Inactive Having troubles removing rootkit


emilyrose

Hi there, my computer has a rootkit that doesn't seem to want to go away. First I noticed that "antimalware doctor" was installed on my computer and I knew this was bad; shortly after, avast pops up saying it's found a rootkit. I let it run a boot-time scan and deleted what it had found, but after it finished the same message popped up wanting to do the boot-time scan again. Instead I just ran MBAM, deleted the infected files and restarted. But it's still there; every time I boot up my computer that same avast message pops up. If I press "no" on restart computer, another avast window will pop up saying "Suspicious files have been detected (using a heuristic method). This may be a sign of malware infection. Please allow the files to be submitted to our virus lab for analysis." The file name that comes up is "\\.\PHYSICALDRIVE0 MBR:TDL4". I've run the scan several times, as well as MBAM, and it's not finding anything anymore. Every time I search something on google I get redirected, and sometimes when I restart my taskbar goes back to "windows classic style" (even though it's always on "windows XP style") with no other options, so I know it's still in there. So I ran DDS and GMER, these are the results:
Attach.txt:
DDS (Ver_11-03-05.01)
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 4/1/2011 2:55:49 PM
System Uptime: 5/12/2011 5:51:32 PM (3 hours ago)
.
Motherboard: | | SiS-661
Processor: Intel(R) Celeron(R) CPU 1.80GHz | Socket 478 | 1804/100mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 75 GiB total, 50.999 GiB free.
D: is CDROM (CDFS)
G: is FIXED (NTFS) - 932 GiB total, 896.21 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Multimedia Audio Controller
Device ID: PCI\VEN_1039&DEV_7012&SUBSYS_0C56105B&REV_A0\3&61AAA01&0&17
Manufacturer:
Name: Multimedia Audio Controller
PNP Device ID: PCI\VEN_1039&DEV_7012&SUBSYS_0C56105B&REV_A0\3&61AAA01&0&17
Service:
.
==== System Restore Points ===================
.
RP14: 4/1/2011 6:08:12 PM - Installed PowerDVD
RP15: 4/1/2011 6:31:34 PM - Installed Microsoft Office Enterprise 2007
RP16: 4/1/2011 6:41:56 PM - Printer Driver Send To Microsoft OneNote Driver Installed
RP17: 4/1/2011 6:53:02 PM - Installed Java(TM) 6 Update 18
RP18: 4/1/2011 7:01:45 PM - Installed Windows XP -- Software Updates KB952011.
RP19: 4/1/2011 7:05:31 PM - Installed Windows Media Player Firefox Plugin
RP20: 4/1/2011 7:18:14 PM - Installed Nero 7 Ultra Edition
RP21: 4/1/2011 8:21:03 PM - Installed iTunes
RP22: 4/1/2011 9:12:36 PM - Printer Driver Adobe PDF Converter Installed
RP23: 4/1/2011 9:41:18 PM - avast! Free Antivirus Setup
RP24: 4/1/2011 11:14:29 PM - Installed Nancy Drew: Secrets Can Kill REMASTERED
RP25: 4/1/2011 11:36:41 PM - Installed Nancy Drew: Danger by Design
RP26: 4/2/2011 12:03:13 AM - Installed Nancy Drew: Shadow at the Water's Edge
RP27: 4/2/2011 9:48:55 PM - Removed Nancy Drew: Danger by Design
RP28: 4/3/2011 10:47:11 PM - System Checkpoint
RP29: 4/4/2011 11:36:02 PM - System Checkpoint
RP30: 4/5/2011 11:53:24 PM - System Checkpoint
RP31: 4/7/2011 7:17:14 PM - System Checkpoint
RP32: 4/9/2011 1:44:01 PM - System Checkpoint
RP33: 4/10/2011 4:55:51 PM - System Checkpoint
RP34: 4/11/2011 5:37:23 PM - System Checkpoint
RP35: 4/11/2011 10:50:08 PM - Installed The Sims Deluxe Edition
RP36: 4/12/2011 11:45:38 PM - System Checkpoint
RP37: 4/14/2011 1:28:06 PM - System Checkpoint
RP38: 4/16/2011 1:21:35 PM - System Checkpoint
RP39: 4/17/2011 8:59:35 PM - System Checkpoint
RP40: 4/19/2011 8:19:22 PM - System Checkpoint
RP41: 4/20/2011 2:03:13 AM - Printer Driver HP Officejet J4500 Series fax Installed
RP42: 4/21/2011 1:27:37 PM - System Checkpoint
RP43: 4/22/2011 2:54:34 PM - System Checkpoint
RP44: 4/23/2011 2:57:09 PM - System Checkpoint
RP45: 4/24/2011 7:32:32 PM - System Checkpoint
RP46: 4/25/2011 7:43:33 PM - System Checkpoint
RP47: 4/26/2011 8:22:05 PM - System Checkpoint
RP48: 4/27/2011 9:38:14 PM - System Checkpoint
RP49: 4/29/2011 3:01:28 PM - System Checkpoint
RP50: 4/30/2011 4:48:42 PM - System Checkpoint
RP51: 5/1/2011 5:06:48 PM - System Checkpoint
RP52: 5/2/2011 6:25:28 PM - System Checkpoint
RP53: 5/3/2011 7:16:46 PM - System Checkpoint
RP54: 5/3/2011 11:27:03 PM - Installed The Sims Hot Date
RP55: 5/3/2011 11:41:30 PM - Installed The Sims Vacation
RP56: 5/3/2011 11:52:29 PM - Installed The Sims Deluxe Edition
RP57: 5/5/2011 12:07:10 AM - System Checkpoint
RP58: 5/5/2011 12:40:10 AM - Installed The Sims Unleashed
RP59: 5/5/2011 1:12:44 AM - Installed The Sims Superstar
RP60: 5/6/2011 12:10:16 PM - System Checkpoint
RP61: 5/7/2011 12:21:28 PM - System Checkpoint
RP62: 5/9/2011 1:23:28 AM - System Checkpoint
RP63: 5/11/2011 8:29:08 PM - System Checkpoint
RP64: 5/12/2011 1:29:50 AM - Installed HiJackThis
.
==== Installed Programs ======================
.
µTorrent
32 Bit HP CIO Components Installer
4500_Help
Add or Remove Adobe Creative Suite 3 Master Collection
Adobe Acrobat 8 Professional
Adobe After Effects CS3 Presets
Adobe AIR
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe BridgeTalk Plugin CS3
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Creative Suite 3 Master Collection
Adobe Default Language CS3
Adobe Device Central CS3
Adobe Dreamweaver CS3
Adobe Encore CS3
Adobe Encore CS3 Codecs
Adobe ExtendScript Toolkit 2
Adobe Extension Manager CS3
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Illustrator CS3
Adobe InDesign CS3
Adobe InDesign CS3 Icon Handler
Adobe Linguistics CS3
Adobe MotionPicture Color Files
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Reader X (10.0.1)
Adobe Setup
Adobe SING CS3
Adobe Soundbooth CS3
Adobe Soundbooth CS3 Codecs
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe Version Cue CS3 Server
Adobe Video Profiles
Adobe WAS CS3
Adobe WinSoft Linguistics Plugin
Adobe XMP DVA Panels CS3
Adobe XMP Panels CS3
Advanced Uninstaller PRO v10.1 (remove!)
AHV content for Acrobat and Flash
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
avast! Free Antivirus
Bonjour
BPD_HPSU
bpd_scan
BPDSoftware
BPDSoftware_Ini
BufferChm
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center HydraVision Full
Catalyst Control Center Localization All
ccc-core-preinstall
ccc-core-static
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
CCleaner
CyberLink PowerDVD 9
Destination Component
DeviceDiscovery
DeviceManagementQFolder
DivX Setup
DocMgr
DocProc
DocProcQFolder
eSupportQFolder
Fax
Free YouTube to MP3 Converter version 3.9.35.324
GPBaseService
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB961118)
HP Document Manager 1.0
HP Imaging Device Functions 10.0
HP Officejet J4500 Series
HP Photosmart Essential 2.5
HP Smart Web Printing
HP Solution Center 10.0
HP Update
HPProductAssistant
iMacsoft iPod to PC Transfer
iTunes
J4500
Java Auto Updater
Java(TM) 6 Update 18
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox (3.6.17)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nancy Drew: Secrets Can Kill REMASTERED
Nancy Drew: Shadow at the Water's Edge
Nero 7 Ultra Edition
OCR Software by I.R.I.S. 10.0
PDF Settings
Picasa 3
Plants vs. Zombies
PowerISO
ProductContext
PSSWCORE
QuickTime
rayman2
Scan
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2482017)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Segoe UI
Skins
SmartWebPrintingOC
Software Update for Web Folders
SolutionCenter
Sophos Anti-Rootkit 1.5.4
Status
Toolbox
TrayApp
Uninstall 1.0.0.1
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Windows (KB971513)
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VC80CRTRedist - 8.0.50727.4053
VideoToolkit01
WebFldrs XP
WebReg
Webshots Desktop
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows Search 4.0
Windows XP Service Pack 3
WinRAR archiver
Xilisoft iPhone Ringtone Maker
Xilisoft iPhone Transfer
Xvid 1.2.2 final uninstall
.
==== Event Viewer Messages From Past Week ========
.
5/9/2011 3:49:00 AM, error: Schedule [7901] - The At4.job command failed to start due to the following error: %%2147942402
5/9/2011 10:18:18 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Themes service.
5/9/2011 10:18:18 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the service.
5/9/2011 10:18:18 PM, error: Service Control Manager [7000] - The Themes service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/8/2011 2:49:00 AM, error: Schedule [7901] - The At3.job command failed to start due to the following error: %%2147942402
5/8/2011 12:49:00 AM, error: Schedule [7901] - The At1.job command failed to start due to the following error: %%2147942402
5/8/2011 1:49:00 AM, error: Schedule [7901] - The At2.job command failed to start due to the following error: %%2147942402
5/7/2011 9:49:01 PM, error: Schedule [7901] - The At22.job command failed to start due to the following error: %%2147942402
5/7/2011 9:49:01 AM, error: Schedule [7901] - The At10.job command failed to start due to the following error: %%2147942402
5/7/2011 8:49:02 AM, error: Schedule [7901] - The At9.job command failed to start due to the following error: %%2147942402
5/7/2011 8:49:00 PM, error: Schedule [7901] - The At21.job command failed to start due to the following error: %%2147942402
5/7/2011 7:49:01 AM, error: Schedule [7901] - The At8.job command failed to start due to the following error: %%2147942402
5/7/2011 7:49:00 PM, error: Schedule [7901] - The At20.job command failed to start due to the following error: %%2147942402
5/7/2011 6:49:01 AM, error: Schedule [7901] - The At7.job command failed to start due to the following error: %%2147942402
5/7/2011 6:49:00 PM, error: Schedule [7901] - The At19.job command failed to start due to the following error: %%2147942402
5/7/2011 5:49:00 PM, error: Schedule [7901] - The At18.job command failed to start due to the following error: %%2147942402
5/7/2011 5:49:00 AM, error: Schedule [7901] - The At6.job command failed to start due to the following error: %%2147942402
5/7/2011 4:49:00 PM, error: Schedule [7901] - The At17.job command failed to start due to the following error: %%2147942402
5/7/2011 4:49:00 AM, error: Schedule [7901] - The At5.job command failed to start due to the following error: %%2147942402
5/7/2011 3:49:00 PM, error: Schedule [7901] - The At16.job command failed to start due to the following error: %%2147942402
5/7/2011 2:49:00 PM, error: Schedule [7901] - The At15.job command failed to start due to the following error: %%2147942402
5/7/2011 2:28:40 AM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
5/7/2011 12:49:00 PM, error: Schedule [7901] - The At13.job command failed to start due to the following error: %%2147942402
5/7/2011 11:49:00 PM, error: Schedule [7901] - The At24.job command failed to start due to the following error: %%2147942402
5/7/2011 11:49:00 AM, error: Schedule [7901] - The At12.job command failed to start due to the following error: %%2147942402
5/7/2011 10:49:00 PM, error: Schedule [7901] - The At23.job command failed to start due to the following error: %%2147942402
5/7/2011 10:49:00 AM, error: Schedule [7901] - The At11.job command failed to start due to the following error: %%2147942402
5/7/2011 1:49:00 PM, error: Schedule [7901] - The At14.job command failed to start due to the following error: %%2147942402
5/7/2011 1:20:44 AM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file rundll32.exe. This file was restored to the original version to maintain system stability. The file version of the bad file is 1.0.0.0, the version of the system file is 5.1.2600.5512.
5/5/2011 2:46:02 PM, error: Service Control Manager [7022] - The HP CUE DeviceDiscovery Service service hung on starting.
5/12/2011 2:53:38 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Themes service to connect.
5/12/2011 2:45:16 AM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.

DDS (Ver_11-03-05.01) - NTFSx86
Run by Emily at 19:59:35.84 on Thu 05/12/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.419 [GMT -7:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AGI\core\4.2.0.10754\AGCoreService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\gmer\gmer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\dds.scr
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: agihelper.AGUtils: {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: agihelper.AGUtils: {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\mi1933~1\office12\GRA8E1~1.DLL
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: Free YouTube to MP3 Converter - c:\documents and settings\emily\application data\dvdvideosoftiehelpers\freeyoutubetomp3converter.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1301695638546
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1301695622984
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\mi1933~1\office12\GR99D3~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\mi1933~1\office12\GRA8E1~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\emily\applic~1\mozilla\firefox\profiles\xy85n44r.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/ig?hl=en#t_0
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\avast software\avast\webrep\FF
FF - Ext: XULRunner: {572FBE01-02C6-4A99-B7F7-FC9C8FE7E6E3} - c:\documents and settings\emily\local settings\application data\{572FBE01-02C6-4A99-B7F7-FC9C8FE7E6E3}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: DVDVideoSoft Menu: {ACAA314B-EEBA-48e4-AD47-84E31C44796C} - %profile%\extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C}
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-4-1 371544]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-4-1 301528]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2011-5-12 18816]
R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2011/04/01 17:58:25];c:\program files\cyberlink\powerdvd9\000.fcl [2009-5-7 87536]
R2 AGCoreService;AG Core Services;c:\program files\agi\core\4.2.0.10754\AGCoreService.exe [2011-4-3 20480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-4-1 19544]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-4-1 42184]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\a.tmp --> c:\windows\system32\A.tmp [?]
.
=============== Created Last 30 ================
.
2011-05-13 01:25:36 625664 ----a-w- C:\dds.scr
2011-05-13 00:46:25 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2011-05-13 00:04:40 -------- d-----w- c:\program files\Sophos
2011-05-13 00:00:46 1376832 ----a-w- C:\sar_15_sfx.exe
2011-05-12 09:42:43 -------- d-----w- C:\gmer
2011-05-12 08:35:00 190032 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-05-12 08:29:55 388096 ----a-r- c:\docume~1\emily\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-05-12 08:29:53 -------- d-----w- c:\program files\HiJack
2011-05-10 01:58:15 -------- d-----w- c:\program files\CyberDefender
2011-05-07 07:58:33 0 ----a-w- c:\windows\Ycoqetekolasihik.bin
2011-05-07 07:58:21 -------- d-----w- c:\docume~1\emily\locals~1\applic~1\{572FBE01-02C6-4A99-B7F7-FC9C8FE7E6E3}
2011-04-20 09:05:58 -------- d-----w- c:\docume~1\emily\locals~1\applic~1\HP
2011-04-20 08:28:20 -------- d-----w- c:\program files\common files\HP
2011-04-20 08:28:01 -------- d-----w- c:\program files\common files\Hewlett-Packard
2011-04-20 08:22:28 16496 ----a-r- c:\windows\system32\drivers\HPZipr12.sys
2011-04-20 08:22:27 49920 ----a-r- c:\windows\system32\drivers\HPZid412.sys
2011-04-20 08:18:12 278016 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\hpzpp5mu.dll
2011-04-20 08:18:10 118272 ----a-w- c:\windows\system32\hpz3l5mu.dll
2011-04-20 08:18:06 271704 ----a-r- c:\windows\system32\hpzids01.dll
2011-04-20 08:17:23 21568 ----a-r- c:\windows\system32\drivers\HPZius12.sys
2011-04-20 08:16:21 364544 ----a-r- c:\windows\system32\hppldcoi.dll
2011-04-20 08:16:21 309760 ----a-r- c:\windows\system32\difxapi.dll
2011-04-20 08:16:21 294912 ----a-r- c:\windows\system32\hpovst11.dll
2011-04-20 08:16:20 729088 ----a-r- c:\windows\system32\hpwwiax4.dll
2011-04-20 08:16:20 593920 ----a-r- c:\windows\system32\hpwtscl3.dll
2011-04-20 04:43:20 1373528 ----a-r- c:\windows\hpzshl01.exe
2011-04-20 04:43:20 1140056 ----a-r- c:\windows\hpzmsi01.exe
2011-04-20 04:43:19 -------- d-----w- c:\windows\yellowtail
2011-04-20 04:42:56 -------- d-----w- c:\program files\HP
2011-04-20 04:42:47 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2011-04-20 04:42:47 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2011-04-20 04:42:40 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2011-04-20 04:42:40 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2011-04-13 07:28:21 -------- d-----w- c:\program files\common files\Blizzard Entertainment
2011-04-13 07:27:25 -------- d-----w- c:\docume~1\alluse~1\applic~1\Blizzard Entertainment
.
==================== Find3M ====================
.
2011-04-02 01:53:08 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-04-02 01:53:08 411368 ----a-w- c:\windows\system32\deploytk.dll
2011-04-02 01:08:06 29480 ----a-w- c:\windows\system32\msxml3a.dll
2011-04-02 01:08:05 505128 ----a-w- c:\windows\system32\msvcp71.dll
2011-04-02 01:08:05 353576 ----a-w- c:\windows\system32\msvcr71.dll
2011-04-02 00:42:24 0 ----a-w- c:\windows\ativpsrm.bin
2011-02-23 14:04:21 40648 ----a-w- c:\windows\avastSS.scr
2011-02-18 23:36:58 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: SAMSUNG_SP0822N rev.WA100-31 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x867046F0]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8670aa10]; MOV EAX, [0x8670aa8c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x86740AB8]
3 CLASSPNP[0xF786EFD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\00000059[0x86794F18]
5 ACPI[0xF77E5620] -> nt!IofCallDriver[0x804E37D5] -> [0x86782D98]
\Driver\atapi[0x86746030] -> IRP_MJ_CREATE -> 0x867046F0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8670453B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 20:07:56.57 ===============
 
First part of GMER

GMER 1.0.15.15627 - http://www.gmer.net
Rootkit scan 2011-05-12 22:05:50
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 SAMSUNG_SP0822N rev.WA100-31
Running: gmer.exe; Driver: C:\DOCUME~1\Emily\LOCALS~1\Temp\fgdcapod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0xA48939CA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0xA48E8A68]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwClose [0xA48B3AF5]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0xA4895EAC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0xA4895F04]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0xA489601A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateKey [0xA48B34A9]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0xA4895E02]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0xA4895F54]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0xA4895E56]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0xA4895FC8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0xA48939EE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteKey [0xA48B41BB]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteValueKey [0xA48B4471]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDuplicateObject [0xA489629E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xA48B4026]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xA48B3E91]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0xA48E8B18]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0xA48937B8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0xA4893A12]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0xA4896412]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0xA48944AA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0xA4895EDC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0xA4895F2C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0xA4896044]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenKey [0xA48B3805]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0xA4895E2E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenProcess [0xA48960D6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0xA4895F94]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0xA4895E84]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenThread [0xA48961BA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0xA4895FF2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0xA48E8BB0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryKey [0xA48B3D0C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0xA4894370]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryValueKey [0xA48B3B5E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xA48F0E26]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwRestoreKey [0xA48B2B1C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0xA4893A36]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0xA4893A5A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0xA4893812]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0xA489394E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetValueKey [0xA48B42C2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0xA489392A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0xA4893972]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0xA4893A7E]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xA48FD8DE]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 34D 804E29B9 3 Bytes [0E, 8F, A4]
PAGE ntoskrnl.exe!ObInsertObject 805650BA 5 Bytes JMP A48FAD38 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntoskrnl.exe!ZwReplyWaitReceivePortEx + 3CC 8056BB08 4 Bytes CALL A4894E25 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntoskrnl.exe!ZwCreateProcessEx 8058124C 7 Bytes JMP A48FD8E2 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntoskrnl.exe!ObMakeTemporaryObject 805A038B 5 Bytes JMP A48F929E \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xF61D9000, 0x1C5D38, 0xE8000020]
.text C:\Program Files\CyberLink\PowerDVD9\000.fcl section is writeable [0xA21BF000, 0x2892, 0xE8000020]
.vmp2 C:\Program Files\CyberLink\PowerDVD9\000.fcl entry point in ".vmp2" section [0xA21E2050]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[264] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00150030
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[264] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0015006C
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[264] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 3 Bytes JMP 003C01D4
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[264] ADVAPI32.dll!SetServiceObjectSecurity + 4 77E36D85 1 Byte [88]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[264] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003C00E4
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[264] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003C0120
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[264] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003C015C
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[264] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003C0198
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[264] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003C0030
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[264] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003C006C
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[264] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003C00A8
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[264] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003D00E4
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[264] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003D0120
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[264] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003D00A8
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[264] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003D0030
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[264] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003D006C
.text C:\Program Files\Bonjour\mDNSResponder.exe[384] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00150030
.text C:\Program Files\Bonjour\mDNSResponder.exe[384] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0015006C
.text C:\Program Files\Bonjour\mDNSResponder.exe[384] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 3 Bytes JMP 003C01D4
.text C:\Program Files\Bonjour\mDNSResponder.exe[384] ADVAPI32.dll!SetServiceObjectSecurity + 4 77E36D85 1 Byte [88]
.text C:\Program Files\Bonjour\mDNSResponder.exe[384] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003C00E4
.text C:\Program Files\Bonjour\mDNSResponder.exe[384] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003C0120
.text C:\Program Files\Bonjour\mDNSResponder.exe[384] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003C015C
.text C:\Program Files\Bonjour\mDNSResponder.exe[384] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003C0198
.text C:\Program Files\Bonjour\mDNSResponder.exe[384] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003C0030
.text C:\Program Files\Bonjour\mDNSResponder.exe[384] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003C006C
.text C:\Program Files\Bonjour\mDNSResponder.exe[384] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003C00A8
.text C:\Program Files\Bonjour\mDNSResponder.exe[384] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003D00E4
.text C:\Program Files\Bonjour\mDNSResponder.exe[384] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003D0120
.text C:\Program Files\Bonjour\mDNSResponder.exe[384] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003D00A8
.text C:\Program Files\Bonjour\mDNSResponder.exe[384] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003D0030
.text C:\Program Files\Bonjour\mDNSResponder.exe[384] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003D006C
.text C:\WINDOWS\system32\winlogon.exe[552] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00070030
.text C:\WINDOWS\system32\winlogon.exe[552] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0007006C
.text C:\WINDOWS\system32\winlogon.exe[552] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002E01D4
.text C:\WINDOWS\system32\winlogon.exe[552] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002E00E4
.text C:\WINDOWS\system32\winlogon.exe[552] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002E0120
.text C:\WINDOWS\system32\winlogon.exe[552] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002E015C
.text C:\WINDOWS\system32\winlogon.exe[552] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002E0198
.text C:\WINDOWS\system32\winlogon.exe[552] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002E0030
.text C:\WINDOWS\system32\winlogon.exe[552] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002E006C
.text C:\WINDOWS\system32\winlogon.exe[552] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002E00A8
.text C:\WINDOWS\system32\winlogon.exe[552] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002F00E4
.text C:\WINDOWS\system32\winlogon.exe[552] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002F0120
.text C:\WINDOWS\system32\winlogon.exe[552] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002F00A8
.text C:\WINDOWS\system32\winlogon.exe[552] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002F0030
.text C:\WINDOWS\system32\winlogon.exe[552] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002F006C
.text C:\WINDOWS\system32\svchost.exe[576] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
.text C:\WINDOWS\system32\svchost.exe[576] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
.text C:\WINDOWS\system32\svchost.exe[576] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003001D4
.text C:\WINDOWS\system32\svchost.exe[576] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003000E4
.text C:\WINDOWS\system32\svchost.exe[576] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00300120
.text C:\WINDOWS\system32\svchost.exe[576] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 0030015C
.text C:\WINDOWS\system32\svchost.exe[576] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00300198
.text C:\WINDOWS\system32\svchost.exe[576] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 00300030
.text C:\WINDOWS\system32\svchost.exe[576] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 0030006C
.text C:\WINDOWS\system32\svchost.exe[576] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003000A8
.text C:\WINDOWS\system32\svchost.exe[576] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003100E4
.text C:\WINDOWS\system32\svchost.exe[576] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00310120
.text C:\WINDOWS\system32\svchost.exe[576] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003100A8
.text C:\WINDOWS\system32\svchost.exe[576] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 00310030
.text C:\WINDOWS\system32\svchost.exe[576] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 0031006C
.text C:\WINDOWS\system32\services.exe[600] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
.text C:\WINDOWS\system32\services.exe[600] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
.text C:\WINDOWS\system32\services.exe[600] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002E01D4
.text C:\WINDOWS\system32\services.exe[600] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002E00E4
.text C:\WINDOWS\system32\services.exe[600] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002E0120
.text C:\WINDOWS\system32\services.exe[600] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002E015C
.text C:\WINDOWS\system32\services.exe[600] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002E0198
.text C:\WINDOWS\system32\services.exe[600] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002E0030
.text C:\WINDOWS\system32\services.exe[600] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002E006C
.text C:\WINDOWS\system32\services.exe[600] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002E00A8
.text C:\WINDOWS\system32\services.exe[600] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002F00E4
.text C:\WINDOWS\system32\services.exe[600] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002F0120
.text C:\WINDOWS\system32\services.exe[600] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002F00A8
.text C:\WINDOWS\system32\services.exe[600] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002F0030
.text C:\WINDOWS\system32\services.exe[600] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002F006C
.text C:\WINDOWS\system32\lsass.exe[612] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
.text C:\WINDOWS\system32\lsass.exe[612] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
.text C:\WINDOWS\system32\lsass.exe[612] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002E01D4
.text C:\WINDOWS\system32\lsass.exe[612] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002E00E4
.text C:\WINDOWS\system32\lsass.exe[612] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002E0120
.text C:\WINDOWS\system32\lsass.exe[612] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002E015C
.text C:\WINDOWS\system32\lsass.exe[612] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002E0198
.text C:\WINDOWS\system32\lsass.exe[612] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002E0030
.text C:\WINDOWS\system32\lsass.exe[612] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002E006C
.text C:\WINDOWS\system32\lsass.exe[612] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002E00A8
.text C:\WINDOWS\system32\lsass.exe[612] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002F00E4
.text C:\WINDOWS\system32\lsass.exe[612] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002F0120
.text C:\WINDOWS\system32\lsass.exe[612] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002F00A8
.text C:\WINDOWS\system32\lsass.exe[612] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002F0030
.text C:\WINDOWS\system32\lsass.exe[612] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002F006C
.text C:\WINDOWS\system32\Ati2evxx.exe[756] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00150030
.text C:\WINDOWS\system32\Ati2evxx.exe[756] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0015006C
.text C:\WINDOWS\system32\Ati2evxx.exe[756] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003C00E4
.text C:\WINDOWS\system32\Ati2evxx.exe[756] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003C0120
.text C:\WINDOWS\system32\Ati2evxx.exe[756] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003C00A8
.text C:\WINDOWS\system32\Ati2evxx.exe[756] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003C0030
.text C:\WINDOWS\system32\Ati2evxx.exe[756] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003C006C
.text C:\WINDOWS\system32\Ati2evxx.exe[756] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003D01D4
.text C:\WINDOWS\system32\Ati2evxx.exe[756] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003D00E4
.text C:\WINDOWS\system32\Ati2evxx.exe[756] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003D0120
.text C:\WINDOWS\system32\Ati2evxx.exe[756] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003D015C
.text C:\WINDOWS\system32\Ati2evxx.exe[756] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003D0198
.text C:\WINDOWS\system32\Ati2evxx.exe[756] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003D0030
.text C:\WINDOWS\system32\Ati2evxx.exe[756] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003D006C
.text C:\WINDOWS\system32\Ati2evxx.exe[756] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003D00A8
.text C:\WINDOWS\system32\svchost.exe[784] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
.text C:\WINDOWS\system32\svchost.exe[784] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
.text C:\WINDOWS\system32\svchost.exe[784] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003001D4
.text C:\WINDOWS\system32\svchost.exe[784] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003000E4
.text C:\WINDOWS\system32\svchost.exe[784] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00300120
.text C:\WINDOWS\system32\svchost.exe[784] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 0030015C
.text C:\WINDOWS\system32\svchost.exe[784] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00300198
.text C:\WINDOWS\system32\svchost.exe[784] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 00300030
.text C:\WINDOWS\system32\svchost.exe[784] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 0030006C
.text C:\WINDOWS\system32\svchost.exe[784] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003000A8
.text C:\WINDOWS\system32\svchost.exe[784] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003100E4
.text C:\WINDOWS\system32\svchost.exe[784] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00310120
.text C:\WINDOWS\system32\svchost.exe[784] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003100A8
.text C:\WINDOWS\system32\svchost.exe[784] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 00310030
.text C:\WINDOWS\system32\svchost.exe[784] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 0031006C
.text C:\Program Files\Java\jre6\bin\jqs.exe[832] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00150030
.text C:\Program Files\Java\jre6\bin\jqs.exe[832] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0015006C
.text C:\Program Files\Java\jre6\bin\jqs.exe[832] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 3 Bytes JMP 003C01D4
.text C:\Program Files\Java\jre6\bin\jqs.exe[832] ADVAPI32.dll!SetServiceObjectSecurity + 4 77E36D85 1 Byte [88]
.text C:\Program Files\Java\jre6\bin\jqs.exe[832] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003C00E4
.text C:\Program Files\Java\jre6\bin\jqs.exe[832] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003C0120
.text C:\Program Files\Java\jre6\bin\jqs.exe[832] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003C015C
.text C:\Program Files\Java\jre6\bin\jqs.exe[832] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003C0198
.text C:\Program Files\Java\jre6\bin\jqs.exe[832] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003C0030
.text C:\Program Files\Java\jre6\bin\jqs.exe[832] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003C006C
.text C:\Program Files\Java\jre6\bin\jqs.exe[832] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003C00A8
.text C:\Program Files\Java\jre6\bin\jqs.exe[832] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003D00E4
.text C:\Program Files\Java\jre6\bin\jqs.exe[832] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003D0120
.text C:\Program Files\Java\jre6\bin\jqs.exe[832] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003D00A8
.text C:\Program Files\Java\jre6\bin\jqs.exe[832] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003D0030
.text C:\Program Files\Java\jre6\bin\jqs.exe[832] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003D006C
.text C:\WINDOWS\system32\svchost.exe[868] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
.text C:\WINDOWS\system32\svchost.exe[868] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
.text C:\WINDOWS\system32\svchost.exe[868] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003001D4
.text C:\WINDOWS\system32\svchost.exe[868] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003000E4
.text C:\WINDOWS\system32\svchost.exe[868] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00300120
.text C:\WINDOWS\system32\svchost.exe[868] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 0030015C
.text C:\WINDOWS\system32\svchost.exe[868] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00300198
.text C:\WINDOWS\system32\svchost.exe[868] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 00300030
.text C:\WINDOWS\system32\svchost.exe[868] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 0030006C
.text C:\WINDOWS\system32\svchost.exe[868] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003000A8
.text C:\WINDOWS\system32\svchost.exe[868] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003100E4
.text C:\WINDOWS\system32\svchost.exe[868] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00310120
.text C:\WINDOWS\system32\svchost.exe[868] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003100A8
.text C:\WINDOWS\system32\svchost.exe[868] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 00310030
.text C:\WINDOWS\system32\svchost.exe[868] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 0031006C
.text C:\WINDOWS\System32\svchost.exe[940] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0075000A
GMER part 2

.text C:\WINDOWS\System32\svchost.exe[940] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00A7000A
.text C:\WINDOWS\System32\svchost.exe[940] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0074000C
.text C:\WINDOWS\System32\svchost.exe[940] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
.text C:\WINDOWS\System32\svchost.exe[940] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
.text C:\WINDOWS\System32\svchost.exe[940] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003001D4
.text C:\WINDOWS\System32\svchost.exe[940] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003000E4
.text C:\WINDOWS\System32\svchost.exe[940] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00300120
.text C:\WINDOWS\System32\svchost.exe[940] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 0030015C
.text C:\WINDOWS\System32\svchost.exe[940] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00300198
.text C:\WINDOWS\System32\svchost.exe[940] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 00300030
.text C:\WINDOWS\System32\svchost.exe[940] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 0030006C
.text C:\WINDOWS\System32\svchost.exe[940] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003000A8
.text C:\WINDOWS\System32\svchost.exe[940] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003100E4
.text C:\WINDOWS\System32\svchost.exe[940] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 006E000A
.text C:\WINDOWS\System32\svchost.exe[940] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00310120
.text C:\WINDOWS\System32\svchost.exe[940] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003100A8
.text C:\WINDOWS\System32\svchost.exe[940] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 00310030
.text C:\WINDOWS\System32\svchost.exe[940] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 0031006C
.text C:\WINDOWS\System32\svchost.exe[940] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00B7000A
.text C:\WINDOWS\system32\svchost.exe[1020] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
.text C:\WINDOWS\system32\svchost.exe[1020] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
.text C:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003001D4
.text C:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003000E4
.text C:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00300120
.text C:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 0030015C
.text C:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00300198
.text C:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 00300030
.text C:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 0030006C
.text C:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003000A8
.text C:\WINDOWS\system32\svchost.exe[1020] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003100E4
.text C:\WINDOWS\system32\svchost.exe[1020] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00310120
.text C:\WINDOWS\system32\svchost.exe[1020] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003100A8
.text C:\WINDOWS\system32\svchost.exe[1020] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 00310030
.text C:\WINDOWS\system32\svchost.exe[1020] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 0031006C
.text C:\WINDOWS\system32\Ati2evxx.exe[1052] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00150030
.text C:\WINDOWS\system32\Ati2evxx.exe[1052] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0015006C
.text C:\WINDOWS\system32\Ati2evxx.exe[1052] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003C00E4
.text C:\WINDOWS\system32\Ati2evxx.exe[1052] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003C0120
.text C:\WINDOWS\system32\Ati2evxx.exe[1052] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003C00A8
.text C:\WINDOWS\system32\Ati2evxx.exe[1052] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003C0030
.text C:\WINDOWS\system32\Ati2evxx.exe[1052] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003C006C
.text C:\WINDOWS\system32\Ati2evxx.exe[1052] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003D01D4
.text C:\WINDOWS\system32\Ati2evxx.exe[1052] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003D00E4
.text C:\WINDOWS\system32\Ati2evxx.exe[1052] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003D0120
.text C:\WINDOWS\system32\Ati2evxx.exe[1052] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003D015C
.text C:\WINDOWS\system32\Ati2evxx.exe[1052] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003D0198
.text C:\WINDOWS\system32\Ati2evxx.exe[1052] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003D0030
.text C:\WINDOWS\system32\Ati2evxx.exe[1052] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003D006C
.text C:\WINDOWS\system32\Ati2evxx.exe[1052] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003D00A8
.text C:\WINDOWS\System32\svchost.exe[1124] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
.text C:\WINDOWS\System32\svchost.exe[1124] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
.text C:\WINDOWS\System32\svchost.exe[1124] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003001D4
.text C:\WINDOWS\System32\svchost.exe[1124] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003000E4
.text C:\WINDOWS\System32\svchost.exe[1124] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00300120
.text C:\WINDOWS\System32\svchost.exe[1124] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 0030015C
.text C:\WINDOWS\System32\svchost.exe[1124] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00300198
.text C:\WINDOWS\System32\svchost.exe[1124] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 00300030
.text C:\WINDOWS\System32\svchost.exe[1124] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 0030006C
.text C:\WINDOWS\System32\svchost.exe[1124] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003000A8
.text C:\WINDOWS\System32\svchost.exe[1124] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003100E4
.text C:\WINDOWS\System32\svchost.exe[1124] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00310120
.text C:\WINDOWS\System32\svchost.exe[1124] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003100A8
.text C:\WINDOWS\System32\svchost.exe[1124] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 00310030
.text C:\WINDOWS\System32\svchost.exe[1124] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 0031006C
.text C:\WINDOWS\system32\svchost.exe[1128] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
.text C:\WINDOWS\system32\svchost.exe[1128] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
.text C:\WINDOWS\system32\svchost.exe[1128] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003001D4
.text C:\WINDOWS\system32\svchost.exe[1128] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003000E4
.text C:\WINDOWS\system32\svchost.exe[1128] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00300120
.text C:\WINDOWS\system32\svchost.exe[1128] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 0030015C
.text C:\WINDOWS\system32\svchost.exe[1128] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00300198
.text C:\WINDOWS\system32\svchost.exe[1128] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 00300030
.text C:\WINDOWS\system32\svchost.exe[1128] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 0030006C
.text C:\WINDOWS\system32\svchost.exe[1128] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003000A8
.text C:\WINDOWS\system32\svchost.exe[1128] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003100E4
.text C:\WINDOWS\system32\svchost.exe[1128] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00310120
.text C:\WINDOWS\system32\svchost.exe[1128] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003100A8
.text C:\WINDOWS\system32\svchost.exe[1128] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 00310030
.text C:\WINDOWS\system32\svchost.exe[1128] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 0031006C
.text C:\WINDOWS\System32\svchost.exe[1200] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
.text C:\WINDOWS\System32\svchost.exe[1200] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
.text C:\WINDOWS\System32\svchost.exe[1200] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003001D4
.text C:\WINDOWS\System32\svchost.exe[1200] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003000E4
.text C:\WINDOWS\System32\svchost.exe[1200] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00300120
.text C:\WINDOWS\System32\svchost.exe[1200] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 0030015C
.text C:\WINDOWS\System32\svchost.exe[1200] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00300198
.text C:\WINDOWS\System32\svchost.exe[1200] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 00300030
.text C:\WINDOWS\System32\svchost.exe[1200] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 0030006C
.text C:\WINDOWS\System32\svchost.exe[1200] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003000A8
.text C:\WINDOWS\System32\svchost.exe[1200] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003100E4
.text C:\WINDOWS\System32\svchost.exe[1200] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00310120
.text C:\WINDOWS\System32\svchost.exe[1200] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003100A8
.text C:\WINDOWS\System32\svchost.exe[1200] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 00310030
.text C:\WINDOWS\System32\svchost.exe[1200] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 0031006C
.text C:\WINDOWS\Explorer.EXE[1332] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C4000A
.text C:\WINDOWS\Explorer.EXE[1332] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C5000A
.text C:\WINDOWS\Explorer.EXE[1332] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00BE000C
.text C:\WINDOWS\Explorer.EXE[1332] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
.text C:\WINDOWS\Explorer.EXE[1332] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
.text C:\WINDOWS\Explorer.EXE[1332] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003601D4
.text C:\WINDOWS\Explorer.EXE[1332] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003600E4
.text C:\WINDOWS\Explorer.EXE[1332] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00360120
.text C:\WINDOWS\Explorer.EXE[1332] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 0036015C
.text C:\WINDOWS\Explorer.EXE[1332] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00360198
.text C:\WINDOWS\Explorer.EXE[1332] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 00360030
.text C:\WINDOWS\Explorer.EXE[1332] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 0036006C
.text C:\WINDOWS\Explorer.EXE[1332] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003600A8
.text C:\WINDOWS\Explorer.EXE[1332] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003700E4
.text C:\WINDOWS\Explorer.EXE[1332] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00370120
.text C:\WINDOWS\Explorer.EXE[1332] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003700A8
.text C:\WINDOWS\Explorer.EXE[1332] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 00370030
.text C:\WINDOWS\Explorer.EXE[1332] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 0037006C
.text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
.text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003001D4
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003000E4
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00300120
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 0030015C
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00300198
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 00300030
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 0030006C
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003000A8
.text C:\WINDOWS\system32\svchost.exe[1400] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003100E4
.text C:\WINDOWS\system32\svchost.exe[1400] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00310120
.text C:\WINDOWS\system32\svchost.exe[1400] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003100A8
.text C:\WINDOWS\system32\svchost.exe[1400] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 00310030
.text C:\WINDOWS\system32\svchost.exe[1400] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 0031006C
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1452] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\WINDOWS\system32\ctfmon.exe[1548] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000A0030
.text C:\WINDOWS\system32\ctfmon.exe[1548] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000A006C
.text C:\WINDOWS\system32\ctfmon.exe[1548] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003601D4
.text C:\WINDOWS\system32\ctfmon.exe[1548] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003600E4
.text C:\WINDOWS\system32\ctfmon.exe[1548] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00360120
.text C:\WINDOWS\system32\ctfmon.exe[1548] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 0036015C
.text C:\WINDOWS\system32\ctfmon.exe[1548] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00360198
.text C:\WINDOWS\system32\ctfmon.exe[1548] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 00360030
.text C:\WINDOWS\system32\ctfmon.exe[1548] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 0036006C
.text C:\WINDOWS\system32\ctfmon.exe[1548] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003600A8
.text C:\WINDOWS\system32\ctfmon.exe[1548] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003700E4
.text C:\WINDOWS\system32\ctfmon.exe[1548] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00370120
.text C:\WINDOWS\system32\ctfmon.exe[1548] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003700A8
.text C:\WINDOWS\system32\ctfmon.exe[1548] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 00370030
.text C:\WINDOWS\system32\ctfmon.exe[1548] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 0037006C
.text C:\WINDOWS\system32\spoolsv.exe[1952] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
.text C:\WINDOWS\system32\spoolsv.exe[1952] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
.text C:\WINDOWS\system32\spoolsv.exe[1952] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002E01D4
.text C:\WINDOWS\system32\spoolsv.exe[1952] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002E00E4
.text C:\WINDOWS\system32\spoolsv.exe[1952] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002E0120
.text C:\WINDOWS\system32\spoolsv.exe[1952] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002E015C
.text C:\WINDOWS\system32\spoolsv.exe[1952] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002E0198
.text C:\WINDOWS\system32\spoolsv.exe[1952] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002E0030
.text C:\WINDOWS\system32\spoolsv.exe[1952] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002E006C
.text C:\WINDOWS\system32\spoolsv.exe[1952] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002E00A8
.text C:\WINDOWS\system32\spoolsv.exe[1952] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002F00E4
.text C:\WINDOWS\system32\spoolsv.exe[1952] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002F0120
.text C:\WINDOWS\system32\spoolsv.exe[1952] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002F00A8
.text C:\WINDOWS\system32\spoolsv.exe[1952] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002F0030
.text C:\WINDOWS\system32\spoolsv.exe[1952] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002F006C
.text C:\WINDOWS\system32\svchost.exe[2028] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
.text C:\WINDOWS\system32\svchost.exe[2028] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
.text C:\WINDOWS\system32\svchost.exe[2028] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003001D4
.text C:\WINDOWS\system32\svchost.exe[2028] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003000E4
.text C:\WINDOWS\system32\svchost.exe[2028] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00300120
.text C:\WINDOWS\system32\svchost.exe[2028] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 0030015C
.text C:\WINDOWS\system32\svchost.exe[2028] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00300198
.text C:\WINDOWS\system32\svchost.exe[2028] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 00300030
.text C:\WINDOWS\system32\svchost.exe[2028] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 0030006C
.text C:\WINDOWS\system32\svchost.exe[2028] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003000A8
.text C:\WINDOWS\system32\svchost.exe[2028] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003100E4
.text C:\WINDOWS\system32\svchost.exe[2028] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00310120
.text C:\WINDOWS\system32\svchost.exe[2028] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003100A8
.text C:\WINDOWS\system32\svchost.exe[2028] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 00310030
.text C:\WINDOWS\system32\svchost.exe[2028] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 0031006C
.text C:\WINDOWS\system32\SearchIndexer.exe[2064] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000D0030
.text C:\WINDOWS\system32\SearchIndexer.exe[2064] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000D006C
.text C:\WINDOWS\system32\SearchIndexer.exe[2064] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\WINDOWS\system32\SearchIndexer.exe[2064] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003401D4
.text C:\WINDOWS\system32\SearchIndexer.exe[2064] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003400E4
.text C:\WINDOWS\system32\SearchIndexer.exe[2064] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00340120
.text C:\WINDOWS\system32\SearchIndexer.exe[2064] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 0034015C
.text C:\WINDOWS\system32\SearchIndexer.exe[2064] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00340198
.text C:\WINDOWS\system32\SearchIndexer.exe[2064] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 00340030
.text C:\WINDOWS\system32\SearchIndexer.exe[2064] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 0034006C
.text C:\WINDOWS\system32\SearchIndexer.exe[2064] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003400A8
.text C:\WINDOWS\system32\SearchIndexer.exe[2064] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003500E4
.text C:\WINDOWS\system32\SearchIndexer.exe[2064] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00350120
.text C:\WINDOWS\system32\SearchIndexer.exe[2064] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003500A8
.text C:\WINDOWS\system32\SearchIndexer.exe[2064] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 00350030
.text C:\WINDOWS\system32\SearchIndexer.exe[2064] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 0035006C
.text C:\WINDOWS\System32\alg.exe[3004] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
.text C:\WINDOWS\System32\alg.exe[3004] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
.text C:\WINDOWS\System32\alg.exe[3004] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002E00E4
.text C:\WINDOWS\System32\alg.exe[3004] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002E0120
.text C:\WINDOWS\System32\alg.exe[3004] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002E00A8
.text C:\WINDOWS\System32\alg.exe[3004] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002E0030
.text C:\WINDOWS\System32\alg.exe[3004] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002E006C
.text C:\WINDOWS\System32\alg.exe[3004] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002F01D4
.text C:\WINDOWS\System32\alg.exe[3004] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002F00E4
.text C:\WINDOWS\System32\alg.exe[3004] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002F0120
.text C:\WINDOWS\System32\alg.exe[3004] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002F015C
.text C:\WINDOWS\System32\alg.exe[3004] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002F0198
.text C:\WINDOWS\System32\alg.exe[3004] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002F0030
.text C:\WINDOWS\System32\alg.exe[3004] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002F006C
.text C:\WINDOWS\System32\alg.exe[3004] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002F00A8

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[ntoskrnl.exe!IofCompleteRequest] [A48DF550] \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[600] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00610002
IAT C:\WINDOWS\system32\services.exe[600] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00610000

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 866F353B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-3 866F353B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 866F353B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 866F353B

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----
 
Also, here are the results from the last MBAM scan I did:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6253

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/12/2011 10:17:57 PM
mbam-log-2011-05-12 (22-17-57).txt

Scan type: Quick scan
Objects scanned: 156954
Time elapsed: 10 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Unfortunately I didn't save the log from when it did find infected files in MBAM. I deleted the infected files of both the MBAM and the first avast boot scan. Not too sure if that was the right thing to do, but obviously the rootkit is still on here. So what would be the next step I would take to get rid of this?
 
Please run the following:
Please download MBRCheck and save to your desktop
  • Double click on MBRCheck.exe to run. (Vista and Windows 7 users will have to confirm the UAC prompt)
  • It will show a Black screen with some information that will contain either the below line if no problem is found:
    [o] Done! Press ENTER to exit...
  • Or you will see more information like below if a problem is found:
    [o] Found non-standard or infected MBR.
    [o] Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
  • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
  • Paste this log to your next message.
===================================
Follow that with ComboFix. Please note: If you have Combofix on the desktop already, please uninstall it. Then download the current version and do the scan. Uninstall directions, if needed:
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U; it needs to be there.
------------------------------
Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save to the desktop
  • Double click combofix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe & follow the prompts to run.
  • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
Re-enable your Antivirus software.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
=============================
Follow with Eset online virus scan:
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESETOnlineScan
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    [o] Download the ESET Smart Installer. Save it to your desktop.
    [o] Double click on the ESET Smart Installer icon on your desktop.
  • Check 'Yes I accept terms of use.'
  • Click Start button
  • Accept any security warnings from your browser.
  • Uncheck 'Remove found threats'
  • Check 'Scan archives'
  • Leave remaining settings as is.
  • Press the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  • When the scan completes, press List of found threats
  • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  • Push the Back button
  • Push Finish

NOTE: If no malware is found then no log will be produced. Let me know if this is the case.


Important!
Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
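For anyone following the thread who wants to see what a verdict like MBRCheck's "non-standard or infected MBR" amounts to, here is an added Python example; it is not part of this thread, nor MBRCheck's or ComboFix's own code. It parses a 512-byte master boot record, checks the 0x55AA boot signature, decodes the four partition entries (the "at offset 0x...7e00" line MBRCheck prints for a volume is just that partition's LBA start times 512), and hashes the bootstrap code so it can be compared with a baseline taken from a clean install. Everything beyond the MBR layout is an assumption of the example: hashing the first 440 bytes (the page does not say which region MBRCheck hashes), the placeholder boot code, the baseline set built from the sample itself, and the sample sector, which is constructed in the script rather than read from a disk.

```python
"""Structural and integrity check of a master boot record (MBR).

Added example, not the thread's or MBRCheck's own code. Layout facts used:
bytes 0..439 bootstrap code, 440..443 disk signature, 446..509 four 16-byte
partition entries, 510..511 the 0x55AA signature. The hashed region and the
sample sector below are assumptions/constructed for illustration.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # assumption: region a boot-code baseline covers
PART_TABLE_OFFSET = 446      # four 16-byte partition entries start here
MBR_SIGNATURE = b"\x55\xAA"  # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Validate the boot signature and decode the used partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, num_sectors = struct.unpack(
            "<B3xB3xII", sector[off:off + 16])
        if ptype == 0:           # unused slot
            continue
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "byte_offset": lba_start * SECTOR_SIZE,   # what MBRCheck shows as "at offset"
            "num_sectors": num_sectors,
        })
    return {
        "disk_signature": struct.unpack("<I", sector[440:444])[0],
        "partitions": partitions,
    }


def boot_code_sha1(sector: bytes) -> str:
    """SHA1 of the bootstrap code only. The partition table and disk signature
    differ from machine to machine, so they must stay out of the baseline."""
    return hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper()


def classify_mbr(sector: bytes, known_good: set) -> str:
    """'known-good' when the boot code matches a baseline hash, else 'non-standard'.
    A structurally valid MBR can still carry replaced boot code, so the hash
    comparison, not the signature check, is the meaningful test."""
    parse_mbr(sector)   # reject anything that is not structurally an MBR
    return "known-good" if boot_code_sha1(sector) in known_good else "non-standard"


def build_sample_mbr() -> bytes:
    """Constructed sample, NOT a real Windows XP MBR: placeholder boot code and
    one bootable NTFS partition starting at LBA 63 (byte offset 0x7E00)."""
    boot_code = (b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * BOOT_CODE_LEN)[:BOOT_CODE_LEN]
    disk_sig = struct.pack("<I", 0xDEADBEEF) + b"\x00\x00"     # signature + 2 reserved bytes
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 156_296_322)
    table = entry + b"\x00" * 48                                # three empty slots
    sector = boot_code + disk_sig + table + MBR_SIGNATURE
    assert len(sector) == SECTOR_SIZE
    return sector


if __name__ == "__main__":
    sample = build_sample_mbr()
    # Baseline would normally be captured from a known-clean install of the same OS.
    baseline = {boot_code_sha1(sample)}
    for p in parse_mbr(sample)["partitions"]:
        print(f"partition {p['index']}: type 0x{p['type']:02X} at offset 0x{p['byte_offset']:08x}")
    print("untouched sample:", classify_mbr(sample, baseline))
    tampered = bytearray(sample)
    tampered[0] ^= 0xFF          # one byte of boot code changed
    print("boot code changed:", classify_mbr(bytes(tampered), baseline))
```

Two points the example is built to show: a changed partition table alone does not alter the boot-code hash, so repartitioning or a different disk signature does not raise a false alarm, while any change to the bootstrap bytes does; and the hash has to be compared against a baseline from a trusted source, as the SHA1 values in an MBRCheck log are only useful if there is a known-good value to set them against.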
 
Hi, thank you so much for your help! So here are the results of MBR:
MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000004d

Kernel Drivers (total 131):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806EF000 \WINDOWS\system32\hal.dll
0xF7D2E000 \WINDOWS\system32\KDCOM.DLL
0xF7C3E000 \WINDOWS\system32\BOOTVID.dll
0xF77DF000 ACPI.sys
0xF7D30000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF77CE000 pci.sys
0xF782E000 isapnp.sys
0xF7DF6000 pciide.sys
0xF7AAE000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF783E000 MountMgr.sys
0xF77AF000 ftdisk.sys
0xF7D32000 dmload.sys
0xF7789000 dmio.sys
0xF7AB6000 PartMgr.sys
0xF784E000 VolSnap.sys
0xF7771000 atapi.sys
0xF785E000 disk.sys
0xF786E000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF7751000 fltmgr.sys
0xF773F000 sr.sys
0xF787E000 PxHelp20.sys
0xF7728000 KSecDD.sys
0xF769B000 Ntfs.sys
0xF766E000 NDIS.sys
0xF788E000 uagp35.sys
0xF7654000 Mup.sys
0xF793E000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF7256000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xF70C5000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF794E000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF795E000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF796E000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF70A2000 \SystemRoot\system32\DRIVERS\ks.sys
0xF7B86000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0xF7B8E000 \SystemRoot\system32\DRIVERS\usbohci.sys
0xF707E000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF7B96000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF7B9E000 \SystemRoot\system32\DRIVERS\sisnic.sys
0xF797E000 \SystemRoot\system32\DRIVERS\mf.sys
0xF7BA6000 \SystemRoot\system32\DRIVERS\fdc.sys
0xF798E000 \SystemRoot\system32\DRIVERS\serial.sys
0xF7CF2000 \SystemRoot\system32\DRIVERS\serenum.sys
0xF706A000 \SystemRoot\system32\DRIVERS\parport.sys
0xF7F4E000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF799E000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF7CF6000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF7053000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF79AE000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF79BE000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF7BAE000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF7042000 \SystemRoot\system32\DRIVERS\psched.sys
0xF79CE000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF7BB6000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF7BBE000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF7012000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF79EE000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7BC6000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF7BCE000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF7D70000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF6FB4000 \SystemRoot\system32\DRIVERS\update.sys
0xF7D12000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF7A2E000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF7A3E000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7D72000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xAA781000 \SystemRoot\system32\drivers\adm8820.sys
0xAA75D000 \SystemRoot\system32\drivers\portcls.sys
0xF7A4E000 \SystemRoot\system32\drivers\drmk.sys
0xF7628000 \SystemRoot\system32\DRIVERS\admjoy.sys
0xF7BF6000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xF7DA2000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7EEE000 \SystemRoot\System32\Drivers\Null.SYS
0xF7DA4000 \SystemRoot\System32\Drivers\Beep.SYS
0xF7C06000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF7C0E000 \SystemRoot\System32\drivers\vga.sys
0xF7DA6000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7DA8000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF7C16000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF7C1E000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF6F8C000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xAA6E2000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xAA689000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xF78BE000 \SystemRoot\System32\Drivers\aswTdi.SYS
0xAA661000 \SystemRoot\system32\DRIVERS\netbt.sys
0xF7C26000 \SystemRoot\System32\Drivers\aswRdr.SYS
0xAA63F000 \SystemRoot\System32\drivers\afd.sys
0xF78CE000 \SystemRoot\system32\DRIVERS\netbios.sys
0xF7C2E000 \SystemRoot\System32\Drivers\SCDEmu.SYS
0xAA5EC000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xAA554000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF78DE000 \SystemRoot\System32\Drivers\Fips.SYS
0xAA52E000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF78EE000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xAA444000 \SystemRoot\System32\Drivers\aswSP.SYS
0xAA3D4000 \SystemRoot\System32\Drivers\aswSnx.SYS
0xF7ACE000 \SystemRoot\System32\Drivers\Aavmker4.SYS
0xF7B1E000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xF79DE000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xF7B26000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xAA3C4000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xF6F7C000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xAA3BC000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xAA394000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7D66000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF6FAC000 \SystemRoot\System32\drivers\Dxapi.sys
0xF7B2E000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7E9F000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF065000 \SystemRoot\System32\ati2cqag.dll
0xBF0FE000 \SystemRoot\System32\atikvmag.dll
0xBF182000 \SystemRoot\System32\atiok3x2.dll
0xBF1CD000 \SystemRoot\System32\ati3duag.dll
0xBF572000 \SystemRoot\System32\ativvaxx.dll
0xBF9C5000 \SystemRoot\System32\ATMFD.DLL
0xAA623000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
0xA826C000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA800D000 \SystemRoot\System32\Drivers\aswMon2.SYS
0xA7D50000 \SystemRoot\system32\drivers\wdmaud.sys
0xA7F8D000 \SystemRoot\system32\drivers\sysaudio.sys
0xA7B15000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xF7D8E000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xF7B66000 \SystemRoot\System32\drivers\aspi32.sys
0xA79CD000 \SystemRoot\system32\DRIVERS\srv.sys
0xA7A7D000 \SystemRoot\system32\DRIVERS\secdrv.sys
0xA7889000 \??\C:\Program Files\CyberLink\PowerDVD9\000.fcl
0xA7488000 \SystemRoot\System32\Drivers\HTTP.sys
0xA747C000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xA7329000 \??\C:\DOCUME~1\Emily\LOCALS~1\Temp\fgdcapod.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 35):
0 System Idle Process
4 System
516 C:\WINDOWS\system32\smss.exe
572 csrss.exe
604 C:\WINDOWS\system32\winlogon.exe
648 C:\WINDOWS\system32\services.exe
660 C:\WINDOWS\system32\lsass.exe
816 C:\WINDOWS\system32\ati2evxx.exe
832 C:\WINDOWS\system32\svchost.exe
928 svchost.exe
996 C:\WINDOWS\system32\svchost.exe
1064 svchost.exe
1084 C:\WINDOWS\system32\ati2evxx.exe
1200 svchost.exe
1416 C:\WINDOWS\explorer.exe
1492 C:\Program Files\AVAST Software\Avast\AvastSvc.exe
1588 C:\Program Files\AVAST Software\Avast\AvastUI.exe
1604 C:\WINDOWS\system32\ctfmon.exe
2012 C:\WINDOWS\system32\spoolsv.exe
408 svchost.exe
444 C:\Program Files\AGI\core\4.2.0.10754\AGCoreService.exe
464 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
568 C:\Program Files\Bonjour\mDNSResponder.exe
776 C:\WINDOWS\system32\svchost.exe
1048 C:\Program Files\Java\jre6\bin\jqs.exe
1240 C:\WINDOWS\system32\svchost.exe
1560 C:\WINDOWS\system32\svchost.exe
1316 C:\WINDOWS\system32\svchost.exe
2148 C:\WINDOWS\system32\searchindexer.exe
3268 alg.exe
2416 C:\Program Files\Mozilla Firefox\firefox.exe
176 C:\Program Files\Mozilla Firefox\plugin-container.exe
2792 C:\WINDOWS\system32\searchprotocolhost.exe
3584 searchfilterhost.exe
3708 C:\Documents and Settings\Emily\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\G: --> \\.\PhysicalDrive1 at offset 0x00000000`00100000 (NTFS)

PhysicalDrive0 Model Number: SAMSUNGSP0822N, Rev: WA100-31
PhysicalDrive1 Model Number: WDExt HDD 1021, Rev: 2002

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
931 GB \\.\PhysicalDrive1 RE: Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!

After that I disabled my internet and virus program and proceeded with combofix, forgetting I needed to be connected to the internet to install the Microsoft Windows Recovery Console. I tried reconnecting, but it kept failing to connect, so I just let combofix continue to run, since a message came up saying combofix wanted to continue scanning for malware. Here are the results:
ComboFix 11-05-13.02 - Emily 05/13/2011 17:39:28.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.664 [GMT -7:00]
Running from: c:\documents and settings\Emily\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Emily\Application Data\Adobe\plugs
c:\documents and settings\Emily\Application Data\Adobe\shed
c:\documents and settings\Emily\Local Settings\Application Data\{572FBE01-02C6-4A99-B7F7-FC9C8FE7E6E3}
c:\documents and settings\Emily\Local Settings\Application Data\{572FBE01-02C6-4A99-B7F7-FC9C8FE7E6E3}\chrome.manifest
c:\documents and settings\Emily\Local Settings\Application Data\{572FBE01-02C6-4A99-B7F7-FC9C8FE7E6E3}\chrome\content\_cfg.js
c:\documents and settings\Emily\Local Settings\Application Data\{572FBE01-02C6-4A99-B7F7-FC9C8FE7E6E3}\chrome\content\overlay.xul
c:\documents and settings\Emily\Local Settings\Application Data\{572FBE01-02C6-4A99-B7F7-FC9C8FE7E6E3}\install.rdf
G:\Autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2011-04-14 to 2011-05-14 )))))))))))))))))))))))))))))))
.
.
2011-05-13 09:20 . 2011-05-13 09:20 -------- d-----w- c:\program files\ESET
2011-05-13 09:20 . 2011-05-13 09:20 2322184 ----a-w- C:\esetsmartinstaller_enu.exe
2011-05-13 07:02 . 2011-05-13 07:19 -------- d-----w- C:\TDSS
2011-05-13 01:25 . 2011-05-13 01:25 625664 ----a-w- C:\dds.scr
2011-05-13 00:00 . 2011-05-13 00:00 1376832 ----a-w- C:\sar_15_sfx.exe
2011-05-12 09:42 . 2011-05-13 05:11 -------- d-----w- C:\gmer
2011-05-12 08:35 . 2011-05-12 08:34 190032 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-05-10 01:58 . 2011-05-10 01:58 -------- d-----w- c:\program files\CyberDefender
2011-05-07 07:58 . 2011-05-07 07:58 0 ----a-w- c:\windows\Ycoqetekolasihik.bin
2011-05-03 02:10 . 2011-05-03 02:10 -------- d-----w- c:\windows\Sun
2011-04-20 09:32 . 2011-04-20 09:32 -------- d-----w- c:\documents and settings\Emily\Application Data\HP
2011-04-20 09:05 . 2011-04-20 09:05 -------- d-----w- c:\documents and settings\Emily\Local Settings\Application Data\HP
2011-04-20 08:43 . 2011-04-20 08:43 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2011-04-20 08:34 . 2011-04-20 08:43 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2011-04-20 08:28 . 2011-04-20 08:28 -------- d-----w- c:\program files\Common Files\HP
2011-04-20 08:28 . 2011-04-20 08:28 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2011-04-20 08:27 . 2011-04-20 08:27 -------- d-----w- c:\program files\Hewlett-Packard
2011-04-20 08:22 . 2007-01-17 16:37 16496 ----a-r- c:\windows\system32\drivers\HPZipr12.sys
2011-04-20 08:22 . 2007-01-17 16:37 49920 ----a-r- c:\windows\system32\drivers\HPZid412.sys
2011-04-20 08:19 . 2011-04-20 08:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2011-04-20 08:18 . 2007-11-06 02:06 278016 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpzpp5mu.dll
2011-04-20 08:18 . 2007-11-06 02:07 118272 ----a-w- c:\windows\system32\hpz3l5mu.dll
2011-04-20 08:18 . 2007-11-07 02:10 271704 ----a-r- c:\windows\system32\hpzids01.dll
2011-04-20 08:17 . 2007-01-17 16:37 21568 ----a-r- c:\windows\system32\drivers\HPZius12.sys
2011-04-20 08:16 . 2007-01-17 16:37 364544 ----a-r- c:\windows\system32\hppldcoi.dll
2011-04-20 08:16 . 2007-01-17 16:37 309760 ----a-r- c:\windows\system32\difxapi.dll
2011-04-20 08:16 . 2007-01-17 16:31 294912 ----a-r- c:\windows\system32\hpovst11.dll
2011-04-20 08:16 . 2007-10-31 10:35 729088 ----a-r- c:\windows\system32\hpwwiax4.dll
2011-04-20 08:16 . 2007-10-31 10:35 593920 ----a-r- c:\windows\system32\hpwtscl3.dll
2011-04-20 04:43 . 2007-11-07 02:15 1140056 ----a-r- c:\windows\hpzmsi01.exe
2011-04-20 04:43 . 2007-11-07 02:04 1373528 ----a-r- c:\windows\hpzshl01.exe
2011-04-20 04:43 . 2011-04-20 04:43 -------- d-----w- c:\windows\yellowtail
2011-04-20 04:42 . 2011-04-20 08:43 -------- d-----w- c:\program files\HP
2011-04-20 04:42 . 2008-04-13 17:45 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2011-04-20 04:42 . 2008-04-13 17:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2011-04-20 04:42 . 2008-04-13 17:47 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2011-04-20 04:42 . 2008-04-13 17:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-13 07:01 . 2011-05-13 07:01 1280815 ----a-w- C:\tdsskiller.zip
2011-05-10 12:10 . 2011-04-02 04:41 40112 ----a-w- c:\windows\avastSS.scr
2011-05-10 12:10 . 2011-04-02 04:41 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-05-10 12:03 . 2011-04-02 04:41 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-05-10 12:03 . 2011-04-02 04:41 307928 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-05-10 12:02 . 2011-04-02 04:41 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-05-10 12:02 . 2011-04-02 04:41 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-05-10 12:02 . 2011-04-02 04:41 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-05-10 11:59 . 2011-04-02 04:41 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-05-10 11:59 . 2011-04-02 04:41 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-05-10 11:59 . 2011-04-02 04:41 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-04-02 01:53 . 2011-04-02 01:53 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-04-02 01:53 . 2011-04-02 01:53 411368 ----a-w- c:\windows\system32\deploytk.dll
2011-04-02 01:08 . 2011-04-02 00:56 29480 ----a-w- c:\windows\system32\msxml3a.dll
2011-04-02 01:08 . 2011-04-02 00:50 505128 ----a-w- c:\windows\system32\msvcp71.dll
2011-04-02 01:08 . 2011-04-02 00:50 353576 ----a-w- c:\windows\system32\msvcr71.dll
2011-02-18 23:36 . 2011-04-02 03:19 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-02-18 23:36 . 2011-04-02 03:19 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
.
Code:
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart .exe
c:\program files\HP\Digital Imaging\bin\hpqSRMon .exe
c:\program files\HP\HP Software Update\HPWuSchd2 .exe
c:\windows\system32\rundll32 .exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0BC6E3FA-78EF-4886-842C-5A1258C4455A}"= "mscoree.dll" [2009-11-06 297808]
.
[HKEY_CLASSES_ROOT\clsid\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
[HKEY_CLASSES_ROOT\agihelper.AGUtils]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
2009-11-06 05:17 297808 ----a-w- c:\windows\system32\mscoree.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-05-10 12:10 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-05-10 3459712]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Emily^Start Menu^Programs^Startup^Webshots.lnk]
path=c:\documents and settings\Emily\Start Menu\Programs\Startup\Webshots.lnk
backup=c:\windows\pss\Webshots.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\asecpp70.exe]
c:\documents and settings\Emily\Application Data\B048D7F1E838916CD6AFD9D3C6713578\asecpp70.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
c:\program files\HP\HP Software Update\HPWuSchd2.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyCleanPC Registry Cleaner]
c:\program files\CyberDefender\Registry Scanner\CDregclean.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2007-04-09 12:23 200704 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [N/A]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
.
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\A.tmp [x]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2011/04/01 17:58];c:\program files\CyberLink\PowerDVD9\000.fcl [2009-05-08 04:05 87536]
S2 AGCoreService;AG Core Services;c:\program files\AGI\core\4.2.0.10754\AGCoreService.exe [2010-06-29 20480]
S2 aswFsBlk;aswFsBlk; [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Free YouTube to MP3 Converter - c:\documents and settings\Emily\Application Data\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
FF - ProfilePath - c:\documents and settings\Emily\Application Data\Mozilla\Firefox\Profiles\xy85n44r.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/ig?hl=en#t_0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\AVAST Software\Avast\WebRep\FF
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: DVDVideoSoft Menu: {ACAA314B-EEBA-48e4-AD47-84E31C44796C} - %profile%\extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-13 18:18
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\A.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{B154377D-700F-42cc-9474-23858FBDF4BD}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD9\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(564)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2011-05-13 18:37:14
ComboFix-quarantined-files.txt 2011-05-14 01:36
.
Pre-Run: 54,426,267,648 bytes free
Post-Run: 54,402,711,552 bytes free
.
- - End Of File - - 4A1DB7A5A584EAF70DBFD3BA975C2EA3

Then I ran Eset, took around 6 hours to complete and only found:

C:\System Volume Information\_restore{2D4C0AFE-27F0-4A63-B549-5921EF306D85}\RP20\A0006328.exe Win32/Toolbar.AskSBar application
C:\System Volume Information\_restore{2D4C0AFE-27F0-4A63-B549-5921EF306D85}\RP60\A0016073.ini Win32/Adware.AntimalwareDoctor.AE.Gen application
 
Okay, it appears that the rootkit has been handled. Eset is fine. The 2 entries are System Restore points. They are not active in the system now. I will have you remove the old restore points when we're finished and set a new, clean one. (It goes without saying that you shouldn't be doing a System Restore during cleaning!)

Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry. Do not install new programs unless I have directed you to.

You put the Sophos AntiRootkit on the system the day after you posted the logs. This means that there can be changes in the logs and it makes it more difficult to work with them.
=========================================
Regarding Antimalware Doctor: It is a rogue anti-spyware program that displays fake security alerts and reports false scan results to make you think that your computer is infected with malware. This fake program is promoted and installed through the use of trojan viruses that usually come from fake online scanner and various bogus websites. The scam is that it will claim that you must purchase the program in order to remove the infections.
=========================================
Unless you can't get into Normal Mode, you should do these scans in Normal Mode. Combofix will disconnect briefly, but it's after the Repair Console query. If you need to boot into Safe Mode, I will tell you. You can connect and run Combofix again if you want, then go ahead and install the Recovery Console. After doing that, go on with the following:

Please run this Custom CFScript:

  [1]. Close any open browsers.
  [2]. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  [3]. Open Notepad > click on Format > uncheck 'Word Wrap' > and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
Code:
File::
c:\windows\system32\a.tmp
c:\windows\system32\A.tmp 
c:\windows\Ycoqetekolasihik.bin
DirLook::
c:\windows\yellowtail
RenV::
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart .exe
c:\program files\HP\Digital Imaging\bin\hpqSRMon .exe
c:\program files\HP\HP Software Update\HPWuSchd2 .exe
c:\windows\system32\rundll32 .exe
Folder::
c:\docume~1\emily\locals~1\applic~1\{572FBE01-02C6-4A99-B7F7-FC9C8FE7E6E3}
Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0BC6E3FA-78EF-4886-842C-5A1258C4455A}"=-
[HKEY_CLASSES_ROOT\clsid\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
[HKEY_CLASSES_ROOT\agihelper.AGUtils]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\asecpp70.exe]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyCleanPC Registry Cleaner]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"=-
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{B154377D-700F-42cc-9474-23858FBDF4BD}]
"ImagePath"=-
Driver::
MEMSWEEP2
FCopy::
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================
Please uninstall CyberDefender. This is not a good program to have. It brings 'MyCleanPC' bundled with it, plus BHOs and Toolbars. So remove any related entries also.
===================================
An important note: If you are not already using a Site Advisor, I recommend WOT:

The Web of Trust (WOT) add-on is a safe surfing tool for your browser. Traffic-light rating symbols show how the site is rated for Trustworthiness, Vendor Reliability, Privacy and Child Safety. Your online email account (Google Mail, Yahoo! Mail and Hotmail) is also protected.

Every time you do a search and the screen comes up with the sites, they will have the rating light. Green (2 shades), Amber/Yellow Caution, Red> not advised. A few sites haven't been rated and show as a blue flashlight. Go for the Green only. That will tell you that the site is safe and reliable and/or whatever program you're searching for should be safe.

If you want to link from the page you're on to another site, WOT will give you an Alert if the site is known for fraudulent entries, is unreliable or otherwise, and the site won't load. Don't worry- those Alerts don't happen if you stick to the green rating.
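As an added example that is not part of this thread or of ComboFix, here is the log-reading step written as code: three of the heuristics the helper applied to the first ComboFix log above, run over constructed sample lines in ComboFix's own format. The regexes, rule names and severities are my own; the `[N/A]` rule is deliberately only informational, because a missing target alone (the HP updater line) is not a sign of infection.

```python
import re

# Constructed sample lines in the shape ComboFix prints them (not a real log;
# assembled for this example from the kinds of entries discussed in the thread).
SAMPLE_LOG = r"""
c:\program files\HP\HP Software Update\HPWuSchd2 .exe
c:\windows\system32\rundll32 .exe
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
c:\documents and settings\Emily\Application Data\B048D7F1E838916CD6AFD9D3C6713578\asecpp70.exe [N/A]
c:\program files\HP\HP Software Update\HPWuSchd2.exe [N/A]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\A.tmp [x]
S2 AGCoreService;AG Core Services;c:\program files\AGI\core\4.2.0.10754\AGCoreService.exe [2010-06-29 20480]
"""

# 1. A space inserted before the extension: "rundll32 .exe" is a different file
#    from "rundll32.exe"; these are the entries the RenV:: section restores.
SPACED_EXT = re.compile(r"\S \.(exe|dll|sys|scr|cpl)\s*$", re.IGNORECASE)

# 2. A startup entry whose target is gone ([N/A]) and whose parent folder under
#    Application Data is a bare 32-hex-digit name rather than a vendor name.
HEX_DIR_NA = re.compile(
    r"\\Application Data\\[0-9A-F]{32}\\[^\\]+\s+\[N/A\]\s*$", re.IGNORECASE
)

# 3. A service/driver line (R0-R3 / S0-S4 prefix) whose image path is a .tmp
#    file: not malicious by itself (it may be a scanner's own driver), but it
#    needs to be identified before the log can be read cleanly.
TMP_SERVICE = re.compile(r"^[RS][0-4] [^;]+;[^;]*;.*\.tmp\s+\[", re.IGNORECASE)


def scan_log(text):
    """Return (rule, severity, line) for every log line a heuristic matches.

    Rules are tried in order and a line gets at most one finding, so the
    generic 'missing-target' note never duplicates the hex-folder rule.
    """
    findings = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if SPACED_EXT.search(line):
            findings.append(("spaced-extension", "high", line))
        elif HEX_DIR_NA.search(line):
            findings.append(("hex-named-autostart", "high", line))
        elif TMP_SERVICE.search(line):
            findings.append(("tmp-service-image", "review", line))
        elif line.endswith("[N/A]"):
            findings.append(("missing-target", "info", line))
    return findings


def summarize(findings):
    """Count findings per rule, e.g. {'spaced-extension': 2, ...}."""
    counts = {}
    for rule, _severity, _line in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, severity, line in scan_log(SAMPLE_LOG):
        print(f"[{severity:6}] {rule:20} {line}")
    print(summarize(scan_log(SAMPLE_LOG)))
```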
 
I installed the Recovery Console and ran Combofix with the custom script. Here are the results:
ComboFix 11-05-14.01 - Emily 05/14/2011 18:19:14.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.657 [GMT -7:00]
Running from: c:\documents and settings\Emily\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Emily\Desktop\CFScript.txt.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
FILE ::
"c:\windows\system32\a.tmp"
"c:\windows\Ycoqetekolasihik.bin"
.
PEV Error: StartUpFile
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\Ycoqetekolasihik.bin
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MEMSWEEP2
-------\Service_MEMSWEEP2
.
.
((((((((((((((((((((((((( Files Created from 2011-04-15 to 2011-05-15 )))))))))))))))))))))))))))))))
.
.
2011-05-13 23:55 . 2011-05-13 23:55 80384 ----a-w- C:\MBRCheck.exe
2011-05-13 09:20 . 2011-05-13 09:20 -------- d-----w- c:\program files\ESET
2011-05-13 09:20 . 2011-05-13 09:20 2322184 ----a-w- C:\esetsmartinstaller_enu.exe
2011-05-13 07:02 . 2011-05-13 07:19 -------- d-----w- C:\TDSS
2011-05-13 01:25 . 2011-05-13 01:25 625664 ----a-w- C:\dds.scr
2011-05-13 00:00 . 2011-05-13 00:00 1376832 ----a-w- C:\sar_15_sfx.exe
2011-05-12 09:42 . 2011-05-13 05:11 -------- d-----w- C:\gmer
2011-05-12 08:35 . 2011-05-12 08:34 190032 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-05-10 01:58 . 2011-05-10 01:58 -------- d-----w- c:\program files\CyberDefender
2011-05-03 02:10 . 2011-05-03 02:10 -------- d-----w- c:\windows\Sun
2011-04-20 09:32 . 2011-04-20 09:32 -------- d-----w- c:\documents and settings\Emily\Application Data\HP
2011-04-20 09:05 . 2011-04-20 09:05 -------- d-----w- c:\documents and settings\Emily\Local Settings\Application Data\HP
2011-04-20 08:43 . 2011-04-20 08:43 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2011-04-20 08:34 . 2011-04-20 08:43 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2011-04-20 08:28 . 2011-04-20 08:28 -------- d-----w- c:\program files\Common Files\HP
2011-04-20 08:28 . 2011-04-20 08:28 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2011-04-20 08:27 . 2011-04-20 08:27 -------- d-----w- c:\program files\Hewlett-Packard
2011-04-20 08:22 . 2007-01-17 16:37 16496 ----a-r- c:\windows\system32\drivers\HPZipr12.sys
2011-04-20 08:22 . 2007-01-17 16:37 49920 ----a-r- c:\windows\system32\drivers\HPZid412.sys
2011-04-20 08:19 . 2011-04-20 08:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2011-04-20 08:18 . 2007-11-06 02:06 278016 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpzpp5mu.dll
2011-04-20 08:18 . 2007-11-06 02:07 118272 ----a-w- c:\windows\system32\hpz3l5mu.dll
2011-04-20 08:18 . 2007-11-07 02:10 271704 ----a-r- c:\windows\system32\hpzids01.dll
2011-04-20 08:17 . 2007-01-17 16:37 21568 ----a-r- c:\windows\system32\drivers\HPZius12.sys
2011-04-20 08:16 . 2007-01-17 16:37 364544 ----a-r- c:\windows\system32\hppldcoi.dll
2011-04-20 08:16 . 2007-01-17 16:37 309760 ----a-r- c:\windows\system32\difxapi.dll
2011-04-20 08:16 . 2007-01-17 16:31 294912 ----a-r- c:\windows\system32\hpovst11.dll
2011-04-20 08:16 . 2007-10-31 10:35 729088 ----a-r- c:\windows\system32\hpwwiax4.dll
2011-04-20 08:16 . 2007-10-31 10:35 593920 ----a-r- c:\windows\system32\hpwtscl3.dll
2011-04-20 04:43 . 2007-11-07 02:15 1140056 ----a-r- c:\windows\hpzmsi01.exe
2011-04-20 04:43 . 2007-11-07 02:04 1373528 ----a-r- c:\windows\hpzshl01.exe
2011-04-20 04:43 . 2011-04-20 04:43 -------- d-----w- c:\windows\yellowtail
2011-04-20 04:42 . 2011-04-20 08:43 -------- d-----w- c:\program files\HP
2011-04-20 04:42 . 2008-04-13 17:45 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2011-04-20 04:42 . 2008-04-13 17:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2011-04-20 04:42 . 2008-04-13 17:47 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2011-04-20 04:42 . 2008-04-13 17:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-13 07:01 . 2011-05-13 07:01 1280815 ----a-w- C:\tdsskiller.zip
2011-05-10 12:10 . 2011-04-02 04:41 40112 ----a-w- c:\windows\avastSS.scr
2011-05-10 12:10 . 2011-04-02 04:41 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-05-10 12:03 . 2011-04-02 04:41 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-05-10 12:03 . 2011-04-02 04:41 307928 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-05-10 12:02 . 2011-04-02 04:41 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-05-10 12:02 . 2011-04-02 04:41 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-05-10 12:02 . 2011-04-02 04:41 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-05-10 11:59 . 2011-04-02 04:41 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-05-10 11:59 . 2011-04-02 04:41 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-05-10 11:59 . 2011-04-02 04:41 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-04-02 01:53 . 2011-04-02 01:53 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-04-02 01:53 . 2011-04-02 01:53 411368 ----a-w- c:\windows\system32\deploytk.dll
2011-04-02 01:08 . 2011-04-02 00:56 29480 ----a-w- c:\windows\system32\msxml3a.dll
2011-04-02 01:08 . 2011-04-02 00:50 505128 ----a-w- c:\windows\system32\msvcp71.dll
2011-04-02 01:08 . 2011-04-02 00:50 353576 ----a-w- c:\windows\system32\msvcr71.dll
2011-02-18 23:36 . 2011-04-02 03:19 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-02-18 23:36 . 2011-04-02 03:19 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\windows\yellowtail ----
.
2011-04-20 04:43 . 2007-06-08 13:12 340 ----a-r- c:\windows\yellowtail\scrub2k.ini
2011-04-20 04:43 . 2007-05-09 11:07 65536 ----a-r- c:\windows\yellowtail\scrub2k.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
2009-11-06 05:17 297808 ----a-w- c:\windows\system32\mscoree.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-05-10 12:10 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-05-10 3459712]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Emily^Start Menu^Programs^Startup^Webshots.lnk]
path=c:\documents and settings\Emily\Start Menu\Programs\Startup\Webshots.lnk
backup=c:\windows\pss\Webshots.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-10-15 04:17 49152 ----a-w- c:\program files\HP\HP Software Update\HPWuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2007-08-22 23:31 80896 ----a-w- c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2007-04-09 12:23 200704 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2010-02-11 06:32 61440 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [4/1/2011 9:41 PM 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/1/2011 9:41 PM 307928]
R2 AGCoreService;AG Core Services;c:\program files\AGI\core\4.2.0.10754\AGCoreService.exe [4/3/2011 5:46 PM 20480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/1/2011 9:41 PM 19544]
S2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2011/04/01 17:58]; [x]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Free YouTube to MP3 Converter - c:\documents and settings\Emily\Application Data\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
FF - ProfilePath - c:\documents and settings\Emily\Application Data\Mozilla\Firefox\Profiles\xy85n44r.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/ig?hl=en#t_0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\AVAST Software\Avast\WebRep\FF
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: DVDVideoSoft Menu: {ACAA314B-EEBA-48e4-AD47-84E31C44796C} - %profile%\extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C}
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-asecpp70 - c:\documents and settings\Emily\Application Data\B048D7F1E838916CD6AFD9D3C6713578\asecpp70.exe
MSConfigStartUp-MyCleanPC Registry Cleaner - c:\program files\CyberDefender\Registry Scanner\CDregclean.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-14 19:04
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(608)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(1196)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-05-14 19:20:17 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-15 02:19
ComboFix2.txt 2011-05-14 23:51
.
Pre-Run: 54,200,967,168 bytes free
Post-Run: 54,099,271,680 bytes free
.
- - End Of File - - 91291A7A2E2AFE33283BC25337B4E66F

A message did come up at the end saying a rootkit had been detected, and it restarted the computer. After it finished rebooting, avast popped up with a message saying suspicious files have been found: \\??\C:\...\catchme.sys. Is this bad?
Also, I uninstalled Sophos and Cyber Defender, as well as installed WOT. I didn't have a Site Advisor before; do you know if it's safe to be doing online banking/PayPal accounts as well at the moment?
Thank you so much for all the help!
 
I'd like you to do a couple of things for me while I finish checking this log:

1. Repeating:
Please uninstall CyberDefender. This is not a good program to have. It brings 'MyCleanPC' bundled with it, along with BHOs and Toolbars. So remove any related entries also.
After it is uninstalled, you will remove the program folder, like this:
Right click on Start> Click on Explore. This opens Windows Explorer and allows you to follow this path >> My Computer> Double click on Local Drive (C)> Programs> Find CyberDefender> Do a right click> Delete> Look for a separate folder named MyCleanPC. If there is one, do a right click> Delete on it also. Then exit and close Windows Explorer.
=============================================
Using the path below, you're going to uncheck all processes related to HP and its Digital Imaging:
To remove entries from the Startup Menu using the msconfig utility:
  • Click on Start> Run> type in msconfig> enter>
    msconfig_open_xp.gif
  • Click on Selective Startup
  • Choose the Startup tab:
    startup_tab_xp.gif

    All images courtesy NetSquirrel
  • To expand the Command Column, (this shows what the process 'belongs' to) hold left mouse button down on the dividing line on frame above Location and move to the right to expand.
  • Uncheck any processes for HP and its Digital Imaging
  • Click on Apply> OK when finished.
NOTE:
When you reboot the system the first time after making changes using the msconfig utility, a nag message comes up that can be ignored and closed after checking 'don't show this message again.' Remain in Selective Startup to retain those changes.
========================================
Taking the printer off of startup does not uninstall it. It just stops it from starting on boot and running in the background. All my printers/scanners/AIOs have been from HP; they put a multitude of entries on the Startup Menu. I removed all of mine and have no problem. To print, click on File> Print. You can make any adjustments to the printout by doing that. You can open the HP Image Director in All Programs if you need to use it.
=====================================
When you have finished with all of the above, please run this:
Download HijackThis http://download.bleepingcomputer.com/hijackthis/HijackThis.zip and save to your desktop.
  • Extract it to a directory on your hard drive called c:\HijackThis.
  • Then navigate to that directory and double-click on the hijackthis.exe file.
  • When started click on the Scan button and then the Save Log button to create a log of your information.
  • The log will open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Between the two of us, we will make sure the malware is gone and that your system isn't being overloaded running unneeded processes in the background. I have some of these entries in the Registry set up with a script for HP to make sure they don't run until you need them.
 
Hmm, that's strange. I had already uninstalled Cyber Defender; it's not showing up in my Add/Remove Programs, nor are there any folders in Windows Explorer related to it. I just opened WE the normal way since I didn't see an option for Explorer by right-clicking on the taskbar (I just see Toolbars, Cascade Windows, Tile Windows Horizontally/Vertically, Show the Desktop, Task Manager, Lock Taskbar and Properties). In MSCONFIG the only 2 things selected under "Startup" are "avastUI" and "ctfmon"; everything else I had already unchecked. It was already on "Selective Startup" as well. Here are the results from HijackThis:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:00:44 PM, on 5/15/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AGI\core\4.2.0.10754\AGCoreService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: agihelper.AGUtils - {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll (file missing)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Increase performance and video formats for your HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll
O2 - BHO: Use the DivX Plus Web Player to watch web videos with less interruptions and smoother playback on supported sites - {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MI1933~1\Office12\GRA8E1~1.DLL
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Free YouTube to MP3 Converter - C:\Documents and Settings\Emily\Application Data\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1301695638546
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1301695622984
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MI1933~1\Office12\GR99D3~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: AG Core Services (AGCoreService) - AG Interactive - C:\Program Files\AGI\core\4.2.0.10754\AGCoreService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 8851 bytes
 
My apologies about accessing Windows Explorer. My direction was incorrect> It should have been "Right click on Start> Explore". You can also get there using the Windows key + E. Here is the path to delete the program folder, corrected:
After it is uninstalled, you will remove the program folder, like this:
Right click on Start> Click on Explore. This opens Windows Explorer and allows you to follow this path >> My Computer> Double click on Local Drive (C)> Programs> Find CyberDefender> Do a right click> Delete> Look for a separate folder named MyCleanPC. If there is one, do a right click> Delete on it also. Then exit and close Windows Explorer.


What model of HP printer do you have now? There are multiple HP processes running for a printer installed in 2007.
 
So I went through Windows Explorer and wasn't able to find any Cyber Defender or MyCleanPC folders. I also did a Windows search and looked in the registry as well; it looks like they're gone. I have an HP Officejet J4500 Series, and there aren't any HP processes running in Task Manager at the moment; I disabled them all in msconfig.
 
I missed the earlier:
G:\Autorun.inf removal in Combofix indicates possibly using an infected flash drive
This may be the reason for the repeated warnings. You'll need to disinfect the flash drive:
You may have a flash drive infection. These worms travel through your portable drives. If they have been connected to other machines, they may now be infected.

Please disinfect all movable drives
  1. Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  2. Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    Note: Some security programs will flag Flash_Disinfector as being some sort of malware, you can safely ignore these warnings
  3. The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  4. Wait until it has finished scanning and then exit the program.
  5. Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
=================
Adobe Reader is outdated. Visit this Adobe Reader site. Uninstall any earlier updates as they are vulnerabilities. You have numerous entries for v8. Hopefully the update and uninstall of the outdated version will bring them current.
Java is outdated: check this site: Java Updates. Uninstall any earlier versions in Add/Remove Programs as they are vulnerabilities for the system.
===========================================
About this question:
...installed WOT. I didn't have a Site Advisor before, do you know if it's safe to be doing online banking/pay pal accounts as well at the moment?
This is an apples and oranges question. WOT is a Site Advisor. It has rating criteria for Trustworthiness, Vendor Reliability, Privacy, Child Safety.

PayPal is an e-commerce business allowing payments and money transfers to be made through the Internet.

The only suggestion I can give by way of comparison is that if I wanted to use PayPal for a financial transaction, I would only want to use it on a site that was well rated.
=============================================
Please run this Custom CFScript:

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open Notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
Code:
File::
C:\tdsskiller.zip
c:\windows\yellowtail\scrub2k.ini
c:\windows\yellowtail\scrub2k.exe
Folder::
c:\program files\CyberDefender
c:\windows\yellowtail
DDS::
uURLSearchHooks: agihelper.AGUtils: {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll
BHO: agihelper.AGUtils: {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

Registry::
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

Driver::

FCopy::
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
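As an added example (not part of this thread, and not code from the HijackThis or ComboFix authors), here is a small Python triage of HijackThis lines of the kind posted above: it flags a BHO whose DLL is reported "(file missing)" (the agihelper entry the CFScript removes in its Registry:: section), a service listed with "Unknown owner", and any Run entry that starts from a per-user data folder, and renders the orphaned BHO in the `[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CLSID}]` shorthand the CFScript uses. The sample log is constructed from entries in this thread; the asecpp70 Run line is modelled on the DDS "ORPHANS REMOVED" entry, and the folder markers are my own heuristic.

```python
"""Triage a HijackThis v2 log the way a helper reads it: orphaned BHO/toolbar
entries, services with no publisher, and autostarts launched from a user profile."""
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v2 format. Entries are modelled on the log posted in
# this thread; the asecpp70 Run line is built from the DDS "ORPHANS REMOVED" entry.
SAMPLE_HJT_LOG = r"""
O2 - BHO: agihelper.AGUtils - {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll (file missing)
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [asecpp70] C:\Documents and Settings\Emily\Application Data\B048D7F1E838916CD6AFD9D3C6713578\asecpp70.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
"""

# O2 (BHO) and O3 (toolbar): "<name> - {CLSID} - <dll path, or '... (file missing)'>"
BHO_RE = re.compile(r"^O[23] - (?:BHO|Toolbar): (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
# O4: "HKLM\..\Run: [<value name>] <command line>"
RUN_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O23: "Service: <display name> - <publisher, or 'Unknown owner'> - <image path>"
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")

# Heuristic (mine, not HijackThis's): folders a Run entry rarely points into on XP.
USER_DATA_MARKERS = ("\\application data\\", "\\local settings\\temp\\")


@dataclass(frozen=True)
class Finding:
    kind: str     # "orphan_bho", "orphan_toolbar", "unknown_owner", "profile_autostart"
    entry: str    # the HijackThis line the finding came from
    detail: str   # what a reviewer should look at
    clsid: str = ""


def _command_target(cmd: str) -> str:
    """Extract the executable path from a Run command line, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted path with spaces: stop at the first executable extension followed by a space or end.
    m = re.match(r"(.+?\.(?:exe|scr|com|bat|cmd|dll))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def triage(log_text: str) -> list[Finding]:
    """Scan HijackThis lines and return the entries a helper would ask about, in log order."""
    findings: list[Finding] = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line:
            continue
        if m := BHO_RE.match(line):
            # The CLSID is still registered but HijackThis cannot find the DLL: nothing loads,
            # yet the key is left behind (the agihelper case the CFScript's Registry:: removes).
            if m.group("path").endswith("(file missing)"):
                kind = "orphan_bho" if line.startswith("O2") else "orphan_toolbar"
                findings.append(Finding(kind, line, f"{m.group('name')}: DLL missing, key left behind", m.group("clsid")))
        elif m := SVC_RE.match(line):
            # No publisher string: could be unsigned vendor code or something dropped; verify the image.
            if m.group("owner").lower() == "unknown owner":
                findings.append(Finding("unknown_owner", line, f"service '{m.group('name')}' -> verify {m.group('path')}"))
        elif m := RUN_RE.match(line):
            target = _command_target(m.group("cmd")).lower()
            if any(marker in target for marker in USER_DATA_MARKERS):
                findings.append(Finding("profile_autostart", line, f"'{m.group('name')}' autostarts from user data: {target}"))
    return findings


def cfscript_registry_stanza(findings: list[Finding]) -> str:
    r"""Render orphaned BHO CLSIDs as a ComboFix Registry:: block, using the
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CLSID}] shorthand seen in this thread."""
    keys = [f"[HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{f.clsid}]"
            for f in findings if f.kind == "orphan_bho"]
    return "Registry::\n" + "".join(k + "\n" for k in keys)


if __name__ == "__main__":
    results = triage(SAMPLE_HJT_LOG)
    for f in results:
        print(f"{f.kind:18} {f.detail}")
    print(cfscript_registry_stanza(results))
```

Entries the script does not flag (avast, ctfmon, the Adobe toolbar) still deserve a look in a real log; the point is to surface the three patterns the helper acts on here, not to clear the rest.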
 
ComboFix 11-05-14.01 - Emily 05/22/2011 1:08.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.635 [GMT -7:00]
Running from: c:\documents and settings\Emily\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Emily\Desktop\CFScript.txt.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
- REDUCED FUNCTIONALITY MODE -
.
FILE ::
"C:\tdsskiller.zip"
"c:\windows\yellowtail\scrub2k.exe"
"c:\windows\yellowtail\scrub2k.ini"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\hijackthis\HiJackThis.exe
C:\tdsskiller.zip
c:\windows\yellowtail
c:\windows\yellowtail\scrub2k.exe
c:\windows\yellowtail\scrub2k.ini
.
.
((((((((((((((((((((((((( Files Created from 2011-04-22 to 2011-05-22 )))))))))))))))))))))))))))))))
.
.
2011-05-22 06:14 . 2011-05-22 06:14 -------- d-----w- c:\program files\Common Files\Java
2011-05-22 06:14 . 2011-04-14 12:08 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-05-22 06:14 . 2011-04-14 12:07 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-22 06:11 . 2011-05-22 06:11 887072 ----a-w- C:\jre-6u25-windows-i586-iftw.exe
2011-05-22 06:10 . 2011-05-22 06:10 12602368 ----a-w- C:\AdbeRdrUpd1001_Tier2.msp
2011-05-17 21:23 . 2011-05-17 21:23 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-15 23:58 . 2011-05-22 08:11 -------- d-----w- C:\HiJackThis
2011-05-13 23:55 . 2011-05-13 23:55 80384 ----a-w- C:\MBRCheck.exe
2011-05-13 09:20 . 2011-05-13 09:20 -------- d-----w- c:\program files\ESET
2011-05-13 09:20 . 2011-05-13 09:20 2322184 ----a-w- C:\esetsmartinstaller_enu.exe
2011-05-13 07:02 . 2011-05-13 07:19 -------- d-----w- C:\TDSS
2011-05-13 01:25 . 2011-05-13 01:25 625664 ----a-w- C:\dds.scr
2011-05-13 00:00 . 2011-05-13 00:00 1376832 ----a-w- C:\sar_15_sfx.exe
2011-05-12 09:42 . 2011-05-13 05:11 -------- d-----w- C:\gmer
2011-05-12 08:35 . 2011-05-12 08:34 190032 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-05-03 02:10 . 2011-05-03 02:10 -------- d-----w- c:\windows\Sun
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-22 06:31 . 2011-05-22 06:18 132176337 ----a-w- C:\AdbeRdr1000_mui_Std.zip
2011-05-10 12:10 . 2011-04-02 04:41 40112 ----a-w- c:\windows\avastSS.scr
2011-05-10 12:10 . 2011-04-02 04:41 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-05-10 12:03 . 2011-04-02 04:41 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-05-10 12:03 . 2011-04-02 04:41 307928 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-05-10 12:02 . 2011-04-02 04:41 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-05-10 12:02 . 2011-04-02 04:41 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-05-10 12:02 . 2011-04-02 04:41 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-05-10 11:59 . 2011-04-02 04:41 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-05-10 11:59 . 2011-04-02 04:41 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-05-10 11:59 . 2011-04-02 04:41 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-04-14 09:40 . 2011-04-02 01:53 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-04-02 01:08 . 2011-04-02 00:56 29480 ----a-w- c:\windows\system32\msxml3a.dll
2011-04-02 01:08 . 2011-04-02 00:50 505128 ----a-w- c:\windows\system32\msvcp71.dll
2011-04-02 01:08 . 2011-04-02 00:50 353576 ----a-w- c:\windows\system32\msvcr71.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-05-10 12:10 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-05-10 3459712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]
.
c:\documents and settings\Emily\Start Menu\Programs\Startup\
Webshots.lnk - c:\program files\Webshots\3.1.5.7619\Launcher.exe [2011-4-3 157088]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Emily^Start Menu^Programs^Startup^Webshots.lnk]
path=c:\documents and settings\Emily\Start Menu\Programs\Startup\Webshots.lnk
backup=c:\windows\pss\Webshots.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-10-15 04:17 49152 ----a-w- c:\program files\HP\HP Software Update\HPWuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2007-08-22 23:31 80896 ----a-w- c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2007-04-09 12:23 200704 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2010-02-11 06:32 61440 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
.
R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2011/04/01 17:58]; [x]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S2 AGCoreService;AG Core Services;c:\program files\AGI\core\4.2.0.10754\AGCoreService.exe [2010-06-29 20480]
S2 aswFsBlk;aswFsBlk; [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - JAVAQUICKSTARTERSERVICE
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Free YouTube to MP3 Converter - c:\documents and settings\Emily\Application Data\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
FF - ProfilePath - c:\documents and settings\Emily\Application Data\Mozilla\Firefox\Profiles\xy85n44r.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/ig?hl=en#t_0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\AVAST Software\Avast\WebRep\FF
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-22 01:14
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(608)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2011-05-22 01:26:02
ComboFix-quarantined-files.txt 2011-05-22 08:25
ComboFix2.txt 2011-05-15 02:20
ComboFix3.txt 2011-05-14 23:51
.
Pre-Run: 53,253,582,848 bytes free
Post-Run: 53,258,833,920 bytes free
.
- - End Of File - - E032C73D31D02EC9F31ADFBEACCBF2AD

I checked my Add/Remove Programs; it says Adobe Reader X (10.0.1) is installed, and on the website it looks like that's the latest one. I tried downloading the update but got a message saying: "The upgrade patch cannot be installed by the Windows Installer service because the program to be upgraded may be missing, or the upgrade patch may update a different version of the program. Verify that the program to be upgraded exists on your computer and that you have the correct upgrade patch." Should I uninstall and do a reinstall? The update I downloaded was called "AdbeRdrUpd1001_tier2." My Java is now up to date as well. I did as you said and ran Flash Disinfector as well; I have an external hard drive.
 
Okay, something has changed because Combofix ran in - REDUCED FUNCTIONALITY MODE
In Windows XP, this can be caused by the need to activate Office- or possibly to reactivate it. I see the following installs:
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007


Has the activation been done? I note it's the Enterprise version. If this is being used in a work setting, it may need to be activated by the IT in the office?
========================================
Here's an explanation of the Adobe Reader you got:
C:\AdbeRdrUpd1001_Tier2.msp

The "Tier_<some number>" identifies the installer language in the filename as follows:
* Tier 1: English, French, German, and Japanese (Reader only: MUI Reader)
* Tier 2: Italian, Spanish, Dutch, Brazilian, Portuguese, Swedish, Danish, Finnish, and Norwegian
This was a patch for a language that was not on the system. Therefore you got this message:
"The upgrade patch cannot be installed by the Windows Installer service because the program to be upgraded may be missing, or the upgrade patch may update a different version of the program."
You can delete this directory and uninstall the patch.

If you show Adobe Reader X installed, you don't need to do anything else. This was what I saw, so I told you to update:
Adobe\Acrobat 8.0
Open IE> Tools> Manage Add-ons> the dialog box has 2 locations: addons currently on system and addons previously on system. Look in both location and remove any for Adobe Reader v8.

How is the system doing now? Improved? Problems?
 
Microsoft Office seems to be working fine for me, I've never noticed anything popping up saying I need to activate. However I didn't actually install Microsoft Office myself, just before I ended up with a virus I had Windows reinstalled by a friend of mine and he also put Office on there, this computer is just for at home use. Is there any way I can tell if it's been activated or should I contact him? It looks like I downloaded the wrong tier, I got rid of the other one and installed Tier 1 successfully. Now, when I look in IE there is:
Adobe PDF: 5/10/2007 8.1.0.0
Adobe PDF Link Helper: 1/30/2011 10.0.1.434
Adobe PDF Conversion Toolbar helper: 5/10/2007 8.1.0.0
Adobe PDF 5/10/2007 8.1.0.0

All of them say "Enabled" so should I disable all of the v8? I don't see an option to remove.
Everything seems to be running pretty normal, haven't been getting anymore virus warnings or anything, however it is running a little slow but nothing too extreme. Would you like me to run ComboFix again or is everything looking okay?
 
I think I know what happened with the system. When 'friend' reinstalled Windows, it put a Vundo malware infection on the system, plus possible other malware. MS Office costs about $150.00. It's not a program that can be legally 'shared'. The version showing in the installed programs list is for Microsoft Office Enterprise 2007. This is for a business environment. The MUI entries for Office are for different language packs.

As long as your system is running in the Reduced Function Mode, you won't have full use of the system. If you did not purchase MS Office and have it on your system originally, you will need to uninstall it or buy it. You can't legally activate it because you don't have the license key. You may want to have a conversation with him about this.

Most likely, he used a flash drive somewhere in the process. It had malware on it and it got passed on to your system.
============================================
You have run Combofix 3 times:
1. First time: was 5/13> Got Vundo malware & Warning of No Recovery Console.
After that I disabled my internet and virus program and proceeded with combofix
If you ever have to run Combofix On another machine, keep this in mind:
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. (You are told to do this before running the scan)
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine. (But in a note at the end, you are informed the Combofix will do the disconnect- it does not tell you to do it and it won't happen until it has gone through the check for the recovery console)

2. Second time was on 5/14, using the script> No warnings
3. Third time was on 5/22, running script again> Reduced Functionality Mode.

So it appears that there was some change to the MS Office between 5/14 and 5/22.
 
Interesting, although I don't think he'd go out of his way to infect my system. He has been a computer technician for the past 25 years, as well as a family friend; however, I will definitely talk to him when he gets back. I think the reason for the virus is because my avast was disabled for a couple of days, I had the trial version but forgot to register to keep it on my system and others were using this computer while it wasn't enabled. He never mentioned using a flash drive however we do have an external hard drive. I've used MS office in the past week but I haven't made any changes. Everything seems to be running okay now, thank you so much for all of your help and support, much appreciated!

Emily
 
It was not my intent to suggest that your friend deliberately infected your system. But the removal of G:\Autorun.inf in Combofix points to Drive G. I checked the drives in the DDS log and found this: G: is FIXED (NTFS) - 932 GiB total, 896.21 GiB free.

So unless he also has a Drive G, this would indicate that you may need to disinfect that drive also.

I see a Registry entry from 2008 that can be for Office- or a Worm. There is no CID to identify it, so let's take a look:

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :reg
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    :file
    c:\windows\system32\ctfmon.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Something changed the system to make it run in Reduced Functionality Mode. I will leave it up to you to resolve the Office issue. The tech might have a volume license to install Office- I don't know that, but it requires a license.
 
Oh okay, my bad, I thought we were finished! Yeah, I don't think he has a drive G; it's probably just mine, I will ask him though. Is there anything else I need to download to disinfect that drive? I ran System Look:
SystemLook 04.09.10 by jpshortstuff
Log created at 17:18 on 27/05/2011 by Emily
Administrator - Elevation successful

========== reg ==========

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\WINDOWS\system32\ctfmon.exe"
"inimapping"="0"


========== file ==========

c:\windows\system32\ctfmon.exe - File found and opened.
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3
Created at 22:56 on 03/08/2004
Modified at 00:12 on 14/04/2008
Size: 15360 bytes
Attributes: --a----
FileDescription: CTF Loader
FileVersion: 5.1.2600.5512 (xpsp.080413-2105)
ProductVersion: 5.1.2600.5512
OriginalFilename: CTFMON.EXE
InternalName: CTFMON
ProductName: Microsoft® Windows® Operating System
CompanyName: Microsoft Corporation
LegalCopyright: © Microsoft Corporation. All rights reserved.

-= EOF =-
 
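As an added example (not from the thread, and not SystemLook's own code), the Python below parses the :reg and :file sections of a SystemLook log like the one posted above and cross-checks the msconfig startupreg entry against the file it launches: the "command" path should be one SystemLook actually found, sit under system32, and carry Microsoft's CompanyName with an OriginalFilename matching the binary. The sample log is copied from the post above; the set of fields handled is assumed from that log.

```python
import re

# Sample log constructed from the SystemLook output posted in the thread.
# HKLM\...\MSConfig\startupreg holds startup items disabled via msconfig.
CTFMON_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe"
SAMPLE_LOG = r"""========== reg ==========

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\WINDOWS\system32\ctfmon.exe"
"inimapping"="0"

========== file ==========

c:\windows\system32\ctfmon.exe - File found and opened.
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3
Size: 15360 bytes
OriginalFilename: CTFMON.EXE
CompanyName: Microsoft Corporation

-= EOF =-
"""

def parse_systemlook(text):
    """reg -> {key_path: {value_name: data}}, file -> {path.lower(): {field: value}}."""
    result, section, current = {"reg": {}, "file": {}}, None, None
    for line in (l.strip() for l in text.splitlines()):
        header = re.match(r"^=+ (\w+) =+$", line)
        if header:
            section, current = header.group(1), None
        elif not line or line.startswith("-="):
            continue
        elif section == "reg" and line.startswith("[") and line.endswith("]"):
            current = result["reg"].setdefault(line[1:-1], {})
        elif section == "reg" and current is not None:
            m = re.match(r'^"([^"]+)"="(.*)"$', line)
            if m:
                current[m.group(1)] = m.group(2)
        elif section == "file" and " - File " in line:
            path, _, status = line.partition(" - ")
            current = result["file"].setdefault(path.lower(), {"status": status})
        elif section == "file" and current is not None and ": " in line:
            key, _, value = line.partition(": ")
            current[key] = value
    return result

def check_startup_entry(parsed, key_path):
    """Consistency checks a reviewer would apply to one startupreg entry."""
    command = parsed["reg"].get(key_path, {}).get("command", "")
    info = parsed["file"].get(command.lower()) or {}
    return {
        "command": command,
        "file_found": info.get("status", "").startswith("File found"),
        "in_system32": command.lower().startswith("c:\\windows\\system32\\"),
        "microsoft_metadata": info.get("CompanyName") == "Microsoft Corporation",
        "name_matches": info.get("OriginalFilename", "").lower() == command.rsplit("\\", 1)[-1].lower(),
    }
```

A false result on any check (a command pointing outside system32, or metadata not matching the launched name) is the cue to submit the file for analysis rather than trust the startup entry.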