
Help desperately needed



I run an AMD processor and XP Pro SP3.. all my Google searches are redirected to spam sites after I contracted an XP Defender and XP Antimalware virus.. I have cleaned them I think.. but ComboFix detects rootkit hooks that I just don't know how to remove.. I have attached the relevant ComboFix log. Thank you in advance.. Dave

ComboFix.txt


  • Staff

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  1. Please do not run any other tool until instructed to do so!
  2. Please reply to this thread, do not start another!
  3. Please tell me about any problems that have occurred during the fix.
  4. Please tell me of any other symptoms you may be having as these can help also.
  5. Please try as much as possible not to run anything while executing a fix.

If you follow these instructions, everything should go smoothly.

The author of Combofix states very firmly in the Disclaimer that this tool is meant for private use and should never be used in an unsupervised environment. From the author:

Why we don't ask you to run ComboFix from the onset

As stated by the author of ComboFix:

ComboFix is a very powerful tool which when improperly used may render your machine to a doorstop.

We first need to verify if there's any rootkits present and how they could affect our tools. DDS & GMER are preliminary scans. We use their logs to map our strategy for attack.

With these logs we can determine the infections present & decide whether to deploy ComboFix.

I would like to get a better look at your system. Please do the following so I can get some more detailed logs.

DeFogger:

  • Please download DeFogger to your desktop.
  • Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK

Do not re-enable these drivers until otherwise instructed.

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:
    • Link1
    • Link2
    • Link3
  • Please disable any anti-malware program that will block scripts from running before running DDS.
  • Double-Click on dds.scr and a command window will appear. This is normal.
  • Shortly after two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you to save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply

Gmer

Download GMER Rootkit Scanner from here.

  • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish
  • Once done click on the [save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in reply

**Caution**

Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

Note: Do not run any programs while Gmer is running.

Information and logs:

  • In your next post I need the following:
    1. logs from DDS
    2. log from GMER
    3. let me know of any problems you may have had

Gringo
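
The post above explains that the DDS and GMER logs are read first to decide whether ComboFix is needed at all. As an added illustration of what a helper actually looks for in a DDS.txt (this is example code, not part of this thread, of DDS or of any tool the forum uses), the Python below parses the AV status line and the Pseudo HJT Report entries in the format DDS produces (BHO, TB and uRun/mRun/dRun lines) and prints triage notes: an AV whose on-access scanner is disabled, BHO/toolbar CLSIDs whose DLL is "No File", and autostart commands outside Program Files or system32. The sample lines are copied from the DDS.txt posted later in this thread; the "unusual location" rule is a constructed heuristic for a human to verify, not a verdict, in the same spirit as the post's warning that scanners produce false positives.

```python
import re

# Constructed sample: a handful of lines copied from the DDS.txt posted in this
# thread (AV status line plus a few Pseudo HJT Report entries), enough to
# exercise each line format the parser understands.
SAMPLE_DDS = r"""
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
============== Pseudo HJT Report ===============
uStart Page = hxxp://bbc.co.uk/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: {f53be55f-08a0-472f-9391-90e6b40b5893} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [PowerS] c:\windows\PowerS.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
"""

# Line shapes as DDS prints them (assumed from the log in this thread):
#   AV: <product> *<status>* (...) {guid}
#   BHO: <name>: {clsid} - <dll>      or   BHO: {clsid} - No File
#   TB:  <name>: {clsid} - <dll>      or   TB:  {clsid} - No File
#   uRun/mRun/dRun: [<value name>] <command line>
AV_RE = re.compile(r"^AV:\s*(?P<product>.+?)\s*\*(?P<status>[^*]+)\*")
ENTRY_RE = re.compile(r"^(?P<kind>BHO|TB|uRun|mRun|dRun):\s*(?P<rest>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_RE = re.compile(r"^\[(?P<name>[^\]]*)\]\s*(?P<cmd>.+)$")
# Heuristic (constructed): autostart commands under these roots are "expected".
LOCATION_OK_RE = re.compile(r'^"?c:\\(program files|windows\\system32)\\', re.I)

# DDS prefixes Run entries with the hive they were read from.
HIVE = {"u": "HKCU", "m": "HKLM", "d": "HKU\\.DEFAULT"}


def parse_dds(text):
    """Extract the AV status and Pseudo HJT entries from a DDS.txt body."""
    report = {"av": None, "bho": [], "tb": [], "run": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = AV_RE.match(line)
        if m:
            report["av"] = {"product": m.group("product"), "status": m.group("status")}
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue  # headers, start page, DPF lines etc. are not handled here
        kind, rest = m.group("kind"), m.group("rest")
        if kind in ("BHO", "TB"):
            clsid = CLSID_RE.search(rest)
            name = rest[: clsid.start()].rstrip(": ") if clsid else ""
            path = rest.split(" - ", 1)[1].strip() if " - " in rest else ""
            report[kind.lower()].append({
                "name": name or None,
                "clsid": clsid.group(0).lower() if clsid else None,
                "path": path,
                "missing": path == "No File",  # CLSID registered, DLL gone
            })
        else:
            r = RUN_RE.match(rest)
            if r:
                report["run"].append({
                    "hive": HIVE[kind[0]],
                    "name": r.group("name"),
                    "command": r.group("cmd"),
                })
    return report


def triage(report):
    """Return human-readable notes for a helper to verify; heuristics, not verdicts."""
    notes = []
    av = report["av"]
    if av and "disabled" in av["status"].lower():
        notes.append(f"AV '{av['product']}' reports: {av['status']}")
    for kind in ("bho", "tb"):
        for e in report[kind]:
            if e["missing"]:
                notes.append(f"{kind.upper()} {e['clsid']} is registered but its DLL is missing (orphaned entry)")
    for r in report["run"]:
        if not LOCATION_OK_RE.match(r["command"]):
            notes.append(f"{r['hive']} Run '{r['name']}' starts from an unusual location: {r['command']}")
    return notes


if __name__ == "__main__":
    for note in triage(parse_dds(SAMPLE_DDS)):
        print("-", note)
```

On the sample above this lists the disabled AVG on-access scanner, the three "No File" CLSIDs and the PowerS.exe autostart in c:\windows. None of these is proof of infection: orphaned CLSIDs are usually leftovers of uninstalled software, and PowerS.exe here belongs to the ASUS Probe utility listed in the same log, which is exactly why the helper reads the whole log before deciding on a tool.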

Thank you for the help Gringo.

The only other problems I have had are that my Sophos Anti-Virus wouldn't scan and switched itself off, and I keep getting firewall turned off warnings on start up.

Here are the logs you asked for.

attach.txt

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 02/10/2006 21:28:54

System Uptime: 05/02/2010 16:52:13 (2065 hours ago)

Motherboard: ASUSTeK Computer INC. | | K8U-X

Processor: AMD Sempron Processor 3400+ | CPU 1 | 1999/200mhz

==== Disk Partitions =========================

A: is Removable

C: is FIXED (NTFS) - 49 GiB total, 30.37 GiB free.

D: is FIXED (NTFS) - 184 GiB total, 137.161 GiB free.

E: is CDROM ()

F: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 28/04/2010 20:25:32 - System Checkpoint

RP2: 29/04/2010 18:20:49 - Removed Sophos AutoUpdate

RP3: 29/04/2010 18:21:30 - Removed Sophos Anti-Virus

RP4: 29/04/2010 19:05:33 - Installed AVG Free 9.0

RP5: 01/05/2010 23:06:08 - System Checkpoint

==== Installed Programs ======================

Ad-Aware

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

Adobe Reader 9.3

AI - Series

Apple Software Update

ASUS Probe V2.24.03

AsusUpdate

Athlon 64 Processor Driver

ATI - Software Uninstall Utility

ATI Catalyst Control Center

ATI Display Driver

AVG Free 9.0

BBC iPlayer Download Manager

Belkin Bluetooth Software

Catalyst Control Center - Branding

Catalyst Control Center Core Implementation

Catalyst Control Center Graphics Full Existing

Catalyst Control Center Graphics Full New

Catalyst Control Center Graphics Light

Catalyst Control Center Graphics Previews Common

ccc-core-preinstall

ccc-core-static

ccc-utility

CCC Help English

Cool & Quiet

Critical Update for Windows Media Player 11 (KB959772)

Dawn Of War

Dawn Of War - Winter Assault

DVD Region-Free 3.30

DVD X Player Professional V3.0

GameShadow

GOM Player

Google Earth

Google Update Helper

Half-Life 2: Lost Coast

HijackThis 2.0.2

Hotfix for Microsoft .NET Framework 3.0 (KB932471)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows Internet Explorer 7 (KB947864)

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Format SDK (KB902344)

Hotfix for Windows Media Player 11 (KB939683)

Hotfix for Windows XP (KB915800-v4)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB970653-v3)

Hotfix for Windows XP (KB976098-v2)

Hotfix for Windows XP (KB979306)

IL2 Sturmovik: Forgotten Battles

Jasc Paint Shop Pro 9

Java Auto Updater

Java 6 Update 20

Logitech Audio Echo Cancellation Component

Logitech Legacy USB Camera Driver Package

Logitech QuickCam

Logitech QuickCam Driver Package

Logitech Video Enumerator

LucasArts' X-Wing Alliance

Magic ISO Maker v4.5 (build 0109)

Malwarebytes' Anti-Malware

Managed DirectX (0901)

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB953297)

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft Application Error Reporting

Microsoft Base Smart Card Cryptographic Service Provider Package

Microsoft Choice Guard

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft National Language Support Downlevel APIs

Microsoft Office Professional Edition 2003

Microsoft Silverlight

Microsoft User-Mode Driver Framework Feature Pack 1.5

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Mozilla Firefox (3.6.3)

MSVCRT

MSXML 4.0 SP2 (KB927978)

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MSXML 6.0 Parser (KB933579)

MVision

NAVIGON Fresh 1.6.2

Nero 8

Nero PhotoShow Express 4

neroxml

OGA Notifier 2.0.0048.0

Orbit Downloader

Panda ActiveScan 2.0

PC Connectivity Solution

PlayTV Pro

PowerDVD

QuickTime

RealPlayer

RealUpgrade 1.0

Security Update for CAPICOM (KB931906)

Security Update for Windows Internet Explorer 7 (KB928090)

Security Update for Windows Internet Explorer 7 (KB929969)

Security Update for Windows Internet Explorer 7 (KB931768)

Security Update for Windows Internet Explorer 7 (KB933566)

Security Update for Windows Internet Explorer 7 (KB937143)

Security Update for Windows Internet Explorer 7 (KB938127)

Security Update for Windows Internet Explorer 7 (KB939653)

Security Update for Windows Internet Explorer 7 (KB942615)

Security Update for Windows Internet Explorer 7 (KB944533)

Security Update for Windows Internet Explorer 7 (KB950759)

Security Update for Windows Internet Explorer 7 (KB953838)

Security Update for Windows Internet Explorer 7 (KB956390)

Security Update for Windows Internet Explorer 7 (KB958215)

Security Update for Windows Internet Explorer 7 (KB960714)

Security Update for Windows Internet Explorer 7 (KB961260)

Security Update for Windows Internet Explorer 7 (KB963027)

Security Update for Windows Internet Explorer 7 (KB969897)

Security Update for Windows Internet Explorer 8 (KB969897)

Security Update for Windows Internet Explorer 8 (KB971961)

Security Update for Windows Internet Explorer 8 (KB972260)

Security Update for Windows Internet Explorer 8 (KB974455)

Security Update for Windows Internet Explorer 8 (KB976325)

Security Update for Windows Internet Explorer 8 (KB978207)

Security Update for Windows Internet Explorer 8 (KB981332)

Security Update for Windows Media Player (KB911564)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB968816)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player 10 (KB917734)

Security Update for Windows Media Player 11 (KB936782)

Security Update for Windows Media Player 11 (KB954154)

Security Update for Windows Media Player 6.4 (KB925398)

Security Update for Windows Search 4 - KB963093

Security Update for Windows XP (KB913433)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951376)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB953839)

Security Update for Windows XP (KB954211)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956391)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB957095)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958690)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960715)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961371)

Security Update for Windows XP (KB961373)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB968537)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB969898)

Security Update for Windows XP (KB969947)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971468)

Security Update for Windows XP (KB971486)

Security Update for Windows XP (KB971557)

Security Update for Windows XP (KB971633)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973346)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973525)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975561)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB977165)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978251)

Security Update for Windows XP (KB978262)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979683)

Security Update for Windows XP (KB980232)

Segoe UI

Skins

SoundMAX

Spybot - Search & Destroy

Steam

ULi PCI 10-100 Fast Ethernet Controller Driver

ULi PCI to AGP Controller Driver

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Windows Internet Explorer 8 (KB971930)

Update for Windows Internet Explorer 8 (KB976662)

Update for Windows Internet Explorer 8 (KB976749)

Update for Windows Internet Explorer 8 (KB980182)

Update for Windows XP (KB943729)

Update for Windows XP (KB951072-v2)

Update for Windows XP (KB951978)

Update for Windows XP (KB955839)

Update for Windows XP (KB961503)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

WebFldrs XP

Windows Driver Package - Nokia (WUDFRd) WPD (11/03/2006 6.82.26.2)

Windows Genuine Advantage Notifications (KB905474)

Windows Genuine Advantage Validation Tool (KB892130)

Windows Internet Explorer 7

Windows Internet Explorer 8

Windows Live Call

Windows Live Communications Platform

Windows Live Essentials

Windows Live ID Sign-in Assistant

Windows Live Messenger

Windows Live Upload Tool

Windows Media Format 11 runtime

Windows Media Format SDK Hotfix - KB891122

Windows Media Player 11

Windows PowerShell 1.0

Windows Presentation Foundation

Windows Rights Management Client Backwards Compatibility SP2

Windows Rights Management Client with Service Pack 2

Windows XP Service Pack 3

WinRAR archiver

XML Paper Specification Shared Components Pack 1.0

==== Event Viewer Messages From Past Week ========

25/04/2010 20:57:41, error: Dhcp [1002] - The IP address lease 192.168.0.2 for the Network Card with network address 0015F2701ED3 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).

25/04/2010 18:41:34, error: Service Control Manager [7022] - The KService service hung on starting.

25/04/2010 18:40:08, error: Service Control Manager [7000] - The Google Update Service (gupdate) service failed to start due to the following error: The system cannot find the path specified.

25/04/2010 15:45:13, error: Service Control Manager [7034] - The KService service terminated unexpectedly. It has done this 1 time(s).

==== End Of File ===========================

dds.txt

DDS (Ver_10-03-17.01) - NTFSx86

Run by Dave at 17:06:06.70 on 02/05/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1380 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

svchost.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

C:\WINDOWS\Explorer.EXE

svchost.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe

C:\WINDOWS\PowerS.exe

C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

C:\Program Files\Logitech\QuickCam\Quickcam.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Kontiki\KService.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\WINDOWS\system32\IoctlSvc.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\Program Files\Windows Live\Contacts\wlcomm.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe

C:\Program Files\AVG\AVG9\avgtray.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\Documents and Settings\Dave.KOROBA\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://bbc.co.uk/

uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: {f53be55f-08a0-472f-9391-90e6b40b5893} - No File

TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll

TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File

uRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [Nero PhotoShow Media Manager] c:\progra~1\nero\neroph~1\data\xtras\mssysmgr.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [PowerS] c:\windows\PowerS.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"

mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide

mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20070711/qtinstall.info.apple.com/qtactivex/qtplugin.cab

DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab

DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab

DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by115fd.bay115.hotmail.msn.com/resources/MsnPUpld.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159822449078

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1178378334843

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game07.zylom.com/activex/zylomgamesplayer.cab

DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx

DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A}

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll

Notify: AtiExtEvent - Ati2evxx.dll

Notify: avgrsstarter - avgrsstx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: DVDIdleShell Class: {93994de8-8239-4655-b1d1-5f4e91300429} - c:\program files\dvd region-free\DVDShell.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dave~1.kor\applic~1\mozilla\firefox\profiles\tgxtrig7.default\

FF - prefs.js: browser.search.selectedEngine - Yahoo! Search

FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/

FF - prefs.js: keyword.URL - hxxp://uk.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_uk&p=

FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll

FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll

FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll

FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll

FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll

FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll

FF - component: c:\program files\orbitdownloader\addons\oneclickyoutubedownloader\components\GrabXpcom.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 m5289;m5289;c:\windows\system32\drivers\m5289.sys [1980-1-1 51840]

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-1-8 28552]

R0 uliagpkx;ULi AGP Bus Filter Driver;c:\windows\system32\drivers\AGPKX.SYS [2006-10-2 44928]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-4-29 216200]

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-4-29 29512]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-4-29 242896]

R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-4-29 308064]

R2 BT848;BtCap, WDM Video Capture;c:\windows\system32\drivers\BT848.SYS [2006-10-19 99206]

R2 BTTUNER;BtTuner, WDM TV Tuner;c:\windows\system32\drivers\Bttuner.sys [2006-10-19 13898]

R2 BTXBAR;BtXBar, WDM Crossbar;c:\windows\system32\drivers\Btxbar.sys [2006-10-19 6872]

R3 ULI5261;ULi Based Ethernet NT Driver;c:\windows\system32\drivers\ULILAN.SYS [2006-10-2 28160]

S2 gupdate;Google Update Service (gupdate);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]

S3 ATICDSDr;ATICDSDr;c:\ati\support\9_3_xp32_dd_ccc_wdm_enu\driver\bin\atiicdxx.sys [2009-2-25 6144]

S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-4-29 369920]

S3 dTVdrvNT;dTVdrvNT;c:\program files\prolink\playtv pro\DTVdrvNT.sys [2006-10-19 12188]

S4 aawservice;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" --> c:\program files\lavasoft\ad-aware\aawservice.exe [?]

=============== Created Last 30 ================

2010-05-02 16:02:47 0 ----a-w- c:\documents and settings\dave.koroba\defogger_reenable

2010-04-29 20:10:34 0 d-----w- C:\ComboFix

2010-04-29 19:59:47 0 d-----w- c:\docume~1\dave~1.kor\applic~1\AVG9

2010-04-29 19:16:26 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys

2010-04-29 18:51:15 0 d-----w- C:\$AVG

2010-04-29 18:08:44 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-04-29 18:08:42 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-04-29 18:08:36 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-04-29 18:08:30 0 d-----w- c:\windows\system32\drivers\Avg

2010-04-29 18:08:29 0 d-----w- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar

2010-04-29 18:05:34 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9

2010-04-29 17:35:20 98816 ----a-w- c:\windows\sed.exe

2010-04-27 16:57:20 0 d-----w- c:\program files\Spyware Doctor

2010-04-25 14:45:05 3246 ----a-w- c:\windows\system32\wbem\Outlook_01cae485e4f32eea.mof

2010-04-25 14:41:58 0 d-----w- c:\program files\Microsoft ActiveSync

2010-04-25 14:39:08 0 d-----w- c:\windows\SHELLNEW

2010-04-23 17:22:41 73728 ----a-w- c:\windows\system32\javacpl.cpl

2010-04-20 17:02:40 0 d-----w- c:\docume~1\dave~1.kor\applic~1\Malwarebytes

2010-04-20 17:02:32 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-20 17:02:30 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-20 17:02:30 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-04-20 17:02:30 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-04-20 16:29:34 77312 ----a-w- c:\windows\MBR.exe

2010-04-20 16:29:34 256512 ----a-w- c:\windows\PEV.exe

2010-04-20 16:29:34 161792 ----a-w- c:\windows\SWREG.exe

2010-04-19 19:22:12 0 d-----w- c:\windows\61D3AAE1D5214CD7939B37813DE8F955.TMP

2010-04-19 19:07:47 0 d-----w- c:\program files\Trend Micro

2010-04-18 21:27:35 0 d-sh--w- c:\documents and settings\dave.koroba\IECompatCache

2010-04-18 21:18:07 0 d-----w- c:\docume~1\dave~1.kor\applic~1\GrabPro

2010-04-18 19:56:15 0 d-----w- c:\documents and settings\dave.koroba\Tracing

2010-04-18 19:44:38 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-04-18 19:42:40 0 d-----w- c:\docume~1\dave~1.kor\applic~1\Office Genuine Advantage

2010-04-18 17:45:34 0 d-----w- C:\escwsa

2010-04-18 16:52:16 0 d-sh--w- c:\documents and settings\dave.koroba\PrivacIE

==================== Find3M ====================

2010-05-02 15:52:44 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs

2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll

2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll

2010-02-17 08:10:28 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-02-16 13:25:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-02-12 10:03:03 293376 ------w- c:\windows\system32\browserchoice.exe

2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll

2007-05-27 08:50:00 1547 ----a-w- c:\program files\plugin.inf

2007-05-27 08:49:40 181968 ----a-w- c:\program files\addrmap.dat

2008-07-19 19:09:34 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008071920080720\index.dat

============= FINISH: 17:06:40.23 ===============

Gmer.txt

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-05-02 21:34:28

Windows 5.1.2600 Service Pack 3

Running: fzxo3inr.exe; Driver: C:\DOCUME~1\DAVE~1.KOR\LOCALS~1\Temp\kwtdqpod.sys

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB9124000, 0x19DA46, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[192] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 03A12862

.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[192] WS2_32.dll!send 71AB4C27 5 Bytes JMP 03A126EE

.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[192] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 03A127E0

.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[192] WS2_32.dll!recv 71AB676F 5 Bytes JMP 03A12726

.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[192] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 03A1275E

.text C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe[540] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00E62862

.text C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe[540] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00E626EE

.text C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe[540] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00E627E0

.text C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe[540] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00E62726

.text C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe[540] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00E6275E

.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[608] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01472862

.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[608] WS2_32.dll!send 71AB4C27 5 Bytes JMP 014726EE

.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[608] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 014727E0

.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[608] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01472726

.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[608] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0147275E

.text C:\WINDOWS\Explorer.EXE[644] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 51981C6B C:\Program Files\DVD Region-Free\DVDShell.dll (DVD Region-Free Shell Module/Fengtao Software)

.text C:\WINDOWS\Explorer.EXE[644] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01702862

.text C:\WINDOWS\Explorer.EXE[644] WS2_32.dll!send 71AB4C27 5 Bytes JMP 017026EE

.text C:\WINDOWS\Explorer.EXE[644] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 017027E0

.text C:\WINDOWS\Explorer.EXE[644] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01702726

.text C:\WINDOWS\Explorer.EXE[644] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0170275E

.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1020] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 03A12862

.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1020] WS2_32.dll!send 71AB4C27 5 Bytes JMP 03A126EE

.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1020] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 03A127E0

.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1020] WS2_32.dll!recv 71AB676F 5 Bytes JMP 03A12726

.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1020] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 03A1275E

.text C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe[1296] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 013A2862

.text C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe[1296] WS2_32.dll!send 71AB4C27 5 Bytes JMP 013A26EE

.text C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe[1296] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 013A27E0

.text C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe[1296] WS2_32.dll!recv 71AB676F 5 Bytes JMP 013A2726

.text C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe[1296] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 013A275E

.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1504] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00E42862

.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1504] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00E426EE

.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1504] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00E427E0

.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1504] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00E42726

.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1504] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00E4275E

.text C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[2224] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00E12862

.text C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[2224] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00E126EE

.text C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[2224] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00E127E0

.text C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[2224] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00E12726

.text C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[2224] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00E1275E

.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2352] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00822862

.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2352] WS2_32.dll!send 71AB4C27 5 Bytes JMP 008226EE

.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2352] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 008227E0

.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2352] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00822726

.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2352] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0082275E

.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[2440] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 03AD2862

.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[2440] WS2_32.dll!send 71AB4C27 5 Bytes JMP 03AD26EE

.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[2440] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 03AD27E0

.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[2440] WS2_32.dll!recv 71AB676F 5 Bytes JMP 03AD2726

.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[2440] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 03AD275E

.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2692] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00932862

.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2692] WS2_32.dll!send 71AB4C27 5 Bytes JMP 009326EE

.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2692] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 009327E0

.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2692] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00932726

.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2692] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0093275E

.text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[2708] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01222862

.text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[2708] WS2_32.dll!send 71AB4C27 5 Bytes JMP 012226EE

.text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[2708] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 012227E0

.text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[2708] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01222726

.text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[2708] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0122275E

.text C:\Program Files\AVG\AVG9\avgnsx.exe[2784] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01752862

.text C:\Program Files\AVG\AVG9\avgnsx.exe[2784] WS2_32.dll!send 71AB4C27 5 Bytes JMP 017526EE

.text C:\Program Files\AVG\AVG9\avgnsx.exe[2784] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 017527E0

.text C:\Program Files\AVG\AVG9\avgnsx.exe[2784] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01752726

.text C:\Program Files\AVG\AVG9\avgnsx.exe[2784] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0175275E

.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3652] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 017D2862

.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3652] WS2_32.dll!send 71AB4C27 5 Bytes JMP 017D26EE

.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3652] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 017D27E0

.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3652] WS2_32.dll!recv 71AB676F 5 Bytes JMP 017D2726

.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3652] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 017D275E

.text C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3848] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00DB2862

.text C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3848] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00DB26EE

.text C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3848] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00DB27E0

.text C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3848] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00DB2726

.text C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3848] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00DB275E

.text C:\WINDOWS\System32\alg.exe[4136] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00C22862

.text C:\WINDOWS\System32\alg.exe[4136] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00C226EE

.text C:\WINDOWS\System32\alg.exe[4136] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00C227E0

.text C:\WINDOWS\System32\alg.exe[4136] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00C22726

.text C:\WINDOWS\System32\alg.exe[4136] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00C2275E

.text C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[5444] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00F02862

.text C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[5444] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00F026EE

.text C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[5444] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00F027E0

.text C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[5444] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00F02726

.text C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[5444] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00F0275E

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\atapi \Device\Ide\IdePort0 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

Device \Driver\atapi \Device\Ide\IdePort1 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-e sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-6 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\m5289 \Device\Scsi\m52891Port2Path0Target0Lun0 8A4F3438

Device \Driver\m5289 \Device\Scsi\m52891 8A4F3438

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


  • Staff

Hello

please do the following

HelpAsst_mebroot_fix

  • Please download HelpAsst_mebroot_fix.exe and save it to your desktop.
  • Close out all other open programs and windows.
  • Double click the file to run it and follow any prompts.
  • If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
  • Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.
    • helpasst -mbrt
    • Make sure you leave a space between helpasst and -mbrt!
    • When it completes, a log will open.
    • Please post the contents of that log.

*Note* In the event the tool does not detect an mbr infection and completes, click Start>Run and type the following bolded command, then hit Enter.

  • mbr -f
  • Now, please do the Start>Run>mbr -f command a second time.
  • Now shut down the computer (do not restart, but shut it down), wait a few minutes then start it back up.
  • Give it about 5 minutes, then click Start>Run and type the following bolded command, then hit Enter.
    • helpasst -mbrt
    • Make sure you leave a space between helpasst and -mbrt!
    • When it completes, a log will open.
    • Please post the contents of that log.

**Important note to Dell users - fixing the mbr may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).

gringo


Hello..

Ran tools as instructed, log contents below.

C:\Documents and Settings\Dave.KOROBA\Desktop\HelpAsst_mebroot_fix.exe

03/05/2010 at 18:15:49.09

HelpAssistant account is Active ~ attempting to de-activate

Account active Yes

Local Group Memberships *Administrators

HelpAssistant successfully set Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll present! ~ attempting to remove

Remove on reboot: C:\WINDOWS\system32\termsrv32.dll

~~ Checking firewall ports ~~

backing up DomainProfile\GloballyOpenPorts\List registry key

closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list

"65533:TCP"=-

"52344:TCP"=-

"2479:TCP"=-

"9892:TCP"=-

"3389:TCP"=-

"3246:TCP"=-

"7195:TCP"=-

"7194:TCP"=-

"3349:TCP"=-

"5198:TCP"=-

"8084:TCP"=-

"8085:TCP"=-

"4577:TCP"=-

"7654:TCP"=-

"2420:TCP"=-

"1960:TCP"=-

"4772:TCP"=-

"8044:TCP"=-

"8337:TCP"=-

"8336:TCP"=-

"4944:TCP"=-

"8388:TCP"=-

"4194:TCP"=-

"6888:TCP"=-

backing up StandardProfile\GloballyOpenPorts\List registry key

closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list

"65533:TCP"=-

"52344:TCP"=-

"2479:TCP"=-

"9892:TCP"=-

"3389:TCP"=-

"3246:TCP"=-

"7195:TCP"=-

"7194:TCP"=-

"5198:TCP"=-

"3349:TCP"=-

"8084:TCP"=-

"8085:TCP"=-

"4577:TCP"=-

"7654:TCP"=-

"1960:TCP"=-

"2420:TCP"=-

"4772:TCP"=-

"8044:TCP"=-

"8336:TCP"=-

"8337:TCP"=-

"8388:TCP"=-

"4944:TCP"=-

"6888:TCP"=-

"4194:TCP"=-

~~ Checking profile list ~~

HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-1390067357-412668190-725345543-1000.bak

HelpAssistant profile directory exists at C:\Documents and Settings\HelpAssistant.KOROBA ~ attempting to remove

~ All C:\Documents and Settings\HelpAssistant.KOROBA files successfully removed ~

~~ Checking mbr ~~

user & kernel MBR OK

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on 03/05/2010 at 18:48:26.12

Account active Yes

Local Group Memberships *Administrators

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A521EE8]<<

kernel: MBR read successfully

user & kernel MBR OK

~~ Checking for termsrv32.dll ~~

termsrv32.dll present!

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters

ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv32.dll

~~ Checking profile list ~~

S-1-5-21-1390067357-412668190-725345543-1000

%SystemDrive%\Documents and Settings\HelpAssistant.KOROBA

~~ Checking for HelpAssistant directories ~~

HelpAssistant

HelpAssistant.KOROBA

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

"65533:TCP"=65533:TCP:*:Enabled:Services

"52344:TCP"=52344:TCP:*:Enabled:Services

"4194:TCP"=4194:TCP:*:Enabled:Services

"6888:TCP"=6888:TCP:*:Enabled:Services

"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"65533:TCP"=65533:TCP:*:Enabled:Services

"52344:TCP"=52344:TCP:*:Enabled:Services

"4194:TCP"=4194:TCP:*:Enabled:Services

"6888:TCP"=6888:TCP:*:Enabled:Services

"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop

~~ EOF ~~

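Reading a HelpAsst_mebroot_fix status check by hand is easy to get wrong, so here is an added example (not code from the tool, from Gmer, or from this thread) that parses the status-check section of the log above and lists what still needs fixing: the HelpAssistant account still active, TermService pointed at termsrv32.dll instead of the stock termsrv.dll, the unknown module in the disk driver call chain, and the leftover firewall exceptions. The allow-listed port is an assumption for this sample, not a published baseline.

```python
"""Triage the 'Status check' section of a HelpAsst_mebroot_fix log.

Added example; not part of the HelpAsst tool. The allow-list below is an
assumption chosen for this sample.
"""
import re
from dataclasses import dataclass, field

# Sample input: the status-check section of the log posted above, trimmed.
SAMPLE_LOG = r"""
Status check on 03/05/2010 at 18:48:26.12
Account active Yes
Local Group Memberships *Administrators
~~ Checking mbr ~~
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A521EE8]<<
user & kernel MBR OK
~~ Checking for termsrv32.dll ~~
termsrv32.dll present!
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv32.dll
~~ Checking firewall ports ~~
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"4194:TCP"=4194:TCP:*:Enabled:Services
"6888:TCP"=6888:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"4194:TCP"=4194:TCP:*:Enabled:Services
"6888:TCP"=6888:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
~~ EOF ~~
"""

# Stock TermService ServiceDll on Windows XP; anything else means the
# Terminal Services service has been pointed at a replacement DLL.
EXPECTED_SERVICEDLL = r"%systemroot%\system32\termsrv.dll"
# Firewall exceptions the owner could plausibly have created on purpose.
# Assumed allow-list for this sample only.
ALLOWED_PORTS = {(3389, "TCP")}

PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=(\d+):(TCP|UDP):\*:(\w+):(.*)$')
PROFILE_RE = re.compile(
    r'^\[HKLM\\.*\\(domainprofile|standardprofile)\\GloballyOpenPorts\\List\]$', re.I)
SERVICEDLL_RE = re.compile(r'^ServiceDll\s+REG_EXPAND_SZ\s+(.+)$')
UNKNOWN_RE = re.compile(r'>>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<')


@dataclass
class StatusReport:
    account_active: bool = False
    service_dll: str = ""
    unknown_modules: list = field(default_factory=list)
    # profile name -> {(port, proto): exception name}
    open_ports: dict = field(default_factory=dict)


def parse_status_check(text):
    """Parse the last 'Status check' section of a HelpAsst log."""
    section = text.split("Status check on")[-1]  # ignore the earlier fix pass
    rep = StatusReport()
    profile = None
    for raw in section.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Account active"):
            rep.account_active = line.split()[-1].lower() == "yes"
        elif m := SERVICEDLL_RE.match(line):
            rep.service_dll = m.group(1).strip()
        elif m := UNKNOWN_RE.search(line):
            rep.unknown_modules.append(m.group(1))
        elif m := PROFILE_RE.match(line):
            profile = m.group(1).lower()
            rep.open_ports.setdefault(profile, {})
        elif (m := PORT_RE.match(line)) and profile is not None:
            rep.open_ports[profile][(int(m.group(1)), m.group(2))] = m.group(6)
    return rep


def triage(text):
    """Return the findings that mean the machine is not yet clean."""
    rep = parse_status_check(text)
    findings = []
    if rep.account_active:
        findings.append("HelpAssistant account is still active")
    if rep.service_dll and rep.service_dll.lower() != EXPECTED_SERVICEDLL:
        findings.append(f"TermService ServiceDll points at {rep.service_dll}")
    for addr in rep.unknown_modules:
        findings.append(f"unknown code at {addr} in the disk driver call chain")
    for profile, ports in rep.open_ports.items():
        for (port, proto), name in sorted(ports.items()):
            if (port, proto) not in ALLOWED_PORTS:
                findings.append(f"{profile}: unexpected exception {port}/{proto} ({name})")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("[!]", finding)
```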

Oh.. you said to mention any other symptoms..

Got the same "firewall is turned on" warning when the machine restarted, which cleared after a few seconds.


  • Staff

Hello

Burn recovery console cd

  1. Download recovery_console_cd.zip file to your drive and extract it to its own folder (c:\recoverycd for example).
  2. Download floppy disk setup package xp pro for your operating system (XP pro) and save it to the folder you extracted the zip to.
  3. Rename the floppy disk setup package to Bootdisk.exe.
  4. Insert a blank cd into your burner.
  5. Double-click the RecoveryCD.bat file and follow the prompts to burn a cd that will allow you to boot to the recovery console.

Boot into recovery console

  • insert the cd that we made into cd player
  • restart the computer
  • screen will say "Windows set up" just wait
  • at the welcome screen press "R"
  • type 1 to enter c:\windows
  • type in the following and press enter
    • fixmbr
  • restart the computer

HelpAsst_mebroot_fix

I need you to rerun this program and to follow the instructions completely

  • Please download HelpAsst_mebroot_fix.exe and save it to your desktop.
  • Close out all other open programs and windows.
  • Double click the file to run it and follow any prompts.
  • If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
  • Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.
    • helpasst -mbrt
    • Make sure you leave a space between helpasst and -mbrt!
    • When it completes, a log will open.
    • Please post the contents of that log.

*Note* In the event the tool does not detect an mbr infection and completes, click Start>Run and type the following bolded command, then hit Enter.

  • mbr -f
  • Now, please do the Start>Run>mbr -f command a second time.
  • Now shut down the computer (do not restart, but shut it down), wait a few minutes then start it back up.
  • Give it about 5 minutes, then click Start>Run and type the following bolded command, then hit Enter.
    • helpasst -mbrt
    • Make sure you leave a space between helpasst and -mbrt!
    • When it completes, a log will open.
    • Please post the contents of that log.

**Important note to Dell users - fixing the mbr may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).

gringo


Hello

Burn recovery console cd

  1. Download recovery_console_cd.zip file to your drive and extract it to its own folder (c:\recoverycd for example).
  2. Download floppy disk setup package xp pro for your operating system (XP pro) and save it to the folder you extracted the zip to.
  3. Rename the floppy disk setup package to Bootdisk.exe.
  4. Insert a blank cd into your burner.
  5. Double-click the RecoveryCD.bat file and follow the prompts to burn a cd that will allow you to boot to the recovery console.

Boot into recovery console

  • insert the cd that we made into the cd player
  • restart the computer
  • the screen will say "Windows set up"; just wait
  • at the welcome screen press "R"
  • type 1 to enter c:\windows
  • type in the following and press enter
    • fixmbr
  • restart the computer

HelpAsst_mebroot_fix

I need you to rerun this program and to follow the instructions completely.

  • Please download HelpAsst_mebroot_fix.exe and save it to your desktop.
  • Close out all other open programs and windows.
  • Double click the file to run it and follow any prompts.
  • If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
  • Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.
    • helpasst -mbrt
    • Make sure you leave a space between helpasst and -mbrt !
    • When it completes, a log will open.
    • Please post the contents of that log.

*Note* In the event the tool does not detect an mbr infection and completes, click Start>Run and type the following bolded command, then hit Enter.

  • mbr -f
  • Now, please do the Start>Run>mbr -f command a second time.
  • Now shut down the computer (do not restart, but shut it down), wait a few minutes then start it back up.
  • Give it about 5 minutes, then click Start>Run and type the following bolded command, then hit Enter.
    • helpasst -mbrt
    • Make sure you leave a space between helpasst and -mbrt !
    • When it completes, a log will open.
    • Please post the contents of that log.

**Important note to Dell users - fixing the mbr may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).

gringo

Hello again gringo

ran the fixmbr and then the helpasst log below:

C:\Documents and Settings\Dave.KOROBA\Desktop\HelpAsst_mebroot_fix.exe

04/05/2010 at 20:08:39.34

HelpAssistant account is Active ~ attempting to de-activate

Account active Yes

Local Group Memberships *Administrators

HelpAssistant successfully set Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll present! ~ attempting to remove

Remove on reboot: C:\WINDOWS\system32\termsrv32.dll

~~ Checking firewall ports ~~

backing up DomainProfile\GloballyOpenPorts\List registry key

closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list

"65533:TCP"=-

"52344:TCP"=-

"4194:TCP"=-

"6888:TCP"=-

"3389:TCP"=-

backing up StandardProfile\GloballyOpenPorts\List registry key

closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list

"65533:TCP"=-

"52344:TCP"=-

"4194:TCP"=-

"6888:TCP"=-

"3389:TCP"=-

~~ Checking profile list ~~

HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-1390067357-412668190-725345543-1000

HelpAssistant profile directory exists at C:\Documents and Settings\HelpAssistant.KOROBA ~ attempting to remove

~ All C:\Documents and Settings\HelpAssistant.KOROBA files successfully removed ~

~~ Checking mbr ~~

user & kernel MBR OK

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on 04/05/2010 at 20:28:17.95

Account active No

Local Group Memberships

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys sfsync02.sys hal.dll SCSIPORT.SYS m5289.sys

kernel: MBR read successfully

user & kernel MBR OK

copy of MBR has been found in sector 0x01D1C4581

malicious code @ sector 0x01D1C4584 !

PE file found in sector at 0x01D1C459A !

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters

ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

HelpAssistant

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

~~ EOF ~~

still getting the no firewall warning..

Dave.

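
A small triage script for HelpAsst_mebroot_fix logs like the one posted above. This is an added example, not code from the thread or from the HelpAsst tool; the sample logs inside it are constructed from the kinds of lines the log above reports, and the only outside knowledge it relies on is that 3389/TCP is the Remote Desktop default port and that the HelpAssistant account is disabled by default on XP. It pulls out the indicators the tool acts on (HelpAssistant account state and group membership, the termsrv32.dll drop, the firewall port exceptions it closed per profile, and the MBR findings) so a first run and a later status check can be compared, and it keeps reporting a hidden MBR copy or malicious sector even when the MBR itself reads OK, which is exactly the situation in the status check above.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: modelled on the HelpAsst_mebroot_fix output in the thread,
# trimmed to one line per indicator type.
SAMPLE_LOG = """\
HelpAssistant account is Active ~ attempting to de-activate
Account active Yes
Local Group Memberships *Administrators
HelpAssistant successfully set Inactive
~~ Checking for termsrv32.dll ~~
termsrv32.dll present! ~ attempting to remove
Remove on reboot: C:\\WINDOWS\\system32\\termsrv32.dll
~~ Checking firewall ports ~~
backing up DomainProfile\\GloballyOpenPorts\\List registry key
closing rogue ports
HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\domainprofile\\globallyopenports\\list
"65533:TCP"=-
"52344:TCP"=-
"3389:TCP"=-
backing up StandardProfile\\GloballyOpenPorts\\List registry key
closing rogue ports
HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile\\globallyopenports\\list
"65533:TCP"=-
"3389:TCP"=-
~~ Checking mbr ~~
user & kernel MBR OK
copy of MBR has been found in sector 0x01D1C4581
malicious code @ sector 0x01D1C4584 !
PE file found in sector at 0x01D1C459A !
~~ EOF ~~
"""

# Constructed sample of a clean status check (no indicators at all).
CLEAN_LOG = """\
Account active No
Local Group Memberships
~~ Checking for termsrv32.dll ~~
termsrv32.dll not found
~~ Checking mbr ~~
user & kernel MBR OK
~~ EOF ~~
"""

PROFILE_RE = re.compile(r"firewallpolicy\\(\w+)\\globallyopenports", re.I)
PORT_RE = re.compile(r'^"(\d+:(?:TCP|UDP))"=-$', re.I)
SECTOR_RE = re.compile(r"sector (?:at )?(0x[0-9A-Fa-f]+)")


@dataclass
class HelpAsstReport:
    account_active: bool = False            # "Account active Yes" seen
    account_in_administrators: bool = False # "Local Group Memberships *Administrators"
    termsrv32_present: bool = False         # "termsrv32.dll present!"
    mbr_ok: bool = False                    # "user & kernel MBR OK"
    hidden_mbr_copy: bool = False           # "copy of MBR has been found in sector"
    malicious_sectors: List[str] = field(default_factory=list)
    closed_ports: Dict[str, List[str]] = field(default_factory=dict)

    def findings(self) -> List[str]:
        """Human-readable list of what the log shows; empty for a clean run."""
        out = []
        if self.account_active:
            out.append("HelpAssistant account was enabled (disabled by default on XP)")
        if self.account_in_administrators:
            out.append("HelpAssistant was a member of Administrators")
        if self.termsrv32_present:
            out.append("rogue termsrv32.dll was present in system32")
        for profile, ports in self.closed_ports.items():
            out.append(f"{profile}: firewall exceptions removed for {', '.join(ports)}")
            if "3389:TCP" in ports:
                out.append(f"{profile}: 3389/TCP (Remote Desktop default port) had been opened")
        if self.hidden_mbr_copy or self.malicious_sectors:
            where = ", ".join(self.malicious_sectors) or "unlisted sectors"
            out.append("MBR reads OK but a hidden MBR copy / malicious code remains at " + where)
        return out


def parse_helpasst_log(text: str) -> HelpAsstReport:
    """Walk the log once. Indicators accumulate, so a log holding both the fix
    run and the later status check reports whatever was found at any point."""
    r = HelpAsstReport()
    profile = None
    for raw in text.splitlines():
        line = raw.strip()
        low = line.lower()
        if not line:
            continue
        if low.startswith("account active"):
            r.account_active |= low.endswith("yes")
        elif low.startswith("local group memberships"):
            r.account_in_administrators |= "*administrators" in low
        elif low.startswith("termsrv32.dll present"):
            r.termsrv32_present = True
        elif low == "user & kernel mbr ok":
            r.mbr_ok = True
        elif low.startswith("copy of mbr has been found"):
            r.hidden_mbr_copy = True
        elif low.startswith("malicious code") or low.startswith("pe file found"):
            m = SECTOR_RE.search(line)
            if m:
                r.malicious_sectors.append(m.group(1))
        else:
            pm = PROFILE_RE.search(line)
            if pm:
                profile = pm.group(1).lower()  # domainprofile / standardprofile
                r.closed_ports.setdefault(profile, [])
                continue
            port = PORT_RE.match(line)
            if port and profile:
                r.closed_ports[profile].append(port.group(1).upper())
    return r


if __name__ == "__main__":
    for name, log in (("infected run", SAMPLE_LOG), ("clean status check", CLEAN_LOG)):
        print(f"== {name} ==")
        for f in parse_helpasst_log(log).findings() or ["no indicators"]:
            print(" -", f)
```

Paste a real log into `SAMPLE_LOG` (or read it from a file) and compare the `findings()` of the first run against those of the status check: the account, DLL and firewall indicators should drop out, and anything left in `malicious_sectors` is what `fixmbr` did not touch because it sits outside sector 0.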

  • Staff

Good afternoon welshwolf

Please don't quote my instructions, it just makes for a lot more to scroll through to get to the logs - Thanks :lol:

That is looking a lot better, OK let's move on now.

To turn on your firewall, go to this webpage; it will tell you how to do it.

http://support.microsoft.com/kb/283673

update combofix

I would like you to download an updated version of combofix.

  • Delete the version of combofix you have now on your desktop and download a new one from here
Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.

When finished, it will produce a report for you.

Note: Do not mouse-click combofix's window while it's running. That may cause it to stall.

"information and logs"

  • In your next post I need the following
  1. log from combofix
  2. let me know of any problems you may have had
  3. How is the computer doing now?

Gringo


hello Gringo

ComboFix 10-05-04.06 - Dave 05/05/2010 18:14:14.5.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1370 [GMT 1:00]

Running from: c:\documents and settings\Dave.KOROBA\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\program files\WindowsUpdate

.

((((((((((((((((((((((((( Files Created from 2010-04-05 to 2010-05-05 )))))))))))))))))))))))))))))))

.

2010-05-04 16:59 . 2010-05-04 16:59 -------- d-----w- C:\RecoveryCD

2010-05-03 17:15 . 2010-05-04 19:08 -------- d-----w- C:\HelpAsst_backup

2010-04-29 19:59 . 2010-04-29 19:59 -------- d-----w- c:\documents and settings\Dave.KOROBA\Application Data\AVG9

2010-04-29 19:16 . 2010-04-29 19:16 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys

2010-04-29 18:51 . 2010-04-29 18:51 -------- d-----w- C:\$AVG

2010-04-29 18:36 . 2010-04-29 18:36 -------- d-----w- c:\documents and settings\Dave.KOROBA\Local Settings\Application Data\AVG Security Toolbar

2010-04-29 18:08 . 2010-04-29 18:08 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-04-29 18:08 . 2010-04-29 18:08 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-04-29 18:08 . 2010-04-29 18:08 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-04-29 18:08 . 2010-04-29 18:08 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2010-04-29 18:08 . 2010-05-05 17:11 -------- d-----w- c:\windows\system32\drivers\Avg

2010-04-29 18:08 . 2010-04-29 18:17 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar

2010-04-29 18:05 . 2010-04-29 18:05 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

2010-04-27 17:47 . 2010-04-27 17:47 -------- d-sh--w- c:\documents and settings\Default User\IETldCache

2010-04-27 16:59 . 2010-04-27 16:59 -------- d-----w- c:\documents and settings\Dave.KOROBA\Local Settings\Application Data\Threat Expert

2010-04-27 16:57 . 2010-04-27 17:23 -------- d-----w- c:\program files\Spyware Doctor

2010-04-25 14:41 . 2010-04-25 14:41 -------- d-----w- c:\program files\Microsoft ActiveSync

2010-04-25 14:39 . 2010-04-25 14:42 -------- d-----w- c:\windows\SHELLNEW

2010-04-25 14:38 . 2010-04-25 14:38 -------- d-----w- c:\program files\Microsoft.NET

2010-04-23 19:00 . 2010-04-23 19:00 -------- d-----w- c:\documents and settings\Dave.KOROBA\Local Settings\Application Data\Adobe

2010-04-23 17:22 . 2010-04-23 17:22 -------- d-----w- c:\program files\Common Files\Java

2010-04-20 21:10 . 2010-04-20 21:10 -------- d-----w- c:\documents and settings\Dave.KOROBA\Application Data\GRETECH

2010-04-20 17:02 . 2010-04-20 17:02 -------- d-----w- c:\documents and settings\Dave.KOROBA\Application Data\Malwarebytes

2010-04-20 17:02 . 2010-03-29 23:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-20 17:02 . 2010-04-20 17:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-04-20 17:02 . 2010-04-20 17:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-04-20 17:02 . 2010-03-29 23:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-19 19:22 . 2010-04-19 19:25 -------- d-----w- c:\windows\61D3AAE1D5214CD7939B37813DE8F955.TMP

2010-04-19 19:07 . 2010-04-19 19:07 -------- d-----w- c:\program files\Trend Micro

2010-04-19 17:31 . 2010-04-19 17:31 -------- d-----w- c:\documents and settings\TEMP

2010-04-18 21:47 . 2010-04-18 21:47 -------- d-----w- c:\documents and settings\Dave.KOROBA\Application Data\AdobeUM

2010-04-18 21:34 . 2010-04-18 21:34 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2010-04-18 21:27 . 2010-04-18 21:27 -------- d-sh--w- c:\documents and settings\Dave.KOROBA\IECompatCache

2010-04-18 21:18 . 2010-04-18 21:18 -------- d-----w- c:\documents and settings\Dave.KOROBA\Application Data\GrabPro

2010-04-18 20:43 . 2010-05-01 21:46 -------- d-----w- c:\documents and settings\Dave.KOROBA\Application Data\Orbit

2010-04-18 19:56 . 2010-05-05 17:06 -------- d-----w- c:\documents and settings\Dave.KOROBA\Tracing

2010-04-18 19:44 . 2010-04-23 17:22 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-04-18 19:42 . 2010-04-18 19:42 -------- d-----w- c:\documents and settings\Dave.KOROBA\Application Data\Office Genuine Advantage

2010-04-18 17:45 . 2010-04-18 17:45 -------- d-----w- C:\escwsa

2010-04-18 16:52 . 2010-04-18 16:52 -------- d-sh--w- c:\documents and settings\Dave.KOROBA\PrivacIE

2010-04-18 16:36 . 2010-04-18 16:36 -------- d-----w- c:\documents and settings\Dave.KOROBA\Local Settings\Application Data\Mozilla

2010-04-18 16:21 . 2010-04-25 17:14 64096 ----a-w- c:\documents and settings\Dave.KOROBA\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-04-18 16:21 . 2010-04-18 16:21 -------- d-----w- c:\documents and settings\Dave.KOROBA\Local Settings\Application Data\Ahead

2010-04-18 16:21 . 2010-04-23 17:30 -------- d-----w- c:\documents and settings\Dave.KOROBA\Application Data\Nero

2010-04-18 16:21 . 2010-04-18 16:21 -------- d-----w- c:\documents and settings\Dave.KOROBA\Local Settings\Application Data\ATI

2010-04-18 16:21 . 2010-04-18 16:21 -------- d-----w- c:\documents and settings\Dave.KOROBA\Application Data\ATI

2010-04-18 16:16 . 2010-04-18 16:16 -------- d-----w- c:\documents and settings\admin\Local Settings\Application Data\Mozilla

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-05-05 17:18 . 2007-12-27 21:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki

2010-05-05 17:05 . 2006-10-02 23:26 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs

2010-04-27 17:22 . 2007-08-16 22:47 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-04-23 17:25 . 2009-07-07 00:02 -------- d-----w- c:\program files\Microsoft

2010-04-23 17:17 . 2006-12-25 22:16 -------- d-----w- c:\program files\Common Files\Adobe

2010-04-22 20:40 . 2007-09-15 14:55 -------- d-----w- c:\program files\Java

2010-04-21 22:59 . 2006-11-01 23:07 1324 ----a-w- c:\windows\system32\d3d9caps.dat

2010-04-19 19:22 . 2007-02-18 00:16 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2010-04-18 22:14 . 2010-03-09 17:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-04-18 20:52 . 2010-03-09 17:14 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-04-18 19:44 . 2010-04-18 19:44 503808 ----a-w- c:\documents and settings\Dave.KOROBA\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-686f6ccb-n\msvcp71.dll

2010-04-18 19:44 . 2010-04-18 19:44 499712 ----a-w- c:\documents and settings\Dave.KOROBA\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-686f6ccb-n\jmc.dll

2010-04-18 19:44 . 2010-04-18 19:44 348160 ----a-w- c:\documents and settings\Dave.KOROBA\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-686f6ccb-n\msvcr71.dll

2010-04-18 19:44 . 2010-04-18 19:44 61440 ----a-w- c:\documents and settings\Dave.KOROBA\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6e493c34-n\decora-sse.dll

2010-04-18 19:44 . 2010-04-18 19:44 12800 ----a-w- c:\documents and settings\Dave.KOROBA\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6e493c34-n\decora-d3d.dll

2010-04-07 11:24 . 2009-12-28 19:34 -------- d-----w- c:\program files\Orbitdownloader

2010-03-18 18:15 . 2010-03-18 18:15 300616 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll

2010-03-18 18:15 . 2010-03-18 18:15 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll

2010-03-18 18:15 . 2010-03-18 18:15 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll

2010-03-18 18:15 . 2010-03-18 18:15 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll

2010-03-18 18:15 . 2010-03-18 18:15 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll

2010-03-18 18:15 . 2010-03-18 18:15 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll

2010-03-18 18:15 . 2010-03-18 18:15 329312 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll

2010-03-18 18:15 . 2010-03-18 18:15 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll

2010-03-18 18:15 . 2006-11-24 21:59 -------- d-----w- c:\program files\Common Files\Real

2010-03-18 18:15 . 2006-11-24 21:59 -------- d-----w- c:\program files\Real

2010-03-18 18:14 . 2010-03-18 18:14 -------- d-----w- c:\program files\Common Files\xing shared

2010-03-10 06:15 . 2004-08-04 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll

2010-02-25 06:24 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-02-24 13:11 . 2004-08-04 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2010-02-23 13:04 . 2010-04-29 18:17 1664256 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll

2010-02-17 08:10 . 2004-08-04 12:00 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-02-16 13:25 . 2004-08-03 22:59 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-02-12 10:03 . 2010-03-14 17:24 293376 ------w- c:\windows\system32\browserchoice.exe

2010-02-12 04:33 . 2004-08-04 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll

2010-02-11 12:02 . 2004-08-04 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys

2007-05-27 08:50 . 2007-05-27 08:50 1547 ----a-w- c:\program files\plugin.inf

2007-05-27 08:49 . 2007-05-27 08:49 181968 ----a-w- c:\program files\addrmap.dat

.

((((((((((((((((((((((((((((( SnapShot_2010-04-29_17.36.35 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-05-05 17:05 . 2010-05-05 17:05 16384 c:\windows\Temp\Perflib_Perfdata_974.dat

+ 2010-05-05 17:05 . 2010-05-05 17:05 16384 c:\windows\Temp\Perflib_Perfdata_958.dat

+ 2004-08-04 12:00 . 2010-05-05 17:09 72428 c:\windows\system32\perfc009.dat

- 2004-08-04 12:00 . 2010-04-29 17:21 72428 c:\windows\system32\perfc009.dat

+ 2004-08-04 12:00 . 2010-05-05 17:09 444996 c:\windows\system32\perfh009.dat

- 2004-08-04 12:00 . 2010-04-29 17:21 444996 c:\windows\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2010-02-23 13:04 1664256 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-10 417792]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

"Nero PhotoShow Media Manager"="c:\progra~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe" [2006-01-13 249856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PowerS"="c:\windows\PowerS.exe" [2001-08-03 159800]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-10 417792]

"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]

"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-18 202256]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{93994DE8-8239-4655-B1D1-5F4E91300429}"= "c:\program files\DVD Region-Free\DVDShell.dll" [2003-12-20 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-04-29 18:08 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]

@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk

backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Remote Controller.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Remote Controller.lnk

backup=c:\windows\pss\Remote Controller.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TV Scheduler.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\TV Scheduler.lnk

backup=c:\windows\pss\TV Scheduler.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUS Probe]

2002-12-06 15:07 617984 ----a-w- c:\program files\ASUS\Asus Probe\AsusProb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]

2008-06-08 08:31 2221352 ----a-w- c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2008-06-19 08:53 570664 ----a-w- c:\program files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"aawservice"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"d:\\Games new\\steam\\steamapps\\wolfman131313\\half-life 2 deathmatch\\hl2.exe"=

"d:\\Games new\\steam\\Steam.exe"=

"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=

"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=

"d:\\Games new\\DoW\\W40k.exe"=

"d:\\Games new\\DoW\\W40kWA.exe"=

"c:\\Program Files\\Kontiki\\KService.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\WINDOWS\\system32\\mmc.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R0 m5289;m5289;c:\windows\system32\drivers\m5289.sys [01/01/1980 01:00 51840]

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [08/01/2010 12:30 28552]

R0 uliagpkx;ULi AGP Bus Filter Driver;c:\windows\system32\drivers\AGPKX.SYS [02/10/2006 21:40 44928]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [29/04/2010 19:08 216200]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [29/04/2010 19:08 242896]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [29/04/2010 19:07 308064]

R2 BT848;BtCap, WDM Video Capture;c:\windows\system32\drivers\BT848.SYS [19/10/2006 20:43 99206]

R2 BTTUNER;BtTuner, WDM TV Tuner;c:\windows\system32\drivers\Bttuner.sys [19/10/2006 20:43 13898]

R2 BTXBAR;BtXBar, WDM Crossbar;c:\windows\system32\drivers\Btxbar.sys [19/10/2006 20:43 6872]

R3 ULI5261;ULi Based Ethernet NT Driver;c:\windows\system32\drivers\ULILAN.SYS [02/10/2006 21:40 28160]

S2 gupdate;Google Update Service (gupdate);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]

S3 ATICDSDr;ATICDSDr;c:\ati\SUPPORT\9_3_xp32_dd_ccc_wdm_enu\Driver\BIN\atiicdxx.sys [25/02/2009 22:04 6144]

S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [29/04/2010 19:08 369920]

S3 dTVdrvNT;dTVdrvNT;c:\program files\Prolink\PlayTV Pro\DTVdrvNT.sys [19/10/2006 20:43 12188]

.

Contents of the 'Scheduled Tasks' folder

2010-01-07 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2010-05-05 c:\windows\Tasks\OGALogon.job

- c:\windows\system32\OGAEXEC.exe [2009-08-03 14:07]

2010-05-05 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1390067357-412668190-725345543-1003.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 22:09]

2010-05-05 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1390067357-412668190-725345543-1006.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 22:09]

2010-05-05 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1390067357-412668190-725345543-1034.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 22:09]

2010-04-25 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1390067357-412668190-725345543-1003.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 22:09]

2010-05-02 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1390067357-412668190-725345543-1006.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 22:09]

2010-05-01 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1390067357-412668190-725345543-1034.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 22:09]

2010-05-05 c:\windows\Tasks\User_Feed_Synchronization-{ED3FE485-ADA1-43B5-9831-A80A1ECAD77B}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 04:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://bbc.co.uk/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game07.zylom.com/activex/zylomgamesplayer.cab

FF - ProfilePath - c:\documents and settings\Dave.KOROBA\Application Data\Mozilla\Firefox\Profiles\tgxtrig7.default\

FF - prefs.js: browser.search.selectedEngine - Yahoo! Search

FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/

FF - prefs.js: keyword.URL - hxxp://uk.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_uk&p=

FF - component: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll

FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll

FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll

FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll

FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll

FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll

FF - component: c:\program files\Orbitdownloader\addons\OneClickYouTubeDownloader\components\GrabXpcom.dll

FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

.

- - - - ORPHANS REMOVED - - - -

BHO-{f53be55f-08a0-472f-9391-90e6b40b5893} - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-05-05 18:19

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(704)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1188)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-05-05 18:26:10

ComboFix-quarantined-files.txt 2010-05-05 17:26

ComboFix2.txt 2010-04-29 20:25

ComboFix3.txt 2010-04-29 17:39

ComboFix4.txt 2010-04-21 21:09

ComboFix5.txt 2010-05-05 17:13

Pre-Run: 32,196,333,568 bytes free

Post-Run: 32,189,157,376 bytes free

- - End Of File - - FD97C1ADA4E5E2E39C73963D3625A6D0

no discernible problems so far..

even the no firewall message didn't show..

the machine seems to be running quicker and easier than it's done in months.

did a few random google searches and it wasn't hijacked once :D


  • Staff

Hello

These logs are looking good. But we still have some work to do.

no discernible problems so far..

even the no firewall message didn't show..

the machine seems to be running quicker and easier than it's done in months.

did a few random google searches and it wasn't hijacked once

that is great news!!!

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.

Click OK to either and let MBAM proceed with the disinfection process.

If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

:Kaspersky scan:

  • Please go to the Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on the Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

"information and logs"

  • In your next post I need the following
  1. Log From MBAM
  2. Log From Kaspersky
  3. let me know of any problems you may have had
  4. How is the computer doing now?

Gringo


hello gringo.

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4070

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

05/05/2010 21:32:30

mbam-log-2010-05-05 (21-32-30).txt

Scan type: Quick scan

Objects scanned: 135527

Time elapsed: 4 minute(s), 1 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0: scan report

Thursday, May 6, 2010

Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Wednesday, May 05, 2010 18:24:47

Records in database: 4058603

--------------------------------------------------------------------------------

Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

Scan area - My Computer:

A:\

C:\

D:\

E:\

F:\

Scan statistics:

Objects scanned: 314530

Threats found: 4

Infected objects found: 8

Suspicious objects found: 0

Scan duration: 04:29:06

File name / Threat / Threats count

C:\Documents and Settings\HelpAssistant\.housecall6.6\Quarantine\48407157-7df4dfe7.bac_a02012 Infected: Trojan-Downloader.Java.OpenStream.ac 1

C:\Documents and Settings\HelpAssistant\.housecall6.6\Quarantine\iebu.exe.bac_a02012 Infected: Trojan.Win32.Agent.aesy 1

C:\Documents and Settings\HelpAssistant\.housecall6.6\Quarantine\wcu.exe.bac_a02012 Infected: Trojan.Win32.Agent.aesz 1

C:\HelpAsst_backup\C\DOCUME~1\HELPAS~1.KOR\.housecall6.6\Quarantine\48407157-7df4dfe7.bac_a02012 Infected: Trojan-Downloader.Java.OpenStream.ac 1

C:\HelpAsst_backup\C\DOCUME~1\HELPAS~1.KOR\.housecall6.6\Quarantine\iebu.exe.bac_a02012 Infected: Trojan.Win32.Agent.aesy 1

C:\HelpAsst_backup\C\DOCUME~1\HELPAS~1.KOR\.housecall6.6\Quarantine\wcu.exe.bac_a02012 Infected: Trojan.Win32.Agent.aesz 1

C:\HelpAsst_backup\C\DOCUME~1\HELPAS~1.KOR\Application Data\Sun\Java\Deployment\cache\6.0\37\301cb0e5-73e9b128 Infected: Trojan-Downloader.Java.OpenConnection.at 1

C:\HelpAsst_backup\C\DOCUME~1\HELPAS~1.KOR\Application Data\Sun\Java\Deployment\cache\6.0\57\4839f1b9-11cf6f71 Infected: Trojan-Downloader.Java.OpenConnection.at 1

Selected area has been scanned.

the only errors popping up are that delivery service manager keeps having to close?

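The eight Kaspersky hits in the report above all sit under HouseCall's `.housecall6.6\Quarantine` folder or under the `C:\HelpAsst_backup` copy of the hijacked HelpAssistant profile. Those are copies that earlier tools had already taken out of service, which is consistent with the MBAM quick scan finding nothing live; the two Java deployment-cache entries are downloaded exploit JARs from a drive-by attempt, again in the backup copy of the profile. The script below is an added example, not part of the thread and not Kaspersky's or Malwarebytes' code: it parses the report's detection lines and splits them into inert (quarantine or backup) and live hits, flagging Java-cache entries. The quarantine folder patterns and the extra `Dave.KOROBA` cache line in the sample are assumptions constructed for the example.

```python
"""Triage a Kaspersky Online Scanner report by where each hit lives.

A detection inside another tool's quarantine folder, or inside a backup copy
of a profile, is a neutralised leftover: delete it, but it is not evidence of
a running infection. A detection in a live location (a user's Java deployment
cache, Temp, a Run-key target) needs follow-up.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# One detection line looks like:  <path> Infected: <threat name> <count>
DETECTION_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")

# Folders that only hold already-neutralised copies. Assumption for this
# example: Trend Micro HouseCall's quarantine folder and the HelpAsst_backup
# tree that the HelpAssistant fix creates; add your own tooling's folders.
INERT_MARKERS = [
    re.compile(r"\\\.housecall6\.6\\quarantine\\", re.IGNORECASE),
    re.compile(r"\\helpasst_backup\\", re.IGNORECASE),
]

# Java's applet/JAR download cache: a hit here is a downloaded exploit JAR
# from a drive-by attempt, not a persistence mechanism on its own.
JAVA_CACHE_RE = re.compile(r"\\sun\\java\\deployment\\cache\\", re.IGNORECASE)

# Constructed sample: the eight lines from the report posted in the thread,
# plus one made-up hit in the live user's Java cache to show the split.
SAMPLE_REPORT = r"""
File name / Threat / Threats count
C:\Documents and Settings\HelpAssistant\.housecall6.6\Quarantine\48407157-7df4dfe7.bac_a02012 Infected: Trojan-Downloader.Java.OpenStream.ac 1
C:\Documents and Settings\HelpAssistant\.housecall6.6\Quarantine\iebu.exe.bac_a02012 Infected: Trojan.Win32.Agent.aesy 1
C:\Documents and Settings\HelpAssistant\.housecall6.6\Quarantine\wcu.exe.bac_a02012 Infected: Trojan.Win32.Agent.aesz 1
C:\HelpAsst_backup\C\DOCUME~1\HELPAS~1.KOR\.housecall6.6\Quarantine\48407157-7df4dfe7.bac_a02012 Infected: Trojan-Downloader.Java.OpenStream.ac 1
C:\HelpAsst_backup\C\DOCUME~1\HELPAS~1.KOR\.housecall6.6\Quarantine\iebu.exe.bac_a02012 Infected: Trojan.Win32.Agent.aesy 1
C:\HelpAsst_backup\C\DOCUME~1\HELPAS~1.KOR\.housecall6.6\Quarantine\wcu.exe.bac_a02012 Infected: Trojan.Win32.Agent.aesz 1
C:\HelpAsst_backup\C\DOCUME~1\HELPAS~1.KOR\Application Data\Sun\Java\Deployment\cache\6.0\37\301cb0e5-73e9b128 Infected: Trojan-Downloader.Java.OpenConnection.at 1
C:\HelpAsst_backup\C\DOCUME~1\HELPAS~1.KOR\Application Data\Sun\Java\Deployment\cache\6.0\57\4839f1b9-11cf6f71 Infected: Trojan-Downloader.Java.OpenConnection.at 1
C:\Documents and Settings\Dave.KOROBA\Application Data\Sun\Java\Deployment\cache\6.0\12\0badf00d-5eed1234 Infected: Trojan-Downloader.Java.OpenConnection.at 1
Selected area has been scanned.
"""


@dataclass
class Hit:
    path: str
    threat: str
    count: int
    status: str       # "inert" (quarantine/backup copy) or "live"
    java_cache: bool  # sits in Java's applet download cache


def classify(path: str) -> str:
    """'inert' when the path is inside a quarantine or backup tree, else 'live'."""
    return "inert" if any(m.search(path) for m in INERT_MARKERS) else "live"


def parse_report(text: str) -> list[Hit]:
    hits = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if not m:
            continue  # header, separator, scan statistics
        path = m["path"]
        hits.append(Hit(path, m["threat"], int(m["count"]),
                        classify(path), bool(JAVA_CACHE_RE.search(path))))
    return hits


def triage(text: str) -> dict[str, list[Hit]]:
    hits = parse_report(text)
    return {"inert": [h for h in hits if h.status == "inert"],
            "live": [h for h in hits if h.status == "live"]}


def threat_counts(hits: list[Hit]) -> Counter:
    return Counter(h.threat for h in hits)


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for status in ("live", "inert"):
        print(f"{status}: {len(result[status])} hit(s)")
        for h in result[status]:
            tag = " [java cache]" if h.java_cache else ""
            print(f"  {h.threat}{tag}\n    {h.path}")
```

Run against the thread's report alone, the script reports eight inert hits and no live ones; the constructed ninth line shows what a live Java-cache hit looks like, which would call for clearing the cache of that user's profile and checking which site served the JAR.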

  • Staff

greetings

the only errors popping up are delivery service manager keeps having to close?

Uninstall BBC iPlayer Download Manager and let me know if it helps.

uninstall some programs

  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box

appwiz.cpl

  • click ok
  • Right click on each of these programs and select uninstall
    • BBC iPlayer Download Manager
  • Once finished, close the Programs and Features window

  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box

helpasst -folder

  • click ok
  • The tool will run and prompt for confirmation to remove any HelpAssistant folders found.
  • If prompted, restart your computer.

When complete:

  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box

helpasst -mbrt

When that has completed:

  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box

helpasst -cleanup

let me have the new log from helpasst

gringo


greetings..

helpasst didnt produce any log after running clean up..

should I run the tool itself again?

Dave


  • Staff

Hello

Sorry I messed up. Didn't run -mbrt before clean up.. been a long (14hr) work day..

Don't worry. Go ahead and run -mbrt to get the log. We are at the stage now where we are just going after the loose ends, so there is no reason to rush; if you're too tired, just wait.

BBC iPlayer Download Manager - did you uninstall this and did it help?

let me have the log from -mbrt when ready

gringo


I'm ok strong coffee helps.. haha

uninstalled iPlayer download manager and the delivery service hasn't complained yet

machine seems to be running smoothly and no glitches so far..

C:\Documents and Settings\Dave.KOROBA\Desktop\HelpAsst_mebroot_fix.exe

06/05/2010 at 18:15:11.39

HelpAssistant account Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found

~~ Checking firewall ports ~~

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on 06/05/2010 at 18:40:01.57

Account active No

Local Group Memberships

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys sfsync02.sys hal.dll SCSIPORT.SYS m5289.sys

kernel: MBR read successfully

user & kernel MBR OK

copy of MBR has been found in sector 0x01D1C4581

malicious code @ sector 0x01D1C4584 !

PE file found in sector at 0x01D1C459A !

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters

ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

none found

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

~~ EOF ~~

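In the `~~ Checking mbr ~~` block above, `user & kernel MBR OK` means the detector's user-mode and kernel-mode reads of sector 0 agree, so nothing in the disk stack is filtering the boot record any more. The three sector lines that follow are the Mebroot/Sinowal stash in unpartitioned space at the end of the drive: the backed-up original MBR, the loader code three sectors later, and the rootkit's driver stored as a PE image. With a clean MBR nothing references those sectors, which is why a clean user/kernel comparison is the line that matters. The parser below is an added example, not Gmer's code or HelpAsst's: it reads that block, converts sector numbers to byte offsets and gives a verdict. The `user != kernel MBR` wording for the hooked case and the 512-byte sector size are assumptions.

```python
"""Interpret the '~~ Checking mbr ~~' block of a HelpAsst_mebroot_fix / Gmer mbr.exe log.

The detector reads sector 0 once from user mode and once from kernel mode and
compares the two; a Mebroot-class rootkit hooks the disk stack so that the two
reads differ. It also reports where it found the rootkit's stash in
unpartitioned sectors at the end of the drive.
"""
import re

SECTOR_BYTES = 512  # assumption: 512-byte sectors, standard for 2010-era disks

# Constructed sample: the MBR block from the helpasst log posted in the thread.
SAMPLE_MBR_LOG = """\
~~ Checking mbr ~~
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys sfsync02.sys hal.dll SCSIPORT.SYS m5289.sys
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x01D1C4581
malicious code @ sector 0x01D1C4584 !
PE file found in sector at 0x01D1C459A !
"""

SECTOR_RE = re.compile(r"sector(?: at)? 0x([0-9A-Fa-f]+)")


def _sector(line: str) -> int:
    m = SECTOR_RE.search(line)
    if not m:
        raise ValueError(f"no sector number in line: {line!r}")
    return int(m.group(1), 16)


def parse_mbr_check(text: str) -> dict:
    """Collect the detector's findings into a dict of flags and sector numbers."""
    found = {
        "user_read_ok": False,
        "kernel_read_ok": False,
        "mbr_consistent": False,  # "user & kernel MBR OK"
        "mbr_hooked": False,      # "user != kernel MBR" (assumed wording; absent from this log)
        "mbr_copy_sector": None,  # original MBR backed up by the rootkit
        "code_sector": None,      # loader code stored outside any partition
        "pe_sector": None,        # the rootkit's driver image
    }
    for raw in text.splitlines():
        line = raw.strip()
        if line == "user: MBR read successfully":
            found["user_read_ok"] = True
        elif line == "kernel: MBR read successfully":
            found["kernel_read_ok"] = True
        elif line == "user & kernel MBR OK":
            found["mbr_consistent"] = True
        elif line.startswith("user != kernel MBR"):
            found["mbr_hooked"] = True
        elif line.startswith("copy of MBR has been found"):
            found["mbr_copy_sector"] = _sector(line)
        elif line.startswith("malicious code @"):
            found["code_sector"] = _sector(line)
        elif line.startswith("PE file found"):
            found["pe_sector"] = _sector(line)
    return found


def sector_offset_bytes(sector: int) -> int:
    """Byte offset of a sector, for comparing against the drive's capacity."""
    return sector * SECTOR_BYTES


def verdict(found: dict) -> str:
    """'active' while the MBR is hooked; 'residual' when only the stash remains; 'clean' otherwise."""
    if found["mbr_hooked"]:
        return "active"
    if not found["mbr_consistent"]:
        return "unknown"  # truncated log or a detector error: do not call it clean
    stash = [found[k] for k in ("mbr_copy_sector", "code_sector", "pe_sector") if found[k] is not None]
    return "residual" if stash else "clean"


if __name__ == "__main__":
    f = parse_mbr_check(SAMPLE_MBR_LOG)
    print("verdict:", verdict(f))
    for key in ("mbr_copy_sector", "code_sector", "pe_sector"):
        if f[key] is not None:
            gb = sector_offset_bytes(f[key]) / 1e9
            print(f"{key}: sector {f[key]} (0x{f[key]:X}), offset {gb:.2f} GB")
```

For this log the verdict is `residual`: the copy of the original MBR sits at sector 488,392,065, which is roughly 250 GB into the disk, i.e. right at the tail of a 250 GB drive where no partition reaches. A `residual` result is the state the thread ends in; an `active` result (differing user and kernel reads) would mean the loader is still being executed at boot and the MBR itself must be rewritten before anything else.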

  • Staff

Hello welshwolf

Those reports look very good.

Very well done!! This is my general post for when your logs show no more signs of malware. Please let me know if you still are having problems with your computer and what these problems are.

I will leave this open for a couple of days so if you run into anymore problems just come back here and let me know.

The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points and create a new restore point.

:Uninstall ComboFix:

  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box: ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.

:DeFogger:

  • To re-enable your Emulation drivers, double click DeFogger to run the tool.
    • The application window will appear
    • Click the Re-enable button to re-enable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.

:Make your Internet Explorer more secure:

  • please visit this page that gives instructions to do this
http://surfthenetsafely.com/ieseczone8.htm

:Turn On Automatic Updates:

  • Turn On Automatic Updates
    1. Click Start, click Run, type sysdm.cpl, and then press ENTER.
    2. Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select "Automatic (recommended): Automatically download recommended updates for my computer and install them".

    If you click this setting, click to select the day and time for scheduled updates to occur. You can schedule Automatic Updates for any time of day. Remember, your computer must be on at the scheduled time for updates to be installed.

    After you set this option, Windows recognizes when you are online and uses your Internet connection to find updates on the Windows Update Web site or on the Microsoft Update Web site that apply to your computer. Updates are downloaded automatically in the background, and you are not notified or interrupted during this process. An icon appears in the notification area of your taskbar when the updates are being downloaded. You can point to the icon to view the download status. To pause or to resume the download, right-click the icon, and then click Pause or Resume.

    When the download is completed, another message appears in the notification area so that you can review the updates that are scheduled for installation. If you choose not to install at that time, Windows starts the installation on your set schedule.

    or visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

:antispyware programs:

  • you have a couple of good antispyware programs on this computer but you can still try some of these others to see if you like them also
    I would recommend the download and installation of some or all of the following programs (all free), and the updating of them regularly:
    • WinPatrol - As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
    • Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free but for real-time protection you will have to pay a small one-time fee.
    • Spyware Blaster - By altering your registry, this program stops harmful sites from installing things like ActiveX Controls on your machine.

please read this great article by miekiemoes How to prevent Malware:

and

this great article by Tony Klein So How Did I Get Infected In First Place

Now you have followed my advice - it's time to lodge a complaint against what you have suffered.........

Malware Complaints

If you were infected .... Stand Up and be Counted.

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here.

Gringo


Thank you for your help gringo..

I'm a very relieved man right now

a donation is winging its way to your paypal as I type.. :-)

thanks again for your time and assistance..

Dave


This topic is now closed to further replies.