expand.
    • Uncheck any processes for HP and its Digital Imaging
    • Click on Apply> OK when finished.
    NOTE:
    When you reboot the system the first time after making changes using the msconfig utility, a nag message comes up that can be ignored and closed after checking 'don't show this message again.' Remain in Selective Startup to retain those changes.
    ========================================
    Taking the printer off of startup does not uninstall it. It just stops it from starting on boot and running in the background. All my printers/scanners/AIO have been from HP. They put a multitude of entries on the Startup Menu. I removed all of mine and have no problem. To Print, click on File> Print. You can make any adjustments to the print out by doing that. You can open the HP Image Director in All Programs if you need to use it.
    =====================================
    When you have finished with all of the above, please run this:
    Download HijackThis and save to your desktop.
    • Extract it to a directory on your hard drive called c:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
    • The log file will then open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

    Between the two of us, we will make sure the malware is gone and that your system isn't being overloaded running unneeded processes in the background. I have some of these entries in the Registry set up with script for HP to make sure they don't run until you need it.
     
  10. emilyrose

    emilyrose TS Rookie Topic Starter

    Hmm, that's strange. I had already uninstalled Cyber Defender; it's not showing up in my Add/Remove Programs, nor are there any folders in Windows Explorer related to it. I just opened WE the normal way since I didn't see an option for Explorer by right-clicking on the taskbar (just see toolbars, cascade windows, tile windows horizontally/vertically, show the desktop, task manager, lock taskbar and properties). In MSCONFIG the only 2 things selected under "Startup" are "avastUI" and "ctfmon"; everything else I had already unchecked. It was already on "Selective Startup" as well. Here are the results from HijackThis:
    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 5:00:44 PM, on 5/15/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    C:\Program Files\AVAST Software\Avast\avastUI.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AGI\core\4.2.0.10754\AGCoreService.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\System32\svchost.exe
    C:\HiJackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
    O2 - BHO: agihelper.AGUtils - {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll (file missing)
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Increase performance and video formats for your HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll
    O2 - BHO: Use the DivX Plus Web Player to watch web videos with less interruptions and smoother playback on supported sites - {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MI1933~1\Office12\GRA8E1~1.DLL
    O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Free YouTube to MP3 Converter - C:\Documents and Settings\Emily\Application Data\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
    O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1301695638546
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1301695622984
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MI1933~1\Office12\GR99D3~1.DLL
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
    O23 - Service: AG Core Services (AGCoreService) - AG Interactive - C:\Program Files\AGI\core\4.2.0.10754\AGCoreService.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

    --
    End of file - 8851 bytes
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    My apology about accessing Windows Explorer. My direction was incorrect. It should have been "Right click on Start> Explore". You can also get there using the Windows key + E. Here is the path to delete the program folder, corrected:


    What model of HP printer do you have now? There are multiple HP processes running for a printer installed in 2007.
     
  12. emilyrose

    emilyrose TS Rookie Topic Starter

    So I went through Windows Explorer and wasn't able to find any Cyber Defender or MyCleanPC folders. I also did a Windows search and looked in the registry as well; it looks like they're gone. I have an HP Officejet J4500 Series and there aren't any HP processes running in Task Manager at the moment; I disabled them all in msconfig.
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I missed the earlier:
    G:\Autorun.inf removal in Combofix indicates possibly using an infected flash drive
    This may be the reason for the repeated warnings. You'll need to disinfect the flash drive:
    You may have a flash drive infection. These worms travel through your portable drives. If they have been connected to other machines, they may now be infected.

    Please disinfect all movable drives
    1. Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
    2. Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
      Note: Some security programs will flag Flash_Disinfector as being some sort of malware; you can safely ignore these warnings.
    3. The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    4. Wait until it has finished scanning and then exit the program.
    5. Reboot your computer when done.

    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
    =================
    Adobe Reader is outdated. Visit this Adobe Reader site. Uninstall any earlier updates as they are vulnerabilities. You have numerous entries for v8. Hopefully the update and uninstall of the outdated version will bring them current.
    Java is outdated. Check this site: Java Updates. Uninstall any earlier versions in Add/Remove Programs as they are vulnerabilities for the system.
    ===========================================
    About this question:
    This is an apples and oranges question. WOT is a Site Advisor. It has rating criteria for Trustworthiness, Vendor Reliability, Privacy, Child Safety.

    The only suggestion I can give by way of comparison is that if I wanted to use PayPal for a financial transaction, I would only want to use it on a site that was well rated.
    =============================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    C:\tdsskiller.zip
    c:\windows\yellowtail\scrub2k.ini
    c:\windows\yellowtail\scrub2k.exe
    Folder::
    c:\program files\CyberDefender
    c:\windows\yellowtail
    DDS::
    uURLSearchHooks: agihelper.AGUtils: {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll
    BHO: agihelper.AGUtils: {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll
    TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    
    Registry::
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    
    Driver::
    
    FCopy::
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste it in your next reply.
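The flash-drive advice above (an autorun.inf worm spreads by dropping a launcher file at the root of every removable drive, and Flash_Disinfector blocks that by pre-creating a hidden folder named autorun.inf) can be checked and applied by hand. The script below is an added example written for this thread; it is not Flash_Disinfector's, ComboFix's or the poster's code. It parses an autorun.inf the way Windows does (case-insensitive keys, junk lines ignored), flags entries that launch an executable or imitate the stock "Open folder to view files" AutoPlay item, and creates the protective folder only when no file of that name is already present. The two autorun.inf samples and the drive roots it audits are constructed in a temporary directory; the `+s` attribute is an extra hardening choice of this example, not something the thread states.

```python
"""
Audit a drive root for the autorun.inf worm vector and apply the
"pre-create a folder named autorun.inf" mitigation.  Added example for
this thread; not Flash_Disinfector's or ComboFix's code.
"""
import re
import subprocess
import sys
import tempfile
from pathlib import Path

# [autorun] keys that make Windows run (or offer to run) a program when the
# drive is inserted: open=, shellexecute=, and the shell\<verb>\command= family.
LAUNCH_KEYS = ("open", "shell")
EXECUTABLE_EXT = re.compile(r"\.(exe|com|scr|bat|cmd|pif|vbs|js)\b", re.IGNORECASE)

# Constructed samples for the demo; not taken from the thread's logs.
SAMPLE_WORM_INF = """[AutoRun]
;;;; junk comment lines are common padding
open=System~1\\photo.scr
shell\\open\\Command=System~1\\photo.scr
shell\\explore\\command=System~1\\photo.scr
action=Open folder to view files
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""
SAMPLE_BENIGN_INF = """[autorun]
label=HP Backup
icon=backup.ico
"""


def parse_autorun(text):
    """Return the key/value pairs of the [autorun] section, keys lower-cased.

    Tolerant on purpose: lines without '=' are skipped and later duplicates
    overwrite earlier ones, so padding or garbage does not break the audit.
    """
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def classify(text):
    """Return ("suspicious" | "benign", reasons) for autorun.inf content.

    On a removable drive any entry that launches an executable deserves review.
    """
    entries = parse_autorun(text)
    reasons = []
    for key, value in entries.items():
        if key.startswith(LAUNCH_KEYS) and EXECUTABLE_EXT.search(value):
            reasons.append(f"{key}= launches an executable: {value}")
    # Worms set action= to the wording of the stock AutoPlay entry so the
    # malicious item looks like the normal "Open folder" choice.
    if "open folder" in entries.get("action", "").lower():
        reasons.append("action= imitates the stock 'Open folder to view files' entry")
    return ("suspicious" if reasons else "benign"), reasons


def audit_drive(root):
    """Describe the autorun.inf state at a drive root: absent, protected (folder) or file."""
    target = Path(root) / "autorun.inf"
    if not target.exists():
        return {"state": "absent", "verdict": None, "reasons": []}
    if target.is_dir():
        return {"state": "protected", "verdict": None, "reasons": []}
    verdict, reasons = classify(target.read_text(errors="replace"))
    return {"state": "file", "verdict": verdict, "reasons": reasons}


def protect_drive(root):
    """Create a folder named autorun.inf at the drive root.

    Returns True if the root ends up protected, False if a *file* of that name
    is already there: it must be examined and removed first, never clobbered.
    """
    target = Path(root) / "autorun.inf"
    if target.is_file():
        return False
    target.mkdir(exist_ok=True)
    if sys.platform == "win32":
        # hidden as the thread describes; +s is this example's extra choice
        subprocess.run(["attrib", "+h", "+s", str(target)], check=False)
    return target.is_dir()


def demo():
    """Run the audit against two constructed drive roots in a temp directory."""
    base = Path(tempfile.mkdtemp(prefix="autorun_demo_"))
    infected, clean = base / "infected_drive", base / "clean_drive"
    infected.mkdir()
    clean.mkdir()
    (infected / "autorun.inf").write_text(SAMPLE_WORM_INF)
    results = {
        "infected_before": audit_drive(infected),
        "clean_before": audit_drive(clean),
        "clean_protected": protect_drive(clean),
        "infected_protected": protect_drive(infected),
    }
    results["clean_after"] = audit_drive(clean)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it as-is to see the demo, or call `audit_drive("E:\\")` and `protect_drive("E:\\")` against a real drive letter; a `state` of `file` with a `suspicious` verdict means the launcher must be removed before the protective folder can be created.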
     
  14. emilyrose

    emilyrose TS Rookie Topic Starter

    ComboFix 11-05-14.01 - Emily 05/22/2011 1:08.4.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.635 [GMT -7:00]
    Running from: c:\documents and settings\Emily\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Emily\Desktop\CFScript.txt.txt
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    - REDUCED FUNCTIONALITY MODE -
    .
    FILE ::
    "C:\tdsskiller.zip"
    "c:\windows\yellowtail\scrub2k.exe"
    "c:\windows\yellowtail\scrub2k.ini"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\hijackthis\HiJackThis.exe
    C:\tdsskiller.zip
    c:\windows\yellowtail
    c:\windows\yellowtail\scrub2k.exe
    c:\windows\yellowtail\scrub2k.ini
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-04-22 to 2011-05-22 )))))))))))))))))))))))))))))))
    .
    .
    2011-05-22 06:14 . 2011-05-22 06:14 -------- d-----w- c:\program files\Common Files\Java
    2011-05-22 06:14 . 2011-04-14 12:08 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    2011-05-22 06:14 . 2011-04-14 12:07 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-05-22 06:11 . 2011-05-22 06:11 887072 ----a-w- C:\jre-6u25-windows-i586-iftw.exe
    2011-05-22 06:10 . 2011-05-22 06:10 12602368 ----a-w- C:\AdbeRdrUpd1001_Tier2.msp
    2011-05-17 21:23 . 2011-05-17 21:23 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-05-15 23:58 . 2011-05-22 08:11 -------- d-----w- C:\HiJackThis
    2011-05-13 23:55 . 2011-05-13 23:55 80384 ----a-w- C:\MBRCheck.exe
    2011-05-13 09:20 . 2011-05-13 09:20 -------- d-----w- c:\program files\ESET
    2011-05-13 09:20 . 2011-05-13 09:20 2322184 ----a-w- C:\esetsmartinstaller_enu.exe
    2011-05-13 07:02 . 2011-05-13 07:19 -------- d-----w- C:\TDSS
    2011-05-13 01:25 . 2011-05-13 01:25 625664 ----a-w- C:\dds.scr
    2011-05-13 00:00 . 2011-05-13 00:00 1376832 ----a-w- C:\sar_15_sfx.exe
    2011-05-12 09:42 . 2011-05-13 05:11 -------- d-----w- C:\gmer
    2011-05-12 08:35 . 2011-05-12 08:34 190032 ----a-w- c:\windows\system32\drivers\tmcomm.sys
    2011-05-03 02:10 . 2011-05-03 02:10 -------- d-----w- c:\windows\Sun
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-05-22 06:31 . 2011-05-22 06:18 132176337 ----a-w- C:\AdbeRdr1000_mui_Std.zip
    2011-05-10 12:10 . 2011-04-02 04:41 40112 ----a-w- c:\windows\avastSS.scr
    2011-05-10 12:10 . 2011-04-02 04:41 199304 ----a-w- c:\windows\system32\aswBoot.exe
    2011-05-10 12:03 . 2011-04-02 04:41 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-05-10 12:03 . 2011-04-02 04:41 307928 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-05-10 12:02 . 2011-04-02 04:41 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-05-10 12:02 . 2011-04-02 04:41 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2011-05-10 12:02 . 2011-04-02 04:41 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2011-05-10 11:59 . 2011-04-02 04:41 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-05-10 11:59 . 2011-04-02 04:41 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2011-05-10 11:59 . 2011-04-02 04:41 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-04-14 09:40 . 2011-04-02 01:53 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-04-02 01:08 . 2011-04-02 00:56 29480 ----a-w- c:\windows\system32\msxml3a.dll
    2011-04-02 01:08 . 2011-04-02 00:50 505128 ----a-w- c:\windows\system32\msvcp71.dll
    2011-04-02 01:08 . 2011-04-02 00:50 353576 ----a-w- c:\windows\system32\msvcr71.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-05-10 12:10 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-05-10 3459712]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]
    .
    c:\documents and settings\Emily\Start Menu\Programs\Startup\
    Webshots.lnk - c:\program files\Webshots\3.1.5.7619\Launcher.exe [2011-4-3 157088]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^Emily^Start Menu^Programs^Startup^Webshots.lnk]
    path=c:\documents and settings\Emily\Start Menu\Programs\Startup\Webshots.lnk
    backup=c:\windows\pss\Webshots.lnkStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    c:\windows\system32\dumprep 0 -k [X]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2007-10-15 04:17 49152 ----a-w- c:\program files\HP\HP Software Update\HPWuSchd2.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
    2007-08-22 23:31 80896 ----a-w- c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
    2007-04-09 12:23 200704 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
    2010-02-11 06:32 61440 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
    "3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
    "50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
    "50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
    .
    R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2011/04/01 17:58]; [x]
    S1 aswSnx;aswSnx; [x]
    S1 aswSP;aswSP; [x]
    S2 AGCoreService;AG Core Services;c:\program files\AGI\core\4.2.0.10754\AGCoreService.exe [2010-06-29 20480]
    S2 aswFsBlk;aswFsBlk; [x]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - JAVAQUICKSTARTERSERVICE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-04-02 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.ca/
    uInternet Settings,ProxyOverride = *.local
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
    IE: Free YouTube to MP3 Converter - c:\documents and settings\Emily\Application Data\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
    FF - ProfilePath - c:\documents and settings\Emily\Application Data\Mozilla\Firefox\Profiles\xy85n44r.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/ig?hl=en#t_0
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\AVAST Software\Avast\WebRep\FF
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-05-22 01:14
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(608)
    c:\windows\system32\Ati2evxx.dll
    .
    Completion time: 2011-05-22 01:26:02
    ComboFix-quarantined-files.txt 2011-05-22 08:25
    ComboFix2.txt 2011-05-15 02:20
    ComboFix3.txt 2011-05-14 23:51
    .
    Pre-Run: 53,253,582,848 bytes free
    Post-Run: 53,258,833,920 bytes free
    .
    - - End Of File - - E032C73D31D02EC9F31ADFBEACCBF2AD

    I checked my Add/Remove programs, it says Adobe Reader X (10.0.1) is installed and on the website it looks like that's the latest one, tried downloading the update but got a message saying: The upgrade patch cannot be installed by the Windows Installer service because the program to be upgraded may be missing, or the upgrade patch may update a different version of the program. Verify that the program to be upgraded exists on your computer and that you have the correct upgrade patch. Should I uninstall and do a reinstall? The update I downloaded was called "AdbeRdrUpd1001_tier2." My Java is now up to date as well. I did as you said and ran Flash Disinfector as well, I have an external hard drive.
     
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, something has changed because Combofix ran in - REDUCED FUNCTIONALITY MODE
    In Windows XP, this can be caused by the need to activate Office- or possibly to reactivate it. I see the following installs:
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007


    Has the activation been done? I note it's the Enterprise version. If this is being used in a work setting it may need to be activated by the IT in the office?
    ========================================
    Here's an explanation of the Adobe Reader you got:
    C:\AdbeRdrUpd1001_Tier2.msp

    The "Tier_<some number>" identifies the installer language in the filename as follows:
    * Tier 1: English, French, German, and Japanese (Reader only: MUI Reader)
    * Tier 2: Italian, Spanish, Dutch, Brazilian, Portuguese, Swedish, Danish, Finnish, and Norwegian
    This was a patch for a language that was not on the system. Therefore you got this message:
    "The upgrade patch cannot be installed by the Windows Installer service because the program to be upgraded may be missing, or the upgrade patch may update a different version of the program."
    You can delete this directory and uninstall the patch.

    If you show Adobe Reader X installed, you don't need to do anything else. This was what I saw, so I told you to update:
    Adobe\Acrobat 8.0
    Open IE> Tools> Manage Add-ons> the dialog box has 2 locations: addons currently on system and addons previously on system. Look in both locations and remove any for Adobe Reader v8.

    How is the system doing now? Improved? Problems?
     
  16. emilyrose

    emilyrose TS Rookie Topic Starter

    Microsoft Office seems to be working fine for me, I've never noticed anything popping up saying I need to activate. However I didn't actually install Microsoft Office myself, just before I ended up with a virus I had Windows reinstalled by a friend of mine and he also put Office on there, this computer is just for at home use. Is there any way I can tell if it's been activated or should I contact him? It looks like I downloaded the wrong tier, I got rid of the other one and installed Tier 1 successfully. Now, when I look in IE there is:
    Adobe PDF: 5/10/2007 8.1.0.0
    Adobe PDF Link Helper: 1/30/2011 10.0.1.434
    Adobe PDF Conversion Toolbar helper: 5/10/2007 8.1.0.0
    Adobe PDF 5/10/2007 8.1.0.0

    All of them say "Enabled" so should I disable all of the v8? I don't see an option to remove.
    Everything seems to be running pretty normal, haven't been getting anymore virus warnings or anything, however it is running a little slow but nothing too extreme. Would you like me to run ComboFix again or is everything looking okay?
     
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I think I know what happened with the system. When 'friend' reinstalled Windows, it put a Vundo malware infection on the system, plus possible other malware. MS Office cost about $150.00. It's not a program that can be legally 'shared'. The version showing in the installed programs list is for Microsoft Office Enterprise 2007. This is for a business environment. The MUI entries for Office are for different language packs.

    As long as your system is running in the Reduced Function Mode, you won't have full use of the system. If you did not purchase MS Office and have it on your system originally, you will need to uninstall it or buy it. You can't legally activate it because you don't have the license key. You may want to have a conversation with him about this.

    Most likely, he used a flash drive somewhere in the process. It had malware on it and it got passed on to your system.
    ============================================
    You have run Combofix 3 times:
    1. First time: was 5/13> Got Vundo malware & Warning of No Recovery Console.
    If you ever have to run Combofix on another machine, keep this in mind:

    2. Second time was on 5/14, using the script> No warnings
    3. Third time was on 5/22, running script again> Reduced Functionality Mode.

    So it appears that there was some change to the MS Office between 5/14 and 5/22.
     
  18. emilyrose

    emilyrose TS Rookie Topic Starter

    Interesting, although I don't think he'd go out of his way to infect my system. He has been a computer technician for the past 25 years, as well as a family friend however I will definitely talk to him when he gets back. I think the reason for the virus is because my avast was disabled for a couple of days, I had the trial version but forgot to register to keep it on my system and others were using this computer while it wasn't enabled. He never mentioned using a flash drive however we do have an external hard drive. I've used MS office in the past week but I haven't made any changes. Everything seems to be running okay now, thank you so much for all of your help and support, much appreciated!

    Emily
     
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    It was not my intent to suggest that your friend deliberately infected your system. But the removal of G:\Autorun.inf in Combofix points to Drive G. I checked the drives in the DDS log and found this: G: is FIXED (NTFS) - 932 GiB total, 896.21 GiB free.

    So unless he also has a Drive G, this would indicate that you may need to disinfect that drive also.

    I see a Registry entry from 2008 that can be for Office- or a Worm. There is no CID to identify it, so let's take a look:

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :reg
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
      :file
      c:\windows\system32\ctfmon.exe
      
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt

    Something changed the system to make it run in Reduced Functionality Mode. I will leave it up to you to resolve the Office issue. The tech might have a volume license to install Office- I don't know that, but it requires a license.
     
  20. emilyrose

    emilyrose TS Rookie Topic Starter

    Oh okay, my bad, I thought we were finished! Yeah, I don't think he has a drive G, it's probably just mine, I will ask him though. Is there anything else I need to download to disinfect that drive? I ran System Look:
    SystemLook 04.09.10 by jpshortstuff
    Log created at 17:18 on 27/05/2011 by Emily
    Administrator - Elevation successful

    ========== reg ==========

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    "key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    "item"="ctfmon"
    "hkey"="HKCU"
    "command"="C:\WINDOWS\system32\ctfmon.exe"
    "inimapping"="0"


    ========== file ==========

    c:\windows\system32\ctfmon.exe - File found and opened.
    MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3
    Created at 22:56 on 03/08/2004
    Modified at 00:12 on 14/04/2008
    Size: 15360 bytes
    Attributes: --a----
    FileDescription: CTF Loader
    FileVersion: 5.1.2600.5512 (xpsp.080413-2105)
    ProductVersion: 5.1.2600.5512
    OriginalFilename: CTFMON.EXE
    InternalName: CTFMON
    ProductName: Microsoft® Windows® Operating System
    CompanyName: Microsoft Corporation
    LegalCopyright: © Microsoft Corporation. All rights reserved.

    -= EOF =-
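The SystemLook step above asks the poster to pair a disabled msconfig startup entry with the file it points at and read off the file's hash and version information. The script below, added here as an illustration and not part of the thread or of SystemLook, automates that cross-check: it parses a SystemLook log in the format shown in the previous post, recovers the executable path from the recorded "command" value, confirms the file was found on disk, and compares its MD5 against a reference set. The sample log is a trimmed copy of the one posted above, and the single reference hash is the MD5 from that log, used only so the matching logic has something to match; a real reference set would come from a known-clean installation or a vendor hash list.

```python
import re

# Constructed sample input: a SystemLook log in the shape of the one posted
# above (values copied from that post, trimmed), so the example runs offline.
SAMPLE_LOG = r"""SystemLook 04.09.10 by jpshortstuff
Log created at 17:18 on 27/05/2011 by Emily
Administrator - Elevation successful

========== reg ==========

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\WINDOWS\system32\ctfmon.exe"
"inimapping"="0"

========== file ==========

c:\windows\system32\ctfmon.exe - File found and opened.
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3
Created at 22:56 on 03/08/2004
Modified at 00:12 on 14/04/2008
Size: 15360 bytes
Attributes: --a----
FileDescription: CTF Loader
FileVersion: 5.1.2600.5512 (xpsp.080413-2105)
OriginalFilename: CTFMON.EXE
CompanyName: Microsoft Corporation

-= EOF =-
"""

# Reference hash set. The only entry is the MD5 from the posted log, kept here
# purely to demonstrate the comparison; a real set comes from a known-clean
# install or a vendor / NSRL hash list, never from the suspect machine.
REFERENCE_MD5 = {"5f1d5f88303d4a4dbc8e5f97ba967cc3"}


def split_sections(text):
    """Group log lines under their '========== name ==========' headers."""
    sections, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^=+ (\w+) =+$", line.strip())
        if m:
            current = m.group(1)
            sections[current] = []
        elif current and line.strip() and not line.startswith("-= EOF"):
            sections[current].append(line.rstrip())
    return sections


def parse_reg(lines):
    """Map each [key] to its "name"="value" pairs."""
    entries, key = {}, None
    for line in lines:
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            entries[key] = {}
        elif key is not None:
            m = re.match(r'^"([^"]+)"="(.*)"$', line)
            if m:
                entries[key][m.group(1)] = m.group(2)
    return entries


def parse_files(lines):
    """Map each looked-up path to its status plus the 'Field: value' rows."""
    files, path = {}, None
    for line in lines:
        m = re.match(r"^(.+?) - File (.+)$", line)
        if m:
            path = m.group(1).lower()
            files[path] = {"status": m.group(2)}
        elif path is not None and ": " in line:
            field, _, value = line.partition(": ")
            files[path][field] = value.strip()
    return files


def assess(text, reference_md5=REFERENCE_MD5):
    """Cross-check each startupreg entry against the file SystemLook reported.

    Returns a list of findings; an empty list means the entry checked out.
    """
    sections = split_sections(text)
    regs = parse_reg(sections.get("reg", []))
    files = parse_files(sections.get("file", []))
    findings = []
    for key, values in regs.items():
        command = values.get("command", "")
        if not command:
            findings.append(f"{key}: no command recorded")
            continue
        # msconfig's startupreg key records the hive, key and command of a
        # disabled startup item; drop any arguments after the .exe to get the path.
        exe = re.split(r"(?i)(?<=\.exe)\s", command.strip('"'))[0].lower()
        info = files.get(exe)
        if info is None:
            findings.append(f"{key}: {exe} was not looked up in the :file section")
            continue
        if not info["status"].startswith("found"):
            findings.append(f"{key}: {exe} missing on disk ({info['status']})")
            continue
        # Version resources are trivially forgeable, so the vendor name is only
        # a sanity check; the hash comparison is what actually decides.
        if "\\windows\\" in exe and info.get("CompanyName") != "Microsoft Corporation":
            findings.append(f"{key}: {exe} is under \\windows but CompanyName is "
                            f"{info.get('CompanyName', '<missing>')}")
        md5 = info.get("MD5", "").lower()
        if md5 not in reference_md5:
            findings.append(f"{key}: {exe} MD5 {md5} not in reference set; look it up")
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_LOG) or ["no findings: entry matches reference"]:
        print(finding)
```

Run as-is it reports no findings, because the posted file exists, carries Microsoft version information and its hash is in the reference set. Change the CompanyName line, mark the file as not found, or empty the reference set and the corresponding finding appears, which is the same reasoning a helper applies by eye when reading the log.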
     
Topic Status:
Not open for further replies.